I'm getting this error when running a task on my Amazon Fargate cluster. Has anyone seen run into this before?
Go to the docs for an answer to this one.
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_cannot_pull_image.html
Since you are encountering a 500
error, I would heed the advice of the first error's description, "Connection timed out":
When a Fargate task is launched, its elastic network interface requires a route to the internet to pull container images. If you receive an error similar to the following when launching a task, it is because a route to the internet does not exist:
CannotPullContainerError: API error (500): Get https://111122223333.dkr.ecr.us-east-1.amazonaws.com/v2/: net/http: request canceled while waiting for connection
To resolve this issue, you can:
For tasks in public subnets, specify ENABLED for Auto-assign public IP when launching the task...
For tasks in private subnets, specify DISABLED for Auto-assign public IP when launching the task, and configure a NAT Gateway in your VPC to route requests to the internet...
If you encountering any other issues relating to ECS Tasks not starting or exhibiting weird behavior upon starting, then check the full list of ECS troubleshooting topics.
I was encountering a similar error (404
instead of 500
), however, the Task displayed that it was RUNNING even though the detailed status listed an error.
It turns out that the role associated with the task (same role as the EC2 Instance on which it was running, in this case) could not be assumed by ecs-tasks. Adding the following trust relationship statement to the role resolved the issue:
{
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
See the specific page on the Task Execution Roles for more details.
Public IP is not mandatory, the specification for creating a working NAT Gateway is lacking. At the GitHub issue Amazon technicians keep repeating you "just" need Private IP + NAT, however this is not true. I struggled with this myself a lot, but finally got it working properly without using a Public IP for my Fargate services.
To have Fargate services access internet without having a Public IP you need to set up a VPC which has 2 subnets:
You can create such a VPC in 2 ways: by going to Services
> VPC
> VPC Dashboard
, clicking on Launch VPC Wizard
and selecting "VPC with Public and Private Subnets"
; or manually:
NOTE: All of the following steps are performed in Services
> VPC
Your VPCs
and Create a VPC
Subnets
and Create subnet
2 times
private
subnet
public
subnet
Internet Gateways
and Create internet gateway
Internet Gateway
, Actions
, Attach to VPC
and attach it to the VPC in focusNAT Gateways
and Create NAT Gateway
public
subnetCreate New EIP
or use an existing one given that you have oneAvailable
Route Tables
and Create route table
2 times
private
route table
Routes
tab on the bottom, Edit routes
Add route
, destination: 0.0.0.0/0
, target the NAT Gateway created previously and Save routes
Actions
and Set Main Route Table
(if not already)public
route table
Routes
tab on the bottom, Edit routes
Add route
, destination: 0.0.0.0/0
, target the Internet Gateway created previously and Save routes
Subnet Associations
tab on the bottom, Edit subnet associations
public
subnet, Save
Every service you put in the public
subnet will have bidirectional internet access and every service you put in the private
subnet will have only outgoing internet access (yes, Fargate and EC2 services in the private
subnet without Public IPs will have internet access).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With