6.3. Exporting Data via NFS

Virtuozzo Storage allows you to organize nodes into a highly available NFS cluster in which you can create NFS shares. In Virtuozzo Storage terms, an NFS share is an access point for a volume and as such it can be assigned an IP address or DNS name. The volume, in turn, can be assigned the usual properties: redundancy type, tier, and failure domain. In each share you can create multiple NFS exports, which are the actual exported directories for user data. Each export has, among other properties, a path that, combined with the share’s IP address, uniquely identifies the export on the network and allows you to mount it using standard commands.

On the technical side, NFS volumes are based on object storage. Aside from offering high availability and scalability, object storage eliminates the limit on the number of files and the size of data you can keep in the NFS cluster. Each share is perfect for keeping billions of files of any size. However, such scalability implies I/O overhead that is wasted on file size changes and rewrites. For this reason, a Virtuozzo Storage NFS cluster makes a perfect cold and warm file storage but is not recommended for hot, high-performance, often rewritten data (like running virtual machines). Integration of Virtuozzo Storage with solutions from VMware, for example, is best done via iSCSI to achieve better performance.

Note

Virtuozzo Storage only supports NFS version 4 and newer, including pNFS.

6.3.1. Setting Up an NFS Cluster

Since NFS is based on object storage, creating an NFS cluster is similar to creating an S3 one. Do the following:

  1. Assign the internal Object Storage private role and the public NFS role to a network interface on each node that will be in the NFS cluster. You can do so on the NODES > node > NETWORK screen.

  2. On the SERVICES > NFS screen, select the desired available nodes to add to the NFS cluster.

  3. Click Create NFS cluster.

  4. Make sure that the network interface with the Object Storage private role is selected in the drop-down list of each node. The corresponding interfaces with the public NFS roles will be selected automatically.

    Note

    If necessary, click the cogwheel icon and configure NFS roles on the Network Configuration screen.

  5. Click CREATE.

After the NFS cluster has been created, you can proceed to creating NFS shares.

6.3.2. Creating NFS Shares

To create an NFS share, do the following:

  1. On the SERVICES > NFS > SHARES screen, click ADD NFS SHARE.

  2. On the Add NFS Share panel, specify a unique name and an IP address, which must be unused and, if authentication is enabled, domain-resolvable. Click PROCEED.

  3. In Share size, specify the size of the share in gigabytes. For users accessing exports, this value will be the filesystem size.

  4. Select the desired tier, failure domain, and data redundancy type in the corresponding fields. For more details on these volume properties, see the Virtuozzo Storage 2 Installation Guide.

    Note

    You will be able to change the redundancy mode later.

  5. Click DONE.

After the share has been created, you can proceed to creating NFS exports.

Warning

Do not mount NFS shares on cluster nodes. Doing so may cause the node to freeze.

6.3.3. Creating NFS Exports

To create a user NFS export, do the following:

  1. On the SERVICES > NFS > SHARES screen, click the number in the Exports column in the row of the desired share. This will open the share screen.

  2. On the share screen, create a root export that will contain user exports. To do this, click ADD EXPORT, specify root as the export name and / as path and select the read and write access mode.

    This will create a directory with a default path, e.g., /0200000000000002. The path designates the export location inside the share and is used (alongside the share’s IP address) to mount the export.

    Important

    Do not give the users access to the root export.

  3. Mount the root export (e.g., as described in the Virtuozzo Storage 2 User’s Guide).

  4. In the mounted root export, create a subdirectory for a user export, e.g., export1.

  5. Back on the share screen, click ADD EXPORT, enter a user export name, specify /export1 as path, and select the access mode.

  6. Click Done.

Both the root and user exports are shown in the export list.

6.3.4. Setting Up User Authentication and Authorization

Virtuozzo Storage allows you to authenticate users for access to specific NFS shares via Kerberos and authorize them to access specific NFS exports inside these shares via LDAP.

6.3.4.1. Authenticating NFS Share Users with Kerberos

To enable user authentication in an NFS share, do the following:

  1. Assign a forward and reverse resolvable FQDN (fully qualified domain name) to the share’s IP address.

  2. On the SETTINGS > Security > KERBEROS tab, specify the following Kerberos information:

    1. In Realm, your DNS name in uppercase letters.

    2. In KDC service, the DNS name or IP address of the host running the realm’s KDC (key distribution center) service.

    3. In KDC administration service, the DNS name or IP address of the host running the realm’s KDC administration service.

      Note

      Usually, the KDC and its administration service run on the same host.

  3. On the Kerberos server, perform these steps:

    1. Log in as administrator to the Kerberos database administration program.

    2. Add a principal for the share with the command addprinc -randkey nfs/<share_FQDN>@<realm>. For example:

      # addprinc -randkey nfs/share1.example.com@EXAMPLE.COM
      
    3. Generate a keytab (key table) for the principal and save it to a directory you can upload from. For example:

      # ktadd -k /tmp/krb5.keytab nfs/share1.example.com@EXAMPLE.COM
      
  4. On the SERVICES > NFS > SHARE tab, select a share and click Authentication.

  5. Upload the keytab file and click SAVE.

Important

Each share and client (user that mounts the export) must have its own principal and keytab.
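
The checks below are an added example, not part of the Virtuozzo documentation: run on the Kerberos server before uploading, they confirm that the keytab lists the principal nfs/<share_FQDN>@<realm> with an uppercase realm, that the file (which holds the share's long-term key) is not readable by group or others, and that the share name resolves forward and back. The function names and the sample klist output are constructed for illustration; klist -k and getent hosts are assumed to be available as on a typical MIT Kerberos and glibc host.

```shell
#!/bin/sh
# Added example (not from the Virtuozzo documentation): checks to run on the
# Kerberos server before uploading a share keytab. Function names are made up.

# Print the principal a share needs: nfs/<share_FQDN>@<REALM>.
# Fails if the name is not fully qualified or the realm is not uppercase.
expected_principal() {
    fqdn=$1; realm=$2
    case $fqdn in *.*) ;; *) return 1 ;; esac
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ -n "$realm" ] && [ "$realm" = "$upper" ] || return 1
    printf 'nfs/%s@%s\n' "$fqdn" "$realm"
}

# Succeed if `klist -k` output on stdin lists the given principal.
# Entry lines look like "<KVNO> <principal>"; header lines are skipped.
keytab_has_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { ok = 1 } END { exit !ok }'
}

# Succeed if the file grants nothing to group or others (e.g. mode 0600).
keytab_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeed if the name resolves to an address that resolves back to the name.
# Needs a working resolver, so it is not exercised with sample data here.
fqdn_roundtrip() {
    ip=$(getent hosts "$1" | awk '{ print $1; exit }')
    [ -n "$ip" ] && [ "$(getent hosts "$ip" | awk '{ print $2; exit }')" = "$1" ]
}

# Constructed sample of `klist -k /tmp/krb5.keytab` output.
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/tmp/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 nfs/share1.example.com@EXAMPLE.COM
   2 nfs/share1.example.com@EXAMPLE.COM
EOF
}
```

Against a real keytab, pipe `klist -k /tmp/krb5.keytab` into `keytab_has_principal` in place of `sample_klist`, and delete the keytab from /tmp once it has been uploaded.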

6.3.4.2. Authorizing NFS Export Users with LDAP

By configuring access to a user directory via LDAP, you can control which users can access which NFS exports. You will need a directory of user accounts with desired NFS access parameters.

To configure access to an LDAP server, do the following:

  1. On the SETTINGS > Security > LDAP tab, specify the following information:
    • Address, the IP address of the LDAP server;
    • Base DN, the distinguished name of the search starting point;
  2. Click Save.