Container Registry for EC2 on the AWS Cloud
Quick Start Reference Deployment
September 2020
Mark Bennett, Trace3
Yaniv Bossem and Dylan Owen, AWS Quick Start team
| Visit our GitHub repository for source files and to post feedback, report bugs, or submit feature ideas for this Quick Start. |
This Quick Start was created by JFrog Ltd. in collaboration with Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.
Overview
JFrog Container Registry is a comprehensive and advanced repository manager, supporting Docker containers and Helm Chart repositories for your Kubernetes deployments. This Quick Start deploys Container Registry in a highly scalable and redundant configuration in the Amazon Web Services (AWS) Cloud.
This Quick Start is for administrators who want the flexibility, scale, and availability of AWS through products such as Amazon Virtual Private Cloud (Amazon VPC), Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), Elastic Load Balancing (ELB), and Amazon Relational Database Service (Amazon RDS) to deploy Container Registry as their Docker container and Helm Chart repository manager.
Amazon EC2, Amazon S3, and Amazon RDS form the foundation for the deployment. Using Amazon S3 as persistent storage for artifacts and Amazon RDS for configuration, Container Registry can be completely redeployed or upgraded in place depending on your requirements.
The default installation creates a single Amazon EC2 Auto Scaling group:
-
The Auto Scaling group is responsible for the single Container Registry node. Spanning multiple Availability Zones within a Region, the Auto Scaling group provides the best possible recovery in the event of an infrastructure failure.
The Auto Scaling group is monitored by the Network Load Balancer, which is configured with health checks that validate that the Container Registry service is up and running. If the endpoint returns an error response, a new node is recovered within 10 minutes.
| Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start. |
Container Registry for EC2 on AWS
Once you deploy JFrog’s Container Registry, you can use it as a production service. For further information about setting up Container Registry, see the Getting started with Container Registry section, later in this guide.
| The deployment is configured as “infrastructure as code.” Any changes to the infrastructure should be done by updating the CloudFormation stack. Any changes performed on the boxes themselves (including reverse-proxy configurations) are lost when an instance reboots. By design, upon shutdown of an instance — or when Container Registry is unavailable — an Auto Scaling group replaces the node, following a load-balancing health check. |
AWS costs
You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start. There is no additional cost for using the Quick Start.
The AWS CloudFormation templates for Quick Starts include configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.
| After you deploy the Quick Start, create AWS Cost and Usage Reports to deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. These reports provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports? |
Software licenses
The Quick Start requires a subscription to the Amazon Machine Image (AMI) for Container Registry, which is available from the AWS Marketplace. Additional pricing, terms, and conditions may apply. For instructions, see Subscribe to the Container Registry AMI in the deployment section.
This Quick Start does not require you to purchase any license as JFrog Container Registry is a free product.
Architecture
Deploying this Quick Start for a new Virtual Private Cloud (VPC) with default parameters builds the following Container Registry environment in the AWS Cloud.
As shown in Figure 1, the Quick Start sets up the following:
-
A highly resilient architecture that spans two Availability Zones.*
-
A VPC configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
-
A private and encrypted S3 bucket for repository storage.
-
A Network Load Balancer attached to the public subnets connecting via port 80 or 443 to the Container Registry primary node in the private subnets.
In the public subnets:
-
Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
-
A Linux bastion host in an Auto Scaling group to allow inbound Secure Shell (SSH) access from the
RemoteAccessCIDR to the EC2 instances in public and private subnets.
In the private subnets:
-
One Amazon EC2 Auto Scaling group for the Container Registry node.
-
A PostgreSQL instance on Amazon RDS that’s accessible from the private subnets on port 5532.
| The purpose of the Automatic Scaling groups is for automatic deployment of the Container Registry node into another Availability Zone if a failure occurs. Do not modify the number of instances. |
*The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.
Auto Scaling groups
The Auto Scaling group is designed to have one Container Registry node. When an EC2 node or service fail, Auto Scaling groups automatically recreate the instances. For this reason, all configurations are done on boot and result in a loss of any data that are not stored in the Amazon RDS instance or S3 bucket.
Ansible init script
Ansible is installed and configured to run only on initial boot. Ansible, in cooperation with the Auto Scaling group, initiates the required configuration to run Container Registry.
|
Do not change the master key of the stack when updating the stack. Doing so results in an unsupported configuration that future nodes cannot join. To update an expired Secure Sockets Layer (SSL) certificate, change the CloudFormation stack certificate and certificate key inputs, and then redeploy the nodes (see Updating Container Registry). If you change the certificate and certificate key manually on the EC2 instances (instead of updating the CloudFormation stack), your manual changes are lost at the next update or reboot, which results in an unwanted configuration. |
Planning the deployment
Specialized knowledge
This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see Getting Started Resource Center and AWS Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.
