【Title】: Fargate error: cannot pull container hosted in ECR from a private subnet
【Posted】: 2019-06-08 00:21:27
【Question】:

I'm trying to create the following architecture: a VPC with two subnets, one public (containing a NAT gateway and an Internet gateway) and the other private.

I'm launching a Fargate service in the private subnet, but it fails with the following error:

CannotPullContainerError: API error (500): Get https://XYZ.dkr.ecr.us-east-1.amazonaws.com/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

Here is my CloudFormation template (the service is commented out on purpose, and the ECR image URL is scrambled):

Resources:
#Network resources: VPC 
  WorkflowVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.0.0.0/16"
      EnableDnsSupport: false
      Tags:
        - Key: Project
          Value: Workflow
#PublicSubnet
  WorkflowPublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: "10.0.0.0/24"
      VpcId: 
        Ref: WorkflowVpc
  WorkflowInternetGateway:
    Type: AWS::EC2::InternetGateway
  WorkflowVCPGatewayAttachment:
    DependsOn: 
      - WorkflowInternetGateway
      - WorkflowVpc
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId:
        Ref: WorkflowInternetGateway
      VpcId:
        Ref: WorkflowVpc
  WorkflowElasticIp:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  WorkflowPublicSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: 
        Ref: WorkflowVpc
  PublicSubnetToRouteTable:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: WorkflowPublicSubnetRouteTable
      SubnetId: 
        Ref: WorkflowPublicSubnet
  WorkflowInternetRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: WorkflowPublicSubnetRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: 
        Ref: WorkflowInternetGateway
  WorkflowNat:
    DependsOn: 
      - WorkflowVCPGatewayAttachment
      - WorkflowElasticIp
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: 
        Fn::GetAtt:
          - WorkflowElasticIp
          - AllocationId
      SubnetId:
        Ref: WorkflowPublicSubnet
#Private subnet          
  WorkflowPrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: "10.0.1.0/24"
      VpcId: 
        Ref: WorkflowVpc
  WorkflowPrivateSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: 
        Ref: WorkflowVpc
  PrivateSubnetToRouteTable:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: WorkflowPrivateSubnetRouteTable
      SubnetId: 
        Ref: WorkflowPrivateSubnet
  WorkflowNatRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: WorkflowPrivateSubnetRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: 
        Ref: WorkflowNat
#Fargate:
  WorkflowFargateTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      RequiresCompatibilities: 
        - "FARGATE"
      Cpu: "256"
      Memory: "0.5GB"
      ContainerDefinitions:
        - Name: WorkflowFargateContainer
          Image: "XYZ.dkr.ecr.us-east-1.amazonaws.com/workflow:latest"
      NetworkMode: awsvpc
      ExecutionRoleArn: "arn:aws:iam::XXX:role/ecsTaskExecutionRole"

  WorkflowCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: WorkflowServiceCluster

#  WorkflowService:
#    DependsOn: 
#      - WorkflowNatRoute
#    Type: AWS::ECS::Service
#    Properties:
#      Cluster: 
#        Ref: WorkflowCluster
#      DesiredCount: 1
#      TaskDefinition:
#        Ref: WorkflowFargateTask
#      NetworkConfiguration:
#        AwsvpcConfiguration: 
#          AssignPublicIp: DISABLED
#          Subnets: 
#            - Ref: WorkflowPrivateSubnet
#      LaunchType: FARGATE

I also tried setting AssignPublicIp: ENABLED in the public subnet, and it works fine, but that is not my goal.

So, my question is: is my template OK, and is this a Fargate/ECR problem?

Also, what is the best way to debug this behaviour? CloudWatch doesn't seem to have any logs about this error...

【Comments】:

  • The template looks reasonable. Add an EC2 instance to the private subnet and see whether it can connect to the Internet.
  • Thanks, Steve. I thought about that, but since it is not reachable from the Internet I can't ssh into the instance. Any idea how to test whether it can reach the Internet?
  • Update: I used the bastion technique to connect to my private EC2 instance. yum update -y times out on host resolution, so I can't reach the Internet. Going to try to debug it now! Thanks a lot, @SteveE.!!!
  • I built a VPC with your stack, with EC2 instances in both subnets, and had no problem connecting to the Internet from either. However, the NAT does take a minute to become available. That could be causing your FARGATE task to fail. I'd suggest having two CF stacks, one for the network and one for ECS. Make sure the NAT is available first.

Tags: amazon-ecs aws-fargate aws-vpc


【Solution 1】:

Following Steve E's hint, I found that Internet access was available, and the only problem was this parameter of the VPC:

EnableDnsSupport: false

Of course, when I tried to update Linux packages or ping google.com, it couldn't resolve the hostname. Switching it to "true" solved the problem.

【Discussion】:
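The same misconfiguration can be caught before deployment. The checker below is an added example (not code from the original post): it walks a template's Resources mapping and reports the DNS setting above plus the routing conditions a private-subnet task needs to reach ECR (a 0.0.0.0/0 route via a NAT gateway that itself sits in a subnet routed to an Internet gateway). SAMPLE is constructed to mirror the template in the question; check_fargate_network, _ref, R and ref are names chosen here.

```python
"""Static checks for a VPC/ECS CloudFormation template (added example, not from the
original post); operates on the parsed Resources mapping, no AWS API calls."""
def _ref(value):  # logical id behind a {"Ref": ...} mapping, else None
    return value.get("Ref") if isinstance(value, dict) else None
R = lambda t, **p: {"Type": t, "Properties": p}   # compact resource constructor
ref = lambda name: {"Ref": name}
SAMPLE = {  # constructed to mirror the question's template, reduced to the fields read below
    "WorkflowVpc": R("AWS::EC2::VPC", CidrBlock="10.0.0.0/16", EnableDnsSupport=False),
    "WorkflowPublicSubnet": R("AWS::EC2::Subnet", CidrBlock="10.0.0.0/24", VpcId=ref("WorkflowVpc")),
    "WorkflowPrivateSubnet": R("AWS::EC2::Subnet", CidrBlock="10.0.1.0/24", VpcId=ref("WorkflowVpc")),
    "WorkflowInternetGateway": R("AWS::EC2::InternetGateway"),
    "WorkflowPublicSubnetRouteTable": R("AWS::EC2::RouteTable", VpcId=ref("WorkflowVpc")),
    "PublicSubnetToRouteTable": R("AWS::EC2::SubnetRouteTableAssociation", RouteTableId=ref("WorkflowPublicSubnetRouteTable"), SubnetId=ref("WorkflowPublicSubnet")),
    "WorkflowInternetRoute": R("AWS::EC2::Route", RouteTableId=ref("WorkflowPublicSubnetRouteTable"), DestinationCidrBlock="0.0.0.0/0", GatewayId=ref("WorkflowInternetGateway")),
    "WorkflowNat": R("AWS::EC2::NatGateway", SubnetId=ref("WorkflowPublicSubnet")),
    "WorkflowPrivateSubnetRouteTable": R("AWS::EC2::RouteTable", VpcId=ref("WorkflowVpc")),
    "PrivateSubnetToRouteTable": R("AWS::EC2::SubnetRouteTableAssociation", RouteTableId=ref("WorkflowPrivateSubnetRouteTable"), SubnetId=ref("WorkflowPrivateSubnet")),
    "WorkflowNatRoute": R("AWS::EC2::Route", RouteTableId=ref("WorkflowPrivateSubnetRouteTable"), DestinationCidrBlock="0.0.0.0/0", NatGatewayId=ref("WorkflowNat")),
}

def check_fargate_network(resources):
    """Return findings that would stop a private-subnet Fargate task from pulling from ECR."""
    findings = []
    by_type = lambda t: {k: v for k, v in resources.items() if v["Type"] == t}
    # 1. DNS resolution must be on, or the *.dkr.ecr.* hostname never resolves (the poster's bug).
    for name, vpc in by_type("AWS::EC2::VPC").items():
        if vpc["Properties"].get("EnableDnsSupport") is False:
            findings.append(f"{name}: EnableDnsSupport is false, ECR hostname cannot resolve")
    # 2. Subnet -> route table, and route table -> (kind, target) of its 0.0.0.0/0 route.
    subnet_rt = {_ref(a["Properties"]["SubnetId"]): _ref(a["Properties"]["RouteTableId"])
                 for a in by_type("AWS::EC2::SubnetRouteTableAssociation").values()}
    default = {}
    for route in by_type("AWS::EC2::Route").values():
        p = route["Properties"]
        if p.get("DestinationCidrBlock") == "0.0.0.0/0":
            kind = "igw" if "GatewayId" in p else "nat"
            default[_ref(p["RouteTableId"])] = (kind, _ref(p.get("GatewayId") or p.get("NatGatewayId")))
    nat_subnet = {n: _ref(r["Properties"]["SubnetId"]) for n, r in by_type("AWS::EC2::NatGateway").items()}
    # 3. Every subnet needs a default route; a NAT route only helps if the NAT gateway's own subnet routes to an IGW.
    for subnet in by_type("AWS::EC2::Subnet"):
        kind, target = default.get(subnet_rt.get(subnet), ("none", None))
        if kind == "none":
            findings.append(f"{subnet}: no 0.0.0.0/0 route, no path to ECR")
        elif kind == "nat":
            nat_kind, _ = default.get(subnet_rt.get(nat_subnet.get(target)), ("none", None))
            if nat_kind != "igw":
                findings.append(f"{subnet}: NAT gateway {target} has no Internet gateway route")
    return findings

if __name__ == "__main__":
    print("\n".join(check_fargate_network(SAMPLE)) or "no findings")
```

Against the question's template the only finding is the EnableDnsSupport one; flipping it to true yields an empty list, while removing WorkflowNatRoute is reported as the private subnet having no default route.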
