When an AWS customer migrates to Oracle Cloud, they need an easy way to move the container images they created on AWS. This is difficult when there is a large number of images, because transferring them manually consumes a considerable amount of the cloud administrator's time.
This article discusses a potential way to automate migrating images from Elastic Container Registry (AWS) to OCI Code repository (container registry).
1. Architecture
As shown in figure 2.1, you should have a repository with images in AWS, and a code repository and a virtual machine on OCI to run the script.
Here, the administrator needs to provide the credentials of both environments and other details in the script. Once the administrator runs the script, it pulls the images from AWS, tags them for OCI and pushes them to the OCI code repository.
The script is designed to migrate one repository only; if you have multiple repositories, you need to run it multiple times.
2. Step-by-Step Implementation
This section covers the implementation step by step. Here I assume that you already have an AWS tenant, an image repository (ECR) and images already uploaded. Further, you will need an Oracle Cloud tenant and a user account with the necessary rights.
2.1 Explore AWS Image Repository
In this article, we are using the below example for the migration activity. The repository name is “awsrepo” and it has two images namely ‘postgres’ and ‘nginx’.
This blog will not explain how the images are pushed to ECR as the focus is to migrate the existing images.
2.2 Create OCI Image Repository
The following subsections explain the configuration on the Oracle Cloud end. Here I assume you already have the Oracle Cloud account and have created the necessary policies to create the resources.
The first resource you need to create is the ‘OCI code repository’ which is located under the ‘Developer Services’.
You can provide a preferred name for the repository and choose the compartment it should reside in.
Once the script starts migrating the images from AWS, they will be stored in this code repository. So, this is the target repository.
2.3 Create and Configure OCI Virtual Machine
In this approach, a script is required to do the image migration and it needs to be hosted on a virtual machine. You can create a VCN with a public subnet to have the VM. This blog does not explain this process.
In this example I created an ‘Oracle Linux 8’ image for the virtual machine with 2 OCPUs. If you have to migrate a large number of images, you need to size the virtual machine accordingly.
This VM requires installing and configuring docker, AWS CLI and OCI CLI as prerequisites. This section will explain the details of this.
Install Docker
Log in to the VM with ssh and execute the command below to install docker. This is a straightforward installation.
sudo yum install -y docker
Install AWS CLI
Since we need to login to AWS to obtain the images, we need to install and configure the AWS CLI tool.
The following will download, unzip and install the AWS CLI tool on the migration VM.
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
Configure AWS CLI
Once the AWS CLI is installed, you need to configure it to access the environment. For this you need to get ‘AWS Access Key ID’, ‘AWS Secret Access Key’ and ‘Default region name’ from the AWS cloud administrator.
aws configure
You can run an AWS CLI command, as in figure 2.3.4, to verify whether the tool is configured successfully.
Install OCI CLI
The OCI CLI can be downloaded and installed as below. The installer will request a few input values; you can press Enter to accept the default values.
bash -c "$(curl -L https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh)"
In case you need to change paths or directories, you can do so by changing the input values.
Configure OCI CLI
The next step is to configure the OCI CLI so that we can communicate with OCI from the command line.
As in figure 2.3.7, you need to initiate the configuration. The full configuration is explained in the rest of this section.
oci setup config
Initially you need to provide the user OCID, the tenancy OCID and the region where your repository resides. This information needs to be obtained from your Cloud administrator.
In order to establish secure communication, OCI depends on API keys. In this example, I created new API keys for the configuration.
Then we can copy the generated public key by navigating to the location we provided when creating the keys.
The next step is to add the copied contents to the OCI tenant. As in figure 2.3.11, we need to create an API key in the console for the user profile. This user might be the person who is going to run the script.
The profile can be found on the top left corner of the console.
Under the resources section you can find the API keys to add.
Then select the ‘Paste a public key’ option and paste the public key copied earlier.
Once it’s created successfully, you will see a summary as shown in figure 2.3.14.
You can then issue a sample OCI CLI command and verify whether the tool is working as expected.
2.4 Deploy Migration Script
This section presents the migration script and the preparation of the configuration details it requires. Below is the sample script that you can use to migrate images from AWS to OCI. After the script you will find details on obtaining the values for the variables.
Script
#!/bin/bash
# Stop on the first failed command, unset variable or failed pipeline stage
set -euo pipefail
# AWS and OCI configurations
AWS_REGION="<aws-region>"
AWS_ACCOUNT_ID="<aws-account-id>"
OCI_REGION_KEY="<region-key>"
OCI_NAMESPACE="<tenancy-namespace>"
OCI_REPO_NAME="<oci-repository-name>"
AWS_REPO_NAME="<aws-repository-name>"
OCI_USERNAME="<oci-username>"
OCI_AUTH_TOKEN="<oci-auth-token>"
# Authenticate Docker with AWS ECR (the password is passed on stdin)
aws ecr get-login-password --region "$AWS_REGION" | docker login --username AWS --password-stdin "$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com"
# Authenticate Docker with OCIR (token on stdin so it does not appear in the process list)
printf '%s' "$OCI_AUTH_TOKEN" | docker login -u "$OCI_NAMESPACE/oracleidentitycloudservice/$OCI_USERNAME" --password-stdin "$OCI_REGION_KEY.ocir.io"
# Get all tags for each image in the specified AWS ECR repository
TAGS=$(aws ecr list-images --repository-name "$AWS_REPO_NAME" --region "$AWS_REGION" --query 'imageIds[*].imageTag' --output text)
# Show the tags that will be migrated
echo "images are : $TAGS"
# Loop through each tag
for TAG in $TAGS; do
    if [ -z "$TAG" ]; then
        echo "Skipping untagged image in $AWS_REPO_NAME."
        continue
    fi
    # Define the source and target image names with tags
    AWS_IMAGE="$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$AWS_REPO_NAME:$TAG"
    OCI_IMAGE="$OCI_REGION_KEY.ocir.io/$OCI_NAMESPACE/$OCI_REPO_NAME:$TAG"
    echo "================================================================"
    echo "1.) Pulling $AWS_IMAGE ..."
    echo "================================================================"
    docker pull "$AWS_IMAGE"
    echo "================================================================"
    echo "2.) Tagging $AWS_IMAGE as $OCI_IMAGE ..."
    echo "================================================================"
    docker tag "$AWS_IMAGE" "$OCI_IMAGE"
    echo "================================================================"
    echo "3.) Pushing $OCI_IMAGE ..."
    echo "================================================================"
    docker push "$OCI_IMAGE"
    # Optionally, remove local images to free up space
    docker rmi "$AWS_IMAGE" "$OCI_IMAGE"
done
echo "================================================================"
echo " Migration completed for repository $AWS_REPO_NAME."
echo "================================================================"
Script Configurations
The following variables will need to be updated prior to running the script.
- AWS_REGION : region code where the source images are located
- AWS_ACCOUNT_ID : 12 digit AWS account id
- OCI_REGION_KEY : Oracle cloud region ID where the repository resides
- OCI_NAMESPACE : OCI tenancy namespace
- OCI_REPO_NAME : OCI repository name (the target repository)
- AWS_REPO_NAME : AWS repository name (the source repository)
- OCI_USERNAME : Oracle username running the script (usually the email)
- OCI_AUTH_TOKEN : OCI auth token; obtaining the auth token is explained later in this section
Below is an example of values that can be provided for the script.
Creating auth token
Now we need to create an auth token for the user expected to run the script. First, navigate to the ‘My profile’ section from the OCI console.
Under the resources section, you can find the ‘Auth tokens’. Now we need to generate an auth token.
Provide any meaningful description as in figure 2.4.3.
Once the token is generated, you will need to record it as it will not be shown again.
With this you are now ready to do the migration.
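An added example, not part of the original script: pre-flight checks that can run before the two logins, verifying the variables listed above and reading the auth token from a file with owner-only permissions instead of storing it in the script. OCI_TOKEN_FILE and the function names are assumptions introduced for this illustration.

```bash
#!/bin/bash
# Added example: pre-flight checks for the migration script's variables.
# OCI_TOKEN_FILE and all function names are assumptions, not from the original.

check_value() {   # usage: check_value NAME VALUE
  case "$2" in
    "")          echo "ERROR: $1 is empty" >&2; return 1 ;;
    *"<"*|*">"*) echo "ERROR: $1 still holds a placeholder" >&2; return 1 ;;
    *" "*)       echo "ERROR: $1 contains a space" >&2; return 1 ;;
  esac
}

check_account_id() {   # the page describes AWS_ACCOUNT_ID as 12 digits
  case "$1" in
    ""|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# Print the token only if the file belongs to the caller and grants nothing
# to group or others (mode ends in 00, e.g. 600 or 400).
read_token_file() {
  local file="$1" mode
  if [ ! -f "$file" ] || [ ! -O "$file" ]; then
    echo "ERROR: $file is missing or not owned by the current user" >&2; return 1
  fi
  mode=$(stat -c '%a' "$file") || return 1
  case "$mode" in
    *00) ;;
    *) echo "ERROR: $file has mode $mode, expected 600" >&2; return 1 ;;
  esac
  [ -s "$file" ] || { echo "ERROR: $file is empty" >&2; return 1; }
  tr -d '\r\n' < "$file"
}

preflight() {
  local pair
  for pair in "AWS_REGION=${AWS_REGION:-}" "AWS_ACCOUNT_ID=${AWS_ACCOUNT_ID:-}" \
      "OCI_REGION_KEY=${OCI_REGION_KEY:-}" "OCI_NAMESPACE=${OCI_NAMESPACE:-}" \
      "OCI_REPO_NAME=${OCI_REPO_NAME:-}" "AWS_REPO_NAME=${AWS_REPO_NAME:-}" \
      "OCI_USERNAME=${OCI_USERNAME:-}"; do
    check_value "${pair%%=*}" "${pair#*=}" || return 1
  done
  check_account_id "$AWS_ACCOUNT_ID" || { echo "ERROR: AWS_ACCOUNT_ID must be 12 digits" >&2; return 1; }
  OCI_AUTH_TOKEN=$(read_token_file "${OCI_TOKEN_FILE:-}") || return 1
}
# After preflight succeeds, the token can be passed to docker login on stdin
# with --password-stdin rather than on the command line.
```

Create the token file with `chmod 600` before the first run; the script itself then contains no secret and can be shared or version-controlled.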
2.5 Migrating Images
In this example I created the script with the name ‘migrate_images.sh’; it now needs to be given execution rights.
chmod +x migrate_images.sh
Then we can run the script from the location it was saved.
./migrate_images.sh
At the start of the script it will authenticate into AWS and OCI environments based on the configuration details provided in the variables section of the script.
It then migrates image by image from AWS to OCI. Log output is shown for pulling each image from AWS, tagging it and pushing it to the OCI tenant.
Once all images are migrated, the tags and intermediate images on the VM will be deleted.
Now you can log in to the OCI tenant and verify that the migrated images are available in the OCI container registry.
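One way to make the verification step above repeatable, as an added example that is not part of the original script: compare tag and digest listings of the source and target repositories. The function names and the two-column format of the OCIR listing file are assumptions. A DIGEST_DIFF line means the manifest stored in OCIR is not byte-identical to the one in ECR and should be reviewed.

```bash
#!/bin/bash
# Added example: compare "TAG DIGEST" listings of the source and target repository.
# The ECR listing can be produced with (untagged images show up as "None"):
#   aws ecr list-images --repository-name "$AWS_REPO_NAME" --region "$AWS_REGION" \
#     --query 'imageIds[*].[imageTag,imageDigest]' --output text
# Assumption: the OCIR listing was exported in the same two-column form.

compare_listings() {   # usage: compare_listings ECR_FILE OCIR_FILE
  local out rc
  out=$(awk '
    FILENAME == ARGV[1] { if ($1 != "" && $1 != "None") src[$1] = $2; next }
    $1 != ""            { dst[$1] = $2 }
    END {
      for (t in src) {
        if (!(t in dst))           { print "MISSING " t;     bad = 1 }
        else if (dst[t] != src[t]) { print "DIGEST_DIFF " t; bad = 1 }
      }
      # Tags present only in the target were not produced by this migration
      for (t in dst) if (!(t in src)) { print "UNEXPECTED " t; bad = 1 }
      exit bad + 0
    }' "$1" "$2") && rc=0 || rc=$?
  [ -z "$out" ] || printf '%s\n' "$out" | sort
  return "$rc"
}

demo() {   # constructed sample data, not real digests
  local d rc
  d=$(mktemp -d)
  printf '%s\n' 'nginx sha256:1111' 'postgres sha256:2222' 'None sha256:3333' > "$d/ecr.txt"
  printf '%s\n' 'nginx sha256:1111' 'postgres sha256:9999' > "$d/ocir.txt"
  compare_listings "$d/ecr.txt" "$d/ocir.txt" && rc=0 || rc=$?
  rm -rf "$d"
  return "$rc"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The function returns non-zero when any line is reported, so it can gate the decommissioning of the source repository.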
3. Summary
This article explains how to migrate images from an AWS image repository to an OCI container repository. The approach was to create a script to automate the migration, and the script was deployed on a VM residing in the OCI tenancy.
All views expressed in this blog are personal.