Description of problem:
Could not mount efs volume from openshift worker server

Version-Release number of selected component (if applicable):
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.0.0-0.nightly-2019-01-25-205123   True        False         4h      Cluster version is 4.0.0-0.nightly-2019-01-25-205123

How reproducible:
Always

Steps to Reproduce:
1. Install openshift env
2. Create efs volume from https://us-east-2.console.aws.amazon.com/efs/home?region=us-east-2#/filesystems
3. Openshift worker security group: qe-piqin2_worker_sg
   Group ID: sg-0a9f31bc392ec8265
   Group Name: terraform-20190128045437340200000006
   VPC ID: vpc-0d54a4e6df8542d08
   OWNER: 301721915996
   Description: Managed by Terraform

   Openshift worker inbound rules are as below:
   Security Groups associated with i-0391b31f00484f990

   Ports         Protocol   Source                                                              terraform-20190128045437340200000006
   80            tcp        0.0.0.0/0                                                           ✔
   30000-32767   tcp        sg-091b999268ff1680e, sg-0a9f31bc392ec8265                          ✔
   0             icmp       0.0.0.0/0                                                           ✔
   All           All        sg-032caf68a9ba6cb30                                                ✔
   22            tcp        0.0.0.0/0                                                           ✔
   10255         tcp        sg-0081e88f123f3fb7e, sg-0a9f31bc392ec8265                          ✔
   10250         tcp        sg-0081e88f123f3fb7e, sg-0a9f31bc392ec8265                          ✔
   4789          udp        sg-0081e88f123f3fb7e, sg-0a9f31bc392ec8265, sg-0fc3f2a3b2302eb23    ✔
   4194          tcp        sg-0081e88f123f3fb7e, sg-0a9f31bc392ec8265                          ✔
   443           tcp        0.0.0.0/0                                                           ✔
   9100          tcp        sg-0081e88f123f3fb7e, sg-0a9f31bc392ec8265                          ✔

   EFS:
   VPC: vpc-0d54a4e6df8542d08 - qe-piqin2.qe.devcluster.openshift.com
   Availability Zone: us-east-2a
   Subnet: subnet-001829760f2af164b - qe-piqin2-worker-us-east-2a
   IP address: 10.0.142.122
   Mount target ID: fsmt-bd3f90c4
   Network interface ID: eni-05ac20712bd213406
   Security groups: sg-0a9f31bc392ec8265 - terraform-20190128045437340200000006
                    sg-032caf68a9ba6cb30 - k8s-elb-a24ac1c3122bb11e98079021de76574f
   Mount target state: Available
4. Mount efs volume from openshift worker server
   sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-0d22bf74.efs.us-east-2.amazonaws.com:/ efs
   mount.nfs4: Connection timed out

Actual results:
Efs volume failed to mount

Expected results:
Should mount efs volume successfully

Master Log:

Node Log (of failed PODs):

PV Dump:

PVC Dump:

StorageClass Dump (if StorageClass used by PV/PVC):

Additional info:
What if NFS (2049) inbound access is added to the EFS security group?
Please check if 2049 is open, as shown here: https://docs.aws.amazon.com/efs/latest/ug/accessing-fs-create-security-groups.html
After I add the 2049 port into the security group, the EFS volume can be mounted.

80            tcp        0.0.0.0/0                                                           ✔
30000-32767   tcp        sg-02b3f6605a435d19f, sg-0af3df3a0948c9ef0                          ✔
0             icmp       0.0.0.0/0                                                           ✔
All           All        sg-0bd95f490853b5972                                                ✔
22            tcp        0.0.0.0/0                                                           ✔
10255         tcp        sg-02b3f6605a435d19f, sg-0cadd781d9319a54a                          ✔
10250         tcp        sg-02b3f6605a435d19f, sg-0cadd781d9319a54a                          ✔
4789          udp        sg-02b3f6605a435d19f, sg-07d987ba7a62adf53, sg-0cadd781d9319a54a    ✔
4194          tcp        sg-02b3f6605a435d19f, sg-0cadd781d9319a54a                          ✔
443           tcp        0.0.0.0/0                                                           ✔
9100          tcp        sg-02b3f6605a435d19f, sg-0cadd781d9319a54a                          ✔
2049          tcp        sg-02b3f6605a435d19f                                                ✔
mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 10.0.141.46:/ efs

[root@ip-10-0-130-175 efs]# mount | grep efs
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
10.0.141.46:/ on /var/roothome/efs type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.0.130.175,local_lock=none,addr=10.0.141.46)
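
The check suggested in this thread can be run against the inbound rules before attempting the mount. The following is an added example, not part of the original report or of any OpenShift or AWS tooling: it evaluates rules in the IpPermissions shape returned by `aws ec2 describe-security-groups` and reports which source, if any, admits a client on 2049/tcp. The helper names, the rule subset transcribed from the description's table, the added 2049 rule and the use of 10.0.130.175 as the client address are assumptions made for illustration.

```python
import ipaddress

NFS_PORT = 2049  # NFSv4 port used by the EFS mount target

def covers(perm, port, proto="tcp"):
    """True if one IpPermissions entry covers proto/port ("-1" means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != proto:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def nfs_source_match(ip_permissions, client_sg_ids, client_ip):
    """Return the SG id or CIDR that admits the client on 2049/tcp, else None."""
    addr = ipaddress.ip_address(client_ip)
    for perm in ip_permissions:
        if not covers(perm, NFS_PORT):
            continue
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] in client_sg_ids:
                return pair["GroupId"]
        for rng in perm.get("IpRanges", []):
            if addr in ipaddress.ip_network(rng["CidrIp"]):
                return rng["CidrIp"]
    return None

def rule(proto, lo, hi, sgs=(), cidrs=()):
    """Hypothetical helper: build one entry in the IpPermissions shape."""
    perm = {"IpProtocol": proto,
            "UserIdGroupPairs": [{"GroupId": g} for g in sgs],
            "IpRanges": [{"CidrIp": c} for c in cidrs]}
    if proto != "-1":
        perm.update(FromPort=lo, ToPort=hi)
    return perm

WORKER_SG = "sg-0a9f31bc392ec8265"
# Constructed sample: subset of the inbound rules listed in the bug description.
BEFORE = [
    rule("tcp", 80, 80, cidrs=["0.0.0.0/0"]),
    rule("tcp", 30000, 32767, sgs=["sg-091b999268ff1680e", WORKER_SG]),
    rule("-1", None, None, sgs=["sg-032caf68a9ba6cb30"]),  # "All All" row
    rule("tcp", 22, 22, cidrs=["0.0.0.0/0"]),
    rule("tcp", 10250, 10250, sgs=["sg-0081e88f123f3fb7e", WORKER_SG]),
    rule("tcp", 443, 443, cidrs=["0.0.0.0/0"]),
]
# Constructed fix: allow 2049/tcp with the worker group itself as the source.
AFTER = BEFORE + [rule("tcp", NFS_PORT, NFS_PORT, sgs=[WORKER_SG])]

if __name__ == "__main__":
    for name, perms in (("before", BEFORE), ("after", AFTER)):
        print(name, nfs_source_match(perms, {WORKER_SG}, "10.0.130.175"))
```

The "All All" row does not help the worker, because its source is a different security group; only a rule whose source is the client's own group or a CIDR containing its address lets the NFS connection through.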
Marked as verified due to https://bugzilla.redhat.com/show_bug.cgi?id=1669993#c7
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758