[Docker] Re-Tag Docker Images with a lambda (#19081)

* lil lambda * Better Credential Handling * use a script for this :) * better timeout and link & echo messages
2025-03-05 10:01:43 -05:00 · 2021-10-19 14:06:31 -07:00 · 2021-10-19 14:06:31 -07:00 · 02090afc26
commit 02090afc26
parent 19eabd7a55
3 changed files with 94 additions and 41 deletions
--- a/docker/fix-docker-latest.sh
+++ b/docker/fix-docker-latest.sh
@ -1,61 +1,41 @@
 #!/bin/bash
-# This script is not for normal use and is used in the event that CI (or a user) overwrites the latest tag.
-set -x

-IMAGE="1.6.0"
-DEST="latest"
+IMAGE="1.7.0"
+
+if [ $# -eq 0 ]
+then
+echo "Please Specify the release tag (i.e. 1.7.0)"
+exit 1
+fi

 while [[ $# -gt 0 ]]
 do
 key="$1"
 case $key in
-    --source-tag)
+    --release-tag)
    shift
    IMAGE=$1
    ;;
-    --dest-tag)
-    shift
-    DEST=$1
-    ;;
    *)
-    echo "Usage: fix-docker-latest.sh --source-tag <TAG> --dest-tag <LATEST>"
+    echo "Usage: fix-docker-latest.sh --release-tag <TAG>"
    exit 1
 esac
 shift
 done

-echo "You must be logged into a user with push privileges to do this."
-# for REPO in "ray" "ray-ml" "autoscaler" "ray-deps" "base-deps"
-for REPO in "ray" "ray-ml" "autoscaler"
-do
-    for PYVERSION in "py36" "py37" "py38" "py39"
-    do
-        export SOURCE_TAG="$IMAGE"-"$PYVERSION"
-        export DEST_TAG="$DEST"-"$PYVERSION"
-        docker pull rayproject/"$REPO":"$SOURCE_TAG"
-        docker tag rayproject/"$REPO":"$SOURCE_TAG" rayproject/"$REPO":"$DEST_TAG"
-        docker tag rayproject/"$REPO":"$SOURCE_TAG" rayproject/"$REPO":"$DEST_TAG"-cpu
+ASSUME_ROLE_CREDENTIALS=$(aws sts assume-role --role-arn arn:aws:iam::"$(aws sts get-caller-identity | jq -r .Account)":role/InvokeDockerTagLatest --role-session-name push_latest)

-        docker pull rayproject/"$REPO":"$SOURCE_TAG"-gpu
-        docker tag rayproject/"$REPO":"$SOURCE_TAG"-gpu rayproject/"$REPO":"$DEST_TAG"-gpu
-
-        docker push rayproject/"$REPO":"$DEST_TAG"
-        docker push rayproject/"$REPO":"$DEST_TAG"-cpu
-        docker push rayproject/"$REPO":"$DEST_TAG"-gpu
-    done
-done
+AWS_ACCESS_KEY_ID=$(echo "$ASSUME_ROLE_CREDENTIALS" | jq -r .Credentials.AccessKeyId)
+AWS_SECRET_ACCESS_KEY=$(echo "$ASSUME_ROLE_CREDENTIALS" | jq -r .Credentials.SecretAccessKey)
+AWS_SESSION_TOKEN=$(echo "$ASSUME_ROLE_CREDENTIALS" | jq -r .Credentials.SessionToken)


-for REPO in "ray" "ray-ml" "autoscaler" "ray-deps" "base-deps"
-do
-    docker pull rayproject/"$REPO":"$IMAGE"
-    docker tag rayproject/"$REPO":"$IMAGE" rayproject/"$REPO":"$DEST"
-    docker tag rayproject/"$REPO":"$IMAGE" rayproject/"$REPO":"$DEST"-cpu

