Uploading Docker container to AWS ECR using shell-local post-processor #3644

Closed
iroller opened this issue Jun 23, 2016 · 11 comments

iroller commented Jun 23, 2016

Latest Packer in Atlas

I've been using packer-tag and packer-push as suggested in the docs to upload a Docker container built with Packer to Amazon EC2 Container Registry. It works fine, but it requires me to manually update login_password using aws ec2 ecr-login every 12 hours since the token provided by Amazon is temporary.

Since I can provide Packer with AWS keys there should be a way for it to obtain a new token on each execution.

I've tried to use shell-local instead of packer-tag and packer-push to get this working:

     [
       {
         "type": "shell-local",
         "inline_shebang": "/bin/sh -ex",
         "inline": [
           "echo 'Uploading to AWS ECR'",
           "eval $(aws ecr get-login --region us-east-1)",
           "docker tag {{ user `repo_name` }}/0.1:latest 123.dkr.ecr.us-east-1.amazonaws.com/{{ user `repo_name` }}/0.1:latest",
           "docker push 123.dkr.ecr.us-east-1.amazonaws.com/{{ user `repo_name` }}/0.1"
         ]
       },

Packer build completes with no errors. However, the image is not being uploaded and there's no related output even with PACKER_LOG=debug. The only thing I see in the logs is:

2016/06/23 00:42:37 ui: ==> docker: Running post-processor: shell-local
==> docker: Running post-processor: shell-local
2016/06/23 00:42:37 Flagging to keep original artifact from post-processor 'shell-local'
2016/06/23 00:42:37 ui: Build 'docker' finished.
2016/06/23 00:42:37 Builds completed. Waiting on interrupt barrier...

Any suggestions on how to get it working?

A better way would be to keep the docker-tag and docker-push post-processors but provide the output of AWS_ACCESS_KEY_ID=123 AWS_SECRET_ACCESS_KEY=123 aws ecr get-authorization-token --output text --query "authorizationData[].authorizationToken" to the login_password field somehow. The question is how to do that.

@rickard-von-essen
Collaborator

Shell-local runs once per file in the artifact. But Amazon builders' artifacts have no files. Thus it never executes.

This could be seen as an Atlas-specific issue.

@iroller
Author

iroller commented Jun 23, 2016

In the configs/logs I provided I used the docker builder and shell-local still never executed. It does seem weird how shell-local works overall.

What lines in packer debug log should I look for?

@rickard-von-essen
Collaborator

Could you provide a full template.json and debug.log (PACKER_LOG=1 packer build ...)?

@iroller
Author

iroller commented Jun 24, 2016

Hey, sorry for the delay, I'll try to provide those logs soon.

@bobbydeveaux

bobbydeveaux commented Jun 28, 2016

@iroller my solution is a bash script:

build.sh:

COMMAND=`eval aws ecr get-login --region us-west-2`
echo `eval $COMMAND`
echo "Building via Packer"
packer build ./packer/template.json

My template.json post processor step looks like this:

"post-processors": [
    [
      {
        "type": "docker-tag",
        "repository": "123123123.dkr.ecr.us-west-2.amazonaws.com/myrep}",
        "tag": "latest"
      },
      {
        "type": "docker-push",
        "login_server": "https://123123123.dkr.ecr.us-west-2.amazonaws.com/"
      }
    ]
  ]

Works great! :)

@iroller
Author

iroller commented Jun 28, 2016

@bobbydeveaux thanks, in my case I run packer in Atlas and don't think I can use the way you described. Still looking into getting local-shell working for executing aws get-login

@dandye

dandye commented Jul 6, 2016

As @rickard-von-essen said, "Shell-local runs once per file in the artifact. But Amazon builders' artifacts have no files. Thus it never executes."

I found that I could work around that behavior with an "artifice post-processor [to] override the artifact list from an upstream builder or post-processor" (Artifice post-processor) like so:

"provisioners": [
    {
        "type": "shell",
        "inline": [
            ...
        ]
    },
    {
        "type": "file",
        "source": "/var/log/yum.log",
        "destination": "./yum.log",
        "direction": "download"
    }
],

"post-processors": [
  [
    {
      "only": ["openstack"],
      "type": "artifice",
      "files": ["./yum.log"]
    },
    {
      "type": "shell-local",
      "only": ["openstack"],
      "inline": [
      ...
      ]
    }],
    {
    ...

@pdakhane

pdakhane commented Aug 31, 2016

@iroller, I tried to mimic your method with Packer 0.10.1 but it did not work for me; details below.

Error

2016/08/30 19:30:56 ui:     docker (docker-push): f59b7e59ceaa: Preparing
    docker (docker-push): f59b7e59ceaa: Preparing
2016/08/30 19:30:56 ui:     docker (docker-push): f59b7e59ceaa: Image push failed
    docker (docker-push): f59b7e59ceaa: Image push failed
2016/08/30 19:30:56 ui:     docker (docker-push): no basic auth credentials
    docker (docker-push): no basic auth credentials
2016/08/30 19:30:56 ui error: Build 'docker' errored: 1 error(s) occurred:

build.sh

COMMAND=`eval aws ecr get-login --region us-west-2`
echo `eval $COMMAND`
echo "Building via Packer"
packer build data-exchange-packer.json 

packer JSON file snippet

  "post-processors": [
    [
      {
        "type":"docker-tag",
        "repository" : "<acctid>.dkr.ecr.us-east-1.amazonaws.com/sbg_cloudinfra_sse_data_exchange",
        "tag" : "data-exchange-{{user `version`}}"
      },
      {
        "type":"docker-push",
        "login_server": "https://182570719012.dkr.ecr.us-east-1.amazonaws.com"
      }
    ]
  ]
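
An added example (not code from this thread or from Packer) of the token handling the posts above are working around: it derives the region from the registry host so the login targets the same registry that docker-push uses, decodes the authorizationToken (base64 of `AWS:<password>`), and passes the password to `docker login` on stdin instead of through `eval` or `-p`. The function names and the sample token are assumptions constructed for illustration; `--password-stdin` needs a Docker client that supports it.

```shell
#!/bin/sh
# Added example; function names are hypothetical, the sample token is constructed.

# Region from an ECR registry host or login_server URL:
#   https://123.dkr.ecr.us-east-1.amazonaws.com/ -> us-east-1
ecr_region_from_host() {
    host=${1#https://}
    host=${host%%/*}
    case "$host" in
        *.dkr.ecr.*.amazonaws.com)
            region=${host#*.dkr.ecr.}
            printf '%s\n' "${region%.amazonaws.com}" ;;
        *)
            echo "not an ECR registry host: $1" >&2
            return 1 ;;
    esac
}

# authorizationToken is base64 of "AWS:<password>"; print only the password.
ecr_password_from_token() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    case "$decoded" in
        AWS:?*) printf '%s\n' "${decoded#AWS:}" ;;
        *) echo "unexpected token format" >&2; return 1 ;;
    esac
}

# Fetch a token for the registry's own region and hand the password to docker
# on stdin, so it is not placed on the docker command line.
ecr_login() {
    region=$(ecr_region_from_host "$1") || return 1
    token=$(aws ecr get-authorization-token --region "$region" --output text \
        --query 'authorizationData[0].authorizationToken') || return 1
    host=${1#https://}
    ecr_password_from_token "$token" |
        docker login --username AWS --password-stdin "${host%%/*}"
}

# Constructed sample token (not a real credential) for trying the parser offline.
SAMPLE_TOKEN=$(printf 'AWS:constructed-secret' | base64)
```

Calling `ecr_login` with the same value as the template's login_server before `packer build` keeps the login and the push on one registry host; avoid running it under `sh -x`, which would trace the token assignment into the build log.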

@rickard-von-essen
Collaborator

And improved ECR support that does not require using aws ecr get-login to get ECR credentials, see #3856.

@rickard-von-essen
Collaborator

Closing this since native ECR support was added in #3856.

@hashicorp hashicorp locked and limited conversation to collaborators Apr 5, 2020