In my previous post on running ASP.NET 5 apps on AWS EC2 Container Service we saw just how straightforward it was to get a simple ASP.NET 5 application up and running on AWS ECS with minimal setup or configuration by making use of Docker.
The primary advantage to using Docker instead of using an EC2 instance directly is that I didn’t have to install or configure the .NET execution environment on that instance before deploying my application. Instead I was able to make use of the official microsoft/aspnet Docker image to build my application container locally then just deploy that container to my EC2 instance via ECS and Docker Hub. Dead simple and pretty painless.
Making it Private
Diving a bit deeper – in order for ECS to be able to fetch my custom Docker image I had to first deploy it to a public repository on Docker Hub. This also meant that anybody else could pull down my Docker image and inspect its contents. If this were a real commercial application, its quite possible that I would not want my applications source code to be freely readable like that.
Some of you may be thinking about embedded secrets like API keys or connection strings as well. While I agree it would be horrible to share those publicly, inside of your Docker image is almost definitely not the right place to keep those secrets. Instead you should follow best practices for injecting secrets – one promising approach is to inject them at run time via environment variables, which both Docker and ECS support. But that’s for a different post.
Setting up AWS ECS to Use a Private Repository
In this post I’m going to show how I managed to configure my EC2 instance to be able to pull my custom Docker image from a private Docker Hub repository. This post assumes you’ve already setup ECS to use an image from a Docker Hub public repository like we did in my last post. I’ll focus on what is different in this post.
Disclaimer: I work for Amazon as a software engineer on the Amazon Alexa team. While I do use AWS services in my day to day job, I don’t work for the AWS organization. Opinions, ideas, and thoughts shared in this post (and website) are entirely my own and do not necessarily reflect that of Amazon or AWS.
1. Create a Private Docker Hub Repository
I went into my public repository (
dotnetliberty/ecsdemo) and went to the
Settingspage and clicked
Make Private.
2. Enable SSH into EC2 Instance
There’s an ECS service that is running on the EC2 instance where our containers are deployed – it is responsible for fetching the container images the EC2 instance is tasked with running. In order to enable the ECS service to fetch from my Docker Hub private repository, I need to SSH into the EC2 instance and reconfigure the ECS service.
By default, ECS creates a security group for our EC2 instance that only allows inbound traffic on port 80 (HTTP). Since I need to connect on port 22 for SSH, I had to first update the security group configuration inbound network policy.
First, navigate to the EC2 Management Console in AWS. On the left hand side drop down to Security Groups.
From there, locate the security group with the description ECS Allowed Ports. Click that list entry and switch over to the Inbound tab. Here is where I added a new rule to allow SSH traffic.
3. SSH into EC2 Instance
I used a git bash shell on Windows to SSH in using a private key file I had configured earlier when initially creating the EC2 instance. You can use any SSH client you like, such as PuTTY.
$ ssh -i test.pem ec2-user@52.33.241.23 __| __| __| _| ( \__ \ Amazon ECS-Optimized Amazon Linux AMI 2015.09.b ____|\___|____/ For documentation visit, http://aws.amazon.com/documentation/ecs [ec2-user@ip-10-0-0-151 ~]$
4. Login to Docker Hub from EC2 Instance
Now that I’m on my EC2 instance, I can run standard Docker commands. Let’s start with a
docker ps:
[ec2-user@ip-10-0-0-151 ~]$ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 1637a611c65e amazon/amazon-ecs-agent:latest "/agent" 3 days ago Up 3 days 127.0.0.1:51678->51678/tcp ecs-agent
What we see is the standard ECS agent – my application container is not yet running. Now I’m going to login to Docker Hub:
[ec2-user@ip-10-0-0-151 ~]$ docker login Username: dotnetliberty Password: Email: armen@example.com WARNING: login credentials saved in /home/ec2-user/.docker/config.json Login Succeeded
The important part is on line 5: after logging in, it saved a login token to config.json. Lets take a look at that file:
[ec2-user@ip-10-0-0-151 ~]$ cat ~/.docker/config.json
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "<redacted token>",
"email": "armen@example.com"
}
}I’ll need this information in the next step to configure the local ECS service to use these credentials.
5. Edit ECS Config
Now I need to update the ecs.config file on the same host to include the credentials stored in config.json above. I used vim to edit this file as root:
[ec2-user@ip-10-0-0-151 ~]$ sudo vi /etc/ecs/ecs.config
I followed the instructions here for using dockercfg style authentication:
ECS_CLUSTER=default
ECS_ENGINE_AUTH_TYPE=dockercfg
ECS_ENGING_AUTH_DATA={"https://index.docker.io/v1/":{"auth":"<redacted token>","email":"armen@example.com"}}I then saved this file and quit back to my shell.
6. Restart ECS Service
Now that I’ve provided updated authentication credentials to ECS, I have to actually restart the ECS service so it picks them up.
[ec2-user@ip-10-0-0-151 ~]$ sudo stop ecs ecs stop/waiting [ec2-user@ip-10-0-0-151 ~]$ sudo start ecs ecs start/running, process 10149
7. Fire up Private Container
That’s all I had to do on the EC2 instance. ECS running on this EC2 instance will now be able to fetch my private repositories. I went back to the ECS console and fired up my service.
At this point I did a sanity check at my SSH prompt:
[ec2-user@ip-10-0-0-151 ~]$ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES af268be972c3 dotnetliberty/ecsdemo "dnx web --server.ur About a minute ago Up About a minute 0.0.0.0:80->5000/tcp ecs-ecsdemo-1-ecsdemo-92bbf6e69797cf997800 2fff5c766591 amazon/amazon-ecs-agent:latest "/agent" 4 minutes ago Up 4 minutes 127.0.0.1:51678->51678/tcp ecs-agent
As a final check, I navigated to the website from my desktop:
Fin
By making use of a private repository on Docker Hub, I was able to get ECS to securely pull my application container to my EC2 instance and fire it up. While it would have been nice to have private repository support build right into the ECS management console, the manual configuration steps were pretty painless and only had to be done one time.
Are you running any ASP.NET 5 applications on AWS? I’d definitely be interested in hearing about how others have gone about getting this setup to their liking. Chime in below, tweet me @ArmenShimoon, or drop me an email at armen@dotnetliberty.com.