Problem
On hosts where the DNS resolver returns both IPv4-mapped IPv6 (NAT64) and IPv4 addresses, efs-utils connects using the IPv6 address, which either times out or is unreachable on port 2049. The mount fails with mount.nfs4: Connection timed out.
Reproduction
# DNS returns IPv6 (NAT64-mapped) address first
$ getent ahosts fs-07aa54b903aedf48c.efs.us-east-1.amazonaws.com
64:ff9b::c0a8:6188 STREAM fs-07aa54b903aedf48c.efs.us-east-1.amazonaws.com
64:ff9b::c0a8:6188 DGRAM
64:ff9b::c0a8:6188 RAW
192.168.97.136 STREAM
192.168.97.136 DGRAM
192.168.97.136 RAW
# EFS CSI node pod logs
E0617 10:26:40.650836 mount_linux.go:272] Mount failed: exit status 32
Mounting command: mount
Mounting arguments: -t efs -o accesspoint=fsap-...,tls fs-07aa54b903aedf48c:/ /var/lib/kubelet/...
Output: Could not start amazon-efs-mount-watchdog, unrecognized init system "aws-efs-csi-dri"
Mount attempt 1/3 failed due to timeout after 15 sec, wait 0 sec before next attempt.
Mount attempt 2/3 failed due to timeout after 15 sec, wait 0 sec before next attempt.
b'mount.nfs4: Connection timed out'
Root cause
efs-utils uses AF_UNSPEC for DNS resolution, so the OS picks the first address returned — which on NAT64/dual-stack hosts is an IPv6 address. The EFS mount target is only reachable over IPv4 (port 2049), so the connection times out.
Workaround
None currently. A DNS-level workaround (suppressing AAAA records via CoreDNS) is possible but requires cluster-level config changes.
Expected behaviour
- A config option (e.g.
prefer_ipv4 = true in efs-utils.conf) to force AF_INET resolution and connect over IPv4.
- Dynamically detect/discover whether IPv4 should be used or IPv6 should be used at the time.
Problem
On hosts where the DNS resolver returns both IPv4-mapped IPv6 (NAT64) and IPv4 addresses, efs-utils connects using the IPv6 address, which either times out or is unreachable on port 2049. The mount fails with
mount.nfs4: Connection timed out.Reproduction
Root cause
efs-utils uses
AF_UNSPECfor DNS resolution, so the OS picks the first address returned — which on NAT64/dual-stack hosts is an IPv6 address. The EFS mount target is only reachable over IPv4 (port 2049), so the connection times out.Workaround
None currently. A DNS-level workaround (suppressing AAAA records via CoreDNS) is possible but requires cluster-level config changes.
Expected behaviour
prefer_ipv4 = trueinefs-utils.conf) to forceAF_INETresolution and connect over IPv4.