DEV Community

hayao-k for AWS Community Builders

Posted on • Originally published at hayao-k.dev

Running Amazon S3 Mountpoint Inside a Container

Introduction

Here is a simple example of running Mountpoint for Amazon S3 from inside a container

  • Created with information as of 3/21/2023 (version: 0.2.0-b8363a4)

  • Mountpoint for Amazon S3 is currently in alpha release and should not be used in production workloads

Container image is also available in ECR Public gallery.

Dockerfile



FROM rust:1.68.0 as Build

RUN apt-get update && apt-get install -y \
    clang\
    cmake \
    curl \
    fuse \
    git \
    libfuse-dev \
    pkg-config \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/* \
 && git clone --recurse-submodules https://github.com/awslabs/mountpoint-s3.git \
 && cd mountpoint-s3 \
 && cargo build --release


FROM debian:bullseye-slim
RUN apt-get update && apt-get install -y \
    ca-certificates \
    libfuse-dev \
    sudo \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*

COPY --from=build /mountpoint-s3/target/release/mount-s3 /usr/local/bin/mount-s3

RUN chmod 777 /usr/local/bin/mount-s3

RUN useradd -ms /bin/bash mount-s3-user \
 && echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers \
 && adduser mount-s3-user sudo

USER mount-s3-user


Enter fullscreen mode Exit fullscreen mode

Getting started

Image Build



docker image build -t mount-s3:latest .


Enter fullscreen mode Exit fullscreen mode

Run



docker container run --privileged --rm -it mount-s3:latest bash


Enter fullscreen mode Exit fullscreen mode

Enjoy



mount-s3-user@ce43831fda04:~$ sudo mount-s3 <bucket_name> /mnt --allow-other --region ap-northeast-1
mount-s3-user@ce43831fda04:~$ ls -l /mnt/test.json
-rw-r--r-- 1 root root 306424 Feb 21 02:42 /mnt/test.json


Enter fullscreen mode Exit fullscreen mode

EC2 on Docker Consideration

If using EC2 IAM roles for AWS credentials, increasing the IMDSv2 hop limit from 1 to 2 in the instance metadata options is recommended.

In a container environment, if the hop limit is 1, the IMDSv2 response does not return because going to the container is considered an additional network hop. To avoid the process of falling back to IMDSv1 and the resultant delay, in a container environment we recommend that you set the hop limit to 2



aws ec2 modify-instance-metadata-options \
    --instance-id i-xxxxxxxxxxxxxxxxx \
    --http-put-response-hop-limit 2 \
    --http-endpoint enabled


Enter fullscreen mode Exit fullscreen mode

I hope this will be of help to someone else.

GitHub Repo

container-mountpoint-s3

This is a simple container image to verify the operation of Mountpoint for Amazon S3 in a container environment.

Container image is also available in ECR Public gallery.

Getting started

Image Build

docker image build -t mount-s3:latest .
Enter fullscreen mode Exit fullscreen mode

Run

docker container run --privileged --rm -it mount-s3:latest bash

Enjoy

mount-s3-user@ce43831fda04:~$ sudo mount-s3 <bucket_name> /mnt --allow-other --region ap-northeast-1
mount-s3-user@ce43831fda04:~$ ls -l /mnt/test.json
-rw-r--r-- 1 root root 306424 Feb 21 02:42 /mnt/test.json

EC2 on Docker Consideration

If using EC2 IAM roles for AWS credentials, increasing the IMDSv2 hop limit from 1 to 2 in the instance metadata options is recommended.

In a container environment, if the hop limit is 1, the IMDSv2 response does not return because going to the container is considered an additional network hop. To avoid the process of falling back to IMDSv1 and the resultant delay, in a container environment we recommend that you set the…





Top comments (0)