https://docs.docker.com/engine/reference/commandline/search/
# Containerization
# ECR 
# ECS 
# Security
# other
## 3 components of a container :+1:
## Cognito 
## Container 
## Control Tower
## Docker
## EKS 
## Fargate 
## IAM Access analyzer policy generation/validation
## IAM Identity Center
## IAM: 
## Image
## Issue
## RAM
## Repository
## Service Control Policies (SCP)
## Working Struct
## build EC2 access to S3
## example
### 1. Docker hub
### 1. docker run, create container
### 1. List images
### 2. Container operation
### 2. ECR
### 2. Pull an image
### 3. Delete image
### 3. Build an image
### Account Factory
### Backup Policies
### Comprehensive Controls Management
### Dashboard
### Guardrails
### Identity pool
### Landing Zone
### Restricting Tags policies
### User pool
* Access is controlled through IAM
* Automatically enabled and enforced by AWS Control Tower
* Based on AWS best practices (optional)
* Centralize logging from AWS CloudTrail, and AWS Config stored in Amazon Simple Storage Service (Amazon S3).
* Commonly used by enterprises (optional)
* Create a multi-account environment using AWS Organizations.
* Created from Image
* EC2 instance profile, used by the EC2 instance
* ECS Task IAM Role: allows each task to have a specific role
* Easy to find the service we need
* Enable cross-account security audits using AWS IAM Identity Center (successor to AWS SSO).
* Example: Disallow delete actions without MFA in S3 buckets
* Example: Disallow public Read access to the Log Archive account
* Example: Enable encryption for EBS volumes attached to EC2 instances
* Private and Public repository
* Provide federated access to accounts using AWS IAM Identity Center (successor to AWS SSO).
* Provide identity management using the default directory found within AWS IAM Identity Center (successor to AWS SSO).
* Pull from repository
* Run application
* Store and manage Docker images on AWS
* Supports image vulnerability scanning, including CVE (Common Vulnerabilities and Exposures) matching
* Users authenticated via your own existing authentication process
* Users in an Amazon Cognito user pool
* Users who authenticate with external identity providers such as Facebook, Google, Apple, or an OIDC or SAML identity provider.
* With an identity pool, you can obtain temporary AWS credentials with permissions you define to directly access other AWS services or to access resources through Amazon API Gateway.
* a space to store images
* a template for a container
* built from a Dockerfile
* can be started, stopped and terminated
* create a container
* has public (Docker Hub) and private (AWS gallery) forms
* containers are isolated from each other and run in parallel
* Faster deployment: containers start quickly, which speeds up application deployment.
* Easy to scale: containerized applications can be scaled up or down quickly to meet demand.
* Simplified configuration: Docker packages the application and its dependencies into a container, avoiding environment configuration problems.
* Cross-platform: Docker containers can run on any platform, which makes migrating applications easy.
** review
**1. Error parsing parameter 'cli-input-json': Invalid JSON received.**
-i : Keep STDIN open even if not attached
-p : Publish a container's port(s) to the host
-t : Allocate a pseudo-TTY
-v : Bind mount a volume
-w : Working directory inside the container
1. Amazon Resource Names (ARNs)
1. In ECR, the repository must be created before uploading
1. create a cluster
1. Set up permissions
1. Register a Docker Hub account
1. Dockerfile
2. multi-factor authentication (MFA)
2. Before uploading, we need to link ECR to our local Docker so that we can push to ECR
2. Log in to Docker Hub with the login command in the local Docker
2. Register a Linux Task Definition
3. Create Service
3. IAM Policies Conditions
3. Use push to upload the image to Docker Hub
3. Set up the security group
3. As with Docker Hub, before uploading we must rename our image to match the AWS prefix; the prefix string to tag with can be displayed in the AWS console
4.
4. Test
4. On the Docker Hub web page you can then see which images you have uploaded
4. After renaming, upload with the push command in the same way, and ECR will show the upload record.
<font color="#f00">notice: a container can't run without an image.</font>
ADD todays.py /pythoncode
AWS Backup enables you to create Backup Plans that define how to back up your AWS resources
AWS Control Tower automates the setup of a new landing zone using best-practices blueprints for identity, federated access, and account structure. Examples of blueprints that are automatically implemented in your landing zone include:
Account Factory
Amazon’s managed Kubernetes
Amazon’s own container platform
But often we only want to change a package or a path, and we don't want to build a container, edit inside the container and commit it as an image.
CMD ["python3","/pythoncode/todays.py"]
CREATED : the date this image was created
Cognito
Cognito is an AWS service that helps provide user sign-in functionality. It handles user sign-up and sign-in and controls access to web and mobile applications, meaning you don't need to build a separate backend application, database and so on for user management; Cognito can be used directly for managing users. It can also integrate with third-party authentication systems, integrating easily through SAML with social identity providers (such as Facebook, Google and Amazon) and enterprise identity providers (such as Microsoft Active Directory).
