Join Log in
Score:0
avatar Server

I cannot start an AWS task: CannotPullContainerError

in flag
porton

My own image public.ecr.aws/f6q1r4v8/amazonlinuxwithshell:latest fails to start on AWS (FARGATE) in a very weird way:

Last status Stopped

Stopped reason CannotPullContainerError: inspect image has been retried 5 time(s): failed to resolve ref "public.ecr.aws/f6q1r4v8/amazonlinuxwithshell:latest": failed to do request: Head https://public.ecr.aws/v2/f6q1r4v8/amazonlinuxwithshell/manifests/latest: dial t...

Note that awslogs remain empty (despite with an earlier version of my image they were not empty).

What's wrong, how to make it work?

1495
0 + 9
bug
Michael Hampton avatar
cz flag
Michael Hampton
The message is cut off at the end. Please post the complete message.
0
Reply
in flag
porton
@MichaelHampton No way, it is the only what AWS shows me.
0
Reply
in flag
porton
It does not work when there is no public instance IP... Why? That's a weird Amazon's bug.
0
Reply
mreferre avatar
nl flag
mreferre
@porton the infrastructure needs to go out to the public ECR endpoint to pull the image. This could only happen if your task is private and you have a way to route out to the Internet (e.g. NAT GW) or if your task has a public IP address that can route to the ECR endpoint.
0
Reply
in flag
porton
@mreferre Amazon should temporarily assign a public IP to such a FARGATE task. Not doing so is a bug.
0
Reply
mreferre avatar
nl flag
mreferre
I am not sure it's a "bug". It's a networking construct. You either enable it or you don't. Also there are customers that configure that networking construct prescriptively to avoid going out to the Internet, how could AWS possibly override it and temporarily (how long?) allow outbound communications?
0
Reply
in flag
porton
@mreferre Certainly AWS should not enable networking communications for the container without an explicit user' request. But why not to enable them for the FARGATE engine itself _while the container is not running._?
0
Reply
mreferre avatar
nl flag
mreferre
Because this would/could be seen as a policy/governance/security posture limitations for customers that do NOT want ANY internet connectivity in their own VPC. Think about customers that use AWS as an extension of their data center (via direct connect) and have very strict rules re what can go out and not.
0
Reply
mreferre avatar
nl flag
mreferre
In a scenario like that a user would (potentially) be able to run a task that points to <put here the link of the most insecure and troublesome publicly available image out there>.
0
Reply
Zach avatar
ru flag
Zach
How did you trigger the ecs task? I'm curious why you were able to get 5 retry attempts. In my case, this error occurs randomly but I only got 1 retry attempt. If I could get 5 attempts, I probably won't see any failures. (btw, I'm using `boto3 run_task()` method)
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.