Issue created Nov 30, 2020 by Elliot Rushton (@erushton, Maintainer)

Publish docker images to ECR registry

Overview

With Amazon's new registry, we want to publish our Docker images to that registry as well as the GitLab one and Docker Hub.

The account to push this to is already set up and configured. We should just need to log in and push.

CC @DarrenEastman

Resources

  • Getting started

GitLab Namespace

Both k2y5y2m7 and gitlab are valid aliases.

describe-registries
```
ecr-public-beta aws --region us-east-1 --profile distribution ecr-public describe-registries
{
    "registries": [
        {
            "registryId": "782774275127",
            "registryArn": "arn:aws:ecr-public::782774275127:registry/782774275127",
            "registryUri": "public.ecr.aws/gitlab",
            "verified": true,
            "aliases": [
                {
                    "name": "k2y5y2m7",
                    "status": "ACTIVE",
                    "primaryRegistryAlias": false,
                    "defaultRegistryAlias": true
                },
                {
                    "name": "gitlab",
                    "status": "ACTIVE",
                    "primaryRegistryAlias": true,
                    "defaultRegistryAlias": false
                }
            ]
        }
    ]
}
```

GitLab Runner repository

Public repository set up

Screen_Shot_2020-12-01_at_08.20.19

Public repository settings

Screen_Shot_2020-12-01_at_08.25.13

Screen_Shot_2020-12-01_at_08.25.20

GitLab Runner in the public gallery

Screen_Shot_2020-12-01_at_08.27.39

GitLab Runner helper repository

Authentication

  1. Download onboarding zip
  2. Follow the README.pdf

Setting up authentication for CI

  1. Create an IAM role for CI with the least privileges needed to authenticate with the registry and push images.
  2. For every job, run `aws --region us-east-1 ecr-public get-authorization-token --output=text --query 'authorizationData.authorizationToken' | base64 --decode | cut -d: -f2` to get a docker login. According to get-authorization-token, this token expires after 12 hours, so we have to generate one for every job to make sure we never get an expired token when trying to push.
  3. Run docker login with the output of the previous command, for example `aws --region us-east-1 ecr-public get-authorization-token --output=text --query 'authorizationData.authorizationToken' | base64 --decode | cut -d: -f2 | docker login -u AWS --password-stdin https://public.ecr.aws`
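
Steps 2 and 3 combined into one CI helper, as an added example that is not part of the original issue or the project's own scripts: it checks the decoded token's format and pipes the password straight into docker login so it never appears in the job log. The function names and the `--login` argument are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: ECR Public login for a CI job without exposing the token.

# Decode an ECR authorization token (base64 of "AWS:<password>") read from
# stdin and print only the password. Fails if the user part is not "AWS".
ecr_password_from_token() {
    local decoded user
    decoded=$(base64 --decode) || return 1
    user=${decoded%%:*}
    if [ "$user" != "AWS" ] || [ "$decoded" = "$user" ]; then
        echo "unexpected token format" >&2
        return 1
    fi
    # Everything after the first colon, even if the password contains ':'.
    printf '%s' "${decoded#*:}"
}

# Fetch a fresh token for this job and hand it to docker login on stdin.
ecr_public_login() {
    local token
    # Turn off xtrace so a `set -x` in the job cannot print the token.
    { set +x; } 2>/dev/null
    token=$(aws --region us-east-1 ecr-public get-authorization-token \
        --output=text --query 'authorizationData.authorizationToken') || return 1
    printf '%s' "$token" | ecr_password_from_token |
        docker login -u AWS --password-stdin https://public.ecr.aws
}

# Run the login only when asked, so the file can also be sourced.
if [ "${1:-}" = "--login" ]; then
    set -euo pipefail
    ecr_public_login
fi
```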

Mirror images

At launch, we want to have the latest gitlab/gitlab-runner and gitlab/gitlab-runner-helper images already published in the ECR registry for users to use.

Mirror gitlab/gitlab-runner

You can use the script below to mirror any tag we need, for example, `./mirror.sh gitlab/gitlab-runner:alpine`

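mirror.sh
```bash
#!/usr/bin/env bash
# Stop on the first failed command so a failed pull never leads to a push.
set -euo pipefail

# Image reference to mirror, for example gitlab/gitlab-runner:latest
image=$1
# Split the reference into its tag and its repository name.
tag=$(echo "$1" | sed 's/.*://')
imageName=$(echo "$1" | sed 's/:.*//')
ecrRegistry=public.ecr.aws
# Arguments for `docker manifest create`, one entry per architecture.
manifest=()

archs=("amd64" "arm64" "s390x")

for arch in "${archs[@]}"
do
    echo "arch: $arch"
    docker pull --platform "$arch" "$image"
    docker tag "$image" "$ecrRegistry/$imageName:$tag-$arch"
    docker push "$ecrRegistry/$imageName:$tag-$arch"
    # Remove the local image before pulling the next architecture.
    docker rmi "$image"
    manifest+=(--amend "$ecrRegistry/$imageName:$tag-$arch")
done

# Publish a multi-arch manifest list under the plain tag.
docker manifest create "$ecrRegistry/$imageName:$tag" "${manifest[@]}"
docker manifest push "$ecrRegistry/$imageName:$tag"
```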

Mirror gitlab/gitlab-runner-helper

Linux

Usage: ./mirror-helper.sh latest

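mirror-helper.sh
```bash
#!/usr/bin/env bash
# Stop on the first failed command so a failed pull never leads to a push.
set -euo pipefail

# Tag to mirror, for example latest or 8fa89735
tag=$1
ecrImage="public.ecr.aws/gitlab/gitlab-runner-helper"
dockerhubImage="gitlab/gitlab-runner-helper"

archs=("x86_64" "arm64" "s390x" "arm")

# Helper images carry the architecture in the tag, so copy each one as-is.
for arch in "${archs[@]}"
do
  docker pull "$dockerhubImage:$arch-$tag"
  docker tag "$dockerhubImage:$arch-$tag" "$ecrImage:$arch-$tag"
  docker push "$ecrImage:$arch-$tag"
done
```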

Windows

Usage: pwsh -f .\mirror-helper.pwsh -tag latest-servercore1809

mirror-helper.pwsh
```powershell
param([String]$tag="")

$dockerhubImage="gitlab/gitlab-runner-helper"
$ecrImage="public.ecr.aws/gitlab/gitlab-runner-helper"

# Log in to ECR Public, then copy the x86_64 helper image for the given tag.
docker login https://public.ecr.aws
docker pull "${dockerhubImage}:x86_64-${tag}"
docker tag "${dockerhubImage}:x86_64-${tag}" "${ecrImage}:x86_64-${tag}"
docker push "${ecrImage}:x86_64-${tag}"
```
Edited Dec 02, 2020 by Steve Azzopardi