Comprehensive controls management in AWS Control Tower helps you reduce the time it takes to define, map, and manage the controls required to meet your most common control objectives such as enforcing least privilege, restricting network access, and enforcing data encryption. New proactive control capabilities leverage AWS CloudFormation Hooks to proactively identify and block the CloudFormation deployment of resources that are not compliant with the controls you have enabled. You can disallow actions that lead to policy violations and detect noncompliance of resources at scale.
Container:
Control Tower
Create a container with docker run command.
There are two ways to create one: build it from a container, or use a Dockerfile.
Define allowlist or blocklist IAM actions
The Dockerfile rules require at least one CMD or ENTRYPOINT instruction. If multiple CMD instructions are written in a Dockerfile, only the last one takes effect.
Docker is an open-source platform that can be used to package, run and share applications. Through containerization, Docker makes applications independent and portable, letting developers and operators develop, deploy and operate applications more conveniently.
EC2 Linux instance is not supported for integration with AWS IAM Identity Center?
ECS Cluster = EC2 instance cluster or Fargate
ECS IAM =
ECS Task: running Docker containers
the ECSfullAccess permission
Edit a JSON file to create the task
Elastic Container Registry
Elective
Error response from daemon: Container XXX is not running
Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "/pythoncode/todays.py": **permission denied**: unknown
Error: failed to start containers: XXXXX
Example
FROM alpine:latest
IAM Access analyzer policy generation
IAM Roles vs Resource Based Policies
IAM policy rules are evaluated in the following order
IAM users are identities in the service
IMAGE ID : unique ID of this Image
Identity Center
Image:
Issue
Issue:
List Service
List Task Definitions
MAINTAINER Sandy
Mandatory
Most users have multiple policies that together represent the permissions for that user.
Need to review
Note
Note:
Organization
Organization SCP
Permissions boundary
REPOSITORY : name of this image
RUN ["chmod", "+x", "/pythoncode/todays.py"]
RUN ["chmod", "+x", "/pythoncode/todays.py"]
RUN apk add --update --no-cache python3 && ln -sf python3 /usr/bin/python
RUN apk update
# RUN cd does not persist across layers; WORKDIR changes the directory for later instructions
WORKDIR /pythoncode
RUN mkdir pythoncode
RUN pip3 install --no-cache --upgrade pip setuptools
RUN python3 -m ensurepip
Repository:
Resource Access Manager
Resource Access Manager
Root user: only the account email and password are needed to gain access
Run Python code
SIZE : size of this image
Serverless container platform; works with ECS and with EKS
Set Task file
So usually we use a Dockerfile to build an image. The following is an example Dockerfile.
Strongly Recommended
TAG : version of this image
The AWS Control Tower dashboard gives you continuous visibility into your AWS environment.
The account factory automates provisioning of new accounts in your organization. As a configurable account template, it helps you standardize provisioning of new accounts with pre-approved account configurations. You can configure your account factory with pre-approved network configuration and Region selections, and enable self-service for your builders to configure and provision new accounts using AWS Service Catalog.
The issue was caused by a zero-width Unicode null character. The solution is not to copy and paste the text from the template, but instead to type it out manually line by line.
The landing zone set up by AWS Control Tower is managed using a set of mandatory and strongly recommended guardrails, which you select through a self-service console to ensure that accounts and configurations comply with your policies.
When you create an IAM user, they can't access anything in your account until you give them permission. You give permissions to a user by creating an identity-based policy, which is a policy that is attached to the user or a group to which the user belongs.
With Amazon Cognito identity pools, you can create unique identities and assign permissions for users. Your identity pool can include:
You can restrict specific Tags on AWS resources
[TOC]
Alpine: install Python, pip and vim
can also prevent IAM users/roles in the affected member accounts from creating resources if they don't have specific tags
apk add --update --no-cache python3 && ln -sf python3 /usr/bin/python
apk add vim
aws ecs create-cluster --cluster-name fargate-cluster
aws ecs create-service --cluster fargate-cluster --service-name fargate-service --task-definition sample-fargate:1 --desired-count 1 --launch-type "FARGATE" --network-configuration "awsvpcConfiguration={subnets=[subnet-0343c95367635f1ac],securityGroups=[sg-09389fc0aede89dc2]}"
aws ecs list-services --cluster fargate-cluster
aws ecs list-task-definitions
aws ecs register-task-definition --cli-input-json file://$HOME/fargate-task.json
aws ecs register-task-definition --cli-input-json file://$HOME/tasks/fargate-task.json
Because the file is copied into the container, its permissions are not set correctly, so we need to chmod it in the Dockerfile.
