Overview of File Storage
Oracle Cloud Infrastructure File Storage service provides a durable, scalable, secure, enterprise-grade network file system. You can connect to a File Storage service file system from any bare metal, virtual machine, or container instance in your Virtual Cloud Network (VCN). You can also access a file system from outside the VCN using VCN peering, Oracle Cloud Infrastructure FastConnect, and Internet Protocol security (IPSec) virtual private network (VPN).
Large Compute clusters of thousands of instances can use the File Storage service for high-performance shared storage. Storage provisioning is fully managed and automatic as your use scales from a single byte to exabytes without upfront provisioning.
The File Storage service supports the Network File System version 3.0 (NFSv3) protocol. The service supports the Network Lock Manager (NLM) protocol for file locking functionality.
Oracle Cloud Infrastructure File Storage employs 5-way replicated storage, located in different fault domains, to provide redundancy for resilient data protection. Data is protected with erasure encoding.
The File Storage service uses the "eventual overwrite" method of data eradication. Files are created in the file system with a unique encryption key. When you delete a single file, its associated encryption key is eradicated, making the file inaccessible. When you delete an entire file system, the file system is marked as inaccessible. The service systematically traverses deleted files and file systems, frees all the used space, and eradicates all residual files.
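The key-eradication lifecycle described above, as an added illustration that is not Oracle's code: each file is sealed under its own key, deleting the file removes only that key (so the data is unreadable at once), and a later sweep frees the residual ciphertext. The cipher is a toy HMAC-SHA256 keystream standing in for the unnamed production cipher, and the class layout is an assumption of the example.

```python
import hashlib
import hmac
import os

# Toy stand-in for the real cipher (which the page does not name): an HMAC-SHA256
# keystream XORed over 32-byte chunks. It only makes the key lifecycle concrete.
def _keystream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        stream = hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], stream))
    return bytes(out)


class FileStore:
    """Illustrative model (not the service's implementation): every file is
    sealed under its own key; delete_file() eradicates only that key, and
    sweep() later frees the residual ciphertext."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}   # per-file keys, removed on delete
        self._blobs: dict[str, bytes] = {}  # ciphertext, kept until swept

    def write(self, name: str, data: bytes) -> None:
        key = os.urandom(32)                # a fresh key for each new file
        self._keys[name] = key
        self._blobs[name] = _keystream_xor(key, data)

    def accessible(self, name: str) -> bool:
        return name in self._keys and name in self._blobs

    def read(self, name: str) -> bytes:
        if not self.accessible(name):
            raise PermissionError(f"{name}: inaccessible (key eradicated or absent)")
        return _keystream_xor(self._keys[name], self._blobs[name])

    def delete_file(self, name: str) -> None:
        self._keys.pop(name, None)          # data is unreadable from this moment

    def residual_bytes(self) -> int:
        """Space still held by ciphertext whose key no longer exists."""
        return sum(len(b) for n, b in self._blobs.items() if n not in self._keys)

    def sweep(self) -> int:
        """Background pass that frees space used by deleted files."""
        orphaned = [n for n in self._blobs if n not in self._keys]
        for n in orphaned:
            del self._blobs[n]
        return len(orphaned)
```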
Use the File Storage service when your application or workload includes big data and analytics, media processing, or content management, and you require Portable Operating System Interface (POSIX)-compliant file system access semantics and concurrently accessible storage. The File Storage service is designed to meet the needs of applications and users that need an enterprise file system across a wide range of use cases, including the following:
- General Purpose File Storage: Access to an unlimited pool of file systems to manage growth of structured and unstructured data.
- Big Data and Analytics: Run analytic workloads and use shared file systems to store persistent data.
- Lift and Shift of Enterprise Applications: Migrate existing Oracle applications that need NFS storage, such as Oracle E-Business Suite and PeopleSoft.
- Databases and Transactional Applications: Run test and development workloads with Oracle, MySQL, or other databases.
- Backups, Business Continuity, and Disaster Recovery: Host a secondary copy of relevant file systems from on premises to the cloud for backup and disaster recovery purposes.
- MicroServices and Docker: Deliver stateful persistence for containers. Easily scale as your container-based environments grow.
Watch a video introduction to the service and its capabilities.
File Storage is not available in Oracle Cloud Infrastructure Government Cloud realms.
File Storage Concepts
Using the File Storage service requires an understanding of the following concepts, including some that pertain to Oracle Cloud Infrastructure Networking:
- MOUNT TARGET
- An NFS endpoint that lives in a subnet of your choice and is highly available. The mount target provides the IP address or DNS name that is used in the mount command when connecting NFS clients to a file system. A single mount target can export many file systems. Each mount target can accept up to 100,000 NFS client connections. If you use in-transit encryption, each mount target can accept up to 64 NFS/SSL client connections. See Using In-transit Encryption for more information. By default, you can create two mount targets per account per availability domain, but you can request an increase. See Service Limits for a list of applicable limits and instructions for requesting a limit increase. See Managing Mount Targets for more information about working with this resource.
- EXPORT
- Exports control how NFS clients access file systems when they connect to a mount target. File systems are exported (made available) through mount targets. Each mount target maintains an export set which contains one or many exports. A file system must have at least one export in one mount target in order for instances to mount the file system. The information used by an export includes the file system OCID, mount target OCID, export set OCID, export path, and client export options. For more information, see Managing Mount Targets.
- EXPORT SET
- Collection of one or more exports that control what file systems the mount target exports using NFSv3 protocol and how those file systems are found using the NFS mount protocol. Each mount target has an export set. Each file system associated with the mount target has at least one export in the export set.
- EXPORT PATH
- A path that is specified when an export is created. It uniquely identifies the file system within the mount target, letting you associate up to 100 file systems to a single mount target. This path is unrelated to any path within the file system itself, or the client mount point path.
- The File Storage service adds an export that pairs the file system's Oracle Cloud Identifier (OCID) and path.
- See Paths in File Systems for more information.
- EXPORT OPTIONS
- NFS export options are a set of parameters within the export that specify the level of access granted to NFS clients when they connect to a mount target. An NFS export options entry within an export defines access for a single IP address or CIDR block range. For more information, see Working with NFS Export Options.
- VIRTUAL CLOUD NETWORK (VCN)
- A private network that you set up in the Oracle data centers, with firewall rules and specific types of communication gateways that you can choose to use. A VCN covers a single, contiguous IPv4 CIDR block of your choice. For more information about VCNs, see VCNs and Subnets in the Oracle Cloud Infrastructure Networking documentation.
- You can set up a service gateway and give your VCN private access to the File Storage service. A service gateway can be used only by resources in the gateway's own VCN. Traffic to the service will not travel through the internet. When creating the service gateway, enable the service label called All <region> Services in Oracle Services Network. It includes the File Storage service. Be sure to update route tables for any subnets that need to access File Storage through the service gateway.
- For more information and detailed instructions, see Setting Up a Service Gateway in the Console.
- SUBNET
- Subdivisions you define in a VCN (for example, 10.0.0.0/24 and 10.0.1.0/24). Subnets contain virtual network interface cards (VNICs), which attach to instances. A subnet can span a region or exist in a single availability domain. A subnet consists of a contiguous range of IP addresses that do not overlap with other subnets in the VCN. For each subnet, you specify the routing rules and security lists that apply to it. For more information about subnets, see VCNs and Subnets in the Oracle Cloud Infrastructure Networking documentation.
- SECURITY RULES
- Virtual firewall rules for your VCN. Your VCN comes with a default security list, and you can add more. These security lists provide ingress and egress rules that specify the types of traffic allowed in and out of the instances. You can choose whether a given rule is stateful or stateless. Security list rules must be set up so that clients can connect to file system mount targets.
- Network security groups (NSGs) are another method for applying security rules: set the rules up in an NSG, then add the mount target to the NSG. Unlike security list rules, which apply to all VNICs in the subnet, NSG rules apply only to the resource VNICs you add to the NSG.
- See Security Rules, Security Lists, and Network Security Groups for more information, examples, and scenarios about how these features interact in your network. Networking Overview provides general information about networking. See Configuring VCN Security Rules for File Storage for more specific information.
- SNAPSHOT
- Snapshots provide a consistent, point-in-time view of your file system, and you can take as many snapshots as you need. You pay only for the storage used by your data and metadata, including storage capacity used by snapshots. Each snapshot reflects only data that changed from the previous snapshot. For more information, see Managing Snapshots.
The File Storage service encrypts all file system and snapshot data at rest. By default all file systems are encrypted using Oracle-managed encryption keys. You have the option to encrypt all of your file systems using the keys that you own and manage using the Vault service. For more information, see Overview of Vault.
FastConnect offers you the ability to accelerate data transfers. You can leverage the integration between FastConnect and the File Storage service to perform initial data migration, workflow data transfers for large files, and disaster recovery scenarios between two regions, among other things.
File Storage Space Allocation
The File Storage service allocates space in blocks of variable size in a way that is fine-tuned to minimize total customer cost and optimize performance for modern workloads. The minimum block size used is 8192 bytes. For example, if you create a 1-byte file, we allocate 8192 bytes. We use larger blocks to store larger files. To learn more about file system and snapshot usage, see File System Usage and Metering.
How File Storage Permissions Work
File Storage service resources include file systems, mount targets, and export sets. The AUTH_UNIX style of authentication and permission checking is supported for remote NFS client requests. You use Oracle Cloud Infrastructure Identity and Access Management (IAM) policy language to define access to Oracle Cloud Infrastructure resources. You can consider exports and snapshots subsidiary resources of export sets and file systems, respectively. As such, they do not need their own permissions. Related resources include Oracle Cloud Infrastructure Compute instances and Oracle Cloud Infrastructure Networking virtual cloud networks (VCNs).
Oracle Cloud Infrastructure users require resource permissions to create, delete, and manage resources. Without the appropriate IAM permissions, you cannot export a file system through a mount target. Until a file system has been exported, Compute instances cannot mount it. For more information about creating an IAM policy, see Let users create, manage, and delete file systems.
If you have successfully exported a file system on a subnet, then you use Networking security lists to control traffic to and from the subnet and, therefore, the mount target. Security lists act as a virtual firewall, allowing only the network traffic you specify to and from the IP addresses and port ranges configured in your ingress and egress rules. The security list you create for the subnet lets hosts send and receive packets and mount the file system. If you have firewalls on individual instances, use FastConnect, or use a virtual private network (VPN), the settings for those might also impact security at the networking layer. For more information about creating a security list for the File Storage service, see Creating File Systems. See About Security for more information on how different types of security work together in your file system.
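The two layers described under Export Options and in this section, as an added example that is not Oracle's code: an export options entry is matched by the client's source address (single IP or CIDR block), and only then are the client-asserted AUTH_UNIX uid/gid values checked against the file's POSIX mode bits. Because AUTH_UNIX trusts whatever identity the client sends, the network-layer admission is where access is really decided. The field names, first-match evaluation, and squashing of root to an anonymous uid are assumptions of this example, not the service's API.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class ExportOption:
    """One export options entry (illustrative fields, not the service's API
    schema): a single IP or CIDR source, write access, root squashing."""
    source: str
    read_write: bool = False
    squash_root: bool = False
    anon_uid: int = 65534   # uid that a squashed root is mapped to

@dataclass
class File:
    uid: int
    gid: int
    mode: int               # POSIX permission bits, e.g. 0o640

def match_export(options, client_ip):
    """First entry whose source contains client_ip (first-match is assumed)."""
    ip = ipaddress.ip_address(client_ip)
    return next((o for o in options
                 if ip in ipaddress.ip_network(o.source, strict=False)), None)

def posix_allows(f, uid, gids, write):
    """AUTH_UNIX check: pick the owner (6), group (3) or other (0) triplet of
    the mode bits for the asserted uid/gids and test read=4 or write=2."""
    shift = 6 if uid == f.uid else 3 if f.gid in gids else 0
    return bool((f.mode >> shift) & (2 if write else 4))

def authorize(options, client_ip, uid, gids, f, write):
    """Network layer first (which export entry, if any, admits this source and
    whether it allows writes), then the file layer. The uid/gids are whatever
    the client asserted, and an unsquashed root bypasses the mode bits."""
    opt = match_export(options, client_ip)
    if opt is None or (write and not opt.read_write):
        return False
    if opt.squash_root and uid == 0:
        uid, gids = opt.anon_uid, ()
    return uid == 0 or posix_allows(f, uid, gids, write)

# Constructed sample: one admin host read-write with root trusted; the rest of
# the subnet read-only with root squashed to the anonymous uid.
EXPORT = [ExportOption("10.0.0.5/32", read_write=True),
          ExportOption("10.0.0.0/24", squash_root=True)]
SAMPLE_FILE = File(uid=1000, gid=1000, mode=0o640)
```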
Regions and Availability Domains
You can use the File Storage service in all regions. For a list of supported regions, see Regions and Availability Domains.
When you create file systems and mount targets, you specify the availability domain they are created in. All file system data is then stored entirely within the availability domain the file system resides in. Within an availability domain, the File Storage service uses synchronous replication and high availability failover to keep your data safe and available.
You cannot move a file system to a different availability domain or region. However, you can take a snapshot of your data and use a tool such as rsync to copy your data to a different availability domain or region. See Managing Snapshots for more information on using snapshots to protect your data.
While it is possible to access mount targets from any availability domain in a region, for optimal performance, place File Storage resources in the same availability domain as the Compute instances that access them.
Subnets can be either AD-specific or regional. You can create File Storage resources in either type of subnet. Regional subnets allow Compute instances to connect to any mount target in the subnet regardless of AD, with no additional routing configuration. However, to minimize latency, place mount targets in the same AD as Compute instances just as you would in an AD-specific subnet. For more information, see Overview of VCNs and Subnets.
Creating Automation with Events
The following File Storage resources emit events:
- File systems
- Mount targets
- Export sets
Most types of Oracle Cloud Infrastructure resources have a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID). For information about the OCID format and other ways to identify your resources, see Resource Identifiers.
Ways to Access Oracle Cloud Infrastructure
You can access Oracle Cloud Infrastructure using the Console (a browser-based interface) or the REST API. Instructions for the Console and API are included in topics throughout this guide. For a list of available SDKs, see Software Development Kits and Command Line Interface.
To access the Console, you must use a supported browser. To go to the Console sign-in page, open the navigation menu at the top of this page and click Infrastructure Console. You will be prompted to enter your cloud tenant, your user name, and your password.
Authentication and Authorization
Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).
An administrator in your organization needs to set up groups, compartments, and policies that control which users can access which services, which resources, and the type of access. For example, the policies control who can create new users, create and manage the cloud network, launch instances, create buckets, download objects, etc. For more information, see Getting Started with Policies. For specific details about writing policies for each of the different services, see Policy Reference.
If you’re a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure resources that your company owns, contact your administrator to set up a user ID for you. The administrator can confirm which compartment or compartments you should be using.