unable to pull secrets or registry auth: pull command failed: : signal: killed
Posted: 2021-10-12 17:08:30

Question:
I've spent the whole day trying to deploy an image to Fargate, and I keep running into the following error:

ResourceInitializationError: unable to pull secrets or registry auth: pull command failed: : signal: killed

I'm using the following CloudFormation template (abridged):
```yaml
Parameters:
  VPC:
    Type: AWS::EC2::VPC::Id
    Description: VPC Id. VPC's private subnets must have a NAT Gateway to download container image.
  PublicSubnets:
    Description: Choose which public subnets the Load Balancer and ECS Service should be deployed to
    Type: List<AWS::EC2::Subnet::Id>
  IamCertificateArn:
    Type: String
    Description: The IAM Certificate Arn, which must exist in the same region
  Image:
    Type: String
    Description: Docker image. You can use images in the Docker Hub registry or specify other repositories (repository-url/image:tag).
  ContainerPort:
    Type: Number
    Description: Port on which the application listens within the docker container
    Default: 80
  LoadBalancerPort:
    Type: Number
    Default: 443
  RDSSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security Group of the RDS Instance
  HealthCheckPath:
    Type: String
    Description: The health check path starting with / e.g. /health
  HostedZoneName:
    Type: String
    Description: Domain name for your website (example.com.). Note it must end in a .
  HostedZoneID:
    Type: String
    Description: Hosted Zone Id

Resources:
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    DependsOn:
      - LogGroup
      - TaskExecutionRole
    Properties:
      Family: !Join ["", [!Ref "AWS::StackName", TaskDefinition]]
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      Cpu: 512
      Memory: 1GB
      ExecutionRoleArn: !Ref TaskExecutionRole
      TaskRoleArn: !Ref TaskExecutionRole
      ContainerDefinitions:
        - Name: !Ref "AWS::StackName"
          Image: !Ref Image
          PortMappings:
            - ContainerPort: !Ref ContainerPort
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-region: !Ref "AWS::Region"
              awslogs-group: !Ref LogGroup
              awslogs-stream-prefix:
                !Join ["", [!Ref "AWS::StackName", -ecs-app]]
          # Command is passed as an argv list; one element per argument
          Command: ["./app", "-f", "config.toml"]

  Cluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: !Join ["", [!Ref "AWS::StackName", "-", "Cluster"]]

  Service:
    Type: AWS::ECS::Service
    DependsOn:
      - ListenerHTTPS
    Properties:
      ServiceName: !Join ["", [!Ref "AWS::StackName", "-", "Service"]]
      Cluster: !Ref Cluster
      TaskDefinition: !Ref TaskDefinition
      DeploymentConfiguration:
        MinimumHealthyPercent: 100
        MaximumPercent: 200
      DesiredCount: 1
      HealthCheckGracePeriodSeconds: 30
      LaunchType: FARGATE
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED
          Subnets: !Ref PublicSubnets
          SecurityGroups:
            - !Ref ContainerSecurityGroup
      LoadBalancers:
        - ContainerName: !Ref "AWS::StackName"
          ContainerPort: !Ref ContainerPort
          TargetGroupArn: !Ref TargetGroup

  # API Load Balancer
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      HealthCheckIntervalSeconds: 30
      HealthCheckPath: !Ref HealthCheckPath
      HealthCheckTimeoutSeconds: 10
      UnhealthyThresholdCount: 2
      HealthyThresholdCount: 2
      Name: !Join ["", [!Ref "AWS::StackName", "-", "TrgtGrp"]]
      Port: !Ref ContainerPort
      Protocol: HTTP
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: 60 # default is 300
      TargetType: ip
      VpcId: !Ref VPC

  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Join ["", [!Ref "AWS::StackName", "-", "ELB"]]
      Scheme: internet-facing
      SecurityGroups:
        - !Ref LoadBalancerSecurityGroup
      Subnets: !Ref PublicSubnets

  ListenerHTTPS:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - TargetGroupArn: !Ref TargetGroup
          Type: forward
      LoadBalancerArn: !Ref LoadBalancer
      Port: !Ref LoadBalancerPort
      Protocol: HTTPS
      Certificates:
        - CertificateArn: !Ref IamCertificateArn

  TaskExecutionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
                - ecs.amazonaws.com
                - ecs-tasks.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: !Join ["", [!Ref "AWS::StackName", "-", "DownloadConfigFromS3Policy"]]
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource:
                  - arn:aws:s3:::config.toml
        - PolicyName: !Join ["", [!Ref "AWS::StackName", "-", "PullImagePolicy"]]
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ecr:GetAuthorizationToken
                  - ecr:BatchCheckLayerAvailability
                  - ecr:GetDownloadUrlForLayer
                  - ecr:BatchGetImage
                Resource: "*"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
        - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role

  VPCEndpointECRAPI:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      SecurityGroupIds:
        - !Ref PrivateLinkSecurityGroup
      ServiceName: !Join ["", ["com.amazonaws.", !Ref "AWS::Region", ".ecr.api"]]
      SubnetIds: !Ref PublicSubnets
      VpcId: !Ref VPC

  VPCEndpointECRDKR:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      SecurityGroupIds:
        - !Ref PrivateLinkSecurityGroup
      ServiceName: !Join ["", ["com.amazonaws.", !Ref "AWS::Region", ".ecr.dkr"]]
      SubnetIds: !Ref PublicSubnets
      VpcId: !Ref VPC

  VPCEndpointLogs:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      SecurityGroupIds:
        - !Ref PrivateLinkSecurityGroup
      ServiceName: !Join ["", ["com.amazonaws.", !Ref "AWS::Region", ".logs"]]
      SubnetIds: !Ref PublicSubnets
      VpcId: !Ref VPC

  VPCEndpointS3:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      SecurityGroupIds:
        - !Ref PrivateLinkSecurityGroup
      ServiceName: !Join ["", ["com.amazonaws.", !Ref "AWS::Region", ".s3"]]
      SubnetIds: !Ref PublicSubnets
      VpcId: !Ref VPC

  VPCEndpointSSM:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      SecurityGroupIds:
        - !Ref PrivateLinkSecurityGroup
      ServiceName: !Join ["", ["com.amazonaws.", !Ref "AWS::Region", ".ssm"]]
      SubnetIds: !Ref PublicSubnets
      VpcId: !Ref VPC

  # Security Groups
  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Load balancer security group
      GroupName: !Join ["", [!Ref "AWS::StackName", "-", "LoadBalancerSecurityGroup"]]
      Tags:
        - Key: ProjectName
          Value: !Ref "AWS::StackName"
      VpcId: !Ref VPC

  LoadBalancerInboundRuleHTTP:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref LoadBalancerSecurityGroup
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 0.0.0.0/0

  LoadBalancerOutboundRuleHTTP:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref LoadBalancerSecurityGroup
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 0.0.0.0/0

  LoadBalancerInboundRuleHTTPS:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref LoadBalancerSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      CidrIp: 0.0.0.0/0

  LoadBalancerOutboundRuleHTTPS:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref LoadBalancerSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      CidrIp: 0.0.0.0/0

  LoadBalancerInboundRuleContainer:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref LoadBalancerSecurityGroup
      IpProtocol: tcp
      FromPort: !Ref ContainerPort
      ToPort: !Ref ContainerPort
      SourceSecurityGroupId: !GetAtt ContainerSecurityGroup.GroupId

  LoadBalancerOutboundRuleContainer:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref LoadBalancerSecurityGroup
      IpProtocol: tcp
      FromPort: !Ref ContainerPort
      ToPort: !Ref ContainerPort
      DestinationSecurityGroupId: !GetAtt ContainerSecurityGroup.GroupId

  ContainerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Accepts traffic from and to load balancer
      GroupName: !Join ["", [!Ref "AWS::StackName", "-", "ContainerSecurityGroup"]]
      Tags:
        - Key: ProjectName
          Value: !Ref "AWS::StackName"
      VpcId: !Ref VPC

  ContainerInboundRuleHTTP:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref ContainerSecurityGroup
      IpProtocol: tcp
      FromPort: !Ref ContainerPort
      ToPort: !Ref ContainerPort
      SourceSecurityGroupId: !GetAtt LoadBalancerSecurityGroup.GroupId

  ContainerOutboundRuleHTTP:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref ContainerSecurityGroup
      IpProtocol: tcp
      FromPort: !Ref ContainerPort
      ToPort: !Ref ContainerPort
      DestinationSecurityGroupId: !GetAtt LoadBalancerSecurityGroup.GroupId

  ContainerInboundRuleRDS:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref ContainerSecurityGroup
      IpProtocol: tcp
      FromPort: 5432
      ToPort: 5432
      SourceSecurityGroupId: !Ref RDSSecurityGroupId

  # Logical IDs must be unique; this egress rule was a duplicate "ContainerInboundRuleRDS"
  ContainerOutboundRuleRDS:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref ContainerSecurityGroup
      IpProtocol: tcp
      FromPort: 5432
      ToPort: 5432
      DestinationSecurityGroupId: !Ref RDSSecurityGroupId

  PrivateLinkSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: PrivateLink-SecurityGroup
      GroupDescription: PrivateLink-SecurityGroup
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0 #should be cidrip of vpc
      VpcId: !Ref VPC
```
I've looked at several questions on *** and in the AWS forums. I can confirm:

- DNS is enabled on the VPC
- Assign public IP is enabled on Fargate
- no private subnets are in use
- the ECR repository is private
- I'm not storing any secrets in Secrets Manager

I've tried various TaskExecutionPolicies that grant full access to ECS, but I still get the same error.

Honestly, I don't know what else to try. I'd really appreciate some help with this.
Comments:
Your code is incomplete. TargetGroup and ListenerHTTPS aren't defined, so it's hard to speculate.
@Marcin: Thanks for the comment. I've added their definitions to the question.
Answer 1:
Your problem is caused by an incorrect ContainerSecurityGroup. It only allows outbound connections to your ALB, so it can't fetch your image. I would add the following rule:
```yaml
ContainerOutboundAll:
  Type: AWS::EC2::SecurityGroupEgress
  Properties:
    GroupId: !Ref ContainerSecurityGroup
    IpProtocol: tcp
    FromPort: 0
    ToPort: 65535
    CidrIp: 0.0.0.0/0
```
This will allow all outbound traffic, which lets the ECR pull complete. If you want, you can go further and allow only access to the VPC interface endpoints.

Please note: ContainerOutboundAll should fix your current error. Your template is long and complex, and there may be further problems that aren't apparent yet. If so, those (if any) would be better as a new question.
Comments:
Thanks! This fixed the problem. Yes, there are other issues, but I'll work through them or ask new questions. Thanks a lot for your help :)
@W.K.S No problem. Glad you got past the current problem.
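The answer mentions that the allow-all egress rule can be narrowed to the VPC interface endpoints. The following is an added example of that narrowing, written for this page and not part of the original question or answer. It assumes the image is in a private ECR repository (as the question states) and keeps the existing ContainerOutboundRuleHTTP and RDS rules; it replaces ContainerOutboundAll with HTTPS-only egress to the PrivateLink security group and to S3, turns on PrivateDnsEnabled on the interface endpoints so that the ECR and Logs hostnames resolve to the endpoint addresses inside the VPC, and has the endpoint security group accept 443 only from the task security group instead of from 0.0.0.0/0. The S3PrefixListId and RouteTableIds parameters, the pl-PLACEHOLDER default, and the resource names VPCEndpointS3Gateway, ContainerOutboundRuleEndpoints, ContainerOutboundRuleS3 and PrivateLinkInboundRuleContainer are assumptions introduced here; everything else refers to names already in the question's template.

```yaml
# Added example (not from the original question or answer): least-privilege
# egress for the Fargate task instead of the catch-all ContainerOutboundAll rule.
Parameters:
  S3PrefixListId:
    Type: String
    # Placeholder: the regional S3 managed prefix list (pl-...) is looked up with
    # "aws ec2 describe-prefix-lists". ECR serves image layers from S3.
    Default: pl-PLACEHOLDER
  RouteTableIds:
    Type: CommaDelimitedList
    Description: Route tables of the subnets the tasks run in (for the S3 gateway endpoint)

Resources:
  # Interface endpoints need private DNS so that api.ecr.<region>.amazonaws.com,
  # the dkr registry host and logs.<region>.amazonaws.com resolve to the endpoint
  # ENIs rather than to public addresses that the narrowed egress would block.
  # PrivateDnsEnabled is shown on ecr.api only; set it on ecr.dkr, logs and ssm too.
  VPCEndpointECRAPI:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !Ref PrivateLinkSecurityGroup
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.ecr.api"
      SubnetIds: !Ref PublicSubnets
      VpcId: !Ref VPC

  # Gateway endpoint for S3: layer downloads reach S3 through the route table,
  # with no NAT gateway and no public address involved.
  VPCEndpointS3Gateway:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Gateway
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3"
      RouteTableIds: !Ref RouteTableIds
      VpcId: !Ref VPC

  # Task -> interface endpoints (ECR API, ECR DKR, CloudWatch Logs, SSM), HTTPS only.
  ContainerOutboundRuleEndpoints:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref ContainerSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      DestinationSecurityGroupId: !Ref PrivateLinkSecurityGroup

  # Task -> S3 via the gateway endpoint, HTTPS only, scoped by the S3 prefix list.
  ContainerOutboundRuleS3:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref ContainerSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      DestinationPrefixListId: !Ref S3PrefixListId

  # Endpoint security group with no inline ingress; the rule below admits HTTPS
  # from the task security group only (the original allowed 0.0.0.0/0).
  PrivateLinkSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: PrivateLink-SecurityGroup
      GroupDescription: HTTPS from ECS tasks to VPC interface endpoints
      VpcId: !Ref VPC

  # Standalone ingress resource avoids a circular reference between the two groups.
  PrivateLinkInboundRuleContainer:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref PrivateLinkSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      SourceSecurityGroupId: !Ref ContainerSecurityGroup
```

With this in place, a task that still fails to start reports the reason in its stoppedReason (aws ecs describe-tasks), which distinguishes an egress or DNS problem at pull time from an IAM problem on the execution role. The trade-off is explicit: the task can reach the endpoints, S3, the ALB and the RDS security group, and nothing else, so an image hosted on Docker Hub rather than in ECR would no longer be reachable under these rules.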