5.3. Exporting Storage via NFS

Acronis Cyber Infrastructure allows you to organize nodes into a highly available NFS cluster in which you can create NFS shares. In Acronis Cyber Infrastructure terms, an NFS share is an access point for a volume and, as such, it can be assigned an IP address or DNS name. The volume, in turn, can be assigned the usual properties: redundancy type, tier, and failure domain. In each share you can create multiple NFS exports, which are the actual exported directories for user data. Each export has, among other properties, a path that, combined with the share’s IP address, uniquely identifies the export on the network and allows you to mount it using standard commands.

On the technical side, NFS volumes are based on object storage. Aside from offering high availability and scalability, object storage eliminates the limit on the number of files and the size of data you can keep in the NFS cluster. Each share is perfect for keeping billions of files of any size. However, such scalability implies IO overhead that is wasted on file size changes and rewrites. For this reason, an NFS cluster makes perfect cold and warm file storage but is not recommended for hot, high-performance data that is often rewritten (like running virtual machines). Integration of Acronis Cyber Infrastructure with solutions from VMware, for example, is best done via iSCSI to achieve better performance.

Note

Acronis Cyber Infrastructure only supports NFS version 4 and newer, including pNFS.

5.3.1. Setting Up an NFS Cluster

Since NFS is based on object storage, creating an NFS cluster is similar to creating an S3 cluster. Do the following:

  1. On the INFRASTRUCTURE > Networks screen, make sure that the OSTOR private and NFS traffic types are added to your networks.

  2. In the left menu, click STORAGE SERVICES > NFS.

  3. Select one or more nodes and click Create NFS cluster in the right menu.

  4. Make sure the correct network interface is selected in the drop-down list.

    If necessary, click the cogwheel icon and configure the node’s network interfaces on the Network Configuration screen.

  5. Click CREATE.

After the NFS cluster has been created, you can proceed to creating NFS shares.

5.3.2. Creating NFS Shares

To create an NFS share, do the following:

  1. On the STORAGE SERVICES > NFS > SHARES screen, click ADD NFS SHARE.

  2. On the Add NFS Share panel, specify a unique name and an IP address, which must be unused and, if authentication is enabled, domain resolvable. In addition, this IP address should be within the network subnet of the node’s interface. Click PROCEED.

  3. In Share size, specify the size of the share in gigabytes. For users accessing exports, this value will be the filesystem size.

  4. Select the desired tier, failure domain, and data redundancy type. For more details on these volume properties, see the Installation Guide.

    You will be able to change the redundancy mode later.

  5. Click DONE.

After the share has been created, you can proceed to creating NFS exports.

5.3.3. Creating NFS Exports

The process of creating NFS exports includes the following steps:

  1. Creating a root export that will contain user exports.
  2. Mounting the root export.
  3. Creating user exports in the mounted root export.

5.3.3.1. Creating the Root Export

To create a root NFS export, do the following:

  1. On the STORAGE SERVICES > NFS > SHARES screen, click the number in the Exports column in the row of the desired share. This will open the share screen.

  2. On the share screen, click ADD EXPORT, specify root as the export name and / as the path, and select the read and write access mode.

    Important

    Do not use other names or paths for the root export.

    This will create a directory with a default path that designates the export location inside the share. This path is automatically generated based on the share name and is used (alongside the share’s IP address) to mount the export.

    Important

    Do not give the users access to the root export.

The root export will be shown in the export list.

After creating the root export, mount it as described in the Storage User’s Guide.

Warning

Do not mount NFS shares on cluster nodes. Doing so may cause the node to freeze.

5.3.3.2. Creating User Exports

After creating and mounting the root export, you can proceed to creating user NFS exports. To do this:

  1. In the mounted root export, create a subdirectory for a user export, e.g., export1.
  2. On the share screen, click ADD EXPORT, enter a user export name, specify /export1 as the path, and select the access mode.
  3. Click Done.

The user export will appear in the export list.

5.3.4. Setting Up User Authentication and Authorization

Acronis Cyber Infrastructure allows you to authenticate users for access to specific NFS shares via Kerberos and authorize them to access specific NFS exports inside these shares via LDAP.

5.3.4.1. Authenticating NFS Share Users with Kerberos

To enable user authentication in an NFS share, do the following:

  1. Assign a forward and reverse resolvable FQDN (fully qualified domain name) to the share’s IP address.

  2. On the SETTINGS > Security > KERBEROS tab, specify the following Kerberos information:

    1. In Realm, your DNS name in uppercase letters.

    2. In KDC service, the DNS name or IP address of the host running the realm’s KDC (key distribution center) service.

    3. In KDC administration service, the DNS name or IP address of the host running the realm’s KDC administration service.

      Usually, the KDC and its administration service run on the same host.

  3. On the Kerberos server, perform these steps:

    1. Log in as administrator to the Kerberos database administration program.

    2. Add a principal for the share with the command addprinc -randkey nfs/<share_FQDN>@<realm>. For example:

      # addprinc -randkey nfs/share1.example.com@EXAMPLE.COM
      
    3. Generate a keytab (key table) for the principal and save it to a directory you can upload from. For example:

      # ktadd -k /tmp/krb5.keytab nfs/share1.example.com@EXAMPLE.COM
      
  4. On the STORAGE SERVICES > NFS > SHARE tab, select a share and click Authentication.

  5. Upload the keytab file and click SAVE.

Important

Each share and client (user that mounts the export) must have their own principal and keytab.
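
The address prerequisites for a Kerberos-enabled share (an IP address inside the node interface's subnet, an FQDN that resolves forward and reverse, and an uppercase realm in the principal) can be checked before the principal and keytab are created. The following Python check is an added example, not part of the Acronis documentation or product; the function names, the 10.0.0.0/24 subnet, and the sample DNS records are constructed for illustration.

```python
import ipaddress
import socket

def share_principal(fqdn, realm):
    """Service principal for a share: nfs/<share_FQDN>@<REALM>, realm upper-cased."""
    return f"nfs/{fqdn.rstrip('.').lower()}@{realm.upper()}"

def system_forward(name):
    """Forward (A/AAAA) lookup through the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def system_reverse(addr):
    """Reverse (PTR) lookup through the system resolver."""
    return socket.gethostbyaddr(addr)[0]

def preflight(fqdn, ip, node_subnet, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; an empty list means the address is ready."""
    want = fqdn.rstrip(".").lower()
    problems = []
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(node_subnet):
        problems.append(f"{ip} is outside the node subnet {node_subnet}")
    try:
        if ip not in forward(want):
            problems.append(f"{want} does not resolve to {ip}")
    except (OSError, KeyError):
        problems.append(f"{want} has no forward record")
    try:
        ptr = reverse(ip).rstrip(".").lower()
        if ptr != want:
            # A mismatched PTR makes clients ask for a ticket for the wrong host.
            problems.append(f"{ip} reverse-resolves to {ptr}, not {want}")
    except (OSError, KeyError):
        problems.append(f"{ip} has no reverse record")
    return problems

# Constructed sample records (assumptions) so the example runs offline.
SAMPLE_A = {"share1.example.com": {"10.0.0.50"}, "share2.example.com": {"10.0.0.51"}}
SAMPLE_PTR = {"10.0.0.50": "share1.example.com.", "10.0.0.51": "node3.example.com."}

def check_sample(fqdn, ip, subnet="10.0.0.0/24"):
    """Run the preflight against the constructed records instead of live DNS."""
    return preflight(fqdn, ip, subnet, SAMPLE_A.__getitem__, SAMPLE_PTR.__getitem__)

if __name__ == "__main__":
    print(share_principal("share1.example.com", "example.com"))
    for name, addr in [("share1.example.com", "10.0.0.50"), ("share2.example.com", "10.0.0.51")]:
        print(name, check_sample(name, addr) or "OK")
```

Calling `preflight()` without the last two arguments uses the system resolver, so it can be run from the host that will mount the export.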

5.3.4.2. Authorizing NFS Export Users with LDAP

By configuring access to a user directory via LDAP, you can control which users can access which NFS exports. You will need a directory of user accounts with desired NFS access parameters.

To configure access to an LDAP server, do the following:

  1. On the SETTINGS > Security > LDAP tab, specify the following information:
    • Address, the IP address of the LDAP server;
    • Base DN, the distinguished name of the search starting point.
  2. Click Save.