Running a Docker image on a VM using the management console, CLI, and API
To run a Docker image on a VM using a Yandex Container Registry registry, complete these steps:
- Get your cloud ready.
- Create a registry in Container Registry.
- Create a service account.
- Create your Compute Cloud VM.
- Build and push the Docker image to Container Registry.
- Upload the Docker image to the VM.
- Check the result.
If you no longer need the resources you created, delete them.
Get your cloud ready
Sign up in Yandex Cloud and create a billing account:
- Navigate to the management console and log in to Yandex Cloud or register a new account.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the
ACTIVEorTRIAL_ACTIVEstatus. If you do not have a billing account, create one and link a cloud to it.
If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.
Learn more about clouds and folders.
Required paid resources
The infrastructure support costs include:
- Fee for a continuously running VM (see Yandex Compute Cloud pricing).
- Fee for using a dynamic or static public IP address (see Yandex Virtual Private Cloud pricing).
- Fee for storing a Docker image in the registry and outgoing traffic (see Yandex Container Registry pricing).
Create an SSH key pair
Prepare an SSH key for VM access.
-
Open the terminal.
-
Use the
ssh-keygencommand to create a new key:ssh-keygen -t ed25519 -C "<optional_comment>"You can specify an empty string in the
-Cparameter to avoid adding a comment, or you may not specify the-Cparameter at all: in this case, a default comment will be added.After running this command, you will be prompted to specify the name and path to the key files, as well as enter the password for the private key. If you only specify the name, the key pair will be created in the current directory. The public key will be saved in a file with the
.pubextension, while the private key, in a file without extension.By default, the command prompts you to save the key under the
id_ed25519name in the following directory:/home/<username>/.ssh. If there is already an SSH key namedid_ed25519in this directory, you may accidentally overwrite it and lose access to the resources it is used in. Therefore, you may want to use unique names for all SSH keys.
If you do not have OpenSSH installed yet, follow this guide to install it.
-
Run
cmd.exeorpowershell.exe(make sure to update PowerShell before doing so). -
Use the
ssh-keygencommand to create a new key:ssh-keygen -t ed25519 -C "<optional_comment>"You can specify an empty string in the
-Cparameter to avoid adding a comment, or you may not specify the-Cparameter at all: in this case, a default comment will be added.After running this command, you will be prompted to specify the name and path to the key files, as well as enter the password for the private key. If you only specify the name, the key pair will be created in the current directory. The public key will be saved in a file with the
.pubextension, while the private key, in a file without extension.By default, the command prompts you to save the key under the
id_ed25519name in the following folder:C:\Users\<username>/.ssh. If there is already an SSH key namedid_ed25519in this directory, you may accidentally overwrite it and lose access to the resources it is used in. Therefore, you may want to use unique names for all SSH keys.
Create keys using the PuTTY app:
-
Download and install PuTTY.
-
Add the folder with PuTTY to the
PATHvariable:- Click Start and type Change system environment variables in the Windows search bar.
- Click Environment Variables... at the bottom right.
- In the window that opens, find the
PATHparameter and click Edit. - Add your folder path to the list.
- Click OK.
-
Launch the PuTTYgen app.
-
Select EdDSA as the pair type to generate. Click Generate and move the cursor in the field above it until key creation is complete.
-
In Key passphrase, enter a strong password. Enter it again in the field below.
-
Click Save private key and save the private key. Do not share its key phrase with anyone.
-
Click Save public key and save the public key to a file named
<key_name>.pub.
Warning
Store your private key securely, as you will not be able to connect to the VM without it.
Install and configure Docker
-
Install Docker Engine. Use this guide to install and run Docker for your operating system.
-
After the installation is complete, add the current user to the
dockergroup:sudo groupadd docker sudo usermod -aG docker $USER newgrp docker
For information about additional Docker settings for Linux, see the developer documentation.
If you are working on a device with a GUI, you can also install Docker Desktop for Linux.
Download and install the Docker Desktop distribution for macOS. For more information, see the developer documentation.
-
Download and install the Docker Desktop distribution for Windows.
-
After the installation is complete, add the current user to the
docker-usersgroup:-
Run Computer Management as administrator:
compmgmt.msc -
Expand the (Local) Computer Management menu, then go to Utilities → Local Users and Groups → Groups and open the
docker-usersgroup. -
Click Add and add the required user to the group.
