Video 1. OCI Level 100 - File Storage (Demo starts at 23:00)
Oracle Cloud Infrastructure (OCI) File Storage Service (FSS) is a managed file storage service that
- Provides a durable, scalable, distributed, enterprise-grade network file system.
- Using industry-standard Network File System (NFSv3) file access protocols and file system semantics
- You can start with a file system that contains only a few kilobytes (KB) of data and scale to exabytes (EB) of data without upfront provisioning.
- It protects your data by maintaining multiple replicas, providing transparent encryption, and enabling frequent snapshots.
- Can be accessed concurrently by thousands of compute instances
- You can connect to a FSS file system from any bare metal, virtual machine, or container instance in your Virtual Cloud Network (VCN)
- You can also access a file system from outside the VCN using Oracle Cloud Infrastructure FastConnect and Internet Protocol security (IPSec) virtual private network (VPN)
FSS Security
You create users and groups in OCI. Then, you can use policies to specify which users and groups can create, access, or modify resources such as file systems, mount targets, and export options.
| This security layer... | Uses these... | To control actions like... |
|---|---|---|
| IAM Service | OCI Users and policies | Creating instances (NFS clients) and VCNs. Creating, listing, and associating file systems and mount targets. |
| Network Security | IP addresses, CIDR blocks, security lists | Connecting the client instance to the mount target. This is on an ‘all or nothing’ basis - the client either can or cannot access the mount target, and therefore all file systems associated with it. |
| NFS export options | File system exports, IP addresses, Unix users | Applying access control per-file system based on source IP CIDR blocks that bridges the Security Lists layer and the NFS v.3 Unix Security layer. See Working with NFS Export Options to specify granular controls on a per-file system basis. |
| NFS v.3 Unix security | Unix users, file mode bits | Mounting file systems, reading and writing files. |
Remember that users in UNIX aren’t the same as users in OCI - they’re not linked or associated in any way. The OCI policy layer doesn’t govern anything that happens inside the file system, the UNIX security layer does. Conversely, the UNIX security layer doesn’t govern creating file systems or mount targets in OCI.
File System is a way that your Compute instances use to organize files on your storage. You can create a shared file system in the cloud using the FSS. To access your file systems, you need to create a new (or use an existing) mount target.
When you use the Cloud Console, creating a file system also creates a mount target that your Compute instances use to access and write to the file system. Once set up, file systems can be accessed from any OCI BM/VM instance in the same or other regions. They can also be accessed from your on-premise environment using FastConnect or IPSec VPN.[3]
1 Mount Target : N File systems
Using the API or the Command Line Interface (CLI), you can create file systems and mount targets independently of each other. Both file systems and mount targets are associated with an availability domain.
Once a mount target is created, multiple file systems can be associated with it. You can create up to 100 file systems per mount target. However, no two file systems associated with the same mount target can have overlapping export path (e.g., FS paths like /example and /example/path are not allowed)
In the discussions below, we will use this mount command example:
Follow these steps to create a File System on OCI:
File Storage Service is an AD-local service, available in all OCI regions and Availability Domains, which supports
Mount Target
Mount Target is an NFS endpoint that lives in a subnet. It has the following features:
- Must be in the same availability domain as the file system.
- When you create a file system, you can create a mount target or use an existing one.
- Each mount target has an export set
- A collection of one or more exports that control what file systems the mount target exports using NFSv3 protocol and how those file systems are found using the NFS mount protocol.
- The information stored in an export includes the file system OCID, export path, and export options. For more information, see Working with NFS Export Options.
- Exports and export sets are managed through the Console by the FSS. More advanced configuration options for exports and export sets are available in the Command Line Interface (CLI) and API.
- Provides the IP address or DNS name that is used in the mount command when connecting NFS clients to the FSS.
- Requires three private IP addresses in the subnet (don't use /30 or smaller subnets for the FSS)
- Should be placed in its own subnet
- Placing NFS clients and mount target in the same subnet can result in IP conflicts, as users are not shown which private IP;s are used for mount target.
- Mount Target Limits
- By default, you can create two mount targets per account per availability domain.
File System
File System is a way that your Compute instances use to organize files on your storage. You can create a shared file system in the cloud using the FSS. To access your file systems, you need to create a new (or use an existing) mount target.
When you use the Cloud Console, creating a file system also creates a mount target that your Compute instances use to access and write to the file system. Once set up, file systems can be accessed from any OCI BM/VM instance in the same or other regions. They can also be accessed from your on-premise environment using FastConnect or IPSec VPN.[3]
1 Mount Target : N File systems
Using the API or the Command Line Interface (CLI), you can create file systems and mount targets independently of each other. Both file systems and mount targets are associated with an availability domain.
