Fargate error: cannot pull container hosted in ECR from a private subnet


Problem description

I am trying to create a following architecture: a vpc with two subnets (one is public containing a NatGateway and an InternetGateway, and another one is private.

I start a Fargate service in a private subnet and it fails with this error:

CannotPullContainerError: API error (500): Get https://XYZ.dkr.ecr.us-east-1.amazonaws.com/v2/: net/http: request cancelled while waiting for connection (Client.Timeout exceeded while awaiting headers)

Here's my CloudFormation template (the service is intentionally commented out, and the ECR image URL is scrambled):

Resources:
#Network resources: VPC 
  WorkflowVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.0.0.0/16"
      EnableDnsSupport: false
      Tags:
        - Key: Project
          Value: Workflow
#PublicSubnet
  WorkflowPublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: "10.0.0.0/24"
      VpcId: 
        Ref: WorkflowVpc
  WorkflowInternetGateway:
    Type: AWS::EC2::InternetGateway
  WorkflowVCPGatewayAttachment:
    DependsOn: 
      - WorkflowInternetGateway
      - WorkflowVpc
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId:
        Ref: WorkflowInternetGateway
      VpcId:
        Ref: WorkflowVpc
  WorkflowElasticIp:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  WorkflowPublicSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: 
        Ref: WorkflowVpc
  PublicSubnetToRouteTable:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: WorkflowPublicSubnetRouteTable
      SubnetId: 
        Ref: WorkflowPublicSubnet
  WorkflowInternetRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: WorkflowPublicSubnetRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: 
        Ref: WorkflowInternetGateway
  WorkflowNat:
    DependsOn: 
      - WorkflowVCPGatewayAttachment
      - WorkflowElasticIp
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: 
        Fn::GetAtt:
          - WorkflowElasticIp
          - AllocationId
      SubnetId:
        Ref: WorkflowPublicSubnet
#Private subnet          
  WorkflowPrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: "10.0.1.0/24"
      VpcId: 
        Ref: WorkflowVpc
  WorkflowPrivateSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: 
        Ref: WorkflowVpc
  PrivateSubnetToRouteTable:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: WorkflowPrivateSubnetRouteTable
      SubnetId: 
        Ref: WorkflowPrivateSubnet
  WorkflowNatRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: WorkflowPrivateSubnetRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: 
        Ref: WorkflowNat
#Fargate:
  WorkflowFargateTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      RequiresCompatibilities: 
        - "FARGATE"
      Cpu: "256"
      Memory: "0.5GB"
      ContainerDefinitions:
        - Name: WorkflowFargateContainer
          Image: "XYZ.dkr.ecr.us-east-1.amazonaws.com/workflow:latest"
      NetworkMode: awsvpc
      ExecutionRoleArn: "arn:aws:iam::XXX:role/ecsTaskExecutionRole"

  WorkflowCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: WorkflowServiceCluster

#  WorkflowService:
#    DependsOn: 
#      - WorkflowNatRoute
#    Type: AWS::ECS::Service
#    Properties:
#      Cluster: 
#        Ref: WorkflowCluster
#      DesiredCount: 1
#      TaskDefinition:
#        Ref: WorkflowFargateTask
#      NetworkConfiguration:
#        AwsvpcConfiguration: 
#          AssignPublicIp: DISABLED
#          Subnets: 
#            - Ref: WorkflowPrivateSubnet
#      LaunchType: FARGATE

I also tried to set AssignPublicIp: ENABLED within the public subnet, and it works just fine, but it is not what I'm aiming for.

So, the questions that I have: is my template ok and is it the problem of Fargate/ECR?

Also, what would be the best way to debug such a behaviour? It seems that CloudWatch has no logs concerning this error...

Recommended answer

Following Steve E's hints, I've figured out that the internet access is present; the only problem is in this parameter for the VPC:

EnableDnsSupport: false

Naturally, when I tried to update linux packages, or ping google.com, it couldn't resolve the host names. Switching it to "true" resolved the problem.
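The answer above points at the root cause (DNS resolution disabled on the VPC), but the symptom, a pull that times out with no CloudWatch log, is the same one you get from a missing NAT route or an unattached internet gateway. The following is an added example, not code from the question or the answer: a small offline diagnosis of the three things that must hold for a Fargate task in a private subnet to reach ECR over a NAT gateway. It takes data in the shape returned by boto3's EC2 `describe_vpc_attribute`, `describe_route_tables` and `describe_nat_gateways` calls (the VPC attributes are merged into one dict, which is an assumption of this example, since the real call returns one attribute at a time). The sample inputs are constructed to mirror the asker's template: `EnableDnsSupport` off, private subnet routed through a NAT gateway that sits in the public subnet. All resource IDs are placeholders.

```python
"""Offline diagnosis of why a Fargate task in a private subnet cannot reach ECR.

Added example, not part of the original question or answer. Inputs follow the
shape of boto3 EC2 responses; the sample data at the bottom is constructed.
"""
from typing import Dict, List


def _default_route(route_table: Dict) -> Dict:
    """Return the 0.0.0.0/0 route of a route table, or {} if it has none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return {}


def route_table_for_subnet(route_tables: List[Dict], subnet_id: str) -> Dict:
    """Return the table explicitly associated with subnet_id, else the VPC main table ({} if none)."""
    main: Dict = {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def diagnose_private_subnet_egress(vpc_attrs: Dict, route_tables: List[Dict],
                                   nat_gateways: List[Dict], private_subnet_id: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    # 1. The VPC must resolve DNS names. With this off the ECR hostname never resolves,
    #    so the pull times out exactly as in the question even though the NAT path works.
    if not vpc_attrs.get("EnableDnsSupport", {}).get("Value", False):
        findings.append("VPC attribute EnableDnsSupport is false: tasks cannot resolve "
                        "*.dkr.ecr.*.amazonaws.com, set it to true")

    # 2. The private subnet needs a default route whose target is a NAT gateway.
    default = _default_route(route_table_for_subnet(route_tables, private_subnet_id))
    if not default:
        findings.append(f"subnet {private_subnet_id} has no 0.0.0.0/0 route")
        return findings
    nat_id = default.get("NatGatewayId")
    if not nat_id:
        findings.append(f"subnet {private_subnet_id} default route does not target a NAT gateway")
        return findings

    # 3. The NAT gateway must be available and live in a subnet whose default route is an IGW.
    nat = next((n for n in nat_gateways if n.get("NatGatewayId") == nat_id), None)
    if nat is None or nat.get("State") != "available":
        findings.append(f"NAT gateway {nat_id} is missing or not in state 'available'")
        return findings
    nat_default = _default_route(route_table_for_subnet(route_tables, nat["SubnetId"]))
    if not str(nat_default.get("GatewayId", "")).startswith("igw-"):
        findings.append(f"NAT gateway {nat_id} is in subnet {nat['SubnetId']}, which has no "
                        "default route via an internet gateway")
    return findings


# Constructed sample mirroring the asker's stack; every ID below is a placeholder.
SAMPLE_VPC_ATTRS = {"EnableDnsSupport": {"Value": False}}
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public-placeholder",
     "Associations": [{"SubnetId": "subnet-public-placeholder"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder"}]},
    {"RouteTableId": "rtb-private-placeholder",
     "Associations": [{"SubnetId": "subnet-private-placeholder"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-placeholder"}]},
]
SAMPLE_NAT_GATEWAYS = [{"NatGatewayId": "nat-placeholder",
                        "SubnetId": "subnet-public-placeholder", "State": "available"}]

if __name__ == "__main__":
    for finding in diagnose_private_subnet_egress(SAMPLE_VPC_ATTRS, SAMPLE_ROUTE_TABLES,
                                                  SAMPLE_NAT_GATEWAYS, "subnet-private-placeholder"):
        print("FINDING:", finding)
```

Run against the sample, the only finding is the disabled `EnableDnsSupport`; flip the value to `True` and the list comes back empty, which matches the fix in the answer. If the task should have no internet route at all, the alternative is to reach ECR through interface endpoints for `ecr.api` and `ecr.dkr` plus a gateway endpoint for S3; that path still depends on DNS support being enabled on the VPC, so check 1 applies either way.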
