ECS / EFS - User ID Issues

Open: GadgetGeekNI opened this issue 2 years ago, 1 comment

Hi folks,

I'm having a few issues trying to deploy out a test environment using ECS and EFS as my data volume.

I am getting user permission errors when, I believe, the container is trying to read the mounted EFS volume.

When the containers are started, I get the following:

Error: Server: (failed to setupServer), Wrapped: (failed to NewController), Can't continue. We can't safely access "/mnt/opc/data/.op/data/files" because it's not owned by the current user. Change the owner or logged in user and try again.

I'm doing this with Terraform, or attempting to (!). Here is my EFS Access Point & ECS config; I assume the error will jump out at someone between these two, as I feel like it's to do with the user ID given to the EFS system, but I am unsure what to set it to in order to get it working. I can't exec into the container because it tears down again immediately when this error appears.

resource "aws_efs_access_point" "opc_user_data_efs_access_point" {
  file_system_id = aws_efs_file_system.opc_ecs_volume_efs_file_system.id
  posix_user {
    gid = 1000
    uid = 1000
  }
  root_directory {
    path = local.efs_root_access_point_path
    creation_info {
      owner_gid   = 1000
      owner_uid   = 1000
      permissions = 775
    }
  }
  tags = merge({ Name = "${local.efs_name}-access-point" })
}

resource "aws_ecs_task_definition" "opc_api_ecs_task_definition" {
  family                   = "opc-api-task-def"
  ###OtherConfig
  container_definitions = jsonencode([{
    name  = "opc-api"
    image = "1password/connect-api:latest"
    portMappings = [
      {
        containerPort = 8080
        hostPort      = 8080
      }
    ]
    environment = [
      {
        name  = "OP_SESSION"
        value = var.op_base64_credentials
      },
      {
        name = "XDG_DATA_HOME"
        value = "/mnt/opc/data"
      }
    ]
    command = []
    mountPoints = [
      {
        containerPath = "/mnt/opc/data"
        sourceVolume  = "connect-data"
      }
    ]
  }])
  volume {
    name = "connect-data"
    efs_volume_configuration {
      file_system_id     = aws_efs_file_system.opc_ecs_volume_efs_file_system.id
      root_directory     = "/"
      transit_encryption = "ENABLED"
      authorization_config {
        iam             = "ENABLED"
        access_point_id = aws_efs_access_point.opc_user_data_efs_access_point.id
      }
    }
  }
  tags = merge({ Name = "opc-connect-service-task-def" })
}

GadgetGeekNI commented Jul 04 '23 15:07

Hey @GadgetGeekNI! Sorry for the late reply here. Could you try using uid and gid 999 instead of 1000? Those are the user and group IDs used by the Connect Docker image.

Let me know if that works!

jpcoenen commented Aug 01 '23 10:08
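The error in the issue is an ownership check: Connect refuses to start when the data directory under `XDG_DATA_HOME` is not owned by the uid the container process runs as. An EFS access point enforces its `posix_user` for every operation through that access point, so with `uid = 1000` in the Terraform above every directory Connect creates on EFS is owned by 1000 while the process itself runs as 999, which is exactly the mismatch the maintainer's reply addresses. The following POSIX shell snippet is an added diagnostic written for this page, not code from 1Password Connect or from the issue's Terraform. It reproduces the ownership check on any mounted path (for example from a host or sidecar that mounts the same EFS access point), given the uid and gid the container runs as (999 for the Connect image, per the reply); the function name, the constructed directory layout and the arguments are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not part of 1Password Connect): reproduce the
# "not owned by the current user" check on a mounted data directory.
#
# Usage: check_data_dir_ownership DATA_DIR EXPECTED_UID EXPECTED_GID
#   DATA_DIR      the mounted data path (XDG_DATA_HOME, e.g. /mnt/opc/data)
#   EXPECTED_UID  uid the container process runs as (999 for connect-api)
#   EXPECTED_GID  gid the container process runs as (999 for connect-api)
# Returns 0 when DATA_DIR and every directory beneath it are owned by
# EXPECTED_UID:EXPECTED_GID; otherwise prints each offending directory
# with its actual owner and returns 1.
check_data_dir_ownership() {
  data_dir="$1"
  expected_uid="$2"
  expected_gid="$3"

  if [ ! -d "$data_dir" ]; then
    echo "missing data directory: $data_dir" >&2
    return 1
  fi

  # find's -user / -group accept numeric ids, which is what matters here:
  # the container's uid may have no passwd entry on the host doing the check.
  mismatched=$(find "$data_dir" -type d \
    \( ! -user "$expected_uid" -o ! -group "$expected_gid" \) \
    -exec sh -c 'printf "%s owned by %s:%s\n" "$1" "$(stat -c %u "$1")" "$(stat -c %g "$1")"' sh {} \;)

  if [ -n "$mismatched" ]; then
    echo "ownership mismatch (expected $expected_uid:$expected_gid):" >&2
    echo "$mismatched" >&2
    return 1
  fi
  return 0
}

# Constructed demonstration: build the layout Connect expects under the
# data directory and check it against the current user, then against an
# id that cannot own it. On a real task you would point this at the mount.
demo_ownership_check() {
  demo_dir=$(mktemp -d)
  mkdir -p "$demo_dir/.op/data/files"

  check_data_dir_ownership "$demo_dir" "$(id -u)" "$(id -g)" && echo "ok: owned by $(id -u):$(id -g)"
  # A uid the directory is not owned by reproduces the failure Connect reports.
  check_data_dir_ownership "$demo_dir" "$(( $(id -u) + 1 ))" "$(id -g)" || echo "mismatch detected, as expected"

  rm -rf "$demo_dir"
}
```

With the access point's `posix_user` and `creation_info` set to 999, as the reply suggests, the check passes because EFS then creates and presents everything under the access point as 999:999, matching the Connect process. Keep `permissions` on the root directory at something the owning user can write to (the issue's `775` is fine); a tighter mode on a directory owned by the wrong uid is what turns into the startup failure above.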