Apsara File Storage NAS (NAS) provides the encryption in transit feature. The feature uses the Transport Layer Security (TLS) protocol to protect the data transmitted between your Elastic Compute Service (ECS) instance and NAS file system against interception or tampering. This topic describes how to enable encryption in transit when you use the NAS client to mount a file system.
How it works
The NAS client defines a network file system (NFS) type named alinas that is compatible with the syntax of the standard mount command. If you specify the tls parameter when you mount an alinas NFS on an ECS instance, the NAS client starts a process named stunnel, which encrypts and forwards the access requests from the ECS instance to the NAS server. The NAS client also starts a background process named aliyun-alinas-mount-watchdog that keeps the stunnel process available.
Prerequisites
A General-purpose NFS file system is created. For more information, see Create a file system.
Internet access is enabled for the ECS instance, or an elastic IP address (EIP) is associated with the ECS instance. For more information, see Network bandwidth.
Usage notes
If an NFS file system is already mounted to a directory (for example, /mnt) of the ECS instance when you enable encryption in transit, you must unmount the NFS file system and then mount the NFS file system again. For more information about how to unmount an NFS file system, see Unmount a file system in the NAS console.
This topic applies only to General-purpose NFS file systems.
Operating systems supported by the NAS client
Operating system | Version |
Alibaba Cloud Linux | Alibaba Cloud Linux 2.1903 64-bit |
Alibaba Cloud Linux | Alibaba Cloud Linux 3.2104 LTS 64-bit |
Red Hat | Red Hat Enterprise Linux 7.x 64-bit |
Red Hat | Red Hat Enterprise Linux 8.x 64-bit |
CentOS | CentOS 7.x 64-bit |
CentOS | CentOS 8.x 64-bit |
Ubuntu | Ubuntu 16.04 64-bit |
Ubuntu | Ubuntu 18.04 64-bit |
Ubuntu | Ubuntu 20.04 64-bit |
Debian | Debian 9.x 64-bit |
Debian | Debian 10.x 64-bit |
Performance loss
Compared with a file system for which encryption in transit is disabled, a file system for which encryption in transit is enabled is accessed with about 10% higher latency and about 10% lower IOPS.
Usage notes of the NAS client
The NAS client uses the stunnel process as a TLS encryption wrapper. For high-throughput applications, the stunnel process consumes a large amount of CPU resources to perform encryption and decryption. In extreme cases, each mount operation consumes the capacity of an entire core.
The NAS client requires a third-party certificate to encrypt data in transit. The certificate must be updated at regular intervals. NAS sends update notifications to you one month in advance by using emails and internal messages. After you receive these notifications, you must update the aliyun-alinas-utils tool at your earliest opportunity. Otherwise, the mounted NAS file system stops responding after the certificate expires.
The NAS client modifies the /etc/hosts file of the ECS instances within your Alibaba Cloud account: when you mount a file system, the new mount target is written to /etc/hosts, and when you unmount the file system, the entry for the mount target is deleted from the file.
When the NAS client uses the stunnel process as a TLS encryption wrapper, the stunnel process listens on an IP address in the range 127.0.1.1 to 127.0.255.254 on port 12049. You must make sure that these IP addresses and this port are available.
You can run the ss -ant | grep -w 12049 command to check whether the port is occupied. If nothing is returned, the port is available. If the port is occupied, modify the configuration file of the NAS client. For more information, see Troubleshooting in this topic.
Supported regions
The encryption in transit feature is available in all regions of the Alibaba Cloud public cloud, and all regions of Alibaba Finance Cloud except China South 1 Finance.
Step 1: Download and install the NAS client
Alibaba Cloud Linux
Download the NAS client.
wget https://aliyun-encryption.oss-cn-beijing.aliyuncs.com/aliyun-alinas-utils-1.3-0.20240914145556.91a304.al7.noarch.rpm
Install the NAS client.
sudo yum install aliyun-alinas-utils-*.rpm
Check the installation result.
which mount.alinas
If an output similar to the following example appears, the NAS client is installed.
Red Hat
Download the NAS client.
Red Hat Enterprise Linux 7.x
wget https://aliyun-encryption.oss-cn-beijing.aliyuncs.com/aliyun-alinas-utils-1.0-1.el7.noarch.rpm
Red Hat Enterprise Linux 8.x
wget https://aliyun-encryption.oss-cn-beijing.aliyuncs.com/aliyun-alinas-utils-1.0-1.el8.noarch.rpm
Install the NAS client.
sudo yum --disablerepo=rhui-rhel-7-server-rhui-extras-debug-rpms install aliyun-alinas-utils-*.rpm
Check the installation result.
which mount.alinas
If an output similar to the following example appears, the NAS client is installed.
CentOS
Download the NAS client.
CentOS 7.x
wget https://aliyun-encryption.oss-cn-beijing.aliyuncs.com/aliyun-alinas-utils-1.0-1.el7.noarch.rpm
CentOS 8.x
wget https://aliyun-encryption.oss-cn-beijing.aliyuncs.com/aliyun-alinas-utils-1.0-1.el8.noarch.rpm
Install the NAS client.
sudo yum install aliyun-alinas-utils-*.rpm
Check the installation result.
which mount.alinas
If an output similar to the following example appears, the NAS client is installed.
Ubuntu and Debian
Download the NAS client.
wget https://aliyun-encryption.oss-cn-beijing.aliyuncs.com/aliyun-alinas-utils-1.0-1.deb
Install the NAS client.
sudo apt update
sudo dpkg -i aliyun-alinas-utils-*.deb
sudo apt-get install -f
sudo dpkg -i aliyun-alinas-utils-*.deb
Check the installation result.
which mount.alinas
If an output similar to the following example appears, the NAS client is installed.
Step 2: Mount the NFS file system with encryption in transit enabled
Mount the NFS file system.
NFSv3 protocol
sudo mount -t alinas -o tls,vers=3 file-system-id.region.nas.aliyuncs.com:/ /mnt
NFSv4.0 protocol
sudo mount -t alinas -o tls,vers=4.0 file-system-id.region.nas.aliyuncs.com:/ /mnt
The following table describes the parameters that you can configure in the mount command.
Note: When you mount a file system, the NAS client automatically uses the parameters that ensure optimal performance. You do not need to add parameters on your own. For more information, see the mount parameters described in Mount an NFS file system.
Parameter | Description |
file-system-id.region.nas.aliyuncs.com:/ /mnt | The syntax is <Domain name of a mount target>:<Name of a shared directory> <Path of a mount directory>. Replace the domain name, directory name, and directory path with their actual values. The three parts are described after this table. |
vers | The protocol version of the NFS file system. vers=3 mounts the file system by using NFSv3; vers=4 mounts the file system by using NFSv4.0. |
tls | Enables TLS. |
Domain name of a mount target: To view the domain name, log on to the NAS console. On the File System List page, find the file system that you want to manage and click Manage in the Actions column. On the Mount Targets tab, view the domain name of the mount target. For more information, see View the domain name of a mount target.
Name of a shared directory: the root directory / or a subdirectory. If you specify a subdirectory such as /share, make sure that the subdirectory exists in the NAS file system.
Path of a mount directory: a directory such as /mnt on the Linux ECS instance. Make sure that the directory exists in the local file system.
Run the mount -l command to view the mount result. If an output similar to the following example appears, the mount is successful.
After the file system is mounted, you can run the df -h command to view the capacity of the file system.
Optional. Configure automatic mounting at startup.
When you restart the ECS instance on which the file system is mounted, the information about all mounted file systems may be lost. To prevent this, edit the /etc/fstab configuration file of the Linux ECS instance to mount the NFS file system automatically at startup.
Open the /etc/fstab configuration file to add mounting configurations.
file-system-id.region.nas.aliyuncs.com:/ /mnt alinas _netdev,tls 0 0
For more information about the mount parameters, see Mount an NFS file system. The following table describes the parameters that are not included in the preceding table.
Parameter | Description |
_netdev | Prevents the file system from being mounted before the network is connected. |
0 (the first value after tls) | Specifies whether the dump command backs up the file system. A non-zero value indicates that the file system is backed up. For a NAS file system, the default value is 0. |
0 (the second value after tls) | The order in which the fsck command checks file systems at startup. For a NAS file system, the default value is 0, which indicates that fsck is not run at startup. |
Run the reboot command to restart the ECS instance. Restarting the ECS instance interrupts services, so we recommend that you perform this operation during off-peak hours.
Note: Before you restart the ECS instance, make sure that the manual mount is successful. Otherwise, the ECS instance may fail to restart. If automatic mounting is enabled, you can run the df -h command after the ECS instance restarts to view the NAS file systems that are mounted.
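Before you run reboot, it helps to confirm that the /etc/fstab entry is well formed. The following added example (not part of the NAS client or of the Alibaba Cloud documentation) checks an alinas entry for the file system type, the tls and _netdev options, and the two trailing 0 values; the file-system-id and region values in the sample lines are placeholders.

```shell
#!/bin/sh
# Added example (not the NAS client's own code): validate the /etc/fstab entry for
# an alinas mount before rebooting, since a bad entry can keep the instance from
# coming back up. "file-system-id" and "region" in the sample lines are placeholders.

# Validate one fstab line. Prints "ok" or the first problem found; returns 1 on a problem.
check_alinas_fstab_line() {
    line="$1"
    set -- $line                          # split the line into its six fstab fields
    [ $# -eq 6 ] || { echo "expected 6 fields, got $#"; return 1; }
    src="$1"; mnt="$2"; fstype="$3"; opts="$4"; dump="$5"; pass="$6"
    case "$src" in
        *.nas.aliyuncs.com:/*) ;;
        *) echo "source '$src' is not <mount target domain>:/<directory>"; return 1 ;;
    esac
    [ "$fstype" = "alinas" ] || { echo "fstype '$fstype' must be alinas"; return 1; }
    case ",$opts," in
        *,tls,*) ;;
        *) echo "options '$opts' do not enable tls"; return 1 ;;
    esac
    case ",$opts," in
        *,_netdev,*) ;;
        *) echo "options '$opts' lack _netdev; the mount could run before the network is up"; return 1 ;;
    esac
    if [ "$dump" != "0" ] || [ "$pass" != "0" ]; then
        echo "dump/pass should be 0 0 for a NAS file system, got $dump $pass"; return 1
    fi
    echo "ok: $src on $mnt"
}

# Validate every alinas entry in an fstab file; comments and other file systems are skipped.
check_alinas_fstab_file() {
    file="$1"; rc=0
    while IFS= read -r l; do
        case "$l" in ''|'#'*) continue ;; esac
        set -- $l
        [ "${3:-}" = "alinas" ] || continue
        check_alinas_fstab_line "$l" || rc=1
    done < "$file"
    return $rc
}

# Constructed sample entries: the second one forgot the tls option.
GOOD_LINE='file-system-id.region.nas.aliyuncs.com:/ /mnt alinas _netdev,tls 0 0'
NO_TLS_LINE='file-system-id.region.nas.aliyuncs.com:/ /mnt alinas _netdev 0 0'
check_alinas_fstab_line "$GOOD_LINE"
check_alinas_fstab_line "$NO_TLS_LINE" || true
```

Run check_alinas_fstab_file /etc/fstab on the instance and reboot only when it returns 0.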
NAS client logs
To locate a mount error, open the log files of the NAS client in the /var/log/aliyun/alinas/ directory. To configure NAS client logging, modify the parameters in the /etc/aliyun/alinas/alinas-utils.conf configuration file. After you modify the configuration file, run the sudo service aliyun-alinas-mount-watchdog restart command to restart the background watchdog.
The following table describes the parameters in the log configuration file.
Parameter | Description |
logging_level | The log level. Default value: INFO. |
logging_max_bytes | The maximum size of a single log file, in bytes. Default value: 1048576 (1 MB). |
logging_file_count | The maximum number of log files that are retained. Default value: 10. |
stunnel_debug_enabled | Whether stunnel writes debug logs. Default value: false. Enabling this parameter consumes a large amount of storage capacity. |
stunnel_check_cert_hostname | Whether stunnel checks the host name in the certificate. Default value: false. |
stunnel_check_cert_validity | Whether stunnel checks the validity of the certificate. Default value: false. |
Note: Both certificate checks are disabled by default, so with the default settings the NAS client encrypts the traffic but does not check the host name or the validity of the certificate it is presented with. Enable both parameters if you need the TLS connection to authenticate the peer as well as encrypt the traffic.
Troubleshooting
Issue
When the file system is being mounted, the following error message is returned:
Cause
The IP address or port 12049 on which stunnel listens is used by other processes. As a result, the file system fails to be mounted.
Solution
Solution 1: Find and terminate the process that uses port 12049. Then, mount the file system again.
Solution 2: Edit the /etc/aliyun/alinas/alinas-utils.conf configuration file of the client tool. Change the value of the proxy_port parameter to an unused port number. Then, mount the file system again.
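The port check from the usage notes and this troubleshooting entry can be scripted so that it is run before every mount. The following added example (not part of the NAS client or of the Alibaba Cloud documentation) reads proxy_port from alinas-utils.conf and inspects ss -ant output for the local port only; it assumes the configuration file uses "key = value" lines, which the page does not state, and the ss sample is constructed.

```shell
#!/bin/sh
# Added example, not part of the NAS client or the Alibaba Cloud docs: check the
# stunnel listener port before mounting. Assumes alinas-utils.conf holds
# "key = value" lines (the page names the proxy_port key but not the format).

# Print the proxy port set in the NAS client config, or 12049 when it is unset.
alinas_proxy_port() {
    conf="${1:-/etc/aliyun/alinas/alinas-utils.conf}"
    port=""
    if [ -r "$conf" ]; then
        port=$(sed -n 's/^[[:space:]]*proxy_port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$conf" | tail -n 1)
    fi
    printf '%s\n' "${port:-12049}"
}

# Read `ss -ant` output on stdin and print every local address:port whose local
# port equals $1; returns 1 if any is found. Unlike `grep -w`, this ignores the
# peer column, so an outbound connection to a remote port 12049 is not a false hit.
stunnel_port_conflicts() {
    awk -v p="$1" '
        NR > 1 {                        # skip the header line
            n = split($4, f, ":")       # field 4 is "Local Address:Port"
            if (f[n] == p) { found = 1; print $4 }
        }
        END { exit found ? 1 : 0 }'
}

# Constructed `ss -ant` sample: the ESTAB line would fool `grep -w 12049`.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
ESTAB  0      0      10.0.0.5:44212     10.0.0.9:12049
LISTEN 0      128    127.0.1.1:12049    0.0.0.0:*'

port=$(alinas_proxy_port)
echo "NAS client proxy port: $port"
if printf '%s\n' "$SAMPLE_SS" | stunnel_port_conflicts "$port"; then
    echo "port $port is free"
else
    echo "port $port is in use; free it or change proxy_port in alinas-utils.conf"
fi
```

On a real instance, replace the sample with `ss -ant | stunnel_port_conflicts "$(alinas_proxy_port)"`.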