.. _Exporting Data via NFS:

Exporting Data via NFS
----------------------

|product_name| allows you to organize nodes into a highly available NFS cluster in which you can create NFS shares. In |product_name| terms, an NFS share is an access point for a volume and as such it can be assigned an IP address or DNS name. The volume, in turn, can be assigned the usual properties: redundancy type, tier, and failure domain. In each share you can create multiple NFS exports, which are the actual exported directories for user data. Each export has, among other properties, a path that, combined with the share's IP address, uniquely identifies the export on the network and allows you to mount it using standard commands.

On the technical side, NFS volumes are based on object storage. Aside from offering high availability and scalability, object storage eliminates the limit on the number of files and the size of data you can keep in the NFS cluster. Each share is perfect for keeping billions of files of any size. However, such scalability implies I/O overhead that is wasted on file size changes and rewrites. For this reason, an NFS cluster makes a perfect cold and warm file storage but is not recommended for hot, high-performance data that is rewritten often (like running virtual machines). Integration of |product_name| with solutions from VMware, for example, is best done via iSCSI to achieve better performance.

.. note:: |product_name| only supports NFS version 4 and newer, including pNFS.

.. _Setting Up an NFS Cluster:

Setting Up an NFS Cluster
~~~~~~~~~~~~~~~~~~~~~~~~~

Since NFS is based on object storage, creating an NFS cluster is similar to creating an S3 one. Do the following:

#. Assign the internal **Object Storage private** role and the public **NFS** role to a network interface on each node that will be in the NFS cluster. You can do so on the **NODES** > *node* > **NETWORK** screen.

#. On the **SERVICES** > **NFS** screen, select the desired available nodes to add to the NFS cluster.

#. Click **Create NFS cluster**.

#. Make sure that the network interface with the **Object Storage private** role is selected in the drop-down list of each node. The corresponding interfaces with the public **NFS** roles will be selected automatically.

   .. note:: If necessary, click the cogwheel icon and configure NFS roles on the **Network Configuration** screen.

#. Click **CREATE**.

After the NFS cluster has been created, you can proceed to creating NFS shares.

.. _Creating NFS Shares:

Creating NFS Shares
~~~~~~~~~~~~~~~~~~~

To create an NFS share, do the following:

#. On the **SERVICES** > **NFS** > **SHARES** screen, click **ADD NFS SHARE**.

#. On the **Add NFS Share** panel, specify a unique name and an IP address, which must be unused and, if authentication is enabled, domain-resolvable. Click **PROCEED**.

#. In **Share size**, specify the size of the share in gigabytes. For users accessing exports, this value will be the filesystem size.

#. Select the desired tier, failure domain, and data redundancy type in the corresponding fields. For more details on these volume properties, see the `Installation Guide `__.

   .. note:: You will be able to change the redundancy mode later.

#. Click **DONE**.

After the share has been created, you can proceed to creating NFS exports.

.. _Creating NFS Exports:

Creating NFS Exports
~~~~~~~~~~~~~~~~~~~~

The process of creating NFS exports includes the following steps:

#. Creating a root export that will contain user exports.

#. Mounting the root export.

#. Creating user exports in the mounted root export.

.. _Creating the Root Export:

Creating the Root Export
^^^^^^^^^^^^^^^^^^^^^^^^^

To create a root NFS export, do the following:

#. On the **SERVICES** > **NFS** > **SHARES** screen, click the number in the **Exports** column in the row of the desired share. This will open the share screen.

#. On the share screen, click **ADD EXPORT**, specify ``root`` as the export name and ``/`` as the path, and select the ``read and write`` access mode.

   .. image:: /images/stor_image65_1.png
      :align: center
      :class: align-center

   This will create a directory with a default path, e.g., ``/0200000000000002``. The path designates the export location inside the share and is used (alongside the share's IP address) to mount the export.

   .. important:: Do not give the users access to the root export.

   The root export will be shown in the export list.

   .. image:: /images/stor_image65_2.png
      :align: center
      :class: align-center

After creating the root export, mount it as described in the `User's Guide `__.

.. warning:: Do not mount NFS shares on cluster nodes. Doing so may cause the node to freeze.

.. _Creating User Exports:

Creating User Exports
^^^^^^^^^^^^^^^^^^^^^

After creating and mounting the root export, you can proceed to creating user NFS exports. To do this:

#. In the mounted root export, create a subdirectory for a user export, e.g., ``export1``.

#. On the share screen, click **ADD EXPORT**, enter a user export name, specify ``/export1`` as the path, and select the access mode.

   .. image:: /images/stor_image65_3.png
      :align: center
      :class: align-center

#. Click **Done**.

The user export will appear in the export list.

.. image:: /images/stor_image65_4.png
   :align: center
   :class: align-center

.. _Setting Up User Authentication and Authorization:

Setting Up User Authentication and Authorization
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

|product_name| allows you to authenticate users for access to specific NFS shares via Kerberos and authorize them to access specific NFS exports inside these shares via LDAP.

.. _Authenticating NFS Share Users with Kerberos:

Authenticating NFS Share Users with Kerberos
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

To enable user authentication in an NFS share, do the following:

#. Assign a forward and reverse resolvable FQDN (fully qualified domain name) to the share's IP address.

#. On the **SETTINGS** > **Security** > **KERBEROS** tab, specify the following Kerberos information:

   #. In **Realm**, your DNS name in uppercase letters.

   #. In **KDC service**, the DNS name or IP address of the host running the realm's KDC (key distribution center) service.

   #. In **KDC administration service**, the DNS name or IP address of the host running the realm's KDC administration service.

   .. note:: Usually, the KDC and its administration service run on the same host.

#. On the Kerberos server, perform these steps:

   #. Log in as administrator to the Kerberos database administration program.

   #. Add a principal for the share with the command ``addprinc -randkey nfs/@``. For example:

      ::

         # addprinc -randkey nfs/share1.example.com@example.com

   #. Generate a keytab (key table) for the principal and save it to a directory you can upload from. For example:

      ::

         # ktadd -k /tmp/krb5.keytab nfs/share1.example.com@example.com

#. On the **SERVICES** > **NFS** > **SHARE** tab, select a share and click **Authentication**.

#. Upload the keytab file and click **SAVE**.

.. important:: Each share and client (user that mounts the export) must have its own principal and keytab.

.. _Authorizing NFS Export Users with LDAP:

Authorizing NFS Export Users with LDAP
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

By configuring access to a user directory via LDAP, you can control which users can access which NFS exports. You will need a directory of user accounts with the desired NFS access parameters.

To configure access to an LDAP server, do the following:

#. On the **SETTINGS** > **Security** > **LDAP** tab, specify the following information:

   - **Address**, the IP address of the LDAP server;
   - **Base DN**, the distinguished name of the search starting point;

#. Click **Save**.
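
The Kerberos procedure in *Authenticating NFS Share Users with Kerberos* depends on the share's FQDN resolving forward and backward to the share's IP address and on the principal carrying the realm configured on the **KERBEROS** tab. The pre-flight check below is an added example, not part of the product or its documentation; the function names, the injectable resolvers, and the sample DNS records (documentation range 192.0.2.0/24) are assumptions, and it handles IPv4 only.

```python
import socket

def check_share_identity(principal, share_ip, realm,
                         forward=socket.gethostbyname,
                         reverse=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Return a list of problems; an empty list means all checks passed."""
    service, _, rest = principal.partition("/")
    host, _, princ_realm = rest.partition("@")
    if service != "nfs" or not host or not princ_realm:
        return ["principal is not of the form nfs/<FQDN>@<realm>"]
    problems = []
    # Kerberos realm names are case-sensitive, so compare exactly.
    if princ_realm != realm:
        problems.append(f"realm {princ_realm!r} differs from configured {realm!r}")
    try:  # forward lookup: FQDN -> share IP
        addr = forward(host)
        if addr != share_ip:
            problems.append(f"{host} resolves to {addr}, not {share_ip}")
    except OSError as exc:
        problems.append(f"forward lookup of {host} failed: {exc}")
    try:  # reverse lookup: share IP -> FQDN
        name = reverse(share_ip).rstrip(".")
        if name.lower() != host.lower():
            problems.append(f"{share_ip} reverse-resolves to {name}, not {host}")
    except OSError as exc:
        problems.append(f"reverse lookup of {share_ip} failed: {exc}")
    return problems

# Constructed sample records standing in for DNS so the example runs offline.
A_RECORDS = {"share1.example.com": "192.0.2.10", "share2.example.com": "192.0.2.11"}
PTR_RECORDS = {"192.0.2.10": "share1.example.com"}

def fake_forward(host):
    if host not in A_RECORDS:
        raise socket.gaierror(f"no A record for {host}")
    return A_RECORDS[host]

def fake_reverse(ip):
    if ip not in PTR_RECORDS:
        raise socket.herror(f"no PTR record for {ip}")
    return PTR_RECORDS[ip]

if __name__ == "__main__":
    for princ, ip in [("nfs/share1.example.com@EXAMPLE.COM", "192.0.2.10"),
                      ("nfs/share2.example.com@example.com", "192.0.2.11")]:
        issues = check_share_identity(princ, ip, "EXAMPLE.COM",
                                      fake_forward, fake_reverse)
        print(princ, "->", issues or "OK")
```

Omit the last two arguments to run the same checks against the system resolver before uploading the keytab.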