Configure the NFSv4.1 protocol

The following guide shows you how to implement the NFSv4.1 protocol with a new Filestore instance.

About NFSv4.1

Filestore offers NFSv4.1 protocol support (Preview) for instances created in enterprise or zonal service tiers.

This capability can be integrated with Managed Service for Microsoft Active Directory (Managed Microsoft AD) to support workloads that require client and server authentication, message data integrity checks, and in-transit data encryption, capabilities previously unavailable in Filestore.

  • Authentication is supported using LDAP and Kerberos and includes the following security flavors (settings):

    • Client and server authentication (krb5).
    • Message integrity checks (krb5i). Includes the capabilities of the previous setting.
    • In-transit data encryption (krb5p). Includes the capabilities of the previous setting.

Managed Microsoft AD is the only fully-managed Google Cloud solution that supports both LDAP and Kerberos, requirements for the NFSv4.1 protocol and its security and privacy benefits. While integration with Managed Microsoft AD is not required, it is highly recommended for an optimal Google Cloud user experience to manage user accounts and fluctuating groups and permissions.

Should you use NFSv4.1?

Many enterprise organizations rely on legacy systems for business-critical operations. Many of these systems require authentication and in-transit encryption for their network file storage. NFSv3 was not designed with authentication in mind. Filestore's NFSv4.1 protocol integration with Managed Microsoft AD now meets this critical user requirement.

Objectives

In this guide, you'll learn how to complete the following tasks:

Create a Filestore instance that uses NFSv4.1

To use Managed Microsoft AD with a Filestore instance, the Managed Microsoft AD domain must be created before the Filestore instance.

Before you begin

  1. Both the Managed Microsoft AD domain and the Filestore instance must use the same VPC while on the same project.

    If your Managed Microsoft AD service is hosted in a project separate from the Filestore instance you want to use, then the Filestore VPC network needs to be peered to the Managed Microsoft AD domain.

    For more information, see Deploy Managed Microsoft AD with cross-project access using domain peering.

  2. Complete all the setup steps to create a Filestore instance.

  3. Ensure that Managed Microsoft AD users have POSIX RFC 2307 and RFC 2307bis fields populated, similar to the following.

    For more information on how to configure objects in Managed Microsoft AD, see Managed Active Directory objects.

    Active Directory Users and Computers

    The following steps describe the attributes you need to set for LDAP users and groups. You can manage POSIX attributes by using the Active Directory Users and Computers MMC snap-in.

    You open the Attribute Editor as follows:

    1. Click Start.

    2. Click Windows Administrative Tools, and select Active Directory Users and Computers.

      The Active Directory Users and Computers window opens.

    3. Select the domain name that you want to view. To expand its contents, click the expander arrow.

    4. In the Active Directory Users and Computers View menu, select Advanced Features.

    5. In the left pane, double-click Users.

    6. In the users list, double-click a user to see its Attribute Editor tab.

      LDAP users must have the following attributes set:

      • uid
      • uidNumber
      • cn
      • gidNumber
      • objectClass

      Each user must have a unique uidNumber. Note that the value for the uid attribute is case sensitive. For the objectClass attribute, user is the default setting on most Active Directory (AD) deployments. The following is an example:

      uid: Alice
uidNumber: 139
gidNumber: 555
objectClass: user

      LDAP groups must have the following attributes set:

      • cn
      • gidNumber
      • objectClass

      Each group must have a unique gidNumber. Note that the value for the cn attribute is case sensitive. For the objectClass attribute, group is the default setting on most AD deployments. The following is an example:

      cn: AliceGroup
gidNumber: 555
objectClass: group

  4. Grant Filestore access to create and manage objects in Managed Microsoft AD using the gcloud projects add-iam-policy-binding command:

    gcloud projects add-iam-policy-binding MANAGED_MICROSOFT_AD_PROJECT_ID \
--member=serviceAccount:service-$(gcloud projects describe PROJECT_ID \
--format='value(PROJECT_ID)')@cloud-filer.iam.gserviceaccount.com \
--role=roles/managedidentities.filestoreintegrator

    Replace the following:

    • MANAGED_MICROSOFT_AD_PROJECT_ID is the project ID of the project where the Managed Microsoft AD domain is located.
    • PROJECT_ID is the project ID of the project where the Filestore instance is located.