Build a Docker image from a Dockerfile
can choose to use Fargate or an EC2 ASG
create a role with EC2accessS3
deploy role to EC2
do not provision the infrastructure
docker build -t alpine_python_example:v1.0.0 .
docker build .
docker commit
docker commit [OPTIONS] CONTAINER [REPOSITORY[:TAG]]
docker exec -it example bash
docker image ls
docker pull XXX:version
docker restart container-ID
docker rmi image-ID
docker run -it --name example_1 alpine:latest /bin/sh
docker run [OPTIONS] IMAGE [COMMAND] [ARG...]
docker search XXX
docker search [OPTIONS] TERM
docker start container-ID
docker start example_1
docker stop container-ID
ENTRYPOINT, CMD
example:
First we need to list the images in the Docker environment.
for example:
has Guardrails
https://docs.aws.amazon.com/zh_tw/AmazonECR/latest/userguide/docker-push-ecr-image.html
https://forums.docker.com/t/docker-push-error-requested-access-to-the-resource-is-denied/64468/5
https://glints.com/tw/blog/docker-basic-tutorial/
https://tw.alphacamp.co/blog/docker
https://tw.alphacamp.co/blog/docker-introduction
If the command is executed without a tag, the image will have no repository name or version (<none>), so we add the tag to the command.
means your container is not running, so you need to start it first and then execute the operation.
normal commands:
pip3 install --no-cache --upgrade pip setuptools
A policy sets permissions on a specific service, without going through account B for access
policy: define the permissions within that account using policies. If
python3 -m ensurepip
ref:
ref:
ref:
A role lets the current account A operate using account B's permissions
support ALB
An IAM user is an account under the root account, with its own independent username and password
We use the following command to show the Docker images.
When we need to download an image, we can search for it with the search command and download it with the pull command.
you own multiple accounts, we instead recommend using the AWS Organizations service to help you manage those permissions
| Origin | AWS |
| ---------- |:------- |
| docker | ECS |
| docker hub | ECR |
| K8s | EKS |
| Lambda | Fargate |
• Can be attached to Organization Root, specific OU, or individual Member account
• Enforce PCI compliance by explicitly disabling services
• Gives you granular control over backing up your resources (e.g., backup frequency, time window, backup region, ...)
• Immutable Backup Plans appear in Member accounts (view ONLY)
• JSON documents that define Backup Plans across an AWS Organization
• Restrict access to certain services (for example: can’t use EMR)
The steps for storing an image in ECR are basically the same as for Docker Hub
First add it in your own account
It has the following four advantages:
Restrictions can be placed on key values in the policy
It can be accessed in two ways: one is to use a role so that A's permissions are replaced by B's; the other is to set up a policy so that the existing account can connect directly to B's S3 service
When using Cognito, the things that need to be set up are the User pool and the Identity pool.
After a container is started, you will also need to pause, start and restart it; the commands are as follows
If you manage permissions across multiple accounts, you can use IAM roles, resource-based policies, or access control lists (ACLs) for cross-account permissions.
To define the permissions of a single account, use policies
Containerization refers to "application-centric virtualization": the application is virtualized directly at the operating-system level. The libraries, code, environment variables and so on that the application needs are packaged and placed in separate containers, paired with the corresponding Host OS resources, so the step of installing an operating system can be skipped.
Ugh, what a hassle
It is a user directory for web and app authentication and authorization. From the application's point of view, the Amazon Cognito User pool is an OpenID Connect (OIDC) identity provider (IdP), with additional layers of features for security, identity federation, application integration and customization of the user experience.
Once we have built an image, we need other people or another location to be able to use it, so we upload the image to Docker Hub so it can be downloaded.
Simply put, whether or not we have built services on AWS, we can use Cognito to build our backend user-login platform. It can be combined with third-party logins such as Facebook or Amazon accounts, and it has built-in APIs for adding or editing users. If the components used are AWS services, user permissions can be edited as JSON in the identity pool, in the same way IAM permissions are set.
For example, if account A wants to access B's S3
A denied error appears here, mainly because we named the image alpine_python_code:v1.0.0, but the Docker Hub push format must be docker_hubID/alpine_python_example:v1.0.0; after renaming, push again to upload
When building a container with Docker, you will always encounter these three components: Image, Container and Repository.
For resource integration, Amazon Cognito can control access to backend AWS resources and APIs so that application users only receive the appropriate access. You can map users to different roles and permissions and obtain temporary AWS credentials to access AWS services such as Amazon S3, Amazon DynamoDB, Amazon API Gateway and AWS Lambda, and the users do not need to be registered AWS users.