ECS实例无法挂载EFS
Can't mount EFS in the ECS instance
我的 cloudformation 模板的 configurationConfig
资源中有这个 UserData:
"UserData":{ "Fn::Base64" : {
"Fn::Join" : ["", [
"#!/bin/bash -xv\n",
"yum -y update\n",
"yum -y install aws-cfn-bootstrap\n",
"yum -y install awslogs jq\n",
"#Install NFS client\n",
"yum -y install nfs-utils\n",
"#Install pip\n",
"yum -y install python27 python27-pip\n",
"#Install awscli\n",
"pip install awscli\n",
"#Upgrade to the latest version of the awscli\n",
"#pip install --upgrade awscli\n",
"#Add support for EFS to the CLI configuration\n",
"aws configure set preview.efs true\n",
"#Get region of EC2 from instance metadata\n",
"EC2_AVAIL_ZONE=`curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone`\n",
"EC2_REGION=",{ "Ref": "AWS::Region"} ,"\n",
"mkdir /efs-tmp/\n",
"chown -R ec2-user:ec2-user /efs-tmp/\n",
"DIR_SRC=$EC2_AVAIL_ZONE.",{ "Fn::FindInMap" : [ "FileSystemMap", {"Ref" : "EnvParam"}, "FileSystemID"] },".efs.$EC2_REGION.amazonaws.com\n",
"DIR_TGT=/efs-tmp/\n",
"touch /home/ec2-user/echo.res\n",
"echo ",{ "Fn::FindInMap" : [ "FileSystemMap", {"Ref" : "EnvParam"}, "FileSystemID"] }," >> /home/ec2-user/echo.res\n",
"echo $EC2_AVAIL_ZONE >> /home/ec2-user/echo.res\n",
"echo $EC2_REGION >> /home/ec2-user/echo.res\n",
"echo $DIR_SRC >> /home/ec2-user/echo.res\n",
"echo $DIR_TGT >> /home/ec2-user/echo.res\n",
"#Mount EFS file system\n",
"mount -t nfs4 -o vers=4.1 $DIR_SRC:/ $DIR_TGT >> /home/ec2-user/echo.res\n",
"#Backup fstab\n",
"cp -p /etc/fstab /etc/fstab.back-$(date +%F)\n",
"echo -e \"$DIR_SRC:/ $DIR_TGT nfs4 nfsvers=4.1 0 0 | tee -a /etc/fstab\n",
"docker ps\n",
"service docker stop\n",
"service docker start\n",
"/opt/aws/bin/cfn-init -v",
" --stack ", { "Ref": "AWS::StackName" },
" --resource ContainerInstances",
" --region ", { "Ref" : "AWS::Region" },"\n",
"service awslogs start\n",
"chkconfig awslogs on\n"
]]}
这里是ECS容器的安全组:
"EcsSecurityGroup":{
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "ECS SecurityGroup",
"SecurityGroupIngress" : [
{
"IpProtocol" : "tcp",
"FromPort" : "2049",
"ToPort" : "2049",
"CidrIp" : {"Ref" : "CIDRVPC"}
},
{
"IpProtocol" : "tcp",
"FromPort" : "22",
"ToPort" : "22",
"CidrIp" : "0.0.0.0/0"
}
],
"SecurityGroupEgress" : [
{
"IpProtocol" : "-1",
"FromPort" : "-1",
"ToPort" : "-1",
"CidrIp" : "0.0.0.0/0"
}
],
"VpcId":{ "Ref":"VpcId" }
}
},
在 运行 模板之后,我 ssh 进入实例,等待 userdata
完成执行,然后我在 /var/log/cloud-init-ouptut.log
中发现了这个错误:
mount.nfs4: Connection timed out
此外,/etc/fstab
文件不包含挂载行。
而且我无法访问文件系统,因为为 EFS 创建的文件夹是空的..
请问问题出在哪里?
您脚本中的这一行有错别字(缺少结尾 \"
),导致尝试写入 /etc/fstab
失败:
echo -e \"$DIR_SRC:/ $DIR_TGT nfs4 nfsvers=4.1 0 0 | tee -a /etc/fstab\n",
这应该是:
echo -e \"$DIR_SRC:/ $DIR_TGT nfs4 nfsvers=4.1 0 0\" | tee -a /etc/fstab\n",
您需要确保 AWS::EFS::MountTarget
resource exists in the availability zone specified. Otherwise, the attempt to mount the filesystem using the DNS name will fail to resolve correctly. See Mounting File Systems and AWS::EFS::FileSystem
以获得进一步的文档。
确保您创建了 EFS 安全组并在入口规则中允许您的 ec2 安全:
"EfsSecurityGroup": {
"Properties": {
"GroupDescription": "EFS security group",
"SecurityGroupIngress": [
{
"FromPort": 2049,
"IpProtocol": "tcp",
"SourceSecurityGroupId": {
"Ref": "YOUR_EC2_SECURITY_GROUP"
},
"ToPort": 2049
},
],
"Tags": [
{
"Key": "Application",
"Value": {
"Ref": "AWS::StackName"
}
},
{
"Key": "Name",
"Value": "efs-sg"
}
],
"VpcId": {
"Ref": "YOUR_VPC_ID"
}
},
"Type": "AWS::EC2::SecurityGroup"
}
确保 EFS mountarget 存在:
"EFSMountTargetYourAZ": {
"Properties": {
"FileSystemId": "EFS_id",
"SecurityGroups": [
{
"Ref": "EFS_SECURITY_GROUP"
}
],
"SubnetId": {
"Ref": "SUBNET_ID"
}
},
