Bootstrap FreeKB - Amazon Web Services (AWS) Elastic Container Service (ECS) - Resolve CannotPullContainerError
Amazon Web Services (AWS) Elastic Container Service (ECS) - Resolve CannotPullContainerError
Updated:   |  Amazon Web Services (AWS) Elastic Container Service (ECS) articles

Let's say something like this is being returned when attempting to deploy a container from an Elastic Container Service (ECS) Task or Service.

CannotPullContainerError: pull image manifest has been retried 5 time(s): failed to resolve ref docker.io/library/nginx:latest: failed to do request: Head "https://registry-1.docker.io/v2/library/nginx/manifests/latest": dial tcp 44.205.64.79:443: i/o timeout

 

The aws ec2 describe-security-groups command can be used to ensure that:

  • all outbound requests are allowed
  • inbound requests are allowed on HTTPS port 443

Something like this should be returned.

~]# aws ec2 describe-security-groups
{
    "SecurityGroups": [
        {
            "Description": "ECS security group",
            "IpPermissions": [
                {
                    "FromPort": 443,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0",
                            "Description": "Allow incoming (ingress) requests on port 443"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "ToPort": 443,
                    "UserIdGroupPairs": []
                }
            ],
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "UserIdGroupPairs": [],
                    "PrefixListIds": []
                }
            ],

 

The aws ecs describe-task-definition command can then be used to show the JSON of a Task Definition, using the Amazon Resource Number (ARN) of the Task Definition from the prior command, including the Docker image. By default, images in the Docker Hub registry can be used. For example, since nginx:latest is in the Docker Hub Registry at https://hub.docker.com/_/nginx, the image should be able to be pulled by just referencing the image name and tag (e.g. nginx:latest).

~]$ aws ecs describe-task-definition --task-definition arn:aws:ecs:us-east-1:123456789012:task-definition/nginx:1
{
    "taskDefinition": {
        "taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/nginx-task-definition:1",
        "containerDefinitions": [
            {
                "name": "nginx",
                "image": "nginx:latest",
. . .

 

The aws ecs describe-services command can be used to see if the service has a public IP assigned (enabled or disabled). If disabled, you may want to test with enabled.

]$ aws ecs describe-services --cluster arn:aws:ecs:us-east-1:123456789012:cluster/my-ecs-cluster --service arn:aws:ecs:us-east-1:123456789012:service/my-ecs-cluster/nginx-service
{
    "services": [
        {
            "serviceArn": "arn:aws:ecs:us-east-1:123456789012:service/my-ecs-cluster/nginx-service",
            "serviceName": "nginx-service",
            "deployments": [
                {
                    "networkConfiguration": {
                        "awsvpcConfiguration": {
                            "assignPublicIp": "ENABLED"

...

 

Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee


Comments


Add a Comment


Please enter 60d640 in the box below so that we can be sure you are a human.