patternMinor
Configure VPC for ECR access
Viewed 0 times
ecrvpcforaccessconfigure
Problem
I am creating my infrastructure with Ansible. I create a VPC and an ECS cluster where I use Fargate to run my docker containers.
When the tasks are started I am prompted that the task was not able to pull the Image from the ECR.
I know for a fact that the URI to the image and the IAM permissions are correct. Also I don't think the issue is in the AMI or docker image, because when I create the same scenario over the AWS UI, it works fine.
Therefore, I assume my VPC is not configured correctly in a way that it can not connect to the ECR.
This is how I create my VPC and Subnet:
How can I ensure my VPC and subnet is configured correctly so that the docker daemon can connect and pull the image from the ECR repo?
Am I missing an important attribute?
When the tasks are started I am prompted that the task was not able to pull the Image from the ECR.
STOPPED (CannotPullContainerError: Error response from daem)I know for a fact that the URI to the image and the IAM permissions are correct. Also I don't think the issue is in the AMI or docker image, because when I create the same scenario over the AWS UI, it works fine.
Therefore, I assume my VPC is not configured correctly in a way that it can not connect to the ECR.
This is how I create my VPC and Subnet:
- name: "2) Create VPC"
ec2_vpc_net:
name: "{{vpc_name}}"
state: present
cidr_block: 10.10.0.0/16
region: "{{ region_name }}"
register: vpc_net
- name: "3) Create VPC Subnet"
ec2_vpc_subnet:
state: present
map_public: yes
vpc_id: "{{vpc_net.vpc.id}}"
cidr: 10.10.0.0/24
tags:
name: "test-subnet"
register: vpc_subnetHow can I ensure my VPC and subnet is configured correctly so that the docker daemon can connect and pull the image from the ECR repo?
Am I missing an important attribute?
Solution
This error
Make sure you have networking configured in such a way to have an access to Internet https://stackoverflow.com/questions/48226547/aws-fargate-cannotpullcontainererror-500
Manually you can confirm everything with such steps
to your VPC.
subnet)
-
Create a route for that
$ aws ec2 create-route --route-table-id "rtb-037148d7b5967a231" --destination-cidr-block "0.0.0.0/0" --nat-gateway-id "nat-0c137ae8a2b409088"
You can also use internet gateway instead of NAT but the main idea is the same - to create connectivity from service to registry.
If you have that in place and verified you can easily rewrite that to ansible tasks.
Update
To start an ECS task you want to use
To pull image from repository and start it you can use these tasks
but in case of Fargate the above is not needed as everything is handled by task definition
CannotPullContainerError usually occurs when you have no access to the Internet from ECS and thus it doesn't able to pull an image from registry.Make sure you have networking configured in such a way to have an access to Internet https://stackoverflow.com/questions/48226547/aws-fargate-cannotpullcontainererror-500
Manually you can confirm everything with such steps
- Find route table. Check whether it belongs
to your VPC.
- Find proper NAT (you need NAT Gateway ID) (IMPORTANT: NAT should be launched in PUBLIC
subnet)
-
Create a route for that
$ aws ec2 create-route --route-table-id "rtb-037148d7b5967a231" --destination-cidr-block "0.0.0.0/0" --nat-gateway-id "nat-0c137ae8a2b409088"
You can also use internet gateway instead of NAT but the main idea is the same - to create connectivity from service to registry.
If you have that in place and verified you can easily rewrite that to ansible tasks.
Update
To start an ECS task you want to use
ecs_task module https://docs.ansible.com/ansible/latest/modules/ecs_task_module.htmlTo pull image from repository and start it you can use these tasks
- name: docker login
shell: "$(aws ecr get-login --no-include-email --region {{ default_region }})"
args:
executable: "/bin/bash"
- name: pull latest app image
docker_image:
name: "{{ ecr_repository }}/myapp:{{ image_tag }}"
force: yes
- name: run application with docker compose
docker_service: # module is called docker_service before Ansible 2.8
project_name: "myapp"
project_src: "{{ app_dir }}" # path to a directory containing a docker-compose.yml
pull: yes
recreate: always # run scheduler from a clean state
remove_orphans: yes # remove containers for services not defined in the compose file
state: present # specifying present is the same as running docker-compose up
restarted: yes # use with state present to restart all containers
register: outputbut in case of Fargate the above is not needed as everything is handled by task definition
Code Snippets
- name: docker login
shell: "$(aws ecr get-login --no-include-email --region {{ default_region }})"
args:
executable: "/bin/bash"
- name: pull latest app image
docker_image:
name: "{{ ecr_repository }}/myapp:{{ image_tag }}"
force: yes
- name: run application with docker compose
docker_service: # module is called docker_service before Ansible 2.8
project_name: "myapp"
project_src: "{{ app_dir }}" # path to a directory containing a docker-compose.yml
pull: yes
recreate: always # run scheduler from a clean state
remove_orphans: yes # remove containers for services not defined in the compose file
state: present # specifying present is the same as running docker-compose up
restarted: yes # use with state present to restart all containers
register: outputContext
StackExchange DevOps Q#10440, answer score: 4
Revisions (0)
No revisions yet.