This Quick Start assumes familiarity with JFrog Container Registry and infrastructure as code.
AWS account
If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.
Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.
Technical requirements
Before you launch the Quick Start, review the following information and ensure that your account is properly configured. Otherwise, deployment might fail.
Resource quotas
If necessary, request service quota increases for the following resources. You might request quota increases to avoid exceeding the default limits for any resources that are shared across multiple deployments. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see What is Service Quotas? and AWS service quotas.
| Resource | This deployment uses |
|---|---|
VPCs |
1 |
Elastic IP addresses |
3 |
AWS Identity and Access Management (IAM) security groups |
1 |
IAM roles |
2 |
Security groups |
4 |
Auto Scaling groups |
2 |
Load Balancers |
1 |
m4.xlarge instances |
4 |
t2.micro instances |
1 |
db.m4.large (RDS) |
2 |
S3 Buckets |
1 |
Supported Regions
-
us-east-1 (N. Virginia)
-
us-east-2 (Ohio)
-
us-west-1 (N. California)
-
us-west-2 (Oregon)
-
ca-central-1 (Canada Central)
-
eu-central-1 (Frankfurt)
-
eu-west-1 (Ireland)
-
ap-southeast-1 (Singapore)
-
ap-southeast-2 (Sydney)
-
ap-northeast-1 (Tokyo)
-
ap-northeast-2 (Seoul)
-
sa-east-1 (South America)
| Certain Regions are available on an opt-in basis. For more information, see Managing AWS Regions. |
IAM permissions
Before launching the Quick Start, you must sign in to the AWS Management Console with IAM permissions for the resources that the templates deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see AWS managed policies for job functions.
Deployment options
This Quick Start provides two deployment options:
-
Deploy Container Registry for EC2 into a new VPC (end-to-end deployment). This option builds a new AWS environment consisting of the VPC, subnets, NAT gateways, security groups, bastion hosts, and other infrastructure components. It then deploys Container Registry for EC2 into this new VPC.
-
Deploy Container Registry for EC2 into an existing VPC. This option provisions Container Registry for EC2 in your existing AWS infrastructure.
The Quick Start provides separate templates for these options. It also lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and Container Registry for EC2 settings, as discussed later in this guide.
Deployment steps
Sign in to your AWS account
-
Sign in to your AWS account at https://aws.amazon.com with an IAM user role that has the necessary permissions. For details, see Planning the deployment earlier in this guide.
-
Make sure that your AWS account is configured correctly, as discussed in the Technical requirements section.
Prepare the certificate and certificate key
Due to the underlying JSON system, the parameters for both the certificate and certificate key must be edited by replacing their line endings.
-
Copy the certificate into a text editor, and view line endings. Line endings on Windows and Linux terminate in CRFL and LF, respectively.
-
Remove all CRFL or LF characters, and replace them with the | (pipe) character. This puts the certificate on a single line.
-
Follow the same process for the certificate key.
Add the certificate to AWS Secrets Manager
-
Open AWS Secrets Manager in the same Region in which you deploy the Quick Start.
-
Choose Store a new secret.
-
Choose Other type of secret.
-
For the secret key value, create three rows for the certificate information.
-
Key names should be as follows, with the key values being the certificate details (see Figure 2):
-
Certificate -
CertificateKey -
CertificateDomain
-
-
Choose Next.
-
Provide a secret name. This name is used to deploy this Quick Start.
-
Choose Next twice.
-
Choose Store.
Subscribe to the Container Registry for EC2 AMI
This Quick Start requires a subscription to the AMI for Container Registry for EC2 in AWS Marketplace.
-
Sign in to your AWS account.
-
Open the page for the Container Registry for EC2 AMI in AWS Marketplace, and then choose Continue to Subscribe.
-
Review the terms and conditions for software usage, and then choose Accept Terms.
A confirmation page loads, and an email confirmation is sent to the account owner. For detailed subscription instructions, see the AWS Marketplace documentation. -
When the subscription process is complete, exit out of AWS Marketplace without further action. Do not provision the software from AWS Marketplace—the Quick Start deploys the AMI for you.