    You might see the following error:

    INVALID_ARGUMENT: Service account service-PROJECT_ID@cloud-filer.iam.gserviceaccount.com does not exist.

    If so, use the following command to resolve it:

    gcloud beta services identity create --service=file.googleapis.com -project \ MANAGED_MICROSOFT_AD_PROJECT_ID

Create a Filestore instance with or without Managed Microsoft AD

In this section, you'll create a Filestore instance configured for use with the NFSv4.1 protocol. Optional steps are included for users electing not to use Managed Microsoft AD.

  • Ensure you have enough quota.

    Instance quota ranges by the region location and service tier you want to use. To increase available quota, you must submit a quota increase request.

Google Cloud console

Set up the instance parameters

  1. In the Google Cloud console, go to the Filestore instances page.

    Go to the Filestore instances page

  2. Click Create Instance.

  3. Specify the basic parameters of the instance including the name, instance type, and capacity:

    1. In the Instance ID field, enter the name you want to use for the Filestore instance.
    2. In Instance Type, select Enterprise or Zonal.
    3. In Allocated Capacity, enter the capacity you want to use. You must enter a value between 1 TB and 10 TB, in increments of 256 GiB (0.25 TiB).
    4. In Region, select the region you want to use.
    5. In VPC Network, select the network you want to use for the Filestore instance and NFS clients.
      • If Managed Microsoft AD is in the same project as the Filestore instance, the VPC network needs to be authorized in the Managed Microsoft AD domain.
      • If Managed Microsoft AD is in a separate project, then the VPC network should be configured with Active Directory network peering on the Managed Microsoft AD configuration.
    6. In Allocated IP range, select Use an automatically allocated IP range (recommended).
    7. In Protocol, select NFSv4.1.

Configure the instance's authentication settings

  1. Configure the instance's authentication settings.
    1. Click Authentication.
    2. Select the project hosting Managed Microsoft AD. For the purpose of this guide, we'll assume the current project is the one we want to use.
    3. In the Join an Active Directory domain list, select the Managed Microsoft AD domain you want to use.
    4. In the Computer account name field, enter the computer account name you want to use to identify the Filestore instance in the Managed Microsoft AD domain. The name is limited to 15 alphanumeric characters.
    5. In the File share name field, enter the name of the share as it will be used by the NFSv4.1 clients.

  2. In the Access Control pane, complete either of the following steps:

    • If using Managed Microsoft AD, select Restrict access by IP address or range.

      1. Set the access rule by IP or subnet you want to define. For the purpose of this guide, use the following settings:
      2. In the IP address or range 1 field, enter the IP address or range you want to use.
      3. Click the Access 1 drop-down list, and select Admin.
      4. Click the Mountsec= 1 drop-down list, and select the sys checkbox.

      The Filestore default / owner is root. To enable access to the instance for other users and groups, you must create an access rule that enables management VM access using the Admin role and the sec=sys security setting.

    • If you're not using Managed Microsoft AD, select Grant access to all clients on the VPC network.

      If Managed Microsoft AD is not used, the only supported security setting is sec=sys.

  3. Click Create to create the instance.

gcloud

  1. Install and initialize the gcloud CLI.

    If you already have the gcloud CLI installed, run the following command to update it:

    gcloud components update

  2. Complete either of the following steps:

    1. If using Managed Microsoft AD, run the following gcloud beta filestore instances create command to create a Filestore enterprise or zonal instance:

      gcloud beta filestore instances create INSTANCE-ID \
--description="DESCRIPTION" \
--region=LOCATION \
--tier=TIER \
--protocol=PROTOCOL \
--file-share=name="FILE_SHARE_NAME",capacity=CAPACITYTB \
--network=name="VPC_NETWORK",connect-mode=CONNECT_MODE,reserved-ip-range="RESERVED_IP_RANGE" \
--managed-ad=domain=projects/MANAGED_AD_PROJECT_ID/locations/global/domains/MANAGED_AD_DOMAIN_NAME,computer=DOMAIN_COMPUTER_ACCOUNT \
--project=CONSUMER_PROJECT_ID

      Replace the following:

      • INSTANCE_ID is the instance ID of the Filestore instance that you want to create. See Name your instance.
      • DESCRIPTION is a description for the instance you want to use.
      • LOCATION is the location where you want the Filestore instance to reside.
      • TIER is the service tier you want to use.
      • PROTOCOL is NFS_v4_1.
      • FILE_SHARE_NAME is the name you specify for the NFS file share that is served from the instance.
      • CAPACITY is the size you want for the file share, between 1 TiB to 10 TiB.

