个人中心
gpt4 book ai didi

ubuntu - 从 EC2 实例挂载 s3 存储桶时如何使 S3FS 使用 IMDS v2

转载 作者:行者123 更新时间:2023-12-04 18:42:53 24 4
gpt4 key购买 nike

我们无法在需要 IMDS v2 的 AWS EC2 实例上安装 S3 存储桶(不过,IMDS v1 可以正常工作!)。我们使用的是 s3fs-fuse v1.90,它应该支持 IMDS v2(在 Ubuntu 18.04 上)。
这就是我们尝试挂载 S3 存储桶的方式:

sudo s3fs <bucket> <mount-point> -o iam_role=auto,url=https://s3.eu-central-1.amazonaws.com,endpoint=eu-central-1,allow_other,uid=1000,gid=1000,mp_umask=007,use_cache=/tmp/s3foldercache,dbglevel=debug -f
但是,我们收到此错误消息: 
2021-09-02T12:40:53.157Z [INF]       curl.cpp:LoadIAMRoleFromMetaData(2919): Get IAM Role name
2021-09-02T12:40:53.157Z [DBG] curl_handlerpool.cpp:GetHandler(81): Get handler from pool: rest = 31
2021-09-02T12:40:53.158Z [DBG] curl.cpp:RequestPerform(2283): connecting to URL http://169.254.169.254/latest/meta-data/iam/security-credentials/
2021-09-02T12:40:53.159Z [ERR] curl.cpp:RequestPerform(2394): HTTP response code 401, returning EIO. Body Text: <?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>401 - Unauthorized</title>
 </head>
 <body>
  <h1>401 - Unauthorized</h1>
 </body>
</html>

2021-09-02T12:40:53.160Z [CRT] s3fs.cpp:s3fs_init(3395): could not load IAM role name from meta data.
2021-09-02T12:40:53.160Z [ERR] s3fs.cpp:s3fs_exit_fuseloop(3372): Exiting FUSE event loop due to errors
同样,当我们在 EC2 实例上允许 IMDS v1 时,mount 命令可以正常工作。
我们如何确保 s3fs 将使用 IMDS v2?
编辑:
非常感谢 @Noah 为 s3fs 提供了修复。我已经提取了最新的提交,但现在看到一条新的错误消息。显然 IMDSv2 token 检索失败,无论我是否申请 iam_role=autoiam_role=some_profile (删除 -f 也不会改变任何东西): 
2021-09-06T05:43:58.857Z [INF] s3fs.cpp:s3fs_init(3382): init v1.90(commit:9d1552a) with OpenSSL
2021-09-06T05:43:58.857Z [INF]       curl.cpp:LoadIAMRoleFromMetaData(3181): Get IAM Role name
2021-09-06T05:43:58.857Z [DBG] curl_handlerpool.cpp:GetHandler(81): Get handler from pool: rest = 31
2021-09-06T05:43:58.857Z [DBG] curl.cpp:RequestPerform(2509): connecting to URL http://169.254.169.254/latest/api/token
2021-09-06T05:43:58.889Z [ERR] curl.cpp:RequestPerform(2622): HTTP response code 417, returning EIO. Body Text: <?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>417 - Expectation Failed</title>
 </head>
 <body>
  <h1>417 - Expectation Failed</h1>
 </body>
</html>
2021-09-06T05:43:58.890Z [ERR] curl.cpp:LoadIAMRoleFromMetaData(3212): AWS IMDSv2 token retrieval failed: -5
2021-09-06T05:43:58.890Z [DBG] curl.cpp:RequestPerform(2509): connecting to URL http://169.254.169.254/latest/meta-data/iam/security-credentials/
2021-09-06T05:43:58.892Z [ERR] curl.cpp:RequestPerform(2622): HTTP response code 401, returning EIO. Body Text: <?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>401 - Unauthorized</title>
 </head>
 <body>
  <h1>401 - Unauthorized</h1>
 </body>
</html>
2021-09-06T05:43:58.892Z [CRT] s3fs.cpp:s3fs_init(3395): could not load IAM role name from meta data.
2021-09-06T05:43:58.892Z [ERR] s3fs.cpp:s3fs_exit_fuseloop(3372): Exiting FUSE event loop due to errors

最佳答案

如果您明确指定 IAM 角色,它是否有效?
当需要 token 时,似乎检索 IAM 角色信息(需要 iam_role=auto )可能存在问题。
此外,在测试这个时,我遇到了 -f 时的问题。使用了选项,所以也尝试删除它。
以下是使用以下命令安装存储桶时显示正确 token 检索的日志。通过挂载点访问存储桶按预期工作。$ sudo s3fs <REDACTED> /mnt -o iam_role=s3fs-testing,allow_other,uid=1000,gid=1000,mp_umask=007,use_cache=/tmp/s3foldercache,dbglevel=debug

Sep 02 16:06:46 ip-10-0-0-77 s3fs[600]: init v1.89(commit:unknown) with GnuTLS(gcrypt)
Sep 02 16:06:46 ip-10-0-0-77 s3fs[600]: check services.
Sep 02 16:06:46 ip-10-0-0-77 s3fs[600]: IAM Access Token refreshing...
Sep 02 16:06:46 ip-10-0-0-77 s3fs[600]:       [IAM role=s3fs-testing]
Sep 02 16:06:46 ip-10-0-0-77 s3fs[600]: curl_handlerpool.cpp:GetHandler(81): Get handler from pool: rest = 31
Sep 02 16:06:46 ip-10-0-0-77 s3fs[600]: curl.cpp:RequestPerform(2254): connecting to URL http://169.254.169.254/latest/api/token
Sep 02 16:06:46 ip-10-0-0-77 s3fs[600]:       HTTP response code 200
Sep 02 16:06:46 ip-10-0-0-77 s3fs[600]:       Setting AWS IMDSv2 API token to <REDACTED>
Sep 02 16:06:46 ip-10-0-0-77 s3fs[600]: curl.cpp:RequestPerform(2254): connecting to URL http://169.254.169.254/latest/meta-data/iam/security-credentials/s3fs-testing
Sep 02 16:06:46 ip-10-0-0-77 s3fs[600]:       HTTP response code 200
Sep 02 16:06:46 ip-10-0-0-77 s3fs[600]:       IAM credential response = "{
                                          "Code" : "Success",
                                          "LastUpdated" : "2021-09-02T15:36:20Z",
                                          "Type" : "AWS-HMAC",
                                          "AccessKeyId" : "REDACTED",
                                          "SecretAccessKey" : "REDACTED",
                                          "Token" : "REDACTED",
                                          "Expiration" : "2021-09-02T22:10:48Z"
                                        }"
Sep 02 16:06:46 ip-10-0-0-77 s3fs[600]: IAM Access Token refreshed

关于ubuntu - 从 EC2 实例挂载 s3 存储桶时如何使 S3FS 使用 IMDS v2,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/69031023/

24 4 0
文章推荐: python - 如何实现python aiogram bot的自动重新加载?
文章推荐: python - Systemd - Python 脚本主进程退出,code=exited,status=1/FAILURE
文章推荐: Perl 模块无法识别
文章推荐: postgresql - psql : error: FATAL: Peer authentication failed for user "blog" in PostgreSQL for Ubuntu 20. 04 LTS
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com