"Type": "AWS::EFS::MountTarget"
},
我的 cloudformation 模板的 configurationConfig
资源中有这个 UserData:
"UserData":{ "Fn::Base64" : {
"Fn::Join" : ["", [
"#!/bin/bash -xv\n",
"yum -y update\n",
"yum -y install aws-cfn-bootstrap\n",
"yum -y install awslogs jq\n",
"#Install NFS client\n",
"yum -y install nfs-utils\n",
"#Install pip\n",
"yum -y install python27 python27-pip\n",
"#Install awscli\n",
"pip install awscli\n",
"#Upgrade to the latest version of the awscli\n",
"#pip install --upgrade awscli\n",
"#Add support for EFS to the CLI configuration\n",
"aws configure set preview.efs true\n",
"#Get region of EC2 from instance metadata\n",
"EC2_AVAIL_ZONE=`curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone`\n",
"EC2_REGION=",{ "Ref": "AWS::Region"} ,"\n",
"mkdir /efs-tmp/\n",
"chown -R ec2-user:ec2-user /efs-tmp/\n",
"DIR_SRC=$EC2_AVAIL_ZONE.",{ "Fn::FindInMap" : [ "FileSystemMap", {"Ref" : "EnvParam"}, "FileSystemID"] },".efs.$EC2_REGION.amazonaws.com\n",
"DIR_TGT=/efs-tmp/\n",
"touch /home/ec2-user/echo.res\n",
"echo ",{ "Fn::FindInMap" : [ "FileSystemMap", {"Ref" : "EnvParam"}, "FileSystemID"] }," >> /home/ec2-user/echo.res\n",
"echo $EC2_AVAIL_ZONE >> /home/ec2-user/echo.res\n",
"echo $EC2_REGION >> /home/ec2-user/echo.res\n",
"echo $DIR_SRC >> /home/ec2-user/echo.res\n",
"echo $DIR_TGT >> /home/ec2-user/echo.res\n",
"#Mount EFS file system\n",
"mount -t nfs4 -o vers=4.1 $DIR_SRC:/ $DIR_TGT >> /home/ec2-user/echo.res\n",
"#Backup fstab\n",
"cp -p /etc/fstab /etc/fstab.back-$(date +%F)\n",
"echo -e \"$DIR_SRC:/ $DIR_TGT nfs4 nfsvers=4.1 0 0 | tee -a /etc/fstab\n",
"docker ps\n",
"service docker stop\n",
"service docker start\n",
"/opt/aws/bin/cfn-init -v",
" --stack ", { "Ref": "AWS::StackName" },
" --resource ContainerInstances",
" --region ", { "Ref" : "AWS::Region" },"\n",
"service awslogs start\n",
"chkconfig awslogs on\n"
]]}
这里是ECS容器的安全组:
"EcsSecurityGroup":{
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "ECS SecurityGroup",
"SecurityGroupIngress" : [
{
"IpProtocol" : "tcp",
"FromPort" : "2049",
"ToPort" : "2049",
"CidrIp" : {"Ref" : "CIDRVPC"}
},
{
"IpProtocol" : "tcp",
"FromPort" : "22",
"ToPort" : "22",
"CidrIp" : "0.0.0.0/0"
}
],
"SecurityGroupEgress" : [
{
"IpProtocol" : "-1",
"FromPort" : "-1",
"ToPort" : "-1",
"CidrIp" : "0.0.0.0/0"
}
],
"VpcId":{ "Ref":"VpcId" }
}
},
在 运行 模板之后,我 ssh 进入实例,等待 userdata
完成执行,然后我在 /var/log/cloud-init-ouptut.log
中发现了这个错误:
mount.nfs4: Connection timed out
此外,/etc/fstab
文件不包含挂载行。
而且我无法访问文件系统,因为为 EFS 创建的文件夹是空的..
请问问题出在哪里?
您脚本中的这一行有错别字(缺少结尾
\"
),导致尝试写入/etc/fstab
失败:echo -e \"$DIR_SRC:/ $DIR_TGT nfs4 nfsvers=4.1 0 0 | tee -a /etc/fstab\n",
这应该是:
echo -e \"$DIR_SRC:/ $DIR_TGT nfs4 nfsvers=4.1 0 0\" | tee -a /etc/fstab\n",
您需要确保
AWS::EFS::MountTarget
resource exists in the availability zone specified. Otherwise, the attempt to mount the filesystem using the DNS name will fail to resolve correctly. See Mounting File Systems andAWS::EFS::FileSystem
以获得进一步的文档。
确保您创建了 EFS 安全组并在入口规则中允许您的 ec2 安全:
"EfsSecurityGroup": {
"Properties": {
"GroupDescription": "EFS security group",
"SecurityGroupIngress": [
{
"FromPort": 2049,
"IpProtocol": "tcp",
"SourceSecurityGroupId": {
"Ref": "YOUR_EC2_SECURITY_GROUP"
},
"ToPort": 2049
},
],
"Tags": [
{
"Key": "Application",
"Value": {
"Ref": "AWS::StackName"
}
},
{
"Key": "Name",
"Value": "efs-sg"
}
],
"VpcId": {
"Ref": "YOUR_VPC_ID"
}
},
"Type": "AWS::EC2::SecurityGroup"
}
确保 EFS mountarget 存在:
"EFSMountTargetYourAZ": {
"Properties": {
"FileSystemId": "EFS_id",
"SecurityGroups": [
{
"Ref": "EFS_SECURITY_GROUP"
}
],
"SubnetId": {
"Ref": "SUBNET_ID"
}
},
"Type": "AWS::EFS::MountTarget"
},