
I have an EC2 Ubuntu 22.04.1 LTS (Jammy Jellyfish) instance which should pull from AWS ECR, and replace and restart the running Docker container whenever there is a new image in ECR. I found Watchtower for that and tried to configure it, but it hasn't worked so far. It pulls and runs the container only once. On the second attempt it returns the error "No basic auth credentials." Can anyone help or suggest another simple tool to update containers automatically?

I used dockerfile with test ubuntu image and sleep command:

$ cat Dockerfile
FROM ubuntu
RUN echo "Hi there!"
CMD sleep 2500

and my docker-compose.yml file now looks like this, where ****** is the AWS account ID.

$ cat docker-compose.yml
version: "3"
services:
  ubuntu:
    image: ******.dkr.ecr.us-east-1.amazonaws.com/mytest:latest
    container_name: mytest

  watchtower:
    image: containrrr/watchtower
    container_name: watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - .docker/config.json:/home/administrator/.docker/config.json
      - helper:/go/bin
    environment:
      - HOME=/
      - PATH=$PATH:/go/bin
      - AWS_REGION=us-east-1
    command: ['mytest','--schedule','30 * * * * *']
volumes:
  helper:
    external: true

My ~/.docker/config.json :

$ cat ~/.docker/config.json
{
        "credsStore" : "ecr-login",
        "HttpHeaders" : {
        "User-Agent" : "Docker-Client/19.03.1 (XXXXXX)"
        },
        "auths": {
                "******.dkr.ecr.us-east-1.amazonaws.com": {
                        "auth": "Lot of random letters"
                }
        },
        "credHelpers": {
        "******.dkr.ecr.us-east-1.amazonaws.com" : "ecr-login"
        }
}

I have installed docker-credential-ecr-login and put it in /go/bin/

$ ls /go/bin/
docker-credential-ecr-login

When I run docker-compose up -d it pulls the image and starts the container normally, but then it can't look up the registry the second time, with the error: no basic auth credentials

Watchtower logs:

$ docker logs 27238edee0b1
time="2022-12-24T03:44:02Z" level=info msg="Watchtower 1.5.1"
time="2022-12-24T03:44:02Z" level=info msg="Using no notifications"
time="2022-12-24T03:44:02Z" level=info msg="Only checking containers which name matches \"mytest\""
time="2022-12-24T03:44:02Z" level=info msg="Scheduling first run: 2022-12-24 03:44:30 +0000 UTC"
time="2022-12-24T03:44:02Z" level=info msg="Note that the first check will be performed in 27 seconds"
time="2022-12-24T03:44:30Z" level=info msg="Unable to update container \"/mytest\": Error response from daemon: Head \"https://******.dkr.ecr.us-east-1.amazonaws.com/v2/mytest/manifests/latest\": no basic auth credentials. Proceeding to next."
time="2022-12-24T03:44:30Z" level=info msg="Session done" Failed=0 Scanned=1 Updated=0 notify=no

What I've tried:

{
    "credsStore": "ecr-login"
}

then

{
    "auths": {
        "000000000000.dkr.ecr.us-east-1.amazonaws.com": {}
    },
    "credsStore": "ecr-login"
}
  • tried removing ~/.docker/config.json and doing aws ecr get-login-password --region eu-central-1 | docker login --username AWS --password-stdin ******.dkr.ecr.eu-central-1.amazonaws.com as suggested here https://jhooq.com/aws-ecr-docker-login-error-credential/
  • tried using both the --interval and --schedule options
Aleksandr
  • Hi, came across this article where it states "Some private Docker registries (the most prominent probably being AWS ECR) use non-standard ways of authentication. To be able to use this together with watchtower, we need to use a credential helper." Reference: https://containrrr.dev/watchtower/private-registries/ – Vasanth Subramanian Dec 25 '22 at 06:08
  • Yes, that is what I did. According to the instruction. And it didn't work. – Aleksandr Dec 25 '22 at 07:32
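
A lint for the setup described in the question, as an added example (not code from the post or from the Watchtower project): it checks that the Docker config file is mounted where the container will look for it, that the credential helper named for the registry is reachable on PATH, and that no static ECR token is left in the file. It assumes Watchtower reads config.json from $DOCKER_CONFIG, or from / when that is unset; the account ID 000000000000, the function names and the sample dicts are constructed.

```python
import posixpath

REGISTRY = "000000000000.dkr.ecr.us-east-1.amazonaws.com"  # constructed account ID

def helper_for(registry, docker_cfg):
    """Name of the helper binary Docker resolves for a registry, or None."""
    name = docker_cfg.get("credHelpers", {}).get(registry) or docker_cfg.get("credsStore")
    return f"docker-credential-{name}" if name else None

def lint(service, docker_cfg, registry=REGISTRY):
    """Return findings for one compose service (dict form of the YAML)."""
    findings = []
    env = dict(e.split("=", 1) for e in service.get("environment", []))
    # Container-side target of each "source:target[:mode]" volume entry.
    targets = [v.split(":")[1] for v in service.get("volumes", []) if ":" in v]
    # Assumption: the config dir is $DOCKER_CONFIG, or "/" when that is unset.
    want = posixpath.join(env.get("DOCKER_CONFIG", "/"), "config.json")
    if want not in targets:
        findings.append(f"config.json is not mounted at {want}")
    helper = helper_for(registry, docker_cfg)
    if helper is None:
        findings.append(f"no credential helper configured for {registry}")
    elif not any(d in targets for d in env.get("PATH", "").split(":")):
        # Simplification: the helper must arrive via a volume mounted on a PATH dir.
        findings.append(f"{helper} is not on PATH through any mounted volume")
    if docker_cfg.get("auths", {}).get(registry, {}).get("auth"):
        findings.append("static auth entry present; ECR tokens expire after 12 hours")
    return findings

# Constructed inputs mirroring the files in the question.
ASKED = {
    "volumes": ["/var/run/docker.sock:/var/run/docker.sock",
                ".docker/config.json:/home/administrator/.docker/config.json",
                "helper:/go/bin"],
    "environment": ["HOME=/", "PATH=$PATH:/go/bin", "AWS_REGION=us-east-1"],
}
ASKED_CFG = {"credsStore": "ecr-login",
             "auths": {REGISTRY: {"auth": "PLACEHOLDER"}},
             "credHelpers": {REGISTRY: "ecr-login"}}
# Same service with the config file mounted at the assumed lookup path.
MOVED = dict(ASKED, volumes=ASKED["volumes"][:1]
             + [".docker/config.json:/config.json", "helper:/go/bin"])

if __name__ == "__main__":
    for label, svc, cfg in [("as posted", ASKED, ASKED_CFG),
                            ("remounted", MOVED, {"credHelpers": {REGISTRY: "ecr-login"}})]:
        print(label, lint(svc, cfg) or "no findings")
```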

0 Answers