CannotPullContainerError in the private network

0

Docker/Fargate containers are being pulled in the private network. It fails. Now I have the following error:

CannotPullContainerError: ref pull has been retried 5 time(s): failed to copy: httpReadSeeker: failed open: failed to do request: Get "https://prod-eu-west-1-starport-layer-bucket.s3.eu-west-1.amazonaws.com/x-x-x/x-x-c33888f3c2b2?X-Amz-Security-Token=XXXX...

The network is public with an internet gateway but without a public IP. The main idea is to close the service off from the outside world and allow only the ELB. I tried to add endpoints to the VPC; it moved on to another error. Now I am stuck.

Endpoints:

  • com.amazonaws.eu-west-1.ecr.dkr Interface
  • com.amazonaws.eu-west-1.ecr.api
  • com.amazonaws.eu-west-1.s3 Interface
  • com.amazonaws.eu-west-1.secretsmanager Interface
  • com.amazonaws.s3-global.accesspoint Interface
  • com.amazonaws.eu-west-1.s3-outposts Interface

Honestly, I understand the idea, but I do not know all the details. I have not found an article on how to configure Fargate in a private network.

Help me to clarify the current case. Should I just enable a public IP for Fargate? I do not like this because of a security reason that I see.

Regards, Victor.

Victor
Asked 1 year ago, viewed 1095 times
2 answers
1

Hi

The network is public with the internet gateway but without public IP

If you do not want to assign a public IP to Fargate, you should create another subnet (a private subnet) associated with a route table that has a default route to a NAT Gateway or NAT instance. Or you should create another subnet (a private subnet) with a VPC endpoint. Even though the subnet has a default route to the internet gateway, the instance used by Fargate cannot reach out to the internet without a public IP.

Maybe this article will help you: https://repost.aws/knowledge-center/ecs-fargate-pull-container-error

Expert
Answered 1 year ago
Expert
Reviewed 1 year ago
0

Hello,

From the above error, it is failing to connect to the "starport" S3 bucket, which is used by ECR to store your image layers. Since you are deploying your Fargate containers in a private subnet, ensure that you have an S3 gateway endpoint. If you already have an S3 gateway endpoint, ensure that you have a policy that allows access to the "starport" bucket.

Refer to: https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html#ecr-setting-up-s3-gateway and https://repost.aws/knowledge-center/ecs-ecr-docker-image-error for more information.

{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"]
    }
  ]
}

If any issues, please feel free to reach out.

AWS
Support Engineer
Answered 1 year ago
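Both answers above boil down to the same set of conditions for a pull to succeed from a subnet without public IPs; the following added check (example code, not from the thread or from AWS) encodes them over a constructed description of the questioner's subnet and of the same subnet after the fix. The route-target prefixes, the endpoint dictionaries and the sample policy are assumptions made for the example; the regional bucket pattern prod-<region>-starport-layer-bucket is the one in the error message and in the answer.

```python
import fnmatch

# Constructed sample, modelled on the question: default route to an internet gateway, tasks
# without public IPs, ECR Interface endpoints, but an S3 *Interface* endpoint. Not real data.
REGION = "eu-west-1"
BROKEN = {
    "assign_public_ip": False,
    "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0123456789abcdef0"},
    "endpoints": [
        {"service": f"com.amazonaws.{REGION}.ecr.dkr", "type": "Interface"},
        {"service": f"com.amazonaws.{REGION}.ecr.api", "type": "Interface"},
        {"service": f"com.amazonaws.{REGION}.s3", "type": "Interface"},
    ],
}
# The same subnet after swapping in an S3 Gateway endpoint with a layer-bucket-only policy.
LAYER_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                               "Resource": f"arn:aws:s3:::prod-{REGION}-starport-layer-bucket/*"}]}
FIXED = dict(BROKEN, endpoints=BROKEN["endpoints"][:2] +
             [{"service": f"com.amazonaws.{REGION}.s3", "type": "Gateway", "policy": LAYER_POLICY}])

def _as_list(v):
    return v if isinstance(v, list) else [v]

def policy_allows_layer_bucket(policy, region):
    """True if an endpoint policy allows s3:GetObject on the regional ECR layer bucket.
    None means no custom policy attached, i.e. the AWS default that allows full access."""
    if policy is None:
        return True
    probe = f"arn:aws:s3:::prod-{region}-starport-layer-bucket/some/layer/key"
    for st in policy.get("Statement", []):
        if (st.get("Effect") == "Allow"
                and any(fnmatch.fnmatchcase("s3:GetObject", a) for a in _as_list(st.get("Action", [])))
                and any(fnmatch.fnmatchcase(probe, r) for r in _as_list(st.get("Resource", [])))):
            return True
    return False

def diagnose(subnet, region):
    """Return the reasons an ECR pull from this subnet would fail; [] means it should work."""
    default = subnet["routes"].get("0.0.0.0/0", "")
    if default.startswith("nat-"):                                  # NAT path: no endpoints needed
        return []
    if default.startswith("igw-") and subnet["assign_public_ip"]:   # public path
        return []
    # Private path: ecr.api and ecr.dkr via Interface endpoints, layers via an S3 Gateway endpoint.
    by_service = {e["service"]: e for e in subnet["endpoints"]}
    problems = [f"missing Interface endpoint com.amazonaws.{region}.{svc}" for svc in ("ecr.api", "ecr.dkr")
                if by_service.get(f"com.amazonaws.{region}.{svc}", {}).get("type") != "Interface"]
    s3 = by_service.get(f"com.amazonaws.{region}.s3")
    if s3 is None or s3["type"] != "Gateway":
        problems.append("missing S3 Gateway endpoint for the ECR layer bucket")
    elif not policy_allows_layer_bucket(s3.get("policy"), region):
        problems.append("S3 endpoint policy does not allow s3:GetObject on the starport layer bucket")
    return problems
```

Running diagnose on the broken layout reports only the missing S3 Gateway endpoint, which matches the error in the question; on the fixed layout it reports nothing.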
