CannotPullContainer task errors in Amazon ECS
The following errors indicate that the task failed to start because Amazon ECS can't retrieve the specified container image.
Note
The 1.4 Fargate platform version truncates long error messages.
To check your stopped tasks for an error message using the AWS Management Console, see Viewing Amazon ECS stopped task errors.
Errors
- The task can’t pull the image. Check that the role has the permissions to pull images from the registry.
- The task cannot pull ‘image-name’ from the Amazon ECR repository ‘repository URI’. There is a connection issue between the task and Amazon ECR. Check your task network configuration.
- The task can’t pull the image. Check your network configuration
- API error (500): Get https://111122223333.dkr.ecr.us-east-1.amazonaws.com/v2/: net/http: request canceled while waiting for connection
- API error
- write /var/lib/docker/tmp/GetImageBlob111111111: no space left on device
- ERROR: toomanyrequests: Too Many Requests or You have reached your pull rate limit.
- Error response from daemon: Get url: net/http: request canceled while waiting for connection
- ref pull has been retried 1 time(s): failed to copy: httpReaderSeeker: failed open: unexpected status code
- pull access denied
- pull command failed: panic: runtime error: invalid memory address or nil pointer dereference
- error pulling image conf/error pulling image configuration
- Context canceled
The task can’t pull the image. Check that the role has the permissions to pull images from the registry.
This error indicates that the task can't pull the image specified in the task definition because of permission issues.
To resolve this issue:
- Check that the image exists in the repository. For information about viewing your images, see Viewing image details in Amazon ECR in the Amazon Elastic Container Registry User Guide.
- Verify that the role-arn has the correct permissions to pull the image. For information about how to update roles, see Update permissions for a role in the AWS Identity and Access Management User Guide.
  The task uses one of the following roles:
  - For tasks with the Fargate launch type, this is the task execution role. For information about the additional permissions for Amazon ECR, see Fargate tasks pulling Amazon ECR images over interface endpoints permissions.
  - For tasks with the EC2 launch type, this is the container instance role. For information about the additional permissions for Amazon ECR, see Amazon ECR permissions.
The task cannot pull ‘image-name’ from the Amazon ECR repository ‘repository URI’. There is a connection issue between the task and Amazon ECR. Check your task network configuration.
This error indicates that the task can't connect to Amazon ECR. Check the connection to the repository URI repository.
For information about how to verify and resolve the issue, see Verifying Amazon ECS stopped task connectivity.
The task can’t pull the image. Check your network configuration
This error indicates that the task can't connect to Amazon ECR.
For information about how to verify and resolve the issue, see Verifying Amazon ECS stopped task connectivity.
API error (500): Get https://111122223333.dkr.ecr.us-east-1.amazonaws.com/v2/: net/http: request canceled while waiting for connection
This error indicates that a connection timed out, because a route to the internet doesn't exist.
To resolve this issue, you can:
- For tasks in public subnets, specify ENABLED for Auto-assign public IP when launching the task. For more information, see Running an application as an Amazon ECS task.
- For tasks in private subnets, specify DISABLED for Auto-assign public IP when launching the task, and configure a NAT gateway in your VPC to route requests to the internet. For more information, see NAT Gateways in the Amazon VPC User Guide.
API error
This error indicates that there is a connection issue with the Amazon ECR endpoint.
For information about how to resolve this issue, see How can I resolve the Amazon ECR error "CannotPullContainerError: API error" in Amazon ECS.
write /var/lib/docker/tmp/GetImageBlob111111111: no space left on device
This error indicates that there is insufficient disk space.
To resolve this issue, free up disk space.
If you are using the Amazon ECS-optimized AMI, you can use the following command to retrieve the 20 largest files on your file system:
du -Sh / | sort -rh | head -20
Example output:
5.7G    /var/lib/docker/containers/50501b5f4cbf90b406e0ca60bf4e6d4ec8f773a6c1d2b451ed8e0195418ad0d2
1.2G    /var/log/ecs
594M    /var/lib/docker/devicemapper/mnt/c8e3010e36ce4c089bf286a623699f5233097ca126ebd5a700af023a5127633d/rootfs/data/logs
...
In some cases, the root volume might be filled up by a running container. If the container is using the default json-file log driver without a max-size limit, the log file may be responsible for most of the space used. You can use the docker ps command to verify which container is using the space by mapping the directory name from the output above to the container ID. For example:
CONTAINER ID   IMAGE                            COMMAND    CREATED      STATUS      PORTS   NAMES
50501b5f4cbf   amazon/amazon-ecs-agent:latest   "/agent"   4 days ago   Up 4 days           ecs-agent
By default, when using the json-file log driver, Docker captures the standard output (and standard error) of all of your containers and writes them to files in JSON format. You can set max-size as a log driver option, which prevents the log file from taking up too much space. For more information, see JSON File logging driver.
The following is a container definition snippet showing how to use this option:
{
    "log-driver": "json-file",
    "log-opts": {
        "max-size": "256m"
    }
}
An alternative, if your container logs are taking up too much disk space, is to use the awslogs log driver. The awslogs log driver sends the logs to CloudWatch, which frees up the disk space that would otherwise be used for your container logs on the container instance. For more information, see Send Amazon ECS logs to CloudWatch.
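The directory-to-container mapping and max-size check described above, as an added shell example that is not from the AWS documentation: it extracts the short container ID from du output and flags json-file containers that have no max-size. The function names are hypothetical, and the sample input is constructed from the example output on this page.

```shell
#!/bin/sh
# Added example (not AWS code). Function names are hypothetical and the
# sample input is constructed from the example output on this page.

# Read `du -Sh` lines ("<size><TAB><path>") on stdin and print
# "<short-id> <size>" for each /var/lib/docker/containers/<64-hex-id> path.
# The 12-character short ID is what `docker ps` shows under CONTAINER ID.
container_ids_from_du() {
    sed -nE 's#^([^[:space:]]+)[[:space:]]+/var/lib/docker/containers/([0-9a-f]{12})[0-9a-f]{52}(/.*)?$#\2 \1#p'
}

# Print "UNBOUNDED" when the driver is json-file with no max-size, else "ok".
# $1 = log driver name, $2 = max-size option (empty when unset).
classify_log_config() {
    if [ "$1" = "json-file" ] && [ -z "$2" ]; then
        echo "UNBOUNDED"
    else
        echo "ok"
    fi
}

# On a container instance: read "<short-id> <size>" lines on stdin and report
# each container's log driver and max-size as seen by `docker inspect`.
audit_container_logs() {
    while read -r id size; do
        driver=$(docker inspect --format '{{.HostConfig.LogConfig.Type}}' "$id")
        max=$(docker inspect --format '{{index .HostConfig.LogConfig.Config "max-size"}}' "$id")
        echo "$id $size driver=$driver max-size=${max:-none} $(classify_log_config "$driver" "$max")"
    done
}

# Constructed sample mirroring the example output on this page.
sample_du() {
    printf '%s\t%s\n' \
        '5.7G' '/var/lib/docker/containers/50501b5f4cbf90b406e0ca60bf4e6d4ec8f773a6c1d2b451ed8e0195418ad0d2' \
        '1.2G' '/var/log/ecs'
}

# Offline demo on the constructed sample.
sample_du | container_ids_from_du
# On a real instance:
#   du -Sh / 2>/dev/null | sort -rh | head -20 | container_ids_from_du | audit_container_logs
```

A container reported as UNBOUNDED is a candidate for the max-size option or the awslogs driver described in this section.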
ERROR: toomanyrequests: Too Many Requests or You have reached your pull rate limit.
This error indicates that Docker Hub rate limiting is in effect.
If you receive one of the following errors, you're likely hitting the Docker Hub rate limits:
For more information about the Docker Hub rate limits, see Understanding Docker Hub rate limiting.
If you have increased the Docker Hub rate limit and you need to authenticate your Docker pulls for your container instances, see Private registry authentication for container instances.
Error response from daemon: Get url: net/http: request canceled while waiting for connection
This error indicates that a connection timed out, because a route to the internet doesn't exist.
To resolve this issue, you can:
- For tasks in public subnets, specify ENABLED for Auto-assign public IP when launching the task. For more information, see Running an application as an Amazon ECS task.
- For tasks in private subnets, specify DISABLED for Auto-assign public IP when launching the task, and configure a NAT gateway in your VPC to route requests to the internet. For more information, see NAT Gateways in the Amazon VPC User Guide.
ref pull has been retried 1 time(s): failed to copy: httpReaderSeeker: failed open: unexpected status code
This error indicates that there was a failure when copying an image.
To resolve this issue, review one of the following articles:
- For Fargate tasks, see How do I resolve the "cannotpullcontainererror" error for my Amazon ECS tasks on Fargate.
- For other tasks, see How do I resolve the "cannotpullcontainererror" error for my Amazon ECS tasks.
pull access denied
This error indicates that there is no access to the image.
To resolve this issue, you might need to authenticate your Docker client with Amazon ECR. For more information, see Private registry authentication in the Amazon ECR User Guide.
pull command failed: panic: runtime error: invalid memory address or nil pointer dereference
This error indicates that there is no access to the image because of an invalid memory address or nil pointer dereference.
To resolve this issue:
- Check that you have the security group rules to reach Amazon S3.
- When you use gateway endpoints, you must add a route in the route table to access the endpoint.
error pulling image conf/error pulling image configuration
This error indicates that a rate limit has been reached or that there is a network error.
To resolve this issue, see How can I resolve the "CannotPullContainerError" error in my Amazon ECS EC2 Launch Type Task.
Context canceled
This error indicates that the context was cancelled.
The common cause of this error is that the VPC your task is using doesn't have a route to pull the container image from Amazon ECR.