Attach Volume EFS in ECS
When I try to mount an EFS file system with ECS, I get the following error:
ResourceInitializationError: failed to invoke EFS utils commands to set up EFS volumes: stderr: mount.nfs4: Connection reset by peer : unsuccessful EFS utils command execution; code: 32
My stack:
---
AWSTemplateFormatVersion: "2010-09-09"
Description: "Template Test"
Outputs:
  FileSystemID:
    Description: "File system ID"
    Value:
      Ref: FileSystem
Parameters:
  VolumeName:
    Default: myEFSvolume
    Description: "The name to be used for the EFS volume"
    MinLength: "1"
    Type: String
Resources:
  ECSCluster:
    Properties:
      ClusterName: jenkins-cluster
    Type: "AWS::ECS::Cluster"
  EFSMountTarget1:
    Properties:
      FileSystemId:
        Ref: FileSystem
      # Same security group as the tasks; it still needs an inbound TCP 2049 rule
      SecurityGroups:
        - "sg-0082cea75ba714505"
      SubnetId: "subnet-0f0b0d3aaada62b6c"
    Type: "AWS::EFS::MountTarget"
  FileSystem:
    Properties:
      Encrypted: true
      FileSystemTags:
        - Key: Name
          Value:
            Ref: VolumeName
      PerformanceMode: generalPurpose
    Type: "AWS::EFS::FileSystem"
  JenkinsService:
    Type: "AWS::ECS::Service"
    # Do not start tasks before the mount target exists, or the mount fails
    DependsOn: EFSMountTarget1
    Properties:
      Cluster:
        Ref: ECSCluster
      DesiredCount: 2
      LaunchType: FARGATE
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED
          SecurityGroups:
            - "sg-0082cea75ba714505"
          Subnets:
            - "subnet-0f0b0d3aaada62b6c"
      # EFS volumes on Fargate need platform version 1.4.0 or later
      PlatformVersion: "1.4.0"
      ServiceName: JenkinsService
      TaskDefinition:
        Ref: JenkinsTaskDef
  JenkinsTaskDef:
    Type: "AWS::ECS::TaskDefinition"
    Properties:
      Cpu: 2048
      Memory: 4096
      Family: efs-example-task-fargate
      NetworkMode: awsvpc
      TaskRoleArn: "arn:xxxxx/ecs"
      ExecutionRoleArn: "arn:xxxxxx:role/ecs"
      RequiresCompatibilities:
        - FARGATE
      # CloudFormation property names are PascalCase (Image, MountPoints, Volumes, ...)
      ContainerDefinitions:
        - Cpu: 1024
          Memory: 2048
          PortMappings:
            - HostPort: 8080
              ContainerPort: 8080
            - HostPort: 50000
              ContainerPort: 50000
          Image: "xxxxxxx.dkr.ecr.us-east-1.amazonaws.com/sample:latest"
          MountPoints:
            - ContainerPath: /var/jenkins_home
              ReadOnly: false
              SourceVolume: myEfsVolume
          Name: jenkins
      Volumes:
        - Name: myEfsVolume
          EFSVolumeConfiguration:
            FilesystemId:
              Ref: FileSystem
            # Directory inside the EFS file system that is exposed as the volume root
            RootDirectory: /var/jenkins_home
            TransitEncryption: ENABLED
I am following the documentation:
https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_EFSVolumeConfiguration.html
You need to open port 2049 inbound on the security group of the network interface and of the task definition. Even if you set it to create the security group for you, it will not be set up automatically.
It has been a while now, but I ran into the same problem and found it a bit confusing to understand how to proceed. When you create the EFS volume, you choose a VPC and one security group per subnet.
You need to go and edit this security group to add an inbound rule of type NFS (TCP port 2049) that allows access to the security group identifier of the ECS cluster service you want to grant access. To do this, just select Custom in the source field, then type the service's security group identifier in the text box.
For more information, this article describes the whole process.
If IAM authorization was enabled when the task definition was associated with the volume, you also need to update its task execution role: attach to it the policy required to access EFS.
Mounting EFS in AWS Fargate requires the following:
- Add port 2049 to the EFS security group from the application layer (in this case the container's SG)
- Update the ECS Fargate task execution role with a policy that can mount and write to EFS
- The NACL of the EFS subnet has outbound on port 2049
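The same fixes the answers above describe (the inbound TCP 2049 rule from the task security group in the first two answers, and the security group, IAM and encryption items of the last one), written as one CloudFormation template in the style of the question. This is an added example, not code from the question or from any answer. The resource names TaskSecurityGroup, EfsSecurityGroup, EfsIngressFromTasks, EfsTaskRole, the VpcId and SubnetId parameters and the jenkins/jenkins:lts image are hypothetical stand-ins. One caveat against the wording of the answers: the ECS API reference for EFSAuthorizationConfig states that the `iam` setting mounts the file system using the task IAM role, so the ClientMount/ClientWrite permissions below are attached to the task role rather than the task execution role.

```yaml
# Added example, not the original poster's template. Names below are hypothetical.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetId:
    Type: AWS::EC2::Subnet::Id
Resources:
  FileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      Encrypted: true
      # File system policy: refuse any NFS client that is not talking TLS
      # (efs-utils wraps the mount in stunnel when TransitEncryption is ENABLED).
      FileSystemPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Principal: "*"
            Action: "*"
            Condition:
              Bool:
                aws:SecureTransport: "false"
  # 1. Two security groups: one on the task ENIs, one on the EFS mount target.
  TaskSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Fargate tasks that mount EFS
      VpcId: !Ref VpcId
  EfsSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: EFS mount targets
      VpcId: !Ref VpcId
  # The mount target accepts NFS (TCP 2049) only from the task security group,
  # not from a CIDR. This is the rule whose absence produces "Connection reset by peer".
  EfsIngressFromTasks:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref EfsSecurityGroup
      IpProtocol: tcp
      FromPort: 2049
      ToPort: 2049
      SourceSecurityGroupId: !Ref TaskSecurityGroup
  EfsMountTarget:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref FileSystem
      SubnetId: !Ref SubnetId
      SecurityGroups:
        - !Ref EfsSecurityGroup
  # 2. IAM: with AuthorizationConfig.IAM ENABLED, ECS mounts with the task role,
  #    so the EFS client permissions go on the task role, scoped to this file system.
  EfsTaskRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: efs-client
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - elasticfilesystem:ClientMount
                  - elasticfilesystem:ClientWrite
                Resource: !GetAtt FileSystem.Arn
  # 3. Task definition: TLS in transit plus IAM authorization on the volume.
  JenkinsTaskDef:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: efs-example-task-fargate
      NetworkMode: awsvpc
      RequiresCompatibilities: [FARGATE]
      Cpu: "1024"
      Memory: "2048"
      TaskRoleArn: !GetAtt EfsTaskRole.Arn
      ContainerDefinitions:
        - Name: jenkins
          Image: jenkins/jenkins:lts   # placeholder image, replace with your own
          MountPoints:
            - SourceVolume: myEfsVolume
              ContainerPath: /var/jenkins_home
      Volumes:
        - Name: myEfsVolume
          EFSVolumeConfiguration:
            FilesystemId: !Ref FileSystem
            RootDirectory: /
            TransitEncryption: ENABLED
            AuthorizationConfig:
              IAM: ENABLED
```

A service that uses JenkinsTaskDef should declare `DependsOn: EfsMountTarget` and attach TaskSecurityGroup to its ENIs, otherwise tasks can be placed before the mount target is reachable. If TaskSecurityGroup restricts egress (the default rule allows all outbound traffic), it also needs an outbound TCP 2049 rule towards EfsSecurityGroup. Network ACLs, unlike security groups, are stateless: with custom NACLs the task subnet needs outbound 2049 and inbound ephemeral ports for the replies, and the EFS subnet the mirror image; the default NACL allows everything, which is why the third answer's NACL item only matters once you have tightened it.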