Beta 4 template fails to create a new stack

Expected behavior

Create a new stack from the Docker for AWS Beta 4 CloudFront template.

Actual behavior

Stack status shows as “ROLLBACK_COMPLETE.”

Additional Information

The “Create a New Stack” screen loaded in my browser pre-filled with the S3 template URL.

Steps to reproduce the behavior

  1. Click “Launch Stack” link in welcome email
  2. Follow the setup flow to create a new stack.

Could you provide more details on the error you’re seeing? The event pane will typically show what component caused the error.

It looks like the first thing that fails is the creation of a subnet in the us-east-1b availability zone. Here’s the events list:

2016-08-01	Status	Type	Logical ID	Status reason
12:45:25 UTC-0600	ROLLBACK_COMPLETE	AWS::CloudFormation::Stack	Docker-Staging	
12:45:24 UTC-0600	DELETE_COMPLETE	AWS::SQS::Queue	SwarmSQSCleanup	
12:45:24 UTC-0600	DELETE_COMPLETE	AWS::SQS::Queue	SwarmSQS	
12:44:54 UTC-0600	DELETE_COMPLETE	AWS::EC2::VPC	Vpc	
12:44:39 UTC-0600	DELETE_COMPLETE	AWS::EC2::InternetGateway	InternetGateway	
12:44:38 UTC-0600	DELETE_IN_PROGRESS	AWS::EC2::VPC	Vpc	
12:44:37 UTC-0600	DELETE_COMPLETE	AWS::EC2::Subnet	PubSubnetAz1	
12:44:27 UTC-0600	DELETE_COMPLETE	AWS::EC2::SecurityGroup	NodeVpcSG	
12:44:23 UTC-0600	DELETE_IN_PROGRESS	AWS::EC2::SecurityGroup	NodeVpcSG	
12:44:23 UTC-0600	DELETE_IN_PROGRESS	AWS::EC2::InternetGateway	InternetGateway	
12:44:23 UTC-0600	DELETE_IN_PROGRESS	AWS::SQS::Queue	SwarmSQSCleanup	
12:44:23 UTC-0600	DELETE_IN_PROGRESS	AWS::SQS::Queue	SwarmSQS	
12:44:22 UTC-0600	DELETE_COMPLETE	AWS::EC2::RouteTable	RouteViaIgw	
12:44:22 UTC-0600	DELETE_COMPLETE	AWS::EC2::Subnet	PubSubnetAz2	
12:44:22 UTC-0600	DELETE_COMPLETE	AWS::EC2::VPCGatewayAttachment	AttachGateway	
12:44:21 UTC-0600	DELETE_COMPLETE	AWS::IAM::Role	ProxyRole	
12:44:21 UTC-0600	DELETE_COMPLETE	AWS::EC2::SecurityGroup	ExternalLoadBalancerSG	
12:44:21 UTC-0600	DELETE_IN_PROGRESS	AWS::EC2::RouteTable	RouteViaIgw	
12:44:21 UTC-0600	DELETE_COMPLETE	AWS::EC2::SecurityGroup	SSHLoadBalancerSG	
12:44:21 UTC-0600	DELETE_IN_PROGRESS	AWS::IAM::Role	ProxyRole	
12:44:21 UTC-0600	DELETE_IN_PROGRESS	AWS::EC2::Subnet	PubSubnetAz1	
12:44:15 UTC-0600	ROLLBACK_IN_PROGRESS	AWS::CloudFormation::Stack	Docker-Staging	The following resource(s) failed to create: [SSHLoadBalancerSG, PubSubnetAz1, RouteViaIgw, AttachGateway, NodeVpcSG, ProxyRole, ExternalLoadBalancerSG, PubSubnetAz2]. . Rollback requested by user.
12:44:14 UTC-0600	CREATE_FAILED	AWS::EC2::SecurityGroup	NodeVpcSG	Resource creation cancelled
12:43:59 UTC-0600	CREATE_FAILED	AWS::EC2::SecurityGroup	SSHLoadBalancerSG	Resource creation cancelled
12:43:59 UTC-0600	CREATE_FAILED	AWS::EC2::VPCGatewayAttachment	AttachGateway	Resource creation cancelled
12:43:59 UTC-0600	CREATE_FAILED	AWS::EC2::RouteTable	RouteViaIgw	Resource creation cancelled
12:43:59 UTC-0600	CREATE_FAILED	AWS::EC2::SecurityGroup	ExternalLoadBalancerSG	Resource creation cancelled
12:43:59 UTC-0600	CREATE_FAILED	AWS::EC2::Subnet	PubSubnetAz1	Resource creation cancelled
12:43:59 UTC-0600	CREATE_FAILED	AWS::IAM::Role	ProxyRole	Resource creation cancelled
12:43:59 UTC-0600	CREATE_IN_PROGRESS	AWS::EC2::VPCGatewayAttachment	AttachGateway	
12:43:59 UTC-0600	CREATE_IN_PROGRESS	AWS::EC2::RouteTable	RouteViaIgw	Resource creation Initiated
12:43:59 UTC-0600	CREATE_IN_PROGRESS	AWS::EC2::SecurityGroup	ExternalLoadBalancerSG	
12:43:58 UTC-0600	CREATE_IN_PROGRESS	AWS::EC2::SecurityGroup	NodeVpcSG	
12:43:58 UTC-0600	CREATE_FAILED	AWS::EC2::Subnet	PubSubnetAz2	Value (us-east-1b) for parameter availabilityZone is invalid. Subnets can currently only be created in the following availability zones: us-east-1d, us-east-1a, us-east-1c, us-east-1e.
12:43:58 UTC-0600	CREATE_IN_PROGRESS	AWS::EC2::RouteTable	RouteViaIgw	
12:43:58 UTC-0600	CREATE_IN_PROGRESS	AWS::EC2::Subnet	PubSubnetAz1	Resource creation Initiated
12:43:58 UTC-0600	CREATE_IN_PROGRESS	AWS::EC2::SecurityGroup	SSHLoadBalancerSG	
12:43:58 UTC-0600	CREATE_IN_PROGRESS	AWS::EC2::Subnet	PubSubnetAz2	
12:43:57 UTC-0600	CREATE_IN_PROGRESS	AWS::EC2::Subnet	PubSubnetAz1	
12:43:54 UTC-0600	CREATE_COMPLETE	AWS::EC2::VPC	Vpc	
12:43:54 UTC-0600	CREATE_COMPLETE	AWS::EC2::InternetGateway	InternetGateway	
12:43:37 UTC-0600	CREATE_IN_PROGRESS	AWS::EC2::InternetGateway	InternetGateway	Resource creation Initiated
12:43:37 UTC-0600	CREATE_COMPLETE	AWS::SQS::Queue	SwarmSQS	
12:43:37 UTC-0600	CREATE_IN_PROGRESS	AWS::IAM::Role	ProxyRole	Resource creation Initiated
12:43:37 UTC-0600	CREATE_COMPLETE	AWS::SQS::Queue	SwarmSQSCleanup	
12:43:37 UTC-0600	CREATE_IN_PROGRESS	AWS::EC2::VPC	Vpc	Resource creation Initiated
12:43:37 UTC-0600	CREATE_IN_PROGRESS	AWS::EC2::InternetGateway	InternetGateway	
12:43:37 UTC-0600	CREATE_IN_PROGRESS	AWS::SQS::Queue	SwarmSQS	Resource creation Initiated
12:43:37 UTC-0600	CREATE_IN_PROGRESS	AWS::SQS::Queue	SwarmSQSCleanup	Resource creation Initiated
12:43:37 UTC-0600	CREATE_IN_PROGRESS	AWS::IAM::Role	ProxyRole	
12:43:36 UTC-0600	CREATE_IN_PROGRESS	AWS::EC2::VPC	Vpc	
12:43:36 UTC-0600	CREATE_IN_PROGRESS	AWS::SQS::Queue	SwarmSQS	
12:43:36 UTC-0600	CREATE_IN_PROGRESS	AWS::SQS::Queue	SwarmSQSCleanup	
12:43:31 UTC-0600	CREATE_IN_PROGRESS	AWS::CloudFormation::Stack	Docker-Staging	User Initiated

It seems probable that this is causing the rest of the failures.

It is far too common for AWS to have no instances of the requested type available in an availability zone. Docker’s CloudFormation template always asks for the first two zones in the list of available zones from the region in which you deploy. If one of those zones does not have available EC2 instances matching your type, you get this error.

Just a while ago I had to modify the Docker CloudFormation template and replace the selection of the first two zones with some input parameters, so I could choose the AZs where the images would be created. I was able to choose us-east-1c and us-east-1d and everything worked fine.

It is not difficult to make this change to the template. But you have to do it again when Docker releases a new template unless they build this into a future version.

Best regards,
-Don

Changing the availability zone selection from the first two to the first and third resolved the issue. It would be great to add a prompt for the user to select availability zones based on the region in the next template update.

Yes indeed, and this is pretty easy to do. I did just that, in fact. I find that in us-east-1 the first two AZs (a and b) are quite frequently full. Probably because people tend to select the AZs from the beginning of the list.

Add two parameters to the parameters section of the template:

  "Subnet1Zone" : {
      "Description" : "First AZ, for the first subnet",
      "Type" : "String"
  },
  "Subnet2Zone" : {
      "Description" : "Second AZ, for the second subnet",
      "Type" : "String"
  }

Then change the two places where the Subnets are chosen from:

"AvailabilityZone": {
  "Fn::Select": [
    "0",
    {
      "Fn::GetAZs": {
        "Ref": "AWS::Region"
      }
    }
  ]
},

to:

"AvailabilityZone": {
  "Ref": "Subnet1Zone"
},

Make sure to get both AvailabilityZones, one for each subnet.

The bad part about making this change is that you will have to do it again with the next template released. I personally prefer to have separate templates: 1 for the VPC and networking, 1 for security, and 1 for the application resources such as EC2 Instances, ELBs, ASGs, SQS, etc.
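
A way to reapply the edit described in the post above to each new template release, as an added example that is not part of the original thread or of Docker's tooling: it rewrites every `AvailabilityZone` that picks by position from `Fn::GetAZs` into a `Ref` to a `SubnetNZone` parameter, which generalizes the two-subnet change to any number of subnets. The sample template is constructed; only the logical IDs are taken from the event list, and the function names are hypothetical.

```python
import copy
import json


def getazs_select_index(value):
    """Return i if value is {"Fn::Select": [i, {"Fn::GetAZs": ...}]}, else None."""
    if not isinstance(value, dict) or list(value) != ["Fn::Select"]:
        return None
    args = value["Fn::Select"]
    if (isinstance(args, list) and len(args) == 2
            and isinstance(args[1], dict) and "Fn::GetAZs" in args[1]):
        try:
            return int(args[0])  # the template writes the index as a string, e.g. "0"
        except (TypeError, ValueError):
            return None
    return None


def parameterize_azs(template):
    """Return (patched_copy, changes); the input template is left unmodified."""
    patched = copy.deepcopy(template)
    params = patched.setdefault("Parameters", {})
    changes = []
    for logical_id, resource in patched.get("Resources", {}).items():
        props = resource.get("Properties", {})
        index = getazs_select_index(props.get("AvailabilityZone"))
        if index is None:
            continue  # no AZ property, or one that is already explicit
        name = f"Subnet{index + 1}Zone"  # "0" -> Subnet1Zone, as in the post
        props["AvailabilityZone"] = {"Ref": name}
        params.setdefault(name, {"Description": f"AZ for subnet {index + 1}",
                                 "Type": "String"})
        changes.append((logical_id, name))
    return patched, changes


def _subnet(index, cidr):
    """Build a constructed subnet resource that selects its AZ by position."""
    pick = {"Fn::Select": [str(index), {"Fn::GetAZs": {"Ref": "AWS::Region"}}]}
    return {"Type": "AWS::EC2::Subnet",
            "Properties": {"VpcId": {"Ref": "Vpc"}, "CidrBlock": cidr,
                           "AvailabilityZone": pick}}


# Constructed sample: CIDR blocks are illustrative, not from the real template.
SAMPLE = {"Resources": {
    "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "PubSubnetAz1": _subnet(0, "10.0.0.0/24"),
    "PubSubnetAz2": _subnet(1, "10.0.1.0/24"),
}}

if __name__ == "__main__":
    patched, changes = parameterize_azs(SAMPLE)
    print(json.dumps(patched["Parameters"], indent=2), changes)
```

The parameter `Type` is kept as `String` to match the post; CloudFormation also offers the `AWS::EC2::AvailabilityZone::Name` parameter type, which makes the console present a list of zones for the selected region.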

Great article, and of big help. I was able to update my own parameters for the Northern California region to only use us-west-1a and us-west-1c (us-west-1b was throwing the error mentioned above).

Unfortunately, the template as it is today requires 3 subnets in unique availability zones. This means I must have 3 unique AZs. Am abandoning using Northern California as a result, and will see if I can manage to get 2 AZs in other regions. If anyone has an idea (something I have missed?), please let me know!