Here you will learn how VMware Tanzu Application Service for VMs (TAS for VMs) operators can deploy NFS or SMB volume services.

A volume service gives apps access to a persistent filesystem, such as NFS or SMB. By performing the procedures in this topic, operators can add a volume service to the Marketplace that provides an NFS filesystem or an SMB share. For more information about adding a volume service to the Marketplace, see Services.

Developers can then use the Cloud Foundry Command Line Interface (cf CLI) to create service instances of the volume service and bind them to their apps. For more information, see Using an External File System (Volume Services).

You must have a running NFS or SMB server to test NFS or SMB volume services. TAS for VMs packages the necessary software to provide app connectivity to remote network-attached storage (NAS), but does not supply the NAS itself.

Enable NFS volume services

To enable NFS volume services in TAS for VMs:

  1. Go to the Ops Manager Installation Dashboard.

  2. Click the TAS for VMs tile.

  3. Select App Containers.

  4. Under NFSv3 volume services, select Enable.

    In a clean install, NFS volume services are enabled by default. In an upgrade, NFS volume services match the setting of the previous deployment.

  5. (Optional) To configure LDAP for NFS volume services: If you already use an LDAP server with your network-attached storage (NAS) file server, enter its information below. This ensures that the identities known to the file server match those checked by the NFS driver.

    • For LDAP service account user, enter either the full domain name for the service account or the username of the service account that manages volume services. This value must be what you enter when binding the account to your LDAP server.
    • For LDAP service account password, enter the password for the service account.
    • For LDAP server host, enter the hostname or IP address of the LDAP server.
    • For LDAP server port, enter the LDAP server port number. If you do not specify a port number, Ops Manager uses 389.
    • For LDAP user search base, enter the location in the LDAP directory tree from which any LDAP user search begins. The typical LDAP search base matches your domain name. For example, a domain named cloud.example.com typically uses the following LDAP user search base: ou=Users,dc=example,dc=com.

      Additionally, your LDAP user records must be configured with an attribute objectClass: User, which is used by the NFS driver to identify records as user records. They must also have uidNumber and gidNumber fields, which are used to establish the correct UID for a named user.

    • (Optional) For LDAP server CA certificate, you can enter a Certificate Authority (CA) certificate if your LDAP server supports TLS. Enter a certificate if you want to enable TLS connections from the NFS driver to your LDAP server. Paste in the root certificate from your CA certificate or your self-signed certificate.
  6. Click Save.

  7. Return to the Ops Manager Installation Dashboard, click Review Pending Changes, and click Apply Changes to redeploy.

  8. Using the cf CLI, enable access to the service by running:

    cf enable-service-access nfs
    

    To limit access to a specific org, use the -o flag, followed by the name of the org where you want to enable access. For more information, see Access Control.

  9. (Optional) Enable access to the nfs-legacy service by running:

    cf enable-service-access nfs-legacy
    

    For details about the differences between the two nfs services, see the NFS Volume Service section of the Using an External File System (Volume Services) topic.

After completing these steps, developers can use the cf CLI to create service instances of the nfs service and bind them to their apps.

NFS security

You can use ASGs and LDAP to secure your NFS server against traffic apps running on TAS for VMs:

  • App Security Groups (ASGs): Prevent apps from sending traffic directly to your NFS ports. Apps must never need to use NFS ports directly. VMware recommends defining an ASG that blocks direct access to your NFS server IP, especially ports 111 and 2049. For more information on setting up ASGs, see App Security Groups.

  • LDAP: In addition to ASGs, secures the NFS volume service so that app developers cannot bind to the service using an arbitrary UID. App developers also cannot gain access to sensitive data. With LDAP support enabled, app developers must provide credentials for any user they want to bind as.

The Diego Cells running on TAS for VMs must be able to reach your LDAP server on the port you use for connections, which are typically 389 or 636. You cannot limit which Diego Cells have access to your NFS or LDAP servers.

Activate SMB volume services

In a clean install, SMB volume services are activated by default. In an upgrade, SMB volume services match the setting of the previous deployment.

To enable SMB volume services in TAS for VMs:

  1. Go to the Ops Manager Installation Dashboard.

  2. Click the TAS for VMs tile.

  3. Select App Containers.

  4. Select the Enable SMB volume services check box.

  5. Click Save.

  6. Select Errands.

  7. Set the SMB Broker Errand to On.

  8. Click Save.

  9. Return to the Ops Manager Installation Dashboard, click Review Pending Changes, and click Apply Changes to redeploy.

  10. Using the cf CLI, enable access to the service by running:

    cf enable-service-access smb
    

    To limit access to a specific org, use the -o flag, followed by the name of the org where you want to enable access. For more information, see Access Control.

After you complete these steps, developers can use the cf CLI to create service instances of the smb service and bind them to their apps.

check-circle-line exclamation-circle-line close-line
Scroll to top icon