-
Click OK.
-
-
Run Docker Desktop and make sure the app status is
running.
For information about additional Docker settings for Windows, see the developer documentation.
Create a registry in Container Registry
Create a registry in Container Registry.
-
In the management console, select the folder where you want to create a registry.
-
In the list of services, select Container Registry.
-
Click Create registry.
-
Specify a name for the registry. Follow these naming requirements:
- It must be from 2 to 63 characters long.
- It can only contain lowercase Latin letters, numbers, and hyphens.
- It must start with a letter and cannot end with a hyphen.
-
Optionally, under Automatic scanning:
-
Disable Scan Docker images on push to skip scanning of Docker images at their upload to the repository.
-
Disable Scan all Docker images in the registry or set the scanning frequency.
Warning
Automatic Docker image scanning makes your registry more secure. The default vulnerability scan settings are consistent with the Yandex Cloud cloud infrastructure security standard.
-
-
Optionally, add labels.
-
Click Create registry.
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
-
Make sure that a registry has not been created in the folder yet:
yc container registry listResult:
+----+------+-----------+ | ID | NAME | FOLDER ID | +----+------+-----------+ +----+------+-----------+If the folder already contains a registry, see Updating a registry for info on how you can update it.
-
Create a registry:
-
With automated vulnerability scanning:
yc container registry create --name my-reg --secureWarning
Automatic Docker image scanning makes your registry more secure. The default vulnerability scan settings are consistent with the Yandex Cloud cloud infrastructure security standard.
-
Without automated vulnerability scanning:
yc container registry create --name my-reg
Result:
done id: crpd50616s9a******** folder_id: b1g88tflru0e******** name: my-reg status: ACTIVE created_at: "2019-01-09T14:34:06.601Z"Follow these registry naming requirements:
- It must be from 2 to 63 characters long.
- It can only contain lowercase Latin letters, numbers, and hyphens.
- It must start with a letter and cannot end with a hyphen.
The
--nameparameter is optional. You can create a registry without a name and use its ID to access it. Thenamefield is user-defined. It is used when listing in the Yandex Cloud CLI and not used in the Docker CLI. -
-
Make sure the registry was created:
yc container registry listResult:
+----------------------+--------+----------------------+ | ID | NAME | FOLDER ID | +----------------------+--------+----------------------+ | crpd50616s9a******** | my-reg | b1g88tflru0e******** | +----------------------+--------+----------------------+
Create a service account
Create a service account and assign to it the container-registry.images.puller role for the registry created earlier:
- In the management console, select the folder where you want to create your service account.
- At the top of the screen, navigate to the Service accounts tab.
- Click Create service account.
- Enter
images-pulleras the service account name and click Create. - At the top of the screen, navigate to the Folder dashboard tab.
- In the list of services, select Container Registry.
- Select the registry and click the row with its name.
- Navigate to the Access bindings tab.
- In the top-right corner, click Assign roles.
- Click Select subject and add the service account by providing its ID.
- Click Add role and select
container-registry.images.puller. - Click Save.
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
-
View a description of the CLI command to create a service account:
yc iam service-account create --help -
Create a service account:
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the
yc config set folder-id <folder_ID>command. You can also set a different folder for any specific command using the--folder-nameor--folder-idparameter.yc iam service-account create --name images-pullerResult:
id: ajelabcde12f******** folder_id: b0g12ga82bcv******** created_at: "2020-11-30T14:32:18.900092Z" name: myservice-acc -
Assign the
container-registry.images.pullerrole to the service account:yc container registry add-access-binding <registry_name_or_ID> \ --role container-registry.images.puller \ --subject serviceAccount:<service_account_ID>Where
--subjectis the ID of the service account getting the role, e.g.,ajelabcde12f********.
-
To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.
-
To assign the service account a role for the registry, use the updateAccessBindings REST API method for the Registry resource or the RegistryService/UpdateAccessBindings gRPC API call.
Create a Compute Cloud VM
Create a VM with a public IP address and link the service account you created to it:
-
On the folder dashboard of the management console, click Create resource and select
Virtual machine instance. -
Select Advanced setup.
-
Under Boot disk image, select an image and a Linux-based OS version.
