docker push fails with exit status 1 when using AWS CodeBuild

4
I trigger a CodeBuild project from CodePipeline, but the "docker push" step always fails with the error message "Reason: exit status 1".
Here is my build log (with my organization ID replaced by <MY_ORG_ID>):
[Container] 2021/06/12 14:39:47 Entering phase INSTALL
[Container] 2021/06/12 14:39:47 Phase complete: INSTALL State: SUCCEEDED
[Container] 2021/06/12 14:39:47 Phase context status code:  Message: 
[Container] 2021/06/12 14:39:47 Entering phase PRE_BUILD
[Container] 2021/06/12 14:39:47 Running command echo Logging in to Amazon ECR...
Logging in to Amazon ECR...

[Container] 2021/06/12 14:39:47 Running command aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin <MY_ORG_ID>.dkr.ecr.eu-west-2.amazonaws.com
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

[Container] 2021/06/12 14:39:51 Running command docker push <MY_ORG_ID>.dkr.ecr.eu-west-2.amazonaws.com/reponame/core-service:latest
The push refers to repository [<MY_ORG_ID>.dkr.ecr.eu-west-2.amazonaws.com/reponame/core-service]
An image does not exist locally with the tag: <MY_ORG_ID>.dkr.ecr.eu-west-2.amazonaws.com/reponame/core-service

[Container] 2021/06/12 14:39:51 Command did not exit successfully docker push <MY_ORG_ID>.dkr.ecr.eu-west-2.amazonaws.com/reponame/core-service:latest exit status 1
[Container] 2021/06/12 14:39:51 Phase complete: PRE_BUILD State: FAILED
[Container] 2021/06/12 14:39:51 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: docker push <MY_ORG_ID>.dkr.ecr.eu-west-2.amazonaws.com/reponame/core-service:latest. Reason: exit status 1

Here is my buildspec.yaml file:

version: 0.2

env:
  git-credential-helper: yes
phases:
  pre_build:
    commands:
      - echo Logging in to Amazon ECR...
      - aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin <MY_ORG_ID>.dkr.ecr.eu-west-2.amazonaws.com
  build:
    commands:
      - echo Pushing Docker image <MY_ORG_ID>.dkr.ecr.eu-west-2.amazonaws.com/reponame/core-service:latest
      - DOCKER_REPO=<MY_ORG_ID>.dkr.ecr.eu-west-2.amazonaws.com
      - IMAGE_TAG=${DOCKER_REPO}/reponame/core-service:${EKS_CLUSTER_NAME}-${CODEBUILD_RESOLVED_SOURCE_VERSION}-v${CODEBUILD_BUILD_NUMBER}
      - echo Set IMAGE TAG = $IMAGE_TAG
      - docker build --build-arg NODE_ENV=production --build-arg DOCKER_REPO=${DOCKER_REPO} -t $IMAGE_TAG core-service/.
      - docker push $IMAGE_TAG

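As many references point out, I have added this statement to the policy attached to the corresponding AWS CodeBuild service role, but it still does not work.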
{
  "Statement": [
    ### BEGIN ADDING STATEMENT HERE ###
    {
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:GetAuthorizationToken",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    ### END ADDING STATEMENT HERE ###
    ...
  ],
  "Version": "2012-10-17"
}

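I can run these steps manually, but on CodeBuild I always get this error.

It would be great if you could help. There are similar threads, but none of them explains a solution to this particular problem. Thanks.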


1
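You may need to tag the built Docker image with the ECR repository URI using the following command: docker tag image-name:tag ecr-repo:tag - Kavish Baghel
Thanks, @KavishBaghel! I focused on the image tagging, and there was indeed a problem. I added more commands. Apparently, tagging the image as "latest" raises an error because it already exists, and the docker push command fails every time. I can't see any verbose option for the build logs, which would help! - julinho
2 Answers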

2

As the error message shows, an error is raised when trying to push the image with this tag:

<MY_ORG_ID>.dkr.ecr.eu-west-2.amazonaws.com/reponame/core-service:latest

This is because the image tag "latest" already exists in my repository.

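By running the same docker push command several times, I found that CodeBuild sometimes prints the full error message and sometimes does not. Pushing a unique image tag solved the problem: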

<MY_ORG_ID>.dkr.ecr.eu-west-2.amazonaws.com/reponame/core-service:${CODEBUILD_RESOLVED_SOURCE_VERSION}-v${CODEBUILD_BUILD_NUMBER}

Permissions and authentication were fine.


0
The problem may be with the policy, which does not define access to ECR. This might help, but keep in mind that it grants full access to ECR.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ecr:*",
            "Resource": "*"
        }
    ]
}

I believe you need at least these:

"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"

Some details may be found here

Some details about access can also be found here


It also needs ecr:GetRepositoryPolicy, ecr:SetRepositoryPolicy, ecr:InitiateLayerUpload - Harsh Rohila
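
An added example, not part of the answers above: a service-role policy that grants the push actions listed in the question on a single repository instead of ecr:* on every resource. It assumes <MY_ORG_ID> is the AWS account ID and that the repository is reponame/core-service in eu-west-2, as in the build log; the Sid values are made up for this example. ecr:GetAuthorizationToken stays on "*" because that action does not support resource-level restriction.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddedExampleEcrLogin",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "AddedExamplePushToOneRepository",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage"
      ],
      "Resource": "arn:aws:ecr:eu-west-2:<MY_ORG_ID>:repository/reponame/core-service"
    }
  ]
}
```

If the build also pulls images from this repository, add ecr:BatchGetImage and ecr:GetDownloadUrlForLayer from the list above to the second statement.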

Page content provided by Stack Overflow.