Launch the Quick Start
| You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For full details, see the pricing pages for each AWS service used by this Quick Start. Prices are subject to change. |
-
Sign in to your AWS account, and choose one of the following options to launch the AWS CloudFormation template. For help with choosing an option, see deployment options earlier in this guide.
Deploy Container Registry for EC2 into an existing VPC on AWS |
| If you’re deploying Container Registry into an existing VPC, make sure that your VPC has two private subnets in different Availability Zones for the workload instances, and that the subnets aren’t shared. This Quick Start doesn’t support shared subnets. These subnets require NAT gateways in their route tables, to allow the instances to download packages and software without exposing them to the internet. |
Also, make sure that the domain name option in the DHCP options is configured as explained in the Amazon VPC documentation. You provide your VPC settings when you launch the Quick Start.
Each deployment takes about 40 minutes to complete.
-
Check the AWS Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This is where the network infrastructure for Container Registry for EC2 will be built. The template is launched in the us-east-1 Region by default.
-
On the Create stack page, keep the default setting for the template URL, and then choose Next.
-
On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary.
In the following tables, parameters are listed by category and described separately for the deployment options. When you finish reviewing and customizing the parameters, choose Next.
| Unless you are customizing the Quick Start templates for your own deployment projects, keep the default settings for the parameters Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these settings automatically updates code references to point to a new Quick Start location. For more information, see the AWS Quick Start Contributor’s Guide. |
Launch into a new VPC
| Parameter label (name) | Default value | Description |
|---|---|---|
SSH key name
( |
|
Name of an existing key pair, which allows you to connect securely to your instance after it launches. This is the key pair you created in your preferred Region. |
Permitted IP range
( |
|
CIDR IP range permitted to access Artifactory. It is recommended that you set this value to a trusted IP range. For example, you may want to limit software access to your corporate network. |
Remote access CIDR
( |
|
Remote CIDR range that allows you to connect to the bastion instance by using SSH. It is recommended that you set this value to a trusted IP range. For example, you may want to grant specific ranges from within your corporate network that use the SSH protocol. |
| Parameter label (name) | Default value | Description |
|---|---|---|
Availability Zones
( |
|
List of Availability Zones to use for the subnets in the VPC. Two Availability Zones are used for this deployment. |
VPC CIDR
( |
|
CIDR block for the VPC. |
Private subnet 1 CIDR
( |
|
CIDR block for private subnet 1 located in Availability Zone 1. |
Private subnet 2 CIDR
( |
|
CIDR block for private subnet 2 located in Availability Zone 2. |
Public subnet 1 CIDR
( |
|
CIDR block for the public (DMZ) subnet 1 located in Availability Zone 1. |
Public subnet 2 CIDR
( |
|
CIDR block for the public (DMZ) subnet 2 located in Availability Zone 2. |
| Parameter label (name) | Default value | Description |
|---|---|---|
Bastion instance
( |
|
To skip creating a bastion instance, choose Disabled. Because Artifactory nodes are created in private subnets, it’s highly recommended to set this value to Enabled. |
Bastion instance type
( |
|
Size of the bastion instances. |
Bastion operating system
( |
|
Linux distribution for the Amazon Machine Image (AMI) to be used for the bastion instances. |
Bastion root volume size
( |
|
Size of the root volume in the bastion instances. |
Bastion enable TCP forwarding
( |
|
Choose whether to enable TCP forwarding via bootstrapping of the bastion instance. |
Number of bastion instances
( |
|
Number of bastion instances to create. |
Bastion enable X11 forwarding
( |
|
Choose true to enable X11 via bootstrapping of the bastion host. Setting this value to true enables X Windows over SSH. X11 forwarding can be useful, but it is also a security risk, so it’s recommended that you keep the default (false) setting. |
| Parameter label (name) | Default value | Description |
|---|---|---|
EBS root volume size
( |
|
Size in gigabytes of available storage. The Quick Start creates an Amazon Elastic Block Store (Amazon EBS) volumes of this size. |
EC2 instance type
( |
|
EC2 instance type for the JFrog Container Registry instances. |
| Parameter label (name) | Default value | Description |
|---|---|---|
JFrog Container Registry version
( |
|
Version of JFrog Container Registry that you want to deploy into the Quick Start. Please see the release notes to select the version you want to deploy. https://www.jfrog.com/confluence/display/RTF/Release+Notes |
