ECS - Container cannot pull public image from Docker Hub

Question

When deploying Task in ECS Cluster with a public repo Docker Hub, the task always Stopped with this error in the Task Container:

Stopped reason
Cannotpullcontainererror: 
    pull image manifest has been retried 5 time(s): 
        failed to resolve ref docker.io/username/repo: 
            failed to do request: 
                Head "https://registry-1.docker.io/v2/username/repo/manifests/latest": 
                    dial tcp 44.205.64.79:443: i/o timeout

This is my Task Definition:

{
    "taskDefinitionArn": "arn:aws:ecs:ap-southeast-1:...:task-definition/taskname_task:6",
    "containerDefinitions": [
        {
            "name": "containername_container",
            "image": "username/repo",
            "cpu": 0,
            "links": [],
            "portMappings": [
                {
                    "name": "containername_container-8888-tcp",
                    "containerPort": 8888,
                    "hostPort": 8888,
                    "protocol": "tcp",
                    "appProtocol": "http"
                }
            ],
            "essential": true,
            "entryPoint": [],
            "command": [],
            "environment": [],
            "environmentFiles": [],
            "mountPoints": [],
            "volumesFrom": [],
            "secrets": [],
            "dnsServers": [],
            "dnsSearchDomains": [],
            "extraHosts": [],
            "dockerSecurityOptions": [],
            "dockerLabels": {},
            "ulimits": [],
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-create-group": "true",
                    "awslogs-group": "/ecs/taskname_task",
                    "awslogs-region": "ap-southeast-1",
                    "awslogs-stream-prefix": "ecs"
                },
                "secretOptions": []
            },
            "systemControls": []
        }
    ],
    "family": "taskname_task",
    "taskRoleArn": "arn:aws:iam::...:role/ecsTaskExecutionRole",
    "executionRoleArn": "arn:aws:iam::...:role/ecsTaskExecutionRole",
    "networkMode": "awsvpc",
    "revision": 6,
    "volumes": [],
    "status": "ACTIVE",
    "requiresAttributes": [
        {
            "name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
        },
        {
            "name": "ecs.capability.execution-role-awslogs"
        },
        {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
        },
        {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.17"
        },
        {
            "name": "com.amazonaws.ecs.capability.task-iam-role"
        },
        {
            "name": "ecs.capability.extensible-ephemeral-storage"
        },
        {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
        },
        {
            "name": "ecs.capability.task-eni"
        },
        {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.29"
        }
    ],
    "placementConstraints": [],
    "compatibilities": [
        "EC2",
        "FARGATE"
    ],
    "requiresCompatibilities": [
        "FARGATE"
    ],
    "cpu": "1024",
    "memory": "2048",
    "ephemeralStorage": {
        "sizeInGiB": 21
    },
    "runtimePlatform": {
        "cpuArchitecture": "X86_64",
        "operatingSystemFamily": "LINUX"
    },
    "registeredAt": "...",
    "registeredBy": "arn:aws:iam::...:root",
    "tags": [
        {
            "key": "ecs:taskDefinition:createdFrom",
            "value": "ecs-console-v2"
        },
        {
            "key": "ecs:taskDefinition:stackId",
            "value": "arn:aws:cloudformation:ap-southeast-1:...:stack/ECS-Console-V2-TaskDefinition-.../..."
        }
    ]
}

I'm new to ECS and AWS also. I have try the request https://registry-1.docker.io/v2/username/repo/manifests/latest in the error of Task Container above and received this:

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"username/repo","Action":"pull"}]}]}

Is it about the request docker.io configured? I have done a lot of research but not figure anything out.

Answer 1

You can use Dockerhub image from within Amazon ECS Tasks
The format of Dockerhub image would be [registry-url]/[namespace]/[image]:[tag], you do not need registry-url for Dockerhub as the docker client assumes Dockerhub if one is not specified
Alternatively Docker official images should be present on ECR public in addition to Dockerhub so you can reference the ECR public repositories instead from within the ECS Tasks
Now Fargate uses the awsvpc network mode so essentially there are two options to run the task in Fargate:

• If the task is being run inside a public subnet, then Auto assign Public IP must be enabled and we need to ensure that public subnet route table has Internet Gateway for internet connectivity to be able to pull the container image from public docker repository
• If the task is being run from a private subnet then Auto assign Public IP must be disabled and we need to ensure that private subnet route table has an associated NAT Gateway allowing the task inside private subnet to pull the container image from public docker repository