Creating File Systems

You can create a shared file system in the cloud using the File Storage service. Network access to your file system is provided through a mount target. Exports control how NFS clients access file systems when they connect to a mount target. File systems must have at least one export in one mount target for any instance to mount and use the file system. Typically, you create your first mount target when you create your first file system.

Caution

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

Required IAM Service Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have and which compartment you should work in.

For administrators: The policy in Let users create, manage, and delete file systems allows users to create file systems. Since mount targets are network endpoints, users must also have "use" permissions for VNICs, private IPs, private DNS zones, and subnets to create or delete a mount target. See the Policy Reference for more information.

If you're new to policies, see Getting Started with Policies and Common Policies.

Prerequisites

Before you create a file system, you need:

  • At least one Virtual Cloud Network (VCN) in a compartment. For more information, see VCNs and Subnets.
  • Correctly configured security rules for the file system mount target. Security rules can be created in the security list for the mount target subnet, or in a Network Security Group (NSG) that you add the mount target to. See Security Rules for information about how security rules work in Oracle Cloud Infrastructure. Use the instructions in Configuring VCN Security Rules for File Storage to set up security rules correctly for your file systems. Without these rules, NFS traffic from your instances never reaches the mount target, regardless of how the export is configured.

Using the Console

To create a file system
  1. Open the navigation menu. Under Core Infrastructure, click File Storage and then click File Systems.

  2. In the left-hand navigation, in the List Scope section, under Compartment, select a compartment.
  3. Click Create File System.

    Note

    File systems are encrypted by default. You cannot turn off encryption.
  4. You can choose to accept the system defaults, or change them by clicking Edit Details.

    • File System Information:
      • Name: File Storage service creates a default name using "FileSystem-YYMMDD-HHMM". Optionally, change the default name for the file system. It doesn't have to be unique; an Oracle Cloud Identifier (OCID) uniquely identifies the file system.
      • Availability domain: The first availability domain selected in the left panel list is used as default.
      • Encryption: File systems use Oracle-managed keys by default, which leaves all encryption-related matters to Oracle. Optionally, you can encrypt the data in this file system using your own Vault encryption key. To use Vault for your encryption needs, select Encrypt using customer-managed keys check box. Then, select the Vault compartment and Vault that contain the master encryption key you want to use. Also select the Master encryption key compartment and Master encryption key. For more information about encryption, see Overview of Vault.

        Caution

        Be sure to back up your vaults and keys. Deleting a vault and key otherwise means losing the ability to decrypt any resource or data that the key was used to encrypt, including every file in this file system. For more information, see Backing Up Vaults and Keys.
      • Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, then skip this option (you can apply tags later) or ask your administrator.
    • Export Information

      Mount targets use exports to manage access to file systems. The path name uniquely identifies the file system within the mount target, and is used by an instance to mount the file system.

      • Export Path: The File Storage service creates a default export path using the file system name. Optionally, replace the default export path name with a new path name, preceded by a forward slash (/). For example, /fss. This value specifies the mount path to the file system (relative to the mount target IP address or hostname). Avoid entering confidential information.

        Important

        The export path must start with a slash (/) followed by a sequence of zero or more slash-separated elements. For multiple file systems associated with a single mount target, the export path sequence for the first file system cannot contain the complete path element sequence of the second file system export path sequence. Export paths cannot end in a slash. No export path element can be a period (.) or two periods in sequence (..). No export path can exceed 1024 bytes. Lastly, no export path element can exceed 255 bytes. For example:

        Acceptable:

        /example and /path

        /example and /example2

        Not Acceptable:

        /example and /example/path

        / and /example

        /example/

        /example/path/../example1

        Caution

        If one file system associated to a mount target has '/' specified as an export path, you can't associate another file system with that mount target.
        Note

        Export paths cannot be edited after the export is created. If you want to use a different export path, you must create a new export with the desired path. Optionally, you can then delete the export with the old path.

        For more information, see Paths in File Systems.

      • Use Secure Export Options: Select to set the export options to require NFS clients to use a privileged port (1-1023) as their source port. This option enhances security because, on a typical client operating system, only a process with root privileges can bind a privileged source port. After the export is created, you can edit the export options to adjust security. See Working with NFS Export Options for more information.

        Caution

        If "Use Secure Export Options" is left disabled, any process on a client that can reach the mount target, including one running as an unprivileged user, can open its own NFS connection from an unprivileged port and present whatever user and group IDs it chooses, and can therefore read and modify any file or directory on the target file system. Requiring a privileged source port does not replace VCN security rules or identity squashing; use it together with them.
    • Mount Target Information:

      File systems must be associated with a mount target to be mounted by an instance.

      If you have one or more previously created mount targets in the availability domain, the File Storage service automatically chooses the most recently created mount target in the list. If you don't have a mount target in the selected availability domain, the File Storage service creates one using the following defaults.

      • Mount Target Name: File Storage service creates a default mount target name using "Mount-YYYYMMDD-HHMM".
      • Compartment: The compartment you're currently working in.
      • Virtual Cloud Network: The first VCN listed in the current compartment is used as default.
      • Configure Network Security Groups: Select this option to add this mount target to an NSG you've created. Choose an NSG from the list. Each mount target can belong to up to five (5) NSGs.

        Important

        Rules for the NSG you select must be configured to allow traffic to the mount target's VNIC using specific protocols and ports. For more information, see Configuring VCN Security Rules for File Storage.
      • Subnet: The most recently created subnet listed in the selected availability domain is used as default. Subnets can be either AD-specific or regional (regional ones have "regional" after the name). For more information, see VCNs and Subnets.
  5. If you want to accept the defaults for the mount target, click Create. The file system is created with the information displayed. If you want to choose another mount target or change the default information, click the Edit Details link.
  6. In the Mount Target Information section, specify details for the mount target that is associated with the file system:

    • Select an Existing Mount Target: Choose this option if you want to associate the file system with a mount target you already created. Choose the Mount Target from the list. Click the click here link in the dialog box if you want to enable compartment selection for the mount target.

      Tip

      If there aren't any mount targets in the current combination of availability domain and compartment, this option is disabled. You can: 

      • Choose a different compartment.
      • Choose a different availability domain in the File System Information section.
      • Create a new mount target.
    • Create a New Mount Target: Choose this option if you want to create a new mount target associated with this file system. By default, the mount target is created in your current compartment and you can use network resources in that compartment. Click the click here link in the dialog box if you want to enable compartment selection for the mount target, its VCN, or subnet resources.

      Important

      The mount target is always in the same availability domain as the file system. While it is possible to access mount targets from any AD in a region, for optimal performance, your mount target and file system should be in the same availability domain as the Compute instances that access them. For more information, see Regions and Availability Domains.
    • Create in Compartment: Specify the compartment you want to create the mount target in.
    • New Mount Target Name: Optionally, replace the default with a friendly name for the mount target. It doesn't have to be unique; an Oracle Cloud Identifier (OCID) uniquely identifies the mount target. Avoid entering confidential information.

      Note

      The mount target name is different from the DNS hostname, which is specified in step 7.
    • Virtual Cloud Network Compartment: The compartment containing the cloud network (VCN) in which to create the mount target.
    • Virtual Cloud Network: Select the cloud network (VCN) where you want to create the new mount target.
    • Configure Network Security Groups: Select this option to add this mount target to an NSG you've created. Choose an NSG from the list.

      Important

      Rules for the NSG you select must be configured to allow traffic to the mount target's VNIC using specific protocols and ports. For more information, see Configuring VCN Security Rules for File Storage.
    • Subnet Compartment: Specify the compartment containing a subnet within the VCN to attach the mount target to.
    • Subnet: Select a subnet to attach the mount target to. Subnets can be either AD-specific or regional (regional ones have "regional" after the name). For more information, see VCNs and Subnets.

      Caution

      Each mount target requires three internal IP addresses in the subnet to function. Do not use /30 or smaller subnets for mount target creation because they do not have sufficient available IP addresses. Two of the IP addresses are used during mount target creation. The third IP address must remain available for the mount target to use for high availability failover.
    • Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, then skip this option (you can apply tags later) or ask your administrator.
  7. Optionally, click Show Advanced Options to configure the mount target's advanced options.

    • IP Address: You can specify an unused IP address in the subnet you selected for the mount target.
    • Hostname: You can specify a hostname you want to assign to the mount target.

      Note

      The File Storage service constructs a fully qualified domain name (FQDN) by combining the hostname with the FQDN of the subnet the mount target is located in.

      For example, myhostname.subnet123.dnslabel.oraclevcn.com.

      Once created, the hostname may be changed in the mount target's Details page. See Managing Mount Targets for more information.

  8. Click Create.

The File Storage service typically creates the file system and mount target within seconds. Next, mount the file system from an instance so that you can read and write directories and files in your file system. See Mounting File Systems for instructions about obtaining mount commands for your operating system type and mounting your file system.

Using the command line interface (CLI)

For information about using the CLI, see Command Line Interface (CLI).

To create a file system

Open a command prompt and run oci fs file-system create to create a file system. For example:

oci fs file-system create --availability-domain <target_availability_domain> --display-name "<My File System>" --compartment-id <target_compartment_id>
Caution

Avoid entering confidential information in the file system display-name.

The file system is created.

File systems use Oracle-managed keys by default, which leaves all encryption-related matters to Oracle. Optionally, you can encrypt the data in this file system using your own Vault encryption key by passing the key's OCID with --kms-key-id. Vault keys are regional, so the key must belong to a vault in the same region as the file system. For more information, see Overview of Vault.

For example:

oci fs file-system create --availability-domain AAbC:US-ASHBURN-AD-1 --display-name "My File System" --compartment-id ocid1.compartment.oc1..<unique_id> --kms-key-id ocid1.key.oc1.<region>.<unique_id>
To create a mount target

You can create a mount target for file systems in a specified compartment and subnet. A file system can only be associated with a mount target in the same availability domain.

Caution

Each mount target requires three internal IP addresses in the subnet to function. Do not use /30 or smaller subnets for mount target creation because they do not have sufficient available IP addresses. Two of the IP addresses are used during mount target creation. The third IP address must remain available for the mount target to use for high availability failover.

Open a command prompt and run oci fs mount-target create to create a mount target.

For example:

oci fs mount-target create --availability-domain <target_availability_domain> --compartment-id <target_compartment_id> --subnet-id <subnet_OCID> --display-name "<My Mount Target>"
Caution

Avoid entering confidential information in the mount target display-name.
To create an export

An export is a file system together with the path that can be used to mount it. Each export resource belongs to one export set.

Open a command prompt and run oci fs export create to create an export for a specified file system within a specified export set.

For example:

oci fs export create --export-set-id <export_set_OCID> --file-system-id <file_system_OCID> --path "</pathname>"
Important

The export path must start with a slash (/) followed by a sequence of zero or more slash-separated elements. For multiple file systems associated with a single mount target, the export path sequence for the first file system cannot contain the complete path element sequence of the second file system export path sequence. Export paths cannot end in a slash. No export path element can be a period (.) or two periods in sequence (..). No export path can exceed 1024 bytes. Lastly, no export path element can exceed 255 bytes. For example:

Acceptable:

/example and /path

/example and /example2

Not Acceptable:

/example and /example/path

/ and /example

/example/

/example/path/../example1

Caution

If one file system associated to a mount target has '/' specified as an export path, you can't associate another file system with that mount target.
Note

Export paths cannot be edited after the export is created. If you want to use a different export path, you must create a new export with the desired path. Optionally, you can then delete the export with the old path.

For more information, see Paths in File Systems.
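The following shell script is an added example and is not part of the Oracle documentation or the oci CLI project. It encodes the export path rules and the single-mount-target conflict rule above as a checker you can run before calling oci fs export create, builds export options that require a privileged source port (the CLI counterpart of "Use Secure Export Options" in the Console steps) and chains the three oci commands from this section in order: file system, mount target, then export. The checks run offline; only create_fss_stack contacts OCI and assumes an installed, configured oci CLI. The display names app-data and app-data-mt, the client CIDR argument, and the choice to squash root to UID/GID 65534 are this example's assumptions, not values from the page.

```shell
#!/bin/sh
# Added example: export path checks and a secure File Storage create flow.
# Not Oracle's code. Assumes the oci CLI is installed and configured.
set -eu
LC_ALL=C; export LC_ALL          # make ${#var} count bytes, as the limits do

# validate_export_path PATH
# Exit status 0 when PATH satisfies the export path rules on this page:
# leading slash, no trailing slash (except "/" itself), no "." or ".."
# elements, at most 1024 bytes total and 255 bytes per element.
# An empty element ("/a//b") is rejected here as well; that is this
# script's choice, the page does not mention it.
validate_export_path() {
    p=$1
    case "$p" in
        /)  return 0 ;;                                  # root on its own
        /*) ;;                                           # leading slash ok
        *)  echo "$p: must start with /" >&2; return 1 ;;
    esac
    case "$p" in
        */)               echo "$p: must not end with /" >&2; return 1 ;;
        */./*|*/.|*/../*|*/..) echo "$p: . and .. elements not allowed" >&2; return 1 ;;
        *//*)             echo "$p: empty element" >&2; return 1 ;;
    esac
    if [ "${#p}" -gt 1024 ]; then
        echo "$p: longer than 1024 bytes" >&2; return 1
    fi
    rest=${p#/}                                          # walk the elements
    while [ -n "$rest" ]; do
        elem=${rest%%/*}
        if [ "${#elem}" -gt 255 ]; then
            echo "$p: element '$elem' longer than 255 bytes" >&2; return 1
        fi
        case "$rest" in */*) rest=${rest#*/} ;; *) rest= ;; esac
    done
    return 0
}

# export_paths_conflict A B
# Exit status 0 when A and B cannot coexist on one mount target: they are
# equal, one of them is "/", or one is an element-wise prefix of the other
# ("/example" and "/example/path"; but not "/example" and "/example2").
export_paths_conflict() {
    a=$1; b=$2
    if [ "$a" = / ] || [ "$b" = / ] || [ "$a" = "$b" ]; then return 0; fi
    case "$b" in "$a"/*) return 0 ;; esac
    case "$a" in "$b"/*) return 0 ;; esac
    return 1
}

# secure_export_options CIDR
# Prints export options JSON for oci fs export create --export-options:
# clients in CIDR only, privileged source port required, root squashed
# to UID/GID 65534 (assumed values). Keys are the CLI's camelCase names.
secure_export_options() {
    printf '[{"source":"%s","requirePrivilegedSourcePort":true,"access":"READ_WRITE","identitySquash":"ROOT","anonymousUid":65534,"anonymousGid":65534}]\n' "$1"
}

# create_fss_stack AD COMPARTMENT_OCID SUBNET_OCID EXPORT_PATH CLIENT_CIDR [KMS_KEY_OCID]
# Runs the three commands from this section, waits for each resource to
# become ACTIVE, and prints the export OCID. Display names are assumed.
create_fss_stack() {
    ad=$1; comp=$2; subnet=$3; path=$4; cidr=$5; key=${6:-}
    validate_export_path "$path" || return 1
    fs_id=$(oci fs file-system create --availability-domain "$ad" \
        --compartment-id "$comp" --display-name "app-data" \
        ${key:+--kms-key-id "$key"} \
        --wait-for-state ACTIVE --query 'data.id' --raw-output)
    mt_id=$(oci fs mount-target create --availability-domain "$ad" \
        --compartment-id "$comp" --subnet-id "$subnet" \
        --display-name "app-data-mt" \
        --wait-for-state ACTIVE --query 'data.id' --raw-output)
    # The mount target owns the export set that the export is created in.
    es_id=$(oci fs mount-target get --mount-target-id "$mt_id" \
        --query 'data."export-set-id"' --raw-output)
    oci fs export create --export-set-id "$es_id" --file-system-id "$fs_id" \
        --path "$path" --export-options "$(secure_export_options "$cidr")" \
        --wait-for-state ACTIVE --query 'data.id' --raw-output
}
```

Source the file and call create_fss_stack with the availability domain, compartment OCID, subnet OCID, export path, and the CIDR of the clients that may mount the export; add a key OCID as a sixth argument for a customer-managed key. Before adding a second file system to an existing mount target, run export_paths_conflict against each path already exported there; the service rejects the conflicting export, but checking first keeps the failure out of the create flow.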