ECR - CannotPullContainerError - Task stopped - while pulling image

Anyone seen this error trying to pull an image from ECR before?

```
CannotPullContainerError: containerd: pull command failed: panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x40 pc=0x132e0d2]

goroutine 1 [running]:
main.(*puller).pullWithClient(0xc0005fbb80, {0x192b918, 0xc0004ae690}, {0x19247d0, 0xc0005be000}, 0xc0004d92b0, {0x1924848, 0xc000077800})
	/root/go/src/github.com/aws/two/puller/pull.go:198 +0x4f2
main.(*puller).Pull(0xc0005fbb80, {0x192b918, 0xc0005b2660}, 0xc0004d92b0, {0x1924848, 0xc000077800})
	/root/go/src/github.com/aws/two/puller/pull.go:147 +0x2a5
main.(*puller).pullImage(0x192b918?, {0x192b918, 0xc0005b2660}, 0xc0004d92b0, {0x1924848?, 0xc000077800?})
	/root/go/src/github.com/aws/two/puller/pull.go:350 +0x45
main.main()
	/root/go/src/github.com/aws/two/puller/main.go:75 +0x57c
: exit status 2
```

I suspect this may be what happens when you enable a Network ACL rule that disallows a subnet from reaching ECR.

Yup, that was it. Not a helpful error message!

Honestly, Network ACLs seem a particularly blunt instrument for a pen test to insist on when we already have security groups and subnets without a NAT gateway…
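
Added example, not part of the original posts: a small evaluator for Network ACL entries in the shape returned by `aws ec2 describe-network-acls`, which shows how a single stateless rule can break an HTTPS pull even when egress on 443 is allowed. The NACL entries, the peer address `203.0.113.10` (a documentation-range placeholder for a registry endpoint) and the function names are constructed for illustration.

```python
import ipaddress

def nacl_allows(entries, egress, peer_ip, port, protocol="6"):
    """Evaluate NACL entries: lowest rule number first, first match decides.

    Returns (allowed, matching_rule_number). `port` is the destination port.
    """
    peer = ipaddress.ip_address(peer_ip)
    candidates = sorted((e for e in entries if e["Egress"] == egress),
                        key=lambda e: e["RuleNumber"])
    for e in candidates:
        if e["Protocol"] not in ("-1", protocol):   # "-1" means all protocols
            continue
        if peer not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        pr = e.get("PortRange")
        if e["Protocol"] != "-1" and pr and not pr["From"] <= port <= pr["To"]:
            continue
        return e["RuleAction"] == "allow", e["RuleNumber"]
    return False, None

def https_pull_path(entries, peer_ip, ephemeral_port=49152):
    """NACLs are stateless: the outbound request to 443 and the reply to the
    task's ephemeral port are evaluated separately, and both must be allowed."""
    return {
        "egress_443": nacl_allows(entries, True, peer_ip, 443),
        "return_traffic": nacl_allows(entries, False, peer_ip, ephemeral_port),
    }

ANY = "0.0.0.0/0"
# Constructed sample: rule 90 is a hypothetical hardening rule added on ingress.
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": ANY, "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1",
     "RuleAction": "deny", "CidrBlock": ANY},
    {"RuleNumber": 90, "Egress": False, "Protocol": "6", "RuleAction": "deny",
     "CidrBlock": ANY, "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 100, "Egress": False, "Protocol": "-1",
     "RuleAction": "allow", "CidrBlock": ANY},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1",
     "RuleAction": "deny", "CidrBlock": ANY},
]

if __name__ == "__main__":
    for direction, (ok, rule) in https_pull_path(SAMPLE_ENTRIES, "203.0.113.10").items():
        print(f"{direction}: {'allow' if ok else 'deny'} (rule {rule})")
```

Running the same check against the NACL of the task's subnet before and after a rule change points at the exact rule number that blocks the pull, which the `CannotPullContainerError` text does not.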