In this section, you create a Docker image of a simple web application, and test it on your local system or EC2 instance, and then push the image to a container registry (such as Amazon ECR or Docker Hub) so you can use it in an ECS task definition.
Docker is a technology that allows you to build, run, test, and deploy distributed applications that are based on Linux containers. Amazon ECS uses Docker images in task definitions to launch containers on Amazon EC2 instances in your clusters. For Amazon ECS product details, featured customer case studies, and FAQs, see the Amazon Elastic Container Service product detail pages.
The documentation in this guide assumes that readers possess a basic understanding of what Docker is and how it works. For more information about Docker, see What is Docker? and the Docker overview.
Topics
Note
If you already have Docker installed, skip to Create a Docker Image.
Docker is available on many different operating systems, including most modern Linux distributions, like Ubuntu, and even Mac OSX and Windows. For more information about how to install Docker on your particular operating system, go to the Docker installation guide.
You don't even need a local development system to use Docker. If you are using Amazon EC2 already, you can launch an instance and install Docker to get started.
To install Docker on an Amazon EC2 instance
Launch an instance with the Amazon Linux 2 AMI. For more information, see Launching an Instance in the Amazon EC2 User Guide for Linux Instances.
Connect to your instance. For more information, see Connect to Your Linux Instance in the Amazon EC2 User Guide for Linux Instances.
Update the installed packages and package cache on your instance.
Install the most recent Docker Community Edition package.
Start the Docker service.
Add the ec2-user
to the docker
group so you can execute Docker commands without using sudo
.
Log out and log back in again to pick up the new docker
group permissions. You can accomplish this by closing your current SSH terminal window and reconnecting to your instance in a new one. Your new SSH session will have the appropriate docker
group permissions.
Verify that the ec2-user
can run Docker commands without sudo
.
Note
In some cases, you may need to reboot your instance to provide permissions for the ec2-user
to access the Docker daemon. Try rebooting your instance if you see the following error:
Amazon ECS task definitions use Docker images to launch containers on the container instances in your clusters. In this section, you create a Docker image of a simple web application, and test it on your local system or EC2 instance, and then push the image to a container registry (such as Amazon ECR or Docker Hub) so you can use it in an ECS task definition.
To create a Docker image of a simple web application
Create a file called Dockerfile
. A Dockerfile is a manifest that describes the base image to use for your Docker image and what you want installed and running on it. For more information about Dockerfiles, go to the Dockerfile Reference.
Edit the Dockerfile
you just created and add the following content.
This Dockerfile uses the Ubuntu 16.04 image. The RUN
instructions update the package caches, install some software packages for the web server, and then write the 'Hello World!' content to the web server's document root. The EXPOSE
instruction exposes port 80 on the container, and the CMD
instruction starts the web server.
Build the Docker image from your Dockerfile.
Note
Some versions of Docker may require the full path to your Dockerfile in the following command, instead of the relative path shown below.
Run docker images to verify that the image was created correctly.
Output:
Run the newly built image. The -p 80:80
option maps the exposed port 80 on the container to port 80 on the host system. For more information about docker run, go to the Docker run reference.
Note
Output from the Apache web server is displayed in the terminal window. You can ignore the 'Could not reliably determine the server's fully qualified domain name
' message.
Open a browser and point to the server that is running Docker and hosting your container.
If you are using an EC2 instance, this is the Public DNS value for the server, which is the same address you use to connect to the instance with SSH. Make sure that the security group for your instance allows inbound traffic on port 80.
If you are running Docker locally, point your browser to http://localhost/.
If you are using docker-machine on a Windows or Mac computer, find the IP address of the VirtualBox VM that is hosting Docker with the docker-machine ip command, substituting machine-name
with the name of the docker machine you are using.
You should see a web page with your 'Hello World!' statement.
Stop the Docker container by typing Ctrl + c.
Amazon ECR is a managed AWS Docker registry service. Customers can use the familiar Docker CLI to push, pull, and manage images. For Amazon ECR product details, featured customer case studies, and FAQs, see the Amazon Elastic Container Registry product detail pages.
This section requires the following:
You have the AWS CLI installed and configured. If you do not have the AWS CLI installed on your system, see Installing the AWS Command Line Interface in the AWS Command Line Interface User Guide.
Your user has the required IAM permissions to access the Amazon ECR service. For more information, see Amazon ECR Managed Policies.
To tag your image and push it to Amazon ECR
Create an Amazon ECR repository to store your hello-world
image. Note the repositoryUri
in the output.
Output:
Tag the hello-world
image with the repositoryUri
value from the previous step.
Run the aws ecr get-login --no-include-email command to get the docker login authentication command string for your registry.
Note
The get-login command is available in the AWS CLI starting with version 1.9.15; however, we recommend version 1.11.91 or later for recent versions of Docker (17.06 or later). You can check your AWS CLI version with the aws --version command. If you are using Docker version 17.06 or later, include the --no-include-email
option after get-login
. If you receive an Unknown options: --no-include-email
error, install the latest version of the AWS CLI. For more information, see Installing the AWS Command Line Interface in the AWS Command Line Interface User Guide.
Run the docker login command that was returned in the previous step. This command provides an authorization token that is valid for 12 hours.
Important
When you execute this docker login command, the command string can be visible to other users on your system in a process list (ps -e) display. Because the docker login command contains authentication credentials, there is a risk that other users on your system could view them this way. They could use the credentials to gain push and pull access to your repositories. If you are not on a secure system, you should consider this risk and log in interactively by omitting the -p
option, and then entering the password when prompted. password
Push the image to Amazon ECR with the repositoryUri
value from the earlier step.
