troubleshooting-efs

仓库: aws/agent-toolkit-for-aws
安装量: 506
排名: #6887

安装

npx skills add https://github.com/aws/agent-toolkit-for-aws --skill troubleshooting-efs

Troubleshooting EFS Overview Domain expertise for diagnosing and resolving Amazon EFS issues. Covers mount failures, NFS connectivity, IAM and POSIX permissions, throughput and performance, and encryption problems. For authoritative guidance, see EFS Troubleshooting . Common Tasks 0. Verify Dependencies You MUST verify aws CLI is available You MUST check if amazon-efs-utils or nfs-utils is installed on the instance You MUST ONLY check for tool existence and version — MUST NOT execute destructive or mutating commands during verification You MUST inform the user if any required tools are missing You MUST respect the user's decision to abort if tools are unavailable You SHOULD explain what each step does and why before executing it You SHOULD display write commands and wait for user confirmation before executing 1. Classify the Issue Symptom Category "wrong fs type" or mount command fails A: Missing NFS Client Connection timed out (hangs 2+ min) B: Network/Security Group "access denied by server" C: IAM/Permissions Slow throughput or high latency D: Performance NFS server error on encrypted FS E: Encryption/KMS DNS name resolution fails F: VPC DNS 2. Category A — Missing NFS Client

Amazon Linux / RHEL / CentOS

sudo yum -y install amazon-efs-utils

preferred (includes mount helper + TLS)

OR

sudo yum -y install nfs-utils

Ubuntu / Debian

sudo apt-get install nfs-common 3. Category B — Network/Security Group Connection timeout is the #1 EFS mount failure — almost always security groups. Verify mount target exists in the instance's AZ: aws efs describe-mount-targets --file-system-id fs-ID --region REGION Verify security groups — check BOTH directions: Mount target SG: aws ec2 describe-security-groups --group-ids sg-MT — MUST have inbound TCP 2049 from compute SG Compute SG: MUST have outbound TCP 2049 to mount target SG Quick fix: aws ec2 authorize-security-group-ingress --group-id sg-MT --protocol tcp --port 2049 --source-group sg-COMPUTE Test connectivity: nc -zv fs-ID.efs.REGION.amazonaws.com 2049 Note: These security group troubleshooting steps also apply to S3 Files. The only difference is S3 Files uses aws s3files list-mount-targets instead of aws efs describe-mount-targets . 4. Category C — IAM/Permissions "access denied by server" with -o iam : Check identity-based IAM policy has elasticfilesystem:ClientMount Check file system resource policy: aws efs describe-file-system-policy --file-system-id fs-ID --region REGION Note: IAM authorization is only enforced when a file system policy exists that requires it. Without a file system policy, any client in the VPC with port 2049 access can mount — even with -o iam . To enforce IAM, you MUST create a file system policy that denies anonymous access. POSIX permission denied (not IAM): Check file/directory ownership: ls -la /mnt/efs/ Use access points to enforce UID/GID for consistent permissions 5. Category D — Performance Check throughput mode: aws efs describe-file-systems --file-system-id fs-ID --region REGION --query 'FileSystems[0].ThroughputMode' Burst credit exhaustion (Bursting mode only): aws cloudwatch get-metric-statistics --namespace AWS/EFS --metric-name BurstCreditBalance --dimensions Name = FileSystemId,Value = fs-ID --period 3600 --statistics Average --start-time $( date -u -d '24 hours ago' +%Y-%m-%dT%H:%M:%S ) --end-time $( date -u +%Y-%m-%dT%H:%M:%S ) If credits near zero, switch to Elastic throughput: aws efs update-file-system --file-system-id fs-ID --throughput-mode elastic --region REGION General Purpose vs Max I/O: Check PercentIOLimit metric — if consistently >80%, consider Max I/O Note: performance mode is IMMUTABLE — must create new FS and migrate 6. Category E — Encryption/KMS NFS server error on encrypted FS = KMS key issue. Verify key is enabled in KMS console Verify EFS service-linked role has KMS permissions If key deleted: cancel deletion if within grace period 7. Category F — VPC DNS DNS resolution failure = VPC DNS settings disabled. aws ec2 describe-vpc-attribute --vpc-id vpc-ID --attribute enableDnsHostnames aws ec2 describe-vpc-attribute --vpc-id vpc-ID --attribute enableDnsSupport Both MUST be true . If not: aws ec2 modify-vpc-attribute --vpc-id vpc-ID --enable-dns-hostnames Value = true aws ec2 modify-vpc-attribute --vpc-id vpc-ID --enable-dns-support Value = true Troubleshooting Mount hangs then times out Most common cause: security group. Verify TCP 2049 is open between compute and mount target. Auto-mount fails on reboot /etc/fstab entry MUST include _netdev option to wait for network before mounting. "nfs not responding" after reconnect Old kernel bug with TCP port reuse. Update kernel or add noresvport mount option. Enable Debug Logs Set logging_level = DEBUG in /etc/amazon/efs/efs-utils.conf . Logs at /var/log/amazon/efs/mount.log . Collect Logs for AWS Support sudo tar -czf /tmp/efs-logs.tar.gz /var/log/amazon/efs/ /etc/amazon/efs/efs-utils.conf Security Considerations IAM authorization is only enforced when a file system policy exists — without one, any VPC client with port 2049 access can mount When troubleshooting access denied, verify both identity-based and resource-based policies Use -o tls for encryption in transit — unencrypted NFS traffic is visible on the network Restrict /var/log/amazon/efs/ access — logs may contain file system IDs and mount target IPs Additional Resources EFS Troubleshooting EFS Performance EFS Mount Helper

返回排行榜