Why do I get the error "Operation not permitted" trying to NFS mount in Fargate task?

I have a Fargate task on which I'm trying to mount an EFS filesystem for a WordPress stack. I've set up an IAM role for the task and declared it in the task definition[1] for both taskRoleArn and executionRoleArn. The role defines several allowed actions[2] that I've gotten from various pieces of documentation. Also in the task definition, I tried to define (via Terraform) the Volumes:[] and mountPoints:[] too; however, the task was not able to mount the EFS volume and it would fail. I removed the mount points and volumes from the task definition so it would start, and then I could shell into the running container (via SSM agent) to try and debug things.

The EFS filesystem has a File System Policy[3] applied and two Mount Targets[4] configured for my efs-security-group[5] (allows TCP 2049 ingress, and all egress).

When I attempt[6] to mount the EFS filesystem on the Fargate container, I get Operation not permitted. I got the mount command from the [Attach] button in the EFS console, but without sudo since I'm already running the mount command as root.

I should mention my container uses an init wrapper to start a couple of services before launching Apache in the foreground. The efs mount command (again, from the [Attach] button in the EFS console) may suggest this is a problem[7]?

Any idea why the NFS mount is failing with Operation not permitted or how to get the efs mount to work with an init wrapper script?

[1]

taskRoleArn     : arn:aws:iam::123123123123:role/webhost-iam-role
executionRoleArn: arn:aws:iam::123123123123:role/webhost-iam-role

[2]

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientRootAccess",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:DescribeMountTargets"
            ],
            "Resource": "*"
        }
    ]
}

[3]

{
    "Version": "2012-10-17",
    "Id": "ExamplePolicy01",
    "Statement": [
        {
            "Sid": "ExampleStatement01",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientRootAccess",
                "elasticfilesystem:DescribeMountTargets"
            ],
            "Resource": "*"
        }
    ]
}

[4]

us-east-1a, 10.100.1.63, efs-security-group
us-east-1b, 10.100.2.171, efs-security-group

[5]

NFS, TCP, [10.100.1.0/24, 10.100.2.0/24], 2049

[6]

# mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport 10.100.1.63:/ /mnt/webfiles/
mount.nfs4: Operation not permitted

[7]

# mount -t efs -o tls fs-0328b5ef212381290:/ /mnt/webfiles/
Could not start amazon-efs-mount-watchdog, unrecognized init system "init_wrapper.sh"
b'mount.nfs4: Operation not permitted'
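An added example, not part of the question above and not the poster's code. On Fargate the container never gets the capability needed to call mount(2), which is why both mount.nfs4 and the efs helper report Operation not permitted: the supported path is to declare the EFS volume in the task definition with efsVolumeConfiguration, so that ECS performs the mount before the container starts. The script below carries a constructed task definition of that shape (transit encryption on, IAM authorization on, so the task role's elasticfilesystem:ClientMount grant is actually what authorizes the mount) next to a weak variant, and a constructed hardened file system policy next to the one posted under [3]. Two small linters flag the settings a practitioner would want checked: EFS volumes without transitEncryption or authorizationConfig.iam set to ENABLED, and file system policy statements that allow any principal with no Condition or hand out ClientRootAccess. The container image name and the use of the elasticfilesystem:AccessedViaMountTarget condition key are assumptions; the file system id, account id and role name are reused from the post as placeholders.

```python
"""Lint an ECS task definition and an EFS file-system policy for the settings an
EFS volume on Fargate needs. Added example, not code from the original post; the
definitions below are constructed, reusing the post's ids and role name."""
import copy

FS_ID = "fs-0328b5ef212381290"
TASK_ROLE = "arn:aws:iam::123123123123:role/webhost-iam-role"
FS_ARN = f"arn:aws:elasticfilesystem:us-east-1:123123123123:file-system/{FS_ID}"

# Constructed task definition: the volume is declared here so ECS mounts it before
# the container starts (a Fargate container cannot call mount(2) itself).
TASK_DEFINITION = {
    "requiresCompatibilities": ["FARGATE"],
    "taskRoleArn": TASK_ROLE,
    "executionRoleArn": TASK_ROLE,
    "volumes": [{
        "name": "webfiles",
        "efsVolumeConfiguration": {
            "fileSystemId": FS_ID,
            "rootDirectory": "/",
            "transitEncryption": "ENABLED",             # TLS to the mount target
            "authorizationConfig": {"iam": "ENABLED"},  # authorize as taskRoleArn
        },
    }],
    "containerDefinitions": [{
        "name": "wordpress",
        "image": "wordpress:apache",  # assumed image
        "mountPoints": [{"sourceVolume": "webfiles", "containerPath": "/mnt/webfiles"}],
    }],
}

# Constructed weak variant: plain NFS with no IAM authorization.
WEAK_TASK_DEFINITION = copy.deepcopy(TASK_DEFINITION)
WEAK_TASK_DEFINITION["volumes"][0]["efsVolumeConfiguration"] = {"fileSystemId": FS_ID}


def check_task_definition(td):
    """Return findings for the EFS volumes; an empty list means they look right."""
    findings = []
    for vol in td.get("volumes", []):
        efs = vol.get("efsVolumeConfiguration")
        if efs is None:
            continue
        name = vol["name"]
        if efs.get("transitEncryption") != "ENABLED":
            findings.append(f"volume {name}: transitEncryption is not ENABLED")
        if efs.get("authorizationConfig", {}).get("iam") != "ENABLED":
            findings.append(f"volume {name}: authorizationConfig.iam is not ENABLED, "
                            "so the task role's ClientMount grant is never used")
    return findings


# The file-system policy as posted: Principal "*" and no Condition.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExampleStatement01",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite",
                   "elasticfilesystem:ClientRootAccess", "elasticfilesystem:DescribeMountTargets"],
        "Resource": "*",
    }],
}

# Constructed tightened policy: only the task role, only through a mount target,
# and no ClientRootAccess (the container does not need to be NFS root).
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TaskRoleMount",
        "Effect": "Allow",
        "Principal": {"AWS": TASK_ROLE},
        "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
        "Resource": FS_ARN,
        "Condition": {"Bool": {"elasticfilesystem:AccessedViaMountTarget": "true"}},
    }],
}


def _any_principal(p):
    return p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")


def check_file_system_policy(policy):
    """Return findings for Allow statements open to any principal."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _any_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "Condition" not in stmt:
            findings.append(f"{sid}: Allow to any principal with no Condition; anything "
                            "that can reach a mount target on TCP 2049 may mount")
        if "elasticfilesystem:ClientRootAccess" in stmt.get("Action", []):
            findings.append(f"{sid}: ClientRootAccess granted to any principal")
    return findings
```

Running check_task_definition over the weak variant yields two findings and over the full definition none; check_file_system_policy flags the posted policy twice (unconditioned wildcard principal, and root access to that principal) and the hardened one not at all. Two points worth keeping in mind when applying this to a real task: EFS volumes on Fargate need platform version 1.4.0 or later, and once authorizationConfig.iam is ENABLED the file system policy must allow the task role, so a policy tightened to a single principal has to name the same role the task definition uses.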
No Answers