JFrog Container Registry certificate secret name
( |
|
Secret name created in AWS Secrets Manager which contains the SSL certificate and certificate key. |
JFrog Container Registry server name
( |
|
Name of your JFrog Container Registry server. Ensure that this matches your certificate. |
Master server key
( |
|
Master key for the JFrog Container Registry cluster. Generate a master key by using the command '$openssl rand -hex 16'. |
Extra Java options
( |
|
Set Java options to pass to the JVM for Artifactory. For more information, see the Artifactory system requirements at https://www.jfrog.com/confluence/display/RTF/System+Requirements#SystemRequirements-RecommendedHardware. Do not add Xms or Xmx settings without disabling DefaultJavaMemSettings. |
Default Java memory settings
( |
|
Choose false to overwrite the standard calculations of memory options to pass to the JVM for Artifactory. If overwriting them, ensure they are added to the ExtraJavaOptions to avoid the stack failing to provision. |
Java keystore password
( |
|
Java keystore password. For better security the password that you specify will replace the default Java keystore password. |
Ansible Vault password
( |
|
Ansible Vault password to protect the JFrog Container Registry YAML configuration file generated during the Artifactory deployment. This YAML file is stored on the EC2 nodes and secured with this password. |
| Parameter label (name) | Default value | Description |
|---|---|---|
Database name
( |
|
Name of your database instance. The name must be unique across all instances owned by your AWS account in the current Region. The database instance identifier is case-insensitive, but it’s stored in lowercase (as in "mydbinstance"). |
Database engine
( |
|
Database engine that you want to run. |
Database user
( |
|
Login ID for the master user of your DB instance. |
Database password
( |
|
Password for the JFrog Container Registry database user. |
Database instance type
( |
|
Size of the database to be deployed as part of the Quick Start. |
Database allocated storage
( |
|
Size in gigabytes of available storage for the database instance. |
High available database
( |
|
Choose false to create an Amazon RDS instance in a single Availability Zone. |
| Parameter label (name) | Default value | Description |
|---|---|---|
Quick Start S3 bucket name.
( |
|
S3 bucket name for the Quick Start assets. This string can include numbers, lowercase letters, and hyphens (-). It cannot start or end with a hyphen (-). |
Quick Start S3 key prefix
( |
|
S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). |
Quick Start S3 bucket region
( |
|
AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value. |
Launch into an existing VPC
| Parameter label (name) | Default value | Description |
|---|---|---|
SSH key name
( |
|
Name of an existing key pair, which allows you to connect securely to your instance after it launches. This is the key pair you created in your preferred Region. |
Permitted IP range
( |
|
CIDR IP range that is permitted to access Artifactory. We recommend that you set this value to a trusted IP range. For example, you might want to grant only your corporate network access to the software. |
Remote access CIDR
( |
|
Remote CIDR range that allows you to connect to the bastion instance by using SSH. We recommend that you set this value to a trusted IP range. For example, you might want to grant specific ranges inside your corporate network SSH access. |
| Parameter label (name) | Default value | Description |
|---|---|---|
VPC ID
( |
|
ID of your existing VPC (e.g., vpc-0343606e). |
VPC CIDR
( |
|
CIDR block for the VPC. |
Public subnet 1 ID
( |
|
ID of the public subnet in Availability Zone 1 in your existing VPC (e.g., subnet-z0376dab). |
Public subnet 2 ID
( |
|
ID of the public subnet in Availability Zone 2 in your existing VPC (e.g., subnet-a29c3d84). |
Private subnet 1 ID
( |
|
ID of the private subnet in Availability Zone 1 in your existing VPC (e.g., subnet-a0246dcd). |
Private subnet 2 ID
( |
|
ID of the private subnet in Availability Zone 2 in your existing VPC (e.g., subnet-b58c3d67). |
Private subnet 1 CIDR
( |
|
CIDR of the private subnet in Availability Zone 1 in your existing VPC (e.g., 10.0.0.0/19). |
Private subnet 2 CIDR
( |
|
Cidr of the private subnet in Availability Zone 2 in your existing VPC (e.g., 10.0.32.0/19). |
| Parameter label (name) | Default value | Description |
|---|---|---|
Bastion instance
( |
|
Choose Disabled to skip creating a bastion instance. Due to the JFrog Container Registry nodes being created in private subnets, the default setting of Enabled this is highly recommended. |
Bastion instance type
( |
|
Size of the bastion instances. |
Bastion operating system
( |
|
Linux distribution for the Amazon Machine Image (AMI) to be used for the bastion instances. |
Bastion root volume size
( |
|
Size of the root volume on the bastion instances. |
Bastion enable TCP forwarding
( |
|