-
Under Location, select the availability zone to create your VM in. If you are not sure which one to choose, leave the default.
-
Optionally, under Disks and file storages, specify the required boot disk type and size.
To add a new secondary disk or connect an existing one, click Add.
You can also create a VM from an existing disk.
-
Under Network settings:
- In the Subnet field, select the network and subnet to connect your VM to. If the required network or subnet is not there, create it.
- Under Public IP address, leave
Autoto assign a random external IP address from the Yandex Cloud pool to your VM. Alternatively, select a static address from the list if you reserved one. If you prefer not to assign a public IP address, selectNo address. - Expand Additional and enable DDoS protection, if required.
-
Under Access, select SSH key and specify the VM access data:
- Under Login, enter the username. Do not use
rootor other reserved usernames. To perform operations requiring root privileges, use thesudocommand. -
In the SSH key field, select the SSH key saved in your organization user profile.
If there are no saved SSH keys in your profile, or you want to add a new key:
- Click Add key.
- Enter a name for the SSH key.
- Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
- Click Add.
The SSH key will be added to your organization user profile.
If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.
- Under Login, enter the username. Do not use
-
Under General information, specify the VM name. Follow these naming requirements:
- It must be from 2 to 63 characters long.
- It can only contain lowercase Latin letters, numbers, and hyphens.
- It must start with a letter and cannot end with a hyphen.
Note
The VM name is used to generate an internal FQDN, which is set only once, when you create the VM. If the internal FQDN is important to you, make sure to choose an appropriate name for your VM.
-
Under Additional, select the service account you created in the previous step.
-
Click Create VM.
-
View the description of the CLI command to create a VM:
yc compute instance create --help -
Prepare a key pair (public and private keys) for SSH access to your VM.
-
Select in Cloud Marketplace a public image based on a Linux OS (for example, CentOS 7).
To get a list of available images using the CLI, run this command:
yc compute image list --folder-id standard-imagesResult:
+----------------------+-------------------------------------+--------------------------+----------------------+--------+ | ID | NAME | FAMILY | PRODUCT IDS | STATUS | +----------------------+-------------------------------------+--------------------------+----------------------+--------+ ... | fdvk34al8k5n******** | centos-7-1549279494 | centos-7 | dqni65lfhvv2******** | READY | | fdv7ooobjfl3******** | windows-2016-gvlk-1548913814 | windows-2016-gvlk | dqnnc72gj2is******** | READY | | fdv4f5kv5cvf******** | ubuntu-1604-lts-1549457823 | ubuntu-1604-lts | dqnnb6dc7640******** | READY | ... +----------------------+-------------------------------------+--------------------------+----------------------+--------+Where:
-
ID: Image ID. -
NAME: Image name. -
FAMILY: ID of the image family the image belongs to. -
PRODUCT IDS: IDs of Yandex Cloud Marketplace products associated with the image. -
STATUS: Current status of the image. It may take one of the following values:STATUS_UNSPECIFIED: Image status is not defined.CREATING: Image is being created.READY: Image is ready to use.ERROR: You cannot use the image due to an issue.DELETING: Image is being deleted.
-
-
View a list of available subnets:
yc vpc subnet listResult:
+----------------------+---------------------------+----------------------+----------------+-------------------+-----------------+ | ID | NAME | NETWORK ID | ROUTE TABLE ID | ZONE | RANGE | +----------------------+---------------------------+----------------------+----------------+-------------------+-----------------+ | b0c6n43f9lgh******** | default-ru-central1-d | enpe3m3fa00u******** | | ru-central1-d | [10.130.0.0/24] | | e2l2da8a20b3******** | default-ru-central1-b | enpe3m3fa00u******** | | ru-central1-b | [10.129.0.0/24] | | e9bnlm18l70a******** | default-ru-central1-a | enpe3m3fa00u******** | | ru-central1-a | [10.128.0.0/24] | +----------------------+---------------------------+----------------------+----------------+-------------------+-----------------+ -
Create a VM in the default folder:
yc compute instance create \ --name first-instance \ --zone ru-central1-b \ --network-interface subnet-name=default-ru-central1-b,nat-ip-version=ipv4 \ --create-boot-disk image-folder-id=standard-images,image-family=centos-7 \ --ssh-key ~/.ssh/id_ed25519.pub --service-account-name service-accWhere:
-
--name: VM name.Note
The VM name is used to generate an internal FQDN, which is set only once, when you create the VM. If the internal FQDN is important to you, make sure to choose an appropriate name for your VM.
