Getting a CannotPullContainerError container uri not found - Fargate Task Running in Public Subnet

0

Hello, I have a task defined for a Fargate cluster for an image located on the ECR, but for some reason it's not able to pull the container image from ECR... As this has been asked before, I referred to the following links to perform my troubleshooting:

From what I gather there are two key considerations:

  1. Role access to ECR from your task
  2. Internet access to public subnet

My task has the following definitions:

  • ecsTaskExecutionRole which has -> AmazonECSTaskExecutionRolePolicy -> which has the below actions assigned
    "Effect": "Allow",
    "Action": [
      "ecr:GetAuthorizationToken",
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "logs:CreateLogStream",
      "logs:PutLogEvents"
    ],
    "Resource": "*"
  • awsvpc networking mode
  • it has the correct image URI in the definition
  • it's using a public subnet which is mapped to an internet gateway
  • the ENI for the task is getting a public IP Address Assigned

Any other considerations I'm missing?

P.S. Attaching some images in case it's helpful.


asked 1 year ago, 291 views
2 Answers
0
Accepted Answer

I found the answer: the task definition was referencing 'LATEST' image tag instead of the version number. Going to look into having the image push to ECR with 'Latest' as the tag so I don't have to update the Task definition every time I update the container.

answered 1 year ago
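
A pre-deploy check for the mismatch described in the accepted answer, as an added example that is not part of the original thread: it compares each image reference in a task definition with the tags and digests actually present in the ECR repository, matching tags case-sensitively. The function name `check_task_images` is hypothetical, and the account ID, repository name, tags and digests are constructed sample data shaped like the output of `aws ecs describe-task-definition` and `aws ecr describe-images`.

```python
import re

# Private ECR reference: <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:tag][@sha256:<digest>]
ECR_REF = re.compile(
    r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/(?P<repo>[a-z0-9._/-]+?)"
    r"(?::(?P<tag>[A-Za-z0-9_.-]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

def check_task_images(task_def, image_details):
    """Return [(container_name, problem)] for image references the repository cannot resolve.

    task_def: the "taskDefinition" object from `aws ecs describe-task-definition`.
    image_details: the "imageDetails" list from `aws ecr describe-images`.
    """
    tags = {t for d in image_details for t in d.get("imageTags", [])}
    digests = {d["imageDigest"] for d in image_details}
    problems = []
    for c in task_def["containerDefinitions"]:
        m = ECR_REF.match(c["image"])
        if not m:
            problems.append((c["name"], "not a private ECR image URI"))
        elif m["digest"]:
            # Digest-pinned reference: the tag, if any, is ignored by the registry.
            if m["digest"] not in digests:
                problems.append((c["name"], "digest not in repository"))
        else:
            tag = m["tag"] or "latest"  # a reference without a tag resolves to "latest"
            if tag not in tags:
                # Tags are case-sensitive: 'LATEST' does not match 'latest'.
                near = sorted(t for t in tags if t.lower() == tag.lower())
                hint = f"did you mean {near[0]!r}?" if near else f"available: {sorted(tags)}"
                problems.append((c["name"], f"tag {tag!r} not found; {hint}"))
    return problems

# Constructed sample data (not taken from the thread).
REPO = "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app"
TASK_DEF = {"containerDefinitions": [
    {"name": "web", "image": REPO + ":LATEST"},
    {"name": "worker", "image": REPO + ":1.4.2"},
]}
IMAGE_DETAILS = [
    {"imageDigest": "sha256:" + "a" * 64, "imageTags": ["1.4.2"]},
    {"imageDigest": "sha256:" + "b" * 64, "imageTags": ["1.4.1"]},
]

if __name__ == "__main__":
    for name, problem in check_task_images(TASK_DEF, IMAGE_DETAILS):
        print(f"{name}: {problem}")
```

Running the same check in a deployment pipeline before registering a new task definition revision surfaces a missing or mis-cased tag before Fargate reports CannotPullContainerError.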
0

First, please review the following documents.
https://repost.aws/knowledge-center/ecs-pull-container-api-error-ecr
https://repost.aws/knowledge-center/ecs-fargate-pull-container-error

Other than the above, it has been my experience that increasing the memory capacity of the task definition has solved that error, so please try it.

EXPERT
answered 1 year ago
  • Riku, thank you for your comment. So I followed those items, and one thing that I was missing was the endpoints and correct security group being attached to the VPC. I also edited the security group to accept all inbound and outbound connections for all ports, types and protocols and destination 0.0.0.0/0... The image is only 256 mb, and the task def calls for 3 GB, but I increased to 4 GB since you mentioned memory.

    Still unable to pull the image, though I get a different error: Rather than reference the URI, it just says the image 'is not found'.

    Just for fun I tried running the task via Fargate v1.3 -> error there is basically the same.

    The image is in a private repo in my ECR, does that matter?
