AWS CLI ecs run-task CannotPullContainerError: inspect image has been retried 5 time(s): failed to resolve ref

Question

I'm trying to move from the Console to the CLI.

I have an ECS Cluster and a Task Definition. From the console, I can run a task WITHOUT any issue. The task comes green and I can use the public IP to access my service.

Now, I'd like to do the same but instead of creating the task using the Console, I'd like to use AWS cli.

I thought this was enough:

aws ecs run-task --cluster my-cluster \
  --task-definition ecs-task-def:9 \
  --launch-type FARGATE \
  --network-configuration '{ "awsvpcConfiguration": { "subnets": ["subnet-XX1","subnet-XX2"], "securityGroups": ["sg-XXX"],"assignPublicIp": "ENABLED" }}'

However, the task gets stuck in PENDING state and after a while is STOPPED with the following error message:

CannotPullContainerError: inspect image has been retried 5 time(s): failed to resolve ref "docker.io/username/container:latest": failed to do request: Head https://registry-1.docker.io/v2/username/container/manifests/latest: dial tcp x.x.x.x:443: i/o timeout

What concerns me is that I can run tasks from the Console using the same arguments (VPC, Subnets, Sec Group, etc) but I cannot make it work using the CLI. If the issue was missing/wrong rules both Console and CLI should not work.

Anyone knows why?

Answer 1

Look like ECS cannot pull image from registry

CannotPullContainerError: inspect image has been retried 5 time(s): failed to resolve ref "docker.io/username/container:latest": failed to do request: Head https://registry-1.docker.io/v2/username/container/manifests/latest: dial tcp x.x.x.x:443: i/o timeout

suggested that network through 443 has been blocked!? hence cannot pull image. Have you tried allow all traffic inbound & outbound on attached sg as well as check network connectivity from within attached subnet?

You can create a simple Lambda function with similar associated subnets & security groups then executing telnet/curl to registry endpoint to check connectivity. example:

def test_book():
    http = urllib3.PoolManager()
    
    url = 'https://your-endpoint-here'
    headers = {
        "Accept": "application/json"
    }


    r = http.request(method='GET', url=url, headers=headers)
    print(f'response_status: {r.status}\nresonse_headers: {r.headers}\nresponse_data: {r.data}')