ECS agent can not successfully pull image from ECR

Problem description

I have an ECS managed EC2 instance running in a VPC (in one of the private subnets). When trying to run a task on this instance it doesn't seem to be able to pull the image. As far as I can make out from the documentation there is no special configuration needed for the ECS agent to pull the image from the repo.

Looking at the Docker logs I repeatedly see the following:

level=error msg="Download failed, retrying: dial tcp 54.231.17.81:443: i/o timeout"

The ecs-agent logs repeatedly show me that the image is not downloading:

Pulling image module="TaskEngine" image="REDACTED.dkr.ecr.us-east-1.amazonaws.com/REDACTED:latest" status="Retrying in 19 seconds"

It eventually tries to run the image, but obviously fails and exits, giving me the message below in the Cluster Tasks tab:

STOPPED (Essential container in task exited)

This error has been occurring with both amzn-ami-2016.03.e and amzn-ami-2016.03.d AMIs

Are there any specific configuration or networking rules that I need to apply to be able to pull from ECR?

Any help here would be greatly appreciated.

As a side note, the instance does have access to the internet (pinging google.com works fine), and when I try to pull an image from Docker Hub, it also works fine.

Recommended answer

To download an image from ECR, the container instance needs access to the ECR/S3 endpoints.

If your subnet is private, you have to either use the PrivateLink feature or use a NAT gateway to reach the ECR endpoints.

If you choose to use PrivateLink, this includes:

  1. Create the VPC endpoints for Amazon ECR
  2. Create the Amazon S3 gateway endpoint

If you choose to use a NAT gateway, route all traffic to the NAT gateway and whitelist AWS IP ranges.

Reference link: https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html
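
One way to check the PrivateLink option described in the answer, as an added example that is not part of the original answer. It inspects the JSON returned by `aws ec2 describe-vpc-endpoints`; the sample data, the IDs in it and the function name `ecr_pull_gaps` are constructed for illustration.

```python
import json

# Constructed sample of `aws ec2 describe-vpc-endpoints` output (all IDs are made up).
SAMPLE = json.loads("""
{"VpcEndpoints": [
  {"VpcEndpointId": "vpce-0aaa", "VpcId": "vpc-0123", "State": "available",
   "VpcEndpointType": "Interface", "PrivateDnsEnabled": true,
   "ServiceName": "com.amazonaws.us-east-1.ecr.api", "SubnetIds": ["subnet-0priv"]},
  {"VpcEndpointId": "vpce-0bbb", "VpcId": "vpc-0123", "State": "available",
   "VpcEndpointType": "Interface", "PrivateDnsEnabled": false,
   "ServiceName": "com.amazonaws.us-east-1.ecr.dkr", "SubnetIds": ["subnet-0priv"]},
  {"VpcEndpointId": "vpce-0ccc", "VpcId": "vpc-0123", "State": "available",
   "VpcEndpointType": "Gateway",
   "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": ["rtb-0public"]}
]}
""")


def ecr_pull_gaps(endpoints, region, vpc_id, route_table_id):
    """List reasons an instance using route_table_id cannot pull from ECR privately."""
    required = {
        f"com.amazonaws.{region}.ecr.api": "Interface",  # ECR API calls (auth token)
        f"com.amazonaws.{region}.ecr.dkr": "Interface",  # Docker registry API
        f"com.amazonaws.{region}.s3": "Gateway",         # image layers are stored in S3
    }
    gaps = []
    for service, kind in required.items():
        matches = [e for e in endpoints.get("VpcEndpoints", [])
                   if e.get("VpcId") == vpc_id and e.get("ServiceName") == service
                   and e.get("VpcEndpointType") == kind and e.get("State") == "available"]
        if not matches:
            gaps.append(f"{service}: no available {kind} endpoint in {vpc_id}")
        elif kind == "Interface" and not any(e.get("PrivateDnsEnabled") for e in matches):
            # Without private DNS the registry hostname still resolves to public IPs.
            gaps.append(f"{service}: private DNS disabled")
        elif kind == "Gateway" and not any(
                route_table_id in e.get("RouteTableIds", []) for e in matches):
            # A gateway endpoint only applies to route tables it is associated with.
            gaps.append(f"{service}: not associated with {route_table_id}")
    return gaps


if __name__ == "__main__":
    for gap in ecr_pull_gaps(SAMPLE, "us-east-1", "vpc-0123", "rtb-0private"):
        print(gap)
```

An empty result means all three endpoints are in place for that route table; any remaining pull timeout then points at security groups or endpoint policies, which this check does not cover.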