Choose whether to enable TCPForwarding via the bootstrapping of the bastion instance or not. |
Number of bastion instances
( |
|
Number of bastion instances to create. |
Bastion enable X11 forwarding
( |
|
Choose true to enable X11 via the bootstrapping of the bastion host. Setting this value to true will enable X Windows over SSH. X11 forwarding can be useful, but it is also a security risk, so it’s recommended that you keep the default (false) setting. |
| Parameter label (name) | Default value | Description |
|---|---|---|
EBS root volume size
( |
|
Size in gigabytes of the available storage; the Quick Start will create an Amazon Elastic Block Store (Amazon EBS) volumes of this size. |
EC2 instance type
( |
|
EC2 instance type for the JFrog Container Registry instances. |
| Parameter label (name) | Default value | Description |
|---|---|---|
JFrog Container Registry version
( |
|
Version of JFrog Container Registry that you want to deploy into the Quick Start. Please see the release notes to select the version you want to deploy. https://www.jfrog.com/confluence/display/RTF/Release+Notes |
JFrog Container Registry certificate secret name
( |
|
Secret name created in AWS Secrets Manager which contains the SSL certificate and certificate key. |
JFrog Container Registry server name
( |
|
Name of your JFrog Container Registry server. Ensure that this matches your certificate. |
Master server key
( |
|
Master key for the JFrog Container Registry cluster. Generate a master key by using the command '$openssl rand -hex 16'. |
Extra Java options
( |
|
Set Java Ooptions to pass to the JVM for Artifactory. For more information, see the Artifactory system requirements. https://www.jfrog.com/confluence/display/RTF/System+Requirements#SystemRequirements-RecommendedHardware. Please do not add Xms or Xmx settings without disabling DefaultJavaMemSettings. |
Default Java memory settings
( |
|
Choose false to overwrite the standard calculations of memory options to pass to the JVM for Artifactory. If overwriting them, ensure they are added to the ExtraJavaOptions to avoid the stack failing to provision. |
Java keystore password
( |
|
Java keystore password. For better security the password that you specify will replace the default Java keystore password. |
Ansible Vault password
( |
|
Ansible Vault password to protect the JFrog Container Registry YAML configuration file generated during the Artifactory deployment. This YAML file is stored on the EC2 nodes and secured with this password. |
| Parameter label (name) | Default value | Description |
|---|---|---|
Database name
( |
|
Name of your database instance. The name must be unique across all instances owned by your AWS account in the current Region. The database instance identifier is case-insensitive, but it’s stored in lowercase (as in "mydbinstance"). |
Database engine
( |
|
Database engine that you want to run, currently locked to Postgres. |
Database user
( |
|
Login ID for the master user of your DB instance. |
Database password
( |
|
Password for the JFrog Container Registry database user. |
Database instance type
( |
|
Size of the database to be deployed as part of the Quick Start. |
Database allocated storage
( |
|
Size in gigabytes of the available storage for the database instance. |
High available database
( |
|
Choose false to create an Amazon RDS instance in a single Availability Zone. |
| Parameter label (name) | Default value | Description |
|---|---|---|
Quick Start S3 bucket name
( |
|
S3 bucket name for the Quick Start assets. This string can include numbers, lowercase letters, and hyphens (-). It cannot start or end with a hyphen (-). |
Quick Start S3 key prefix
( |
|
S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). |
Quick Start S3 bucket region
( |
|
AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value. |
-
On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re finished, choose Next.
-
On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.
-
Choose Create stack to deploy the stack.
-
Monitor the status of the stack. When the status is CREATE_COMPLETE, the Container Registry deployment is ready.
-
Use the values displayed in the Outputs tab for the stack, as shown in Figure 3, to view the created resources.
Get started with JFrog Container Registry
-
Connect to Container Registry from
JFrogContainerRegistryUrl. You can findJFrogContainerRegistryUrlon the Outputs tab of the Container Registry primary stack. Verify that you can view the login screen.
| If you use a non-CA-signed certificate, you will receive a certificate warning when you attempt to access the page. This happens because the certificate doesn’t match the ELB DNS unless you configure Amazon Route 53. |
-
The default user name and password for Container Registry are
adminandpassword, respectively. Enter your credentials, and choose Login. For more information, see Users and Groups in the JFrog documentation.
This loads the setup wizard for initial configuration. Choose Get Started. (See Figure 5.)
