feat(aws): use ecr as cache for container builds

2026-02-15 16:24:24 +00:00 · 2024-11-09 12:49:33 +01:00
parent b0f0930a51
commit c9a86c3c1b
4 changed files with 35 additions and 3 deletions
--- a/computing/aws/ecr.md
+++ b/computing/aws/ecr.md
@@ -69,8 +69,10 @@ aws ecr describe-repositories --repository-names 'docker-tools/image-builder' \

 ## Pull through cache feature

-> **Note:** when requesting an image for the first time using the pull through cache, the ECR creates a new repository for that image.<br>
-> This might™ introduce a small latency and be cause of pull failures. Pulling that (not-yet)cached image from an interactive shell session worked flawlessly.
+> **Note:** when requesting an image for the first time using the pull through cache, the ECR creates a new repository
+> for that image.<br>
+> This might™ introduce a small latency and be cause of pull failures. Pulling that (not-yet)cached image from an
+> interactive shell session worked flawlessly.

 ## Troubleshooting

@@ -88,6 +90,7 @@ Context: trying to pull an image on an EC2 instance that is using the amazon-ecr

 - [Amazon Web Services]
 - AWS' [CLI]
+- [Use ECR as cache for BuildKit][announcing remote cache support in amazon ecr for buildkit clients]

 ### Sources

@@ -106,6 +109,7 @@ Context: trying to pull an image on an EC2 instance that is using the amazon-ecr

 <!-- Files -->
 <!-- Upstream -->
+[announcing remote cache support in amazon ecr for buildkit clients]: https://aws.amazon.com/blogs/containers/announcing-remote-cache-support-in-amazon-ecr-for-buildkit-clients/
 [cli subcommand reference]: https://docs.aws.amazon.com/cli/latest/reference/ecr/
 [creating a lifecycle policy preview]: https://docs.aws.amazon.com/AmazonECR/latest/userguide/lpp_creation.html
 [using pull through cache rules]: https://docs.aws.amazon.com/AmazonECR/latest/userguide/pull-through-cache.html
--- a/base/docker.md
+++ b/base/docker.md
@@ -195,6 +195,8 @@ docker buildx create --node 'builder_name'
 docker buildx build -t 'image:tag' --load '.'
 docker buildx build … -t 'image:tag' --load --platform 'linux/amd64' '.'
 docker buildx build … --push \
+  --cache-to 'mode=max,image-manifest=true,oci-mediatypes=true,type=registry,ref=012345678901.dkr.ecr.eu-west-2.amazonaws.com/buildkit-test:cache \
+  --cache-from type=registry,ref=012345678901.dkr.ecr.eu-west-2.amazonaws.com/buildkit-test:cache \
  --platform 'linux/amd64,linux/arm64,linux/arm/v7' '.'

 # Remove builders.
@@ -423,6 +425,7 @@ docker load …
 - [Containerd]
 - [Kaniko]
 - [`amazon-ecr-credential-helper`][amazon-ecr-credential-helper]
+- [Announcing remote cache support in Amazon ECR for BuildKit clients]

 ### Sources

@@ -459,6 +462,7 @@ docker load …

 <!-- Others -->
 [amazon-ecr-credential-helper]: https://github.com/awslabs/amazon-ecr-credential-helper
+[announcing remote cache support in amazon ecr for buildkit clients]: https://aws.amazon.com/blogs/containers/announcing-remote-cache-support-in-amazon-ecr-for-buildkit-clients/
 [arch linux wiki]: https://wiki.archlinux.org/index.php/Docker
 [cheatsheet]: https://collabnix.com/docker-cheatsheet/
 [configuring dns]: https://dockerlabs.collabnix.com/intermediate/networking/Configuring_DNS.html
--- a/base/kaniko.md
+++ b/base/kaniko.md
@@ -60,7 +60,7 @@ docker run … \
    --destination 'gcr.io/gcp-project-id/custom-image:1.2.3' \
    --destination 'mycr.azurecr.io/azure-repository:1.2.3'
 docker run … -v "$PWD/config.json:/kaniko/.docker/config.json:ro" 'gcr.io/kaniko-project/executor:latest'
-docker run … 'gcr.io/kaniko-project/executor' … --cache true --custom-platform 'linux/amd64' --build-arg VERSION='1.2'
+docker run … 'gcr.io/kaniko-project/executor' … --cache --custom-platform 'linux/amd64' --build-arg VERSION='1.2'
 ```

 </details>
--- a/snippets/aws/other
+++ b/snippets/aws/other
@@ -112,8 +112,32 @@ curl 'http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access'
 # ------------------
 ###

+aws ecr describe-repositories
+aws ecr create-repository --repository-name 'bananaslug' --registry-id '012345678901'
 aws ecr delete-repository --repository-name 'bananaslug'

+aws ecr get-login-password \
+| docker login --username AWS --password-stdin '012345678901.dkr.ecr.eu-west-1.amazonaws.com'
+
+aws ecr describe-pull-through-cache-rules --registry-id '012345678901'
+aws ecr validate-pull-through-cache-rule --ecr-repository-prefix 'ecr-public'
+
+docker pull '012345678901.dkr.ecr.eu-west-1.amazonaws.com/ecr-public/repository_name/image_name:tag'
+docker pull '012345678901.dkr.ecr.eu-west-1.amazonaws.com/quay/repository_name/image_name:tag'
+
+docker pull 'quay.io/argoproj/argocd:v2.10.0'
+docker pull '012345678901.dkr.ecr.eu-west-1.amazonaws.com/me/argoproj/argocd:v2.10.0'
+
+aws ecr create-pull-through-cache-rule --registry-id '012345678901' \
+	--ecr-repository-prefix 'cache/docker-hub' \
+	--upstream-registry 'docker-hub' --upstream-registry-url 'registry-1.docker.io' \
+	--credential-arn "$(\
+		aws secretsmanager describe-secret --secret-id 'ecr-pullthroughcache/docker-hub' --query 'ARN' --output 'text' \
+	)"
+aws ecr describe-pull-through-cache-rules --registry-id '012345678901' --ecr-repository-prefixes 'cache/docker-hub'
+
+aws ecr list-images --registry-id '012345678901' --repository-name 'cache/docker-hub'
+

 ###
 # ECS