Amazon Web Services CloudFormation script: task set cannot pull image from ECR
In my current setup I use CloudFormation to set up the environment. All steps configured so far seem to work, except the task set. I use an image from an AWS ECR repo to launch a Fargate instance, which is placed into a new cluster together with a service. When I create the stack, all steps succeed, but the creation of the service stays in CREATE_IN_PROGRESS forever. When I look at the created service, and more specifically at the task, I see that CloudFormation cannot pull the image. The error is as follows: STOPPED (CannotPullContainerError: Error response from daem) Now, when I manually try to create an instance on said cluster with the same image, it works fine. Through googling I found some solutions. I have implemented all of them, such as:
- Creating a network with a security group that allows outgoing traffic to all destinations
- Setting the AssignPublicIp flag to "ENABLED" in the awsvpc configuration
- Setting the user execution role to the role I used in the manual creation
"MyVPC": {
  "Type": "AWS::EC2::VPC",
  "Properties": {
    "CidrBlock": "10.0.1.0/16",
    "Tags": [
      { "Key": "Name", "Value": "MyVPC" }
    ]
  }
},
"MyInternetGateway": {
  "Type": "AWS::EC2::InternetGateway",
  "Properties": {}
},
"MySubPublic": {
  "Type": "AWS::EC2::Subnet",
  "Properties": {
    "AvailabilityZone": "eu-central-1a",
    "CidrBlock": "10.0.1.0/28",
    "MapPublicIpOnLaunch": true,
    "VpcId": { "Ref": "MyVPC" }
  },
  "DependsOn": "MyInternetGateway"
},
"MySecGroup": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "My security group for all incoming and outgoing.",
    "GroupName": "MySecGroup",
    "SecurityGroupEgress": [
      {
        "CidrIp": "0.0.0.0/0",
        "Description": "Allow machine to reach internet.",
        "FromPort": -1,
        "IpProtocol": -1,
        "ToPort": -1
      }
    ],
    "SecurityGroupIngress": [
      {
        "CidrIp": "0.0.0.0/0",
        "Description": "Allow machine to be reached from the entire internet.",
        "FromPort": -1,
        "IpProtocol": -1,
        "ToPort": -1
      }
    ],
    "VpcId": { "Ref": "MyVPC" }
  },
  "DependsOn": "MyVPC"
},
"MyCluster": {
  "Type": "AWS::ECS::Cluster",
  "Properties": {
    "ClusterName": "MyCluster"
  },
  "DependsOn": [ "MyVPC" ]
},
"MyDockerTask": {
  "Type": "AWS::ECS::TaskDefinition",
  "Properties": {
    "ContainerDefinitions": [
      {
        "Cpu": 512,
        "Image": "<NRHERE>.dkr.ecr.eu-central-1.amazonaws.com/mysqs",
        "Memory": 1024,
        "MemoryReservation": 1024,
        "Name": "MyContainer"
      }
    ],
    "Cpu": "512",
    "ExecutionRoleArn": "arn:aws:iam::<NRHERE>:role/ecsTaskExecutionRole",
    "Family": "MyFam",
    "Memory": "1024",
    "NetworkMode": "awsvpc",
    "RequiresCompatibilities": [ "FARGATE", "EC2" ],
    "TaskRoleArn": "arn:aws:iam::<NRHERE>:role/ecsTaskExecutionRole"
  }
},
"MyService": {
  "Type": "AWS::ECS::Service",
  "Properties": {
    "Cluster": { "Fn::GetAtt": [ "MyCluster", "Arn" ] },
    "DesiredCount": 1,
    "LaunchType": "FARGATE",
    "NetworkConfiguration": {
      "AwsvpcConfiguration": {
        "AssignPublicIp": "ENABLED",
        "SecurityGroups": [ { "Fn::GetAtt": [ "MySecGroup", "GroupId" ] } ],
        "Subnets": [ { "Ref": "MySubPublic" } ]
      }
    },
    "SchedulingStrategy": "REPLICA",
    "ServiceName": "MyService",
    "TaskDefinition": { "Ref": "MyDockerTask" }
  },
  "DependsOn": "MySubPublic"
},
"MyTaskSet": {
  "Type": "AWS::ECS::TaskSet",
  "Properties": {
    "Cluster": { "Ref": "MyCluster" },
    "LaunchType": "FARGATE",
    "NetworkConfiguration": {
      "AwsvpcConfiguration": {
        "AssignPublicIp": "ENABLED",
        "SecurityGroups": [ { "Fn::GetAtt": [ "MySecGroup", "GroupId" ] } ],
        "Subnets": [ { "Ref": "MySubPublic" } ]
      }
    },
    "Service": { "Ref": "MyService" },
    "TaskDefinition": { "Ref": "MyDockerTask" }
  },
  "DependsOn": [ "MyCluster" ]
},
None of the above provided a solution. I am open to any suggestions/solutions for the CFN template, provided I can conclude,
MySubPublic has no internet access.
Specifically, I see you are creating the following VPC-related resources:
AWS::EC2::VPC
AWS::EC2::InternetGateway
AWS::EC2::Subnet
AWS::EC2::SecurityGroup
What is missing is an AWS::EC2::VPCGatewayAttachment, which is what connects the Internet Gateway to the VPC.
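The answer names the missing VPCGatewayAttachment; in practice the subnet also needs a route table with a 0.0.0.0/0 route pointing at the Internet Gateway, associated with that subnet, or the Fargate task still has no path to ECR. The following is an added example, not code from the question or the answer: it copies the question's networking resources into a Python dict (trimmed to the properties that matter for egress), adds the missing resources under hypothetical logical IDs (MyIGWAttachment, MyPublicRouteTable, MyDefaultRoute, MyPublicRouteAssoc), and runs a small hypothetical static check that flags any subnet without an internet route so you can catch this before creating the stack.

```python
"""Static check for the failure mode in the question: a Fargate task in a
"public" subnet that cannot reach ECR because the Internet Gateway is never
attached to the VPC and the subnet has no default route to it.

Added example, not from the original post. Resource IDs MyVPC, MyInternetGateway
and MySubPublic mirror the question; the added IDs and the checker are
hypothetical, not an AWS or CloudFormation tool.
"""
import json

# Constructed copy of the question's networking resources, trimmed to the
# properties relevant for internet egress. No attachment, no route table.
BROKEN = {
    "MyVPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.1.0/16"}},
    "MyInternetGateway": {"Type": "AWS::EC2::InternetGateway", "Properties": {}},
    "MySubPublic": {
        "Type": "AWS::EC2::Subnet",
        "Properties": {"CidrBlock": "10.0.1.0/28", "MapPublicIpOnLaunch": True,
                       "VpcId": {"Ref": "MyVPC"}},
    },
}

# Same resources plus the pieces the broken template is missing: the gateway
# attachment, a route table with a 0.0.0.0/0 route to the IGW, and the
# association that binds that route table to the subnet.
FIXED = dict(BROKEN)
FIXED.update({
    "MyIGWAttachment": {
        "Type": "AWS::EC2::VPCGatewayAttachment",
        "Properties": {"VpcId": {"Ref": "MyVPC"},
                       "InternetGatewayId": {"Ref": "MyInternetGateway"}},
    },
    "MyPublicRouteTable": {
        "Type": "AWS::EC2::RouteTable",
        "Properties": {"VpcId": {"Ref": "MyVPC"}},
    },
    "MyDefaultRoute": {
        "Type": "AWS::EC2::Route",
        "DependsOn": "MyIGWAttachment",  # EC2 rejects the route until the IGW is attached
        "Properties": {"RouteTableId": {"Ref": "MyPublicRouteTable"},
                       "DestinationCidrBlock": "0.0.0.0/0",
                       "GatewayId": {"Ref": "MyInternetGateway"}},
    },
    "MyPublicRouteAssoc": {
        "Type": "AWS::EC2::SubnetRouteTableAssociation",
        "Properties": {"SubnetId": {"Ref": "MySubPublic"},
                       "RouteTableId": {"Ref": "MyPublicRouteTable"}},
    },
})


def _ref(value):
    """Logical ID behind a {"Ref": ...} (or a literal string); None otherwise."""
    if isinstance(value, dict) and "Ref" in value:
        return value["Ref"]
    return value if isinstance(value, str) else None


def _of_type(resources, rtype):
    return {k: v for k, v in resources.items() if v.get("Type") == rtype}


def subnets_without_internet_route(resources):
    """Logical IDs of subnets with no usable path to an Internet Gateway.

    A subnet passes only if a route table explicitly associated with it has a
    0.0.0.0/0 route whose GatewayId is an IGW attached (VPCGatewayAttachment)
    to the subnet's VPC. Subnets with no association fall back to the VPC's
    main route table, which a fresh CloudFormation VPC leaves with only the
    local route, so flagging them is the conservative choice.
    """
    attached = {
        (_ref(r["Properties"].get("VpcId")), _ref(r["Properties"].get("InternetGatewayId")))
        for r in _of_type(resources, "AWS::EC2::VPCGatewayAttachment").values()
    }
    rt_for_subnet = {}
    for r in _of_type(resources, "AWS::EC2::SubnetRouteTableAssociation").values():
        rt_for_subnet.setdefault(_ref(r["Properties"]["SubnetId"]), set()).add(
            _ref(r["Properties"]["RouteTableId"]))
    igw_routes = {}  # route table ID -> gateway IDs holding a default route
    for r in _of_type(resources, "AWS::EC2::Route").values():
        p = r["Properties"]
        if p.get("DestinationCidrBlock") == "0.0.0.0/0" and "GatewayId" in p:
            igw_routes.setdefault(_ref(p["RouteTableId"]), set()).add(_ref(p["GatewayId"]))
    bad = []
    for sid, s in _of_type(resources, "AWS::EC2::Subnet").items():
        vpc = _ref(s["Properties"].get("VpcId"))
        reachable = any((vpc, igw) in attached
                        for rt in rt_for_subnet.get(sid, ())
                        for igw in igw_routes.get(rt, ()))
        if not reachable:
            bad.append(sid)
    return bad


if __name__ == "__main__":
    print("broken:", subnets_without_internet_route(BROKEN))  # ['MySubPublic']
    print("fixed: ", subnets_without_internet_route(FIXED))   # []
    # The four resources to paste into the template, as CloudFormation JSON.
    print(json.dumps({k: v for k, v in FIXED.items() if k not in BROKEN}, indent=2))
```

Two security notes on the question's template while you are in there: pulling from ECR only needs egress, so the 0.0.0.0/0 ingress rule on all ports in MySecGroup is not part of the fix and can be dropped; and TaskRoleArn reuses ecsTaskExecutionRole, which gives the application the permissions meant for the ECS agent (ECR pull, log delivery) rather than a least-privilege role of its own. If you would rather not give the task a public IP at all, the alternative is a private subnet with interface endpoints for com.amazonaws.eu-central-1.ecr.api and com.amazonaws.eu-central-1.ecr.dkr, a gateway endpoint for S3 (image layers are served from S3), and one for CloudWatch Logs if awslogs is used.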