ECS Fargate tasks not running. Stopping with error CannotPullContainerError
I am testing out the Unity Fargate serverless solution at github link https://github.com/aws-samples/fargate-game-servers . After going through all the steps - my client is not able to connect with the ECS Fargate tasks because the latter are not starting (not getting into RUNNING state). They get as far as PROVISIONING but then sputter - giving the CannotPullContainerError error. On top of that, I am a noob and cannot figure out where to find the complete error log entry, because it gets cut out. Nor do the cloudwatch logs show me the error. So I'm at a loss of how to troubleshoot.
Image attached in problem description video https://youtu.be/AKkPpEOQDGA
Thanks for the answers. However it will help me a lot if one could show me how to read the actual error log - which is getting cut off when I look at the task stopped details. Please see how the error is showing up - marked in red: https://imgur.com/a/vhdLQIO It's clipped and incomplete. How to read the complete log message so I can actual drill down on the actual error??
As for the image repository - the container image is present in the ECS repository with URI https://446446443139.dkr.ecr.us-east-1.amazonaws.com/fargate-game-servers:2022-02-16.113828
How do I check if the IAM role for ECS has permissions for pulling the image? Do I check for a particular entry in the IAM policies? My tasks are launched by specific lambda services. Should I check into the AWSServiceRoleForECS for the permissions or the role for the specific lambda service?
The VPC seems to be an internet gateway attached to NAT on route table attached to the VPC. Is there something specific I should look for?
It will be best if I can read the complete error log . Noob. Please help...
The important role here is the Task Execution Role, located in your Task Definition. This Role, which you must create, must have the ability to perform several ECR actions. You can either manually specify a policy document, or you can attach the managed policy
AmazonECSTaskExecutionRolePolicyto the Role, and this will allow Fargate to pull the container images for you.
CannotPullContainerError would occur if
- Your image does not exist in repository
- Your ECS IAM role does not have permissions to pull the image
- If the image comes from Dockerhub, it could be failing due to rate limiting.
Usually in the console you can see the description of the error that gives you the reason why the CannotPullContainerError exception occurred.
Another reason why Fargate may be unable to pull your container image is due to a networking issue. The subnet in which you place your tasks must have access to the Internet (unless you are building a VPC without Internet access, in which case you must set up VPC Endpoints for Amazon ECR).
First, your VPC must have an Internet Gateway attached.
If you are launching your tasks in a private subnet, make sure you've created a NAT Gateway, and make sure your subnet route table has a default route to the NAT Gateway.
If you are launching your tasks in a public subnet, make sure you have enabled public IP address assignments for your task ENIs (elastic network interfaces). See, for example, step 11 (Networking) in the Creating a Service documentation.
Why do deployments with CodeDeploy to ECS (fargate) without tasks succeed?asked 6 days ago
How to solve the ECS Error: You've reached the limit on the number of tasks you can run concurrently.asked 5 months ago
ECS Fargate service stops scaling at 100 tasks - why?asked a year ago
Overriding Hostname on ECS FargateAccepted Answerasked 3 months ago
NLB doesn't send traffic to new healthy Fargate tasksasked 5 months ago
ECS Fargate tasks not running. Stopping with error CannotPullContainerErrorasked 2 months ago
AWS Fargate Spot - Automated Draining for Spot SupportAccepted Answerasked 2 years ago
Delayed shutdown of ECS Fargate tasks?asked 4 months ago
Use AWS FARGATE_SPOT as fallbackAccepted Answerasked 2 years ago
AWS Fargate Increase Concurrent Running tasksasked 12 days ago