
When deploying a task in an ECS cluster with an image from a public Docker Hub repository, the task always stops with this error in the task container:

Stopped reason
CannotPullContainerError:
    pull image manifest has been retried 5 time(s): 
        failed to resolve ref docker.io/username/repo: 
            failed to do request: 
                Head "https://registry-1.docker.io/v2/username/repo/manifests/latest": 
                    dial tcp 44.205.64.79:443: i/o timeout

This is my Task Definition:

{
    "taskDefinitionArn": "arn:aws:ecs:ap-southeast-1:...:task-definition/taskname_task:6",
    "containerDefinitions": [
        {
            "name": "containername_container",
            "image": "username/repo",
            "cpu": 0,
            "links": [],
            "portMappings": [
                {
                    "name": "containername_container-8888-tcp",
                    "containerPort": 8888,
                    "hostPort": 8888,
                    "protocol": "tcp",
                    "appProtocol": "http"
                }
            ],
            "essential": true,
            "entryPoint": [],
            "command": [],
            "environment": [],
            "environmentFiles": [],
            "mountPoints": [],
            "volumesFrom": [],
            "secrets": [],
            "dnsServers": [],
            "dnsSearchDomains": [],
            "extraHosts": [],
            "dockerSecurityOptions": [],
            "dockerLabels": {},
            "ulimits": [],
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-create-group": "true",
                    "awslogs-group": "/ecs/taskname_task",
                    "awslogs-region": "ap-southeast-1",
                    "awslogs-stream-prefix": "ecs"
                },
                "secretOptions": []
            },
            "systemControls": []
        }
    ],
    "family": "taskname_task",
    "taskRoleArn": "arn:aws:iam::...:role/ecsTaskExecutionRole",
    "executionRoleArn": "arn:aws:iam::...:role/ecsTaskExecutionRole",
    "networkMode": "awsvpc",
    "revision": 6,
    "volumes": [],
    "status": "ACTIVE",
    "requiresAttributes": [
        {
            "name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
        },
        {
            "name": "ecs.capability.execution-role-awslogs"
        },
        {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
        },
        {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.17"
        },
        {
            "name": "com.amazonaws.ecs.capability.task-iam-role"
        },
        {
            "name": "ecs.capability.extensible-ephemeral-storage"
        },
        {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
        },
        {
            "name": "ecs.capability.task-eni"
        },
        {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.29"
        }
    ],
    "placementConstraints": [],
    "compatibilities": [
        "EC2",
        "FARGATE"
    ],
    "requiresCompatibilities": [
        "FARGATE"
    ],
    "cpu": "1024",
    "memory": "2048",
    "ephemeralStorage": {
        "sizeInGiB": 21
    },
    "runtimePlatform": {
        "cpuArchitecture": "X86_64",
        "operatingSystemFamily": "LINUX"
    },
    "registeredAt": "...",
    "registeredBy": "arn:aws:iam::...:root",
    "tags": [
        {
            "key": "ecs:taskDefinition:createdFrom",
            "value": "ecs-console-v2"
        },
        {
            "key": "ecs:taskDefinition:stackId",
            "value": "arn:aws:cloudformation:ap-southeast-1:...:stack/ECS-Console-V2-TaskDefinition-.../..."
        }
    ]
}

I’m new to both ECS and AWS. I tried requesting https://registry-1.docker.io/v2/username/repo/manifests/latest (the URL from the task container error above) myself and received this:

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"username/repo","Action":"pull"}]}]}

Is this related to how the request to docker.io is configured? I have done a lot of research but have not figured anything out.

2

Answers


  1. Chosen as BEST ANSWER

    After many attempts, I solved the problem by changing the app environment from FARGATE to EC2 and the network mode from awsvpc to bridge. My original intention was to use FARGATE, so this is not what I wanted, but it did solve the problem.

    I still don't know what caused the problem or why this change solved it. Any explanation would be appreciated.

    This is my Task Definition in EC2:

    {
        "taskDefinitionArn": "arn:aws:ecs:ap-southeast-1:...:task-definition/taskname_task:16",
        "containerDefinitions": [
            {
                "name": "containername_container",
                "image": "username/repo",
                "cpu": 0,
                "links": [
                    "aws-otel-collector"
                ],
                "portMappings": [
                    {
                        "name": "containername_container-8888-tcp",
                        "containerPort": 8888,
                        "hostPort": 8888,
                        "protocol": "tcp",
                        "appProtocol": "http"
                    }
                ],
                "essential": true,
                "entryPoint": [],
                "command": [],
                "environment": [],
                "environmentFiles": [],
                "mountPoints": [],
                "volumesFrom": [],
                "secrets": [],
                "dnsServers": [],
                "dnsSearchDomains": [],
                "extraHosts": [],
                "dockerSecurityOptions": [],
                "dockerLabels": {},
                "ulimits": [],
                "logConfiguration": {
                    "logDriver": "awslogs",
                    "options": {
                        "awslogs-create-group": "true",
                        "awslogs-group": "/ecs/taskname_task",
                        "awslogs-region": "ap-southeast-1",
                        "awslogs-stream-prefix": "ecs"
                    },
                    "secretOptions": []
                },
                "systemControls": []
            }
        ],
        "family": "taskname_task",
        "executionRoleArn": "arn:aws:iam::...:role/ecsTaskExecutionRole",
        "networkMode": "bridge",
        "revision": 16,
        "volumes": [],
        "status": "ACTIVE",
        "requiresAttributes": [
            {
                "name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
            },
            {
                "name": "ecs.capability.execution-role-awslogs"
            },
            {
                "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
            },
            {
                "name": "com.amazonaws.ecs.capability.docker-remote-api.1.17"
            },
            {
                "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
            },
            {
                "name": "com.amazonaws.ecs.capability.docker-remote-api.1.29"
            }
        ],
        "placementConstraints": [],
        "compatibilities": [
            "EC2"
        ],
        "requiresCompatibilities": [
            "EC2"
        ],
        "cpu": "1024",
        "memory": "922",
        "runtimePlatform": {
            "cpuArchitecture": "X86_64",
            "operatingSystemFamily": "LINUX"
        },
        "registeredAt": "...",
        "registeredBy": "arn:aws:iam::...:root",
        "tags": [
            {
                "key": "ecs:taskDefinition:createdFrom",
                "value": "ecs-console-v2"
            },
            {
                "key": "ecs:taskDefinition:stackId",
                "value": "arn:aws:cloudformation:ap-southeast-1:...:stack/ECS-Console-V2-TaskDefinition-.../..."
            }
        ]
    }
    

  2. You can use a Docker Hub image from within Amazon ECS tasks.
    The format of a Docker Hub image reference is [registry-url]/[namespace]/[image]:[tag]. You do not need the registry-url for Docker Hub, because the Docker client assumes Docker Hub if none is specified.
    Alternatively, Docker official images should be present on ECR Public in addition to Docker Hub, so you can reference the ECR Public repositories from within the ECS tasks instead.
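    Fargate uses the awsvpc network mode, so each task gets its own network interface and needs its own route to the internet. The `dial tcp ...:443: i/o timeout` in the question means the task could not reach the registry at all, which is a network routing problem rather than an authentication one. There are essentially two options for running the task in Fargate: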

    • If the task runs inside a public subnet, then Auto-assign Public IP must be enabled, and the public subnet's route table must have a route to an Internet Gateway so that the task has the internet connectivity needed to pull the container image from the public Docker repository.
    • If the task runs inside a private subnet, then Auto-assign Public IP must be disabled, and the private subnet's route table must have a route to a NAT Gateway so that the task inside the private subnet can pull the container image from the public Docker repository.
    In both cases, the security group attached to the task must allow outbound HTTPS (port 443) so that the pull can reach the registry.