-
--zone: Availability zone matching the selected subnet. -
subnet-name: Name of the selected subnet. -
image-family: Image family, e.g.,centos-7. This option allows you to install the latest version of the operating system from the specified image family. -
Public IP. To create a VM without a public IP address, disable the
nat-ip-version=ipv4option. -
--ssh-key: Public SSH key path. The VM will automatically create a user namedyc-userfor this key. -
--service-account-name: Name of the service account created in the previous step.
This will create a VM called
first-instance. -
Create a VM using the Create REST API method for the Instance resource:
-
Prepare a key pair (public and private keys) for SSH access to your VM.
-
Get a Yandex Identity and Access Management token used for authentication in the examples:
-
Get the ID of the folder.
-
Get information about the image to create your VM from (image ID and minimum disk size):
-
If you know the image family, get info on the latest image in that family:
export IAM_TOKEN=CggaATEVAgA... export FAMILY=ubuntu-1804 curl --header "Authorization: Bearer ${IAM_TOKEN}" \ "https://compute.api.cloud.yandex.net/compute/v1/images:latestByFamily?folderId=standard-images&family=${FAMILY}" -
You can get information on the image from the list of public images.
-
-
Get the subnet ID and availability zone ID. Specify the ID of the folder where the subnet was created in your request:
export IAM_TOKEN=CggaATEVAgA... export FOLDER_ID=b1gvmob95yys******** curl --header "Authorization: Bearer ${IAM_TOKEN}" \ "https://vpc.api.cloud.yandex.net/vpc/v1/subnets?folderId=${FOLDER_ID}" { "subnets": [ { "v4CidrBlocks": [ "10.130.0.0/24" ], "id": "b0c6n43ftldh********", "folderId": "b1gvmob95yys********", "createdAt": "2018-09-23T12:15:00Z", "name": "default-ru-central1-b", "description": "Auto-created default subnet for zone ru-central1-b", "networkId": "enpe3m3faglu********", "zoneId": "ru-central1-b" }, ... ]} -
Create a file named
body.jsonwith the body of the request to create a VM:{ "folderId": "b1gvmob95yys********", "name": "instance-demo-no-pwauth", "zoneId": "ru-central1-b", "platformId": "standard-v3", "resourcesSpec": { "memory": "2147483648", "cores": "2" }, "metadata": { "user-data": "#cloud-config\nusers:\n - name: user\n groups: sudo\n shell: /bin/bash\n sudo: 'ALL=(ALL) NOPASSWD:ALL'\n ssh_authorized_keys:\n - ssh-ed25519 AAAAB3N... user@example.com" }, "bootDiskSpec": { "diskSpec": { "size": "2621440000", "imageId": "fd8rc75pn12f********" } }, "networkInterfaceSpecs": [ { "subnetId": "b0c6n43ftldh********", "primaryV4AddressSpec": { "oneToOneNatSpec": { "ipVersion": "IPV4" } } } ], "serviceAccountId": "ajelabcde12f********" }Where:
-
folderId: Folder ID. -
name: Name the VM will get when created. -
zoneId: Availability zone matching the selected subnet. -
platformId: Platform. -
resourceSpec: Resources available to the VM. The values must match the selected platform. -
metadata: In metadata, provide the public key for accessing the VM via SSH. For more information, see VM metadata. -
bootDiskSpec: Boot disk settings. Specify the selected image ID and disk size. The disk size must not be less than the minimum value specified in the image info. -
networkInterfaceSpecs: Network settings:-
subnetId: ID of the selected subnet. -
primaryV4AddressSpec: IP address to assign to the VM. To add a public IP address to your VM, specify the following:"primaryV4AddressSpec": { "oneToOneNatSpec": { "ipVersion": "IPV4" } }
-
-
serviceAccountId: ID of the service account created in the previous step.
For more information about the request body format, see the API reference.
