Flexibility to increase the EFS TLS Ports via /etc/amazon/efs/efs-utils.conf #1398

Open
rshiva777 opened this issue Jul 1, 2024 · 5 comments
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@rshiva777

/kind bug

What happened?
When I run pods with multiple EFS volume mounts, some pods go into Pending state because the EFS ports are fully occupied (20049 - 20449)

What you expected to happen?
I expect a way to increase the EFS TLS ports from (20049 - 20449) as per the requirement

How to reproduce it (as minimally and precisely as possible)?

Create a deployment with 10 EFS volume mounts, scale the replica to 50

Anything else we need to know?:

I tried adding a configmap with an efs-utils.conf file with updated ports, then mounted it to the csi-node daemonset. After that I see the below error on the daemonset

F0701 15:16:18.687401 1 main.go:65] cannot create config file /etc/amazon/efs for efs-utils. Error: open /etc/amazon/efs/efs-utils.conf: read-only file system

It seems efs-csi is trying to update the efs-utils.conf file mounted via configmap and failing.

Environment

  • Kubernetes version (use kubectl version): 1.28
  • Driver version: 1.7.3

Please also attach debug logs to help us better diagnose

Defaulted container "efs-plugin" out of: efs-plugin, csi-driver-registrar, liveness-probe
I0701 15:16:18.674262 1 config_dir.go:56] Symlink or directory exists at '/etc/amazon/efs', no need to create one
I0701 15:16:18.674972 1 metadata.go:65] getting MetadataService...
I0701 15:16:18.676846 1 metadata.go:70] retrieving metadata from EC2 metadata service
I0701 15:16:18.685570 1 driver.go:150] Did not find any input tags.
I0701 15:16:18.686302 1 driver.go:116] Registering Node Server
I0701 15:16:18.686420 1 driver.go:118] Registering Controller Server
I0701 15:16:18.686512 1 driver.go:121] Starting efs-utils watchdog
I0701 15:16:18.686885 1 efs_watch_dog.go:221] Skip copying /etc/amazon/efs/efs-utils.conf since it exists already
I0701 15:16:18.686964 1 efs_watch_dog.go:216] Copying /etc/amazon/efs/efs-utils.crt since it doesn't exist
F0701 15:16:18.687401 1 main.go:65] cannot create config file /etc/amazon/efs for efs-utils. Error: open /etc/amazon/efs/efs-utils.conf: read-only file system

  • Instructions to gather debug logs can be found here
@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jul 1, 2024
@rshiva777 rshiva777 changed the title Flexibility is increase the EFS TLS Ports via /etc/amazon/efs/efs-utils.conf Flexibility to increase the EFS TLS Ports via /etc/amazon/efs/efs-utils.conf Jul 1, 2024
@daro1337

I had the same error. In my case, I wanted to change the log level in /etc/amazon/efs/efs-utils.conf, but I am not able to apply my configuration.

@avanish23
Contributor

avanish23 commented Oct 1, 2024

Hi @rshiva777
Where are you getting the 20049 - 20449 port range numbers? Officially the ports allowed are 20049 to 21049.
Please share the error you see when the port range is exhausted.

Coming to the question of why the port range did not get updated even though you had configured the config maps: the port range is not configurable and we do not pick the values up from the env variables; as of date only AWS_DEFAULT_REGION and FIPS_ENABLED are configurable and are picked up from the env variables.

@daro1337, even in your case, since the log level is currently not configurable, you could not set it to DEBUG.
However, please refer to the following doc to enable DEBUG logs.

Given this, @rshiva777, maybe you can also change the port range by shelling into the driver pod. Please try this and let us know if it works.

Tagging @mskanth972 to confirm the same; can we have a configurable port range and log level via a config map?

@avanish23
Contributor

/assign

@mskanth972
Contributor

@avanish23, you're right. However, we recently expanded the driver’s port range from 400 to 1000. I suggest trying the latest version, v2.0.8. However, if you're using addons, note that v2.0.8 hasn't been made public yet, so you'll need to use v2.0.7 instead.

The reason you're not seeing any changes after updating the config file is that the EFS CSI Driver uses a separate config file located in watchdog.go. So, even if you modify the EFS Utils config file, it defaults back to the values specified in the watchdog file.

You can refer to this PR for more details: #1402.
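
A diagnostic sketch for the port exhaustion discussed in this thread, added here as an example and not code from aws-efs-csi-driver or efs-utils: it reads the TLS port range from an efs-utils.conf and counts the listening sockets inside it from `/proc/net/tcp`-style rows. Assumptions: the `[mount]` keys `port_range_lower_bound` and `port_range_upper_bound`, an exclusive upper bound (which matches the 400 and 1000 port counts quoted above), and one listening local port per TLS mount; the config text and socket rows are constructed samples.

```python
import configparser

# Constructed sample of efs-utils.conf, using the range quoted in the issue.
SAMPLE_CONF = """
[mount]
port_range_lower_bound = 20049
port_range_upper_bound = 20449
"""

# Constructed /proc/net/tcp-style rows, trimmed to the first four columns:
# local_address is HEXIP:HEXPORT, st 0A = LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st
   0: 0100007F:4E51 00000000:0000 0A
   1: 0100007F:4E52 00000000:0000 0A
   2: 0100007F:4E53 0100007F:C001 01
   3: 00000000:0016 00000000:0000 0A
"""

def port_range(conf_text):
    """Return (lower, upper) from the [mount] section (key names are assumed)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return (cp.getint("mount", "port_range_lower_bound"),
            cp.getint("mount", "port_range_upper_bound"))

def listening_ports(proc_net_tcp):
    """Collect local ports of sockets in LISTEN state; other rows are skipped."""
    ports = set()
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def tls_port_usage(conf_text, proc_net_tcp, new_mounts=0):
    """Report used/free ports in the range and whether new_mounts more would fit."""
    lo, hi = port_range(conf_text)  # assumption: upper bound is exclusive
    used = sorted(p for p in listening_ports(proc_net_tcp) if lo <= p < hi)
    free = (hi - lo) - len(used)
    return {"range": (lo, hi), "used": used, "free": free, "fits": new_mounts <= free}

if __name__ == "__main__":
    # 10 volumes for one more pod on this node, as in the reproduction steps.
    print(tls_port_usage(SAMPLE_CONF, SAMPLE_PROC_NET_TCP, new_mounts=10))
```

On a node, the same functions can be fed the contents of `/etc/amazon/efs/efs-utils.conf` and `/proc/net/tcp` as seen from inside the driver pod.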

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 30, 2024
6 participants