ECS实例无法挂载EFS

Can't mount EFS in the ECS instance

我的 cloudformation 模板的 configurationConfig 资源中有这个 UserData:

"UserData":{  "Fn::Base64" : {
            "Fn::Join" : ["", [
              "#!/bin/bash -xv\n",
              "yum -y update\n",
              "yum -y install aws-cfn-bootstrap\n",
              "yum -y install awslogs jq\n",
              "#Install NFS client\n",
              "yum -y install nfs-utils\n",
              "#Install pip\n",
              "yum -y install python27 python27-pip\n",
              "#Install awscli\n",
              "pip install awscli\n",
              "#Upgrade to the latest version of the awscli\n",
              "#pip install --upgrade awscli\n",
              "#Add support for EFS to the CLI configuration\n",
              "aws configure set preview.efs true\n",
              "#Get region of EC2 from instance metadata\n",
              "EC2_AVAIL_ZONE=`curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone`\n",
              "EC2_REGION=",{ "Ref": "AWS::Region"} ,"\n",
              "mkdir /efs-tmp/\n",
              "chown -R ec2-user:ec2-user /efs-tmp/\n",
              "DIR_SRC=$EC2_AVAIL_ZONE.",{ "Fn::FindInMap" : [ "FileSystemMap", {"Ref" : "EnvParam"}, "FileSystemID"] },".efs.$EC2_REGION.amazonaws.com\n",
              "DIR_TGT=/efs-tmp/\n",
              "touch /home/ec2-user/echo.res\n",
              "echo ",{ "Fn::FindInMap" : [ "FileSystemMap", {"Ref" : "EnvParam"}, "FileSystemID"] }," >> /home/ec2-user/echo.res\n",
              "echo $EC2_AVAIL_ZONE >> /home/ec2-user/echo.res\n",
              "echo $EC2_REGION >> /home/ec2-user/echo.res\n",
              "echo $DIR_SRC >> /home/ec2-user/echo.res\n",
              "echo $DIR_TGT >> /home/ec2-user/echo.res\n",
              "#Mount EFS file system\n",
              "mount -t nfs4 -o vers=4.1 $DIR_SRC:/ $DIR_TGT >> /home/ec2-user/echo.res\n",
              "#Backup fstab\n",
              "cp -p /etc/fstab /etc/fstab.back-$(date +%F)\n",
              "echo -e \"$DIR_SRC:/ $DIR_TGT nfs4 nfsvers=4.1 0 0 | tee -a /etc/fstab\n",
                      "docker ps\n",
              "service docker stop\n",
              "service docker start\n",
              "/opt/aws/bin/cfn-init -v",
              "         --stack ", { "Ref": "AWS::StackName" },
              "         --resource ContainerInstances",
              "         --region ", { "Ref" : "AWS::Region" },"\n",
              "service awslogs start\n",
              "chkconfig awslogs on\n"
            ]]}

这里是ECS容器的安全组:

  "EcsSecurityGroup":{
    "Type" : "AWS::EC2::SecurityGroup",
    "Properties" : {
      "GroupDescription" : "ECS SecurityGroup",
      "SecurityGroupIngress" : [
        {
          "IpProtocol" : "tcp",
          "FromPort" : "2049",
          "ToPort" : "2049",
          "CidrIp" : {"Ref" : "CIDRVPC"}
        },
        {
          "IpProtocol" : "tcp",
          "FromPort" : "22",
          "ToPort" : "22",
          "CidrIp" : "0.0.0.0/0"
        }
      ],
      "SecurityGroupEgress" :  [
        {
          "IpProtocol" : "-1",
          "FromPort" : "-1",
          "ToPort" : "-1",
          "CidrIp" : "0.0.0.0/0"
        }
      ],
      "VpcId":{ "Ref":"VpcId" }
    }
  },

在 运行 模板之后,我 ssh 进入实例,等待 userdata 完成执行,然后我在 /var/log/cloud-init-ouptut.log 中发现了这个错误:

mount.nfs4: Connection timed out

此外,/etc/fstab 文件不包含挂载行。 而且我无法访问文件系统,因为为 EFS 创建的文件夹是空的..

请问问题出在哪里?

  1. 您脚本中的这一行有错别字(缺少结尾 \"),导致尝试写入 /etc/fstab 失败:

    echo -e \"$DIR_SRC:/ $DIR_TGT nfs4 nfsvers=4.1 0 0 | tee -a /etc/fstab\n",
    

    这应该是:

    echo -e \"$DIR_SRC:/ $DIR_TGT nfs4 nfsvers=4.1 0 0\" | tee -a /etc/fstab\n",
    
  2. 您需要确保 AWS::EFS::MountTarget resource exists in the availability zone specified. Otherwise, the attempt to mount the filesystem using the DNS name will fail to resolve correctly. See Mounting File Systems and AWS::EFS::FileSystem 以获得进一步的文档。

确保您创建了 EFS 安全组并在入口规则中允许您的 ec2 安全:

 "EfsSecurityGroup": {
        "Properties": {
            "GroupDescription": "EFS security group",
            "SecurityGroupIngress": [
                {
                    "FromPort": 2049,
                    "IpProtocol": "tcp",
                    "SourceSecurityGroupId": {
                        "Ref": "YOUR_EC2_SECURITY_GROUP"
                    },
                    "ToPort": 2049
                },
            ],
            "Tags": [
                {
                    "Key": "Application",
                    "Value": {
                        "Ref": "AWS::StackName"
                    }
                },
                {
                    "Key": "Name",
                    "Value": "efs-sg"
                }
            ],
            "VpcId": {
                "Ref": "YOUR_VPC_ID"
            }
        },
        "Type": "AWS::EC2::SecurityGroup"
    }

确保 EFS mountarget 存在:

"EFSMountTargetYourAZ": {
        "Properties": {
            "FileSystemId": "EFS_id",
            "SecurityGroups": [
                {
                    "Ref": "EFS_SECURITY_GROUP"
                }
            ],
            "SubnetId": {
                "Ref": "SUBNET_ID"
            }
        },
        "Type": "AWS::EFS::MountTarget"
    },