feat: Support AWS ECR Public Container Registry

[jopemachine]

Partially fix #2337.

Test

ecr-public

Manually tested it using the following methods.

In this PR, the cr.backend.ai/stable/python:3.9-ubuntu20.04 image is used as a placeholder for testing.

Prerequisite

Create and configure the relevant users and policies appropriately through AWS IAM for testing this PR.

Then, generate the "access key" and store the access_key and secret_access_key in etcd.

---

1. Tag and push the cr.backend.ai/stable/python image to your AWS ECR package for testing.

❯ docker tag cr.backend.ai/stable/python:3.9-ubuntu20.04 public.ecr.aws/<registry_alias>/python:3.9-ubuntu20.04
❯ docker push public.ecr.aws/<registry_alias>/python:3.9-ubuntu20.04

2. Enter the following command for putting the necessary key-values in etcd.

You can get the login password through aws ecr-public get-login-password command.

❯ ./backend.ai mgr etcd put config/docker/registry/public.ecr.aws "https://public.ecr.aws"; \
./backend.ai mgr etcd put config/docker/registry/public.ecr.aws/access_key "<access_key>"; \
./backend.ai mgr etcd put config/docker/registry/public.ecr.aws/secret_access_key "<secret_access_key>"; \
./backend.ai mgr etcd put config/docker/registry/public.ecr.aws/region "us-east-1"; \
./backend.ai mgr etcd put config/docker/registry/public.ecr.aws/type "ecr-public"; \
./backend.ai mgr etcd put config/docker/registry/public.ecr.aws/username "AWS"; \
./backend.ai mgr etcd put config/docker/registry/public.ecr.aws/password "<login-password>";

3. Insert the following value into the container_registry column of the groups table.

{
	"registry": "public.ecr.aws",
	"project": "<registry_alias>"
}

4. Add public.ecr.aws value to allowed_docker_registries column of domains table using below command

❯ ./backend.ai admin domain update default --allowed-docker-registries=public.ecr.aws

Test scenarios

Verify that the container registry added in this PR is functioning based on several scenarios.

If there are additional scenarios that need testing, please leave a comment.

1. Image Rescan

Image rescanning should work through the following command.

❯ ./backend.ai mgr image rescan public.ecr.aws

2. Create a session from the pulled image

Run a session using the downloaded image.

❯ ./backend.ai session create public.ecr.aws/<registry_alias>/python:3.9-ubuntu20.04

3. Commit the changes and push it to the container registry.

For committing a session, it is necessary to assume that the Registry alias is included in config/docker/registry/public.ecr.aws/project in etcd.

Enter the key value using the following command.

❯ ./backend.ai mgr etcd put config/docker/registry/public.ecr.aws/project "<registry_alias>"

Commit the changes using the convert-to-image command and push them to the container registry.

❯ ./backend.ai session convert-to-image <session_id> test_imgname

∙ Request to commit Session(name or id: ce592e27-b90a-4859-92b1-360fdd6d8464)
100%|██████████████████████████████████████████████████████████████████████████████████████████████████| 3/3 [00:01<00:00,  2.02it/s]
✓ Session export process completed.

---

Checklist: (if applicable)

• Milestone metadata specifying the target backport version
• Mention to the original issue

---

📚 Documentation preview 📚: https://sorna--2549.org.readthedocs.build/en/2549/

---

📚 Documentation preview 📚: https://sorna-ko--2549.org.readthedocs.build/ko/2549/

[jopemachine]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• feat: Support AWS ECR Private Container Registry #2553
• feat: Support AWS ECR Public Container Registry #2549 👈
• feat: Support GitLab Container Registry #2348
• feat: Support GitHub Container Registry #2341
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

Join @jopemachine and the rest of your teammates on Graphite

[jopemachine]

Closed as #1917 stack was merged.