Permission denied on entrypoint when trying to update Elastic Beanstalk via GitHub Actions

Time:11-02

I feel this might be an IAM question, but I don't really know where to begin. I have a Docker-based EBS environment that works great when I update it manually. However, when I update it with GitHub Actions, the container fails with the following message.

unable to start container process: exec: "./docker/entrypoint.sh": permission denied: unknown.

My CD pipeline authenticates, pushes a new Docker image to the registry, and then updates the Dockerrun.aws.js by editing the image name. The workflow runs OK: the image is pushed, and the Dockerrun.aws.js is correct... and yet the environment fails to launch.

name: Release

on:
  push:
    tags:
    - 'v*'

jobs:
  deploy-to-aws-ebs:
    runs-on: ubuntu-latest
    environment: staging
    permissions:
      id-token: write
      contents: read
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    steps:
      - name: Check out the repository
        uses: actions/checkout@v3

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ServiceRoleForEBSDeploy
          aws-region: ${{ secrets.AWS_DEFAULT_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Get tag name
        run: echo "tag=`echo ${{ github.ref }} | sed -e 's/\./-/g' | cut -c11-`-`echo ${{ github.sha }} | cut -c1-8`" >> $GITHUB_ENV

      - name: Build, tag, and push docker image to Amazon ECR
        env:
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          REPOSITORY: docker_repository
          IMAGE_TAG: ${{ env.tag }}
        run: |
          docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG .
          docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG
          echo "IMAGE_NAME=$REGISTRY/$REPOSITORY:$IMAGE_TAG" >> $GITHUB_ENV

      - name: Create deployment package
        run: |
          sed -e "s|<IMAGE_NAME>|${{ env.IMAGE_NAME }}|g" \
            docker/Dockerrun.aws.template.json > Dockerrun.aws.json
          cat Dockerrun.aws.json

      - name: Deploy to AWS Elastic Beanstalk
        env:
          AWS_EBS_APP_NAME: app_name
          AWS_EBS_ENV_NAME: env_name
        run: |
          aws s3 cp Dockerrun.aws.json s3://${{ secrets.AWS_S3_BUCKET_NAME }}/versions/${{ env.tag }}-Dockerrun.aws.json
          aws elasticbeanstalk create-application-version \
            --application-name $AWS_EBS_APP_NAME \
            --source-bundle S3Bucket=${{ secrets.AWS_S3_BUCKET_NAME }},S3Key=versions/${{ env.tag }}-Dockerrun.aws.json \
            --version-label ${{ env.tag }}
          aws elasticbeanstalk update-environment \
            --application-name $AWS_EBS_APP_NAME \
            --environment-name $AWS_EBS_ENV_NAME \
            --version-label ${{ env.tag }}

Meanwhile, the Dockerfile is your basic Django stuff.

FROM python:3.10-slim-buster

ARG APP_HOME=/code \
    USERNAME=user101

WORKDIR ${APP_HOME}

RUN addgroup --system ${USERNAME} \
    && adduser --system --ingroup ${USERNAME} ${USERNAME}

RUN apt-get update --yes --quiet && apt-get install --no-install-recommends --yes --quiet \
    # dependencies for building Python packages
    build-essential \
    # psycopg2 dependencies
    libpq-dev \
    # dev utils
    git \
    # cleanup
  && rm -rf /var/lib/apt/lists/*


# COPY options must precede the source; copy the build context into APP_HOME owned by the app user
COPY --chown=${USERNAME}:${USERNAME} . ${APP_HOME}

RUN pip install --upgrade pip
RUN pip install poetry
RUN poetry install --no-interaction --no-ansi
EXPOSE 80
USER ${USERNAME}

ENTRYPOINT ["./docker/entrypoint.sh" ]
CMD ["gunicorn", "config.wsgi:application", "--bind", ":80"]

My guess is that EBS is trying to build the environment with the GitHub Actions service user? Does that make sense? Should it be using the user defined in the Dockerfile?

CodePudding user response:

This has nothing to do with IAM permissions. You just need to make your script executable:

$ chmod +x ./docker/entrypoint.sh

You can also run it inside the Dockerfile before the ENTRYPOINT command:

RUN chmod +x ./docker/entrypoint.sh
ENTRYPOINT ["./docker/entrypoint.sh" ]
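Why the manual deploy works while the GitHub Actions deploy fails: git records the executable bit of each tracked file (mode 100755 versus 100644), and a fresh checkout on the CI runner only restores what was committed. If `docker/entrypoint.sh` was made executable locally but that bit was never committed (common after editing on Windows or with `core.fileMode=false`), the local build succeeds and the CI build produces an image whose entrypoint cannot be exec'd. The following preflight script is an added example, not code from the question or the answer: it checks the exec bit before `docker build`, reports the mode git has recorded for the file, and applies the fix both to the working tree and to the git index so it survives the next checkout. The function names (`preflight`, `make_executable`, `demo`) and the environment variable `ENTRYPOINT_PATH` are this example's own; the path `docker/entrypoint.sh` is the one from the question.

```shell
#!/bin/sh
# Preflight check for a container entrypoint's executable bit.
# Added example; not part of the original post. Run as:
#   sh preflight.sh docker/entrypoint.sh      (check one file)
#   sh preflight.sh demo                      (self-contained demonstration)

ENTRYPOINT_PATH="${ENTRYPOINT_PATH:-docker/entrypoint.sh}"   # assumed default, from the question

# Return 0 if the file exists and is executable, 1 otherwise.
entrypoint_is_executable() {
    [ -f "$1" ] && [ -x "$1" ]
}

# Print the mode git has recorded for the file (100755 = exec bit committed,
# 100644 = not committed). Prints nothing if git is missing or the file is untracked.
git_index_mode() {
    command -v git >/dev/null 2>&1 || return 0
    git ls-files --stage -- "$1" 2>/dev/null | awk '{print $1}'
}

# Fail fast with a useful message instead of discovering the problem at container start.
preflight() {
    path="$1"
    if entrypoint_is_executable "$path"; then
        echo "ok: $path is executable"
        return 0
    fi
    echo "error: $path is not executable; the container would fail with 'exec: permission denied'" >&2
    mode="$(git_index_mode "$path")"
    if [ -n "$mode" ]; then
        echo "git index mode: $mode (100644 means the exec bit was never committed)" >&2
    fi
    return 1
}

# Fix the working tree and, when the file is tracked, record the bit in the git index
# so the next checkout on the CI runner gets an executable file.
make_executable() {
    chmod +x "$1"
    if command -v git >/dev/null 2>&1 && git ls-files --error-unmatch -- "$1" >/dev/null 2>&1; then
        git update-index --chmod=+x -- "$1"
    fi
}

# Demonstration on a constructed entrypoint created without the exec bit:
# preflight must fail before the fix and succeed after it.
demo() {
    dir=$(mktemp -d)
    script="$dir/entrypoint.sh"
    printf '#!/bin/sh\nexec "$@"\n' > "$script"   # constructed sample entrypoint
    chmod 644 "$script"                            # reproduce the 100644 situation
    if preflight "$script" 2>/dev/null; then rm -rf "$dir"; return 1; fi
    make_executable "$script"
    if preflight "$script" >/dev/null; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

case "${1:-}" in
    demo) demo ;;
    "")   : ;;                 # sourced or run without arguments: define functions only
    *)    preflight "$1" ;;
esac
```

In the workflow from the question, `preflight docker/entrypoint.sh` belongs in the "Build, tag, and push" step before `docker build`, so a bad commit fails the job at the build stage rather than at environment launch; the `RUN chmod +x` line from the answer remains a good belt-and-braces measure because it does not depend on what git recorded.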