AWS Fargate - CannotPullContainerError (500)?
AWS Fargate - CannotPullContainerError (500)?
我正在使用 AWS ECS 来托管我的服务。当我尝试使用 fargate 定义任务时,我遇到了以下问题。
CannotPullContainerError: API error (500): Get https://xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
此外,我还授予了在 IAM 用户中访问 ECR 的完全权限。请帮我解决这个问题。
看这里:https://github.com/aws/amazon-ecs-agent/issues/1128
特别是 samuelkarp
的评论
The error you are seeing below is commonly due to lack of internet
access to pull the image. The image pull occurs over the network
interface used by the Task, and as such shares security group and
routing rules.
Please check your configuration for the following:
If you are launching a task without a public IP, make sure that the
route table on the subnet has "0.0.0.0/0" going to a NAT Gateway or
NAT instance to ensure access to the internet. If your route table has
an internet gateway, this is acting like a firewall and preventing the
connection from being made. If you are launching a task with a public
IP, make sure that the route table on the subnet has "0.0.0.0/0" going
to an internet gateway to ensure you will be able to use the public IP
successfully for ingress traffic. Verify your security group rules for
the Task allows for outbound access. The default here is typically All
Traffic to 0.0.0.0/0. If neither of those networking changes apply to
you or if they do not fix your problem, please let us know so we can
further assist.
我已经回答了这个问题 here,但是复制粘贴也无妨。
缺少创建工作 NAT 网关的规范。在 GitHub issue Amazon 技术人员不断重复您 "just" 需要私有 IP + NAT,但事实并非如此。我自己为此苦苦挣扎很多,但最终在没有为我的 Fargate 服务使用 Public IP 的情况下让它正常工作。
要让 Fargate 服务在没有 Public IP 的情况下访问互联网,您需要设置一个具有 2 个子网的 VPC:
- 一个 public 子网,带有允许 双向 互联网访问的互联网网关
- 具有 NAT 网关的 私有 子网允许仅传出 互联网访问
您可以通过两种方式创建这样的 VPC:转到 Services > VPC > VPC Dashboard,单击 Launch VPC Wizard 和 selecting "VPC with Public and Private Subnets";或手动:
注意:以下所有步骤均在 Services > VPC
中执行
- 转到
Your VPCs 和 Create a VPC
- 转到
Subnets和Create subnet2次
private 子网
- 将其附加到焦点 VPC。无论 CIDR 块,无论您喜欢什么可用区
public 子网
- 将其附加到焦点 VPC。无论 CIDR 块,无论您喜欢什么可用区
- 转到
Internet Gateways 和 Create internet gateway
- 随意命名
- Select新创建的
Internet Gateway、Actions、Attach to VPC并附加到focus 的VPC上
- 转到
NAT Gateways 和 Create NAT Gateway
- 重要: Select
public 子网
Create New EIP 或使用现有的,因为你有 - 等待网关变成
Available
- 转到
Route Tables和Create route table 2次
private路线table
- 将其附加到焦点 VPC
- 返回列表,select路线table
Routes 选项卡位于底部,Edit routesAdd route,目标:0.0.0.0/0,目标是之前创建的 NAT 网关和 Save routes- 仍然有路线 table selected、
Actions 和 Set Main Route Table(如果还没有的话)
public路线table
- 将其附加到焦点 VPC
- 返回列表,select路线table
Routes 选项卡位于底部,Edit routesAdd route,目的地:0.0.0.0/0,目标是之前创建的互联网网关和 Save routesSubnet Associations 选项卡位于底部,Edit subnet associations- Select
public 子网,Save
- 把黄瓜放在眼睛上。
您放在 public 子网中的每项服务都将具有 双向 互联网访问权限,并且您放在 private 子网将 仅传出 互联网访问(是的,private 中的 Fargate 和 EC2 服务 没有 Public IP 的子网将可以访问互联网。
我正在使用 AWS ECS 来托管我的服务。当我尝试使用 fargate 定义任务时,我遇到了以下问题。
CannotPullContainerError: API error (500): Get https://xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
此外,我还授予了在 IAM 用户中访问 ECR 的完全权限。请帮我解决这个问题。
看这里:https://github.com/aws/amazon-ecs-agent/issues/1128
特别是 samuelkarp
的评论The error you are seeing below is commonly due to lack of internet access to pull the image. The image pull occurs over the network interface used by the Task, and as such shares security group and routing rules.
Please check your configuration for the following:
If you are launching a task without a public IP, make sure that the route table on the subnet has "0.0.0.0/0" going to a NAT Gateway or NAT instance to ensure access to the internet. If your route table has an internet gateway, this is acting like a firewall and preventing the connection from being made. If you are launching a task with a public IP, make sure that the route table on the subnet has "0.0.0.0/0" going to an internet gateway to ensure you will be able to use the public IP successfully for ingress traffic. Verify your security group rules for the Task allows for outbound access. The default here is typically All Traffic to 0.0.0.0/0. If neither of those networking changes apply to you or if they do not fix your problem, please let us know so we can further assist.
我已经回答了这个问题 here,但是复制粘贴也无妨。
缺少创建工作 NAT 网关的规范。在 GitHub issue Amazon 技术人员不断重复您 "just" 需要私有 IP + NAT,但事实并非如此。我自己为此苦苦挣扎很多,但最终在没有为我的 Fargate 服务使用 Public IP 的情况下让它正常工作。
要让 Fargate 服务在没有 Public IP 的情况下访问互联网,您需要设置一个具有 2 个子网的 VPC:
- 一个 public 子网,带有允许 双向 互联网访问的互联网网关
- 具有 NAT 网关的 私有 子网允许仅传出 互联网访问
您可以通过两种方式创建这样的 VPC:转到 Services > VPC > VPC Dashboard,单击 Launch VPC Wizard 和 selecting "VPC with Public and Private Subnets";或手动:
注意:以下所有步骤均在 Services > VPC
- 转到
Your VPCs和Create a VPC - 转到
Subnets和Create subnet2次private子网- 将其附加到焦点 VPC。无论 CIDR 块,无论您喜欢什么可用区
public子网- 将其附加到焦点 VPC。无论 CIDR 块,无论您喜欢什么可用区
- 转到
Internet Gateways和Create internet gateway- 随意命名
- Select新创建的
Internet Gateway、Actions、Attach to VPC并附加到focus 的VPC上
- 转到
NAT Gateways和Create NAT Gateway- 重要: Select
public子网 Create New EIP或使用现有的,因为你有- 等待网关变成
Available
- 重要: Select
- 转到
Route Tables和Create route table2次private路线table- 将其附加到焦点 VPC
- 返回列表,select路线table
Routes选项卡位于底部,Edit routesAdd route,目标:0.0.0.0/0,目标是之前创建的 NAT 网关和Save routes- 仍然有路线 table selected、
Actions和Set Main Route Table(如果还没有的话)
public路线table- 将其附加到焦点 VPC
- 返回列表,select路线table
Routes选项卡位于底部,Edit routesAdd route,目的地:0.0.0.0/0,目标是之前创建的互联网网关和Save routesSubnet Associations选项卡位于底部,Edit subnet associations- Select
public子网,Save
- 把黄瓜放在眼睛上。
您放在 public 子网中的每项服务都将具有 双向 互联网访问权限,并且您放在 private 子网将 仅传出 互联网访问(是的,private 中的 Fargate 和 EC2 服务 没有 Public IP 的子网将可以访问互联网。