File Storage Operation Manual

NTT Communications Cloudⁿ File Storage Operation Manual

Version    Date of Compilation    Revision
Ver.1.0    March 23, 2013

Contents

1. Introduction
1) Overview of the Service
2) Making Preparation in Advance

2. Taking Management of the File Storage Service
1) Applying for the File Storage Service
2) Discontinuing the File Storage Service

3. Using File Storage
1) Using the File Storage Console
2) Connecting IPsec to File Storage (on CentOS)
3) Connecting IPsec to File Storage (on Ubuntu)
4) Mounting File Storage
5) Checking File Storage

1-1) Overview of the Service

Cloudⁿ File Storage is a service that uses NFS, a general-purpose protocol for Linux, to give you a large-capacity, high-integrity storage area.

When you use the Cloudⁿ File Storage service, you can use the NFS protocol from Cloudn Compute to make any use of the large-capacity storage area.

In addition, because communications go through an IPsec tunnel from Cloudn Compute, you can use the storage with guaranteed security.

You can access File Storage only from a virtual server running a Linux OS (CentOS/Ubuntu) in a Cloudn Compute environment (East Japan Region).

[Figure: Virtual Server (Linux) on Cloudⁿ Compute (East Japan Region) connected to Cloudⁿ File Storage by IPsec over the Internet]

To apply for the File Storage service, you need to specify the global IP address of the Cloudn Compute virtual server you want to use.

In addition to your current contract for Cloudn Compute, you need to set up a separate IPsec connection to use the service.

The File Storage service enables two or more users to share a storage device connected over an IPsec tunnel. The service quality may deteriorate depending on devices and network load.

1-2) Making Preparation in Advance

Before you start using the Cloudⁿ File Storage service, prepare everything listed below:

A virtual server created on Compute to use the File Storage service
Prepare a virtual server (running a Linux OS such as CentOS or Ubuntu) created on Compute (the FLAT type in East Japan) as a server to use File Storage in the Cloudⁿ File Storage service.
For how to create a virtual server, see "Cloudⁿ Compute (FLAT Type) Operation Manual".
You cannot use the File Storage service from a virtual server on Compute (VLAN type).

*Listed below is what you need to prepare as a client PC when you set up the File Storage service.

"Cloudⁿ User's Guide"
Prepare "Guidance of the Contents for Using [Cloudn]" sent when you make a new application for Cloudⁿ.

The software that enables you to view the control panel (Web browser software)
We recommend Firefox 18.0.1 or later.
Note that part of the control panel may not be correctly displayed if you use some other Web browser.

The service that enables you to access the Internet
Prepare a service that enables you to access the Internet.
Example: Always-on connection and so forth provided by OCN Dial Access Service, OCN ADSL Connection Service, Super OCN, and so on
*You can use an Internet connection service provided by some other provider.

2-1) Applying for the File Storage Service

Apply for the File Storage service.

Step 1: Log in to the Cloudⁿ portal. Hover the cursor over the "File Storage" icon for the East Japan region. Click on "Sign Up Now".

Step 2: A screen appears for you to confirm your application. If you agree, check "Agree". Click on the "Next" button.

Step 3: A screen appears for you to confirm your application for the File Storage service. Click on the "Sign Up" button.

Step 4: A screen appears to indicate that your application is accepted. You have just finished your application. Click on "Console" to register the IP address.

Step 5: A screen appears for you to apply for the File Storage service. Click on the "Next" button.

To check the global IP address of your virtual server, select the virtual server that uses File Storage from Instance in the menu on the left side. Click on the "NIC" tab.

Step 6: A screen appears for you to confirm the IP address you want to register. Click on the "Register" button.

Step 7: A screen appears to indicate that the IP address is registered and you can start using volumes.

2-2) Discontinuing the File Storage Service

You can discontinue the File Storage service.

Step 1: Log in to the Cloudⁿ portal. Hover the cursor over the "File Storage" icon for your region. Click on "Cancel".

Step 2: A screen appears for you to confirm your discontinuation. If you agree, check "Agree". Click on the "Next" button.

Step 3: A screen appears for you to reconfirm your discontinuation. Click on the "Cancel" button.

Step 4: A screen pops up to indicate that your discontinuation is accepted. You have just discontinued the service.

3-1) Using the File Storage Console

Use the File Storage console.

Step 1: Log in to the Cloudⁿ portal. Hover the cursor over the "File Storage" icon for your region. Click on "Console".

Step 2: The File Storage console opens. You see the file storage information (including the information about the connection VPN) necessary to use the file storage. You also see the information about the access terminal.

Step 3: Click on the "Application management" tab. You see the two items, "Change Volumes" and "Change IP address". If you want to change the volumes or the IP address, press the corresponding button.

3-2) Connecting IPsec to File Storage (on CentOS)

Connect to File Storage over the IPsec connection from the virtual server (CentOS) on Compute (East Japan region) having the IP address registered to start using the service.

In the steps described below, it is assumed that the following settings are made, which can be confirmed on the File Storage console.

[Information You Need to Have]
153.128.xx.xx    The global IP address of the virtual server you have registered

[Information Provided When You Start Using the Service]
presharedkey     Preshared key for the IPsec connection
180.37.yy.yy     The global IP address of the destination of the IPsec connection
192.168.zz.zz    File Storage target IP address

Step 1: Install OpenSwan, as it is necessary for the IPsec connection.

# yum install openswan

Step 2: Set up the filtering (iptables) to use the IPsec connection. Follow this step only when you have a firewall specified with iptables. (This is not necessary if you have used an official template for creation.)

# iptables -I INPUT -p udp -s 180.37.yy.yy -d 153.128.xx.xx --dport 500 -j ACCEPT
# iptables -I FORWARD -s 153.128.xx.xx -d 192.168.zz.zz -j ACCEPT
# iptables -I FORWARD -d 153.128.xx.xx -s 192.168.zz.zz -j ACCEPT
# iptables -I OUTPUT -p udp -d 180.37.yy.yy -s 153.128.xx.xx --sport 500 -j ACCEPT
# iptables -I OUTPUT -p esp -d 180.37.yy.yy -s 153.128.xx.xx -j ACCEPT

Save the settings for the next startup.

# service iptables save

Step 3: Set up the setting file of OpenSwan as follows:

# vi /etc/ipsec.conf

(Omitted)
include /etc/ipsec.d/*.conf // (The sharp sign (#) at the start of the line is deleted.)

Step 4: Disable SELinux for the IPsec connection.

Step 5: Create a new connection setting file as shown below:

# vi /etc/ipsec.d/fs.conf (←"fs" can be any name. This is used for connection.)

conn fs
    authby=secret
    auto=start
    pfs=yes
    type=tunnel
    rekey=no
    keyingtries=3
    left=153.128.xx.xx // (←The Compute global IP address)
    right=180.37.yy.yy // (←The global IP address at the destination of connection)
    rightsourceip=192.168.zz.zz // (←The IP address of the target of File Storage)

Step 6: Set up the key information that is used for the IPsec connection.

# vi /etc/ipsec.secrets

include /etc/ipsec.d/*.secrets // (←The sharp sign (#) at the start of the line is deleted.)

# vi /etc/ipsec.d/fs.secrets (←"fs" is the same name as in step 5.)

153.128.xx.xx 180.37.yy.yy : PSK "presharedkey"

Step 7: Change the setting file of the kernel parameters as shown below:

# vi /etc/sysctl.conf

(Omitted)
net.ipv4.ip_forward = 1 // (←Changed from 0)

(From the last line in the file, add the following lines.)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0

Step 8: Validate the settings shown above.

# sysctl -p

Step 9: Start the ipsec process.

# service ipsec start

Step 10: Check the integrity of the ipsec settings.

# ipsec verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-279.el6.x86_64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Testing against enforced SElinux mode [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

The settings are correct if there is no [FAILED] in the result.

Step 11: See the log file to check the ipsec connection.

# cat /var/log/secure

(Omitted)
Mar 5 11:00:08 cent-with-disk pluto[27533]: "fs" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:c5fb4624 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Mar 5 11:00:08 cent-with-disk pluto[27533]: "fs" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Mar 5 11:00:08 cent-with-disk pluto[27533]: "fs" #2: STATE_QUICK_I2: sent QI2, IPsec

3-3) Connecting IPsec to File Storage (on Ubuntu)

Establish the IPsec connection to File Storage from the virtual server (Ubuntu) on Compute (East Japan region) having the IP address registered at the time of the service start.

In the steps described below, it is assumed that the following settings are made, which can be confirmed on the File Storage console.

[Information You Need to Have]
153.128.xx.xx    The global IP address of the virtual server you have registered

[Information Provided When You Start Using the Service]
presharedkey     Preshared key for the IPsec connection
180.37.yy.yy     The global IP address of the destination of the IPsec connection
192.168.zz.zz    File Storage target IP address

Step 1: Install OpenSwan, as it is necessary for the IPsec connection.

$ sudo apt-get install openswan

Step 2: Set up the setting file of OpenSwan as shown below:

$ sudo vi /etc/ipsec.conf

(Omitted)
protostack=netkey // (←Changed from auto)

(From the last line in the file, add the following lines.)
include /etc/ipsec.d/*.conf // (The sharp sign (#) at the start of the line is deleted.)

Step 3: Create a new connection setting file as shown below:

$ sudo vi /etc/ipsec.d/fs.conf (←"fs" can be any name. This is used for connection.)

conn fs
    authby=secret
    auto=start
    pfs=yes
    type=tunnel
    rekey=no
    keyingtries=3
    left=153.128.xx.xx // (←The Compute global IP address)
    right=180.37.yy.yy // (←The global IP address at the destination of connection)
    rightsourceip=192.168.zz.zz // (←The IP address of the target of File Storage)

Step 4: Set up the key information used for the IPsec connection.

$ sudo vi /etc/ipsec.secrets

(The last line in the file is commented out.)
#include /var/lib/openswan/ipsec.secrets.inc

(From the last line in the file, add the following line.)
include /etc/ipsec.d/*.secrets // (←The sharp sign at the start of the line is deleted.)

$ sudo vi /etc/ipsec.d/fs.secrets (←"fs" is the same name as in step 3.)

153.128.xx.xx 180.37.yy.yy : PSK "presharedkey"

Step 5: Change the setting file of the kernel parameters as shown below:

$ sudo vi /etc/sysctl.conf

(Omitted)
net.ipv4.ip_forward = 1 // (Delete the sharp sign (#) at the start of the line to validate the statement.)

(From the last line in the file, add the following lines.)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0

Step 8: Check the integrity of the ipsec settings.

# ipsec verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.5.0-17-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

The settings are correct if there is no [FAILED] in the result.

Step 9: See the log file to check the ipsec connection.

$ sudo cat /var/log/auth.log

(Omitted)
Mar 6 11:24:29 ubuntu1210 pluto[18697]: "fs" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:7dc84e68 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Mar 6 11:24:29 ubuntu1210 pluto[18697]: "fs" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Mar 6 11:24:29 ubuntu1210 pluto[18697]: "fs" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x153f0614 <0xbb4dd4f3 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}

The connection is correct if the last line includes "IPsec SA established tunnel mode".
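
The two pass criteria given in sections 3-2 and 3-3 (no [FAILED] in the "ipsec verify" result, and a last log line that includes "IPsec SA established tunnel mode") can be scripted as follows. This is an added example, not part of the manual: the function names are hypothetical, the sample text is constructed from the output shown above, and the permission check on the preshared-key file is an extra check the manual does not describe.

```shell
#!/bin/sh
# Added example, not from the manual. Function names are hypothetical and the
# sample text is constructed, modelled on the output shown in section 3-3.

# Succeeds only if "ipsec verify" output on stdin is non-empty and has no
# [FAILED] line (an empty result means the check did not run, not a pass).
verify_clean() {
    out=$(cat)
    [ -n "$out" ] || return 1
    ! printf '%s\n' "$out" | grep -q '\[FAILED\]'
}

# Succeeds only if the LAST pluto log line for connection $1 (log on stdin)
# reports an established tunnel-mode SA, so an earlier success followed by a
# later failure is not reported as healthy.
tunnel_established() {
    last=$(grep -F 'pluto[' | grep -F "\"$1\" #" | tail -n 1)
    case $last in
        *"IPsec SA established tunnel mode"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds only if the preshared-key file is a regular file that grants no
# permissions to group or others (for example mode 600).
secrets_private() {
    perms=$(ls -ld "$1" 2>/dev/null) || return 1
    case $perms in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

SAMPLE_VERIFY_OK='Checking that pluto is running [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Opportunistic Encryption Support [DISABLED]'
SAMPLE_VERIFY_BAD='Checking that pluto is running [FAILED]'
SAMPLE_LOG_UP='Mar 6 11:24:29 ubuntu1210 pluto[18697]: "fs" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x153f0614 <0xbb4dd4f3 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}'
SAMPLE_LOG_DOWN="$SAMPLE_LOG_UP
Mar 6 12:01:07 ubuntu1210 pluto[18697]: \"fs\" #3: max number of retransmissions (2) reached STATE_MAIN_I1"

# Demo on the constructed samples. On a host, pipe in the real "ipsec verify"
# output and the log file named in the manual instead.
printf '%s\n' "$SAMPLE_VERIFY_OK" | verify_clean && echo "verify: no [FAILED]"
printf '%s\n' "$SAMPLE_LOG_UP" | tunnel_established fs && echo "tunnel fs: up"
printf '%s\n' "$SAMPLE_LOG_DOWN" | tunnel_established fs || echo "tunnel fs: down"
```

On a configured server the same functions take live input, for example the output of "ipsec verify" piped into verify_clean and /etc/ipsec.d/fs.secrets passed to secrets_private.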

3-4) Mounting File Storage

Mount File Storage over the IPsec tunnel connected in section 3-2), "Connecting IPsec to File Storage".

In the steps described below, it is assumed that the following settings are made:

[Information You Need to Have]
/mnt/filestorage    The directory at the destination of mounting File Storage

[Information Provided When You Start Using the Service]
192.168.zz.zz       File Storage target IP address
BSDN123456789_01    The volume name of the File Storage you use

Step 1: Create a directory as the destination of mounting File Storage. (This step is not necessary if you already have a directory.)
In the case of Ubuntu, install "nfs-common", which is necessary for mounting.

# mkdir /mnt/filestorage

Step 2: Mount File Storage to the directory at the destination of mounting File Storage.

# mount -t nfs -o vers=3,tcp,hard 192.168.zz.zz:/BSDN123456789_01 /mnt/filestorage

The command consists of ① the mount option, ② the File Storage volume and ③ the mount directory.

① Mount Option

Option Name (Argument)    Description
-t                        Specify this option as the service is provided in NFS
nfs                       Specify the file system as NFS
-o                        Specify the options to use this service.
vers=3                    Specify the version of the NFS

② File Storage Volume

Specify [File Storage target IP address]:/[The volume name of the File Storage you use].

Volume names are defined as described below.
BSDN123456789_[capacity]
*"123456789" here is actually a 9-digit number uniquely assigned to the customer.

<Example> In the case of a customer who applies for 30TB
First volume: BSDN123456789_01
Second volume: BSDN123456789_02
Third volume: BSDN123456789_03

3-5) Checking File Storage

Check if File Storage is correctly mounted.

Step 1: Use the "mount" command to check the integrity of the mounting.

# mount

/dev/mapper/VolGroup-lv_root on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,rootcontext="system_u:object_r:tmpfs_t:s0")
/dev/vda1 on /boot type ext4 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
192.168.xx.xx:/ BSDN123456789_01 on /mnt/extradisk type nfs (rw,vers=3,tcp,hard,addr=192.168.xx.xx)

Step 2: Use the "df" command to check the capacity and the free capacity.

# df -h

Filesystem                         Size  Used   Avail  Use%  Mounted on
/dev/mapper/VolGroup-lv_root       36G   1.7G   32G    5%    /
tmpfs                              939M  0      939M   0%    /dev/shm
/dev/vda1                          485M  37M    423M   8%    /boot
192.168.xx.xx:/ BSDN123456789_01   9.9T  1015G  8.4T   11%   /mnt/extradisk
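
NFS version 3 does not encrypt its own traffic, so the "mount" check above is also the place to confirm that the volume is served by the File Storage target address reached through the IPsec tunnel and that the options from section 3-4 are in effect. The following is an added example, not part of the manual: check_fs_mount is a hypothetical helper, and the addresses and mount lines are constructed samples.

```shell
#!/bin/sh
# Added example, not from the manual. check_fs_mount is a hypothetical helper;
# the addresses and mount lines below are constructed samples.

# Usage: mount | check_fs_mount <file-storage-target-ip> <mount-dir>
# Succeeds only if <mount-dir> is an NFS mount of a BSDN volume served by the
# target address, with the vers=3, tcp and hard options from section 3-4.
check_fs_mount() {
    target=$1 dir=$2
    while read -r src _on mnt _type fstype opts; do
        [ "$mnt" = "$dir" ] || continue
        [ "$fstype" = nfs ] || { echo "wrong type: $fstype"; return 1; }
        case $src in
            "$target":/BSDN[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]_[0-9][0-9]) ;;
            *) echo "unexpected source: $src"; return 1 ;;
        esac
        opts=${opts#\(}; opts=${opts%\)}
        for want in vers=3 tcp hard; do
            case ",$opts," in
                *",$want,"*) ;;
                *",proto=$want,"*) ;;   # newer kernels report proto=tcp
                *) echo "missing option: $want"; return 1 ;;
            esac
        done
        echo "ok: $src on $mnt"
        return 0
    done
    echo "not mounted: $dir"
    return 1
}

# Constructed samples: a correct mount, one with "soft" instead of "hard",
# one served by an address that is not the File Storage target, and one in
# the proto=tcp form.
SAMPLE_OK='/dev/vda1 on /boot type ext4 (rw)
192.168.10.20:/BSDN123456789_01 on /mnt/filestorage type nfs (rw,vers=3,tcp,hard,addr=192.168.10.20)'
SAMPLE_SOFT='192.168.10.20:/BSDN123456789_01 on /mnt/filestorage type nfs (rw,vers=3,tcp,soft,addr=192.168.10.20)'
SAMPLE_OTHER='203.0.113.9:/BSDN123456789_01 on /mnt/filestorage type nfs (rw,vers=3,tcp,hard,addr=203.0.113.9)'
SAMPLE_PROTO='192.168.10.20:/BSDN123456789_02 on /mnt/filestorage type nfs (rw,relatime,vers=3,proto=tcp,hard,addr=192.168.10.20)'

# Demo on the constructed samples; on a host, pipe in the real "mount" output.
printf '%s\n' "$SAMPLE_OK" | check_fs_mount 192.168.10.20 /mnt/filestorage
printf '%s\n' "$SAMPLE_SOFT" | check_fs_mount 192.168.10.20 /mnt/filestorage || true
printf '%s\n' "$SAMPLE_OTHER" | check_fs_mount 192.168.10.20 /mnt/filestorage || true
```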
