From 32bf8938107ecc5531ef9ea13dac94914861a978 Mon Sep 17 00:00:00 2001
From: akutz
Date: Mon, 26 Jun 2017 13:54:47 -0500
Subject: [PATCH] EFS SecurityGroup Warning

This patch fixes #511 by sending an instance's full SG list to the remote service where the EFS storage driver examines the server-side SG list with the client-side list. If any of the server-side SGs are not present in the client-side list a warning will be logged in order to assist with debugging.
---
 drivers/storage/efs/storage/efs_storage.go | 34 +++++++++++++++++++---
 drivers/storage/efs/utils/utils.go | 2 +-
 2 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/drivers/storage/efs/storage/efs_storage.go b/drivers/storage/efs/storage/efs_storage.go
index 6db583ca..408675be 100644
--- a/drivers/storage/efs/storage/efs_storage.go
+++ b/drivers/storage/efs/storage/efs_storage.go
@@ -657,18 +657,44 @@ func (d *driver) VolumeAttach( // No mount targets were found if ma == nil { + var iSecGrpIDs []string secGrpIDs := d.secGroups if v, ok := iid.Fields[efs.InstanceIDFieldSecurityGroups]; ok { - iSecGrpIDs := strings.Split(v, ";") - ctx.WithField("secGrpIDs", iSecGrpIDs).Debug( - "using instance security group IDs") - secGrpIDs = iSecGrpIDs + iSecGrpIDs = strings.Split(v, ";") + if len(iSecGrpIDs) == 1 { + ctx.WithField("secGrpIDs", iSecGrpIDs).Debug( + "using instance security group IDs") + secGrpIDs = iSecGrpIDs + } } if len(secGrpIDs) == 0 { return nil, "", errInvalidSecGroups } + // make sure all of the request security groups + // are available on the instance + var missingSecGrpIDs []string + for _, csg := range secGrpIDs { + var found bool + for _, isg := range iSecGrpIDs { + if csg == isg { + found = true + break + } + } + if !found { + missingSecGrpIDs = append(missingSecGrpIDs, csg) + } + } + + // log a warning if any of the server-side defined SGs + // are not present in the list sent by the client instance + if len(missingSecGrpIDs) > 0 { + log.WithField("missingStorageGroups", missingSecGrpIDs).Warn( + "configured sec grps not present on instance") + } + request := &awsefs.CreateMountTargetInput{ FileSystemId: aws.String(vol.ID), SubnetId: aws.String(iid.ID), diff --git a/drivers/storage/efs/utils/utils.go b/drivers/storage/efs/utils/utils.go index ab41b0c3..50b0b27e 100644 --- a/drivers/storage/efs/utils/utils.go +++ b/drivers/storage/efs/utils/utils.go @@ -93,7 +93,7 @@ func InstanceID(ctx types.Context) (*types.InstanceID, error) { efs.InstanceIDFieldAvailabilityZone: iid.AvailabilityZone, } - if len(secGroups) == 1 { + if len(secGroups) > 0 { iidFields[efs.InstanceIDFieldSecurityGroups] = strings.Join( secGroups, ";") }
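Review bot: The missing-group comparison in VolumeAttach runs even when the request carried no security-group field, so `iSecGrpIDs` is nil and every configured group is logged as missing; an empty field value is also mishandled, because `strings.Split("", ";")` yields `[""]`, which satisfies `len(iSecGrpIDs) == 1` and replaces the configured groups with a single empty ID. Wrapping the loop and the warning in `if len(iSecGrpIDs) > 0 {` and skipping empty elements would keep the warning meaningful. The warning is also emitted through what appears to be the package-level `log` under the key `missingStorageGroups`, while the rest of the hunk logs via `ctx`; `ctx.WithField("missingSecGrpIDs", missingSecGrpIDs).Warn(` would keep the request context and name the field for what it holds. The list is reported by the client, so the comparison is a debugging aid rather than something the server can rely on for enforcement. VolumeAttach begins before and continues past this hunk.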
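Review bot: Sending the field for any non-empty list in InstanceID changes what a server built before this patch does with it: the removed lines in efs_storage.go show the older server using the split list as the mount target's security groups unconditionally, so a multi-group instance would override the server-configured groups there. If clients and servers can be upgraded independently, that version skew deserves a mention in the release notes. A comment above the condition would record the new contract, for example `// send every SG; the server treats the list as an override only when it has exactly one entry`. InstanceID starts before and continues past this hunk.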