When deploying Task in ECS Cluster with a public repo Docker Hub, the task always Stopped with this error in the Task Container:
Stopped reason
Cannotpullcontainererror:
pull image manifest has been retried 5 time(s):
failed to resolve ref docker.io/username/repo:
failed to do request:
Head "https://registry-1.docker.io/v2/username/repo/manifests/latest":
dial tcp 44.205.64.79:443: i/o timeout
This is my Task Definition:
{
"taskDefinitionArn": "arn:aws:ecs:ap-southeast-1:...:task-definition/taskname_task:6",
"containerDefinitions": [
{
"name": "containername_container",
"image": "username/repo",
"cpu": 0,
"links": [],
"portMappings": [
{
"name": "containername_container-8888-tcp",
"containerPort": 8888,
"hostPort": 8888,
"protocol": "tcp",
"appProtocol": "http"
}
],
"essential": true,
"entryPoint": [],
"command": [],
"environment": [],
"environmentFiles": [],
"mountPoints": [],
"volumesFrom": [],
"secrets": [],
"dnsServers": [],
"dnsSearchDomains": [],
"extraHosts": [],
"dockerSecurityOptions": [],
"dockerLabels": {},
"ulimits": [],
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-create-group": "true",
"awslogs-group": "/ecs/taskname_task",
"awslogs-region": "ap-southeast-1",
"awslogs-stream-prefix": "ecs"
},
"secretOptions": []
},
"systemControls": []
}
],
"family": "taskname_task",
"taskRoleArn": "arn:aws:iam::...:role/ecsTaskExecutionRole",
"executionRoleArn": "arn:aws:iam::...:role/ecsTaskExecutionRole",
"networkMode": "awsvpc",
"revision": 6,
"volumes": [],
"status": "ACTIVE",
"requiresAttributes": [
{
"name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
},
{
"name": "ecs.capability.execution-role-awslogs"
},
{
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
},
{
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.17"
},
{
"name": "com.amazonaws.ecs.capability.task-iam-role"
},
{
"name": "ecs.capability.extensible-ephemeral-storage"
},
{
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
},
{
"name": "ecs.capability.task-eni"
},
{
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.29"
}
],
"placementConstraints": [],
"compatibilities": [
"EC2",
"FARGATE"
],
"requiresCompatibilities": [
"FARGATE"
],
"cpu": "1024",
"memory": "2048",
"ephemeralStorage": {
"sizeInGiB": 21
},
"runtimePlatform": {
"cpuArchitecture": "X86_64",
"operatingSystemFamily": "LINUX"
},
"registeredAt": "...",
"registeredBy": "arn:aws:iam::...:root",
"tags": [
{
"key": "ecs:taskDefinition:createdFrom",
"value": "ecs-console-v2"
},
{
"key": "ecs:taskDefinition:stackId",
"value": "arn:aws:cloudformation:ap-southeast-1:...:stack/ECS-Console-V2-TaskDefinition-.../..."
}
]
}
I’m new to ECS and AWS also. I have try the request https://registry-1.docker.io/v2/username/repo/manifests/latest
in the error of Task Container above and received this:
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"username/repo","Action":"pull"}]}]}
Is it about the request docker.io configured? I have done a lot of research but not figure anything out.
2
Answers
After lots of tries, I have solved the problem by changing App environment from FARGATE to EC2 and the Network mode from awsvpc to bridge. Although this is not what my beginning intention to use FARGATE but it's solved the problem as well.
And I still don't know what, why, and how the problem has been caused and solved. Help me know.
This is my Task Definition in EC2:
You can use
Dockerhub
image from withinAmazon ECS Tasks
The format of
Dockerhub
image would be[registry-url]/[namespace]/[image]:[tag]
, you do not needregistry-url
forDockerhub
as the docker client assumesDockerhub
if one is not specifiedAlternatively
Docker
official images should be present on ECR public in addition to Dockerhub so you can reference the ECR public repositories instead from within the ECS TasksNow Fargate uses the awsvpc network mode so essentially there are two options to run the task in
Fargate
:Auto assign Public IP
must be enabled and we need to ensure that public subnet route table hasInternet Gateway
for internet connectivity to be able to pull the container image from public docker repositoryAuto assign Public IP
must be disabled and we need to ensure that private subnet route table has an associatedNAT Gateway
allowing the task inside private subnet to pull the container image from public docker repository