我正在尝试构建一个管道,使用 AWS CodeBuild 的构建规范构建和推送 docker 图像到 ECR。我的项目是带有 docker-compose yaml 文件的多容器微服务。我为我的 CodeBuild 启用了特权模式,管道能够登录 AWS,构建和标记图像,但它在 docker push 命令中失败并出现以下错误:
[Container] 2023/02/21 17:45:38 Command did not exit successfully docker push $REPOSITORY_URL/service1:$TAG exit status 1
[Container] 2023/02/21 17:45:38 Phase complete: POST_BUILD State: FAILED
[Container] 2023/02/21 17:45:38 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: docker push $REPOSITORY_URL/service1:$TAG. Reason: exit status 1
我的 docker-compose.yaml 文件如下所示:
version: '3.4'
services:
service1:
image: service1
build:
context: .
dockerfile: Service1.API/Dockerfile
service2:
image: service2
build:
context: .
dockerfile: service2.API/Dockerfile
我的构建规范文件如下所示:
version: 0.2
phases:
install:
runtime-versions:
docker: latest
pre_build:
commands:
# This Docker Image tag will have date, time and Codecommit version
- TAG="$(date +%Y-%m-%d.%H.%M.%S).$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | head -c 8)"
# Check AWS CLI Version
- echo "Checking AWS CLI Version..."
- aws --version
# Login to ECR Registry
- echo "Logging in to Amazon ECR..."
- $(aws ecr get-login --no-include-email --region us-east-1)
build:
commands:
- echo "Docker build started on `date`"
- echo "Building the Docker images..."
- docker-compose -f docker-compose.yml build
- echo Tagging the Docker images...
- docker tag service1:latest $REPOSITORY_URL/service1:$TAG
- docker tag service2:latest $REPOSITORY_URL/service2:$TAG
post_build:
commands:
# Push Docker Image to ECR Repository
- echo "Docker build completed on `date`"
- echo "Pushing the Docker images to Amazon ECR..."
- docker push $REPOSITORY_URL/service1:$TAG
- docker push $REPOSITORY_URL/service2:$TAG
- echo "Docker Push to ECR Repository Completed - $REPOSITORY_URL:$TAG"
# Create Artifacts which we can use if we want to continue our pipeline for other stages
- echo "Writing the image details to a file...""
- echo {\"service1\":\"$REPOSITORY_URL/service1:$TAG\",\"service2\":\"$REPOSITORY_URL/service2:$TAG\"} > build.json
artifacts:
files:
- build.json
- manifests/*
我已将所有必要的政策附加到我的代码构建服务角色中,我的政策如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart",
"ecr:SetRepositoryPolicy",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DeleteRepositoryPolicy",
"ecr:GetRepositoryPolicy",
"ecr:GetAuthorizationToken"
],
"Effect": "Allow",
"Resource": "arn:aws:ecr:us-east-1:<ACCOUNT_ID>:repository/dev-repo"
},
{
"Action": [
"ecr:GetAuthorizationToken"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ecr-public:GetAuthorizationToken",
"sts:GetServiceBearerToken"
],
"Resource": "*"
}
]
}
日志错误不够清楚,没有说明可能出了什么问题,我已经加入了对这些类似问题的一些回答以形成我的政策,但它仍然不适合我。
错误信息对我来说似乎很清楚:
Command did not exit successfully docker push $REPOSITORY_URL/service1:$TAG exit status 1
您的命令无效,您正在尝试推送到名为 $REPOSITORY_URL/service1:$TAG.
的目的地你在预构建阶段设置 TAG,但这不是正确的方法,无论如何正确的语法应该是
export TAG="$(date +%Y-%m-%d.%H.%M.%S).$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | head -c 8)"
按照 本指南 编写正确的构建规范。 至少,您缺少具有正确变量设置的 env 部分。
因为这是一个多容器微服务应用程序,我想我可以为两个图像使用一个单一的 ECR 存储库,原来这就是问题所在。所以我通过确保每个图像都有单独的 ECR 存储库并且图像名称必须与存储库名称匹配来解决这个问题。
示例:代替
docker tag service1:latest $REPOSITORY_URL:$TAG
$REPOSITORY_URL 应该是:
<ACCOUNT_ID>.dkr.ecr.us-east-1.amazonaws.com/service1