Fargate错误:无法从专用子网拉出ECR中托管的容器 [英] Fargate error: cannot pull container hosted in ECR from a private subnet

问题描述

我正在尝试创建以下架构:具有两个子网的vpc(一个是包含NatGateway和InternetGateway的公共子网，另一个是私有的.

I am trying to create a following architecture: a vpc with two subnets (one is public containing a NatGateway and an InternetGateway, and another one is private.

我在专用子网中启动Fargate服务，但失败并出现以下错误:

I start a fargate service in a private subnet and it fails with this error:

CannotPullContainerError:API错误(500):获取 https://XYZ.dkr.ecr.us-east-1.amazonaws.com/v2/:net/http:等待连接时请求被取消(超出了Client.Timeout等待标题时

CannotPullContainerError: API error (500): Get https://XYZ.dkr.ecr.us-east-1.amazonaws.com/v2/: net/http: request cancelled while waiting for connection (Client.Timeout exceeded while awaiting headers)

这是我的CloudFormation模板(该服务被有意地注释掉了，并且ECR图像的URL被打乱了):

Here's my CloudFormation template (the service is intentionally commented out, and the ECR image url is scrambled):

Resources:
#Network resources: VPC 
  WorkflowVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.0.0.0/16"
      EnableDnsSupport: false
      Tags:
        - Key: Project
          Value: Workflow
#PublicSubnet
  WorkflowPublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: "10.0.0.0/24"
      VpcId: 
        Ref: WorkflowVpc
  WorkflowInternetGateway:
    Type: AWS::EC2::InternetGateway
  WorkflowVCPGatewayAttachment:
    DependsOn: 
      - WorkflowInternetGateway
      - WorkflowVpc
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId:
        Ref: WorkflowInternetGateway
      VpcId:
        Ref: WorkflowVpc
  WorkflowElasticIp:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  WorkflowPublicSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: 
        Ref: WorkflowVpc
  PublicSubnetToRouteTable:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: WorkflowPublicSubnetRouteTable
      SubnetId: 
        Ref: WorkflowPublicSubnet
  WorkflowInternetRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: WorkflowPublicSubnetRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: 
        Ref: WorkflowInternetGateway
  WorkflowNat:
    DependsOn: 
      - WorkflowVCPGatewayAttachment
      - WorkflowElasticIp
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: 
        Fn::GetAtt:
          - WorkflowElasticIp
          - AllocationId
      SubnetId:
        Ref: WorkflowPublicSubnet
#Private subnet          
  WorkflowPrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: "10.0.1.0/24"
      VpcId: 
        Ref: WorkflowVpc
  WorkflowPrivateSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: 
        Ref: WorkflowVpc
  PrivateSubnetToRouteTable:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: WorkflowPrivateSubnetRouteTable
      SubnetId: 
        Ref: WorkflowPrivateSubnet
  WorkflowNatRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: WorkflowPrivateSubnetRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: 
        Ref: WorkflowNat
#Fargate:
  WorkflowFargateTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      RequiresCompatibilities: 
        - "FARGATE"
      Cpu: "256"
      Memory: "0.5GB"
      ContainerDefinitions:
        - Name: WorkflowFargateContainer
          Image: "XYZ.dkr.ecr.us-east-1.amazonaws.com/workflow:latest"
      NetworkMode: awsvpc
      ExecutionRoleArn: "arn:aws:iam::XXX:role/ecsTaskExecutionRole"

  WorkflowCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: WorkflowServiceCluster

#  WorkflowService:
#    DependsOn: 
#      - WorkflowNatRoute
#    Type: AWS::ECS::Service
#    Properties:
#      Cluster: 
#        Ref: WorkflowCluster
#      DesiredCount: 1
#      TaskDefinition:
#        Ref: WorkflowFargateTask
#      NetworkConfiguration:
#        AwsvpcConfiguration: 
#          AssignPublicIp: DISABLED
#          Subnets: 
#            - Ref: WorkflowPrivateSubnet
#      LaunchType: FARGATE

我还尝试在公共子网中设置AssignPublicIp:ENABLED，它可以正常工作，但这不是我的目标.

I also tried to set AssignPublicIp: ENABLED within the public subnet, and it works just fine, but it is not what I'm aiming for.

所以，我的问题是:我的模板还可以，而且是Fargate/ECR的问题吗?

So, the questions that I have: is my template ok and is it the problem of Fargate/ECR?

此外，调试这种行为的最佳方法是什么?似乎CloudWatch没有有关此错误的日志...

Also, what would be the best way to debug such a behaviour? It seems that CloudWatch has no logs concerning this error...

推荐答案

遵循史蒂夫E 的提示已经发现存在Internet访问，唯一的问题是VPC的此参数:

Following Steve E's hints I've figured out that the internet access is present, the only problem is in this parameter for the VPC:

EnableDnsSupport:错误

EnableDnsSupport: false

自然，当我尝试更新linux软件包或ping google.com时，它无法解析主机名.将其切换为"true"即可解决问题.

Naturally, when I tried to update linux packages, or ping google.com, it couldn't resolve the host names. Switching it to "true" resolved the problem.

这篇关于Fargate错误:无法从专用子网拉出ECR中托管的容器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！