Roy*_*ley 9 permissions amazon-vpc amazon-ecr aws-fargate
I have set up an AWS VPC and am trying to deploy a working container to ECS using the Fargate launch type, but the task always fails with:

```
STOPPED (CannotPullContainerError: Error response from daem)
```
Task role context: `ecsTaskExecutionRole`, which has the following IAM permissions:

The repository permissions are as follows:
```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::aws_account_id:role/ecsTaskExecutionRole"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages"
      ]
    }
  ]
}
```
For security, the real id has been replaced with `aws_account_id`.

I followed this troubleshooting guide, which states:

> You may receive this error because of one of the following issues:
>
> - Your launch type does not have access to the Amazon ECR endpoint
> - Your Amazon ECR repository policy restricts access to the repository images

I believe it does allow pull access for the role being used - see the repository permissions above.

> - Your AWS Identity and Access Management (IAM) role does not have the correct permissions to pull or push images

I believe it does have the necessary permissions - see the task role context above.

> - The image cannot be found

The image is in ECR, and the permissions are shown above.

> - Your Amazon Virtual Private Cloud (Amazon VPC) gateway endpoint policy denies Amazon Simple Storage Service (Amazon S3) access

I believe this is fine. The IAM permissions grant S3 read access as set up above; in addition, no explicit endpoint policy has been defined, which according to the docs means full access by default.

> To pull an image, Amazon ECS must communicate with the Amazon ECR endpoint.

The route table defined in the VPC:

is associated with all of the VPC's subnets. So the VPC, and anything running in it, should be able to see the internet - the security policy used for the task currently allows all ports (temporarily, to rule out the ECR issue).

What am I missing, such that I still get this error?
This works on EC2 instances - if I create a task that uses EC2 instances, with everything else the same (where applicable) except:

```
EC2: Network Mode = Bridge
Fargate: Network Mode = awsvpc
```

the container configures and runs - the web app running in the container works normally. But in Fargate the network mode must be awsvpc:

```
Fargate only supports network mode ‘awsvpc’.
```

I assume this is where the problem lies, but don't know how to remedy it.

The task definition is:
```json
{
  "ipcMode": null,
  "executionRoleArn": "arn:aws:iam::aws_account_id:role/ecsTaskExecutionRole",
  "containerDefinitions": [
    {
      "dnsSearchDomains": null,
      "logConfiguration": {
        "logDriver": "awslogs",
        "secretOptions": null,
        "options": {
          "awslogs-group": "/ecs/deploy-test-web",
          "awslogs-region": "us-west-2",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "entryPoint": [],
      "portMappings": [
        {
          "hostPort": 8080,
          "protocol": "tcp",
          "containerPort": 8080
        }
      ],
      "command": null,
      "linuxParameters": null,
      "cpu": 1,
      "environment": [],
      "resourceRequirements": null,
      "ulimits": null,
      "dnsServers": null,
      "mountPoints": [],
      "workingDirectory": null,
      "secrets": null,
      "dockerSecurityOptions": null,
      "memory": null,
      "memoryReservation": null,
      "volumesFrom": [],
      "stopTimeout": null,
      "image": "csrepo/test-web-v4.0.6",
      "startTimeout": null,
      "dependsOn": null,
      "disableNetworking": null,
      "interactive": null,
      "healthCheck": null,
      "essential": true,
      "links": null,
      "hostname": null,
      "extraHosts": null,
      "pseudoTerminal": null,
      "user": null,
      "readonlyRootFilesystem": null,
      "dockerLabels": null,
      "systemControls": null,
      "privileged": null,
      "name": "test-web-six"
    }
  ],
  "placementConstraints": [],
  "memory": "2048",
  "taskRoleArn": "arn:aws:iam::aws_account_id:role/ecsTaskExecutionRole",
  "compatibilities": [
    "EC2",
    "FARGATE"
  ],
  "taskDefinitionArn": "arn:aws:ecs:us-west-2:aws_account_id:task-definition/deploy-test-web3:4",
  "family": "deploy-test-web3",
  "requiresAttributes": [
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "ecs.capability.execution-role-awslogs"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "ecs.capability.private-registry-authentication.secretsmanager"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.task-iam-role"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "ecs.capability.task-eni"
    }
  ],
  "pidMode": null,
  "requiresCompatibilities": [
    "FARGATE"
  ],
  "networkMode": "awsvpc",
  "cpu": "1024",
  "revision": 4,
  "status": "ACTIVE",
  "inferenceAccelerators": null,
  "proxyConfiguration": null,
  "volumes": []
}
```
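The troubleshooting list quoted in the question can be turned into a set of offline checks. The script below is an added example, not code from the question or from AWS: it takes plain dicts shaped like the relevant fields of an ECS task definition, an `awsvpcConfiguration` block, an EC2 route table and a list of VPC endpoint service names, and reports which of the listed conditions fail. It goes one step beyond the list by encoding the AWS-documented reachability rule for `awsvpc` tasks (a task ENI reaches the internet gateway only with a public IP, otherwise it needs a NAT gateway route or `ecr.api`, `ecr.dkr` and `s3` endpoints), and it adds a least-privilege check for a task role that reuses the execution role. The sample values are constructed from the question; `igw-0constructed` and the 12-digit account number in the ECR URI check are placeholders, not real resources.

```python
"""Offline checks for an ECS task that stops with CannotPullContainerError.

Added example, not part of the original question. All inputs are plain
dicts, so it runs without AWS credentials; the sample values at the bottom
are constructed from the question, not real resources.
"""
import re

# An ECR image reference has the form
# <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:tag]
ECR_HOST = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/")

# Repository-level actions a pull needs. ecr:GetAuthorizationToken is a
# registry-level action and comes from the execution role's IAM policy,
# not from the repository policy.
PULL_ACTIONS = {"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                "ecr:BatchCheckLayerAvailability"}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def repo_policy_allows_pull(policy, role_arn):
    """True if one Allow statement names role_arn and grants every pull action."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        principals = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS"))
        actions = set(_as_list(st.get("Action")))
        if (role_arn in principals or "*" in principals) and (
                PULL_ACTIONS <= actions or actions & {"ecr:*", "*"}):
            return True
    return False


def has_path_to_ecr(network_mode, assign_public_ip, routes, endpoint_services):
    """Can the task's network interface reach the ECR API and the S3 layer store?

    routes: list of {"DestinationCidrBlock": ..., "GatewayId"/"NatGatewayId": ...}
    endpoint_services: names such as "com.amazonaws.us-west-2.ecr.dkr"
    """
    default = [r for r in routes if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
    via_igw = any(r.get("GatewayId", "").startswith("igw-") for r in default)
    via_nat = any(r.get("NatGatewayId") for r in default)
    private = all(any(s.endswith(sfx) for s in endpoint_services)
                  for sfx in (".ecr.api", ".ecr.dkr", ".s3"))
    if network_mode == "awsvpc":
        # A Fargate task ENI only uses an internet gateway route when it has
        # a public IP; otherwise it needs a NAT gateway or VPC endpoints.
        return (via_igw and assign_public_ip == "ENABLED") or via_nat or private
    # bridge/host mode: the EC2 instance's own interface is used (its public
    # IP is assumed present when the route goes through an internet gateway)
    return via_igw or via_nat or private


def diagnose(task_def, awsvpc_cfg, routes, endpoint_services, repo_policy):
    """Return a list of finding codes; an empty list means every check passed."""
    findings = []
    exec_role = task_def.get("executionRoleArn")
    if not repo_policy_allows_pull(repo_policy, exec_role):
        findings.append("REPO_POLICY_DENIES_EXECUTION_ROLE")
    if not has_path_to_ecr(task_def.get("networkMode"),
                           awsvpc_cfg.get("assignPublicIp", "DISABLED"),
                           routes, endpoint_services):
        findings.append("NO_NETWORK_PATH_TO_ECR")
    for c in task_def.get("containerDefinitions", []):
        if not ECR_HOST.match(c.get("image", "")):
            findings.append("IMAGE_NOT_AN_ECR_URI:" + c.get("image", ""))
    # Least privilege: the task role is what the application code assumes at
    # runtime; reusing the execution role hands the app ECR pull and log
    # write rights it does not need.
    if task_def.get("taskRoleArn") == exec_role:
        findings.append("TASK_ROLE_SAME_AS_EXECUTION_ROLE")
    return findings


# Constructed sample input mirroring the question.
ROLE = "arn:aws:iam::aws_account_id:role/ecsTaskExecutionRole"
SAMPLE_POLICY = {"Version": "2008-10-17", "Statement": [{
    "Sid": "AllowPull", "Effect": "Allow", "Principal": {"AWS": ROLE},
    "Action": ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
               "ecr:GetDownloadUrlForLayer", "ecr:ListImages"]}]}
SAMPLE_TASK = {"executionRoleArn": ROLE, "taskRoleArn": ROLE,
               "networkMode": "awsvpc",
               "containerDefinitions": [{"image": "csrepo/test-web-v4.0.6"}]}
SAMPLE_ROUTES = [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                 {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0constructed"}]

if __name__ == "__main__":
    for cfg in ({"assignPublicIp": "DISABLED"}, {"assignPublicIp": "ENABLED"}):
        print(cfg, diagnose(SAMPLE_TASK, cfg, SAMPLE_ROUTES, [], SAMPLE_POLICY))
```

Running it with the question's values flags no repository-policy problem, but it does flag the network path when `assignPublicIp` is `DISABLED`, the image reference not being an ECR URI, and the shared task/execution role; with `assignPublicIp` set to `ENABLED` the network finding disappears. The `has_path_to_ecr` rule is also the reason the same image pulls fine in bridge mode on EC2: there the instance's interface, not a task ENI, carries the traffic.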
Views: 5742