> For the complete documentation index, see [llms.txt](https://cloud.nyquist.eu/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://cloud.nyquist.eu/oci/oci-storage/oci-file-storage.md).

# OCI File Storage

## File Storage Service

* File Storage Service(FSS) provides a NFS-like experience for workflows that require a shared environement or for lift-and-shift applications that use NFS on-prem.
* FSS is AD local
* Supports NFS v.3 protocol
* FSS uses Network Lock Mode (NLM) for file locking
* FSS uses Full POSIX semantics
* Data at REST is encrypted for all filesystems and metadata using 128bit keys
* Up to 10000 snapshots can be executed per file system
* Up to 100 file systems and 2 mount targets per AD per account (soft limit) can be configured.

### Mount Targets

* The mount target is a NFS endpoint that lives in your subnet of choice.
* It has an IP address and a DNS name that that you can use in your mount commands.
* It requires 3 private IP addresses in the subnet so the minimum subnet size that should be used is /29.
  * Two IPs are used during mount target creation. The thrid IP is for HA.
* Placing NFS clients and mount targets in the same subnet CAN result in IP conflicts as users are not shown which IPs are used for mount targets.
  * Best practice: place FSS in its own subnet where it can cosume IPs as needed.

### File Systems

* To access your file system you create a new or use an existing mount target.
* Up to 100 file systems cab be created per mount target.
* The file systems will reside in the AD where FSS is configured (based on subnet assignment) but it can be accessible from on-prem through FastConnect/VPN.

### Export Paths

* A unique path specified when the file system is associated with a mount target during creation.
* No 2 file systems can have overalapping pahts!
* E.g:
  * `Mount target: 10.0.0.5`
  * `Export path: /dir1/dir2`
  * Linux command: `sudo mount 10.0.0.5:/dir1/dir2 /mnt/mountpointA`

### File System Service Security

The service is prottected by several layers:

1. **IAM Service** - groups should be allowed to access or manage the service
2. **Security Lists**:
   * In the subnet where the service is attached the following ingress rules should be allowed: Stateful ingress: TCP/111, 2048-2050 and UDP/111,2048
   * A similar rule should allow egress traffic to the service on the above ports from the subnets where connections to this service are expected.
3. **Export Options**
   * controls how NFS clients access the file system. Information is stored in an export includes the file system OCID, export path and client access options.
   * By default, it allows full access to all NFS clients. {"source": "0.0.0.0/0", "Privileged Source Port":"False", "Access":"Read\_Write", "Identity Squash":"None"}
   * The defaults can be altered only using a RESTI API call for now.
4. **NFS v.3 Unix Security**

### Mounting OCI File Systems

* The proeper NFS packages need to be installed on the hosts:
  * `nfs-utlis` for Oracle Linux or CentOS
  * `nfs-common` for Ubuntu
* Mount commands are provided in the WebUI for easy setup of the clients.

### Snapshots

* Snapshots are read-only, space efficient, point-in-time backups of a file-system
* Snapshots are created in the `/.snapshots/` directory
* You can restore a file using `cp` or an entire directory using `rsync`
* It is always incremental so if no additional changes, no additional space is used.
