Enabling NFS Volume Services
This topic describes how Pivotal Cloud Foundry (PCF) operators can deploy NFS volume services.
A volume service gives apps access to a persistent filesystem, such as NFS. By performing the procedures in this topic, operators can add a volume service to the Marketplace that provides an NFSv3 filesystem.
Developers can then use the Cloud Foundry Command Line Interface (cf CLI) to create service instances of the volume service and bind them to their apps. For more information, see the Using an External File System (Volume Services) topic.
Note: You must have an NFS server running to enable NFS volume services. If you want to use NFS and do not currently have a server available, you can deploy the test NFS server bundled with the NFS Volume release or enable NFS volume services with the NFS Broker Errand for Pivotal Elastic Runtime. You can enable this errand during ERT tile configuration.
When it comes to securing your NFS server against traffic apps running on PCF, you can use ASGs and LDAP:
- Application Security Groups (ASGs)
Use Application Security Groups (ASGs) to prevent apps from sending traffic directly to your NFS ports. Apps should never need to use NFS ports directly. Pivotal recommends defining an ASG that blocks direct access to your NFS server IP, especially ports 111 and 2049. For more information on setting up ASGs, see Understanding Application Security Groups.
In addition to ASGs, LDAP secures the NFS volume service so that app developers cannot bind to the service using an arbitrary UID and gain access to sensitive data. With LDAP support enabled, app developers must provide credentials for any user they wish to bind as.
The Diego cells running on PCF must be able to reach your LDAP server on the port you use for connections, which are typically
636. You cannot limit which Diego cells have access to your NFS or LDAP servers.
To enable NFS volume services in PCF, do the following:
Navigate to the Ops Manager Installation Dashboard.
Click the Elastic Runtime tile.
Click Application Containers.
Under Enabling NFSv3 volume services, select Enable.
Note: In a clean install, NFSv3 volume services are enabled by default. In an upgrade, NFSv3 volume services match the setting of the previous deployment.
(Optional) To configure LDAP for NFSv3 volume services, perform the following steps:
Note: If you already use an LDAP server with your network-attached storage (NAS) file server, enter its information below. This ensures that the indentities known to the file server match those checked by the PCF NFS driver.
- For LDAP Service Account User, enter the username of the service account in LDAP that will manage volume services.
- For LDAP Service Account Password, enter the password for the service account.
- For LDAP Server Host, enter the hostname or IP address of the LDAP server.
- For LDAP Server Port, enter the LDAP server port number. If you do not specify a port number, Ops Manager uses 389.
- For LDAP Server Protocol, enter the server protocol. If you do not specify a protocol, Ops Manager uses TCP.
- For LDAP User Fully-Qualified Domain Name, enter the fully qualified path to the LDAP service account. For example, if you have a service account called
volume-servicesthat belongs to organizational units (OU) called
my-company, and your domain is called
domain, the fully qualified path looks like the following:
Return to the Ops Manager Installation Dashboard and click Apply Changes to redeploy.
Using the cf CLI, enable access to the service:
$ cf enable-service-access nfsTo limit access to a specific org, use the
-oflag, followed by the name of the org where you want to enable access. For more information, see the Access Control topic.
(Optional) Enable access to the
nfs-experimentalservice. See NFS Volume Service for details about the differences between the two
$ cf enable-service-access nfs-experimental
After completing these steps, developers can use the cf CLI to create service instances of the
nfs service and bind them to their apps.