# OCI File Storage ## File Storage Service * File Storage Service(FSS) provides a NFS-like experience for workflows that require a shared environement or for lift-and-shift applications that use NFS on-prem. * FSS is AD local * Supports NFS v.3 protocol * FSS uses Network Lock Mode (NLM) for file locking * FSS uses Full POSIX semantics * Data at REST is encrypted for all filesystems and metadata using 128bit keys * Up to 10000 snapshots can be executed per file system * Up to 100 file systems and 2 mount targets per AD per account (soft limit) can be configured. ### Mount Targets * The mount target is a NFS endpoint that lives in your subnet of choice. * It has an IP address and a DNS name that that you can use in your mount commands. * It requires 3 private IP addresses in the subnet so the minimum subnet size that should be used is /29. * Two IPs are used during mount target creation. The thrid IP is for HA. * Placing NFS clients and mount targets in the same subnet CAN result in IP conflicts as users are not shown which IPs are used for mount targets. * Best practice: place FSS in its own subnet where it can cosume IPs as needed. ### File Systems * To access your file system you create a new or use an existing mount target. * Up to 100 file systems cab be created per mount target. * The file systems will reside in the AD where FSS is configured (based on subnet assignment) but it can be accessible from on-prem through FastConnect/VPN. ### Export Paths * A unique path specified when the file system is associated with a mount target during creation. * No 2 file systems can have overalapping pahts! * E.g: * `Mount target: 10.0.0.5` * `Export path: /dir1/dir2` * Linux command: `sudo mount 10.0.0.5:/dir1/dir2 /mnt/mountpointA` ### File System Service Security The service is prottected by several layers: 1. **IAM Service** - groups should be allowed to access or manage the service 2. **Security Lists**: * In the subnet where the service is attached the following ingress rules should be allowed: Stateful ingress: TCP/111, 2048-2050 and UDP/111,2048 * A similar rule should allow egress traffic to the service on the above ports from the subnets where connections to this service are expected. 3. **Export Options** * controls how NFS clients access the file system. Information is stored in an export includes the file system OCID, export path and client access options. * By default, it allows full access to all NFS clients. {"source": "0.0.0.0/0", "Privileged Source Port":"False", "Access":"Read\_Write", "Identity Squash":"None"} * The defaults can be altered only using a RESTI API call for now. 4. **NFS v.3 Unix Security** ### Mounting OCI File Systems * The proeper NFS packages need to be installed on the hosts: * `nfs-utlis` for Oracle Linux or CentOS * `nfs-common` for Ubuntu * Mount commands are provided in the WebUI for easy setup of the clients. ### Snapshots * Snapshots are read-only, space efficient, point-in-time backups of a file-system * Snapshots are created in the `/.snapshots/` directory * You can restore a file using `cp` or an entire directory using `rsync` * It is always incremental so if no additional changes, no additional space is used. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://cloud.nyquist.eu/oci/oci-storage/oci-file-storage.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.