EFS mount on ECS Fargate - Read/write permissions denied for non root user
Unable to mount EFS to ECS on fargate
Trying to mount EFS to ECS Fargate, but getting the following error when the task runs. It looks like an IAM problem, but I have cross-checked all the roles and cannot pin down the issue. I also checked the security groups: I allowed port 2049 and attached the ecs security group to it.
"ResourceInitializationError: failed to invoke EFS utils commands to set up EFS volumes: stderr: b'mount.nfs4: access denied by server while mounting 127.0.0.1:/' : unsuccessful EFS utils command execution; code: 32"
Terraform 0.12 and Fargate 1.4.0
resource "aws_efs_file_system" "efs" {
  creation_token   = "${var.prefix}-${var.appName}-ecs"
  encrypted        = true
  kms_key_id       = data.aws_kms_key.efs_kms_key.arn
  performance_mode = var.performance_mode
  throughput_mode  = var.throughput_mode
  tags             = var.tags
}

resource "aws_efs_mount_target" "efs_mount" {
  count           = length(module.vpc_presets.subnet_ids)
  file_system_id  = aws_efs_file_system.efs.id
  subnet_id       = flatten(module.vpc_presets.subnet_ids)[count.index]
  security_groups = data.terraform_remote_state.remote_state_sg.outputs.efs_sg
}

resource "aws_efs_access_point" "this" {
  file_system_id = aws_efs_file_system.efs.id
}

data "template_file" "jenkins_container_def" {
  template = file("${path.module}/templates/jenkins.json.tpl")
  vars = {
    name                    = "${var.prefix}-${var.appName}-${var.env}"
    jenkins_controller_port = var.jenkins_port
    jnlp_port               = var.jnlp_port
    source_volume           = "${var.appName}-efs"
    jenkins_home            = "/var/jenkins_home"
    container_image         = var.image
    region                  = var.deployment_region
    account_id              = var.account
    log_group               = data.terraform_remote_state.remote_state_ecs.outputs.logs_name
    memory                  = var.jenkins_memory
    cpu                     = var.jenkins_cpu
  }
}

resource "aws_ecs_task_definition" "jenkins_controller" {
  family                   = var.appName
  task_role_arn            = data.terraform_remote_state.remote_state_iam.outputs.master_task_arn
  execution_role_arn       = data.terraform_remote_state.remote_state_iam.outputs.jenkins_execution_arn
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = var.jenkins_cpu
  memory                   = var.jenkins_memory
  container_definitions    = data.template_file.jenkins_container_def.rendered

  volume {
    name = "${var.appName}-efs"
    efs_volume_configuration {
      file_system_id     = data.terraform_remote_state.remote_state_efs.outputs.efs_fs_id
      transit_encryption = "ENABLED"
      authorization_config {
        access_point_id = flatten(data.terraform_remote_state.remote_state_efs.outputs.efs_access_point_id)[0]
        iam             = "ENABLED"
      }
    }
  }

  tags = var.tags
}

resource "aws_ecs_service" "jenkins_controller" {
  name             = "${var.prefix}-${var.appName}-controller-service"
  task_definition  = aws_ecs_task_definition.jenkins_controller.arn
  cluster          = data.terraform_remote_state.remote_state_ecs.outputs.ecs_cluster_id
  desired_count    = 1
  launch_type      = "FARGATE"
  platform_version = "1.4.0"

  // Assuming we cannot have more than one instance at a time. Ever.
  deployment_maximum_percent         = 100
  deployment_minimum_healthy_percent = 0

  service_registries {
    registry_arn = aws_service_discovery_service.controller.arn
  }

  load_balancer {
    target_group_arn = data.terraform_remote_state.remote_state_alb.outputs.tg_arn
    container_name   = "${var.prefix}-${var.appName}"
    container_port   = 8080
  }

  network_configuration {
    subnets          = flatten([module.vpc_presets.subnet_ids])
    security_groups  = data.terraform_remote_state.remote_state_sg.outputs.ecs_sg
    assign_public_ip = false
  }

  tags = var.tags
}
I had a related problem because the directory had not been created yet; root_directory has an attribute that lets the directory be created with the appropriate permissions.
In the example I use root, but you can set another gid.

resource "aws_efs_access_point" "this" {
  file_system_id = aws_efs_file_system.efs.id

  root_directory {
    path = "/desired-directory"
    creation_info {
      owner_gid   = 0
      owner_uid   = 0
      permissions = "755"
    }
  }
}
This was an IAM policy issue. The problem was resolved after changing the policy.
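The two answers above point at the same pair of requirements: with `transit_encryption` and `iam` both `ENABLED` in the task definition, the EFS server rejects the mount unless the task role is allowed to mount through the access point, and a non-root container user can only write if the access point enforces a POSIX identity that owns the directory. The following is an added example, not code from the question or either answer; the resource names, the `var.jenkins_task_role_name` variable and uid/gid 1000 (the default user of the official Jenkins image) are assumptions.

```hcl
# Access point that pins every client to one non-root POSIX identity and
# creates the root directory with that owner on first use (assumed names).
resource "aws_efs_access_point" "jenkins" {
  file_system_id = aws_efs_file_system.efs.id

  posix_user {
    uid = 1000
    gid = 1000
  }

  root_directory {
    path = "/jenkins_home"
    creation_info {
      owner_uid   = 1000
      owner_gid   = 1000
      permissions = "750"
    }
  }
}

# Least-privilege task-role policy: mount and write are allowed only when
# the request comes through this access point. Attach it to the role passed
# as task_role_arn (the role name is an assumed input variable here).
resource "aws_iam_role_policy" "jenkins_efs" {
  name = "jenkins-efs-access"
  role = var.jenkins_task_role_name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = [
        "elasticfilesystem:ClientMount",
        "elasticfilesystem:ClientWrite",
      ]
      Resource = aws_efs_file_system.efs.arn
      Condition = {
        StringEquals = {
          "elasticfilesystem:AccessPointArn" = aws_efs_access_point.jenkins.arn
        }
      }
    }]
  })
}
```

If the mount still fails with "access denied by server", the remaining suspects are the file system policy on the EFS side and the execution role, not the container user.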
This worked for me!
Programmatically delete the old file system and recreate the file system:

export AWS_EFS_FILESYSTEM_ID=$( \
  aws efs create-file-system \
    --creation-token hello-world-efs \
    --no-encrypt \
    --throughput-mode bursting \
    --performance-mode generalPurpose \
    --region us-west-2 \
  | jq --raw-output ".FileSystemId"
)

Create the mount targets:

aws efs create-mount-target \
  --file-system-id ${AWS_EFS_FILESYSTEM_ID} \
  --security-groups ${AWS_EC2_SECURITY_GROUP} \
  --subnet-id ${AWS_SUBNET_ID_1}

aws efs create-mount-target \
  --file-system-id ${AWS_EFS_FILESYSTEM_ID} \
  --security-groups ${AWS_EC2_SECURITY_GROUP} \
  --subnet-id ${AWS_SUBNET_ID_2}