我已经设置了一个AWS VPC,并试图在ECS其中部署一个功能容器Fargate launch type,但任务总是失败:
STOPPED (CannotPullContainerError: Error response from daem)
任务角色上下文:
ecsTaskExecutionRole
具有以下 IAM 权限:
repo 权限如下:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPull",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::aws_account_id:role/ecsTaskExecutionRole"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:ListImages"
]
}
]
}
为了安全起见,实际 ID 将被替换为aws_account_id
我已经关注本指南故障排除中指出:
您可能由于以下问题之一而收到此错误:
您的启动类型无权访问 Amazon ECR 终端节点
您的 Amazon ECR 存储库策略限制对存储库映像的访问
我相信它允许
pull access使用角色 - 请参阅上面的 repo 权限。您的 AWS Identity and Access Management (IAM) 角色没有正确的权限来拉取或推送映像
我相信它确实具有必要的权限——请参阅上面的任务角色上下文。
找不到该图片
图像位于 ECR 中,且权限如上所述
您的 Amazon Virtual Private Cloud (Amazon VPC) 网关终端节点策略拒绝 Amazon Simple Storage Service (Amazon S3) 访问
我相信是这样。IAM 权限是按照上述方法设置的
S3 read access,此外,没有制定明确的端点策略,根据文档,默认表示完全访问。
要提取图像,Amazon ECS 必须与 Amazon ECR 终端节点通信。
VPC中定义的路由表:
与所有 VPC 子网相关联。因此,VPC 及其中运行的任何内容都应该能够看到互联网 - 用于该任务的安全策略当前允许所有端口(在解决 ECR 问题时临时允许)。
我遗漏了什么以至于我仍然收到此错误?
这可以使用 EC2 实例- 如果我创建一个使用 EC2 实例的任务,且其他所有条件相同(如适用),但以下情况除外
EC2: Network Mode = Bridge
Fargate: Network Mode = awsvpc
容器配置并运行 - 容器中运行的 Web 应用程序正常运行。但在 Fargate 中,网络模式必须是 awsvpc
Fargate only supports network mode ‘awsvpc’.
我认为问题就在这里,但不知道如何补救。
任务定义是:
{
"ipcMode": null,
"executionRoleArn": "arn:aws:iam::aws_account_id:role/ecsTaskExecutionRole",
"containerDefinitions": [
{
"dnsSearchDomains": null,
"logConfiguration": {
"logDriver": "awslogs",
"secretOptions": null,
"options": {
"awslogs-group": "/ecs/deploy-test-web",
"awslogs-region": "us-west-2",
"awslogs-stream-prefix": "ecs"
}
},
"entryPoint": [],
"portMappings": [
{
"hostPort": 8080,
"protocol": "tcp",
"containerPort": 8080
}
],
"command": null,
"linuxParameters": null,
"cpu": 1,
"environment": [],
"resourceRequirements": null,
"ulimits": null,
"dnsServers": null,
"mountPoints": [],
"workingDirectory": null,
"secrets": null,
"dockerSecurityOptions": null,
"memory": null,
"memoryReservation": null,
"volumesFrom": [],
"stopTimeout": null,
"image": "csrepo/test-web-v4.0.6",
"startTimeout": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": null,
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": null,
"systemControls": null,
"privileged": null,
"name": "test-web-six"
}
],
"placementConstraints": [],
"memory": "2048",
"taskRoleArn": "arn:aws:iam::aws_account_id:role/ecsTaskExecutionRole",
"compatibilities": [
"EC2",
"FARGATE"
],
"taskDefinitionArn": "arn:aws:ecs:us-west-2:aws_account_id:task-definition/deploy-test-web3:4",
"family": "deploy-test-web3",
"requiresAttributes": [
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.execution-role-awslogs"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.private-registry-authentication.secretsmanager"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.task-iam-role"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.task-eni"
}
],
"pidMode": null,
"requiresCompatibilities": [
"FARGATE"
],
"networkMode": "awsvpc",
"cpu": "1024",
"revision": 4,
"status": "ACTIVE",
"inferenceAccelerators": null,
"proxyConfiguration": null,
"volumes": []
}
答案1
我通过删除并再次创建 ECR 存储库解决了这个问题
答案2
尝试添加此 AWS 托管策略:AmazonEC2ContainerServiceforEC2Role