OCI File Storage

File Storage Service

  • File Storage Service(FSS) provides a NFS-like experience for workflows that require a shared environement or for lift-and-shift applications that use NFS on-prem.

  • FSS is AD local

  • Supports NFS v.3 protocol

  • FSS uses Network Lock Mode (NLM) for file locking

  • FSS uses Full POSIX semantics

  • Data at REST is encrypted for all filesystems and metadata using 128bit keys

  • Up to 10000 snapshots can be executed per file system

  • Up to 100 file systems and 2 mount targets per AD per account (soft limit) can be configured.

Mount Targets

  • The mount target is a NFS endpoint that lives in your subnet of choice.

  • It has an IP address and a DNS name that that you can use in your mount commands.

  • It requires 3 private IP addresses in the subnet so the minimum subnet size that should be used is /29.

    • Two IPs are used during mount target creation. The thrid IP is for HA.

  • Placing NFS clients and mount targets in the same subnet CAN result in IP conflicts as users are not shown which IPs are used for mount targets.

    • Best practice: place FSS in its own subnet where it can cosume IPs as needed.

File Systems

  • To access your file system you create a new or use an existing mount target.

  • Up to 100 file systems cab be created per mount target.

  • The file systems will reside in the AD where FSS is configured (based on subnet assignment) but it can be accessible from on-prem through FastConnect/VPN.

Export Paths

  • A unique path specified when the file system is associated with a mount target during creation.

  • No 2 file systems can have overalapping pahts!

  • E.g:

    • Mount target: 10.0.0.5

    • Export path: /dir1/dir2

    • Linux command: sudo mount 10.0.0.5:/dir1/dir2 /mnt/mountpointA

File System Service Security

The service is prottected by several layers:

  1. IAM Service - groups should be allowed to access or manage the service

  2. Security Lists:

    • In the subnet where the service is attached the following ingress rules should be allowed: Stateful ingress: TCP/111, 2048-2050 and UDP/111,2048

    • A similar rule should allow egress traffic to the service on the above ports from the subnets where connections to this service are expected.

  3. Export Options

    • controls how NFS clients access the file system. Information is stored in an export includes the file system OCID, export path and client access options.

    • By default, it allows full access to all NFS clients. {"source": "0.0.0.0/0", "Privileged Source Port":"False", "Access":"Read_Write", "Identity Squash":"None"}

    • The defaults can be altered only using a RESTI API call for now.

  4. NFS v.3 Unix Security

Mounting OCI File Systems

  • The proeper NFS packages need to be installed on the hosts:

    • nfs-utlis for Oracle Linux or CentOS

    • nfs-common for Ubuntu

  • Mount commands are provided in the WebUI for easy setup of the clients.

Snapshots

  • Snapshots are read-only, space efficient, point-in-time backups of a file-system

  • Snapshots are created in the /.snapshots/ directory

  • You can restore a file using cp or an entire directory using rsync

  • It is always incremental so if no additional changes, no additional space is used.

PreviousOCI Object StorageNextOCI Key Management

Last updated

Was this helpful?