AWS Fargate private subnet, pulling from ECR
I have a Fargate task defined in a private subnet (no internet access). I defined endpoints (PrivateLinks) for the: s3 (gateway), ecr.api, ecr.dkr, ecr.logs (interfaces). I added egress on 443/TCP to the s3 gateway and ecr. I set
enable_dns_hostnames = true
enable_dns_support = true
in the vpc. I'm getting a weird error which I do not know how to troubleshoot:
CannotPullContainerError: ref pull has been retried 5 time(s): failed to copy: httpReaderSeeker: failed open: failed to do request: Get https://prod-eu-west-2-starport-layer-bucket.s3.eu-west-2.amazonaws.com/
Any ideas? I spent 7 hours today going through docs, no success... I'm using Fargate 1.40.
When you see that we are trying to get the pre-signed URL from S3: https://prod-eu-west-2-starport-layer-bucket...
it means that we have passed the permission problem and are encountering a networking issue when trying to get the ECR image artifact from AWS managed S3.
It is probably caused by one or some of the following issues:
Following this document and checking it line by line might help to debug the problem: https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html
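The line-by-line check this answer points to, as an added example that is not part of the original answer or of any AWS tool: it audits one task subnet against the endpoints the linked ECR guide lists for Fargate 1.4.0 (ecr.api, ecr.dkr, an S3 gateway endpoint, plus logs when the awslogs driver is used). The function names and all IDs are constructed; the dict keys follow the EC2 DescribeVpcEndpoints and DescribeRouteTables responses.

```python
# Inputs mirror `aws ec2 describe-vpc-endpoints` / `describe-route-tables`; all IDs are constructed.
def required_services(region, uses_awslogs=True):
    names = ["ecr.api", "ecr.dkr"] + (["logs"] if uses_awslogs else [])
    svc = {f"com.amazonaws.{region}.{n}": "Interface" for n in names}
    svc[f"com.amazonaws.{region}.s3"] = "Gateway"  # image layers are fetched from S3
    return svc

def subnet_route_table(subnet_id, route_tables):
    """Route table explicitly associated with the subnet, else the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt["RouteTableId"]
            if assoc.get("Main"):
                main = rt["RouteTableId"]
    return main

def audit(region, task_subnet, endpoints, route_tables, uses_awslogs=True):
    up = {e["ServiceName"]: e for e in endpoints if e.get("State", "").lower() == "available"}
    rt_id = subnet_route_table(task_subnet, route_tables)
    findings = []
    for name, kind in required_services(region, uses_awslogs).items():
        ep = up.get(name)
        if ep is None:
            findings.append(f"{name}: no available endpoint")
        elif ep.get("VpcEndpointType") != kind:
            findings.append(f"{name}: expected a {kind} endpoint")
        elif kind == "Interface" and not ep.get("PrivateDnsEnabled"):
            findings.append(f"{name}: private DNS is disabled")
        elif kind == "Gateway" and rt_id not in ep.get("RouteTableIds", []):
            findings.append(f"{name}: not in route table {rt_id} of {task_subnet}")
    return findings

def sample_endpoint(service, kind, **extra):
    return {"ServiceName": f"com.amazonaws.eu-west-2.{service}",
            "VpcEndpointType": kind, "State": "available", **extra}
SAMPLE_ENDPOINTS = [
    sample_endpoint("ecr.api", "Interface", PrivateDnsEnabled=True),
    sample_endpoint("ecr.dkr", "Interface", PrivateDnsEnabled=True),
    sample_endpoint("logs", "Interface", PrivateDnsEnabled=True),
    sample_endpoint("s3", "Gateway", RouteTableIds=["rtb-0aaa"]),  # main table only
]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-0aaa", "Associations": [{"Main": True}]},
    {"RouteTableId": "rtb-0bbb", "Associations": [{"SubnetId": "subnet-0priv"}]},
]
if __name__ == "__main__":
    print(audit("eu-west-2", "subnet-0priv", SAMPLE_ENDPOINTS, SAMPLE_ROUTE_TABLES))
```

Security group rules (egress to the S3 prefix list, inbound 443 on the interface endpoints) and endpoint policies are outside this check and need their own review.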
The "CannotPullContainerError" seems to indicate that ECS is not able to get the container from ECR or dockerhub or wherever you're trying to pull the container from.
If your ECS TaskDefinition is pointing to a container in ECR, then ECS will try to pull it from there. And it can only pull it from ECR if the TaskDefinition has a TaskExecutionRole which has privileges to pull your container from ECR.
Can you confirm that your ECS TaskDefinition has an ECS TaskExecutionRole which has proper ecr privs?