Install EFS Client According to Best Practices


Install amazon-efs-utils using SSM Distributor AmazonEFSUtils

This is one of the AWS SOA topics related to deployment, provisioning, and automation.

The following page provides a basic configuration of EFS.

On that page, we used the SSM document AWS-RunShellScript to run the commands that install the EFS client.
AWS officially documents this approach as a manual installation of the EFS client.

Manually installing the Amazon EFS client - Amazon Elastic File System

This time we will see how to install the EFS client according to best practices.

Using AWS Systems Manager to automatically install or update Amazon EFS clients - Amazon Elastic File System
Use AWS Systems Manager to manage installing and updating the amazon-efs-utils Amazon EFS clients on your Amazon EC2 instances.

Specifically, this method uses the SSM Distributor package AmazonEFSUtils.
By using AmazonEFSUtils, you can newly install or periodically update the EFS client.


Diagram of install EFS client according to best practice.

Basically, the configuration is the same as on the previous page.

The difference is the network configuration.
The EC2 instances in the private subnet use a NAT Gateway instead of a VPC endpoint to access resources outside the VPC.
This is because the sequence of actions performed by AmazonEFSUtils includes accessing third-party resources on the Internet using pip and yum, and VPC endpoints cannot satisfy these requirements.

CloudFormation template files

The above configuration is built with CloudFormation.
The CloudFormation templates are located at the following URL:

awstut-soa/03/002 at main · awstut-an-r/awstut-soa

Explanation of key points of the template files

This page focuses on how to install amazon-efs-utils using AmazonEFSUtils.
For basic EFS matters, please refer to the page introduced at the beginning of this document.

IAM Roles for EC2 Instances

```yaml
Resources:
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service:
                # EC2 service principal, as required for an instance role
                - ec2.amazonaws.com
      Policies:
        # Inline policy: lets the instance write SSM execution logs to the log bucket
        - PolicyName: SSMStateManagerPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                  - s3:PutObjectAcl
                  - s3:ListBucket
                Resource:
                  - !Sub "arn:aws:s3:::${LogBucketName}"
                  - !Sub "arn:aws:s3:::${LogBucketName}/*"
      ManagedPolicyArns:
        # AWS managed policy required by the AmazonEFSUtils Distributor package
        - arn:aws:iam::aws:policy/AmazonElasticFileSystemsUtils
```

The key point is the AWS managed policy setting (ManagedPolicyArns property).

"Use the AmazonElasticFileSystemsUtils AWS managed permission policy to assign the appropriate permissions to roles."
Source: Using AWS Systems Manager to automatically install or update Amazon EFS clients

Add the AmazonElasticFileSystemsUtils policy to the IAM role for the instance according to the above.

In addition, an inline policy is defined that allows access to the S3 bucket.
This permission is necessary to deliver the SSM Document execution logs to the bucket, as described below.

Running SSM Distributor

```yaml
Resources:
  ConfigureAWSPackageAssociation:
    Type: AWS::SSM::Association
    Properties:
      AssociationName: !Sub "${Prefix}-configure-awspackage-association"
      Name: AWS-ConfigureAWSPackage
      OutputLocation:
        S3Location:
          OutputS3BucketName: !Ref LogBucketName
          OutputS3KeyPrefix: !Sub "${Prefix}/configure-awspackage-association-log"
      Parameters:
        action:
          - Install
        installationType:
          - In-place update
        name:
          - AmazonEFSUtils
      ScheduleExpression: rate(30 days)
      Targets:
        - Key: InstanceIds
          Values:
            - !Ref Instance1
            - !Ref Instance2
      WaitForSuccessTimeoutSeconds: !Ref WaitForSuccessTimeoutSeconds
```

To run the SSM Distributor, the SSM Document AWS-ConfigureAWSPackage must be executed.
This means creating an association between AWS-ConfigureAWSPackage and the instance.

Specify the parameters for executing AWS-ConfigureAWSPackage in the Parameters property.
Specify “Install” for action and “In-place update” for installationType.
These values are as specified in the AWS official documentation.

"For Parameters choose Action > Install and Installation Type > In-place update."
Source: Using AWS Systems Manager to automatically install or update Amazon EFS clients

Specify “AmazonEFSUtils” for Name.

Specify “rate(30 days)” for ScheduleExpression.
This will cause an update of amazon-efs-utils to be attempted every 30 days.
This update frequency is the official AWS recommended value.

"For Specify schedule the recommended setting for AmazonEFSUtils is every 30 days."
Source: Using AWS Systems Manager to automatically install or update Amazon EFS clients

Note that AmazonEFSUtils only installs amazon-efs-utils.
To mount EFS, you need to additionally run the following:

```yaml
Resources:
  RunShellScriptAssociation:
    Type: AWS::SSM::Association
    DependsOn:
      - ConfigureAWSPackageAssociation
    Properties:
      AssociationName: !Sub "${Prefix}-shellscript-association"
      Name: AWS-RunShellScript
      OutputLocation:
        S3Location:
          OutputS3BucketName: !Ref LogBucketName
          OutputS3KeyPrefix: !Sub "${Prefix}/shellscript-association-log"
      Parameters:
        commands:
          - sudo mkdir /mnt/efs
          - sleep 90
          - !Sub "sudo mount -t efs ${FileSystemId}:/ /mnt/efs"
      Targets:
        - Key: InstanceIds
          Values:
            - !Ref Instance1
            - !Ref Instance2
      WaitForSuccessTimeoutSeconds: !Ref WaitForSuccessTimeoutSeconds
```


Use CloudFormation to build this environment and check the actual behavior.

Create CloudFormation stacks and check resources in stacks

Create CloudFormation stacks.
For information on how to create stacks and check each stack, please refer to the following page.

After checking the resources in each stack, information on the main resources created this time is as follows:

  • Instance1: i-0c59ea8cc2aeb73c2
  • Instance2: i-0dd528e705bdd4c14
  • EFS: fs-04f30fea390abb082

The SSM status is also checked from the AWS Management Console.
First we check the status of the creation of associations.

Result of SSM Document 1.

We can see that indeed two SSM documents have been executed.

Next we check the details of the AWS-ConfigureAWSPackage association.

Result of SSM Document 2.
Result of SSM Document 3.

We see that the schedule is set to run every 30 days.
Looking at the parameters, we see that AmazonEFSUtils is set to install with in-place updates.

We have configured the execution logs to be stored in an S3 bucket.
The stored logs are as follows:

```plaintext
Initiating AmazonEFSUtils 1.33.2-1 install
Plugin aws:runShellScript ResultStatus Success
install output: Running sh
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Examining ./amazon-efs-utils-1.33.2-1.amzn2.noarch.rpm: amazon-efs-utils-1.33.2-1.amzn2.noarch
Marking ./amazon-efs-utils-1.33.2-1.amzn2.noarch.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package amazon-efs-utils.noarch 0:1.33.2-1.amzn2 will be installed
--> Processing Dependency: stunnel >= 4.56 for package: amazon-efs-utils-1.33.2-1.amzn2.noarch
--> Running transaction check
---> Package stunnel.aarch64 0:4.56-6.amzn2.0.3 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package           Arch     Version            Repository                                Size
================================================================================
Installing:
 amazon-efs-utils  noarch   1.33.2-1.amzn2     /amazon-efs-utils-1.33.2-1.amzn2.noarch  198 k
Installing for dependencies:
 stunnel           aarch64  4.56-6.amzn2.0.3   amzn2-core                               148 k

Transaction Summary
================================================================================
Install  1 Package (+1 Dependent package)

Total size: 346 k
Total download size: 148 k
Installed size: 627 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : stunnel-4.56-6.amzn2.0.3.aarch64 1/2
  Installing : amazon-efs-utils-1.33.2-1.amzn2.noarch 2/2
  Verifying  : stunnel-4.56-6.amzn2.0.3.aarch64 1/2
  Verifying  : amazon-efs-utils-1.33.2-1.amzn2.noarch 2/2

Installed:
  amazon-efs-utils.noarch 0:1.33.2-1.amzn2

Dependency Installed:
  stunnel.aarch64 0:4.56-6.amzn2.0.3

Complete!
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Package wget-1.14-18.amzn2.1.aarch64 already installed and latest version
Nothing to do
Collecting pip
  Downloading pip-22.1.2-py3-none-any.whl (2.1 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 45.1 MB/s eta 0:00:00
Collecting wheel
  Downloading wheel-0.37.1-py2.py3-none-any.whl (35 kB)
Installing collected packages: wheel, pip
  Attempting uninstall: pip
    Found existing installation: pip 20.2.2
    Uninstalling pip-20.2.2:
      Successfully uninstalled pip-20.2.2
Successfully installed pip-22.1.2 wheel-0.37.1
Collecting botocore
  Downloading botocore-1.27.17-py3-none-any.whl (8.9 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 8.9/8.9 MB 81.8 MB/s eta 0:00:00
Collecting urllib3<1.27,>=1.25.4
  Downloading urllib3-1.26.9-py2.py3-none-any.whl (138 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 139.0/139.0 kB 20.3 MB/s eta 0:00:00
Collecting jmespath<2.0.0,>=0.7.1
  Downloading jmespath-1.0.1-py3-none-any.whl (20 kB)
Collecting python-dateutil<3.0.0,>=2.1
  Downloading python_dateutil-2.8.2-py2.py3-none-any.whl (247 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 247.7/247.7 kB 45.5 MB/s eta 0:00:00
Collecting six>=1.5
  Downloading six-1.16.0-py2.py3-none-any.whl (11 kB)
Installing collected packages: urllib3, six, jmespath, python-dateutil, botocore
Successfully installed botocore-1.27.17 jmespath-1.0.1 python-dateutil-2.8.2 six-1.16.0 urllib3-1.26.9
Successfully installed AmazonEFSUtils 1.33.2-1
```

You can see that amazon-efs-utils and its dependencies have been installed.
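The log above is also where the yum and pip downloads behind the NAT Gateway requirement become visible. As an added example (not part of the original page or its templates), the following Python sketch inventories what a run installed through yum and pip and lists the pip requirements that were requested without a version specifier; the function names are hypothetical, and the sample text is a constructed excerpt of the log shown above.

```python
import re

# Constructed sample: excerpt of the association log shown above, line breaks restored.
SAMPLE_LOG = """\
---> Package stunnel.aarch64 0:4.56-6.amzn2.0.3 will be installed
Installed size: 627 k
Installed:
  amazon-efs-utils.noarch 0:1.33.2-1.amzn2
Dependency Installed:
  stunnel.aarch64 0:4.56-6.amzn2.0.3
Complete!
Collecting pip
Collecting wheel
Successfully installed pip-22.1.2 wheel-0.37.1
Collecting botocore
Collecting urllib3<1.27,>=1.25.4
Collecting jmespath<2.0.0,>=0.7.1
Collecting python-dateutil<3.0.0,>=2.1
Collecting six>=1.5
Successfully installed botocore-1.27.17 jmespath-1.0.1 python-dateutil-2.8.2 six-1.16.0 urllib3-1.26.9
Successfully installed AmazonEFSUtils 1.33.2-1
"""

def yum_installed(log):
    """(name, version, arch) rows from yum's final 'Installed:' summary only."""
    summary = re.search(r"\bInstalled:(.*?)Complete!", log, re.S)
    if not summary:
        return []
    rows = re.findall(r"(\S+)\.(noarch|aarch64|x86_64)\s+\d+:(\S+)", summary.group(1))
    return [(name, version, arch) for name, arch, version in rows]

def pip_installed(log):
    """name -> version from pip's 'Successfully installed name-version ...' lines."""
    found = {}
    for run in re.findall(r"Successfully installed ((?:\S+-\d\S*\s*)+)", log):
        for token in run.split():
            m = re.fullmatch(r"(.+)-(\d[^-]*)", token)
            if m:
                found[m.group(1)] = m.group(2)
    return found

def pip_unconstrained(log):
    """Requirements pip collected with no version specifier in the log."""
    reqs = re.findall(r"Collecting ([A-Za-z0-9_.-]+)(\S*)", log)
    return [name for name, spec in reqs if not spec]

if __name__ == "__main__":
    print("yum:", yum_installed(SAMPLE_LOG), "pip:", pip_installed(SAMPLE_LOG))
    print("no version specifier:", pip_unconstrained(SAMPLE_LOG))
```

Run over each log object under the association's OutputS3KeyPrefix, the result can be compared between the 30-day runs to see which package versions changed.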

Checking Action

Now that everything is ready, access an EC2 instance and confirm that amazon-efs-utils has been installed.
This time, we will access Instance1 to check.
Use SSM Session Manager to access the instance.

```bash
% aws ssm start-session --target i-0c59ea8cc2aeb73c2

Starting session with SessionId: root-02323560c270157c7
sh-4.2$
```

For more information on SSM Session Manager, please see the following page.

Make sure amazon-efs-utils is installed.

```bash
sh-4.2$ sudo yum list installed | grep efs
amazon-efs-utils.noarch 1.33.2-1.amzn2 installed
```

You can see that it has been successfully installed.
Thus we see that we can install amazon-efs-utils using SSM Distributor AmazonEFSUtils.

Checking the Operation of amazon-efs-utils installed by AmazonEFSUtils.

Check the disk status with the df command.

```bash
$ sudo yum list installed | grep efs
amazon-efs-utils.noarch 1.33.2-1.amzn2 installed
sh-4.2$
sh-4.2$
sh-4.2$ df -hT
Filesystem        Type      Size  Used Avail Use% Mounted on
devtmpfs          devtmpfs  178M     0  178M   0% /dev
tmpfs             tmpfs     215M     0  215M   0% /dev/shm
tmpfs             tmpfs     215M  356K  215M   1% /run
tmpfs             tmpfs     215M     0  215M   0% /sys/fs/cgroup
/dev/nvme0n1p1    xfs       8.0G  1.6G  6.4G  20% /
/dev/nvme0n1p128  vfat       10M  3.8M  6.3M  38% /boot/efi
                  nfs4      8.0E     0  8.0E   0% /mnt/efs
```

EFS is mounted.
You can see that amazon-efs-utils is working.

Finally, we will perform a file write to EFS.

```bash
sh-4.2$ cd /mnt/efs
sh-4.2$ sudo touch test.txt
sh-4.2$ ls
test.txt
```

We were able to write successfully.
The amazon-efs-utils installed with AmazonEFSUtils worked fine.


We have shown you how to install the EFS client according to best practices.
We have verified that amazon-efs-utils can be newly installed or periodically updated by using SSM Distributor AmazonEFSUtils.