
ECS Fargate tasks not running. Stopping with error CannotPullContainerError


I am testing out the Unity Fargate serverless solution at GitHub link. After going through all the steps, my client is not able to connect with the ECS Fargate tasks because the latter are not starting (not getting into the RUNNING state). They get as far as PROVISIONING but then sputter, giving the CannotPullContainerError error. On top of that, I am a noob and cannot figure out where to find the complete error log entry, because it gets cut off. Nor do the CloudWatch logs show me the error. So I'm at a loss as to how to troubleshoot.

Image attached in problem description video

3 Answers

Thanks for the answers. However, it will help me a lot if one could show me how to read the actual error log, which is getting cut off when I look at the task stopped details. Please see how the error is showing up, marked in red: it's clipped and incomplete. How do I read the complete log message so I can actually drill down on the actual error?

As for the image repository - the container image is present in the ECS repository with URI


How do I check if the IAM role for ECS has permissions for pulling the image? Do I check for a particular entry in the IAM policies? My tasks are launched by specific lambda services. Should I check into the AWSServiceRoleForECS for the permissions or the role for the specific lambda service?

The VPC seems to be an internet gateway attached to NAT on route table attached to the VPC. Is there something specific I should look for?

It will be best if I can read the complete error log. Noob. Please help...

answered 2 months ago
  • The important role here is the Task Execution Role, located in your Task Definition. This Role, which you must create, must have the ability to perform several ECR actions. You can either manually specify a policy document, or you can attach the managed policy AmazonECSTaskExecutionRolePolicy to the Role, and this will allow Fargate to pull the container images for you.


CannotPullContainerError would occur if

  • Your image does not exist in repository
  • Your ECS IAM role does not have permissions to pull the image
  • If the image comes from Docker Hub, it could be failing due to rate limiting.

Usually in the console you can see the description of the error that gives you the reason why the CannotPullContainerError exception occurred.

answered 2 months ago
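
The Task Execution Role comment and the "IAM role does not have permissions" cause above both come down to two checks on the role named in the task definition: its permissions policies must allow the ECR pull actions, and its trust policy must let ecs-tasks.amazonaws.com assume it. The sketch below is an added example, not code from any of the answers; the function names and sample documents are constructed, and it assumes the role's policy documents have already been retrieved as JSON.

```python
import fnmatch

# ECR actions needed to pull a private image (the ECR part of AmazonECSTaskExecutionRolePolicy).
REQUIRED_ECR_ACTIONS = [
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
]
ECS_TASKS_PRINCIPAL = "ecs-tasks.amazonaws.com"

def _as_list(value):
    """IAM JSON lets Statement, Action and Service be a single value or a list."""
    return value if isinstance(value, list) else [value]

def missing_pull_actions(policy_documents):
    """Required ECR actions that no Allow statement grants.
    Simplified: Deny statements, Conditions and Resource scoping are not evaluated."""
    allowed = []
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") == "Allow" and "Action" in stmt:
                allowed += _as_list(stmt["Action"])
    # Action names are case-insensitive and may contain * and ? wildcards.
    return [a for a in REQUIRED_ECR_ACTIONS
            if not any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in allowed)]

def trusts_ecs_tasks(trust_policy):
    """True if the role's trust policy lets the ECS tasks service assume it."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and ECS_TASKS_PRINCIPAL in services
                and "sts:AssumeRole" in _as_list(stmt.get("Action", []))):
            return True
    return False

# Constructed sample documents, not taken from the asker's account.
PARTIAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken", "ecr:Batch*"], "Resource": "*"}]}
LAMBDA_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
ECS_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": ECS_TASKS_PRINCIPAL}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print("missing:", missing_pull_actions([PARTIAL_POLICY]))
    print("lambda-trusting role usable by Fargate:", trusts_ecs_tasks(LAMBDA_TRUST))
    print("ecs-tasks-trusting role usable by Fargate:", trusts_ecs_tasks(ECS_TRUST))
```

A role that passes both checks can still fail to pull if a Deny statement, a condition, or a Resource restriction applies, since the sketch does not evaluate those.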

Another reason why Fargate may be unable to pull your container image is due to a networking issue. The subnet in which you place your tasks must have access to the Internet (unless you are building a VPC without Internet access, in which case you must set up VPC Endpoints for Amazon ECR).

First, your VPC must have an Internet Gateway attached.

If you are launching your tasks in a private subnet, make sure you've created a NAT Gateway, and make sure your subnet route table has a default route to the NAT Gateway.

If you are launching your tasks in a public subnet, make sure you have enabled public IP address assignments for your task ENIs (elastic network interfaces). See, for example, step 11 (Networking) in the Creating a Service documentation.

answered 2 months ago
