Json Can';t在ECS实例中挂载EFS
我的cloudformation模板中的Json Can';t在ECS实例中挂载EFS,json,amazon-web-services,amazon-cloudformation,user-data,Json,Amazon Web Services,Amazon Cloudformation,User Data,我的cloudformation模板中的configurationConfig资源中有此用户数据: "UserData":{ "Fn::Base64" : { "Fn::Join" : ["", [ "#!/bin/bash -xv\n", "yum -y update\n", "yum -y install aws-cfn-bootstrap\n", "yu
configurationConfig
资源中有此用户数据:
"UserData":{ "Fn::Base64" : {
"Fn::Join" : ["", [
"#!/bin/bash -xv\n",
"yum -y update\n",
"yum -y install aws-cfn-bootstrap\n",
"yum -y install awslogs jq\n",
"#Install NFS client\n",
"yum -y install nfs-utils\n",
"#Install pip\n",
"yum -y install python27 python27-pip\n",
"#Install awscli\n",
"pip install awscli\n",
"#Upgrade to the latest version of the awscli\n",
"#pip install --upgrade awscli\n",
"#Add support for EFS to the CLI configuration\n",
"aws configure set preview.efs true\n",
"#Get region of EC2 from instance metadata\n",
"EC2_AVAIL_ZONE=`curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone`\n",
"EC2_REGION=",{ "Ref": "AWS::Region"} ,"\n",
"mkdir /efs-tmp/\n",
"chown -R ec2-user:ec2-user /efs-tmp/\n",
"DIR_SRC=$EC2_AVAIL_ZONE.",{ "Fn::FindInMap" : [ "FileSystemMap", {"Ref" : "EnvParam"}, "FileSystemID"] },".efs.$EC2_REGION.amazonaws.com\n",
"DIR_TGT=/efs-tmp/\n",
"touch /home/ec2-user/echo.res\n",
"echo ",{ "Fn::FindInMap" : [ "FileSystemMap", {"Ref" : "EnvParam"}, "FileSystemID"] }," >> /home/ec2-user/echo.res\n",
"echo $EC2_AVAIL_ZONE >> /home/ec2-user/echo.res\n",
"echo $EC2_REGION >> /home/ec2-user/echo.res\n",
"echo $DIR_SRC >> /home/ec2-user/echo.res\n",
"echo $DIR_TGT >> /home/ec2-user/echo.res\n",
"#Mount EFS file system\n",
"mount -t nfs4 -o vers=4.1 $DIR_SRC:/ $DIR_TGT >> /home/ec2-user/echo.res\n",
"#Backup fstab\n",
"cp -p /etc/fstab /etc/fstab.back-$(date +%F)\n",
"echo -e \"$DIR_SRC:/ $DIR_TGT nfs4 nfsvers=4.1 0 0 | tee -a /etc/fstab\n",
"docker ps\n",
"service docker stop\n",
"service docker start\n",
"/opt/aws/bin/cfn-init -v",
" --stack ", { "Ref": "AWS::StackName" },
" --resource ContainerInstances",
" --region ", { "Ref" : "AWS::Region" },"\n",
"service awslogs start\n",
"chkconfig awslogs on\n"
]]}
以下是ECS容器的安全组:
"EcsSecurityGroup":{
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "ECS SecurityGroup",
"SecurityGroupIngress" : [
{
"IpProtocol" : "tcp",
"FromPort" : "2049",
"ToPort" : "2049",
"CidrIp" : {"Ref" : "CIDRVPC"}
},
{
"IpProtocol" : "tcp",
"FromPort" : "22",
"ToPort" : "22",
"CidrIp" : "0.0.0.0/0"
}
],
"SecurityGroupEgress" : [
{
"IpProtocol" : "-1",
"FromPort" : "-1",
"ToPort" : "-1",
"CidrIp" : "0.0.0.0/0"
}
],
"VpcId":{ "Ref":"VpcId" }
}
},
运行模板后,我使用ssh连接到实例中,等待userdata
完成执行,然后在/var/log/cloud init-ouptut.log
中发现以下错误:
mount.nfs4: Connection timed out
此外,/etc/fstab
文件不包含装载线。
我无法访问文件系统,因为为EFS创建的文件夹为空
请告诉我问题出在哪里
\“
),导致尝试写入/etc/fstab
失败:
echo -e \"$DIR_SRC:/ $DIR_TGT nfs4 nfsvers=4.1 0 0 | tee -a /etc/fstab\n",
应改为:
echo -e \"$DIR_SRC:/ $DIR_TGT nfs4 nfsvers=4.1 0 0\" | tee -a /etc/fstab\n",
\“
),导致尝试写入/etc/fstab
失败:
echo -e \"$DIR_SRC:/ $DIR_TGT nfs4 nfsvers=4.1 0 0 | tee -a /etc/fstab\n",
应改为:
echo -e \"$DIR_SRC:/ $DIR_TGT nfs4 nfsvers=4.1 0 0\" | tee -a /etc/fstab\n",
确保已创建EFS安全组,并在入口规则中允许ec2安全:
"EfsSecurityGroup": {
"Properties": {
"GroupDescription": "EFS security group",
"SecurityGroupIngress": [
{
"FromPort": 2049,
"IpProtocol": "tcp",
"SourceSecurityGroupId": {
"Ref": "YOUR_EC2_SECURITY_GROUP"
},
"ToPort": 2049
},
],
"Tags": [
{
"Key": "Application",
"Value": {
"Ref": "AWS::StackName"
}
},
{
"Key": "Name",
"Value": "efs-sg"
}
],
"VpcId": {
"Ref": "YOUR_VPC_ID"
}
},
"Type": "AWS::EC2::SecurityGroup"
}
确保EFS MountTarget存在:
"EFSMountTargetYourAZ": {
"Properties": {
"FileSystemId": "EFS_id",
"SecurityGroups": [
{
"Ref": "EFS_SECURITY_GROUP"
}
],
"SubnetId": {
"Ref": "SUBNET_ID"
}
},
"Type": "AWS::EFS::MountTarget"
},
确保已创建EFS安全组,并在入口规则中允许ec2安全:
"EfsSecurityGroup": {
"Properties": {
"GroupDescription": "EFS security group",
"SecurityGroupIngress": [
{
"FromPort": 2049,
"IpProtocol": "tcp",
"SourceSecurityGroupId": {
"Ref": "YOUR_EC2_SECURITY_GROUP"
},
"ToPort": 2049
},
],
"Tags": [
{
"Key": "Application",
"Value": {
"Ref": "AWS::StackName"
}
},
{
"Key": "Name",
"Value": "efs-sg"
}
],
"VpcId": {
"Ref": "YOUR_VPC_ID"
}
},
"Type": "AWS::EC2::SecurityGroup"
}
确保EFS MountTarget存在:
"EFSMountTargetYourAZ": {
"Properties": {
"FileSystemId": "EFS_id",
"SecurityGroups": [
{
"Ref": "EFS_SECURITY_GROUP"
}
],
"SubnetId": {
"Ref": "SUBNET_ID"
}
},
"Type": "AWS::EFS::MountTarget"
},
在您的ec2安全组中,您不应该拥有用于EFS的端口2049的入口规则,您应该创建一个EFS安全组,并在该端口2049上允许您的ec2安全作为
SourceSecurityGroupId
。在您的ec2安全组中,您不应该拥有用于EFS的端口2049的入口规则,您应该创建一个efs安全组,并在该端口2049上允许您的ec2安全设置为SourceSecurityGroupId
。