Mount Helper for secure file share connections
Mount Helper automates encryption in transit for File Storage for VPC. The utility configures IPsec tunnels for zonal shares and TLS connections for regional shares.
What is Mount Helper?
Mount Helper is an open source automation tool that configures and establishes secure communication between your compute resources (virtual server instances or bare metal servers) and File Storage for VPC. The utility handles the complexity of setting up encryption in transit, managing certificates, and establishing secure tunnels, so you can focus on using your file shares rather than configuring security infrastructure.
Mount Helper supports two different encryption methods depending on whether you're using zonal or regional file shares:
- IPsec encapsulation for zonal file shares
- Stunnel secure connections for regional file shares
In-transit encryption types
IPsec encapsulated connection for zonal shares
The utility uses strongSwan and swanctl to configure IPsec on the compute host that's running a Linux OS.
The File Storage for VPC IPsec connection requires mutual authentication. The Mount Helper retrieves the instance or bare metal server identity token from the Metadata service, then uses that identity token to request the creation of the instance or bare metal server identity certificate.
The Mount Helper makes new certificate requests every 45 minutes, as the lifetime of the certificate is 1 hour. The new certificate is generated before the old certificate expires to ensure seamless connection. The certificates are generated with the shorter life span for security reasons.
You can use the utility for encrypted or unencrypted connections. For encrypted connections, the Mount Helper uses the metadata service protocol option that is set to either http or https. For more information, see the API reference for the metadata_service option of instance provisioning and bare metal server provisioning.
Stunnel secure connection for regional shares
The Mount Helper utility installs stunnel on the compute host that's running a Linux OS. Stunnel is an application that creates encrypted TLS tunnels between clients and servers for secure communication. In client mode, Stunnel initiates a connection from your virtual server instance or bare metal server to the file share, and tunnels data over a secure connection. Stunnel requires a PEM file, which typically contains a private key and a certificate. When stunnel operates in client mode, it relies on the system-wide SSL/TLS configuration and certificates. It can use the default PEM file provided by the Linux distribution rather than generating a custom certificate. The PEM file is often located in the /etc/ssl/private or /etc/pki/tls/private folder.
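As an added example that is not the Mount Helper's or IBM's own code: a POSIX shell pre-flight that locates the client PEM in the default folders named above, checks that the private key is not readable by other users, and writes a client-mode stunnel configuration that also verifies the mount target's certificate chain. The mount target IP, the TLS and local ports, the CA bundle path, the output path and the section name are assumed placeholders; adjust them to your environment.

```shell
#!/bin/sh
# Added example, not the Mount Helper's own code. IPs, ports, the CA bundle
# path and the stunnel section name are assumptions, not values from the docs.
set -eu

# find_pem [dir ...]: print the first readable .pem in the distribution's
# default private-key folders named in the text (or in the given dirs).
find_pem() {
    [ "$#" -gt 0 ] || set -- /etc/ssl/private /etc/pki/tls/private
    for dir in "$@"; do
        for f in "$dir"/*.pem; do
            [ -r "$f" ] || continue
            printf '%s\n' "$f"
            return 0
        done
    done
    return 1
}

# pem_is_private <pem>: the PEM carries a private key, so it must not be
# readable by group or others (mode 600/400 or stricter).
pem_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# write_stunnel_conf <target-ip> <tls-port> <local-port> <pem> <ca-bundle> <out>
# Client mode: NFS traffic sent to 127.0.0.1:<local-port> is tunnelled over TLS
# to the mount target. verifyChain + CAfile make stunnel check the server's
# certificate; without them the tunnel encrypts but never authenticates the peer.
write_stunnel_conf() {
    cat > "$6" <<EOF
; constructed example configuration
sslVersionMin = TLSv1.2

[nfs-share]
client = yes
accept = 127.0.0.1:$3
connect = $1:$2
cert = $4
CAfile = $5
verifyChain = yes
EOF
}

# prepare_tunnel <target-ip> <tls-port> <local-port> <ca-bundle> <out> [pem-dir]
prepare_tunnel() {
    pem=$(find_pem ${6:+"$6"}) || { echo "no readable PEM found" >&2; return 1; }
    pem_is_private "$pem" || { echo "$pem is readable by group/others" >&2; return 1; }
    write_stunnel_conf "$1" "$2" "$3" "$pem" "$4" "$5"
}
```

After starting stunnel with the generated file, the share is mounted through the local end of the tunnel, for example with mount -t nfs4 -o port=20490 127.0.0.1:/share /mnt/share (assumed values).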
Requirements
Before you can use Mount Helper, ensure that your environment meets the following requirements:
- For setting up a secure connection with a zonal file share, the Metadata service must be enabled on the virtual server instance. If it is not enabled yet, follow the instructions for enabling metadata in the console, from the CLI, or from the API for virtual server instances, or for enabling metadata in the console, from the CLI, or from the API for bare metal servers.
- The zonal or regional file share must use the security group access mode, so that the VPC's security groups define which compute hosts can mount the share.
- Data encryption in transit must be enabled for the mount target.
- The compute host and the mount target must be members of the same security group.
- The mount target must be created with a virtual network interface, so it has an IP address within the VPC that represents the virtual NFS server.
Do not add the Mount Helper installer script to your cloud-init configuration. The utility requires a running and stable VSI to operate, as the script makes Metadata API requests for host identity verification.
Restrictions and limitations
Be aware of the following restrictions when using Mount Helper:
- For IPsec encapsulation, the same certificates cannot be used across multiple regions.
- The Mount Helper is supported on Linux hosts only. See the following table for the supported distributions:

Supported host OS distributions

| Supported OS | Supported OS | Supported OS |
| --- | --- | --- |
| RHEL_8 [8.4, 8.6, 8.8, 8.10] | RHEL_9 [9.0, 9.2, 9.4] | RHCOS 4.1 and newer |
| UBUNTU_2204 | UBUNTU_2404 | SAP_SLES_15_SP3_HANA |
| CENTOS_STREAM_9 | CENTOS_STREAM_10 | SAP_SLES_15_SP4_HANA |
| DEBIAN_11 | DEBIAN_12 | SAP_SLES_15_SP3_APPLICATIONS |
| ROCKYLINUX_8 [8.9, 8.10] | ROCKYLINUX_9 [9.4, 9.5] | SAP_SLES_15_SP4_APPLICATIONS |