
Attaching an EFS volume to Fargate?

How to solve: attaching an EFS volume to Fargate?

I know this has been asked before; I have seen several SO answers and read the AWS docs on the subject... I have a terraform module that partially builds an ECS service, cluster, task and Fargate container:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UseServices",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization", "cloudshell:*", "compute-optimizer:*", "amplify:*", "appmesh:*", "appmesh-preview:*", "appconfig:*", "appflow:*",
                "clouddirectory:*", "datapipeline:*", "dms:*", "dbqms:*", "devicefarm:*", "devops-guru:*", "ds:*", "autoscaling:*",
                "imagebuilder:*", "ec2-instance-connect:*", "ecr-public:*", "forecast:*", "honeycode:*", "proton:*", "rds-db:*", "rds-data:*",
                "access-analyzer:*", "ce:*", "cur:*", "health:*", "pricing:*", "ram:Get*", "ram:List*", "servicequotas:*",
                "ssm:*", "ssmmessages:*", "support:*", "tag:*", "cloudfront:*", "elasticloadbalancing:*", "ecs:*", "ecr:*",
                "cloudwatch:*", "synthetics:*", "apigateway:*", "rds:*", "secretsmanager:*", "route53:*", "acm:*", "resource-groups:*",
                "servicediscovery:*", "application-autoscaling:*", "ec2messages:*", "trustedadvisor:*", "cloud9:*", "codeartifact:*", "codebuild:*", "codecommit:*",
                "codedeploy:*", "codepipeline:*", "codestar:*", "codestar-connections:*", "codestar-notifications:*", "cognito-identity:*", "cognito-idp:*", "cognito-sync:*",
                "dynamodb:*", "eks:*", "emr-containers:*", "elasticache:*", "elasticbeanstalk:*", "elasticfilesystem:*", "firehose:*", "kafka:*",
                "kinesis:*", "kinesisanalytics:*", "serverlessrepo:*", "sqs:*", "xray:*", "workspaces:*", "wam:*", "appsync:*",
                "athena:*", "batch:*", "states:*", "backup:*", "backup-storage:*", "es:*", "glue:*", "databrew:*",
                "lightsail:*", "timestream:*", "schemas:*", "ec2:*", "sts:AssumeRole", "sts:TagSession", "cloudformation:*", "lambda:*",
                "s3:*", "sns:*", "events:*", "kms:*", "logs:*", "cloudtrail:*", "iam:ListAccountAliases"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowServiceLinkedRole",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole", "iam:GetServiceLinkedRoleDeletionStatus", "iam:UpdateRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/*"
            ]
        },
        {
            "Sid": "AllowPolicy",
            "Effect": "Allow",
            "Action": [
                "iam:GetPolicy", "iam:DeletePolicy", "iam:CreatePolicy", "iam:GetPolicyVersion", "iam:CreatePolicyVersion", "iam:DeletePolicyVersion", "iam:ListPolicyVersions"
            ],
            "Resource": [
                "arn:aws:iam::*:policy/*"
            ]
        },
        {
            "Sid": "AllowReadRole",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole", "iam:DeleteRole", "iam:TagRole", "iam:UpdateRoleDescription", "iam:ListInstanceProfilesForRole", "iam:ListAttachedRolePolicies", "iam:ListRolePolicies", "iam:UpdateAssumeRolePolicy", "iam:PassRole", "iam:GetRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::*:role/*"
            ]
        },
        {
            "Sid": "AllowWriteRole",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole", "iam:DeleteRolePolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:PutRolePermissionsBoundary", "iam:PutRolePolicy", "iam:UpdateRole", "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::835718480179:policy/CuriPipelineAdministratorAccesspermBoundaries"
                }
            }
        },
        {
            "Sid": "AllowWriteInstanceProfile",
            "Effect": "Allow",
            "Action": [
                "iam:AddRoleToInstanceProfile", "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:GetInstanceProfile", "iam:ListInstanceProfiles", "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::*:instance-profile/*"
            ]
        },
        {
            "Sid": "DenyIamActions",
            "Effect": "Deny",
            "Action": [
                "iam:*OpenIDConnect*", "iam:*SAMLProvider*", "iam:*User*", "iam:*Group*", "iam:*AccessKey*", "iam:*Password*", "iam:CreateAccountAlias", "iam:DeleteAccountAlias", "iam:*LoginProfile*", "iam:*ServiceSpecificCredential*", "iam:*MFADevice*", "iam:*CredentialReport*", "iam:*OrganizationsAccessReport*", "iam:*SecurityTokenServicePreferences*", "iam:GetAccountAuthorizationDetails", "iam:GetAccountSummary"
            ],
            "Resource": "*"
        },
        {
            "Sid": "NoBoundaryPolicyEdit",
            "Effect": "Deny",
            "Action": [
                "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"
            ],
            "Resource": [
                "arn:aws:iam::835718480179:policy/CuriPipelineAdministratorAccesspermBoundaries"
            ]
        },
        {
            "Sid": "NoSelfRoleEdit",
            "Effect": "Deny",
            "Action": [
                "iam:Add*", "iam:Attach*", "iam:Change*", "iam:Create*", "iam:Delete*", "iam:Deactivate*", "iam:Detach*", "iam:Enable*", "iam:Update*", "iam:Put*", "iam:Remove*", "iam:Reset*", "iam:Tag*", "iam:Untag*"
            ],
            "Resource": [
                "arn:aws:iam::835718480179:role/CuriPipelineAdministratorAccess"
            ]
        }
    ]
}

I have explicitly set the Fargate platform version on the service, and I have seen some other SO users answer that the VPC needs DNS hostnames and DNS resolution set to true; they are. I still get the error

container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: rootfs_linux.go:71: creating device nodes caused: errno 524

It seems to be tied to the "mountPoints" block in the container definition, because removing it at least gets the container to start, just without the EFS volume mounted.

Edit: added the ECS task role

Edit 2: added the role's permissions boundary:


Solution

The whole problem had nothing to do with AWS. The server I was running (weblogic) could not start because I was trying to mount EFS at /, which cannot be done because it would overwrite many critical startup and credential files. If I had already had the whole file system on EFS (I did not, I used a blank file system) it might have been fine. I mounted it at a lower subdirectory instead, and the container started and is running.
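The fix above amounts to three things a working Fargate + EFS task needs: a mount point at a subdirectory rather than /, a Fargate platform version of 1.4.0 or later, and a network and IAM path from the task to the mount target. The Terraform below is an added example written for this page, not the poster's module. Every var.* value, the image reference, and the container path /u01/domains/data are placeholders that must be replaced; the variables are assumed to be declared elsewhere. It also goes beyond the minimum by turning on transit encryption and IAM authorization through an EFS access point, which is how a practitioner would pin who can mount the file system and as what POSIX identity.

```hcl
# Added example, not the poster's module. All var.* inputs, the image and the
# container path are placeholders and are assumed to be declared elsewhere.

resource "aws_ecs_task_definition" "app" {
  family                   = "weblogic"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc" # required on Fargate; the EFS mount target is reached from the task ENI
  cpu                      = "1024"
  memory                   = "2048"
  execution_role_arn       = var.execution_role_arn
  task_role_arn            = var.task_role_arn # the role EFS authorizes when iam = "ENABLED" below

  volume {
    name = "efs-data"
    efs_volume_configuration {
      file_system_id     = var.efs_file_system_id
      transit_encryption = "ENABLED" # NFS traffic wrapped in TLS; required for IAM authorization
      authorization_config {
        access_point_id = var.efs_access_point_id # fixes the POSIX uid/gid and root directory the task sees
        iam             = "ENABLED"               # mount is authorized against the task role, not only the security group
      }
    }
  }

  container_definitions = jsonencode([
    {
      name      = "weblogic"
      image     = var.image
      essential = true
      mountPoints = [
        {
          sourceVolume  = "efs-data"
          containerPath = "/u01/domains/data" # a subdirectory; mounting at "/" hides the image's own files and the container cannot start
          readOnly      = false
        }
      ]
    }
  ])
}

# EFS volumes are only supported on Fargate platform version 1.4.0 or later.
resource "aws_ecs_service" "app" {
  name             = "weblogic"
  cluster          = var.cluster_arn
  task_definition  = aws_ecs_task_definition.app.arn
  launch_type      = "FARGATE"
  platform_version = "1.4.0"
  desired_count    = 1

  network_configuration {
    subnets         = var.subnet_ids
    security_groups = [var.task_sg_id]
  }
}

# Least-privilege EFS permissions for the task role: mount and write on this one
# file system, and only through the one access point.
data "aws_iam_policy_document" "efs_client" {
  statement {
    actions   = ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"]
    resources = [var.efs_file_system_arn]
    condition {
      test     = "StringEquals"
      variable = "elasticfilesystem:AccessPointArn"
      values   = [var.efs_access_point_arn]
    }
  }
}

resource "aws_iam_role_policy" "efs_client" {
  name   = "efs-client"
  role   = var.task_role_name
  policy = data.aws_iam_policy_document.efs_client.json
}

# NFS (TCP 2049) from the tasks' security group to the mount targets' security group, nothing wider.
resource "aws_security_group_rule" "efs_from_tasks" {
  type                     = "ingress"
  from_port                = 2049
  to_port                  = 2049
  protocol                 = "tcp"
  security_group_id        = var.efs_sg_id
  source_security_group_id = var.task_sg_id
}
```

With iam = "ENABLED" the task still needs the ClientMount/ClientWrite statement above or the mount fails at task start; the matching control on the file-system side is an EFS file system policy that denies access unless aws:SecureTransport is true and the request comes through the access point, so an unencrypted or anonymous NFS mount from elsewhere in the VPC is refused even if a security group rule lets the packets through.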
