Codenvy and AWS ECR #444

Closed
soanni opened this issue Jul 25, 2016 · 24 comments
Comments

@soanni

soanni commented Jul 25, 2016

Hello, Codenvy team.
Can somebody tell me if there is a way to connect Codenvy to a private Docker registry (AWS ECR)?
Is it possible, given the specific authentication mechanism in AWS ECR?
Thank you in advance for your help.

@TylerJewell
Contributor

Hi!

For the on-premises enterprise version you can read about it here.

On a user-basis, they can also reference those private registries using this syntax:
https://eclipse-che.readme.io/v4.4/docs/configuration-docker#private-docker-registries

@soanni
Author

soanni commented Jul 25, 2016

Tyler, thank you very much.
We are using the on-premises enterprise version (got 50 licences a few weeks ago and are now configuring the system).

I can see these options for private Docker registries in the documentation:

$docker.registry.auth.username=
$docker.registry.auth.password=
$docker.registry.auth.email=

If no server is provided, Docker will default to authenticating at Docker Hub

$docker.registry.auth.server=

But the process of authenticating to AWS ECR is like this:

  1. Installing AWS CLI tool
  2. configuring: aws configure
    during this configuration you should provide 2 secret keys + region
  3. aws get-login
    this command will show you actual docker login string
    like docker login -u 'user' -p 'VERY_LONG_TOKEN_VALID_FOR_12_HOURS'
    Moreover password is valid for 12 hours only.

So the point is what I should paste into the Codenvy config in order to get access to AWS ECR.
Now it seems to me that every 12 hours I should run the aws get-login command and every 12 hours change the Codenvy config like this:

$docker.registry.auth.username=<USER_FROM_aws_get_login_COMMAND>
$docker.registry.auth.password=<PASSWORD_FROM_aws_get_login_COMMAND>

But this is not very convenient and kills automation.
Or is there another way to get images from AWS ECR?
Thank you.

@TylerJewell
Contributor

That is brutal. @skryzhny @skabashnyuk @riuvshin - any ideas on how an admin would handle configuring Codenvy onprem for private registries when AWS is changing the authentication TOKEN every 12 hours?

@soanni - we may need you to absorb this with a cron job that reconfigures Codenvy every 6 hours. It wakes up, gets the new TOKEN, updates codenvy configuration with codenvy config <prop> <value>.

@skabashnyuk
Contributor

skabashnyuk commented Jul 25, 2016

We had a small discussion about this with @garagatyi. And we think that it's not ideal to reload wsmaster. We could have some kind of AWS adapter that gets this token from Java code and refreshes it when needed.

@TylerJewell
Contributor

Ok - @skabashnyuk - we'll consider that for the future. In the meantime, for @soanni - we will need you to update the system once every 6-12 hours to avoid the TOKEN refresh problem.

@skabashnyuk
Contributor

@skryzhny @riuvshin can we do that?

@soanni
Author

soanni commented Jul 25, 2016

It seems that the properties for a private Docker registry in the documentation are outdated.
I'm doing this:

vi /etc/puppet/manifests/nodes/codenvy/codenvy.pp

Here I'm setting up the properties:

$docker.registry.auth.username=
$docker.registry.auth.password=
$docker.registry.auth.server=

Then I'm running
puppet agent -t

Then I'm checking the properties like this:

  1. codenvy // logging in to the im-cli
  2. config // listing all properties

The properties I've just set are not in the list.
Okay, doing this (still in im-cli):

config docker_registry_auth_username=

ERROR. No such property...
After looking through the properties list I can't see any property with '.' in the property name, so I tried this:

config docker_registry_auth_username=

ERROR. No such property..
Help please.

@TylerJewell
Contributor

@ddementieva - please take this as a support issue. This may be a docs issue. Please let's verify the parameters necessary for configuring access to a private registry within Codenvy properties.

@dmytro-ndp
Contributor

dmytro-ndp commented Jul 26, 2016

@soanni: the properties above should have at least empty values to appear in the codenvy config command output:

  $docker.registry.auth.username=""
  $docker.registry.auth.password=""
  $docker.registry.auth.server=""

Anyway, it will not help, and there is another property dedicated to setting custom Docker registry credentials: docker_registry_credentials. To add credentials please use the following template:
docker_registry_credentials = "registry1.url=my-private-registry1.com:5000
registry1.username=corp_user1
registry1.password=corp_pass1
registry2.url=my-private-registry2.com:5000
registry2.username=corp_user2
registry2.password=corp_pass2"

Please note that this is a multiline variable separated by newlines; you can add as many custom registries as you want. By default it is empty. Please take care to use the same prefix for each new set of credentials.

Example of the codenvy command to set the docker_registry_credentials variable:

codenvy config docker_registry_credentials "registry1.url=my-private-registry1.com:5000\nregistry1.username=corp_user1\nregistry1.password=corp_pass1\nregistry2.url=my-private-registry2.com:5000\nregistry2.username=corp_user2\nregistry2.password=corp_pass2"
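The cron-job approach @TylerJewell suggests earlier in the thread, combined with the docker_registry_credentials format above, as an added POSIX shell example that is not code from the Codenvy project or from this thread. It assumes the 2016 `aws ecr get-login` output shape (`docker login -u AWS -p <token> -e none https://<account>.dkr.ecr.<region>.amazonaws.com`) and that `aws` and the im-cli `codenvy` binary are on PATH; the value is joined with literal `\n` exactly as in the codenvy config command shown above.

```shell
#!/bin/sh
# Added example, not code from the Codenvy project or this thread.
# Builds the docker_registry_credentials value (registryN.url / .username /
# .password joined with literal "\n", as in the codenvy config command above)
# from the `docker login` line printed by `aws ecr get-login`, so a cron job
# can refresh the 12-hour ECR token unattended.
# Assumptions: the login line has the 2016 `aws ecr get-login` shape
#   docker login -u AWS -p <token> -e none https://<account>.dkr.ecr.<region>.amazonaws.com
# and `aws` and the im-cli `codenvy` binary are on PATH for the cron entry point.

# Convert one login line into a credential block for prefix $1 (e.g. registry1).
# Returns 1 if user, password or registry URL cannot all be found.
ecr_login_to_credentials() {
    prefix=$1
    user=""; pass=""; url=""
    # shellcheck disable=SC2086  # word-split the login line on purpose
    set -- $2
    while [ $# -gt 0 ]; do
        case $1 in
            -u) user=$2; shift ;;
            -p) pass=$2; shift ;;
            -e) shift ;;                      # legacy email flag, ignored
            https://*) url=${1#https://} ;;   # Codenvy wants host[:port], no scheme
        esac
        shift
    done
    [ -n "$user" ] && [ -n "$pass" ] && [ -n "$url" ] || return 1
    printf '%s.url=%s\\n%s.username=%s\\n%s.password=%s' \
        "$prefix" "$url" "$prefix" "$user" "$prefix" "$pass"
}

# Cron entry point (e.g. every 6 hours): fetch a fresh token, rewrite the property.
refresh_codenvy_ecr_credentials() {
    region=${1:-us-east-1}
    login_line=$(aws ecr get-login --region "$region") || return 1
    creds=$(ecr_login_to_credentials registry1 "$login_line") || return 1
    codenvy config docker_registry_credentials "$creds"
}

# Constructed sample login line with a placeholder account id and token.
SAMPLE_LOGIN_LINE='docker login -u AWS -p VERY_LONG_TOKEN -e none https://123456789012.dkr.ecr.us-east-1.amazonaws.com'

if [ "${1:-}" = "--refresh" ]; then
    refresh_codenvy_ecr_credentials "$2"
else
    ecr_login_to_credentials registry1 "$SAMPLE_LOGIN_LINE"; echo
fi
```

Run with `--refresh <region>` from cron; without arguments it only prints the value built from the constructed sample line.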

@soanni
Author

soanni commented Jul 26, 2016

Thank you @dmytro-ndp @skabashnyuk @TylerJewell, but I guess I'm still not able to add my AWS ECR because there is a limitation on the length of the password and the AWS token has more characters.

[screenshot: length_limit]

@soanni
Author

soanni commented Jul 26, 2016

I tried to add the registry in the CLI. There were no errors, but there is no sign of our images in recipes when creating a workspace, and in the Administration menu the Docker registry is empty. However, codenvy config shows me that the property docker_registry_credentials is updated.

@ddementieva

@soanni Have you tried to reference a custom workspace image at Custom Stack > Write your own stack? You can do that using the hostname and port of your registry, e.g. FROM my.registry.url:9000/image:latest (find more details on that at http://codenvy.readme.io/docs/configuration-docker#private-docker-registries)

Or do you want to add a new stack so that it could appear on the Dashboard?

@soanni
Author

soanni commented Jul 27, 2016

After the upgrade to 4.5.1 I can't edit the recipes when I'm trying to create a new machine inside an existing workspace. I can add and delete recipes, but the field with the Dockerfile contents itself is not editable.

@soanni
Author

soanni commented Jul 27, 2016

I tried in several browsers.
[screenshot: recepies_not_editable]

@ddementieva

ddementieva commented Jul 27, 2016

Bug confirmed. You may track it with eclipse-che/che#1967

Is your original issue with adding docker registry resolved?

@soanni
Author

soanni commented Jul 27, 2016

Okay, I did it the way @dmytro-ndp told me to, and now when I create the workspace I can write my own Dockerfile with FROM my_registry and the image is pulled.
But now I can't add the machine with the recipe due to the bug.
Is it possible to create several machines in one shot just from the workspace creation form?
Like this one:
// dev MAIN machine with all components for codenvy
FROM codenvy/centos
--commands for ws_agent;
// my application server machine
FROM <my_registry>/applications_server;
// my oracle server machine
FROM <my_registry>/oracle;

@TylerJewell
Contributor

@soanni - we will be supporting docker-compose syntax as a recipe input before the end of the quarter. This will orchestrate multi-machine workspaces with a network overlay. We had a demo of this at Red Hat DevNation a few weeks ago.

@soanni
Author

soanni commented Jul 27, 2016

Yeah, I read about it. But now I face the issue that I can't add the machine with my custom recipe due to the bug of the uneditable screen.
So that's why I'm asking: is it possible to somehow create 3 machines in one shot when creating a workspace?
Or only through the REST API and JSON, by creating one main machine during the workspace creation process and then adding 2 other machines through API calls?

@soanni
Author

soanni commented Jul 27, 2016

This bug really is a big stopper now. Maybe it's better to roll back to 4.4 for now?

@TylerJewell
Contributor

@soanni - if you need multi-machine launches coordinated before we provide formal support for compose syntax, I would recommend that we work with you to write some REST API scripts using curl to create workspaces + additional machines in a single transactional syntax.

We want to deprecate the operations view - that is more of a debugging view than a view intended for editing machine definitions. All of the recipe definitions and stack management are going into the dashboard, where the experience will be more joyful.

@soanni
Author

soanni commented Jul 27, 2016

@TylerJewell thank you for the answer. I really need multi-machine launches. We have a lot of products that use several components which are better spread over several machines. The Operations view is fine for me and very easy to use; using the REST API (even via Swagger) is much more time-consuming.
Okay, can you please kindly write who I can ask for help with writing some REST API scripts to add machines to an existing workspace (or even better, to create multi-machine workspaces in one shot)?

@TylerJewell
Contributor

@soanni - I think managing all of your requirements is going to be hard in GitHub. So, I propose that @bmicklea and @JamesDrummond make sure we capture all of the issues + priorities for your account, and we'll keep them well prioritized.

Here are the things that we need to do:

  1. For any bugs that prevent basic functionality, we'll have our engineering teams prioritize hot fixes immediately.
  2. For areas where we can offer some workarounds, like using REST w/ curl, we can give you some helper utilities.
  3. For areas which are feature enhancements, added to a backlog.

@soanni
Author

soanni commented Jul 27, 2016

@TylerJewell thank you.
If anyone needs something from my side, feel free to write to me at andrey.solodov@aurea.com

@TylerJewell
Contributor

Closing as this is cross referenced and tracked with other issues. I think we have handled it pretty well.
