aws / efs-utils

Utilities for Amazon Elastic File System (EFS)
MIT License

Which binary (stunnel vs stunnel5) is used for helper initiated EFS mounts after amazon-efs-utils 1.34.1 introduces stunnel5 as a dependency? #168

Closed MioG777829 closed 1 year ago

MioG777829 commented 1 year ago

We are tracking behavior of AL2 instances which have the latest amazon-efs-utils version, and BOTH the stunnel and stunnel5 binaries, the latter being installed as a dependency of amazon-efs-utils. We are not seeing consistency in which stunnel binary is used for mounting EFS volumes.

Is there any logic in upgraded amazon-efs-utils with the introduction of stunnel5, which decides the system preference for using stunnel vs stunnel5, or is that left entirely to the operating system? We have a preference for stunnel5 due to the leak but sample systems do not all use stunnel5, even though it is available.

RyanStan commented 1 year ago

On Amazon Linux 2, we will only ever use stunnel5. This change was released in v1.34.1. Any mounts that were made prior to upgrading past this version may be using stunnel. If this is the case, you can remount those directories. Or, you can kill those processes and they will be spun up as stunnel5 by the watchdog process. However, this will temporarily interrupt your EFS mount.

If you are seeing new mounts being spun up with stunnel5, then please post the output of ps -aux | grep stunnel, as well as efs-utils logs with debug mode enabled. Instructions on how to pull these logs can be found here.


For some more background in case others have questions about stunnel and stunnel5:

On Amazon Linux 2 instances, there is both a stunnel package and a stunnel5.


Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Available Packages
Name        : stunnel
Arch        : x86_64
Version     : 4.56
Release     : 6.amzn2.0.3
Size        : 149 k
Repo        : amzn2-core/2/x86_64
Summary     : An SSL-encrypting socket wrapper
URL         : http://www.stunnel.org/
License     : GPLv2
Description : Stunnel is a socket wrapper which can provide SSL (Secure Sockets
            : Layer) support to ordinary applications. For example, it can be used
            : in conjunction with imapd to create an SSL secure IMAP server.

[ec2-user@ip-172-31-31-57 ~]$ yum info stunnel5
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Available Packages
Name        : stunnel5
Arch        : x86_64
Version     : 5.58
Release     : 1.amzn2.0.1
Size        : 165 k
Repo        : amzn2-core/2/x86_64
Summary     : A TLS-encrypting socket wrapper
URL         : http://www.stunnel.org/
License     : GPLv2
Description : Stunnel is a socket wrapper which can provide TLS/SSL
            : (Transport Layer Security/Secure Sockets Layer) support
            : to ordinary applications. For example, it can be used in
            : conjunction with imapd to create a TLS secure IMAP server.

They point to different versions of stunnel. On Amazon Linux 2023, stunnel points to version 5, so this stunnel5 namespacing is not necessary.
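
An added example, not part of the thread or of efs-utils: a shell helper that sorts running tunnel processes by binary name, so mounts still served by the legacy stunnel (the ones the reply above says to remount) stand out from those on stunnel5. The ps lines and config paths are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Classify TLS tunnel processes by the stunnel binary they run.
# Input:  lines of "PID COMMAND ARGS..." as printed by `ps -eo pid=,args=`.
# Output: one line per tunnel: "<stunnel|stunnel5> <pid> <config path>".
classify_stunnel() {
    awk '
    {
        n = split($2, parts, "/")        # basename of the executable
        bin = parts[n]
        # Match the binary name exactly, so the grep process and any
        # other command that merely mentions "stunnel" are skipped.
        if (bin != "stunnel" && bin != "stunnel5") next
        print bin, $1, $3
    }'
}

# Only the tunnels still on the legacy binary (stunnel 4.56 on AL2):
# candidates for a remount after upgrading efs-utils.
legacy_tunnels() {
    classify_stunnel | awk '$1 == "stunnel" { print $2, $3 }'
}

# Constructed sample of `ps -eo pid=,args=` output (assumed layout:
# binary path followed by a per-mount config file).
sample_ps() {
cat <<'EOF'
 2211 /usr/bin/stunnel /var/run/efs/stunnel-config.fs-11111111.mnt-old.20049
 3390 /usr/bin/stunnel5 /var/run/efs/stunnel-config.fs-22222222.mnt-new.20127
 3412 grep --color=auto stunnel
 3500 /usr/sbin/sshd -D
EOF
}

if [ "${1:-}" = "--live" ]; then
    ps -eo pid=,args= | legacy_tunnels      # real process table
else
    sample_ps | classify_stunnel            # demo on the sample above
fi
```

Run with --live on an instance to list only the legacy tunnels from the real process table; a host may also run stunnel processes unrelated to EFS, so check the config path in the last column.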

MioG777829 commented 1 year ago

Thank you @RyanStan - this has been helpful. I assume above you meant "If you are seeing new mounts being spun up with stunnel, then please post the output of.." (going forward we want stunnel5 to be spun up, not stunnel)