Once a mount target is created, multiple file systems can be associated with it. You can create up to 100 file systems per mount target. However, no two file systems associated with the same mount target can have overlapping export path (e.g., FS paths like /example and /example/path are not allowed)
Paths in File Systems
In the discussions below, we will use this mount command example:
sudo mount 10.0.0.6:/example/path /mnt/mountpointA
where
10.0.0.6 is the mount target IP address and /example/path is the export pathThere are three kinds of paths that are used in the FSS:
- Export Paths
- Specified when a file system is associated with a mount target
- Appended to the mount target IP address, and used to mount (logically attach) to the file system
- Used only to distinguish one file system from another within a single mount target
- Syntax Rules
- Must start with a slash (/) followed by a sequence of zero or more slash-separated elements.
- Cannot end in a slash
- Cannot be a period (.) or two periods in sequence (..)
- Cannot exceed 255 bytes
- Mount Point Paths
- Are paths within a client instance to a locally accessible directory to which the remote file system is mounted
- /mnt/mountpointA is the path to the directory on the client instance on which the external file system is mounted.
- File System Paths
- Are paths to directories within the file system, and contain the contents of the file system.
- For example, snapshots of the file system can be accessed using the file system path, under the file system's root directory at .snapshot/name.
- The following example shows the path to a snapshot called 'January 1' when navigating from the instance:
- /mnt/mountpointA/.snapshot/January1
Creating a File System
Follow these steps to create a File System on OCI:
- From the Core Infrastructure, select File Storage.
- Choose a compartment in which you have permission to work.
- Click Create File System.
- In the Create File System dialog box, provide the following information:
- Enter a name for the File System.
- Choose an availability domain.
- Choose Edit Details for Mount Target
- Choose CREATE MOUNT TARGET (or you can SELECT AN EXISTING MOUNT TARGET)
- Enter a name for the Mount Target
- Choose a VCN for Mount Target
- Choose a subnet for Mount Target (e.g., FSS-subnet as in the video)
- Click Show Advanced Options
- Before you can mount this file system, you must configure security rules to allow traffic to subnet FSS-subnet.
- Choose IP ADDRESS
- Choose HOSTNAME
- Choose PATH
- Path name cannot be currently in use in the Mount Target
- Choose MAXIMUM FREE SPACE (IN GiB)
- Click Create File System.
Configuration Details
- File System Information
- Name
- The file system name doesn't need to be unique; an Oracle Cloud Identifier (OCID) uniquely identifies it.
- Availability domain
- The availability domain in which you want to run the File System.
- Mount Target Information
- File systems must be associated with a mount target in order to be mounted by any instance.
- By default, the mount target is created in your current compartment.
- The mount target must be in the same availability domain as the file system. You cannot change the availability domain.
- Virtual Cloud Network
- The first VCN listed in the selected compartment is used as default.
- Subnet
- The first subnet listed in the selected availability domain is used as default.
- FSS requires ingress TCP ports 111, 2048,2049, and 2050, in addition to standard ingress UDP ports 111 and 2048. Opening these ports enables traffic from Solaris, Linux, and Windows instances. Read Configuring VCN Security List Rules for File Storage for more information.
- Don't place NFS client(s) and mount target in the same subnet
- IP Address (Optional)
- You can specify an unused, local, private IP address, for example, between 10.0.0.2 and 10.0.0.254 for the new mount target.
- Hostname (Optional)
- You can specify a hostname you want to assign to the mount target.
- Which will be used to created a fully qualified domain name (FQDN) which cannot be changed in this dialog.
- Path Name (Optional)
- You can replace the default export path (default path using new file system's name) with a new one.
- Maximum Free Space (in GiB; Optional)
- Specifies the maximum free space (default: 8 exabytes) reported to applications by the FSS.
- Some applications fail to install because a capacity check reports too much available capacity (i.e. the default 8 exabytes).
- Setting the Maximum Free Space reported as available to a value acceptable by your application prevents this issue.
- Setting the maximum free space affects each file system associated with the mount target.
- Setting the maximum free space does not limit the amount of data you can store.
- Export Options (Important)
- Enable the "Require Privileged Source Port" export option. For more information, see Working with NFS Export Options.
Summary
- NFS v.3
- Network Lock Management (NLM) for file locking
- Full POSIX semantics
- Data Protection
- Snapshot capabilities; 10,000 snapshots per file system
- Security
- 128-bit, data-at-rest encryption for all file systems & metadata
- Management Options
References
- OCI Storage White Papers
- Best Practices for Deploying HA Architecture on OCI
- OCI―Knowing Virtual Cloud Network Basics (XML and More)
- Configuring VCN Security List Rules for File Storage (OCI)
- How EBS can be deployed on OCI
- VCNs and Subnets (OCI)
- Developer Tools (OCI)
- OCI Security Best Practices
- Learn more about VCNs
- About Security (OCI)
- Documentation
- Blogs
- API Documentation (OCI)
1 comment:
Excellent article - with a usable example. Thanks!
Post a Comment