Function Compute: Configure an OSS file system

Last Updated: Jul 18, 2023

Object Storage Service (OSS) is a secure, cost-effective, and highly reliable cloud storage service. OSS allows you to store large amounts of data in the cloud. Function Compute can seamlessly integrate with OSS. You can configure an OSS file system for a service in Function Compute. After you mount an OSS file system to the service, functions in the service can access the OSS file system in the same way they access an on-premises file system.

Limits

  • You can configure a maximum of five NAS mount targets and five OSS mount targets for a service in Function Compute in a region.

  • A NAS mount target and an OSS mount target cannot use the same local directory in the function runtime.

For more information about how to configure a mount target of a NAS file system, see Configure a NAS file system.

Before you begin

Configure OSS mounting

After an OSS mount target is configured for a service in Function Compute, all functions in the service can access files in the specified OSS bucket.

  1. Log on to the Function Compute console. In the left-side navigation pane, click Services & Functions.
  2. In the top navigation bar, select a region. On the Services page, find the desired service and click Configure in the Actions column.
  3. In the Storage Configuration section on the Modify Service page, configure the following parameters and click Save.

    • Mount OSS: Specify whether to enable the OSS file system. Valid values:

      • Enable: enables the OSS file system.

      • Disable: disables the OSS file system.

    • OSS Mount Target: Configure the OSS mount targets.

      • Bucket: Select an existing bucket. To create an OSS bucket, click Create OSS Bucket in the lower part to go to the OSS console and create a bucket. For more information about the billing of OSS, see Billing overview.

      • Bucket Subdirectory: Specify a subdirectory in the bucket. If you leave this parameter empty or set this parameter to /, the root directory of the bucket is mounted. If the parameter is not empty, the bucket subdirectory must be an absolute path and must already exist in the bucket. You can log on to the OSS console to create a directory for the bucket.

      • OSS Endpoint: Select the endpoint. By default, the endpoint of the bucket is used. You can select Custom Endpoint to change the value of the endpoint based on your business requirements. For more information about OSS endpoints in different regions, see Regions and endpoints.

      • Local directory of a function: Specify the local directory in the function runtime environment. The directory must be a subdirectory of /home, /mnt, or /data.

      • Permissions on the local directory of the function: Select the permissions on the directory after the bucket is mounted to the local directory in the function runtime. You can select Read-only or Read and Write.

      Note
      • If you select a bucket in the same region as the service in Function Compute, we recommend that you use an OSS internal endpoint. If you select a bucket in a different region, you must use a public endpoint. In this case, you are charged for outbound traffic over the Internet. For more information about the formats of OSS endpoints, see Regions and endpoints.

      • The OSS mounting feature depends on the network configurations of the service. If you set Access to VPC to Yes and Access to Internet to No, you must use a public OSS endpoint so that the functions can access the Internet through the specified VPC. For more information, see Configure static public IP addresses.

FAQ

What do I do if OSS mounting fails and the bucket not found or bucket path does not exist error is reported?

  • Make sure that the OSS endpoint and bucket name are correct.

  • Check whether the subdirectory of the bucket is correct and whether the specified directory exists in the bucket. For example, if you specify the subdirectory of a bucket as /folderA or /folderA/, the bucket must contain the folderA/ object. An error is reported if only the following objects exist: folderA (no / at the end), folderA/file, or folderA/folderB/.

  • Check whether the static website hosting feature is enabled for the bucket. For example, if you enable the static website hosting feature of OSS and set the homepage name of the subdirectory to index.html, Function Compute requests OSS to check whether the /subdir subdirectory of the bucket exists. OSS checks whether the subdir/index.html object exists and reports an error message if the object does not exist. For more information, see Configuration examples.
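
The mount rules above (allowed local directories, no overlap with NAS mount targets, the five-target limit, and the folderA/ directory object) can be checked before you save the configuration. The following Python check is an added example, not Alibaba Cloud code; the function names, dictionary keys, and sample data are constructed for illustration.

```python
import posixpath

ALLOWED_ROOTS = ("/home", "/mnt", "/data")  # allowed parents for the local directory
MAX_OSS_TARGETS = 5                         # per service in a region


def marker_exists(subdir, object_keys):
    """True if the bucket contains the directory object the mount check looks for."""
    prefix = subdir.strip("/")
    # An empty subdirectory or "/" mounts the bucket root and needs no marker.
    return not prefix or prefix + "/" in set(object_keys)


def preflight(oss_mounts, nas_local_dirs, keys_by_bucket):
    """Return a list of (local_dir, problem) for the proposed OSS mount targets."""
    problems = []
    if len(oss_mounts) > MAX_OSS_TARGETS:
        problems.append(("*", "more than five OSS mount targets"))
    nas = {posixpath.normpath(d) for d in nas_local_dirs}
    for m in oss_mounts:
        # normpath collapses "..", so /mnt/../etc is not accepted as under /mnt.
        local = posixpath.normpath(m["local_dir"])
        if not any(local.startswith(root + "/") for root in ALLOWED_ROOTS):
            problems.append((m["local_dir"], "not a subdirectory of /home, /mnt, or /data"))
        if local in nas:
            problems.append((m["local_dir"], "same local directory as a NAS mount target"))
        subdir = m.get("subdir", "")
        if subdir and not subdir.startswith("/"):
            problems.append((m["local_dir"], "bucket subdirectory is not an absolute path"))
        elif not marker_exists(subdir, keys_by_bucket.get(m["bucket"], [])):
            problems.append((m["local_dir"], "directory object missing in bucket"))
    return problems


if __name__ == "__main__":
    # Constructed sample: the bucket holds folderA/file but no folderA/ object.
    mounts = [{"local_dir": "/mnt/oss", "bucket": "bucketName", "subdir": "/folderA"}]
    print(preflight(mounts, ["/mnt/nas"], {"bucketName": ["folderA/file"]}))
```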

What do I do if OSS mounting fails and the host resolv error or deadline exceeded error is reported?

Check whether the endpoint is correctly configured.

  • The host resolv error is reported if the domain name in the endpoint cannot be resolved.

  • Internal endpoints cannot be used across regions. If you use an internal endpoint in another region, a connection timeout error occurs and the deadline exceeded error is reported.

What do I do if OSS mounting fails and the invalid credentials error is reported?

Check whether the RAM role that you configured for the service has the required permissions on OSS. For more information, see Grant Function Compute permissions to access other Alibaba Cloud services. The required permissions depend on the permissions that you selected for the local directory:

  • Read-only: oss:ListObjects and oss:GetObject.

  • Read and write: oss:ListObjects, oss:GetObject, oss:PutObject, oss:DeleteObject, oss:ListParts, and oss:AbortMultipartUpload.

Note

oss:ListObjects is a bucket-level action. If you grant access to a specific bucket, the policy must include the bucket-level resource, such as acs:oss:*:*:bucketName. For more information, see Resource element in RAM policies for OSS.

How do I use a permission policy to allow only read-only access to a specified bucket?

The following is an example policy. Replace bucketName in the example with the actual name of your bucket. For more information, see Overview of RAM policies.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:ListObjects",
        "oss:GetObject"
      ],
      "Resource": [
        "acs:oss:*:*:bucketName",
        "acs:oss:*:*:bucketName/*"
      ],
      "Effect": "Allow"
    }
  ]
}

How do I use a permission policy to allow read and write access to a specified bucket?

The following is an example policy. Replace bucketName in the example with the actual name of your bucket. For more information, see Overview of RAM policies.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:ListObjects",
        "oss:GetObject",
        "oss:PutObject",
        "oss:DeleteObject",
        "oss:AbortMultipartUpload",
        "oss:ListParts"
      ],
      "Resource": [
        "acs:oss:*:*:bucketName",
        "acs:oss:*:*:bucketName/*"
      ],
      "Effect": "Allow"
    }
  ]
}

How do I use a permission policy to allow only read-only access to the subdirectories of a specified bucket?

The following is an example policy. Replace bucketName in the example with the actual name of your bucket and replace bucketPath with the subdirectory of your bucket. For more information, see Overview of RAM policies.

{
  "Version": "1",
  "Statement": [
    {
      "Action": "oss:ListObjects",
      "Effect": "Allow",
      "Resource": [
        "acs:oss:*:*:bucketName"
      ],
      "Condition": {
        "StringLike": {
          "oss:Prefix": [
            "bucketPath/*"
          ]
        }
      }
    },
    {
      "Action": [
        "oss:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:oss:*:*:bucketName/bucketPath/*"
      ]
    }
  ]
}

How do I use a permission policy to allow read and write access to subdirectories of a specified bucket?

The following is an example policy. Replace bucketName in the example with the actual name of your bucket and replace bucketPath with a subdirectory of your bucket. For more information, see Overview of RAM policies.

{
  "Version": "1",
  "Statement": [
    {
      "Action": "oss:ListObjects",
      "Effect": "Allow",
      "Resource": [
        "acs:oss:*:*:bucketName"
      ],
      "Condition": {
        "StringLike": {
          "oss:Prefix": [
            "bucketPath/*"
          ]
        }
      }
    },
    {
      "Action": [
        "oss:GetObject",
        "oss:PutObject",
        "oss:DeleteObject",
        "oss:AbortMultipartUpload",
        "oss:ListParts"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:oss:*:*:bucketName/bucketPath/*"
      ]
    }
  ]
}
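
To confirm that a RAM policy grants exactly the actions a mount needs, and that oss:ListObjects is granted on the bucket-level resource, you can audit the policy document against the mount settings. The following Python check is an added example, not Alibaba Cloud code; the function names and the sample policy are constructed, and the check assumes that the mount lists objects with the subdirectory plus a trailing slash as the prefix. It models only the oss:Prefix StringLike condition and does not evaluate Deny statements.

```python
import fnmatch

# Actions this page lists for each mount permission.
READ_ONLY = {"oss:ListObjects", "oss:GetObject"}
READ_WRITE = READ_ONLY | {"oss:PutObject", "oss:DeleteObject",
                          "oss:ListParts", "oss:AbortMultipartUpload"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def audit_mount_policy(policy, bucket, read_only, subdir=""):
    """Return (missing, excess) action lists for one OSS mount target."""
    prefix = subdir.strip("/")
    listing = prefix + "/" if prefix else ""        # assumed listing prefix
    object_res = f"{bucket}/{listing}probe-object"  # constructed object name
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":           # Deny is not evaluated here
            continue
        # Compare only the part after "acs:oss:<region>:<account>:".
        resources = [r.split(":", 4)[-1] for r in _as_list(stmt.get("Resource", []))]
        cond = stmt.get("Condition", {}).get("StringLike", {})
        prefixes = _as_list(cond.get("oss:Prefix", "*"))
        actions = _as_list(stmt.get("Action", []))
        list_ok = _matches(bucket, resources) and _matches(listing, prefixes)
        object_ok = _matches(object_res, resources)
        for action in READ_WRITE:
            # oss:ListObjects is bucket-level; the other actions are object-level.
            ok = list_ok if action == "oss:ListObjects" else object_ok
            if ok and _matches(action, actions):
                granted.add(action)
    required = READ_ONLY if read_only else READ_WRITE
    return sorted(required - granted), sorted(granted - required)


# Constructed policy: object-level resource only, bucket-level resource forgotten.
SAMPLE = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["oss:ListObjects", "oss:GetObject"],
    "Resource": ["acs:oss:*:*:bucketName/*"]}]}

if __name__ == "__main__":
    print(audit_mount_policy(SAMPLE, "bucketName", read_only=True))
```

A non-empty first list means the mount fails for lack of permissions; a non-empty second list means the role holds more OSS permissions than the selected mount mode requires.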

What do I do if I cannot see the data I write from the OSS mount target on the OSS side?

When you write a file from an OSS mount target, the system uploads the content to OSS only when you call Flush or close the file.

What do I do if operations, such as compression, decompression, and file transmission, in an OSS mount target are slow?

OSS does not support file system APIs. After you mount an OSS bucket as a directory, Function Compute wraps the OSS API and exposes it as a file system API. For example, OSS does not support random writes. If you use the file system API to change an existing file on an OSS mount target, Function Compute downloads the source file from OSS, rewrites the file, and then uploads it to OSS again.

When a file system operation maps directly to an OSS API operation, such as sequential file reads and writes, the performance is usually better. However, operations that require several OSS API calls to be combined, such as random reads and writes on files during compression and decompression, may require multiple interactions with OSS. Therefore, the performance is slightly lower than that of the local file system.

Are operations synchronized among function instances on the same OSS target?

No. Function instances are independent of each other. The content of OSS mount targets accessed by different instances may be different. For example, when Instance A creates the file F in the OSS mount target, Instance B may not be able to access the file right away.