When can I enable the lifecycle management feature?

You can enable the lifecycle management feature to save costs if the files in a General-purpose Apsara File Storage NAS file system are accessed less than twice per month. The files that meet a specified lifecycle management policy are automatically transferred to the Infrequent Access (IA) storage medium and are then billed at the rate for the IA storage medium.

Why am I unable to configure lifecycle management policies for my file system?

You cannot enable the lifecycle management feature or configure lifecycle management policies if the General-purpose NAS file system was created before June 1, 2020. The lifecycle management feature is also unavailable for General-purpose NAS file systems that use the Server Message Block (SMB) protocol or whose data encryption feature is enabled. In the Product Announcement section of the NAS console, you can view the updates of the lifecycle management feature.

How do I configure lifecycle management policies?

To configure lifecycle management policies, use the NAS console or OpenAPI Explorer. For more information, see Manage a lifecycle management policy and API reference for lifecycle management policies.

When is a file transferred to the IA storage medium?

A file is transferred to the IA storage medium only if the file meets the following conditions:
  • A lifecycle management policy is configured for the directory where the file resides.
  • The size of the file is at least 64 KB.
  • The file is not accessed during the period of time that is specified in the lifecycle management policy.
    When you create a lifecycle management policy, you can specify a rule to transfer the files that are not accessed for 14 days, 30 days, 60 days, or 90 days to the IA storage medium. The lifecycle management feature can check whether a file is not accessed for a period of time based on the last access time (atime) of the file.
    • The following operations update the atime of a file:
      • Read data from the file
      • Write data to the file
    • The following operations do not update the atime of a file:
      • Rename the file
      • Modify the user, group, mode, or other attributes of the file
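
To estimate which files a policy would transfer before you configure it, you can apply the size and atime conditions above from a client that has the file system mounted. The following script is an added example, not part of the NAS documentation or tooling; it relies on the atime that the client reports, treats "not accessed for N days" as idle for at least N full days (an assumption), and cannot tell which files are already in the IA storage medium.

```python
import os
import stat
import time

MIN_SIZE = 64 * 1024             # files smaller than 64 KB are never transferred
ALLOWED_DAYS = (14, 30, 60, 90)  # thresholds a policy rule can specify
DAY = 86400

def is_candidate(size, atime, threshold_days, now):
    """True if the size and last access time meet both file-level conditions."""
    if threshold_days not in ALLOWED_DAYS:
        raise ValueError(f"threshold must be one of {ALLOWED_DAYS}")
    # Assumption: "not accessed for N days" means idle for at least N full days.
    return size >= MIN_SIZE and (now - atime) >= threshold_days * DAY

def find_candidates(root, threshold_days, now=None):
    """Return sorted (path, size, idle_days) for regular files under root that qualify."""
    now = time.time() if now is None else now
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            if is_candidate(st.st_size, st.st_atime, threshold_days, now):
                found.append((path, st.st_size, int((now - st.st_atime) // DAY)))
    return sorted(found)

if __name__ == "__main__":
    import sys
    # Usage: script.py <mount directory> <14|30|60|90>
    for path, size, idle in find_candidates(sys.argv[1], int(sys.argv[2])):
        print(f"{idle:4d} d  {size:>12d} B  {path}")
```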

What happens if multiple lifecycle management policies are configured for a single directory?

The files in the directory are transferred to the IA storage medium if the files meet a rule in one of the lifecycle management policies.

What happens if the lifecycle management policies that are configured for a directory and its subdirectory are different?

The files in the subdirectory are transferred to the IA storage medium based on both policies.

For example, if a policy whose atime threshold is 60 days is configured for a directory and a policy whose atime threshold is 14 days is configured for the subdirectory, the files in the subdirectory that are not accessed for 14 days are transferred to the IA storage medium. Then, the files in the IA storage medium are skipped when the lifecycle management feature checks for infrequently accessed files based on the policy of the parent directory.

Is a lifecycle management policy valid for all data in the specified directory?

Yes, a lifecycle management policy is valid for all data in the specified directory. If the file data in the directory meets the lifecycle management policy, the data is automatically transferred to the IA storage medium.

How long does a lifecycle management policy require to take effect?

A lifecycle management policy requires less than 2 hours to take effect. Therefore, the first file that meets a rule in the policy is transferred to the IA storage medium within 2 hours after the policy is configured.

How is the lifecycle management feature affected if a directory is renamed?

If you rename a directory for which a lifecycle management policy is configured, the lifecycle management policy no longer applies to the files in the directory. The files in the IA storage medium remain in the IA storage medium.

If you configure a lifecycle management policy for the renamed directory, the files in the directory that meet the rule in the policy are transferred to the IA storage medium.

What happens if a lifecycle management policy is deleted?

The files in the directory for which the policy is configured will no longer be transferred to the IA storage medium. The files in the IA storage medium remain in the IA storage medium.

Are the files in a directory repeatedly transferred to the IA storage medium if a policy is deleted and reconfigured for the directory?

No, the files are not repeatedly transferred to the IA storage medium. After you reconfigure the policy, the lifecycle management feature checks for files that meet a rule in the policy. The files in the IA storage medium are skipped in the check. This prevents repeated file transfers.

Are the files in the IA storage medium accessible?

Yes, you can read and write the files in the IA storage medium the same way as you read and write other files in a file system.

Why is Resource Access Management (RAM) authorization required when I create a mount target in the classic network?

RAM authorization is required because the classic network does not support resource isolation at the network layer. To ensure data security, NAS allows only the ECS instances of your Alibaba Cloud account to access the file systems by using mount targets in the classic network. To enable NAS to query the ECS instances of your Alibaba Cloud account, you must use RAM to authorize NAS.
Notice
  • After the authorization, NAS has only permissions to call the DescribeInstances operation. NAS uses the ECS instances only for authentication.
  • We recommend that you do not delete or modify the AliyunNASDefaultRole role in RAM. Otherwise, exceptions such as mount failure may occur.

How can I obtain an AccessKey pair?

To obtain an AccessKey pair, create an AccessKey pair for an Alibaba Cloud account or a RAM user. When you call API operations, you must use the AccessKey pair to complete identity authentication.

An AccessKey pair consists of an AccessKey ID and an AccessKey secret.
  • The AccessKey ID is used to identify a user.
  • The AccessKey secret is used to verify the identity of the user. You must keep the AccessKey secret strictly confidential.
Notice: We recommend that you use the AccessKey pair of a RAM user to call API operations. This prevents the AccessKey pair of your Alibaba Cloud account from being leaked. If the AccessKey pair of your Alibaba Cloud account is leaked, your resources are exposed to potential risks.
  1. Log on to the Alibaba Cloud Management Console by using your Alibaba Cloud account.
  2. Move the pointer over the profile picture in the upper-right corner of the page and click AccessKey Management.
  3. In the Note dialog box, click Use Current AccessKey Pair or Use AccessKey Pair of RAM User.
    • Create an AccessKey pair for the Alibaba Cloud account.
      1. In the Note dialog box, click Use Current AccessKey Pair.
      2. On the AccessKey Management page, click Create AccessKey.
      3. In the Phone Verification dialog box, enter the verification code in the Verification Code field and click OK.
      4. In the Create AccessKey dialog box, view the AccessKey ID and AccessKey secret.

        You can click Save AccessKey Information to download the AccessKey pair.

    • Obtain the AccessKey pair of the RAM user.
      1. In the Note dialog box, click Use AccessKey Pair of RAM User.
      2. On the Users page of the RAM console, click Create User.

        Skip this step if you want to create an AccessKey pair for an existing RAM user.

      3. In the left-side navigation pane, choose Identities > Users and find the RAM user.
      4. Click the logon name of the RAM user to go to the details page. In the User AccessKeys section of the Authentication tab, click Create AccessKey.
        Note
        • You can create a maximum of two AccessKey pairs for each RAM user.
        • After you create an AccessKey pair, you cannot view the AccessKey secret in the RAM console. We recommend that you keep the AccessKey secret strictly confidential.
      5. In the Phone Verification dialog box, enter the verification code in the Verification Code field and click OK.
      6. In the Create AccessKey dialog box, view the AccessKey ID and AccessKey secret.

        You can click Download CSV File or Copy to save the AccessKey pair.

How can I use the server-side encryption feature of NAS?

When you create a file system, you can select Service Key or Custom Key in the Data Encryption field of the buy page based on your business requirements. For more information, see Create a General-purpose NAS file system and Create an Extreme NAS file system.

Is the server-side encryption feature available on a file system for which this feature is disabled?

No, the server-side encryption feature is unavailable. You can enable the server-side encryption feature only when you create a file system.

Can I disable the server-side encryption feature on a file system for which this feature is enabled?

No, you cannot disable the server-side encryption feature. The server-side encryption feature takes effect immediately after this feature is enabled. In this case, you cannot disable the feature.

Can I change the key that is used to encrypt a file system?

No, you cannot change the key that is used to encrypt a file system. When you create a file system, a key is specified to encrypt the file system. The key that is specified to encrypt the file system cannot be changed.

Which data encryption method do I need to select, NAS-managed key or custom key?

Both data encryption methods use KMS to host keys and envelope encryption to protect against unauthorized data access.

If your security requirements call for bring-your-own-key (BYOK) keys, use custom keys. For other scenarios, we recommend that you use NAS-managed keys.
Notice: A custom key that is used to encrypt a NAS file system may be disabled or deleted. In this case, the NAS file system cannot be accessed.

If a CMK that applies to a NAS file system is disabled or deleted by mistake, how can I restore access to the data of the NAS file system?

  • If you disable a CMK, re-enable the required CMK.
  • If you schedule a task to delete a key, cancel the scheduled task. For more information, see Schedule the deletion of a CMK.
  • If the key material of a BYOK key is deleted, re-upload the original key material. For more information, see Import key material.
  • If the destination CMK is deleted, the CMK cannot be restored. In this case, the data of the related file system cannot be accessed.

After I enable the server-side encryption feature, do I need an application to decrypt data each time that I access the required data?

No, you do not need an application to decrypt data. Data encryption and decryption are automated by NAS. You do not need an application to perform these operations.

Is the performance of a file system affected after the server-side encryption feature is enabled?

Yes, the performance is affected. After the server-side encryption feature is enabled for a file system, NAS encrypts data that is written to the file system. When you read data from the file system, the data is automatically decrypted. The read/write performance of a file system is subject to the size of a block that is accessed during each read or write operation. If two file systems have the same type and specification and the server-side encryption feature is enabled for only one of them, the performance of the encrypted file system is 5% to 25% lower than the performance of the other file system. For more information, see What affects the read and write performance of a file system related to?

Does NAS support the inotify subsystem?

No, NAS does not support the inotify subsystem. A combination of the inotifywait and rsync commands is a common solution for real-time data backup and synchronization. However, the inotifywait command cannot be used as normal on NAS file systems due to the implementation of the inotify subsystem.

  • How inotifywait works

    The inotifywait command is a user-mode interface of the Linux inotify subsystem that is implemented at the Virtual File System (VFS) layer. After you run the inotifywait command, changes to files are monitored at the VFS layer. If a file is created, deleted, or modified, the name of the file and the type of the operation are returned to the user-mode inotifywait process. Then, the inotifywait command returns the information.

  • Known issues
    The inotify subsystem is implemented at the VFS layer of the kernel. Therefore, the inotifywait process on a Network File System (NFS) client of an NFS file system cannot detect the operations that other clients perform on the file system. For example, a NAS file system is mounted on Client A and Client B at the same time. If you start an inotifywait process on Client A to listen to the mount directory, the process behaves as follows:
    • The inotifywait process can detect the operations that Client A performs on the files of the file system.
    • The inotifywait process cannot detect the operations that Client B performs on the files of the file system.
  • Alternative solution
    You can use the FAM subsystem to fix the issue. The FAM subsystem is implemented in user mode. An FAM daemon scans the directories in a file system on a regular basis to detect changes. However, the FAM subsystem has the following drawbacks:
    • You must write code to call the required FAM operation in your programs.
    • If a large number of files are monitored, the performance of the FAM subsystem may be compromised. Many resources are consumed and the timeliness of file monitoring cannot be guaranteed.
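
The scan-and-compare approach described above can be sketched in a few lines. The following poller is an added example, not FAM and not code from the NAS documentation: it snapshots the mounted directory at a fixed interval and reports created, deleted, and modified files by comparing modification time and size, so it also sees changes that Client B made. The function names and the 30-second interval are assumptions for illustration.

```python
import os
import time

def snapshot(root):
    """Map each relative file path under root to (mtime_ns, size)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # removed between directory listing and stat
            state[os.path.relpath(path, root)] = (st.st_mtime_ns, st.st_size)
    return state

def diff(old, new):
    """Return sorted (event, path) tuples for the changes between two snapshots."""
    events = [("CREATE", p) for p in new.keys() - old.keys()]
    events += [("DELETE", p) for p in old.keys() - new.keys()]
    events += [("MODIFY", p) for p in old.keys() & new.keys() if old[p] != new[p]]
    return sorted(events)

def watch(root, interval=30.0, on_events=print):
    """Rescan root every `interval` seconds and pass any changes to on_events."""
    previous = snapshot(root)
    while True:
        time.sleep(interval)
        current = snapshot(root)
        events = diff(previous, current)
        if events:
            on_events(events)  # e.g. trigger rsync or write an audit record
        previous = current

if __name__ == "__main__":
    import sys
    watch(sys.argv[1])  # pass the mount directory of the NAS file system
```

Each scan stats every file, so cost grows with the number of files monitored, which is the same drawback listed for FAM. Changes made by another client become visible only after this client's NFS attribute cache refreshes, so detection latency is the scan interval plus that cache time.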