Mirroring Docker on EC2
I mentioned in a previous post that we’re looking at speeding up how long it takes for our build/test cycle. We have some more substantial improvements in the works, but found a quick win by simply mirroring our images that are hosted on Docker Hub. The mirror lives on the internal EC2 network.
To create the mirror machine we started by freezing an AMI based on CoreOS that runs the registry:latest
image from the Docker library. The machine is configured via a very simple cloud-init
file:
The above configuration simple configured a CoreOS machine to not run its typical etcd
, fleet
, locksmith
or flannel
service – we don’t need them. Aditionally, we make sure Docker is running and then specify a docker-mirror
service that will start on boot and run the registry mirror.
One thing to note is that we don’t current mount the data directory outside the container itself. We treat the data as ephemeral since it can always be refetched from the upstream Docker Hub registry.
We put the AMI inside an AWS Launch Configuration so that we can add it to an autoscaling group. We use autoscaling in this case as a quick hack to make sure that there is always n
of the machines actually running – though right now we only run a single mirror instance so the autoscaling group’s “preferred size” is 1.
We’ve also created an “internal” ELB that takes external port 80 traffic and routes it to the mirror’s port 5000. The health check is currently configured to use an HTTP
check for the /
path, which in the latest registry will return a 200
HTTP code.
Normally we’d use Route 53 to create an ALIAS record to the ELB so that we can just refer to the mirror as docker-mirror.local
internally, but we actually have our own DNS solution that we run inside the test VPC, so we needed to add a CNAME
record to the ELB there instead. Regardless, any machine inside the VPC can now communicate with http://docker-mirror.local
and reach our mirrored registry.
The last step is to teach our test (shortstack
) machines to prefer using our internal mirror instead of the public registry. Shortstacks are running CentOS 7, so their docker daemon configuration is located at /etc/sysconfig/docker
. We use the following configuration:
A reboot of the docker daemon (or for us – freezing a new shortstack
AMI and churning the test infrastructure!) and you should see faster (subsequent!) pulls.
If you’d like to see how the docker mirror is behaving, you can check out the logs by SSH’ing into the CoreOS docker mirror and tail’ing the logs:
Personally, I’m excited to see what comes out of v2
of the docker registry project; we’re already looking at running a completely internal registry backed by S3. Unfortunately, the registry:2
image currently doesn’t support mirroring.