-
-
Create a VM:
export IAM_TOKEN=CggaATEVAgA... curl --request POST \ --header "Content-Type: application/json" \ --header "Authorization: Bearer ${IAM_TOKEN}" \ --data '@body.json' \ https://compute.api.cloud.yandex.net/compute/v1/instances
After creating the VM, build and upload the Docker image to Container Registry.
Build and push the Docker image to Container Registry
The example below is intended to be run in MacOS and Linux. To run it in Windows, see how to work with Bash in Microsoft Windows.
-
Open the terminal.
-
To make command execution easier, add the following variables:
-
Username and your VM's public IP to the
${PUBLIC_IP}variable:export PUBLIC_IP=<username>@<VM_public_IP_address> -
ID of the previously created registry in
crpc9qeoft23********format to the${REGISTRY_ID}variable:export REGISTRY_ID=<registry_ID>
-
-
Authenticate as yourself:
OAuth tokenIAM tokenDocker credential helper-
If you do not have an OAuth token yet, get one by following this link.
-
Run this command:
echo <OAuth_token> | docker login --username oauth --password-stdin cr.yandexResult:
Login Succeeded
Note
The IAM token has a short lifetime: no more than 12 hours. This makes it a good method for applications that automatically request an IAM token.
-
Get an IAM token.
-
Run this command:
yc iam create-token | docker login --username iam --password-stdin cr.yandexResult:
... Login Succeeded
-
If you do not have a CLI profile yet, create one.
-
Configure Docker to use
docker-credential-yc:yc container registry configure-dockerResult:
Credential helper is configured in '/home/<user>/.docker/config.json'The current user's profile holds the saved settings.
Warning
The credential helper only works if you use Docker without
sudo. To learn how to configure Docker to run under the current user withoutsudo, see the official documentation. -
Make sure that Docker is configured.
The following line must appear in the
/home/<user>/.docker/config.jsonconfiguration file:"cr.yandex": "yc" -
You can now use Docker, for example, to push Docker images. You do not need to run the
docker logincommand for that.
-
-
Create a file called Dockerfile:
touch .dockerfile -
Open Dockerfile in a text editor, e.g.:
nano .dockerfile -
Add the lines below to the file:
FROM ubuntu:latest CMD echo "Hi, I'm inside" -
Build the Docker image:
docker build . -t cr.yandex/${REGISTRY_ID}/ubuntu:hello -f .dockerfileResult:
... Successfully built b68ee9b6b1af Successfully tagged cr.yandex/crpmnjr98tm5********/ubuntu:hello -
Push the built Docker image to Container Registry:
docker push cr.yandex/${REGISTRY_ID}/ubuntu:helloResult:
The push refers to repository [cr.yandex/crpc9qeoft23********/ubuntu] cc9d18e90faa: Pushed 0c2689e3f920: Pushed 47dde53750b4: Pushed hello: digest: sha256:42068479274f1d4c7ea095482430dcba24dcfe8c23ebdf6d32305928******** size: 943
Push the Docker image to the VM
-
Use SSH to connect to the VM.
-
On the VM, install and configure Docker.
-
Authenticate under the service account tied to the machine:
curl --header Metadata-Flavor:Google 169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token | \ cut -f1 -d',' | \ cut -f2 -d':' | \ tr -d '"' | \ docker login --username iam --password-stdin cr.yandexResult:
Login Succeeded -
To make it easier to run commands, add the ID of the registry you created earlier to the
${REGISTRY_ID}variable:export REGISTRY_ID=<registry_ID> -
Download the Docker image to the VM:
docker pull cr.yandex/${REGISTRY_ID}/ubuntu:helloResult:
hello: Pulling from crpc9qeoft23********/ubuntu 6a5697faee43: Pulling fs layer ba13d3bc422b: Pulling fs layer ... Digest: sha256:42068479274f1d4c7ea095482430dcba24dcfe8c23ebdf6d32305928******** Status: Downloaded newer image for cr.yandex/crpc9qeoft23********/ubuntu:hello cr.yandex/crpc9qeoft23********/ubuntu:hello
Check the result
Run the Docker image on the VM:
docker run cr.yandex/${REGISTRY_ID}/ubuntu:hello
Result:
Hi, I'm inside
How to delete the resources you created
To stop paying for the resources you created:
- Delete the VM.
- Delete the static public IP address if you reserved one.
- Delete the Docker image.
- Delete the registry.