Let's say something like this is being returned when attempting to deploy a container from an Elastic Container Service (ECS) Task or Service.
CannotPullContainerError: pull image manifest has been retried 5 time(s): failed to resolve ref docker.io/library/nginx:latest: failed to do request: Head "https://registry-1.docker.io/v2/library/nginx/manifests/latest": dial tcp 44.205.64.79:443: i/o timeout
The aws ec2 describe-security-groups command can be used to ensure that:
- all outbound requests are allowed
- inbound requests are allowed on HTTPS port 443
Something like this should be returned.
~]# aws ec2 describe-security-groups
{
"SecurityGroups": [
{
"Description": "ECS security group",
"IpPermissions": [
{
"FromPort": 443,
"IpProtocol": "tcp",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0",
"Description": "Allow incoming (ingress) requests on port 443"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"ToPort": 443,
"UserIdGroupPairs": []
}
],
"IpPermissionsEgress": [
{
"IpProtocol": "-1",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"UserIdGroupPairs": [],
"PrefixListIds": []
}
],
The aws ecs describe-task-definition command can then be used to show the JSON of a Task Definition, using the Amazon Resource Number (ARN) of the Task Definition from the prior command, including the Docker image. By default, images in the Docker Hub registry can be used. For example, since nginx:latest is in the Docker Hub Registry at https://hub.docker.com/_/nginx, the image should be able to be pulled by just referencing the image name and tag (e.g. nginx:latest).
~]$ aws ecs describe-task-definition --task-definition arn:aws:ecs:us-east-1:123456789012:task-definition/nginx:1
{
"taskDefinition": {
"taskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/nginx-task-definition:1",
"containerDefinitions": [
{
"name": "nginx",
"image": "nginx:latest",
. . .
The aws ecs describe-services command can be used to see if the service has a public IP assigned (enabled or disabled). If disabled, you may want to test with enabled.
]$ aws ecs describe-services --cluster arn:aws:ecs:us-east-1:123456789012:cluster/my-ecs-cluster --service arn:aws:ecs:us-east-1:123456789012:service/my-ecs-cluster/nginx-service
{
"services": [
{
"serviceArn": "arn:aws:ecs:us-east-1:123456789012:service/my-ecs-cluster/nginx-service",
"serviceName": "nginx-service",
"deployments": [
{
"networkConfiguration": {
"awsvpcConfiguration": {
"assignPublicIp": "ENABLED"
...
Did you find this article helpful?
If so, consider buying me a coffee over at