Update to improve the private registry docs (#633)

* Update to improve the private registry docs * minor adjustments I know it's totally OK to enumerate a list using the same number in markdown, but for the sake of people reading the raw docs, I'd still like them to be numbered. Also removed a superfluous `version: 3` and made sure all other versions were set to `"3.4"`. Co-authored-by: Simon Aronsson <simme@arcticbit.se>
2025-10-31 00:17:44 +02:00 · 2020-10-03 16:07:42 -04:00
parent e118fd526b
commit 16a79d95b5
1 changed files with 70 additions and 36 deletions
--- a/docs/private-registries.md
+++ b/docs/private-registries.md
@@ -59,14 +59,14 @@ docker run [...] -v <PATH_TO_HOME_DIR>/.docker/config.json:/config.json containr
 When creating the watchtower container via docker-compose, use the following lines:

 ```yaml
-version: "3"
-[...]
-watchtower:
-  image: index.docker.io/containrrr/watchtower:latest
-  volumes:
+version: "3.4"
+services:
+  watchtower:
+    image: index.docker.io/containrrr/watchtower:latest
+    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - <PATH_TO_HOME_DIR>/.docker/config.json:/config.json
-[...]
+  ...
 ```

 #### Docker Config path
@@ -74,10 +74,13 @@ By default, watchtower will look for the `config.json` file in `/`, but this can
 Example usage:

 ```yaml
-watchtower:
-  image: containrrr/watchtower
-  environment:
-      DOCKER_CONFIG: /config
+version: "3.4"
+
+services: 
+  watchtower:
+    image: containrrr/watchtower
+    environment:
+        DOCKER_CONFIG: /config
    volumes:
      - /etc/watchtower/config/:/config/
      - /var/run/docker.sock:/var/run/docker.sock
@@ -94,6 +97,12 @@ helper in a separate container and mount it using volumes.
 ### Example
 Example implementation for use with [amazon-ecr-credential-helper](https://github.com/awslabs/amazon-ecr-credential-helper):

+
+Use the dockerfile below to build the [amazon-ecr-credential-helper](https://github.com/awslabs/amazon-ecr-credential-helper),
+in a volume that may be mounted onto your watchtower container.
+
+1.  Create the Dockerfile (contents below):    
+
 ```Dockerfile
 FROM golang:latest

@@ -111,43 +120,68 @@ RUN go build \
 WORKDIR /go/bin/
 ```

+2.  Use the following commands to build the aws-ecr-dock-cred-helper and store it's output in a volume:
+
+```shell script
+# Create a volume to store the command (once built)
+docker volume create helper 
+
+# Build the container
+docker build -t aws-ecr-dock-cred-helper .
+
+# Build the command and store it in the new volume in the /go/bin directory.
+docker run  -d --rm --name aws-cred-helper --volume helper:/go/bin aws-ecr-dock-cred-helper
+
+```
+
+3.  Create a configuration file for docker, and store it in $HOME/.docker/config.json (replace the <AWS_ACCOUNT_ID>
+    placeholders with your AWS Account ID):
+
+```json
+{
+    "credsStore" : "ecr-login",
+    "HttpHeaders" : {
+      "User-Agent" : "Docker-Client/19.03.1 (XXXXXX)"
+    },
+    "auths" : {
+      "<AWS_ACCOUNT_ID>.dkr.ecr.us-west-1.amazonaws.com" : {}
+    },
+    "credHelpers": {
+      "<AWS_ACCOUNT_ID>.dkr.ecr.us-west-1.amazonaws.com" : "ecr-login"
+    }
+}
+```
+
+4.  Create a docker-compose file (as an example) to help launch the container:
+
 and the docker-compose definition:
 ```yaml
-version: "3"
-
+version: "3.4"
 services:
+  # Check for new images and restart things if a new image exists
+  # for any of our containers.
  watchtower:
-    image: index.docker.io/containrrr/watchtower:latest
+    image: containrrr/watchtower:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
-      - <PATH_TO_HOME_DIR>/.docker/config.json:/config.json
+      - .docker/config.json:/config.json
      - helper:/go/bin
    environment:
      - HOME=/
      - PATH=$PATH:/go/bin
-      - AWS_REGION=<AWS_REGION>
-      - AWS_ACCESS_KEY_ID=<AWS_ACCESS_KEY>
-      - AWS_SECRET_ACCESS_KEY=<AWS_SECRET_ACCESS_KEY>
+      - AWS_REGION=us-west-1
 volumes:
-  helper: {}
+  helper: 
+    external: true
 ```

-and for `<PATH_TO_HOME_DIR>/.docker/config.json`:
-```json
-  {
-    "HttpHeaders" : {
-      "User-Agent" : "Docker-Client/19.03.1 (XXXXXX)"
-    },
-    "credsStore" : "osxkeychain",
-    "auths" : {
-      "xyzxyzxyz.dkr.ecr.eu-north-1.amazonaws.com" : {},
-      "https://index.docker.io/v1/": {}
-    },
-    "credHelpers": {
-      "xyzxyzxyz.dkr.ecr.eu-north-1.amazonaws.com" : "ecr-login",
-      "index.docker.io": "osxkeychain"
-    }
-  }
-```
+A few additional notes:

-*Note:* `osxkeychain` can be changed to your preferred credentials helper.
+1.  With docker-compose the volume (helper, in this case) MUST be set to `external: true`, otherwise docker-compose 
+    will preface it with the directory name.
+2.  Note that "credsStore" : "ecr-login" is needed - and in theory if you have that you can remove the 
+    credHelpers section 
+3.  I have this running on an EC2 instance that has credentials assigned to it - so no keys are needed; however, 
+    you may need to include the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables as well.
+4.  An alternative to adding the various variables is to create a ~/.aws/config and ~/.aws/credentials files and 
+    place the settings there, then mount the ~/.aws directory to / in the container.