Shipping docker image into AWS China

Charles Yang
Sep 8, 2019


While hosting a back-end service in China, the biggest challenge is the Great Firewall. This post explains how to use AWS tools to transfer a docker image into China efficiently.

The following flow chart shows a basic pipeline; with this practice there should be a stable, qualified docker image available in the existing service.

When setting up a new service in China, there are two options:

  1. Build the image locally in China
  2. Find an efficient way to ship the image from outside into China

For the first option, there are some concerns.

Building the docker image directly in China means it is an entirely new image. Logically there is no code change, but in fact any of the 3rd-party dependencies might change at any time, so the image has to go through testing again to make sure of the quality of this new image.

Another concern is again the Great Firewall: most open source resources are hosted in the US, and fetching them from China takes a lot of time in network transfer and easily runs into timeouts and various network issues. Based on my experience, building one image in the US might take less than 5 minutes, but in China it might be 30 minutes or more.

The last concern is that I would like to have a golden image which works in all environments.

Therefore, I tried to figure out an efficient way to ship my golden image into the AWS China environment.

The major concept:

  1. Use docker save to dump the golden image
  2. Upload the golden image to an S3 bucket in China
  3. Use docker load to get the image from the S3 bucket
  4. Push the docker image to ECR in China

The following shows the pipeline for shipping the image:

Detailed instructions:

1. Set up an AWS CodeBuild project to pack the golden image as a zip and post it to an S3 bucket in China. The following is the CodeBuild build script:

    version: 0.2

    env:
      variables:
        SERVICE_NAME: my-service
        ECS_SOURCE: *****.dkr.ecr.region-name.amazonaws.com
        # Keys are shown inline here; CodeBuild can also read them from
        # env/parameter-store or env/secrets-manager so they stay out of the buildspec.
        CN_AWS_ACCESS_KEY_ID: ****
        CN_AWS_SECRET_ACCESS_KEY: ****

    phases:
      install:
        runtime-versions:
          docker: 18
      pre_build:
        commands:
          - IMAGE_REPO_NAME=${SERVICE_NAME}
          - ZIP_FILE=${SERVICE_NAME}.zip
          - echo Logging in to Amazon ECR...
          # get-login is AWS CLI v1 syntax; CLI v2 uses get-login-password
          - $(aws ecr get-login --no-include-email --region $AWS_DEFAULT_REGION)
      build:
        commands:
          - mkdir image
          - GIT_HASH=`git log -1 --format=%h`
          # Pull the already-tested golden image and dump it to a tar archive
          - docker pull ${ECS_SOURCE}/${IMAGE_REPO_NAME}:${GIT_HASH}
          - docker save ${ECS_SOURCE}/${IMAGE_REPO_NAME}:${GIT_HASH} -o ./image/${SERVICE_NAME}
          - zip -r ${ZIP_FILE} ./image
      post_build:
        commands:
          - echo Upload image...
          # export so the aws CLI child process sees the China-partition credentials
          - export AWS_ACCESS_KEY_ID=$CN_AWS_ACCESS_KEY_ID
          - export AWS_SECRET_ACCESS_KEY=$CN_AWS_SECRET_ACCESS_KEY
          - aws s3 --region cn-north-1 cp $ZIP_FILE s3://china-bucket/$ZIP_FILE

2. Set up the AWS CodeBuild project so it can be triggered by a GitHub webhook with a specified event

3. Set up another AWS CodeBuild project whose source is the zip file we stored in S3, and then push the image to AWS ECR in China. The following is the CodeBuild build script:

    version: 0.2

    env:
      variables:
        SERVICE_NAME: my-service
        ECS_SOURCE: ****.dkr.ecr.cn-north-1.amazonaws.com.cn

    phases:
      install:
        runtime-versions:
          docker: 18
      pre_build:
        commands:
          - IMAGE_REPO_NAME=${SERVICE_NAME}
          - echo Logging in to Amazon ECR...
          # get-login is AWS CLI v1 syntax; CLI v2 uses get-login-password
          - $(aws ecr get-login --no-include-email --region $AWS_DEFAULT_REGION)
      build:
        commands:
          # The S3 source zip is unpacked by CodeBuild, so the archive is at image/<service>
          - docker load -i image/$SERVICE_NAME
          # Takes the first listed image; this relies on the build container holding only the loaded image
          - DOCKER_IMAGE=`docker images -q | head -n 1`
          - GIT_HASH=`docker images --format "{{.Tag}}" | head -n 1`
          - docker tag $DOCKER_IMAGE $ECS_SOURCE/$IMAGE_REPO_NAME:$GIT_HASH
      post_build:
        commands:
          - echo Push image...
          - docker push $ECS_SOURCE/$IMAGE_REPO_NAME:$GIT_HASH

4. Set up an AWS CloudWatch S3 event to trigger AWS CodeBuild in China

5. All done. You can now try to trigger the whole flow via the webhook.
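
An integrity check that could run in the second build before `docker load`, as an added example that is not part of the original post: it verifies the saved archive against a SHA-256 recorded at `docker save` time and reads the tag and image ID from the archive's `manifest.json` instead of taking the first line of `docker images`. It assumes the classic `docker save` layout (`manifest.json` with `Config` and `RepoTags`) and that the expected digest travels separately from the S3 object; the function names and the sample archive are constructed for illustration.

```python
import hashlib
import io
import json
import tarfile


def file_sha256(path):
    """Stream the archive through SHA-256 (image archives are too big to slurp)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def archive_images(path):
    """Map each repo tag in a `docker save` archive to its image ID."""
    tags = {}
    with tarfile.open(path) as tar:
        for entry in json.load(tar.extractfile("manifest.json")):
            # Classic image store: the image ID is the SHA-256 of the config JSON.
            config = tar.extractfile(entry["Config"]).read()
            image_id = "sha256:" + hashlib.sha256(config).hexdigest()
            for tag in entry.get("RepoTags") or []:
                tags[tag] = image_id
    return tags


def verify_archive(path, expected_sha256, expected_ref):
    """Return the image ID for expected_ref, or raise if the archive was altered."""
    if file_sha256(path) != expected_sha256:
        raise ValueError("archive digest differs from the value recorded at save time")
    images = archive_images(path)
    if expected_ref not in images:
        raise ValueError(f"{expected_ref} not in archive, found {sorted(images)}")
    return images[expected_ref]


def constructed_archive(path, ref):
    """Write a minimal stand-in for `docker save` output (constructed sample, no layers)."""
    config = json.dumps({"architecture": "amd64", "os": "linux"}).encode()
    name = hashlib.sha256(config).hexdigest() + ".json"
    manifest = json.dumps([{"Config": name, "RepoTags": [ref], "Layers": []}]).encode()
    with tarfile.open(path, "w") as tar:
        for member, data in ((name, config), ("manifest.json", manifest)):
            info = tarfile.TarInfo(member)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
```

In the pipeline, the first build would record `file_sha256` of `./image/my-service` after `docker save`, and the second build would call `verify_archive` on `image/my-service` and tag by the returned image ID.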
