OCI File Storage

File Storage Service

File Storage Service(FSS) provides a NFS-like experience for workflows that require a shared environement or for lift-and-shift applications that use NFS on-prem.
FSS is AD local
Supports NFS v.3 protocol
FSS uses Network Lock Mode (NLM) for file locking
FSS uses Full POSIX semantics
Data at REST is encrypted for all filesystems and metadata using 128bit keys
Up to 10000 snapshots can be executed per file system
Up to 100 file systems and 2 mount targets per AD per account (soft limit) can be configured.

Mount Targets

The mount target is a NFS endpoint that lives in your subnet of choice.
It has an IP address and a DNS name that that you can use in your mount commands.
It requires 3 private IP addresses in the subnet so the minimum subnet size that should be used is /29.
- Two IPs are used during mount target creation. The thrid IP is for HA.
Placing NFS clients and mount targets in the same subnet CAN result in IP conflicts as users are not shown which IPs are used for mount targets.
- Best practice: place FSS in its own subnet where it can cosume IPs as needed.

File Systems

To access your file system you create a new or use an existing mount target.
Up to 100 file systems cab be created per mount target.
The file systems will reside in the AD where FSS is configured (based on subnet assignment) but it can be accessible from on-prem through FastConnect/VPN.

Export Paths

A unique path specified when the file system is associated with a mount target during creation.
No 2 file systems can have overalapping pahts!
E.g:
- Mount target: 10.0.0.5
- Export path: /dir1/dir2
- Linux command: sudo mount 10.0.0.5:/dir1/dir2 /mnt/mountpointA

File System Service Security

The service is prottected by several layers:

IAM Service - groups should be allowed to access or manage the service
Security Lists:
- In the subnet where the service is attached the following ingress rules should be allowed: Stateful ingress: TCP/111, 2048-2050 and UDP/111,2048
- A similar rule should allow egress traffic to the service on the above ports from the subnets where connections to this service are expected.
Export Options
- controls how NFS clients access the file system. Information is stored in an export includes the file system OCID, export path and client access options.
- By default, it allows full access to all NFS clients. {"source": "0.0.0.0/0", "Privileged Source Port":"False", "Access":"Read_Write", "Identity Squash":"None"}
- The defaults can be altered only using a RESTI API call for now.
NFS v.3 Unix Security

Mounting OCI File Systems

The proeper NFS packages need to be installed on the hosts:
- nfs-utlis for Oracle Linux or CentOS
- nfs-common for Ubuntu
Mount commands are provided in the WebUI for easy setup of the clients.

Snapshots

Snapshots are read-only, space efficient, point-in-time backups of a file-system
Snapshots are created in the /.snapshots/ directory
You can restore a file using cp or an entire directory using rsync
It is always incremental so if no additional changes, no additional space is used.

PreviousOCI Object Storage NextOCI Key Management

Last updated 3 years ago

Was this helpful?

File Storage Service

File Storage Service(FSS) provides a NFS-like experience for workflows that require a shared environement or for lift-and-shift applications that use NFS on-prem.

FSS is AD local

Supports NFS v.3 protocol

FSS uses Network Lock Mode (NLM) for file locking

FSS uses Full POSIX semantics

Data at REST is encrypted for all filesystems and metadata using 128bit keys

Up to 10000 snapshots can be executed per file system

Up to 100 file systems and 2 mount targets per AD per account (soft limit) can be configured.

Mount Targets

The mount target is a NFS endpoint that lives in your subnet of choice.

It has an IP address and a DNS name that that you can use in your mount commands.

It requires 3 private IP addresses in the subnet so the minimum subnet size that should be used is /29.

Two IPs are used during mount target creation. The thrid IP is for HA.

Placing NFS clients and mount targets in the same subnet CAN result in IP conflicts as users are not shown which IPs are used for mount targets.

Best practice: place FSS in its own subnet where it can cosume IPs as needed.

File Systems

To access your file system you create a new or use an existing mount target.

Up to 100 file systems cab be created per mount target.

The file systems will reside in the AD where FSS is configured (based on subnet assignment) but it can be accessible from on-prem through FastConnect/VPN.

Export Paths

A unique path specified when the file system is associated with a mount target during creation.

No 2 file systems can have overalapping pahts!

E.g:

Mount target: 10.0.0.5
Export path: /dir1/dir2
Linux command: sudo mount 10.0.0.5:/dir1/dir2 /mnt/mountpointA

File System Service Security

The service is prottected by several layers:

IAM Service - groups should be allowed to access or manage the service

Security Lists:

In the subnet where the service is attached the following ingress rules should be allowed: Stateful ingress: TCP/111, 2048-2050 and UDP/111,2048
A similar rule should allow egress traffic to the service on the above ports from the subnets where connections to this service are expected.

Export Options

controls how NFS clients access the file system. Information is stored in an export includes the file system OCID, export path and client access options.
By default, it allows full access to all NFS clients. {"source": "0.0.0.0/0", "Privileged Source Port":"False", "Access":"Read_Write", "Identity Squash":"None"}
The defaults can be altered only using a RESTI API call for now.

NFS v.3 Unix Security

Mounting OCI File Systems

The proeper NFS packages need to be installed on the hosts:

nfs-utlis for Oracle Linux or CentOS
nfs-common for Ubuntu

Mount commands are provided in the WebUI for easy setup of the clients.

Snapshots

Snapshots are read-only, space efficient, point-in-time backups of a file-system

Snapshots are created in the /.snapshots/ directory

You can restore a file using cp or an entire directory using rsync

It is always incremental so if no additional changes, no additional space is used.