Lifecycle management
When should I enable lifecycle management?
Enable lifecycle management to reduce storage costs based on file access frequency:
| Access pattern | Recommended storage class | Billing |
|---|---|---|
| 1 to 3 times per month | Infrequent Access (IA) | IA rates |
| Once or twice per quarter | Archive | Archive rates |
For maximum savings, configure lifecycle policies for both IA and Archive. When files meet the policy rules, File Storage NAS (NAS) executes the policy with minimal overhead. For details, see Lifecycle management.
Why can't I enable lifecycle management for my file system?
Lifecycle management is unavailable for file systems with data encryption enabled.
How do I configure lifecycle policies?
Use the NAS console or call the CreateLifecyclePolicy API operation. For details, see Manage a lifecycle policy and CreateLifecyclePolicy.
How do I disable lifecycle management?
Delete the lifecycle policy in the NAS console:
Log on to the NAS console.
In the left-side navigation pane, choose Lifecycle Management > Lifecycle Policies.
In the top navigation bar, select the resource group and region where your file system resides.
On the Lifecycle Policies page, find the policy and click Delete in the Actions column. Click OK to confirm.
After deletion, files already dumped to IA or Archive remain in that storage class, and you continue to be charged based on IA or Archive storage usage. No new files are dumped.
To move data back to the Standard storage class, see Create a data retrieval task.
Which files can be dumped to IA or Archive?
A file is eligible if all of the following conditions are met:
A lifecycle policy is configured for the directory that contains the file.
The file size is between 64 KiB and 4.88 TiB.
The file has not been accessed during the period specified in the lifecycle policy.
Available inactivity periods:
| Storage class | Options |
|---|---|
| IA | 14, 30, 60, or 90 days |
| Archive | 14, 30, 60, 90, or 180 days |
NAS determines last access time based on the atime parameter.
Operations that update atime:
Reading data from the file
Writing data to the file
Operations that do not update atime:
Renaming the file
Modifying user, group, mode, or other file attributes
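An added example, not part of the NAS documentation or any Alibaba Cloud tool: a client-side estimate of which files under a mounted directory meet the size and inactivity conditions above. The function name, the inclusive size bounds, and the assumption that the atime seen by the client matches the one NAS evaluates are mine; NAS makes the actual decision server-side.

```python
import os
import stat
import time

KIB, TIB = 1024, 1024 ** 4
MIN_SIZE = 64 * KIB            # lower size bound from the FAQ
MAX_SIZE = int(4.88 * TIB)     # upper size bound from the FAQ
PERIODS = {"IA": (14, 30, 60, 90), "Archive": (14, 30, 60, 90, 180)}


def dump_candidates(root, storage_class, days, now=None):
    """Return sorted (relative_path, size, idle_days) for files that look eligible.

    Only lstat() is used, which does not read file data and so does not
    update the atime of the files being inspected.
    """
    if days not in PERIODS.get(storage_class, ()):
        raise ValueError(f"{days} days is not an option for {storage_class!r}")
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # file vanished between listing and stat
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            if MIN_SIZE <= st.st_size <= MAX_SIZE and st.st_atime <= cutoff:
                idle_days = int((now - st.st_atime) // 86400)
                hits.append((os.path.relpath(full, root), st.st_size, idle_days))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, size, idle in dump_candidates(target, "IA", 14):
        print(f"{idle:5d} days idle  {size:>14d} bytes  {path}")
```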
What happens with multiple lifecycle policies on a single directory?
If files meet a rule in any of the configured policies, NAS executes the policy with minimal overhead.
What happens with different policies on a directory and its parent?
NAS applies the most specific policy. For example, if a directory has a 14-day IA dump policy and its parent has a 60-day IA dump policy, files in the child directory that have not been accessed for 14 days are dumped to IA. When NAS evaluates the parent directory's policy, it skips files already dumped.
Does a lifecycle policy apply to all data in the specified directory?
Yes. All file data in the specified directory that meets the lifecycle policy is automatically dumped to the IA or Archive storage class.
How long does it take to dump a file to IA or Archive?
After lifecycle management is enabled, files meeting the policy are dumped within 2 to 24 hours. The exact time depends on total file system storage usage and file size. Subsequent dumps run at a fixed time each week.
What happens if I rename a directory with a lifecycle policy?
The lifecycle policy stops taking effect on files in the renamed directory. Files already dumped to IA or Archive remain in that storage class.
To resume lifecycle management, reconfigure a lifecycle policy for the renamed directory.
What happens if a lifecycle policy is deleted?
Files in the specified directory are no longer dumped. Files already in IA or Archive remain there.
Are files repeatedly dumped if I delete and recreate a lifecycle policy?
No. After you recreate a policy, NAS checks for infrequently accessed files and skips files already dumped to IA or Archive.
Can I read and write files stored in IA or Archive?
Yes. Read and write operations on IA and Archive files work the same as on Standard files. For performance details, see Storage classes of General-purpose NAS file systems.
How do I find which files are in IA or Archive?
Use the NAS console or call the ListDirectoriesAndFiles API operation. For details, see View the files stored in the IA or Archive storage class and ListDirectoriesAndFiles.
Is read/write latency higher for IA or Archive files than for Standard files?
For General-purpose NAS file systems (Performance, Premium, or Capacity), the first read from an IA or Archive file may have higher latency than a Standard file. Subsequent reads and all writes have latency comparable to Standard.
For performance details, see Storage classes of General-purpose NAS file systems.
Lifecycle management billing
How am I charged for files dumped to IA?
Files dumped to IA are charged based on IA billable items. For details, see Billing of General-purpose NAS file systems.
How am I charged for files dumped to Archive?
Files dumped to Archive are charged based on Archive billable items. The Archive storage class has a minimum storage duration of 60 days. If a file is deleted, retrieved, or reduced in size before the 60-day period (1,440 hours) is complete, you are charged for the remaining duration at the original file size.
Key details:
The minimum storage duration starts from whichever is later: the time when the file was dumped or the time when the file was last modified (mtime).
The penalty fee is charged only once within a 24-hour period.
Modifying a file resets the Archive storage duration.
For details, see Billing of General-purpose NAS file systems.
Is cold data in IA automatically moved to Standard after being accessed?
No. Data dumped to IA is persistently stored in IA, regardless of access. Accessing IA data incurs read and write traffic charges. For details, see Billing of General-purpose NAS file systems.
To move frequently accessed IA data back to Standard, create a data retrieval task. For details, see Create a data retrieval task.
How do I create a data retrieval task?
Use the NAS console or call the CreateLifecycleRetrieveJob API operation. For details, see Create a data retrieval task or CreateLifecycleRetrieveJob.
Does a running data retrieval task affect file system performance?
No. Read and write performance is unaffected during a data retrieval task.
Am I charged for data retrieval tasks?
Yes. Running a data retrieval task reads data from the IA or Archive storage class. You are charged read traffic based on the file size and storage class. After retrieval, the file is stored in the Standard storage class, and you are charged for Standard storage. For details, see Billing of General-purpose NAS file systems.
How am I charged when backing up IA or Archive files?
If you use Cloud Backup to back up files in the IA or Archive storage class of a General-purpose NAS file system, two types of charges apply:
Cloud Backup charges: Based on Cloud Backup billable items. See Billing methods and billable items.
NAS read traffic charges: Cloud Backup reads data from IA or Archive files, which incurs read traffic fees on your NAS bill. See Billing of General-purpose NAS file systems.
How am I charged when a security service scans IA or Archive files?
Security services such as the anti-ransomware feature of Security Center read file data during scanning. NAS charges access traffic fees for the IA or Archive storage class. For details, see Billing of General-purpose NAS file systems.
Server-side encryption
How do I enable server-side encryption?
Set the encryption method to NAS-managed key or Custom Key (KMS) when creating a file system. For details, see Create a General-purpose NAS file system in the console and Create an Extreme NAS file system in the console.
Can I enable encryption on an existing file system?
No. Server-side encryption can only be enabled at file system creation time.
Can I disable server-side encryption?
No. Once enabled, server-side encryption cannot be disabled.
Can I change the encryption key?
No. The encryption key is bound at creation and cannot be changed.
How do I choose between NAS-managed keys and custom keys?
Both options use Key Management Service (KMS) for key hosting and envelope encryption to prevent unauthorized access.
Use custom keys if you need Bring-Your-Own-Key (BYOK) capability. For all other cases, NAS-managed keys are sufficient.
If you use a custom key and that key is disabled or deleted, the encrypted NAS file system becomes inaccessible.
Does NAS encryption support the SM4 algorithm?
No. NAS server-side encryption uses the AES-256 algorithm to protect data at rest and the envelope encryption mechanism to prevent unauthorized access. Encryption keys are generated and managed by Key Management Service (KMS). For details about envelope encryption, see Use envelope encryption to encrypt and decrypt data locally.
How do I recover access if a customer master key (CMK) is accidentally disabled or deleted?
The recovery method depends on the situation:
| Scenario | Action |
|---|---|
| CMK disabled | Re-enable the CMK. |
| Key deletion scheduled | Cancel the key deletion task. See Schedule key deletion. |
| BYOK key material deleted | Re-upload the original key material. See Import key material. |
| CMK permanently deleted | The data becomes permanently inaccessible. |
Does my application need to handle decryption?
No. NAS handles encryption and decryption automatically. No application changes are required.
Does encryption affect file system performance?
Yes. NAS encrypts data on write and decrypts on read. Compared to an unencrypted file system of the same specifications, performance decreases by approximately 5% to 25%, depending on the read and write block size. For details, see What factors affect the read and write performance of a file system?
Does encryption reduce effective storage capacity?
No. Server-side encryption uses Advanced Encryption Standard (AES), a block cipher that pads data automatically. This padding is not counted toward the effective storage capacity of the file system.
Recycle bin
Which deleted files go to the recycle bin?
After the recycle bin is enabled, all deleted files and directories are stored in the recycle bin, including:
Files manually deleted on compute nodes (ECS instances, containers). Example: rm -f test01.txt.
Files deleted by applications. Example: Python os.remove("test02.txt").
Files overwritten by a POSIX rename. Example: mv test_a.txt test_b.txt deletes the original test_b.txt.
Temporary files generated by applications. Example: .swp and .swpx files created by vim.
Log files replaced during rotation. Example: Nginx log rotation replacing an existing log file.
Overwriting file content without deleting the file does not move it to the recycle bin. For example, opening a file in w+ mode with the open() function overwrites its content but does not trigger recycle bin storage.
Can I restore a file to a renamed directory?
Yes. The restore operation uses the FileId of the original directory as an identifier, so it correctly maps to the renamed directory. For example, if you delete file1.txt from dir1 and then rename dir1 to dir2, the recycle bin shows file1.txt under dir2. Restoring the file places it in dir2.
Is restoring from the recycle bin faster than from Cloud Backup?
Yes. Recycle bin restores migrate only file metadata, not the actual data. This makes restoration significantly faster than restoring from Cloud Backup, which copies all data.
Am I charged for using the recycle bin?
The recycle bin feature itself is free. However, files in the recycle bin are charged based on their original storage class. For example:
A file deleted from a storage-optimized file system is charged at the storage-optimized capacity rate.
A file deleted from the IA storage class is charged at the IA rate.
For details, see Billing of General-purpose NAS file systems.
How do I query files in the recycle bin?
Use the NAS console to view deleted files and their deletion times. For details, see Query files in the recycle bin.
Can I read or write files in the recycle bin?
No. Files in the recycle bin are read-only metadata entries. To access the data, restore the files first. See Restore files from the recycle bin.
Do recycle bin files count toward file system capacity or file count limits?
No. Files in the recycle bin do not occupy file system capacity or count toward the file count limits. For the capacity and file count limits of each storage class, see Limits.
Files in the recycle bin are still charged based on their original storage class. See Billing of General-purpose NAS file systems.
File backup
If I cancel a running backup job, are the backed-up files retained?
No. Canceling a running backup job clears all files that were backed up as part of that job. The files are not retained in the backup vault. To back up those files, run the backup job again.
Completed backup jobs are not affected.
If I cancel a restore job, are the restored files retained?
Files already restored before the cancellation are saved in the specified directory. Remaining files are not restored.
How is the free trial period for NAS file backup calculated?
For each NAS file system, the file backup feature is free for 30 days after you create the first backup plan.
For example, if you create a backup plan named backup01 for File System A on May 1, 2021, the free trial period ends on May 30, 2021. After the trial, switch to the paid plan or delete the backup plan. See Billing of Cloud Backup.
inotify on NAS
Does NAS support inotify?
Not as expected. The inotifywait utility relies on the Linux kernel's inotify module, which is implemented at the Virtual File System (VFS) layer. Because inotify operates at the local VFS layer, it cannot detect file operations performed by a remote client over NFS.
Example: Mount a NAS file system on both Client A and Client B. Start inotifywait on Client A to monitor the mount directory:
File operations from Client A are detected.
File operations from Client B are not detected.
Alternative: Use File Alteration Monitor (FAM), a user-mode library that periodically scans directories for file changes. FAM has some limitations:
Requires a custom program to call FAM interfaces.
Poor performance with large numbers of files.
Higher resource consumption and lower real-time accuracy.
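The periodic-scan approach described above, as an added example in Python rather than FAM's own interface (it is not code from the NAS documentation): snapshot the mounted directory and diff successive snapshots, so that changes made by other NFS clients are reported. The function names and the (size, mtime, inode) fingerprint are choices made for this sketch.

```python
import os
import stat
import time


def snapshot(root):
    """Map relative path -> (size, mtime_ns, inode) for each regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # removed between listing and stat
            if stat.S_ISREG(st.st_mode):
                rel = os.path.relpath(full, root)
                state[rel] = (st.st_size, st.st_mtime_ns, st.st_ino)
    return state


def diff_snapshots(old, new):
    """Classify the differences between two snapshots."""
    gone = old.keys() - new.keys()
    fresh = new.keys() - old.keys()
    # A rename keeps size, mtime and inode, so an identical fingerprint
    # appearing under a new path is reported as a rename.
    by_print = {old[p]: p for p in gone}
    renamed = sorted((by_print[new[p]], p) for p in fresh if new[p] in by_print)
    moved_from = {src for src, _dst in renamed}
    moved_to = {dst for _src, dst in renamed}
    return {
        "created": sorted(fresh - moved_to),
        "deleted": sorted(gone - moved_from),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
        "renamed": renamed,
    }


def watch(root, interval=30.0, rounds=None, on_change=print):
    """Poll root every `interval` seconds and call on_change for each non-empty diff."""
    previous = snapshot(root)
    done = 0
    while rounds is None or done < rounds:
        time.sleep(interval)
        current = snapshot(root)
        changes = diff_snapshots(previous, current)
        if any(changes.values()):
            on_change(changes)
        previous = current
        done += 1


if __name__ == "__main__":
    import sys
    watch(sys.argv[1] if len(sys.argv) > 1 else ".", interval=30.0)
```

Because only metadata is compared, a write that preserves size and mtime goes unnoticed, and NFS attribute caching on the client can delay when a remote change becomes visible. Hashing file contents would close the first gap but reads every file, which for IA or Archive files incurs the read traffic charges described in the billing section.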
Access control and authentication
Why do I need RAM authorization to create a classic network mount target?
NAS must authenticate that only ECS instances belonging to your Alibaba Cloud account can access file systems through the classic network mount target. Resource Access Management (RAM) authorization grants NAS the permissions to retrieve your ECS instance list for this authentication.
After authorization, NAS can only call the DescribeInstances operation and uses ECS instance information solely for authentication.
Do not delete or edit the AliyunNASDefaultRole role in RAM. Removing or modifying this role may cause mount failures or file system errors.
Why can't a RAM user with full NAS permissions view file systems in the console?
The RAM user is missing the tag:ListTagKeys permission. Add this permission to the custom policy:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "nas:*",
      "Resource": "acs:nas:*:*:filesystem/0ddaf487b2"
    },
    {
      "Effect": "Allow",
      "Action": "nas:CreateMountTarget",
      "Resource": "acs:vpc:*:*:vswitch/*"
    },
    {
      "Effect": "Allow",
      "Action": "cms:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "nas:DescribeFileSystems",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "tag:ListTagKeys",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
For details, see Control access to NAS resources using RAM policies.
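An added example, not Alibaba Cloud code: a simplified local check that reports which account-wide calls a custom policy like the one above fails to grant, which is how a missing tag:ListTagKeys statement shows up. The evaluation model (explicit Deny wins, `*` wildcards only, case-sensitive matching, Condition blocks ignored) and the list of required calls are assumptions of this sketch, not the RAM service's full logic.

```python
import re

# The custom policy shown above, one statement per line.
PAGE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "nas:*", "Resource": "acs:nas:*:*:filesystem/0ddaf487b2"},
        {"Effect": "Allow", "Action": "nas:CreateMountTarget", "Resource": "acs:vpc:*:*:vswitch/*"},
        {"Effect": "Allow", "Action": "cms:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "nas:DescribeFileSystems", "Resource": "*"},
        {"Effect": "Allow", "Action": "tag:ListTagKeys", "Resource": "*"},
    ],
}

# Assumption: the account-wide calls the console list view depends on,
# taken from the statements in the sample policy above.
CONSOLE_LIST_CALLS = [("nas:DescribeFileSystems", "*"), ("tag:ListTagKeys", "*")]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """Wildcard match where '*' in the pattern stands for any run of characters."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy.get("Statement", []):
        hit = (any(_matches(a, action) for a in _as_list(stmt.get("Action", [])))
               and any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))))
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed


def missing_calls(policy, calls=CONSOLE_LIST_CALLS):
    """Return the (action, resource) pairs from `calls` that the policy does not grant."""
    return [call for call in calls if not is_allowed(policy, *call)]


if __name__ == "__main__":
    # Reproduce the FAQ symptom: the same policy without its tag:ListTagKeys statement.
    without_tag = {
        "Version": "1",
        "Statement": [s for s in PAGE_POLICY["Statement"] if s["Action"] != "tag:ListTagKeys"],
    }
    print("full policy missing:", missing_calls(PAGE_POLICY))
    print("without tag statement missing:", missing_calls(without_tag))
```

The check also shows why the nas:* statement alone is not enough: it is scoped to one file system, so it does not match a call made against the `*` resource.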
What is the relationship between access point policies and the AliyunNASFullAccess and AliyunNASReadOnlyAccess system policies?
| Policy | Description |
|---|---|
| Access point policy | An authorization policy for access point clients. Grants fine-grained permissions directly to RAM users or RAM roles without requiring the system policies. Supported permissions: nas:ClientMount (mount and read), nas:ClientWrite (write, requires ClientMount), nas:ClientRootAccess (root access). Without nas:ClientRootAccess, root users are mapped to the nobody user with least privileges. If a POSIX user is bound to the access point, the nas:ClientRootAccess permission also applies to that POSIX user. |
| AliyunNASReadOnlyAccess | System policy that grants read-only access to NAS file systems. Allows viewing file system information only. Does not grant access point client permissions. |
| AliyunNASFullAccess | System policy that grants full management permissions for NAS file systems. High risk. Allows operations such as deleting, modifying, and enabling the recycle bin for file systems. When an access point policy is enabled, this policy also grants access point client permissions by default. |
What do I do if granting SMB permissions to a new AD domain user takes a long time?
Windows traverses all files in the directory before granting permissions, which can be slow due to network latency. Use a command-line script for concurrent execution:
How do I verify a keytab file?
Before starting, regenerate a keytab file with the -mapuser parameter enabled.
Enabling -mapuser invalidates existing mappings between other file system mount targets and the specified user. For example, if -mapuser maps user someone to mount target 1 and later maps user someone to mount target 2, that user can only access mount target 2. Use different users for each mount target during verification.
Generate the keytab file:
ktpass -princ cifs/file-system-id.region.nas.aliyuncs.com@EXAMPLE.com -ptype KRB5_NT_PRINCIPAL -mapuser alinas@example.com -crypto All -out c:\nas-mount-target.keytab -pass <password>
Replace the following values:
example.com: Your AD domain name (lowercase).
EXAMPLE.com: Your AD domain name (uppercase).
Verify the keytab file:
Log on to a Linux client with the kinit tool installed.
Note: The client must be able to access the AD domain, or DNS must be configured to point to the AD server. For details, see Mount and use an SMB file system on a Linux client as an AD domain user.
Add the following content to /etc/krb5.conf. Replace iZisovkei9i*****.example with your AD server hostname.
[realms]
EXAMPLE.COM = {
    kdc = iZisovkei9i*****.example.com
    admin_server = iZisovkei9i****.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Note: On CentOS clients, also add the following to the [libdefaults] section:
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
Verify that the client can connect to the AD server:
kinit aliyun.nas@example.com
If the output contains the account information, the Kerberos configuration is correct.
If you see KDC reply did not match expectations while getting initial credentials, replace all AD domain names in /etc/krb5.conf with uppercase domain names.
(Optional) Confirm the mount target in the keytab file:
klist -k -t <keytab_file_name>.keytab
Verify the keytab file. Replace file-system-id.region.nas.aliyuncs.com with your file system mount target and EXAMPLE.COM with your AD domain name (uppercase). No error output indicates the keytab file is valid.
kinit -k -t <keytab_file_name>.keytab cifs/file-system-id.region.nas.aliyuncs.com@EXAMPLE.COM
How do I resolve Java/Tomcat access failures with NAS SMB?
Windows services like Tomcat default to the Local System account, which cannot access NAS SMB network paths mounted by the current user.
To fix this, change the Tomcat service to run under an administrator account:
Open Services Manager as an administrator.
Find the Tomcat service (named Apache Tomcat or a custom name).
Right-click the service and select Properties.
Switch to the Log On tab.
Select This Account and enter the administrator account credentials.
Click Apply, then click OK.
Right-click the Tomcat service and select Restart.
AccessKey management
How do I get an AccessKey pair?
Log on to the Alibaba Cloud console.
Hover over the profile icon in the upper-right corner and click AccessKey.
In the dialog box, select Use Main Account AccessKey or Use RAM User AccessKey.
Use the AccessKey pair of an Alibaba Cloud account:
Select I am aware of the security risks of using a main account AccessKey and click Use Main Account AccessKey.
Click Create AccessKey.
Review the security risks. Select the checkbox and click Use Main Account AccessKey.
Save the AccessKey ID and AccessKey secret, select I have saved the AccessKey Secret, and click OK.
(Optional) Configure AccessKey network access control to restrict the source IP addresses for API requests. Click Go to Settings. For details, see Configure an AccessKey-level network access restriction policy for a RAM user.
The AccessKey secret is displayed only at creation time and cannot be retrieved later.
Use the AccessKey pair of a RAM user:
Click Use RAM User AccessKey to go to the RAM console.
On the Users page, find the target RAM user.
Note:
If no RAM user exists, create one. See Create a RAM user.
The AccessKey secret is displayed only at creation time.
If an AccessKey pair is lost, create a new one. Each RAM user can have a maximum of two AccessKey pairs.
Click the user's logon name.
On the Authentication tab, in the AccessKey section, click Create AccessKey.
Select a scenario, select I confirm that it is necessary to create an AccessKey, and click Continue.
Save the AccessKey ID and AccessKey secret, and click OK.
Monitoring
Why do I get errors when viewing NAS monitoring data through the CloudMonitor API?
The most likely cause is an incorrect MetricName parameter value. The following tables list all supported metrics.
Capacity metrics for General-purpose NAS file systems:
| MetricName | Metric | Unit | Description |
|---|---|---|---|
| AlignedSize | Data volume (excluding IA) | bytes | Data volume in the file system, excluding IA storage |
| SecondaryAlignedSize | IA data volume | bytes | Data volume in the IA storage class |
| FileCount | File count | N/A | Number of files (excluding directories) |
| OfflineReadQuantity | IA read traffic | bytes | Read traffic from the IA storage class |
| OfflineWriteQuantity | IA write traffic | bytes | Write traffic to the IA storage class |
| ArReadQuantity | Archive read traffic | bytes | Read traffic from the Archive storage class |
| ArWriteQuantity | Archive write traffic | bytes | Write traffic to the Archive storage class |
| ArDeletePenaltyOpCount | Archive delete penalty count | N/A | Times files archived less than 60 days are deleted |
| ArTruncatePenaltyOpCount | Archive truncate penalty count | N/A | Times files archived less than 60 days are truncated |
| ArRetrievePenaltyOpCount | Archive retrieve penalty count | N/A | Times files archived less than 60 days are retrieved |
Capacity metrics for Extreme NAS file systems:
| MetricName | Metric | Unit | Description |
|---|---|---|---|
| ExtremeCapacity | Total storage | bytes | Total capacity of the Extreme NAS file system |
| ExtremeCapacityUsed | Used storage | bytes | Used capacity |
| ExtremeInodeLimit | Maximum file count | N/A | Maximum number of files allowed |
| ExtremeInodeUsed | Used file count | N/A | Number of files created |
Performance metrics (all file system types):
| MetricName | Metric | Unit | Description |
|---|---|---|---|
| IopsRead | Read IOPS | requests/s | Average read IOPS |
| IopsWrite | Write IOPS | requests/s | Average write IOPS |
| ThruputRead | Read throughput | bytes/s | Average read throughput |
| ThruputWrite | Write throughput | bytes/s | Average write throughput |
| LatencyRead | Read latency | ms | Average read latency |
| LatencyWrite | Write latency | ms | Average write latency |
| QpsMeta | Metadata QPS | requests/s | Average metadata requests per second |
For details, see View monitoring data using the CloudMonitor API.