从 Fargate ECS 任务访问 EFS 文件系统 - 没有任何类型的错误消息就无法工作
[英]Accessing EFS file system from Fargate ECS task - Not working without any kind of error message
问题描述
I tried to connect an EFS file system to an ECS Fargate Task, based on the examples in the documentation.
我尝试根据文档中的示例将 EFS 文件系统连接到 ECS Fargate 任务。 I cannot write to the volume (sadly I cannot change the container in a way to report if it can write from there)我无法写入该卷(遗憾的是我无法以某种方式更改容器以报告它是否可以从那里写入)
The task is provisioned without any error, but the starting container cannot write into the mounted volume.任务配置没有任何错误,但启动容器无法写入已安装的卷。
In contrast to some other questions here, I do NOT get any error message from AWS.与此处的其他一些问题相比,我没有从 AWS 收到任何错误消息。 Just the container reporting an AccessDeniedException.只是报告 AccessDeniedException 的容器。
I am running out of ideas how to troubleshoot this.我想不出如何解决这个问题。
- Both EFS and the ECS task run within the same security group EFS 和 ECS 任务都在同一个安全组中运行
- The security group has an inbound rule allowing traffic between all nodes in the group安全组有一个入站规则允许组中所有节点之间的流量
- Another inbound rule for NFS has been added explicitly just in case为了以防万一,已明确添加 NFS 的另一个入站规则
- I tried anonymous access as well as access point IAM role-based access我尝试了匿名访问以及访问点 IAM 基于角色的访问
- I tried a file system policy granting mount and read to anyone as well as the IAM role from above我尝试了一个文件系统策略,从上面授予任何人挂载和读取以及 IAM 角色
Whatever I change in the configuration, the behaviour stays the same.无论我更改配置,行为都保持不变。 When I add erros to the filesystem ID or access point ID those are catched however, so the console thinks the configuration is fine.但是,当我将错误添加到文件系统 ID 或访问点 ID 时,这些错误会被捕获,因此控制台认为配置没有问题。
I can see client connects for the file system in CloudWatch, however I do not see if those are successful or not.我可以在 CloudWatch 中看到文件系统的客户端连接,但是我看不到这些连接是否成功。 Does that mean networking is fine, but access permissions are wrong?这是否意味着网络很好,但访问权限是错误的?
Task config:任务配置:
"mountPoints": [
{
"sourceVolume": "controlserver-files",
"containerPath": "/application/files",
"readOnly": false
}
],
"volumes": [
{
"name": "controlserver-files",
"efsVolumeConfiguration": {
"fileSystemId": "fs-99999999999",
"rootDirectory": "/",
"transitEncryption": "ENABLED"
}
}
],
File system policy:文件系统策略:
{
"Sid": "efs-statement-08270b77-b8c4-4788-b12a-7226fbcc0e21",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"elasticfilesystem:ClientRootAccess",
"elasticfilesystem:ClientWrite",
"elasticfilesystem:ClientMount"
],
"Resource": "arn:aws:elasticfilesystem:eu-central-1:977555550711:file-system/fs-02bab7777777774"
}
1 个解决方案
解决方案1
0 2022-12-19 21:38:03
Did you have a look on permissions on the EFS volume itself?您是否查看了 EFS 卷本身的权限? There is this useful blog post: https://aws.amazon.com/blogs/containers/developers-guide-to-using-amazon-efs-with-amazon-ecs-and-aws-fargate-part-2/有这篇有用的博客文章: https ://aws.amazon.com/blogs/containers/developers-guide-to-using-amazon-efs-with-amazon-ecs-and-aws-fargate-part-2/
I would first start by mounting EFS to ie your local machine or an EC2 instance and check the permissions on the root folder.我会首先将 EFS 安装到您的本地计算机或 EC2 实例,然后检查根文件夹的权限。 For testing, you may set the permissions to 777 so that anyone, any UID, can read and write there.为了测试,您可以将权限设置为 777,这样任何人、任何 UID 都可以在那里读写。
$ sudo chmod 777 /EFSroot
If this works, I would go and be less permissive.如果这行得通,我会去而不那么宽容。 You may check this doc on permissions for NFS: https://docs.aws.amazon.com/efs/latest/ug/accessing-fs-nfs-permissions.html您可以查看有关 NFS 权限的文档: https ://docs.aws.amazon.com/efs/latest/ug/accessing-fs-nfs-permissions.html
Feel free to share the results.随时分享结果。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.