Old EFS Access Points work but cannot mount a new one?


I am using EFS Access Points from an EC2 instance. I had initially set the access points I needed and can mount those with no problem using the efs file type, e.g.:

sudo mount -t efs -o tls,accesspoint=access-point-1-id efs-fs-id:/ mnt1

This works and I can see and update files in the mounted file system. I recently added a new access point under the same file system. However, when I attempt to mount the new access point I get the following:

sudo mount -t efs -o tls,accesspoint=access-point-2-id efs-fs-id:/ mnt2
mount.nfs4: access denied by server while mounting
Exception in thread Thread-1 (most likely raised during interpreter shutdown):
Traceback (most recent call last):
File "/usr/lib64/python2.7/threading.py", line 804, in _bootstrap_inner
File "/usr/lib64/python2.7/threading.py", line 757, in run
File "/sbin/mount.efs", line 796, in poll_tunnel_process
<type 'exceptions.TypeError'>: 'NoneType' object is not callable

Yet the original Access Point can be still mounted with no problem.

These are both under the same Mount Target for the Subnet, which is available. The Network Interface shows up in the EC2 console as in-use and the associated Security Group has the NFS port accessible. It's certainly allowing access to the first Access Point.

I have tried deleting the Access Point and the Mount Target. I then recreated the Access Point and added a Mount Target back, but I have the same result, the old Access Point mounts but I cannot mount the new one.

My question is, why is access to the newly added Access Point denied? Have I forgotten to add the Access point to another security list or is there something in the system I need to restart for the new Access Point to be noticed?

Edited by: JSDev on Sep 20, 2020 11:29 AM

posted 4 years ago, 1410 views
5 Answers

Could you share how you are configuring your Access Point? One thing to make sure of for new EFS Access Points is that the UID/GID you are configuring for your enforced identity has at least read+execute access for its home directory. For example, if you did not specify a home directory, it will default to /, which by default is not accessible by any users other than root.

answered 4 years ago

The access points are defined very simply, they both share the same filesystem, they both have paths defined and I used names to identify them. So they both look like:

efs-file-system, access-point-1-name, /path/ap1/
efs-file-system, access-point-2-name, /path/ap2/

I did not add any of the optional POSIX user or creation user definitions. For the older Access Point this is working and files can be written and updated in the directory. I never get to attempt to write to the new Access Point as it's refusing to mount :(

Edited by: JSDev on Sep 21, 2020 9:35 AM

answered 4 years ago

Thanks for the details. Could you PM me your access point id? I can look from our side and see what's going on.

answered 4 years ago

Thanks for the info. In your access point configuration, you left the enforced identity (UID/GID) blank, which means EFS is going to trust the identity passed from the server, which will be the UID/GID that you are logged into your server as. Also, you are specifying a directory without CreationInfo, which means the directory won't be automatically created, and must already exist and be readable+executable by your server UID/GID. Therefore, there are two possible reasons why this is not working:

  1. The directory in your second access point does not already exist in your EFS file system.
  2. The directory exists, but the UID/GID you're logged into your server as doesn't have at least read+execute access to it.

The best way to make sure you don't get permission denied errors with Access Points is to specify both the UID/GID of your user and use CreationInfo with your directory to make sure it gets created. For instance, you can create an access point with uid:1000, gid:1000, directory:/mydirectory, owneruid:1000, ownergid:1000. With this, the directory will be created for you, and the owner information will match that of the access point, so you know you'll have access to it.

answered 4 years ago
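The two failure reasons above can be checked before attempting the mount. This is an added example, not AWS code or anything from the thread: it takes `aws efs describe-access-points`-shaped JSON (constructed sample, placeholder ids) plus a local mount of the file system root, and classifies each access point as ok, missing directory, no read+execute for the identity EFS will use, or "will-create" when CreationInfo is set. It assumes Linux (`os.getuid`) and that the root mount reflects the real ownership and mode bits.

```python
"""Pre-mount check for EFS Access Points (added example, not AWS code)."""
import json, os, tempfile

# Constructed sample shaped like `aws efs describe-access-points` output.
# Ids are placeholders; ap1/ap2 mirror the thread, ap3 follows the suggested fix.
SAMPLE_DESCRIBE = json.dumps({"AccessPoints": [
    {"AccessPointId": "fsap-EXAMPLE1", "RootDirectory": {"Path": "/path/ap1"}},
    {"AccessPointId": "fsap-EXAMPLE2", "RootDirectory": {"Path": "/path/ap2"}},
    {"AccessPointId": "fsap-EXAMPLE3", "PosixUser": {"Uid": 1000, "Gid": 1000},
     "RootDirectory": {"Path": "/mydirectory", "CreationInfo": {
         "OwnerUid": 1000, "OwnerGid": 1000, "Permissions": "0755"}}}]})

def _has_rx(st, uid, gid):
    """True if uid/gid gets read+execute on a directory with stat result st."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 0o7
    elif st.st_gid == gid:
        bits = (st.st_mode >> 3) & 0o7
    else:
        bits = st.st_mode & 0o7
    return bits & 0o5 == 0o5

def check_access_point(ap, fs_root, uid=None, gid=None):
    """Return 'will-create' (dir missing, CreationInfo set), 'missing' (dir
    missing, no CreationInfo), 'no-rx' (dir exists, not r+x for uid/gid) or 'ok'."""
    rd = ap.get("RootDirectory", {})
    posix = ap.get("PosixUser")
    # Without PosixUser, EFS trusts the client's uid/gid (the caller, by default).
    uid = posix["Uid"] if posix else (os.getuid() if uid is None else uid)
    gid = posix["Gid"] if posix else (os.getgid() if gid is None else gid)
    local = os.path.join(fs_root, rd.get("Path", "/").lstrip("/"))
    if not os.path.isdir(local):
        return "will-create" if "CreationInfo" in rd else "missing"
    return "ok" if _has_rx(os.stat(local), uid, gid) else "no-rx"

def check_all(describe_json, fs_root):
    aps = json.loads(describe_json)["AccessPoints"]
    return {ap["AccessPointId"]: check_access_point(ap, fs_root) for ap in aps}

def demo():
    """Constructed stand-in for the EFS root: /path/ap1 exists, /path/ap2 does
    not, and /locked is mode 0700 so a foreign uid/gid (12345) gets no r+x."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "path", "ap1"), mode=0o755)
    os.mkdir(os.path.join(root, "locked"), 0o700)
    result = check_all(SAMPLE_DESCRIBE, root)
    locked = {"AccessPointId": "fsap-EXAMPLE4", "RootDirectory": {"Path": "/locked"}}
    result["fsap-EXAMPLE4"] = check_access_point(locked, root, uid=12345, gid=12345)
    return result
```

Mount the file system root (without an access point) once, run `check_all` against that path, and any access point reported as `missing` or `no-rx` is exactly the "access denied by server" case from the question.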

OK, thanks, that was the missing step, creating the directories in the efs file system before or after creating the mount points. They need to exist before attempting to mount; otherwise, you are correct, the creation user and POSIX user IDs need to be specified.

answered 4 years ago