      • VPC_NETWORK is the name of the VPC network you want the instance to use. See Select the VPC network. If you want to specify a Shared VPC from a service project, you must specify the fully-qualified network name, which is in the format projects/HOST_PROJECT_ID/global/networks/SHARED_VPC_NAME and you must specify connect-mode=PRIVATE_SERVICE_ACCESS, similar to the following:

        --network=name=projects/host/global/networks/shared-vpc-1,connect-mode=PRIVATE_SERVICE_ACCESS

        You can't specify a legacy network for the vpc_network value. If necessary, create a new VPC network to use by following the instructions in Create an auto mode VPC network.

      • MANAGED_AD_PROJECT_ID is the project ID where the Managed Microsoft AD service is located.

      • MANAGED_AD_DOMAIN_NAME is the domain name of the Managed Microsoft AD service you want to use. It is the domain name that you choose when creating a Managed Microsoft AD domain.

      • DOMAIN_COMPUTER_ACCOUNT is any name that you want the cluster to be called in the domain.

      • CONSUMER_PROJECT_ID is the project ID of the project that contains the Filestore instance.

      • CONNECT_MODE is DIRECT_PEERING or PRIVATE_SERVICE_ACCESS. If you are specifying a Shared VPC as the network, you must also specify PRIVATE_SERVICE_ACCESS as the connect mode. This flag is required for VPC Network Peering, which is a requirement when using Managed Microsoft AD.

      • RESERVED_IP_RANGE is the IP address range for the Filestore instance. If you are specifying connect-mode=PRIVATE_SERVICE_ACCESS, and want to use a reserved IP address range, you must specify the name of an allocated address range instead of a CIDR range. See Configure a reserved IP address. We recommend that you skip this flag to allow Filestore to automatically find a free IP address range and assign it to the instance.

    2. If not using Managed Microsoft AD, run the same command as the previous step to create a Filestore instance, omitting the --managed-ad flag, and the flags for VPC Network Peering, namely connect-mode and reserved-ip-range. Use the following command as an example:

      gcloud beta filestore instances create INSTANCE-ID \
--description="DESCRIPTION" \
--region=LOCATION \
--tier=TIER \
--protocol=PROTOCOL \
--file-share=name="FILE_SHARE_NAME",capacity=CAPACITYTB \
--network=name="VPC_NETWORK" \
--project=CONSUMER_PROJECT_ID

Understanding network-based access control lists (ACLs) in NFSv4.1.

In NFSv3, only the sys security flavor is supported. This setting trusts the user uid and gid provided by the client during mounting.

In the Filestore NFSv4.1 protocol, several network ACL security flavors or settings are available:

  • krb5

    Authenticates the client using a Kerberos ticket, which is validated against the Managed Microsoft AD Kerberos server.

  • krb5i

    Includes the authentication provided by krb5 and also uses Kerberos to run message integrity checks on all network traffic to and from the instance.

  • krb5p

    Includes the authentication provided by krb5 and message integrity checks of krb5i and also uses Kerberos for in-transit data encryption.

If you want to take advantage of these options, Managed Service for Microsoft Active Directory integration is required.

If a Managed Service for Microsoft Active Directory domain isn't specified, only the sys security flavor is supported.

For more information, see NFSv4.1 limitations.

Mounting Filestore NFSv4.1 instances on Linux clients

The following steps show you how to mount instances on Linux clients.

