By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Old EFS Access Points work but cannot mount a new one?

0

I am using EFS Access Points from an EC2 instance. I had initially set the access points I needed and can mount those with no problem using the efs file type, eg:

sudo mount -t efs -o tls,accesspoint=access-point-1-id efs-fs-id:/ mnt1

This works and I can see and update files in the mounted file system. I recently added new access point under the same file system. However when I attempt to mount the new access point I get the following:

sudo mount -t efs -o tls,accesspoint=access-point-2-id efs-fs-id:/ mnt2
mount.nfs4: access denied by server while mounting 127.0.0.1:/
Exception in thread Thread-1 (most likely raised during interpreter shutdown):
Traceback (most recent call last):
_File "/usr/lib64/python2.7/threading.py", line 804, in _bootstrap_inner
File "/usr/lib64/python2.7/threading.py", line 757, in run
File "/sbin/mount.efs", line 796, in poll_tunnel_process
<type 'exceptions.TypeError'>: 'NoneType' object is not callable

Yet the original Access Point can be still mounted with no problem.

These are both under the same Mount Target for the Subnet, which is available. The Network Interface shows up in the EC2 console as in-use and the associated Security Group has the NFS port accessible. It's certainly allowing access to the first Access Point.

I have tried deleting the Access Point and the Mount Target. I then recreated the Access Point and added a Mount Target back, but I have the same result, the old Access Point mounts but I cannot mount the new one.

My question is, why is access to the newly added Access Point denied? Have I forgotten to add the Access point to another security list or is there something in the system I need to restart for the new Access Point to be noticed?

Edited by: JSDev on Sep 20, 2020 11:29 AM

Topics
Storage
Tags
Amazon Elastic File System
Language
English
JSDev
asked 5 years ago1.9K views
5 Answers
0

Could you share how you are configuring your Access Point? One thing to make sure of for new EFS Access Points is that the UID/GID you are configuring for your enforced identity has at least read+execute access for its home directory. For example, if you did not specify a home directory, it will default to /, which by default is not accessible by any users other than root.

AWS-User-4040733
answered 5 years ago
0

The access points are defined very simply, they both share the same filesystem, they both have paths defined and I used names to identify them. So they both look like:

efs-file-system, access-point-1-name , /path/ap1/
efs-file-system, access-point-2-name, /path/ap2/

I did not add any of the optional POSIX user or creation user definitions. For the older Access Point this is working and files can be written and updated in the directory. I never get to attempt to write to the new Access Point as it's refusing to mount :(

Edited by: JSDev on Sep 21, 2020 9:35 AM

JSDev
answered 5 years ago
0

Thanks for the details. Could you PM me your access point id? I can look from our side and see what's going on.

AWS-User-4040733
answered 5 years ago
0

Thanks for the info. In your access point configuration, you left the enforced identity (UID/GID) blank, which means EFS is going to trust the identity passed from the server, which will be the UID/GID that you are logged into your server as. Also, you are specifying a directory without CreationInfo, which means the directory won't be automatically created, and must already exist and be readable+executable by your server UID/GID. Therefore, there is one of two reasons why this is not working:

  1. The directory in your second access point does not already exist in your EFS file system.
  2. The directory exists, but the UID/GID you're logged into your server as doesn't have at least read+execute access to it.

The best way to make sure you don't get permission denieds with Access Points is to specify both the UID/GID of your user and use CreationInfo with your directory to make sure it gets created. For instance, you can create an access point with uid:1000, gid:1000, directory:/mydirectory, owneruid: 1000, ownergid:1000. With this, the directory will be created for you, and the owner information will match that of the access point, so you know you'll have access to it.

AWS-User-4040733
answered 5 years ago
0

Ok Thanks, that was the missing step, creating the directories in the efs file system before or after creating the mount points. They need to exist before attempting to mount, otherwise you are correct the creation user and POSIX user id's need to be specified.

JSDev
answered 5 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content