-    docker pull rayproject/"$REPO":"$IMAGE"-gpu
-    docker tag rayproject/"$REPO":"$IMAGE"-gpu rayproject/"$REPO":"$DEST"-gpu
-    
-    docker push rayproject/"$REPO":"$DEST"
-    docker push rayproject/"$REPO":"$DEST"-cpu
-    docker push rayproject/"$REPO":"$DEST"-gpu
-done
+echo -e "Invoking this lambda!\nView logs at https://us-west-2.console.aws.amazon.com/cloudwatch/home?region=us-west-2#logsV2:log-groups"
+AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN AWS_SECURITY_TOKEN='' aws \
+lambda invoke --function-name DockerTagLatest \
+--cli-binary-format raw-in-base64-out \
+--cli-read-timeout 600 \
+--payload "{\"source_tag\" : \"$IMAGE\", \"destination_tag\" : \"latest\"}" /dev/stdout
+
+echo -e "Please check logs before rerunning!!!!\n\nAt the time of writing Ray-ML/Autoscaler Images are not built for Py39\nSo retagging errors for those images are expected!"
--- a/docker/retag-lambda/README.md
+++ b/docker/retag-lambda/README.md
@ -0,0 +1,5 @@
+Get Docker Retag via wget:
+```
+wget -q https://github.com/joshdk/docker-retag/releases/download/0.0.2/docker-retag
+```
+Package this full library and upload as an AWS Lambda :) 
--- a/docker/retag-lambda/lambda_function.py
+++ b/docker/retag-lambda/lambda_function.py
@ -0,0 +1,68 @@
+import json
+import subprocess
+
+import boto3
+
+DOCKER_USER = None
+DOCKER_PASS = None
+
+
+def get_secrets():
+    global DOCKER_PASS, DOCKER_USER
+    secret_name = "dockerRetagLatestCredentials"
+    region_name = "us-west-2"
+
+    session = boto3.session.Session()
+    client = session.client(
+        service_name="secretsmanager", region_name=region_name)
+    get_secret_value_response = client.get_secret_value(SecretId=secret_name)
+    secret_string = get_secret_value_response["SecretString"]
+    dct = json.loads(secret_string)
+    DOCKER_PASS = dct["DOCKER_PASS"]
+    DOCKER_USER = dct["DOCKER_USER"]
+
+
+def retag(repo: str, source: str, destination: str) -> str:
+    global DOCKER_PASS, DOCKER_USER
+    if DOCKER_PASS is None or DOCKER_USER is None:
+        get_secrets()
+    assert (DOCKER_PASS is not None and
+            DOCKER_USER is not None), "Docker Username or Password not set()"
+    return subprocess.run(
+        ["./docker-retag", f"rayproject/{repo}:{source}", destination],
+        env={
+            "DOCKER_USER": DOCKER_USER,
+            "DOCKER_PASS": DOCKER_PASS
+        })
+
+
+def lambda_handler(event, context):
+    source_image = event["source_tag"]
+    destination_image = event["destination_tag"]
+    total_results = []
+    for repo in ["ray", "ray-ml", "autoscaler"]:
+        results = []
+        for pyversion in ["py36", "py37", "py38", "py39"]:
+            source_tag = f"{source_image}-{pyversion}"
+            destination_tag = f"{destination_image}-{pyversion}"
+            results.append(retag(repo, source_tag, destination_tag))
+            results.append(retag(repo, source_tag, destination_tag + "-cpu"))
+            results.append(
+                retag(repo, source_tag + "-gpu", destination_tag + "-gpu"))
+        [print(i) for i in results]
+        total_results.extend(results)
+
+    # Retag images without a python version specified (defaults to py37)
+    results = []
+    for repo in ["ray", "ray-ml", "autoscaler", "ray-deps", "base-deps"]:
+        results.append(retag(repo, source_image, destination_image))
+        results.append(retag(repo, source_image, destination_image + "-cpu"))
+        results.append(
+            retag(repo, source_image + "-gpu", destination_image + "-gpu"))
+    [print(i) for i in results]
+    total_results.extend(results)
+
+    if all(r.returncode == 0 for r in total_results):
+        return {"statusCode": 200, "body": json.dumps("Retagging Complete!")}
+    else:
+        return {"statusCode": 500, "body": json.dumps("Retagging Broke!!")}