
ECS / EFS - User ID Issues #70

Open
GadgetGeekNI opened this issue Jul 4, 2023 · 1 comment

Comments

@GadgetGeekNI

Hi folks,

I'm having a few issues trying to deploy out a test environment using ECS and EFS as my data volume.

I am getting user permission errors when, I believe, the container is trying to read the mounted EFS volume.

When the containers are started, I get the following:

Error: Server: (failed to setupServer), Wrapped: (failed to NewController), Can't continue. We can't safely access "/mnt/opc/data/.op/data/files" because it's not owned by the current user. Change the owner or logged in user and try again.

I'm doing this with Terraform, or attempting to (!). Here is my EFS access point and ECS config; I assume the error will jump out at someone between these two, as I feel like it's to do with the user ID given to the EFS system, but I am unsure what to set it to in order to get it working. I can't exec into the container because it tears down again immediately when this error appears.

resource "aws_efs_access_point" "opc_user_data_efs_access_point" {
  file_system_id = aws_efs_file_system.opc_ecs_volume_efs_file_system.id
  # Identity enforced for every NFS request that comes through this access point
  posix_user {
    gid = 1000
    uid = 1000
  }
  root_directory {
    path = local.efs_root_access_point_path
    # Owner and mode applied when EFS creates the root directory on first use
    creation_info {
      owner_gid   = 1000
      owner_uid   = 1000
      permissions = 775
    }
  }
  tags = merge({ Name = "${local.efs_name}-access-point" })
}

resource "aws_ecs_task_definition" "opc_api_ecs_task_definition" {
  family                   = "opc-api-task-def"
  ###OtherConfig
  container_definitions = jsonencode([{
    name  = "opc-api"
    image = "1password/connect-api:latest"
    portMappings = [
      {
        containerPort = 8080
        hostPort      = 8080
      }
    ]
    environment = [
      {
        name  = "OP_SESSION"
        value = var.op_base64_credentials
      },
      {
        # Connect stores its data under $XDG_DATA_HOME/.op/data
        name  = "XDG_DATA_HOME"
        value = "/mnt/opc/data"
      }
    ]
    command = []
    # The EFS volume below is mounted at the same path XDG_DATA_HOME points to
    mountPoints = [
      {
        containerPath = "/mnt/opc/data"
        sourceVolume  = "connect-data"
      }
    ]
  }])
  volume {
    name = "connect-data"
    efs_volume_configuration {
      file_system_id     = aws_efs_file_system.opc_ecs_volume_efs_file_system.id
      root_directory     = "/"
      transit_encryption = "ENABLED"
      # Mount through the access point, so its posix_user applies to all file access
      authorization_config {
        iam             = "ENABLED"
        access_point_id = aws_efs_access_point.opc_user_data_efs_access_point.id
      }
    }
  }
  tags = merge({ Name = "opc-connect-service-task-def" })
}

@jpcoenen
Member

jpcoenen commented Aug 1, 2023

Hey @GadgetGeekNI! Sorry for the late reply here. Could you try using uid and gid 999 instead of 1000? Those are the user and group IDs that are used by the Connect Docker image.

Let me know if that works!
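As an added example (not code from the issue or from the 1Password Connect project), the access point from the original post with the change the maintainer suggests applied: the enforced POSIX identity and the root-directory owner are both set to 999, so the directory the container process sees is owned by the uid it runs as, which is exactly the check the "not owned by the current user" error is making. The resource and local names are taken from the issue; the file system resource and `local.efs_root_access_point_path` / `local.efs_name` are assumed to be defined elsewhere in the module, and the `connect_uid` / `connect_gid` locals are introduced here for illustration.

```hcl
locals {
  # Assumed from the maintainer's reply: the uid/gid the Connect image runs as.
  connect_uid = 999
  connect_gid = 999
}

resource "aws_efs_access_point" "opc_user_data_efs_access_point" {
  file_system_id = aws_efs_file_system.opc_ecs_volume_efs_file_system.id

  # Every NFS operation through this access point is performed as this
  # user/group, whatever uid the container process actually has.
  posix_user {
    uid = local.connect_uid
    gid = local.connect_gid
  }

  root_directory {
    path = local.efs_root_access_point_path

    # Applied only when EFS creates the directory on first use; a directory
    # that already exists keeps whatever owner it was created with.
    creation_info {
      owner_uid   = local.connect_uid
      owner_gid   = local.connect_gid
      permissions = "775"
    }
  }

  tags = merge({ Name = "${local.efs_name}-access-point" })
}
```

Note that `creation_info` is a one-time setting: if the root directory was already created by the earlier access point with owner 1000, changing these values does not re-own it. Either remove the directory (or use a fresh `path`) so EFS recreates it with the new owner, or change its ownership to 999 from a host that mounts the file system directly.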
