
This assumes you have already:
- Created an Elastic File System (EFS) using Terraform
- Created Elastic File System (EFS) Access Points using Terraform
- Created Elastic File System (EFS) Mount Targets using Terraform
Ensure the Elastic File System has a Mount Target in the same Availability Zone (such as us-east-1b) as the Docker host. Check out my article List Elastic File Systems (EFS) Mount Targets using the AWS CLI. In this example, there is a Mount Target in Availability Zone us-east-1b.
~]# aws efs describe-mount-targets --file-system-id fs-0d1500aa4f4b50839
{
    "MountTargets": [
        {
            "OwnerId": "123456789012",
            "MountTargetId": "fsmt-0481f8dfc2b5c6488",
            "FileSystemId": "fs-0d1500aa4f4b50839",
            "SubnetId": "subnet-0316e4d9fcd4efccc",
            "LifeCycleState": "available",
            "IpAddress": "172.31.81.6",
            "NetworkInterfaceId": "eni-02b54b783c735dcba",
            "AvailabilityZoneId": "use1-az2",
            "AvailabilityZoneName": "us-east-1b",
            "VpcId": "vpc-014d2fcfa335d3c01"
        }
    ]
}
Ensure the Mount Target is associated with a Security Group. Check out my article List Elastic File Systems (EFS) Mount Target Security Groups using the AWS CLI.
~]# aws efs describe-mount-target-security-groups --mount-target-id fsmt-0481f8dfc2b5c6488
{
    "SecurityGroups": [
        "sg-04c441ca1ce1b121b"
    ]
}
And ensure that the Security Group allows incoming (ingress) traffic on the NFS port, TCP 2049. Note that the ingress rule in this example admits NFS from 0.0.0.0/0; the rule only needs to admit the hosts that mount the file system, so in practice restrict the source to the VPC CIDR or to the Security Group of the Docker host.
~]# aws ec2 describe-security-group-rules --filter Name="group-id",Values="sg-04c441ca1ce1b121b"
{
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-0aa26ef2018a66ca3",
            "GroupId": "sg-04c441ca1ce1b121b",
            "GroupOwnerId": "123456789012",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 2049,
            "ToPort": 2049,
            "CidrIpv4": "0.0.0.0/0",
            "Description": "Allow NFS",
            "Tags": []
        },
        {
            "SecurityGroupRuleId": "sgr-0b91959bb3ab49c3b",
            "GroupId": "sg-04c441ca1ce1b121b",
            "GroupOwnerId": "123456789012",
            "IsEgress": true,
            "IpProtocol": "-1",
            "FromPort": -1,
            "ToPort": -1,
            "CidrIpv4": "0.0.0.0/0",
            "Tags": []
        }
    ]
}
According to https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html, "if you do not specify the ownership and permissions for an access point root directory, Amazon EFS will not create the root directory. All attempts to mount the access point will fail". So let's first use the docker exec command to get the ID of your user in the container.
~]$ sudo docker exec mycontainer id
uid=0(root) gid=0(root) groups=0(root)
In this example, since the UID is 0 and the GID is 0, let's set the Access Point POSIX user and Creation Info to have UID 0 and GID 0. Check out my article List Elastic File Systems (EFS) Access Points using the AWS CLI.
~]$ aws efs describe-access-points
{
    "AccessPoints": [
        {
            "ClientToken": "666D79BA-AD33-4727-878B-550CB3A87FF7",
            "Name": "foo Access Point",
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "foo Access Point"
                },
                {
                    "Key": "Role",
                    "Value": "foo Access Point"
                }
            ],
            "AccessPointId": "fsap-04164a446398febd3",
            "AccessPointArn": "arn:aws:elasticfilesystem:us-east-1:123456789012:access-point/fsap-04164a446398febd3",
            "FileSystemId": "fs-0d1500aa4f4b50839",
            "PosixUser": {
                "Uid": 0,
                "Gid": 0
            },
            "RootDirectory": {
                "Path": "/foo",
                "CreationInfo": {
                    "OwnerUid": 0,
                    "OwnerGid": 0,
                    "Permissions": "0775"
                }
            },
            "OwnerId": "123456789012",
            "LifeCycleState": "available"
        }
    ]
}
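The three checks above (a Mount Target in the host's Availability Zone, a Security Group rule admitting TCP 2049, and an Access Point whose POSIX user and Creation Info match the container's UID/GID) can be scripted rather than read off the JSON by eye. The following is an added example, not code from the article: it parses the CLI output shown above (embedded here as constructed sample data trimmed to the fields it needs) and reports what blocks the mount and what is merely broader than it needs to be. The VPC CIDR 172.31.0.0/16 is an assumption chosen to contain the Mount Target IP above; in real use, load the output of the `aws efs describe-mount-targets`, `aws ec2 describe-security-group-rules`, `aws efs describe-access-points` and `docker exec ... id` commands instead of the constants.

```python
"""Preflight checks for mounting an EFS Access Point from a Docker host (hypothetical helper)."""
import ipaddress
import json
import re

NFS_PORT = 2049

# Constructed sample data: trimmed copies of the CLI output shown in the article.
MOUNT_TARGETS = json.loads("""{"MountTargets": [{
    "MountTargetId": "fsmt-0481f8dfc2b5c6488", "FileSystemId": "fs-0d1500aa4f4b50839",
    "LifeCycleState": "available", "IpAddress": "172.31.81.6",
    "AvailabilityZoneName": "us-east-1b", "VpcId": "vpc-014d2fcfa335d3c01"}]}""")
SG_RULES = json.loads("""{"SecurityGroupRules": [
    {"SecurityGroupRuleId": "sgr-0aa26ef2018a66ca3", "IsEgress": false, "IpProtocol": "tcp",
     "FromPort": 2049, "ToPort": 2049, "CidrIpv4": "0.0.0.0/0"},
    {"SecurityGroupRuleId": "sgr-0b91959bb3ab49c3b", "IsEgress": true, "IpProtocol": "-1",
     "FromPort": -1, "ToPort": -1, "CidrIpv4": "0.0.0.0/0"}]}""")
ACCESS_POINTS = json.loads("""{"AccessPoints": [{
    "AccessPointId": "fsap-04164a446398febd3", "FileSystemId": "fs-0d1500aa4f4b50839",
    "PosixUser": {"Uid": 0, "Gid": 0},
    "RootDirectory": {"Path": "/foo",
        "CreationInfo": {"OwnerUid": 0, "OwnerGid": 0, "Permissions": "0775"}},
    "LifeCycleState": "available"}]}""")
CONTAINER_ID_OUTPUT = "uid=0(root) gid=0(root) groups=0(root)"  # from `docker exec mycontainer id`
VPC_CIDR = "172.31.0.0/16"  # assumption: the VPC range the Mount Target IP above sits in


def find_mount_target(mount_targets, az):
    """Return the available Mount Target in Availability Zone `az`, or None."""
    for mt in mount_targets["MountTargets"]:
        if mt["AvailabilityZoneName"] == az and mt["LifeCycleState"] == "available":
            return mt
    return None


def nfs_ingress_rules(sg_rules):
    """Return the ingress rules that admit TCP 2049 (a port range or all traffic)."""
    matches = []
    for rule in sg_rules["SecurityGroupRules"]:
        if rule["IsEgress"]:
            continue
        if rule["IpProtocol"] == "-1":  # all protocols, all ports
            matches.append(rule)
        elif rule["IpProtocol"] == "tcp" and rule["FromPort"] <= NFS_PORT <= rule["ToPort"]:
            matches.append(rule)
    return matches


def is_wider_than_vpc(rule, vpc_cidr):
    """True when the rule's IPv4 source contains the whole VPC and more (e.g. 0.0.0.0/0)."""
    cidr = rule.get("CidrIpv4")
    if cidr is None:  # source is a security group or prefix list: already scoped
        return False
    src, vpc = ipaddress.ip_network(cidr), ipaddress.ip_network(vpc_cidr)
    return vpc.subnet_of(src) and src.prefixlen < vpc.prefixlen


def parse_id_output(text):
    """Parse `id` output such as 'uid=0(root) gid=0(root) ...' into (uid, gid)."""
    m = re.match(r"uid=(\d+)(?:\([^)]*\))?\s+gid=(\d+)", text)
    if m is None:
        raise ValueError(f"unrecognised id output: {text!r}")
    return int(m.group(1)), int(m.group(2))


def access_point_problems(access_points, ap_id, uid, gid):
    """Explain why `ap_id` would not work for a process running as uid/gid; [] if fine."""
    for ap in access_points["AccessPoints"]:
        if ap["AccessPointId"] != ap_id:
            continue
        problems = []
        posix = ap.get("PosixUser", {})
        if (posix.get("Uid"), posix.get("Gid")) != (uid, gid):
            problems.append(f"PosixUser {posix} does not match container uid={uid} gid={gid}")
        creation = ap.get("RootDirectory", {}).get("CreationInfo")
        if creation is None:  # the failure mode quoted from the EFS docs above
            problems.append("RootDirectory has no CreationInfo: EFS will not create the "
                            "root directory and every mount attempt will fail")
        elif (creation.get("OwnerUid"), creation.get("OwnerGid")) != (uid, gid):
            problems.append(f"CreationInfo owner {creation} differs from container uid/gid")
        return problems
    return [f"access point {ap_id} not found"]


def preflight(az, ap_id, vpc_cidr=VPC_CIDR, mount_targets=MOUNT_TARGETS,
              sg_rules=SG_RULES, access_points=ACCESS_POINTS, id_output=CONTAINER_ID_OUTPUT):
    """Run every check; 'errors' block the mount, 'warnings' are exposure worth tightening."""
    errors, warnings = [], []
    if find_mount_target(mount_targets, az) is None:
        errors.append(f"no available Mount Target in {az}")
    rules = nfs_ingress_rules(sg_rules)
    if not rules:
        errors.append(f"security group has no ingress rule admitting TCP {NFS_PORT}")
    for rule in rules:
        if is_wider_than_vpc(rule, vpc_cidr):
            warnings.append(f"{rule['SecurityGroupRuleId']} admits NFS from {rule['CidrIpv4']}; "
                            f"restrict the source to {vpc_cidr} or the Docker host's security group")
    uid, gid = parse_id_output(id_output)
    errors.extend(access_point_problems(access_points, ap_id, uid, gid))
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    print(json.dumps(preflight("us-east-1b", "fsap-04164a446398febd3"), indent=2))
```

Run against the sample data, the preflight reports no errors and one warning about the 0.0.0.0/0 NFS rule; change the Availability Zone to one without a Mount Target, or the container UID to a non-root user, and the corresponding check turns into an error before you spend time on a failing `mount`.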