使用AWS CodeBuild和GitHub操作構建多架結構容器圖像

隨著計算的景觀不斷發展，越來越強調支持各種計算體系結構。

This blog was authored by Zakiya Randall, Technical Account Manager and co-written with Muru Bhaskaran, Sr. Specialist Solutions Architect.

該博客是由技術客戶經理Zakiya Randall撰寫的，並與Sr.專業解決方案建築師Muru Bhaskaran共同撰寫。

As the landscape of computing continues to evolve, there is a growing emphasis on supporting a diverse range of computing architectures. This shift is driven by the need for flexibility, efficiency, and performance optimization across different hardware platforms. Consequently, it has become increasingly important for developers and organizations to build container images that are compatible with multiple architectures (multi-arch).

隨著計算的景觀不斷發展，越來越強調支持各種計算體系結構。這種轉變是由於對不同硬件平台的靈活性，效率和性能優化的需求所驅動的。因此，對於開發人員和組織而言，構建與多個體系結構（多核管）兼容的容器圖像變得越來越重要。

AWS CodeBuild is a fully managed continuous integration service that now supports managed GitHub Actions runners, which are self-hosted runners that allow users to configure their CodeBuild projects to receive GitHub Actions workflow job events. In this post, we demonstrate a solution that uses GitHub, GitHub Actions workflows, and CodeBuild to build native container images for both x86 and AWS Graviton-based compute on AWS. Upon completion of our GitHub Actions workflow, we will proceed to push our multi-arch images to Amazon Elastic Container Registry (Amazon ECR).

AWS CodeBuild是一項完全託管的連續集成服務，現在支持託管的GitHub Actions跑步者，它們是自託管跑步者，允許用戶配置其CodeBuild項目以接收GitHub Actions Workflow工作Flow工作事件。在這篇文章中，我們演示了一種使用GitHub，GitHub Action工作流程和CodeBuild的解決方案，以構建X86和AWS GRAVITON基於AWS的AWS COMPETE的本機容器圖像。完成GitHub Action工作流程後，我們將繼續將多ARCH圖像推向Amazon彈性容器註冊表（Amazon ECR）。

Solution overview

解決方案概述

The architecture diagram illustrates the workflow that occurs upon committing a change to the GitHub repository, detailing the subsequent steps involved in pushing the container image to Amazon ECR.

該架構圖說明了對GitHub存儲庫進行更改後發生的工作流程，詳細介紹了將容器圖像推向Amazon ECR所涉及的後續步驟。

Figure 1: Solution architecture diagram

圖1：解決方案架構圖

Prerequisites

先決條件

The following prerequisites are necessary to complete this solution:

以下先決條件是完成此解決方案的必要條件：

Walkthrough

演練

The following steps walk you through this solution.

以下步驟可以使您完成此解決方案。

Creating GitHub repository files

創建GitHub存儲庫文件

To begin creating the solution, you need a GitHub repository to store the Dockerfile, index.html file, and GitHub Actions workflow YAML file. Refer to Creating a new GitHub repository for step by step instructions. For this example, the following files should be committed to the root of the GitHub repository.

要開始創建解決方案，您需要一個GitHub存儲庫來存儲Dockerfile，index.html文件和GitHub Actions WorkFlow yaml文件。請參閱創建一個新的GitHub存儲庫，以逐步說明。在此示例中，應將以下文件定為GitHub存儲庫的根。

Create two CodeBuild projects for the x86 and arm64 compute architectures

為X86和ARM64計算體系結構創建兩個代碼建築項目

You must create two CodeBuild projects to run your GitHub Actions jobs. Your CodeBuild projects should follow the following naming structure for -x86 and -arm64. Refer to the following tutorial to set up two CodeBuild projects for the x86 and arm64 compute environments. You should use the OAuth app authentication method to connect with your GitHub repository. For the x86 and arm64 CodeBuild projects, choose a supported environment image that matches each compute architecture. Your Buildspec build specifications are ignored. Instead, CodeBuild overrides it to use commands that setup the compute runner.

