ECS agent cannot successfully pull image from ECR
Problem description
I have an ECS managed EC2 instance running in a VPC (in one of the private subnets). When trying to run a task on this instance it doesn't seem to be able to pull the image. As far as I can make out from the documentation there is no special configuration needed for the ECS agent to pull the image from the repo.
Looking at the Docker logs I repeatedly see the following:
level=error msg="Download failed, retrying: dial tcp 54.231.17.81:443: i/o timeout"
The ecs-agent logs repeatedly show me that the image is not downloading:
Pulling image module="TaskEngine" image="REDACTED.dkr.ecr.us-east-1.amazonaws.com/REDACTED:latest" status="Retrying in 19 seconds"
It eventually tries to run the image, but obviously fails and exits, giving me the message below in the Cluster Tasks tab:
STOPPED (Essential container in task exited)
This error has been occurring with both the amzn-ami-2016.03.e and amzn-ami-2016.03.d AMIs.
Are there any specific configuration or networking rules that I need to apply to be able to pull from ECR?
Any help here would be greatly appreciated.
As a side note, the instance does have access to the internet (pinging google.com works fine), and when I try to pull an image from Docker Hub, it also works fine.
Recommended answer
To download an image from ECR, the container instance needs access to the ECR and S3 endpoints.
If your subnet is private, you have to either use the PrivateLink feature or use a NAT gateway to reach the ECR endpoints.
If you choose to use PrivateLink, this includes:
- Creating a VPC endpoint for Amazon ECR
- Creating an Amazon S3 gateway endpoint
If you choose to use a NAT gateway, route all traffic to the NAT gateway and whitelist the AWS IP ranges.
Reference link: https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html
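The answer lists what a private subnet needs, but does not show how to tell from the instance which of the three pieces (ECR API, ECR registry, S3 layer storage) is actually blocked. The following is an added diagnostic script, not part of the original answer: it opens a TCP connection on port 443 to each host the way the Docker daemon does and maps the failure mode back to the fix above (NAT gateway route or the matching VPC endpoint service). The region `us-east-1` and account ID `123456789012` are placeholders; the host names and `com.amazonaws.<region>.*` service names follow AWS naming. Note that the `dial tcp 54.231.17.81:443: i/o timeout` in the question is a connect timeout to an S3 address, so on this instance the S3 probe is the one expected to fail.

```python
"""Check which endpoints an ECR image pull needs and which ones are unreachable.

Added example, not code from the original question or answer. Region and
account ID are placeholders (assumptions); the probe is injectable so the
classification logic can be exercised without network access.
"""
import socket
from typing import Callable, Dict, List, Tuple


def required_endpoints(region: str, account_id: str) -> Dict[str, Tuple[str, str]]:
    """Return {label: (hostname, vpc_endpoint_service_name)} for an ECR pull.

    ecr.api : GetAuthorizationToken / BatchGetImage (ECS agent and docker login)
    ecr.dkr : the registry host the image name in the task definition points at
    s3      : image layers are served from S3, so a timeout to an S3 IP on 443
              (as in the question's Docker log) means S3 is unreachable, not ECR
    """
    return {
        "ecr.api": (f"api.ecr.{region}.amazonaws.com",
                    f"com.amazonaws.{region}.ecr.api"),
        "ecr.dkr": (f"{account_id}.dkr.ecr.{region}.amazonaws.com",
                    f"com.amazonaws.{region}.ecr.dkr"),
        "s3": (f"s3.{region}.amazonaws.com",
               f"com.amazonaws.{region}.s3"),
    }


def tcp_probe(host: str, port: int = 443, timeout: float = 3.0) -> str:
    """Connect like the Docker daemon would; return one of
    'ok', 'timeout', 'refused', 'unreachable', 'dns'."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns"
    addr = infos[0][4]
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(addr)
        except socket.timeout:          # same symptom as docker's "i/o timeout"
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError:                 # e.g. "Network is unreachable": no route at all
            return "unreachable"
    return "ok"


# Map each probe result to the remediation the answer above describes.
ADVICE = {
    "ok": "reachable",
    "timeout": ("no path to AWS: add a 0.0.0.0/0 route to a NAT gateway, or create "
                "the VPC endpoint {service}; also check security group / NACL egress on 443"),
    "unreachable": "no matching route in the subnet route table (NAT gateway route missing)",
    "dns": ("name does not resolve: enable DNS resolution/hostnames on the VPC and "
            "'private DNS' on the interface endpoint {service}"),
    "refused": "host reached but port closed: check the endpoint's security group",
}


def diagnose(region: str, account_id: str,
             probe: Callable[[str], str] = tcp_probe) -> List[Tuple[str, str, str]]:
    """Probe every required endpoint and return (label, status, advice) rows."""
    rows = []
    for label, (host, service) in required_endpoints(region, account_id).items():
        status = probe(host)
        rows.append((label, status, ADVICE[status].format(service=service)))
    return rows


if __name__ == "__main__":
    # Run this on the container instance itself (placeholders: region and account).
    for label, status, advice in diagnose("us-east-1", "123456789012"):
        print(f"{label:8} {status:12} {advice}")
```

Run it on the container instance, not from a workstation: the point is to see the subnet's own route table and security group behaviour. A `timeout` on `s3` with `ok` on the two ECR hosts is the classic sign that interface endpoints exist but the S3 gateway endpoint (or the NAT route) is missing.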