Skip to content
This repository has been archived by the owner on Nov 27, 2023. It is now read-only.

Introduce support for external EFS volumes #622

Merged
merged 1 commit into from
Sep 15, 2020
Merged

Introduce support for external EFS volumes #622

merged 1 commit into from
Sep 15, 2020

Conversation

ndeloof
Copy link
Collaborator

@ndeloof ndeloof commented Sep 15, 2020

What I did
Introduce support for EFS volumes set as extrernal volumes:

services:
  foo:
    volumes:
      - "data:/tmp"

volumes:
  data:
    external: true
    name: "fs-1234abcd"

Related issue
https://github.com/docker/ecs-plugin/issues/254
https://github.com/docker/ecs-plugin/issues/220

(not mandatory) A picture of a cute animal, if possible in relation with what you did
image

@ndeloof ndeloof requested review from chris-crone, gtardif and aiordache and removed request for chris-crone September 15, 2020 10:56
@github-actions github-actions bot added the ecs label Sep 15, 2020
@ndeloof
Introduce support for external EFS volumes
30de56f 
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
@gtardif
Copy link
Contributor

gtardif commented Sep 15, 2020

How does name: "fs-1234abcd" link to the EFS? (or what are the requirement to create a valid volume we can point at?)
Just to understand a bit the magic behind this.
I guess there is no credential issues because your AWS profile must have access to the EFS volume, and security rules are defined at deploy time to resolve access from the containers

gtardif
gtardif reviewed Sep 15, 2020
View reviewed changes
go.mod
@@ -6,6 +6,8 @@ go 1.15
// we need to create a new release tag for docker/distribution
replace github.com/docker/distribution => github.com/docker/distribution v0.0.0-20200708230824-53e18a9d9bfe

replace github.com/awslabs/goformation/v4 => github.com/ndeloof/goformation/v4 v4.8.1-0.20200827081523-b7a7ac375adf
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmmm... what's this ? :)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

temporary workaround waiting for awslabs/goformation#300 to be fixed

gtardif
gtardif reviewed Sep 15, 2020
View reviewed changes
ecs/cloudformation.go
// as "source security group" use an arbitrary network attached to service(s) who mounts target volume
for n, vol := range project.Volumes {
err := b.SDK.WithVolumeSecurityGroups(ctx, vol.Name, func(securityGroups []string) error {
target := securityGroups[0]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why requiring a string[] as parameter if we only use the first element ? (opened question, is it just because the AWS API returns a string[] in WithVolumeSecurityGroups? )

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes indeed, I'd like to keep sdk as a thin wrapper on aws-go-sdk and not introduce too much logic there

@ndeloof
Copy link
Collaborator Author

ndeloof commented Sep 15, 2020
edited
Loading

How does name: "fs-1234abcd" link to the EFS? (or what are the requirement to create a valid volume we can point at?) Just to understand a bit the magic behind this.

this is the filesystem ID (unique). As an external volume, setting name allows to distinguish between compose model internal references (service.volumes -> volumes) and external identifier that might not be a valid compose ID.
see https://github.com/compose-spec/compose-spec/blob/master/spec.md#name-1

I guess there is no credential issues because your AWS profile must have access to the EFS volume, and security rules are defined at deploy time to resolve access from the containers

Nope, nothing helped resolve access from the container, that's why I have to register a dedicated ingress rule to allow NFS traffic between (at least one) service's securityGroup and EFS volume (a distinct mount target per A.Z)

gtardif
gtardif approved these changes Sep 15, 2020
View reviewed changes
Copy link
Contributor

@gtardif gtardif left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be demoed on Thursday ? 🎉

@ndeloof ndeloof merged commit 5b76dda into main Sep 15, 2020
@ndeloof ndeloof deleted the efs branch September 15, 2020 16:10
@christophluehr
Copy link

christophluehr commented Sep 27, 2020
edited
Loading

Quick note, volumes can have dashes in their compose file names, with ECS/Cloudformation this leads to errors (if someone else runs into this):

    volumes:
      - data-vol:/data

volumes:
  data-vol:
    external: true
    name: "fs-xxxxxx"

ValidationError: Template format error: Resource name frontendNFSMountdata-volume is non alphanumeric.
status code: 400, request id: fb3c1-xxxxxxxx

@chris-crone chris-crone mentioned this pull request Sep 28, 2020
Closed
@ndeloof ndeloof mentioned this pull request Oct 5, 2020
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@gtardif gtardif gtardif approved these changes

@aiordache aiordache Awaiting requested review from aiordache

@chris-crone chris-crone Awaiting requested review from chris-crone

Assignees
No one assigned
Labels
ecs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ndeloof @gtardif @christophluehr