
Migrate to Elastic Container Registry (ECR) for services running on PaaS

Overview

We have implemented a change on console.paas.sikt.no so that new projects, and existing projects that opt to update their configuration, use a container image repository in Amazon Elastic Container Registry (ECR) instead of registry.uninett.no. This update will significantly improve access speed and reliability for container images used by the services. The ECRs provided are fully managed by Platon and are not meant to be customized, so that everything keeps running smoothly. If you want a customized ECR or a different kind of repository, you can set it up and manage it yourself (Platon can guide you through the process); some options are listed here.

This change affects only the container image repository. Other configurations and settings remain unchanged.

Repository Structure

The setup is designed so that there is one repository per project. ECRs differ from other image repositories (e.g. Docker Hub) in that they do not allow several image names, only different image tags. Different images and different versions of an image are therefore distinguished by tags. Images are immutable, meaning you cannot push an image with the same tag twice. Image versions that are not used in PaaS (e.g. because a newer version was deployed or because the deployment failed) are deleted after one day.

Migration Steps

To migrate an existing project to use the new ECR container repository, follow these steps:

  1. Update Configuration

  2. Run Pipeline on GitLab

    • Open your project on GitLab.
    • Go to the Build / Pipelines section.
    • Click the "Run pipeline" button.
    • Ensure you run the pipeline for the main or master branch.

Once the pipeline finishes and the service is deployed using the new pipeline, the service will use the new ECR container registry.

FAQ

We build several different images in our CI/CD-pipeline and use different image names like $CI_REGISTRY_IMAGE-api. How do we transfer that to the new registry?

You can differentiate by tags instead. Your build step can then look like this:

- docker build -t $CI_REGISTRY_IMAGE:api-$CI_REGISTRY_TAG api/
- docker push $CI_REGISTRY_IMAGE:api-$CI_REGISTRY_TAG

When I run the pipeline, I get an error saying Job failed: failed to pull image [...] no basic auth credentials

This might be caused by pipelines that first build an image and then use it later to run a different job. Unfortunately, this is no longer possible, because we cannot hook into the GitLab CI/CD authorization process to make it authorize against the registry in that way. You can try to use "docker-in-docker" instead. Example:

test-stuff:
  extends: .docker
  script:
    - |
      docker run --rm -i "$CI_REGISTRY_IMAGE:$CI_REGISTRY_TAG" /bin/sh -eux -c '
        some-command
        some-other-command
      '

When I run the pipeline, I get an error mentioning: is not authorized to perform: ecr:InitiateLayerUpload

Only one image name per project is allowed, so if you build several different images you have to separate them by tag instead. Example:

- docker build -t $CI_REGISTRY_IMAGE:api-$CI_REGISTRY_TAG api/
- docker push $CI_REGISTRY_IMAGE:api-$CI_REGISTRY_TAG
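
As an added example (not part of Platon's pipeline templates), the tag-per-image scheme from the answers above can be combined with the immutable-tag rule from Repository Structure: a POSIX shell helper that composes and validates the tag and skips the push when the tag already exists. The function names, the worker component and the skip-instead-of-fail behaviour are assumptions of this example, and it assumes the job is already logged in to the registry and has a Docker CLI that supports docker manifest inspect.

```shell
#!/bin/sh
# Added example, not Platon's pipeline code. CI_REGISTRY_IMAGE and CI_REGISTRY_TAG
# are the variables used on this page; image_ref and push_once are names made up here.
LC_ALL=C; export LC_ALL   # keep the A-Z / a-z ranges below ASCII-only

# image_ref COMPONENT
# Prints "$CI_REGISTRY_IMAGE:COMPONENT-$CI_REGISTRY_TAG", the per-component tag
# scheme from the FAQ. Returns 2 if the tag is not a valid Docker tag: first
# character [A-Za-z0-9_], the rest [A-Za-z0-9_.-], at most 128 characters.
image_ref() {
    tag="$1-$CI_REGISTRY_TAG"
    case "$tag" in
        [!A-Za-z0-9_]*|*[!A-Za-z0-9_.-]*)
            echo "invalid image tag: $tag" >&2
            return 2 ;;
    esac
    if [ "${#tag}" -gt 128 ]; then
        echo "image tag longer than 128 characters: $tag" >&2
        return 2
    fi
    printf '%s:%s\n' "$CI_REGISTRY_IMAGE" "$tag"
}

# push_once COMPONENT BUILD_CONTEXT
# Tags are immutable, so pushing an existing tag fails. Look the tag up first and
# skip the build when it is already there (assumption: the existing image is the
# one you want; the job is already logged in to the registry).
push_once() {
    ref=$(image_ref "$1") || return 2
    if docker manifest inspect "$ref" >/dev/null 2>&1; then
        echo "skip: $ref is already in the registry"
        return 0
    fi
    docker build -t "$ref" "$2" && docker push "$ref"
}

# In the job's script section, after sourcing this file
# (worker is a hypothetical second component):
#   push_once api api/
#   push_once worker worker/
```

A tag value containing a slash, such as one derived from a branch name, is rejected by image_ref before any build starts.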

I moved my project to a different group in GitLab, and now it doesn't work any longer.

Authentication in AWS depends on knowing the "path" to the repo, and the PaaS console is where that path gets updated. Please go to https://console.paas.sikt.no/ and choose "Update configuration" for your project to make everything work again.

I want to use my image across different repositories

This is unfortunately not covered by this ECR setup. For this use case you might consider Artifactory instead.