EFS(8) | System Manager's Manual | EFS(8) |
NAME
mount.efs - Mount helper for using Amazon EFS file systems.
SYNOPSIS
mount.efs fs-id-or-dns-name mount-point [-o options]
DESCRIPTION
mount.efs is part of the amazon-efs-utils package. It improves mount performance and simplifies using EFS file systems.
mount.efs is meant to be used through the mount(8) command for mounting EFS file systems.
mount.efs launches a proxy process that forwards NFS traffic from the kernel's NFS client to EFS. This proxy is responsible for TLS encryption, and for providing improved throughput performance.
fs-id-or-dns-name has to be of one of the following two forms:
- An EFS filesystem ID in the form of "fs-abcd1234", generated when the file system is created.
- A domain name that has a resolvable DNS-CNAME record, which in turn points to a fully-qualified EFS DNS name in the form of "fs-abcd1234.efs.us-east-1.amazonaws.com" or "us-east-1a.fs-abcd1234.efs.us-east-1.amazonaws.com".
mount-point is the local directory on which the file system will be mounted.
mount.efs automatically applies the following NFS options:
- nfsvers=4.1
- rsize=1048576
- wsize=1048576
- hard
- timeo=600
- retrans=2
- noresvport
- tls (for Mac distributions)
By default, when using the Amazon EFS mount helper with Transport Layer Security (TLS), the mount helper enforces certificate hostname checking and disables the use of Online Certificate Status Protocol (OCSP). These options can be configured in the config file located at /etc/amazon/efs/efs-utils.conf.
Additionally, the Amazon EFS mount helper has built-in logging for troubleshooting purposes. These logs are located at /var/log/amazon/efs.
It is possible to configure your Amazon EC2 instance to automatically remount your Amazon EFS file system when it reboots. For more information, see the online documentation at: https://docs.aws.amazon.com/efs/latest/ug/mount-fs-auto-mount-onreboot.html.
OPTIONS
-o: Options are specified with the -o flag followed by a comma-separated string of options. All of the options specified in nfs(5) are available, in addition to the following EFS-specific options:
- tls
- Mounts the EFS file system over TLS. For EC2 instances using Mac distributions, this option is passed by default and the EFS file system is mounted over TLS.
- notls
- Mounts the EFS file system without TLS. Applies to Mac distributions only.
- tlsport=n
- Configures the proxy process to listen for connections from the NFS client on the specified port. This is applicable to both non-tls and tls mounts. By default, the tlsport is chosen randomly from the port range defined in the config file located at /etc/amazon/efs/efs-utils.conf.
- verify=n
- Verify TLS certificates using the specified stunnel verify level. For more information, see stunnel(8).
- ocsp / noocsp
- Selects whether to perform OCSP validation on TLS certificates, overriding /etc/amazon/efs/efs-utils.conf. By default OCSP is disabled. For more information, see stunnel(8). The ocsp mount option is incompatible with the efs-proxy process, and will revert efs-utils to the legacy "stunnel" mode, which does not support improved per-client throughput performance.
- iam
- Use the system's IAM identity to authenticate with EFS. The mount helper will try to retrieve the required IAM credentials from the following locations: the AWS credentials URI passed by mount option, the AWS CLI credentials file (~/.aws/credentials), the AWS CLI config file (~/.aws/config), the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable, the AssumeRoleWithWebIdentity API, and the EC2 instance profile. The first location that has credentials will be used. This option requires the tls option.
- rolearn
- Role ARN for IAM authentication with the AssumeRoleWithWebIdentity API.
- jwtpath
- Identity token for IAM authentication with the AssumeRoleWithWebIdentity API.
- accesspoint
- Mount the EFS file system using the specified access point. This option requires the tls option. The access point must be in the "available" state before it can be used to mount EFS.
- awsprofile
- Use the named profile to look up IAM credentials in the AWS CLI credentials file (~/.aws/credentials) or AWS CLI config file (~/.aws/config). If botocore is installed, assume the named profile and use the credentials of the assumed profile. If "awsprofile" is not specified, the "default" profile is used.
- awscredsuri
- Use the relative URI to look up IAM credentials from the ECS task metadata endpoint.
- cafile
- Use the cafile as the stunnel certificate authority file.
- netns
- Mount the EFS file system to the specified network namespace.
- az
- Mount the EFS file system to the specified availability zone mount target.
- mountport
- Use port 2049 to bypass the portmapper daemon on EC2 Mac instances running macOS Big Sur.
- mounttargetip
- Mount the EFS file system to the specified mount target IP address.
- stunnel
- Forward NFS traffic from the local NFS client to EFS using stunnel instead of efs-proxy. This will enable compatibility with the ocsp mount option, but will not deliver the increased throughput performance provided by efs-proxy. This option is enabled by default for Mac clients.
EXAMPLES
- sudo mount -t efs fs-abcd1234 /mnt/efs
- Mount an EFS file system with file system ID "fs-abcd1234" at mount point "/mnt/efs" without encryption of data in transit.
- sudo mount -t efs -o mounttargetip=192.0.0.1 fs-abcd1234 /mnt/efs
- Mount an EFS file system with file system ID "fs-abcd1234" on the mount target that belongs to the file system with address "192.0.0.1" without encryption of data in transit.
- sudo mount -t efs -o netns=/proc/1/net/ns fs-abcd1234 /mnt/efs
- Mount an EFS file system with file system ID "fs-abcd1234" at mount point "/mnt/efs" without encryption of data in transit in the given network namespace "/proc/1/net/ns".
- sudo mount -t efs -o az=us-east-1a fs-abcd1234 /mnt/efs
- Mount an EFS file system with file system ID "fs-abcd1234" at mount point "/mnt/efs" to the mount target in availability zone us-east-1a.
- sudo mount -t efs fs-abcd1234:/child /mnt/efs
- Mount a non-root directory of an EFS file system with file system ID "fs-abcd1234" at mount point "/mnt/efs" without encryption of data in transit.
- sudo mount -t efs -o tls fs-abcd1234 /mnt/efs
- Mount an EFS file system with file system ID "fs-abcd1234" at mount point "/mnt/efs" using encryption of data in transit.
- sudo mount -t efs -o tls,verify=0 fs-abcd1234 /mnt/efs
- Mount an EFS file system with file system ID "fs-abcd1234" at mount point "/mnt/efs" using encryption of data in transit and a verify level of 0.
- sudo mount -t efs -o tls,ocsp fs-abcd1234 /mnt/efs
- Mount an EFS file system with file system ID "fs-abcd1234" at mount point "/mnt/efs" using encryption of data in transit and with OCSP validation enabled.
- sudo mount -t efs custom-cname.example.com /mnt/efs
- Mount an EFS file system using the custom DNS name "custom-cname.example.com" — which has to resolve to a fully-qualified EFS DNS name such as "fs-abcd1234.efs.us-east-1.amazonaws.com" — at mount point "/mnt/efs" without encryption of data in transit.
- sudo mount -t efs -o tls custom-cname.example.com /mnt/efs
- Mount an EFS file system using the custom DNS name "custom-cname.example.com" — which has to resolve to a fully-qualified EFS DNS name such as "fs-abcd1234.efs.us-east-1.amazonaws.com" — at mount point "/mnt/efs" using encryption of data in transit.
- sudo mount -t efs -o tls,iam fs-abcd1234 /mnt/efs
- Mount an EFS file system with file system ID "fs-abcd1234" at mount point "/mnt/efs" with encryption of data in transit. The mount helper will authenticate with EFS using the system's IAM identity.
- sudo mount -t efs -o tls,iam,rolearn="ROLE_ARN",jwtpath="PATH/JWT_TOKEN_FILE" fs-abcd1234 /mnt/efs
- Mount an EFS file system with file system ID "fs-abcd1234" at mount point "/mnt/efs" with encryption of data in transit. The mount helper will assume the role "ROLE_ARN" by calling the AssumeRoleWithWebIdentity API with the identity token at "PATH/JWT_TOKEN_FILE".
- sudo mount -t efs -o tls,iam,awsprofile=test-profile fs-abcd1234 /mnt/efs
- Mount an EFS file system with file system ID "fs-abcd1234" at mount point "/mnt/efs" with encryption of data in transit. The mount helper will authenticate with EFS using the IAM identity of the named profile "test-profile", for which the credentials are retrieved from either /root/.aws/credentials or /root/.aws/config. If the credentials are not present in the credentials or config files, and there is a "[profile test-profile]" section in the /root/.aws/config file, the mount helper will assume the named profile "test-profile" based on the profile section configuration in /root/.aws/config and use the credentials retrieved with botocore to mount (botocore must be pre-installed).
- sudo mount -t efs -o tls,accesspoint=fsap-12345678 fs-abcd1234 /mnt/efs
- Mount an EFS file system with file system ID "fs-abcd1234" at mount point "/mnt/efs" with encryption of data in transit. The file system is mounted using the access point "fsap-12345678".
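Several of the examples above mount without encryption of data in transit, and the iam and accesspoint options are documented as requiring tls. The following audit of fstab(5)-format entries is an added example, not part of amazon-efs-utils; it assumes a Linux client (where tls is not applied automatically), and the function names and sample entries are constructed for illustration.

```bash
# Added example (not from amazon-efs-utils): flag weak EFS entries in fstab(5) input.
# Assumption: Linux client, where mount.efs uses TLS only when "tls" is given.

# has_opt OPTS NAME: true if NAME or NAME=value is in the comma-separated OPTS
has_opt() {
    case ",$1," in
        *",$2,"*|*",$2="*) return 0 ;;
    esac
    return 1
}

# audit_efs_opts MOUNTPOINT OPTS: print one finding per line
audit_efs_opts() {
    if has_opt "$2" notls || ! has_opt "$2" tls; then
        echo "$1: NFS traffic is not encrypted in transit (tls not set)"
        for o in iam accesspoint; do   # both are documented as requiring tls
            if has_opt "$2" "$o"; then echo "$1: $o requires the tls option"; fi
        done
    fi
    case ",$2," in
        # stunnel(8) verify level 0 requests the peer certificate but ignores it
        *,verify=0,*) echo "$1: verify=0 makes stunnel ignore the peer certificate" ;;
    esac
    return 0
}

# audit_efs_fstab: read fstab-format lines on stdin, audit entries of type efs
audit_efs_fstab() {
    while read -r dev mnt fstype opts _rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$fstype" = efs ] || continue
        audit_efs_opts "$mnt" "$opts"
    done
    return 0
}

# Constructed sample entries (IDs, paths and port are placeholders)
sample_fstab() {
    cat <<'EOF'
# constructed sample, fstab(5) format
fs-abcd1234:/ /mnt/plain efs _netdev 0 0
fs-abcd1234:/ /mnt/tls efs _netdev,tls 0 0
fs-abcd1234:/ /mnt/noverify efs _netdev,tls,verify=0 0 0
fs-abcd1234:/ /mnt/iam efs _netdev,iam 0 0
fs-abcd1234:/ /mnt/ap efs _netdev,tls,iam,accesspoint=fsap-12345678,tlsport=20049 0 0
10.0.0.5:/export /mnt/nfs nfs4 defaults 0 0
EOF
}

sample_fstab | audit_efs_fstab
```

To audit a real host, feed the function the system table instead of the sample: audit_efs_fstab < /etc/fstab.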
FILES
- /sbin/mount.efs
- The executable for the Amazon EFS mount helper.
- /usr/bin/amazon-efs-mount-watchdog
- The executable for the supervisor process that monitors the network relay.
- /etc/amazon/efs/efs-utils.conf
- The configuration file for the Amazon EFS mount helper.
- /etc/amazon/efs/efs-utils.crt
- The default Certificate Authority file used by the Amazon EFS mount helper.
- /etc/init/amazon-efs-mount-watchdog.conf
- The configuration file for the supervisor process.
- /var/log/amazon/efs/
- The directory where logs for the Amazon EFS mount helper, the stunnel network relay, and the supervisor process are stored.
- /usr/share/man/man8/mount.efs.8
- The man page for the Amazon EFS mount helper.
NOTES
For more information on using the amazon-efs-utils package, see https://docs.aws.amazon.com/efs/latest/ug/using-amazon-efs-utils.html in the Amazon EFS User Guide.
The paths on EC2 macOS instances are relocated under the /usr/local/Cellar/amazon-efs-utils/<version>/libexec directory.
SEE ALSO
nfs(8), stunnel(8), fstab(5)
COPYING
Copyright 2017-2018 Amazon.com, Inc. and its affiliates. All Rights Reserved.