  • Mount with sec=sys for standard NFS permissions:

    sudo mount -vvvv -t nfs4 -o vers=4.1,sec=sys,rw \ FILESTORE-INSTANCE-FQDN:/INSTANCE_SHARE_POINT /MOUNT_POINT

  • Mount with sec=krb5 for Kerberos-based authentication:

    sudo mount -vvvv -t nfs4 -o vers=4.1,sec=krb5i,rw \ FILESTORE-INSTANCE-FQDN:/INSTANCE_SHARE_POINT /MOUNT_POINT

  • Mount with sec=krb5i for Kerberos-based authentication and message integrity checks:

    sudo mount -vvvv -t nfs4 -o vers=4.1,sec=krb5i,rw \ FILESTORE-INSTANCE-FQDN:/INSTANCE_SHARE_POINT /MOUNT_POINT

  • Mount with sec=krb5p for Kerberos-based authentication, integrity checks, and in-transit encryption:

    sudo mount -vvvv -t nfs4 -o vers=4.1,sec=krb5p,rw \ FILESTORE-INSTANCE-FQDN:/INSTANCE_SHARE_POINT /MOUNT_POINT

    Replace the following:

    • FILESTORE-INSTANCE-FQDN is the fully-qualified domain name where the Filestore instance is located.
    • INSTANCE_SHARE_POINT is the file share name of the Filestore instance that you want to connect.
    • MOUNT_POINT is the mount point or directory name where you want to mount.

Linux client configuration

An NFSv4.1 Filestore instance allows clients to perform NFS operations using various security flavors. These flavors are configured by the instance administrator through network ACLs on the Filestore NFSv4.1 instance, during creation or if updated after creation.

The sys security flavor uses standard Unix authentication, while krb5, krb5i, and krb5p flavors use Kerberos-based authentication.

The krb5, krb5i, and krb5p flavors require the clients to be connected to the same Managed Microsoft AD domain as the Filestore instance. Complete the following steps appropriate for your environment.

Ubuntu image

  1. SSH to the Compute Engine instance.

  2. Run the following commands to join the Managed Microsoft AD domain.

    1. Run the following setup command:

      sudo apt-get update \
sudo apt-get -y -qq install adcli realmd sssd sssd-tools packagekit krb5-user \ nfs-common expect retry

    2. When prompted for realm, replace the existing entry with the Managed Microsoft AD domain used on the Filestore instance. Enter the value in uppercase, then press the arrow key to select OK, then press Enter.

    3. When prompted for hosts, leave it empty and proceed.

    4. Complete either of the following steps:

      • For VMs with a hostname length that is less than or equal to 15 characters, run the following command:

        sudo realm join -vU JOIN_DOMAIN_USER --automatic-id-mapping=no MANAGED_AD_DOMAIN_NAME

        Replace the following:

        • JOIN_DOMAIN_USER is the name of the user account used to join the domain.
        • MANAGED_AD_DOMAIN_NAME is the domain name of the Managed Microsoft AD service you want to use.

      • For VMs with a hostname length that is greater than 15 characters, run the following command:

        sudo realm join -vU JOIN_DOMAIN_USER --automatic-id-mapping=no \ --user-principal=host/`hostname -f`@MANAGED_AD_REALM_NAME MANAGED_AD_DOMAIN_NAME

        Replace the following:

        • JOIN_DOMAIN_USER is the name of the user account used to join the domain.
        • MANAGED_AD_REALM_NAME is the realm name of the Managed Microsoft AD service you want to use.
        • MANAGED_AD_DOMAIN_NAME is the domain name of the Managed Microsoft AD service you want to use.

  3. Update Kerberos configuration. Update /etc/krb5.conf with the required realm definition and realm-domain mapping:

     [realms]
          DOMAIN_NAME = {
                   kdc = DOMAIN_NAME
                   default_domain = DOMAIN_NAME
          }
 [domain_realm]
          .domain_name_lowercase = DOMAIN_NAME
          domain_name_lowercase = DOMAIN_NAME

    Replace the following:

    • DOMAIN_NAME is the domain name you want to use, entered in uppercase.
    • domain_name_lowercase is the domain name you want to use, entered in lowercase.