-
Read and accept the End User License Agreement (EULA), and then choose Next. (See Figure 6.)
-
Optionally, sign up for notifications from JFrog. (See Figure 7.)
-
Set a secure administrator password for your deployment, and then choose Next. (See Figure 8.)
-
Optionally, configure the base URL setting. (See Figure 9.) Because this deployment uses a proxy, it’s highly recommended that you update the base URL of Container Registry. Read more about JFrog Platform settings.
-
Optionally, configure proxy settings for remote resources. (See Figure 10.)
-
Select the repositories that you require, and then choose Create. (See Figure 11.)
-
Choose Finish. (See Figure 12.)
-
Complete the administrative tasks by configuring the following:
| Backups save to the local file system and do not persist if the EC2 instance is terminated. It is recommended to create snapshots of the primary instance. |
Updating Container Registry
If maintenance must be performed on the stack, ensure that you update the CloudFormation stack rather than updating the infrastructure manually (this also applies to updating Container Registry). The Container Registry version for this Quick Start is 7.0.x.
| Because the instances are backed by an AWS Marketplace AMI, the version you update must be available in AWS Marketplace, and a new map must be created in the CloudFormation templates. Otherwise, the update will fail. |
-
Choose the root stack, and then choose Update. (See Figure 13.)
-
On the Prerequisite screen, choose Use current template, and then choose Next. (See Figure 14.)
-
Find the Container Registry version field by scrolling down. (See Figure 15.)
-
Enter the version number that you want to run. (See Figure 16.)
-
Scroll down and choose Next. Choose Next again, unless you want to change any other tags or policies. Select the two I acknowledge check boxes, and choose Update stack. (See Figure 17.)
-
Shut down the ContainerRegistryMaster node. The proper process shuts down the nodes one at a time, starting with the Container Registry primary node. This will trigger a health check failure on the load balancer. The load balancer will then delete the current running primary node and deploy a new primary node with the updated version. (See Figure 18.)
Security
By default, the load balancer does not match your certificate. You must configure the DNS according to your organization’s configuration, which is highly recommended for a production deployment. When you create a new VPC, the private subnet CIDR is automatically provided to the database security group jcr-rds-sg. In the new VPC, the private subnet is accessible only from the public subnet. When you deploy to an existing VPC, ensure similar rules are followed so that your Container Registry node is not accessible directly from the internet. Also, ensure that the private CIDR is correct and locked down. Avoid using 0.0.0.0/0. If the subnet is a public subnet, it will allow your PosgressSQL database to be available from the internet.
Storage
A major difference between running on-premises and on AWS is storage. Because S3 is used, you are charged for what is currently in use rather than what may be allocated on premises. Ensure to monitor your usage.
FAQ
Q. I provisioned more than 1 node and cannot access JCR. What do I do?
A. In the AWS CloudFormation console, choose Update Stack, choose Next twice, accept the two IAM rules, then choose Update Stack to ensure the AutoScaling group is set back the required number of instances.
Q. My certificate is out of date. How do I update it?
A. The certificate is handled via Ansible or Helm. In the AWS CloudFormation console, choose Update stack, change the certificate and certificate key values. Then, by rolling restart, update the master node first, and then, one at a time, the secondary nodes. This will rebuild each node with the correct certificate.
Q. I encountered a CREATE_FAILED error when I launched the Quick Start.
A. If AWS CloudFormation fails to create the stack, we recommend that you relaunch the template with Rollback on failure set to No. (This setting is under Advanced in the AWS CloudFormation console, Options page.) With this setting, the stack’s state is retained and the instance is left running, so you can troubleshoot the issue. (For Windows, look at the log files in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.)
| When you set Rollback on failure to Disabled, you continue to incur AWS charges for this stack. Please make sure to delete the stack when you finish troubleshooting. |
For additional information, see Troubleshooting AWS CloudFormation on the AWS website.
Q. I encountered a size limitation error when I deployed the AWS CloudFormation templates.
A. We recommend that you launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer or from a location other than an S3 bucket, you might encounter template size limitations. For more information about AWS CloudFormation quotas, see AWS CloudFormation quotas.
Send us feedback
To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. To submit code, see the Quick Start Contributor’s Guide.
Quick Start reference deployments
See the AWS Quick Start home page.
GitHub repository
Visit our GitHub repository to download the templates and scripts for this Quick Start, to post your comments, and to share your customizations with others.
Notices
This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.
The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.