Pull amazonlinux:2 from public.ecr.aws

[charlie-harvey]

Feature description

If I am building in AWS, for lambda, the default image is "amazonlinux:2". Great!
But if I try to build my image lots of times I will get denied pull access to Docker Hub. So I can instead pull the image from AWS's hub, public.ecr.aws. Sure, I can set this in my build.gradle.kts. But it would be just as easy to have it hardcoded to that value in the first place.

docker-plugin/src/main/java/io/micronaut/gradle/docker/NativeImageDockerfile:

        private String resolve() {
            String baseImage = getBaseImage().getOrNull();

            if (strategy == DockerBuildStrategy.LAMBDA && baseImage == null) {
                baseImage = "public.ecr.aws/amazonlinux/amazonlinux:2";
            } else if (baseImage == null) {
                baseImage = "frolvlad/alpine-glibc:alpine-" + DefaultVersions.ALPINE;
            }

            return baseImage;
        }

I will try to get to making a PR for this. Thanks.

[timyates]

There are also rate limits for unauthenticated ECR requests from outside of AWS infrastructure.

I found a blog post here which says:

Note that while pulls from ECR Public do work from outside AWS, they are rate limited if not authenticated with an Amazon account, and you should generally use the Docker Hub addresses if you are pulling from outside AWS. Please see the ECR Public quotas documentation for more about how limits work with ECR Public.

However the blog post is old, and likely to be skewed towards gaining docker signups ;-)

Also the Amazon ECR limit seems to be one pull per second (I guess per IP) for unauthenticated users

And the docker one is 100 pulls in 6 hours (again for unauthenticated users)

My gut feeling is to leave it pointing at dockerhub, and maybe adding explicit documentation around switching to public.ecr.aws if rate limits are hit...

[charlie-harvey]

About a day after creating this ticket I somehow got denied by AWS. I must not have been logged in or something. So I'm ok with keeping it pointed to Docker Hub. Thanks.

…

On Thu, Aug 24, 2023, 6:11 AM Tim Yates ***@***.***> wrote: There are also rate limits for unauthenticated ECR requests from outside of AWS infrastructure <https://docs.aws.amazon.com/AmazonECR/latest/public/public-service-quotas.html> . I found a blog post here <https://www.docker.com/blog/news-from-aws-reinvent-docker-official-images-on-amazon-ecr-public/> which says: Note that while pulls from ECR Public do work from outside AWS, they are rate limited if not authenticated with an Amazon account, and you should generally use the Docker Hub addresses if you are pulling from outside AWS. Please see the ECR Public quotas documentation <https://docs.aws.amazon.com/AmazonECR/latest/public/public-service-quotas.html> for more about how limits work with ECR Public. However the blog post is old, and likely to be skewed towards gaining docker signups ;-) Also the Amazon ECR limit seems to be one pull per second (I guess per IP) for unauthenticated users And the docker one is 100 pulls in 6 hours (again for unauthenticated users) My gut feeling is to leave it pointing at dockerhub, and maybe adding explicit documentation around switching to public.ecr.aws if rate limits are hit... — Reply to this email directly, view it on GitHub <#799 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAJPLI7ZMIYRUSUQKLT4563XW4SFZANCNFSM6AAAAAA3ITWVI4> . You are receiving this because you authored the thread.Message ID: ***@***.*** com>

[timyates]

Thanks for raising this Charlie 👍

[sdelamo]

@timyates is it document it how to change it?

[timyates]

@sdelamo Doing that now