    Refer to the following for an example:

    [realms]
       FILE.DEMO.LOCAL = {
                kdc = FILE.DEMO.LOCAL
                default_domain = FILE.DEMO.LOCAL
       }

[domain_realm]
       .file.demo.local = FILE.DEMO.LOCAL
       file.demo.local = FILE.DEMO.LOCAL

  4. Run the rpc-gssd service. Add the following No-Strip attribute value to [General] section inside /etc/idmapd.conf:

     [General]
 No-Strip = both

  5. Run the following command:

    sudo systemctl restart rpc-gssd

Centos image

  1. Ssh to the Compute Engine instance.

  2. Join the Managed Microsoft AD domain:

    sudo yum update \
sudo yum install -y adcli realmd sssd samba-common-tools krb5-workstation nfs-utils \ bind-utils openldap-clients

  3. Complete either of the following steps:

    • For VMs with a hostname length less than or equal to 15 characters, run the following command:

      sudo realm join -vU JOIN_DOMAIN_USER --automatic-id-mapping=no MANAGED_AD_DOMAIN_NAME

      Replace the following:

      • JOIN_DOMAIN_USER is the name of the user account used to join the domain.
      • MANAGED_AD_DOMAIN_NAME is the domain name of the Managed Microsoft AD service you want to use.

    • For VMs with a hostname length greater than 15 characters, run the following command:

      sudo realm join -vU JOIN_DOMAIN_USER --automatic-id-mapping=no \ --user-principal=host/`hostname -f`@MANAGED_AD_REALM_NAME MANAGED_AD_DOMAIN_NAME

      Replace the following:

      • JOIN_DOMAIN_USER is the name of the user account used to join the domain.
      • MANAGED_AD_REALM_NAME is the realm name of the Managed Microsoft AD service you want to use.
      • MANAGED_AD_DOMAIN_NAME is the domain name of the Managed Microsoft AD service you want to use.

  4. Ensure that sssd service is running:

    sudo systemctl status sssd

  5. Run rpc-gssd service. Add the following below the No-Strip attribute value to the [General] section inside /etc/idmapd.conf:

    [General]
No-Strip = both

  6. Run the following command. This command helps ensure the NFS client won't strip the domain name from the NFS server hostname. For more information, see NFS Ganesha List Archives and Arch Linux Archive:

    sudo systemctl start rpc-gssd

Disconnect and reconnect to Managed Microsoft AD from a Filestore instance

Google Cloud console

Disconnect a Managed Microsoft AD from a Filestore instance

  1. Disconnect a Filestore instance connected to Managed Microsoft AD.

    In the Google Cloud console, go to the Filestore Instances page.

    Go to the Filestore instances page

  2. Click the instance ID of the instance you want to edit.

  3. In the NFS mount point pane, under Protocol, next to Directory service name, click Disconnect AD domain.

  4. In the Disconnect from domain failed window, read the alert, then, click Edit instance.

    At least one rule in Access control must be mapped to the Administrator role with the sys mount security setting, such as, Access=Admin Mount and sec=sys.

  5. In the Edit share pane, locate the rule where Access is set to Admin. Click Mount sec= ..., and select sys to add that option to the existing setting.

  6. Click OK.

  7. Click Save.

  8. Next to Directory service name, click Disconnect AD domain.

  9. In the field in the Disconnect from domain? window, enter the name of the domain from which you want to disconnect.

  10. Click Disconnect.

Edit the access rules

  1. Refresh the page. Note that Directory service name is now set to None.

  2. Click Edit.

  3. In the Edit share pane, locate any rule that sets access for a role other than Admin, such as Editor. In the rule, click Mount sec= ..., and select sys to add it to the existing setting. Click OK.

  4. Click Save.

  5. Refresh the page.

    The rule settings update.

Reconnect a Managed Microsoft AD to a Filestore instance

  1. Reconnect a Filestore instance to Managed Microsoft AD.

    In the NFS mount point pane, under Protocol, next to Directory service name, click Join AD domain.

  2. In the Join this instance to an Active Directory Domain window, select Use domains from the current project, in the Join an Active Directory Domain menu, select the domain you want to use.

  3. In the Computer account name menu, enter a name.

  4. Click Join Domain.

  5. Refresh the page. Note that Directory service name has been updated with your selection.

  6. Click Edit.

  7. In the Edit share pane, click Mount sec= ... in all applicable rules and remove the sys selection. Click OK.

  8. Click Save.

  9. Refresh the page.

    The rule settings update.

What's next