The encryption in transit feature of Apsara File Storage NAS uses the Transport Layer Security (TLS) protocol to protect the data transmitted between your Elastic Compute Service (ECS) instances and NAS file systems against interception and tampering. This topic describes how to enable encryption in transit when you use the NAS client to mount a file system.
How it works
The NAS client defines a network file system (NFS) type named alinas that is compatible with the standard form of the mount command. If you specify the tls parameter when you mount an alinas NFS on an ECS instance, the NAS client starts a process named stunnel, which encrypts the access requests from the ECS instance and forwards them to the NAS server. The client also starts a background process named aliyun-alinas-mount-watchdog that keeps the stunnel process available.
Usage notes
- Operating systems supported by the NAS client

Operating system | Operating system version |
---|---|
Alibaba Cloud Linux | Alibaba Cloud 2.1903 64-bit |
Red Hat | Red Hat Enterprise Linux 7.x 64-bit; Red Hat Enterprise Linux 8.x 64-bit |
CentOS | CentOS 7.x 64-bit; CentOS 8.x 64-bit |
Ubuntu | Ubuntu 16.04 64-bit; Ubuntu 18.04 64-bit; Ubuntu 20.04 64-bit |
Debian | Debian 9.x 64-bit; Debian 10.x 64-bit |
- Performance loss
Compared with a file system for which encryption in transit is disabled, a file system with encryption in transit enabled incurs about 10% higher latency and 10% lower IOPS.
- Usage notes of the NAS client
- The NAS client uses the stunnel process as a TLS encryption wrapper. For high-throughput applications, the stunnel process consumes a large amount of CPU to perform encryption and decryption. In extreme cases, each mount consumes the capacity of an entire core.
- The NAS client requires a third-party certificate to encrypt data in transit. The certificate must be updated at regular intervals. NAS sends update notifications to you one month in advance by using emails and internal messages. After you receive these notifications, you must update the aliyun-alinas-utils tool at your earliest opportunity. Otherwise, the mounted NAS file system stops responding after the certificate expires.
- The NAS client modifies the /etc/hosts file on the ECS instances within your Alibaba Cloud account. When you mount a file system, the client writes an entry for the new mount target to the /etc/hosts file. When you unmount the file system, the client deletes that entry from the file.
- When the NAS client uses the stunnel process as a TLS encryption wrapper, the stunnel process listens on an IP address in the range 127.0.1.1 to 127.0.255.254 on port 12049. You must make sure that these IP addresses and this port are available.
You can run the `ss -ant | grep -w 12049` command to check whether the port is occupied. If nothing is returned, the port is available. If the port is occupied, modify the configuration file. For more information about how to modify the configuration file of the NAS client, see Troubleshooting in this topic.
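The port check above only tells you that something listens on 12049; whether it actually blocks stunnel depends on the local address it is bound to. The following script is an added example (not part of the NAS client or of this documentation) that parses `ss -ant` output, reports every LISTEN socket on the port, and flags only those whose local address falls inside the documented 127.0.1.1 to 127.0.255.254 range or is a wildcard that covers that range. The `ss` output embedded in it is constructed sample data, and the range constants are taken from the usage note above.

```python
import ipaddress
import subprocess

# Values from the NAS client documentation: stunnel listens on one address in this
# loopback range on this port.
STUNNEL_PORT = 12049
STUNNEL_RANGE_FIRST = ipaddress.IPv4Address("127.0.1.1")
STUNNEL_RANGE_LAST = ipaddress.IPv4Address("127.0.255.254")

# Wildcard local addresses: a socket bound to one of these covers every loopback address.
WILDCARDS = {"0.0.0.0", "*", "::"}

# Constructed sample of `ss -ant` output (not captured from a real instance).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:12049      0.0.0.0:*
LISTEN  0       128     127.0.1.1:12049      0.0.0.0:*
ESTAB   0       0       10.0.0.12:55310      10.0.0.7:2049
LISTEN  0       4096    [::1]:6379           [::]:*
"""


def parse_ss(output):
    """Yield (state, local_ip, local_port) for each socket line of `ss -ant` output."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] in ("State", "Netid"):
            continue  # blank line or column header
        local_ip, _, local_port = fields[3].rpartition(":")
        local_ip = local_ip.strip("[]")  # IPv6 addresses are printed as [addr]:port
        if not local_port.isdigit():
            continue  # '*' port, not a bound TCP port
        yield fields[0], local_ip, int(local_port)


def listeners_on_port(output, port):
    """Return the sorted local addresses that have a LISTEN socket on `port`."""
    return sorted({ip for state, ip, p in parse_ss(output) if state == "LISTEN" and p == port})


def in_stunnel_range(ip):
    """True if `ip` is an IPv4 address inside the loopback range stunnel uses."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return False
    return STUNNEL_RANGE_FIRST <= addr <= STUNNEL_RANGE_LAST


def stunnel_conflicts(output, port=STUNNEL_PORT):
    """Return the listening addresses on `port` that would block stunnel from binding.

    A listener on 127.0.0.1:12049 does not conflict, because 127.0.0.1 is outside the
    documented range; a wildcard listener does, because it covers all loopback addresses.
    """
    return [ip for ip in listeners_on_port(output, port) if ip in WILDCARDS or in_stunnel_range(ip)]


def check_live_system(port=STUNNEL_PORT):
    """Run `ss -ant` on this host and report conflicting listeners (requires iproute2)."""
    output = subprocess.run(["ss", "-ant"], capture_output=True, text=True, check=True).stdout
    return stunnel_conflicts(output, port)


if __name__ == "__main__":
    conflicts = check_live_system()
    if conflicts:
        print(f"port {STUNNEL_PORT} is held on {conflicts}; free it or change proxy_port")
    else:
        print(f"port {STUNNEL_PORT} is free in the stunnel loopback range")
```

On the sample data, `listeners_on_port` reports both 127.0.0.1 and 127.0.1.1, but `stunnel_conflicts` returns only 127.0.1.1: a service on 127.0.0.1:12049 leaves the documented range free, while a listener on 0.0.0.0:12049 would be reported because a wildcard bind occupies the port on every loopback address.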
Supported regions
The encryption in transit feature is available in all regions of the Alibaba Cloud public cloud, and all regions of Alibaba Finance Cloud except China South 1 Finance.
Step 1: Download and install the NAS client
Step 2: Mount an NFS file system with encryption in transit enabled
NAS client logs
You can locate the cause of a mount error in the NAS client log files in the /var/log/aliyun/alinas/ directory. You can also modify the parameters in the log configuration file /etc/aliyun/alinas/alinas-utils.conf to configure NAS client logging. After you modify the configuration file, run the `sudo service aliyun-alinas-mount-watchdog restart` command to restart the background watchdog process so that the changes take effect.
Parameter | Description |
---|---|
logging_level | The log level. Default value: INFO. |
logging_max_bytes | The maximum size of a single log file, in bytes. Default value: 1048576 (1 MB). |
logging_file_count | The maximum number of log files that are retained. Default value: 10. |
stunnel_debug_enabled | Specifies whether stunnel writes debug logs. Default value: false. If enabled, the debug logs consume a large amount of storage. |
stunnel_check_cert_hostname | Specifies whether to check the hostname in the certificate. Default value: false. |
stunnel_check_cert_validity | Specifies whether to check the validity of the certificate. Default value: false. |
Troubleshooting
- Issue
When the file system is being mounted, the following error message is returned:
- Cause
The IP address or port 12049 on which stunnel listens is used by other processes. As a result, the file system fails to be mounted.
- Solution
- Solution 1: Find and terminate the process that uses port 12049. Then, mount the file system again.
- Solution 2: Edit the client configuration file /etc/aliyun/alinas/alinas-utils.conf and set the proxy_port parameter to an unused port number. Then, mount the file system again.
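The NAS client logs table and Solution 2 above both come down to editing /etc/aliyun/alinas/alinas-utils.conf. The following script is an added example (not part of the NAS client or of this documentation) that reads such a file, reports the settings that weaken the TLS wrapper (the two certificate checks the table lists with default false, and a debug flag left on), and writes back a copy with the certificate checks enabled and, when a port was found to be occupied, proxy_port moved. It assumes the file is INI-formatted with all parameters in a single [DEFAULT] section, which is a format assumption made for the example, not something the page states; the sample configuration is constructed.

```python
import configparser
import io

# Parameters documented for /etc/aliyun/alinas/alinas-utils.conf. The INI layout with a
# single [DEFAULT] section is an assumption made for this example, not taken from the page.
CERT_CHECKS = ("stunnel_check_cert_hostname", "stunnel_check_cert_validity")
DEFAULT_PROXY_PORT = 12049

# Constructed sample configuration (not a real file); values match the documented defaults.
SAMPLE_CONF = """\
[DEFAULT]
logging_level = INFO
logging_max_bytes = 1048576
logging_file_count = 10
stunnel_debug_enabled = false
stunnel_check_cert_hostname = false
stunnel_check_cert_validity = false
proxy_port = 12049
"""


def load(config_text):
    """Parse configuration text into a ConfigParser."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    return cp


def dump(cp):
    """Serialize a ConfigParser back to text."""
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def get_proxy_port(config_text):
    """Port stunnel listens on; falls back to the documented default when unset."""
    return load(config_text).getint("DEFAULT", "proxy_port", fallback=DEFAULT_PROXY_PORT)


def audit(config_text):
    """Return human-readable findings for settings that weaken the TLS wrapper."""
    cp = load(config_text)
    findings = []
    for key in CERT_CHECKS:
        if not cp.getboolean("DEFAULT", key, fallback=False):
            findings.append(f"{key} is false: this certificate check is disabled")
    if cp.getboolean("DEFAULT", "stunnel_debug_enabled", fallback=False):
        findings.append("stunnel_debug_enabled is true: debug logs consume a large amount of storage")
    return findings


def harden(config_text, proxy_port=None):
    """Return a copy of the configuration with both certificate checks enabled and,
    optionally, proxy_port moved to a port known to be free (Solution 2 above)."""
    cp = load(config_text)
    for key in CERT_CHECKS:
        cp.set("DEFAULT", key, "true")
    if proxy_port is not None:
        if not 1 <= proxy_port <= 65535:
            raise ValueError(f"invalid TCP port: {proxy_port}")
        cp.set("DEFAULT", "proxy_port", str(proxy_port))
    return dump(cp)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("finding:", finding)
    print(harden(SAMPLE_CONF, proxy_port=12050))
```

Enabling the two certificate checks makes the client fail closed when the server certificate does not match or is no longer valid, which is the behaviour you want from a TLS wrapper; since the page describes certificates that must be renewed on a schedule, verify the hardened file on a test instance and restart the watchdog as described under NAS client logs before rolling it out.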