您必須創建兩個代碼建築項目來運行您的GitHub操作作業。您的CodeBuild項目應遵循-X86和-ARM64的以下命名結構。請參閱以下教程，以為X86和ARM64計算環境設置兩個代碼構建項目。您應該使用OAuth應用程序身份驗證方法與GitHub存儲庫連接。對於X86和ARM64 CodeBuild項目，請選擇與每個計算體系結構相匹配的支持的環境圖像。您的buildSpec構建規格將被忽略。相反，CodeBuild將其覆蓋以使用設置Compute Runner的命令。

Figure 2: CodeBuild Projects for x86 and arm64

圖2：X86和ARM64的CodeBuild項目

Create an Amazon ECR repository

創建一個亞馬遜ECR存儲庫

You also need to create an Amazon ECR repository to store the x86 and arm64 container images. Run the following AWS CLI command to create an Amazon ECR repository.

您還需要創建一個Amazon ECR存儲庫來存儲X86和ARM64容器圖像。運行以下AWS CLI命令來創建Amazon ECR存儲庫。

After creating and defining your Amazon ECR repository, you must define a role so that the CodeBuild runners can have permission to access and push your images to your Amazon ECR repository. The following role that you create allows you to push images to your Amazon ECR repository.

在創建和定義亞馬遜ECR存儲庫後，您必須定義角色，以便CodeBuild跑步者可以允許訪問並將圖像推向亞馬遜ECR存儲庫。您創建的以下角色使您可以將圖像推向亞馬遜ECR存儲庫。

After creating the policy, go to the AWS Identity and Access Management (IAM) console to create an Identity Provider and choose OpenID Connect. For the Provider URL, choose https://token.actions.githubusercontent.com. For the Audience, choose sts.amazonaws.com.

創建策略後，轉到AWS Identity and Access Management（IAM）控制台創建身份提供商並選擇OpenID Connect。對於提供商URL，選擇https://token.actions.githubusercontent.com。對於觀眾，選擇sts.amazonaws.com。

2. After you create the provider, create a role and choose Web Identity. In the drop-down box, you should see the Provider URL for https://token.actions.githubusercontent.com. Choose this option and specify sts.amazonaws.com for your Audience. In the GitHub organization, specify your GitHub Organization and add the repository that you created in the initial setup. Choose Next.

2。創建提供商後，創建角色並選擇Web身份。在下拉框中，您應該看到https://token.actions.githubusercontent.com的提供商URL。選擇此選項並為您的聽眾指定sts.amazonaws.com。在GitHub組織中，指定您的GitHub組織，並添加您在初始設置中創建的存儲庫。選擇下一步。

Figure 3: Example of creating the role

圖3：創建角色的示例

3. On the Add Permissions page, choose the policy that you created in Step 1 so that you can push images to Amazon ECR. Choose Next. On the next screen, name the role and choose Create role.

3。在“添加權限”頁面上，選擇您在步驟1中創建的策略，以便可以將圖像推向Amazon ECR。選擇下一步。在下一個屏幕上，命名角色並選擇創建角色。

Figure 4: Example of adding policy permissions

圖4：添加策略權限的示例

4. Go to Settings within your GitHub repository, and under Security in the left pane, choose Secrets and Variables. Choose the Actions tab within Secrets and Variables. Choose New repository secret. For the name, enter AWS_ROLE_ARN, enter the AWS Role ARN of the role that you created in Step 3, and choose Add secret.

4。轉到GitHub存儲庫中的設置，並在左窗格中的安全性下選擇秘密和變量。在秘密和變量中選擇“動作”選項卡。選擇新的存儲庫秘密。對於該名稱，輸入AWS_ROLE_ARN，請輸入您在步驟3中創建的角色的AWS角色，然後選擇“添加秘密”。

Figure 5: Example of creating GitHub Actions secret for the AWS Role

圖5：為AWS角色創建GitHub動作的示例

5. Create another New repository secret for AWS_REGION. Specify the Region in which you created your resources and choose Add secret.

5。為AWS_Region創建另一個新的存儲庫秘密。指定創建資源的區域並選擇添加秘密。

Figure 6: Example of GitHub Actions secret for the AWS Region

圖6：GitHub動作的示例AWS區域的秘密

Prepare GitHub Actions workflow

準備github操作工作流程

A GitHub Actions workflow is a configurable automated process made up of one or more jobs and you can define these jobs in a YAML file. You are going to create a YAML file in the .github/workflows directory within your GitHub repository that defines the workflow for the solution. The YAML file for your GitHub Actions workflow contains the build

GitHub操作工作流程是由一個或多個作業組成的可配置的自動化過程，您可以在YAML文件中定義這些作業。您將在GitHub存儲庫中的.github/Workflows目錄中創建一個YAML文件，以定義解決方案的工作流程。 github操作工作流的yaml文件包含構建