When you are done experimenting with your Amazon ECR image, you can delete the repository so you are not charged for image storage.
Now that you've created a Docker image and pushed it to an Amazon ECR repository, you can begin creating your Amazon ECS resources to get a container launched. Use the following topics to continue:
Complete the prerequisites. For more information, see Setting Up with Amazon ECS.
For AWS CLI walkthroughs, see Using the AWS CLI with Amazon ECS.
For AWS Management Console walkthroughs, see Getting Started with Amazon ECS.
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.
Sign upHave a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
I read Issue #3529 and #3291 and saw those were closed, with the only reaction hinting it was 'not that complicated'. However, the comment also acknowledged that doing this yourself would run the risk of being out of date. Apart from exactly that point, I would also like to point out that, for commercial users, having an official Amazon image is hugely preferential to '/aws-cli:latest'. In my case, I would be using this in a Google Cloud Build because it is far superior than AWS CodeBuild. |
I am here because I too am looking for an official aws-cli docker image to use in my CI/CD environment. Instead I am now going to create ANOTHER pipeline to build a docker image which includes the aws cli when I could just reference the official one in my original pipeline. Also...someone else gets it too https://hub.docker.com/r/google/cloud-sdk. |
@matti and @nscavell, Thank you for following up on this topic. Sounds like there enough interest in this feature request to keep this open. This issue will be used to track an official Docker image for the AWS CLI. Please +1 it to show interest and help us prioritize this. Thanks. |
Isn't +1 considered harmful ;) Anyway this is the third (?) issue created about this... |
I have to create my own docker image to only include awsCLI in my CI. I would prefere an official one |
+1 |
+1 |
+1 |
+1 |
+1 |
+1 |
+1 |
+1 |
+1 |
+1 Heres an alpine (post fix) image with the most recent cli installed for anyone else looking for a recent version in the mean time. |
@justnance enough? |
+1 |
+1 |
+1 |
+1 |
Another reason is when using an OS like coreOS that has no package management the idiomatic way of running things is via a container. I'm surprised the need for this would even be questioned, is an obvious omission. +1 |
+1 |
+1 |
+1 |
+1 |
+1 |
As the opener of #3291 (the earliest of the three quoted Issues lol), I'm glad to see that this issue is finally gaining traction. To all future responders, when @justnance says 'Please +1 it to show interest', he means add a like on the first comment, that's the proper way to +1 things on GitHub so that you're not spamming the maintainers' mailboxes. |
+1 |
Can you stop +1? if you want to +1, do it on the top. You are wasting valuable engineer time. We are dozen subscribed to this issue... |
I have been maintaining an aws-cli image for over two years now. Feel free to use it if needed (I use it several times a day). I receive updates on new version releases (via IFTT) and push updates fairly quickly. Despite the fame and glory of running my own image (ha!), I will gladly defer and push folks to use an official image. After having used my image for a long time, I will say that it would be super helpful if the official image included |
Yet another alternative solution to the problem: https://hub.docker.com/r/somedeveloper/aws-cli/ Reasons for using:
Still hoping for an official image. Think about the people now |
https://hub.docker.com/r/google/cloud-sdk/ . Sorry, guys. It is such a hard task to do for a giant like AWS. |
+1 |
Fourth, if you consider amazonlinux/container-images#10. |
Can't we just put it in CircleCI and be done with it? Happy to help with the Dockerfile or pipeline. |
I wonder if there are any internal restrictions and/or paperworks inside Amazon that keeps the developers away from accomplishing this seemingly trivial work... |
k lol |
There are a few variants that would be nice to have in an 'official' image. For instance, I'm currently looking to grab a container with the aws cli and curl (to check the IAM metadata endpoint) and it would be really handy to find one I could just grab and plug into my k8s deployment. |
There is also a security reason for providing official images. It makes the threat model simpler by removing a dependency on a 'random person on the internet' maintaining the image that is used in high value targets like CI/CD pipelines that usually give a lot of access to your systems. |
I would like an official aws-cli docker image based from the docker:18 (current stable) image (https://hub.docker.com/_/docker) - eg. aws-cli-docker-18 because I would like to build my docker image in my CI/CD environment that currently uses |
+1 |
+1 |
It would be great if people would refrain from commenting when their comment does not contribute to the issue at hand. Comments such as '+1' just introduce spam for subscribers and make the issue lengthier than necessary. Instead, give a thumbs up to the first comment of the issue. |
This issue has been open since September of last year. I think we need to ask AWS to take a look at this issue again, since there is obviously interest in it. We should be told how much interest is 'enough'. |
Not just interest, but is the opened issue with more The 2nd with most reactions was opened in 2014 and the 3rd in 2015, while this issue was opened in September of 2018 (less than a year ago). |
+1000 |
I have on my local machine all the time issues with setting up the right dependencies to make aws-cli work. Therefore I decided to switch to aws-cli inside docker. I found several publicly available images on docker-hub BUT because they are not official I don't trust them by default so every time there is an updated version available I have to search and find again an image which can be trusted. and is secure to use. Please AWS build, maintain and provide a secure aws-cli docker image via docker hub. Thanks in advance |
There's a huge fragmentation of community provided aws-cli images. But, as mentioned earlier: people would prefer one that's officially maintain and supported by Amazon. Several reasons why:
|
+1 |
+1 It's really unfortunate that Amazon does not provide this |
I have since added another image that has been handy. It combines Docker in Docker with the AWS and SAM CLI which makes for a perfect ECR integration. |
+1 |
Whilst there are loads of unofficial images out there that are well maintained, what's to stop them one day from saying 'Pfft, what's the point of updating this anymore. This is Amazon's job!' |