Private ECR access for TuxSuite

Description

This is a follow-up of https://linaro.atlassian.net/browse/TFC-697

We tried option 2 as mentioned in https://linaro.atlassian.net/browse/TFC-697?focusedCommentId=281598

But TuxSuite is not able to pull the ECR images Ref: https://tuxapi.tuxsuite.com/v1/groups/arm/projects/arm-open-ci-bot/tests/2rpDv3flFEu2ON7hS0fuSBRXZ1p

This is the ECR policy we have set:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "new statement",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:*",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeImageScanFindings",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages",
        "ecr:ListTagsForResource"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "468758510126"
        }
      }
    }
  ]
}

I think it is not working because TuxSuite is not authenticated with Arm ECR (with something like below):

aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin 637423617205.dkr.ecr.eu-west-1.amazonaws.com/fvp

I am running TuxSuite like this:

python3 -u -m tuxsuite test submit --no-wait --device fvp-lava --job-definition job.yaml

Sorry for the long text. So, to fix this,

  • Could you either please run docker login (like the above statement) before executing the TuxSuite job? (I guess there will be something similar to this done for the Linaro ECR (987685672616.dkr.ecr.us-east-1.amazonaws.com/fvp)?)

  • Or if the above is complex, can you set us up with AWS creds so that we can push to 987685672616.dkr.ecr.us-east-1.amazonaws.com/fvp?
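
An added example, not part of the ticket or of TuxSuite's code: a small Python check of the repository policy quoted above. It flags the `ecr:*` grant and the `ecr:GetAuthorizationToken` entry (registry login is authorized by the caller's own IAM policy, so the pulling side still has to run `docker login`), and builds a pull-only alternative. The function names, finding labels and the `AllowCrossAccountPull` Sid are assumptions made for this illustration.

```python
import json

# Repository-level actions a cross-account consumer needs to pull an image.
PULL_ACTIONS = {"ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer"}

# The repository policy quoted in the ticket.
TICKET_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "new statement",
 "Effect": "Allow", "Principal": "*",
 "Action": ["ecr:*", "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
  "ecr:DescribeImageScanFindings", "ecr:DescribeImages",
  "ecr:DescribeRepositories", "ecr:GetAuthorizationToken",
  "ecr:GetDownloadUrlForLayer", "ecr:GetLifecyclePolicy",
  "ecr:GetLifecyclePolicyPreview", "ecr:GetRepositoryPolicy",
  "ecr:ListImages", "ecr:ListTagsForResource"],
 "Condition": {"StringEquals": {"aws:PrincipalAccount": "468758510126"}}}]}
""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_repository_policy(policy, expected_account):
    """Return sorted finding labels (hypothetical names) for Allow statements."""
    findings = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(as_list(stmt.get("Action", [])))
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        accounts = as_list(cond.get("aws:PrincipalAccount", []))
        # A "*" principal is only acceptable when pinned to the one expected account.
        if stmt.get("Principal") in ("*", {"AWS": "*"}) and accounts != [expected_account]:
            findings.add("wildcard-principal-unrestricted")
        # ecr:* also covers push and delete calls, far more than a pull needs.
        if "ecr:*" in actions or "*" in actions:
            findings.add("wildcard-action-allows-push-and-delete")
        elif not PULL_ACTIONS <= actions:
            findings.add("missing-pull-action")
        # The token call is granted through the caller's IAM identity policy.
        if "ecr:GetAuthorizationToken" in actions:
            findings.add("auth-token-belongs-in-identity-policy")
    return sorted(findings)

def pull_only_policy(account_id):
    """Build a repository policy that lets one account pull and nothing else."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCrossAccountPull", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": sorted(PULL_ACTIONS)}]}

if __name__ == "__main__":
    print(audit_repository_policy(TICKET_POLICY, "468758510126"))
    print(json.dumps(pull_only_policy("468758510126"), indent=2))
```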

Activity

Saheer Babu February 4, 2025 at 11:55 PM

Created a new ticket: https://linaro.atlassian.net/browse/TFC-716 for the same.

Saheer Babu February 4, 2025 at 11:51 PM

Could you log in to this repository too: 211125306678.dkr.ecr.eu-west-1.amazonaws.com/fvp

Senthil Kumaran S January 21, 2025 at 4:31 PM

The login is done for each test job that is run. It is not a cronjob.

No, this is part of the system setup and we cannot parse the job definition to know which repository we have to log in to. This is hard-coded in our backend.

When you have the PROD repository ready, we will need to patch our backend to log in to the same.

Saheer Babu January 21, 2025 at 2:42 PM

How often is the login performed? Is it a cronjob?

Is the Docker repository link for login taken from the TuxSuite job? 637423617205.dkr.ecr.eu-west-1.amazonaws.com/fvp is the registry of our TEST environment. There will be a change to this in PROD. So, just trying to understand if it would work out of the box?

Senthil Kumaran S January 21, 2025 at 1:40 PM

This is fixed by adding the respective login action to ECR.

Verified with the following test jobs:

Done

Created January 19, 2025 at 12:54 AM
Updated February 4, 2025 at 11:55 PM
Resolved January 21, 2025 at 1:40 PM