Mix-github-actions-aws-ecs

AndyF · March 23, 2022, 9:17am

I am following the tutorial in https://docs.servicestack.net/mix-github-actions-aws-ecs

When I create a release, my Build and Push to ECR gives an error.

Starting build…

19/usr/bin/docker buildx build --tag /scadsoftware/envisionapi:v1 --iidfile /tmp/docker-build-push-nMoq35/iidfile --file Dockerfile --push .

20error: invalid tag “/scadsoftware/envisionapi:v1”: invalid reference format

21Error: buildx call failed with: error: invalid tag “/scadsoftware/envisionapi:v1”: invalid reference format

mythz · March 23, 2022, 9:53am

I’ll get @layoric who maintains our GitHub actions to look into this when he’s back on.

layoric · March 23, 2022, 10:50pm

Hi @AndyF,

The tag you are using won’t work to push to ECR since it needs to come from your ECR login and it looks like it is missing or null.

The one from the mix template builds the tags property of the docker/build-push-action using result of the login to ECR.

      - name: Login to Amazon ECR
        id: login_ecr
        uses: aws-actions/amazon-ecr-login@v1

This depends on being able to authenticate with AWS which is done the step before.

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}

The build + push step then constructs the tag from the login, repository name and your own release version. The first part of the tag tells where the image is going when docker push is run by the action step.

      - name: Build and push to ECR
        id: push_image_to_ecr
        uses: docker/build-push-action@v2.2.2
        with:
          file: Dockerfile
          context: .
          push: true
          tags: ${{ steps.login_ecr.outputs.registry }}/${{ env.image_repository_name }}:${{ github.event.release.tag_name }}

Can you check the output of the Configure AWS credentials and Login to Amazon ECR steps to make sure they are succeeding? And double check you have populated the related secrets?

AndyF · March 28, 2022, 4:58am

Morning. Login to Amazon ECR succeeded. “Create ECR repo if not exists” showed it succeeded, but if you go into detail it says : aws ecr describe-repositories --repository-names ${ECR_REPOSITORY} || aws ecr create-repository --repository-name ${ECR_REPOSITORY}

3 shell: /usr/bin/bash -e {0}

4 env:

5 image_repository_name: scadsoftware/envisionapi

6 AWS_DEFAULT_REGION: ***

7 AWS_REGION: ***

8 AWS_ACCESS_KEY_ID: ***

9 AWS_SECRET_ACCESS_KEY: ***

10 ECR_REPOSITORY: scadsoftware/envisionapi

11

12An error occurred (RepositoryNotFoundException) when calling the DescribeRepositories operation: The repository with name ‘scadsoftware/envisionapi’ does not exist in the registry with id ‘***’

13{

14 “repository”: {

15 “repositoryArn”: “arn:aws:ecr:::repository/scadsoftware/envisionapi”,

16 “registryId”: “***”,

17 “repositoryName”: “scadsoftware/envisionapi”,

18 “repositoryUri”: “.dkr.ecr..amazonaws.com/scadsoftware/envisionapi”,

19 “createdAt”: “2022-03-23T09:10:45+00:00”,

20 “imageTagMutability”: “MUTABLE”,

21 “imageScanningConfiguration”: {

22 “scanOnPush”: false

23 },

24 “encryptionConfiguration”: {

25 “encryptionType”: “AES256”

26 }

27 }

28}

Then when you do the Build and Push to ECR, it also fails with message as described when I logged the call.

AndyF · March 28, 2022, 5:19am

When I look in Amazon ECR repositories, it does not show any images.

layoric · March 28, 2022, 10:21pm

That error is from the first of the two commands, one to check if it exists and the next is the response from the aws ecr create-repository which looks successful, hence the step succeeded.

I take it the repositoryUri was edited to remove account ID and region? As it should look like 12345.dkr.ecr.us-east-1.amazonaws.com/my/repo. Just wanted to make sure.

If you can share the GitHub Action you are using (minus any sensitive info), that might help. I’m assuming it is the same as the mix template, noting that the mix templates are just a starting point. Since AWS environments, permissions and accounts can vary, the template should be adjusted as needed to your specific use case.

Confirm the registeryId/AWS account ID is the same as the one you are logging into the console with and you can see the repository that has been created.

The aws ecr create command is not idempotent, so if the script tried to create an ECR repository it that already exists it would throw a RepositoryAlreadyExistsException, so you should be able to see the repository with aws ecr describe-repositories --repository-names ${ECR_REPOSITORY}.

You can try enabling ACTIONS_RUNNER_DEBUG to true to see the output of the Login to Amazon ECR step. This might have more information about outputs. Also upgrading the [aws-actions/amazon-ecr-login](https://github.com/aws-actions/amazon-ecr-login) to the latest version.

It looks like the aws-action/amazon-ecr-login only outputs the registry output if there is one authorizationData response to the GetAuthroizationToken request if it contains 1 item in the array.

Check to see if the AWS credentials you are using get multiple instances back when using the aws ECR command aws ecr get-authorization-token (remember to use the same credentials as your GitHub action if running it locally using --profile). If you are specifying registries input in the Login to Amazon ECR step, you will need to replace the use of steps.login_ecr.outputs.registry since it won’t be output when multiple results are returned. If you replace this value, it should take the form of:

${AWS_ACCOUNT_ID}.dkr.ecr.{AWS_REGION}.amazonaws.com

Hope that helps.

AndyF · April 4, 2022, 1:31pm

We are still busy working on this and will revert back

AndyF · April 8, 2022, 12:33pm

Managed to get it all the way so I can see that it actually creates the docker containers for the different apps/versions, but unable to get it to run and browse to it. Not sure how to troubleshoot further. Is it possible to expand the walkthrough to have more details at the end of the process.

layoric · April 11, 2022, 1:31am

Remoting to your server running Nginx + docker-compose, you should be able to see your app, nginx-proxy, and nginx lets encrypt companion running. Your Route53 (domain config) should be setup to have an A record and even with your app not running you should get a response from Nginx server.

Opening a browser at the address you’ve configured in Route53 and your GitHub Actions secrets (this tells the Nginx proxy to forward requests) is the last step in the process.

So when you say “create the docker containers for the different apps/versions”, do you mean creates the docker images or you can see the containers on your linux host using docker ps? If the containers are running, you can create a bash session in your container by using the command docker exec -it <container name> /bin/bash, that would enable you to troubleshoot if there are missing environment variables like HOST_DOMAIN. Check the docker-compose` files that are copied to the host as well for any missing info that might be causing issues.

Without seeing your full GitHub Action yaml, and knowing more about your environment, it’s hard to say where the problem might be. Alternatively, using a standard ECS setup (which is similar to this but with an AWS Application Load Balancer, and using task definitions) is more of a managed solution, but does come at the cost of the ALB which I think is ~$25/month as the base cost. Cost scales with high usage, but pretty slowly.

AndyF · April 14, 2022, 4:20am

Thanks you can close this. Will try and get it sorted.