简体繁体 English

AWS Fargate 私有 su.net，从 ECR 中提取

[英]AWS Fargate private subnet, pulling from ECR

原文 2021-03-09 17:16:11 4 2 amazon-web-services/ amazon-s3

I've Fargate task defined in the private su.net (no inte.net access).我在私有 su.net 中定义了 Fargate 任务（没有 inte.net 访问权限）。 I defined endpoints (PrivateLinks) for the: s3 (gateway), ecr.api, ecr.dkr, ecr.logs (interfaces).我为 s3（网关）、ecr.api、ecr.dkr、ecr.logs（接口）定义了端点 (PrivateLinks)。 I added egress on 443/TCP to the s3 gateway and ecr.我将 443/TCP 上的出口添加到 s3 网关和 ecr。 I set enable_dns_hostnames = true enable_dns_support = true in the vpc.我在 vpc 中设置enable_dns_hostnames = true enable_dns_support = true 。 I'm getting weird error which I do not know how to troubleshoot: CannotPullContainerError: ref pull has been retried 5 time(s): failed to copy: httpReaderSeeker: failed open: failed to do request: Get https://prod-eu-west-2-starport-layer-bucket.s3.eu-west-2.amazonaws.com/我收到奇怪的错误，我不知道如何解决： CannotPullContainerError: ref pull has been retried 5 time(s): failed to copy: httpReaderSeeker: failed open: failed to do request: Get https://prod-eu-west-2-starport-layer-bucket.s3.eu-west-2.amazonaws.com/

Any ideas?有任何想法吗？ I spent today 7 hours going through docs, no success... I'm using Fargate 1.40.我今天花了 7 个小时浏览文档，但没有成功……我使用的是 Fargate 1.40。

2 个解决方案

When you see that we are trying to get the pre-signed URL from S3: https://prod-eu-west-2-starport-layer-bucket... .当您看到我们正在尝试从 S3 获取预签名的 URL 时： https://prod-eu-west-2-starport-layer-bucket... It means that we had passed the permission problem and is encountering networking issue when trying to get the ECR image artifact from AWS managed S3.这意味着我们已经通过了权限问题，并且在尝试从 AWS 托管的 S3 获取 ECR 图像工件时遇到networking issue 。

It is probably caused by one or some of the following issues:这可能是由以下一个或某些问题引起的：

VPC-Endpoints (PrivateLink) setting VPC-Endpoints (PrivateLink) 设置
Security Groups inbound rules安全组入站规则
VPC su.net Network-ACL restriction VPC su.net Network-ACL限制

Follow this document and check line by line might help to debug the problem: https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html按照此文档逐行检查可能有助于调试问题： https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html

the "CannotPullContainerError" seems to indicate that ECS is not able to get the container from ECR or dockerhub or wherever you're trying to pull the container from. “CannotPullContainerError”似乎表明 ECS 无法从 ECR 或 dockerhub 或您尝试从中提取容器的任何地方获取容器。

If your ECS TaskDefinition is pointing to a container in ECR, then ECS will try to pull it from there.如果您的 ECS TaskDefinition 指向 ECR 中的容器，则 ECS 将尝试从那里拉取它。 And it can only pull it from ECR if the TaskDefinition has a TaskExecutionRole which have privileges of pulling your container from ECR.如果 TaskDefinition 有一个 TaskExecutionRole，它有权从 ECR 中提取您的容器，它只能从 ECR 中提取它。

Can you confirm that your ECS TaskDefinition has an ECS TaskExecutionRole which has proper ecr privs?你能确认你的 ECS TaskDefinition 有一个 ECS TaskExecutionRole 有适当的 ecr privs 吗？