Working with NFS Export Options

This topic describes the basic features of NFS export options, and how to control client access to your file system.

Overview

NFS export options enable you to create more granular access control than is possible using just security list rules to limit VCN access. You can use NFS export options to specify access levels for IP addresses or CIDR blocks connecting to file systems through exports in a mount target. Access can be restricted so that each client’s file system is inaccessible and invisible to the other, providing better security controls in multi-tenant environments.

Using NFS export option access controls, you can limit clients' ability to connect to the file system and view or write data. For example, if you want to allow clients to consume but not update resources in your file system, you can set access to Read Only. You can also reduce client root access to your file systems and map specified User IDs (UIDs) and Group IDs (GIDs) to an anonymous UID/GID of your choice. For more information about how NFS export options work with other security layers, see About Security.

Tip

Watch a video about working with NFS export options in File Storage.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in.

For administrators: The policy in Let users create, manage, and delete file systems allows users to manage NFS export options.

If you're new to policies, see Getting Started with Policies and Common Policies.

Exports

Exports control how NFS clients access file systems when they connect to a mount target. File systems are exported (made available) through mount targets. Each mount target maintains an export set which contains one or many exports. A file system may be exported through one or more mount targets. A file system must have at least one export in one mount target in order for instances to mount the file system. The information used by an export includes the file system OCID, mount target OCID, export set OCID, export path, and client export options. Typically, an export is created in a mount target when the file system is created. Thereafter, you can create additional exports for a file system in any mount target that resides in the same availability domain as the file system.

See To create an export for a file system for more information.

NFS Export Options

NFS export options are a set of parameters within the export that specify the level of access granted to NFS clients when they connect to a mount target. An NFS export options entry within an export defines access for a single IP address or CIDR block range.

Each separate client IP address or CIDR block you want to define access for needs a separate export options entry in the export. For example, if you want to set options for NFS client IP addresses 10.0.0.6, 10.0.0.8, and 10.0.0.10, you need to create three separate entries, one for each IP address.

File Storage service considers the listed order of each export options entry for the export. During an NFS request by a client, File Storage service applies the first set of options that matches the client Source IP address. Only the first set is applied; the rest are ignored.

For example, consider the following two export options entries specifying access for an export:

Entry 1: Source: 10.0.0.0/16, Access: Read Only

Entry 2: Source: 10.0.0.8, Access: Read/Write

In this case, clients who connect to the export from IP address 10.0.0.8 have Read Only access. The request Source IP address is contained in the CIDR block specified in the first entry, and File Storage Service applies the options in the first match.

Important

File systems can be associated with one or more exports, contained within one or more mount targets. If the client source IP address does not match any entry on the list for a single export, then that export is not visible to the client. However, the file system could be accessed through other exports on the same or other mount targets. To completely deny client access to a file system, be sure that the client source IP address or CIDR block is not included in any export for any mount target associated with the file system.

The following options can be set to control export access:

  • Source: The IP address or CIDR block of a connecting NFS client.
  • Require Privileged Source Port (true/false): This setting determines whether the NFS clients specified in Source are required to connect from a privileged source port. Privileged ports are ports 1-1023. On Unix-like systems, only the root user can open privileged ports. Setting this value to true disallows requests from unprivileged ports. The default for this setting depends on how the export is created. Creating an export without an explicit ClientOption array sets the requirePrivilegedSourcePort attribute of the client option to false. When you create a ClientOption array explicitly, requirePrivilegedSourcePort defaults to true.

    For example, creating an export in the Console using the default selections sets requirePrivilegedSourcePort to false. Creating an export in the API along with a ClientOption array sets requirePrivilegedSourcePort to true.

Important

When Require Privileged Source Port is set to true, you also have to follow these additional configuration steps: 

  1. When mounting the file system from a Unix-like system, include the resvport option in your mount command. For example:

    sudo mount -o resvport 10.x.x.x:/fs-export-path /mnt/yourmountpoint

    For more information, see Mounting File Systems From Unix-Style Instances.

  2. When mounting the file system from a Windows system, be sure the UseReservedPorts registry key value is set to 1.

    For more information, see Mounting File Systems From Windows Instances.

  • Access (Read_Only, Read_Write): This setting specifies the source NFS client access. If unspecified, defaults to Read_Write.
  • Identity Squash (All, Root, None): This setting determines whether the source clients accessing the file system have their User ID (UID) and Group ID (GID) remapped to anonymousUid and anonymousGid. If you choose All, all users and groups are remapped. If Root, only the root user UID/GID combination 0/0 is remapped. If None, no users are remapped. If unspecified, defaults to None.
  • anonymousUid: This setting is used along with the Identity Squash option. When remapping users, you can use this setting to change the default anonymousUid of 65534 to any user ID of your choice.
  • anonymousGid: This setting is used along with the Identity Squash option. When remapping groups, you can use this setting to change the default anonymousGid of 65534 to any group ID of your choice.
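The matching rules and option semantics above, modelled as an added Python example (this is not Oracle's code; the ClientOptions class, the function names, and the sample entries are constructed for illustration). It applies first-match semantics to an entry list, flags entries that are shadowed by an earlier, broader CIDR block (the ordering mistake in the 10.0.0.0/16 example), checks the privileged-port and access requirements for one request, applies Identity Squash, and reports whether a client can still reach a file system through another export, which is the check the Important note calls for.

```python
import ipaddress
from dataclasses import dataclass

PRIVILEGED_PORT_MAX = 1023  # ports 1-1023 are privileged, as stated above


@dataclass
class ClientOptions:
    """One export options entry. Hypothetical local model; field names mirror
    the page's API example (source, requirePrivilegedSourcePort, access, ...)."""
    source: str                                   # IP address or CIDR block
    require_privileged_source_port: bool = False
    access: str = "READ_WRITE"                    # READ_WRITE or READ_ONLY
    identity_squash: str = "NONE"                 # NONE, ROOT or ALL
    anonymous_uid: int = 65534
    anonymous_gid: int = 65534


def first_match(entries, client_ip):
    """Return the first entry whose source contains client_ip, or None.
    File Storage applies only the first match; later entries are ignored."""
    ip = ipaddress.ip_address(client_ip)
    for entry in entries:
        net = ipaddress.ip_network(entry.source, strict=False)
        if ip.version == net.version and ip in net:
            return entry
    return None


def shadowed_entries(entries):
    """Indexes of entries that can never be selected, because an earlier
    entry's source already contains their whole source range."""
    nets = [ipaddress.ip_network(e.source, strict=False) for e in entries]
    return [
        i for i, net in enumerate(nets)
        if any(net.version == earlier.version and net.subnet_of(earlier)
               for earlier in nets[:i])
    ]


def evaluate_request(entries, client_ip, source_port, write, uid, gid):
    """Model one NFS request against an export's options list.
    Returns ('denied', reason) or ('allowed', effective_uid, effective_gid)."""
    entry = first_match(entries, client_ip)
    if entry is None:
        return ("denied", "no matching entry; export is not visible to this client")
    if entry.require_privileged_source_port and not 1 <= source_port <= PRIVILEGED_PORT_MAX:
        return ("denied", "request did not come from a privileged source port")
    if write and entry.access != "READ_WRITE":
        return ("denied", "export is READ_ONLY for this source")
    # Identity squash: ALL remaps every caller; ROOT remaps only UID/GID 0/0.
    squash_all = entry.identity_squash == "ALL"
    squash_root = entry.identity_squash == "ROOT" and (uid, gid) == (0, 0)
    if squash_all or squash_root:
        uid, gid = entry.anonymous_uid, entry.anonymous_gid
    return ("allowed", uid, gid)


def reachable_exports(exports, client_ip):
    """exports maps an export label (mount target + path) to its options list.
    Returns the labels through which client_ip can still see the file system;
    an empty list means the client is denied on every mount target."""
    return [label for label, entries in exports.items()
            if first_match(entries, client_ip) is not None]


if __name__ == "__main__":
    # Constructed sample: the two-entry example above, broad CIDR listed first.
    entries = [ClientOptions("10.0.0.0/16", access="READ_ONLY"),
               ClientOptions("10.0.0.8", access="READ_WRITE")]
    print(first_match(entries, "10.0.0.8").access)          # READ_ONLY
    print(shadowed_entries(entries))                        # [1]
    # Constructed sample: file system A exported through two mount targets;
    # the second export still exposes it to a client outside Client A's CIDR.
    exports = {"MT1:/fsA": [ClientOptions("10.0.0.0/24")],
               "MT2:/fsA": [ClientOptions("0.0.0.0/0")]}
    print(reachable_exports(exports, "10.2.2.7"))           # ['MT2:/fsA']
```

Running shadowed_entries over a proposed entry list before you update an export is the cheapest way to catch the ordering problem, since the Console lets you move entries up and down; reachable_exports over every export of the file system, on every mount target, is the check for the "completely deny" case.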

Typical Access Control Scenarios

When you create a file system and an export, the NFS export options for that file system are set to the following defaults, which allow full access for all NFS client source connections. Change these defaults if you want to restrict access:

  • Source: 0.0.0.0/0 (All)
  • Require Privileged Source Port: False
  • Access: Read_Write
  • Identity Squash: None

Scenario A: Control Host Based Access

Provide a managed hosted environment for two clients. The clients share a mount target, but each has their own file system, and cannot access each other's data. For example:

  • Client A, who is assigned to CIDR block 10.0.0.0/24, requires Read/Write access to file system A, but not file system B.
  • Client B, who is assigned to CIDR block 10.1.1.0/24, requires Read/Write access to file system B, but not file system A.
  • Client C, who is assigned to CIDR block 10.2.2.0/24, has no access of any kind to file system A or file system B.
  • Both file systems A and B are associated to a single mount target, MT1. Each file system has an export contained in the export set of MT1.

Since Client A and Client B access the mount target from different CIDR blocks, you can set the client options for both file system exports to allow access to only a single CIDR block. Client C is denied access by not including its IP address or CIDR block in the NFS export options for any export of either file system.

Console Example

Set the export options for file system A to allow Read/Write access only to Client A, who is assigned to CIDR block 10.0.0.0/24. Client B and Client C are not included in this CIDR block, and cannot access the file system.

This image shows the export options configuration for file system A.

Set the export options for file system B to allow Read/Write access only to Client B, who is assigned to CIDR block 10.1.1.0/24. Client A and Client C are not included in this CIDR block, and cannot access the file system.

This image shows the export options configuration for file system B.

CLI Example

Set the export options for file system A to allow Read_Write access only to Client A, who is assigned to CIDR block 10.0.0.0/24. Client B and Client C are not included in this CIDR block, and cannot access the file system.

oci fs export update --export-id <File_system_A_export_ID> --export-options '[{"source":"10.0.0.0/24","require-privileged-source-port":"true","access":"READ_WRITE","identity-squash":"NONE","anonymous-uid":"65534","anonymous-gid":"65534"}]'

Set the export options for file system B to allow Read_Write access only to Client B, who is assigned to CIDR block 10.1.1.0/24. Client A and Client C are not included in this CIDR block, and cannot access the file system.

oci fs export update --export-id <File_system_B_export_ID> --export-options '[{"source":"10.1.1.0/24","require-privileged-source-port":"true","access":"READ_WRITE","identity-squash":"NONE","anonymous-uid":"65534","anonymous-gid":"65534"}]'

API Example

Set the export options for file system A to allow READ_WRITE access only to Client A, who is assigned to CIDR block 10.0.0.0/24. Client B and Client C are not included in this CIDR block, and cannot access the file system.

PUT /<Current_API_Version>/exports/<File_System_A_export_OCID>
Host: filestorage.us-phoenix-1.oraclecloud.com
<authorization and other headers>
{
    "exportOptions": [
        {
          "source": "10.0.0.0/24",
          "requirePrivilegedSourcePort": true,
          "access": "READ_WRITE",
          "identitySquash": "NONE",
          "anonymousUid": 65534,
          "anonymousGid": 65534
        }
    ]
}

Set the export options for file system B to allow READ_WRITE access only to Client B, who is assigned to CIDR block 10.1.1.0/24. Client A and Client C are not included in this CIDR block, and cannot access the file system.

PUT /<Current_API_Version>/exports/<File_System_B_export_OCID>
Host: filestorage.us-phoenix-1.oraclecloud.com
<authorization and other headers>
{
    "exportOptions": [
        {
          "source": "10.1.1.0/24",
          "requirePrivilegedSourcePort": true,
          "access": "READ_WRITE",
          "identitySquash": "NONE",
          "anonymousUid": 65534,
          "anonymousGid": 65534
        }
    ]
}

Scenario B: Limit the Ability to Write Data

Provide data to customers for consumption, but don't allow them to update the data.

For example, you'd like to publish a set of resources in file system A for an application to consume, but not change. The application connects from IP address 10.0.0.8.

Console Example

Set the source IP address 10.0.0.8 to Read Only in the export for file system A:

This image shows the export options configuration for file system A.

CLI Example

Set the source IP address 10.0.0.8 to READ_ONLY in the export for file system A:

oci fs export update --export-id <File_System_A_export_OCID> --export-options '[{"source":"10.0.0.8","require-privileged-source-port":"true","access":"READ_ONLY","identity-squash":"NONE","anonymous-uid":"65534","anonymous-gid":"65534"}]'

API Example

Set the source IP address 10.0.0.8 to READ_ONLY in the export for file system A:

PUT /<Current_API_Version>/exports/<File_System_A_export_OCID>
Host: filestorage.us-phoenix-1.oraclecloud.com
<authorization and other headers>
{
    "exportOptions": [
        {
          "source": "10.0.0.8",
          "requirePrivilegedSourcePort": true,
          "access": "READ_ONLY",
          "identitySquash": "NONE",
          "anonymousUid": 65534,
          "anonymousGid": 65534
        }
    ]
}

Scenario C: Improve File System Security

To increase security, you'd like to limit the root user's privileges when connecting to File System A. Use Identity Squash to remap root users to UID/GID 65534. In Unix-like systems, this UID/GID combination is reserved for 'nobody', a user with no system privileges.

CLI Example

oci fs export update --export-id <File_System_A_export_OCID> --export-options '[{"source":"0.0.0.0/0","require-privileged-source-port":"true","access":"READ_WRITE","identity-squash":"ROOT","anonymous-uid":"65534","anonymous-gid":"65534"}]'

API Example

PUT /<Current_API_Version>/exports/<File_System_A_export_OCID>
Host: filestorage.us-phoenix-1.oraclecloud.com
<authorization and other headers>
{
    "exportOptions": [
        {
          "source": "0.0.0.0/0",
          "requirePrivilegedSourcePort": true,
          "access": "READ_WRITE",
          "identitySquash": "ROOT",
          "anonymousUid": 65534,
          "anonymousGid": 65534
        }
    ]
}

Tip

If you don't want a file system to be visible to any clients, you can set all of the properties in the exportOptions array to empty values. For example,

{
   "exportOptions": [
     {
       "source": "",
       "requirePrivilegedSourcePort": "",
       "access": "",
       "identitySquash": ""
     }
   ]
}

Using the Console

To set export options for a file system
  1. Open the navigation menu. Under Core Infrastructure, click File Storage and then click File Systems.
  2. In the List Scope section, select a compartment. All of the file systems in the selected compartment are displayed.
  3. Find the file system you want to set export options for, click the Actions icon (three dots), and then click View File System Details.
  4. In the Exports list, find the export you want to set export options for, click the Actions icon (three dots), and then click View Export Details. If there is no export listed for the file system, you can create one. See To create an export for a file system for more information.

    Tip

    To be sure that you select the correct export, check the following:

  5. Click Edit Export Options.

  6. Make one or more of these changes:

    • Change an export option entry in the list.
    • Click +Another Option to create a new export option entry.
    • Click the Actions icon (three dots) for an entry and move it up or down in the list.
  7. When you're done, click Update.

Using the CLI

For information about using the CLI, see Command Line Interface (CLI).

To create an export

Open a command prompt and run oci fs export create to create an export for a specified file system within a specified export set. This example creates an export along with its NFS export options.

For example:

oci fs export create --export-set-id <export_set_OCID> --file-system-id <file_system_OCID> --path "</pathname>" --export-options '[{"source":"10.0.0.0/16","require-privileged-source-port":"true","access":"READ_WRITE","identity-squash":"NONE","anonymous-uid":"0","anonymous-gid":"0"}]'

Important

Export Path Names

The path must start with a slash (/) followed by a sequence of zero or more slash-separated elements. For any two export resources associated with the same export set, the path element sequence of one export can't contain the complete path element sequence of the other. Paths can't end in a slash. No path element can be a period (.) or two periods in sequence (..). Lastly, no path can exceed 255 bytes.

Examples:

Acceptable:

/example and /path

/example1 and /example2

Not Acceptable:

/example and /example/path

/ and /example

/example/

/example/path/../example1

To update export options

Open a command prompt and run oci fs export update. To update export options for a specified file system, use --export-options.

For example:


oci fs export update --export-id <export_OCID> --export-options '[{"source":"<0.0.0.0/0>","require-privileged-source-port":"true","access":"READ_ONLY","identity-squash":"ROOT","anonymous-uid":"65534","anonymous-gid":"65534"}]'
WARNING: Updates to export-options will replace any existing values. Are you sure you want to continue? [y/N]: y

Tip

If you don't want a file system to be visible to any clients, you can set all of the properties in Client Options to empty values. For example,

oci fs export update --export-id <export_OCID> --export-options '[{"source":"","require-privileged-source-port":"true","access":"READ_ONLY","identity-squash":"ROOT","anonymous-uid":"65534","anonymous-gid":"65534"}]'

To list exports

Open a command prompt and run oci fs export list to list all exports in a specified compartment.

For example:

oci fs export list --compartment-id <compartment_OCID>

To delete an export

Open a command prompt and run oci fs export delete to delete an export.

For example:

oci fs export delete --export-id <export_OCID>

Warning

When you delete an export, you can no longer mount the file system using the file path specified in the deleted export.