Controlling Access to File Storage

Before you can mount a file system, you must configure security rules to allow traffic to the mount target's VNIC using specific protocols and ports. Security rules enable traffic for the following protocols:

  • Open Network Computing Remote Procedure Call (ONC RPC) rpcbind utility protocol

  • Network File System (NFS) protocol

  • Network File System (MOUNT) protocol

For more conceptual information, refer to the File Storage Overview chapter in the Oracle Private Cloud Appliance Concepts Guide.

Configuring VCN Security Rules for File Storage

You can add the required rules to a preexisting security list associated with a subnet, such as the default security list that is created along with the VCN.

For specific information about which security rules are required for the File Storage service, refer to File Storage Network Ports in the File Storage Overview chapter in the Oracle Private Cloud Appliance Concepts Guide.

For more information about managing VCNs and subnets, see Managing VCNs and Subnets.

Using the Compute Web UI

  1. In the navigation menu, under Networking, click Virtual Cloud Networks.

  2. Select the compartment where the VCN is located.

  3. Click the name of the VCN.

  4. Under Resources, click Security Lists.

  5. Click the name of the security list.

  6. Under Resources, click Ingress Rules.

  7. Click Create Ingress Security Rule, and enter the required information:

    • Stateless check box: Specify a stateful rule by leaving the check box unchecked.

    • Ingress CIDR: Enter the CIDR block for the subnet. For example, 10.0.0.0/24.

    • IP Protocol: Choose the protocol. For example, TCP.

    • Description: Enter a meaningful description for the rule.

  8. Click Create Security List Rule.

  9. Under Resources, click Egress Rules.

  10. Click Create Egress Security Rule and enter the required information:

    • Stateless check box: Specify a stateful rule by leaving the check box unchecked.

    • Egress Type: To allow traffic from the subnet, select CIDR.

    • Egress CIDR: Enter the CIDR block for the subnet. For example, 10.0.0.0/24.

    • IP Protocol: Choose the protocol. For example, TCP.

    • Description: Enter a meaningful description for the rule.

  11. Click Create Security List Rule.

Adding File Storage to a Network Security Group

Task Flow

  1. Create an NSG with the required security rules. (Alternatively, you can add them to a previously existing NSG.)

     Procedure: Controlling Traffic with Network Security Groups

  2. Add the mount target (or more specifically, the mount target's VNIC) to the NSG. You can do this task when you create the mount target, or you can update the mount target and add it to one or more NSGs that contain the required security rules.

     Procedure: Adding a Mount Target to a Network Security Group

  3. If you're setting up a mount target and instance in different subnets, add the instance (or more specifically, the instance's primary VNIC) to the NSG that contains the required security rules. You can do this task when you create the instance, or you can directly update the instance's primary VNIC.

     Procedure: Updating a VNIC

Adding a Mount Target to a Network Security Group

You can add the mount target to one or more Network Security Groups (NSGs). File storage requires specific rules to be configured for NSGs that are associated with mount targets.

Using the Compute Web UI

  1. Ensure that an NSG with ingress and egress rules has been configured.

    See Configuring VCN Rules and Options.

  2. Ensure that a mount target is created.

    See Managing VCNs and Subnets.

  3. In the navigation menu, under File Storage, click Mount Targets.

  4. Click the mount target name to see the details page.

  5. Click Edit.

  6. Enable Network Security Groups.

  7. Select the NSG from the list.

  8. Click Save Changes.

Using the OCI CLI

  1. Ensure that an NSG with ingress and egress rules has been configured.

    See Configuring VCN Rules and Options.

  2. Ensure that a mount target is created.

    See Managing VCNs and Subnets.

  3. Gather the information that you need to run the command:

    • Mount target OCID (oci fs mount-target list)

    • NSG OCIDs (oci network nsg list)

  4. Run this command.

    Syntax (entered on a single line):

    oci fs mount-target update --mount-target-id <mount_target_OCID> --nsg-ids '["<nsg1_OCID>","<nsg2_OCID>"]'

    Example:

    oci fs mount-target update  \
    --mount-target-id ocid1.mounttarget.….….….uniqueID  \
    --nsg-ids '["ocid1.networksecuritygroup.….….….uniqueID-01","ocid1.networksecuritygroup.….….….uniqueID-02"]'

Setting NFS Export Options

When you create a file system and export, the NFS export options for that file system are set to the defaults listed below. The default values allow full access from every NFS client source address, so you must change them if you want to restrict access:

Caution:

If a file system is mounted by any clients, creating, deleting, or editing the Source value can disrupt file system I/O operations.

Each option is listed with its name in the UI, its name in the CLI, its default value, and a description:

  • Source (CLI: source). Default: 0.0.0.0/0. The IP address or CIDR block of a connecting NFS client.

  • Ports (CLI: require-privileged-source-port). Default: Any. Always set to:

      – UI: Any

      – CLI: false

  • Access (CLI: access). Default: Read/Write. Specifies the source NFS client access. Can be set to one of these values:

      – READ_WRITE

      – READ_ONLY

  • Squash (CLI: identity-squash). Default: None. Determines whether clients accessing the file system as root have their User ID (UID) and Group ID (GID) remapped to the squash UID/GID. Possible values:

      – Root – Only the root user is remapped.

      – None – No users are remapped.

  • Squash UID/GID (CLI: anonymous-uid and anonymous-gid). Default: 65534. This setting is used along with the Squash option. When remapping a root user, you can use this setting to change the default anonymousUid and anonymousGid to any user ID of your choice.

Note – If you change the RW/RO permissions of an export option for an SMB share, the changes are only enforced for newly network-mapped drives of that share. Any previously mapped drives of the same share retain the original permissions. To have the changed permissions enforced on previously mapped drives on SMB clients, disconnect the shares and map them again.

For more information about configuring the options to suit various access scenarios, refer to the section titled NFS Access Control and Export Options in the File Storage Overview chapter in the Oracle Private Cloud Appliance Concepts Guide.

Using the Compute Web UI

  1. In the navigation menu, under File Storage, click File Systems.

  2. Select the appropriate compartment.

  3. Click the file system name.

  4. Under Resources, select Exports.

  5. Click the export's export path.

    The NFS Export Options are displayed.

  6. Click Edit Options.

  7. In the NFS Export Options dialog, configure the NFS options.

  8. Click Update Options.

Using the OCI CLI

  1. Gather the information that you need to run the command:

    • Export ID (oci fs export list --all --compartment-id <compartment_OCID>)

    • Export options, listed in json format, in a json file or as a string on the command line.

  2. Run this command.

    Note:

    This procedure shows the minimum required parameters for this command. For information about optional parameters, run the command with the --help option.

    Syntax (entered on a single line):

    oci fs export update --export-id <export_id> --export-options <file://json_file or json_string>

    Note – The require-privileged-source-port option can only be set to false.

    This example sets the export options for file system A to allow read/write access only to Client A, whose address is in CIDR block 10.0.0.0/24. Client B and Client C are not in this CIDR block and cannot access the file system:

    oci fs export update  \
    --export-id File_system_A_export_ID  \
    --export-options  \
    '[{"source":"10.0.0.0/24","require-privileged-source-port":"false","access":"READ_WRITE","identity-squash":"NONE","anonymous-uid":"65534","anonymous-gid":"65534"}]'
    
    WARNING: Updates to export-options will replace any existing values. Are you sure you want to continue? [y/N]: y
    {
      "data": {
        "export-options": [
          {
            "access": "READ_WRITE",
            "anonymous-gid": 65534,
            "anonymous-uid": 65534,
            "identity-squash": "NONE",
            "require-privileged-source-port": false,
            "source": "10.0.0.0/24"
          }
        ],
        "export-set-id": "ocid1.exportset.….….….uniqueID",
        "file-system-id": "ocid1.filesystem.….….….uniqueID",
        "id": "ocid1.export.oc1.pca.….….….uniqueID",
        "lifecycle-state": "ACTIVE",
        "path": "/export/85aiiadc1w81s8id63knxdq22nt95pe63sgs9c45yp3qovhut14cq9r6eqhn",
        "time-created": "2021-09-27T20:20:34.231009+00:00"
      },
      "etag": "bc660e11-644a-4043-9ad7-622d9581da9b"
    }
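The following script is an added example, not part of the Oracle documentation or the OCI CLI, that works through the export-option semantics described above: it takes the JSON returned by `oci fs export get` (a constructed sample with placeholder OCIDs is embedded), tells you what access a given client IP would get, and audits the option list for the wide-open defaults (source 0.0.0.0/0 with READ_WRITE and no identity squash). It assumes that export entries are evaluated in order with the first matching source applied and that a client matching no entry is denied, and it uses ROOT as the CLI spelling of the UI's Root squash value; the helper names and the second (read-only, root-squashed) entry are this example's own.

```python
import ipaddress
import json

# Constructed sample of the JSON that `oci fs export get` returns, with the
# OCIDs replaced by placeholders. Entry 0 mirrors the page's example
# (read/write for 10.0.0.0/24, root not squashed); entry 1 is an added
# read-only, root-squashed entry for a second subnet.
SAMPLE_EXPORT_JSON = """
{
  "data": {
    "export-options": [
      {"source": "10.0.0.0/24", "require-privileged-source-port": false,
       "access": "READ_WRITE", "identity-squash": "NONE",
       "anonymous-uid": 65534, "anonymous-gid": 65534},
      {"source": "10.0.1.0/24", "require-privileged-source-port": false,
       "access": "READ_ONLY", "identity-squash": "ROOT",
       "anonymous-uid": 65534, "anonymous-gid": 65534}
    ],
    "id": "ocid1.export.oc1.pca.PLACEHOLDER",
    "path": "/export/PLACEHOLDER"
  }
}
"""

# The defaults from the option list above: every client, read/write, no squash.
DEFAULT_EXPORT_OPTIONS = [
    {"source": "0.0.0.0/0", "require-privileged-source-port": False,
     "access": "READ_WRITE", "identity-squash": "NONE",
     "anonymous-uid": 65534, "anonymous-gid": 65534},
]


def load_export_options(cli_json):
    """Pull the export-options list out of `oci fs export get` output."""
    return json.loads(cli_json)["data"]["export-options"]


def matching_entry(export_options, client_ip):
    """Return the first entry whose source CIDR contains client_ip, or None.

    Assumption: entries are evaluated in order and the first match applies;
    a client that matches no entry gets no access.
    """
    addr = ipaddress.ip_address(client_ip)
    for entry in export_options:
        net = ipaddress.ip_network(entry["source"], strict=False)
        if net.version == addr.version and addr in net:
            return entry
    return None


def describe_access(export_options, client_ip):
    """Human-readable summary of what client_ip gets from this export."""
    entry = matching_entry(export_options, client_ip)
    if entry is None:
        return "DENIED"
    if entry["identity-squash"] == "ROOT":
        root = "root squashed to %d:%d" % (entry["anonymous-uid"], entry["anonymous-gid"])
    else:
        root = "root keeps UID 0"
    return "%s (%s)" % (entry["access"], root)


def audit_export_options(export_options):
    """Flag entries that leave the export open to any source address.

    A /0 source (the default) matches every NFS client that can reach the
    mount target; combined with READ_WRITE or identity-squash NONE it hands
    write access, or an unsquashed root, to all of them.
    """
    findings = []
    for i, entry in enumerate(export_options):
        net = ipaddress.ip_network(entry["source"], strict=False)
        if net.prefixlen != 0:
            continue
        if entry["access"] == "READ_WRITE":
            findings.append("entry %d: source %s grants READ_WRITE to every client" % (i, entry["source"]))
        if entry["identity-squash"] == "NONE":
            findings.append("entry %d: source %s leaves remote root unsquashed" % (i, entry["source"]))
    return findings


if __name__ == "__main__":
    opts = load_export_options(SAMPLE_EXPORT_JSON)
    for ip in ("10.0.0.25", "10.0.1.7", "192.168.1.1"):
        print(ip, "->", describe_access(opts, ip))
    print("default export findings:", audit_export_options(DEFAULT_EXPORT_OPTIONS))
```

To check a real export, pipe `oci fs export get --export-id <export_id>` into `load_export_options` instead of the embedded sample; the audit is a useful pre-change check, since `oci fs export update` replaces the whole option list and a mistakenly omitted entry silently cuts those clients off.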