Score:0

I cannot start an AWS task: CannotPullContainerError

in flag

My own image public.ecr.aws/f6q1r4v8/amazonlinuxwithshell:latest fails to start on AWS (FARGATE) in a very weird way:

Last status Stopped

Stopped reason CannotPullContainerError: inspect image has been retried 5 time(s): failed to resolve ref "public.ecr.aws/f6q1r4v8/amazonlinuxwithshell:latest": failed to do request: Head https://public.ecr.aws/v2/f6q1r4v8/amazonlinuxwithshell/manifests/latest: dial t...

Note that awslogs remain empty (although with an earlier version of my image they were not empty).

What's wrong, how to make it work?

Michael Hampton avatar
cz flag
The message is cut off at the end. Please post the complete message.
in flag
@MichaelHampton No way, it is the only thing AWS shows me.
in flag
It does not work when there is no public instance IP... Why? That's a weird Amazon bug.
mreferre avatar
nl flag
@porton the infrastructure needs to go out to the public ECR endpoint to pull the image. This could only happen if your task is private and you have a way to route out to the Internet (e.g. NAT GW) or if your task has a public IP address that can route to the ECR endpoint.
in flag
@mreferre Amazon should temporarily assign a public IP to such a FARGATE task. Not doing so is a bug.
mreferre avatar
nl flag
I am not sure it's a "bug". It's a networking construct. You either enable it or you don't. Also there are customers that configure that networking construct prescriptively to avoid going out to the Internet, how could AWS possibly override it and temporarily (how long?) allow outbound communications?
in flag
@mreferre Certainly AWS should not enable networking communications for the container without an explicit user request. But why not enable them for the FARGATE engine itself _while the container is not running_?
mreferre avatar
nl flag
Because this would/could be seen as a policy/governance/security posture limitation for customers that do NOT want ANY internet connectivity in their own VPC. Think about customers that use AWS as an extension of their data center (via direct connect) and have very strict rules re what can go out and not.
mreferre avatar
nl flag
In a scenario like that a user would (potentially) be able to run a task that points to <put here the link of the most insecure and troublesome publicly available image out there>.
Zach avatar
ru flag
How did you trigger the ecs task? I'm curious why you were able to get 5 retry attempts. In my case, this error occurs randomly but I only got 1 retry attempt. If I could get 5 attempts, I probably won't see any failures. (btw, I'm using `boto3 run_task()` method)
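
The routing condition described in the comments above (a private task needs a route out such as a NAT gateway, a task in a public subnet needs a public IP), as an added example that is not part of the original thread. It runs offline on constructed data shaped like the EC2 `DescribeRouteTables` response and the `awsvpcConfiguration` passed to `run_task()`; the function names, subnet names and gateway IDs are hypothetical.

```python
# Added example: offline check of whether a Fargate task ENI can reach public.ecr.aws.
# Route tables follow the EC2 DescribeRouteTables response shape; all IDs are constructed.

def default_route_target(route_tables, subnet_id):
    """Return the target of the active 0.0.0.0/0 route that applies to subnet_id, or None."""
    def tables(pred):
        return [rt for rt in route_tables if any(pred(a) for a in rt.get("Associations", []))]
    explicit = tables(lambda a: a.get("SubnetId") == subnet_id)
    main = tables(lambda a: a.get("Main"))
    for rt in explicit or main:  # a subnet without an explicit association uses the main table
        for route in rt.get("Routes", []):
            if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
                return route.get("NatGatewayId") or route.get("GatewayId") or "other"
    return None

def can_pull_public_image(route_tables, awsvpc_config):
    """Map each subnet to (verdict, reason); verdict is True, False, or None (not evaluated)."""
    # Assumption: a missing assignPublicIp is treated as DISABLED.
    public_ip = awsvpc_config.get("assignPublicIp", "DISABLED") == "ENABLED"
    verdicts = {}
    for subnet in awsvpc_config["subnets"]:
        target = default_route_target(route_tables, subnet)
        if target is None:
            verdicts[subnet] = (False, "no default route out of the subnet")
        elif target.startswith("nat-"):
            verdicts[subnet] = (True, "private task, egress through NAT gateway")
        elif target.startswith("igw-"):
            reason = "public IP on the task" if public_ip else "internet gateway but no public IP"
            verdicts[subnet] = (public_ip, reason)
        else:
            verdicts[subnet] = (None, "default route via " + target + " not evaluated")
    return verdicts

# Constructed sample data.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
ROUTE_TABLES = [
    {"Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"Associations": [{"Main": False, "SubnetId": "subnet-public"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]},
    {"Associations": [{"Main": False, "SubnetId": "subnet-private"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}]},
]

if __name__ == "__main__":
    cfg = {"subnets": ["subnet-public", "subnet-private", "subnet-isolated"], "assignPublicIp": "DISABLED"}
    for subnet, (ok, why) in can_pull_public_image(ROUTE_TABLES, cfg).items():
        print(subnet, ok, why)
```

The check covers routing only: it does not verify that the NAT gateway itself sits in a subnet with an internet gateway route, nor that security groups and network ACLs allow outbound HTTPS.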