The transmission encryption feature of Apsara File Storage NAS uses the TLS protocol to protect the data transmitted between your ECS instances and NAS file systems against interception and tampering. This topic describes how to use the NAS client to encrypt data in transit.

Implementation

The NAS client defines a file system type named alinas that is used with the standard mount command in the same way as NFS. If you specify the tls option when you mount an alinas file system on an ECS instance, the NAS client starts a Stunnel process that accepts the NFS requests from the instance on a loopback address, encrypts them with TLS, and forwards them to the NAS server. The client also starts a background process named aliyun-alinas-mount-watchdog that keeps the Stunnel process running.

Usage notes

  • Operating systems supported by the NAS client
    Type Version
    Alibaba Cloud Linux
    • Alibaba Cloud Linux 2.1903 64-bit
    Red Hat
    • Red Hat Enterprise Linux 7.x 64-bit
    • Red Hat Enterprise Linux 8.x 64-bit
    CentOS
    • CentOS 7.x 64-bit
    • CentOS 8.x 64-bit
    Ubuntu
    • Ubuntu 16.04 64-bit
    • Ubuntu 18.04 64-bit
    • Ubuntu 20.04 64-bit
    Debian
    • Debian 9.x 64-bit
    • Debian 10.x 64-bit
  • Performance loss during transmission encryption

    Compared with a file system for which transmission encryption is disabled, access to a file system with transmission encryption enabled has about 10% higher latency and about 10% lower IOPS.

  • Usage notes of the NAS client
    • The NAS client uses the Stunnel process as a TLS encryption wrapper. For high-throughput applications, the Stunnel process consumes a large amount of CPU for encryption and decryption. In extreme cases, each mount consumes an entire CPU core.
    • The NAS client requires a third-party certificate for transmission encryption, and the certificate must be renewed at regular intervals. NAS notifies you one month in advance by email and internal message. After you receive a notification, update the NAS client tool aliyun-alinas-utils as soon as possible. Otherwise, the file systems mounted with transmission encryption stop responding after the certificate expires.
    • The NAS client modifies the /etc/hosts file of the ECS instance: when you mount a file system, an entry for the mount target is written to /etc/hosts, and when you unmount the file system, the entry is removed. If you manage /etc/hosts with configuration management tooling, make sure that it does not overwrite these entries while a file system is mounted.
    • When the NAS client uses the Stunnel process as a TLS encryption wrapper, the Stunnel process listens on port 12049 of an IP address in the range 127.0.1.1 to 127.0.255.254. Make sure that this address range and port are available.

      You can run the ss -ant | grep -w 12049 command to check whether the port is occupied. If no output is returned, the port is available. If the port is occupied, modify the configuration file. For more information, see How to modify the configuration file of a NAS client.
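The grep above matches the number 12049 anywhere in the ss output, so an established connection whose peer port happens to be 12049 would also look like a conflict. As an added example, not part of this page or of the aliyun-alinas-utils package, the following POSIX shell script restricts the check to sockets in the LISTEN state on the proxy port. It assumes the documented default port 12049 and parses ss -ant output; the sample output embedded in it is constructed.

```shell
#!/bin/sh
# Pre-flight check for the NAS client's Stunnel listener.
# Added example; not from the Alibaba Cloud page or the aliyun-alinas-utils package.
# Assumptions: the proxy port is 12049 (the documented default) and the input is
# the output of "ss -ant" (a header line followed by one socket per line).

PROXY_PORT="${PROXY_PORT:-12049}"

# port_listeners PORT   (reads ss -ant output on stdin)
# Prints the local address:port of every LISTEN socket bound to PORT and
# nothing when the port is free. Handles IPv4, IPv6 ([::]:PORT) and *:PORT.
port_listeners() {
    awk -v p="$1" '
        $1 == "LISTEN" {
            addr = $4                        # "Local Address:Port" column
            n = split(addr, parts, ":")      # the port is the last component
            if (parts[n] == p) print addr
        }'
}

# check_port PORT   (reads ss -ant output on stdin)
# Returns 0 when PORT is free and 1 when a listener already holds it.
check_port() {
    listeners=$(port_listeners "$1")
    if [ -n "$listeners" ]; then
        printf 'port %s is already in use by a listener on:\n%s\n' "$1" "$listeners" >&2
        return 1
    fi
    printf 'port %s is free\n' "$1"
    return 0
}

# Constructed ss -ant output: sshd on 22, a stale Stunnel on 127.0.1.1:12049,
# and one established SSH session. Used only for the demonstration below.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.1.1:12049     0.0.0.0:*
ESTAB  0      0      10.0.0.5:22         10.0.0.9:51234'

# Demonstration on the constructed sample: the stale listener is reported.
if printf '%s\n' "$SAMPLE_SS" | check_port "$PROXY_PORT"; then
    echo "safe to mount with -o tls"
else
    echo "free the port or change proxy_port in alinas-utils.conf"
fi

# Live usage on an ECS instance (requires iproute2):
#   ss -ant | check_port "$PROXY_PORT"
```

Run the live form before the first encrypted mount and again after changing proxy_port; the function returns non-zero on a conflict, so it can gate a provisioning script.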

Regional availability

Transmission encryption is supported by General-purpose NAS in the US (Silicon Valley), US (Virginia), UK (London), and Australia (Sydney) regions.

Step 1: Download and install a NAS client

  1. Download the NAS client package for your operating system. The packages are served over HTTPS, but this page publishes no checksum or signature for them; verify a package out of band before you install it on production instances.
    • Alibaba Cloud Linux
      wget https://aliyun-encryption.oss-cn-beijing.aliyuncs.com/aliyun-alinas-utils-1.0-1.al7.noarch.rpm
    • Red Hat Enterprise Linux 7.x and CentOS 7.x
      wget https://aliyun-encryption.oss-cn-beijing.aliyuncs.com/aliyun-alinas-utils-1.0-1.el7.noarch.rpm
    • Red Hat Enterprise Linux 8.x and CentOS 8.x
      wget https://aliyun-encryption.oss-cn-beijing.aliyuncs.com/aliyun-alinas-utils-1.0-1.el8.noarch.rpm
    • Ubuntu and Debian
      wget https://aliyun-encryption.oss-cn-beijing.aliyuncs.com/aliyun-alinas-utils-1.0-1.deb
  2. Install the NAS client.
    • Alibaba Cloud Linux and CentOS
      sudo yum install aliyun-alinas-utils-*.rpm
    • Red Hat Enterprise Linux
      sudo yum --disablerepo=rhui-rhel-7-server-rhui-extras-debug-rpms install aliyun-alinas-utils-*.rpm
    • Ubuntu and Debian
      sudo apt update
      sudo dpkg -i aliyun-alinas-utils-*.deb
      sudo apt-get install -f
      sudo dpkg -i aliyun-alinas-utils-*.deb
  3. Check whether the NAS client is installed.
    which mount.alinas
    If the command prints the path of the mount.alinas helper, the installation succeeded.

Step 2: Mount the file system through transmission encryption

  1. Mount the NFS file system.
    • NFSv3 protocol
      sudo mount -t alinas -o tls,vers=3 file-system-id.region.nas.aliyuncs.com:/ /mnt
    • NFSv4.0 protocol
      sudo mount -t alinas -o tls,vers=4.0 file-system-id.region.nas.aliyuncs.com:/ /mnt
    The following table describes the parameters that are used in the mount command.
    Note The NAS client uses mount parameters that provide optimal performance, so you do not need to set them yourself. For more information, see Mount parameters.
    Parameter Description
    file-system-id.region.nas.aliyuncs.com:/ /mnt The syntax is <Domain name of the mount target>:<Name of the shared directory> <Path of the mount point>. Replace the domain name, shared directory, and mount point as required.
    • <Domain name of the mount target>: Log on to the NAS console and obtain the domain name of the mount target on the details page of the file system. For more information, see View the list of mount targets.
    • <Name of the shared directory>: The root directory (/) or a subdirectory of the file system. If you specify a subdirectory, for example, /share, make sure that the subdirectory exists.
    • <Path of the mount point>: A directory on the Linux ECS instance, for example, /mnt. Make sure that the directory exists.
    vers The NFS protocol version.
    • vers=3: Mounts the file system by using NFSv3.
    • vers=4.0: Mounts the file system by using NFSv4.0.
    tls Enables TLS encryption of the transmission. Without this option, the file system is mounted without encryption.
  2. Run the mount -l command to view the mount result.
    If the output contains an entry for the mount point, for example /mnt, the encrypted mount succeeded. After the file system is mounted, you can run the df -h command to view the capacity of the file system.
  3. Optional: Enable automatic mount at startup.
    When the ECS instance to which the file system is mounted restarts, the mount is lost. To mount the NFS file system automatically at startup, edit the /etc/fstab configuration file on the Linux ECS instance.
    1. Open the /etc/fstab configuration file and add the following line:
      file-system-id.region.nas.aliyuncs.com:/ /mnt alinas _netdev,tls 0 0
      For more information, see Mount parameters. Description of the parameters:
      Parameter Description
      _netdev Marks the entry as a network file system so that it is not mounted before the network is up.
      0 (the first value after tls) Specifies whether the dump command backs up the file system. A non-zero value means that the file system is backed up. For NAS file systems, use 0.
      0 (the second value after tls) Specifies the order in which the fsck command checks file systems at startup. For NAS file systems, use 0, which means that fsck is not run at startup.
    2. Run the reboot command to restart the ECS instance.
      Note Before you restart the ECS instance, make sure that the manual mount succeeds. Otherwise, the ECS instance may fail to start. If automatic mount is enabled, you can run the df -h command after the restart to view the mounted NAS file systems.

NAS client logs

You can locate mount errors in the NAS client log files in the /var/log/aliyun/alinas/ directory. You can also configure NAS client logging by modifying the parameters in the configuration file /etc/aliyun/alinas/alinas-utils.conf. After you modify the configuration file, run the sudo service aliyun-alinas-mount-watchdog restart command to restart the background watchdog.

The following table describes the parameters in the log configuration file.
Parameter Description
logging_level The log level. Default value: INFO.
logging_max_bytes The maximum size of a single log file, in bytes. Default value: 1048576 (1 MB).
logging_file_count The maximum number of log files that are retained. Default value: 10.
stunnel_debug_enabled Specifies whether Stunnel writes debug logs. Default value: false. Debug logs consume a large amount of storage.
stunnel_check_cert_hostname Specifies whether Stunnel checks that the host name in the server certificate matches the expected host name. Default value: false.
stunnel_check_cert_validity Specifies whether Stunnel verifies the validity of the server certificate. Default value: false.

Note With stunnel_check_cert_hostname and stunnel_check_cert_validity both left at false, the TLS session encrypts traffic but the client does not authenticate the NAS server, so an attacker who can redirect the connection to a server with any certificate is not detected. Set both parameters to true, restart the watchdog, and confirm that the file system still mounts.

Troubleshoot errors

  • Issue
    When you mount the file system, an error is returned indicating that the port on which Stunnel listens is occupied.
  • Possible cause

    The IP address or port 12049 on which Stunnel listens is used by another process. As a result, the file system fails to be mounted.

  • Solution
    • Solution 1: Find the process that uses port 12049, for example by running sudo ss -antp | grep -w 12049, terminate it, and then mount the file system again.
    • Solution 2: Edit the client configuration file /etc/aliyun/alinas/alinas-utils.conf, set the proxy_port parameter to an unused port number, restart the watchdog, and then mount the file system again.