Mount a dynamically provisioned NAS volume - Container Service for Kubernetes

File Storage NAS (NAS) volumes are suitable for scenarios such as big data analysis, data sharing, web applications, and log storage. In addition to static provisioning, you can use dynamic provisioning to configure the system to automatically reserve persistent volumes (PVs) based on persistent volume claims (PVCs) and StorageClasses. You can use the subpath, sharepath, or filesystem mode to mount a dynamically provisioned NAS volume.

Prerequisites

The CSI plug-in is installed in the cluster. For more information about how to update csi-plugin and csi-provisioner, see Update csi-plugin and csi-provisioner.
Note
If FlexVolume is used in your cluster, upgrade FlexVolume to CSI because FlexVolume is deprecated. For more information, see Upgrade from FlexVolume to CSI. Choose Operations > Add-ons and click the Storage tab to check the storage component type.

A kubectl client is connected to the cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
NAS is activated.
If this is the first time you visit the product page of NAS, follow the instructions to activate it as prompted.

Limits

You cannot mount NAS file systems that use the Server Message Block (SMB) protocol.
General-purpose and Extreme NAS file systems have different limits on mounting scenarios, the number of file systems, and file sharing protocols. For more information about the supported states, see Limits.

Usage notes

NAS is a shared storage service. A NAS volume can be mounted to multiple pods. If multiple pods write data at the same time, applications must independently ensure data consistency. For more information about the limits on concurrent writes to NAS, see How do I prevent exceptions that may occur when multiple processes or clients concurrently write data to a log file? and How do I resolve the latency in writing data to an NFS file system?
After a mount target is created, wait until the Status of the mount target changes to Available. Do not delete the mount target. Otherwise, the system does not respond.
To mount an Extreme NAS file system, set the path parameter of the NAS volume to a subdirectory of /share. For example, a value of 0cd8b4a576-g****.cn-hangzhou.nas.aliyuncs.com:/share/subpath specifies that the mounted subdirectory of the NAS file system is /share/subpath.
If the securityContext.fsgroup parameter is configured in the application template, kubelet performs the chmod or chown operation after the volume is mounted, which increases the time consumption. For more information about how to accelerate the mounting process when the securityContext.fsgroup parameter is configured, see Why does it require a long time to mount a NAS volume?

Mount description

You can use the subpath, sharepath, or filesystem mode to mount a dynamically provisioned NAS volume. If you use the subpath or sharepath mode, you must create a NAS file system and a mount target in advance. If you use the filesystem mode, you do not need to create a NAS file system or a mount target in advance.

subpath mode: If multiple applications or pods require the same NAS file system to share data, or you want to mount different subdirectories of a NAS file system to different pods, use the subpath mode.
sharepath mode: If you want to mount the NAS file system to multiple pods that are in different namespaces, use the sharepath mode.
filesystem mode: If your application needs to dynamically create or delete NAS file systems and mount targets, the Container Storage Interface (CSI) plug-in automatically creates a NAS file system and mount target when a PVC is created. If a PVC is created, a NAS file system is created. When the PVC is deleted, the mount target and the NAS file system are dynamically deleted. Only kubectl can be used to mount NAS volumes in filesystem mode.

Step 1: Create a NAS file system and a mount target

NAS file systems of different types are available in different regions and zones. Specify the NAS file system and mount target that you want to create based on the your business requirements, the region of the ACK cluster, and the VPC and vSwitch that are used by pods in the Container Service for Kubernetes (ACK) cluster.

For more information about the specifications, performance, billing, and supported regions and zones of different types of NAS file systems, see General-purpose NAS file systems and Extreme NAS file systems.
General-purpose and Extreme NAS file systems have different limits on mounting connectivity, the number of file systems, and file sharing protocols. For more information, see Limits.

Log on to the NAS console.

Create a NAS file system. For more information, see Create a file system.

On the File System List page, click Create File System. Then, select Create General-purpose NAS File System or Create Extreme NAS File System.

In the panel that appears, configure the file system parameters and click Buy Now.

In this example, a General-purpose NAS file system is created. The following table describes some of the file system parameters. For more information, see Create a file system.

Parameter	Description
Region	Select a region where the cluster is located.
Zone	Select a zone.
Protocol Type	Select NFS. You cannot mount NAS file systems that use the SMB protocol.
VPC and vSwitch	This parameter is available only for General-purpose NAS file systems. Select the VPC and vSwitch used by the pod in the cluster.

Step 2: Mount a dynamically provisioned NAS volume

Use the subpath mode

Use kubectl

1. Create a StorageClass

Create a file named alicloud-nas-subpath.yaml, copy the following content to the file, and then modify the parameters based on your business requirements:

allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: alicloud-nas-subpath
mountOptions:
- nolock,tcp,noresvport
- vers=3
parameters:
  volumeAs: subpath
  server: "0cd8b4a576-g****.cn-hangzhou.nas.aliyuncs.com:/k8s/"
provisioner: nasplugin.csi.alibabacloud.com
reclaimPolicy: Retain

Parameter	Description
allowVolumeExpansion	This parameter is available only for General-purpose NAS file systems. If you set this parameter to true, a NAS directory quota is configured for the dynamically provisioned PV based on the StorageClass. You can modify the PVC to expand the volume. Note The NAS directory quota takes effect in an asynchronous manner. After a PV is dynamically provisioned, the directory quota does not immediately take effect, and the quota may be exceeded if a large amount of data is written within a short period of time. For more information about NAS directory quotas, see Manage directory quotas.
mountOptions	Set the `options` of the NAS file system in the `mountOptions` field. For example, you can specify the NFS version that you want to use.
volumeAs	Set to `subpath`. Valid values: `subpath`: mounts a subdirectory of the NAS file system as a PV. You must manually create a NAS file system and a mount target. A PV corresponds to a subdirectory of a NAS file system. `sharepath`: No directory is created when the PV is created, but the specified path in the StorageClass is used. This means that each PV corresponds to the same NAS directory, which is suitable for scenarios in which directories are shared across namespaces. `filesystem`: The provisioner automatically creates a NAS file system. Each PV corresponds to a NAS file system.
server	The mount target of the NAS file system if you mount a subdirectory of the NAS file system as a PV. If you leave this parameter empty, / is used by default. Important You must specify the actual mount target. For more information about how to query the domain name of a mount target, see Manage mount targets.
provisioner	The type of driver. In this example, the parameter is set to `nasplugin.csi.alibabacloud.com`. This indicates that the NAS CSI plug-in provided by Alibaba Cloud is used.
reclaimPolicy	The reclaim policy of the PV. Default value: `Delete`. You can also set the value to `Retain`. Delete: If you use this policy, you must also specify the `archiveOnDelete` parameter. If you set the `archiveOnDelete` parameter to `true`, after you delete the PVC, the files in PV and NAS file system associated with the PVC are renamed and retained. If you set the `archiveOnDelete` parameter to `false`, after you delete the PVC, the files in PV and NAS file system associated with the PVC are deleted. Note Only the NAS subpath directories and the files within them are deleted. To delete the NAS file system, see Delete a file system. Retain: When a PVC is deleted, the files in the associated PV and NAS file system are retained and can only be manually deleted. If you have high requirements on data security, we recommend that you use the `Retain` policy to prevent data loss caused by user errors.
archiveOnDelete	Specifies whether to delete the files in the backend storage if the `reclaimPolicy` parameter is set to `Delete`. NAS is a shared storage service. You must specify both reclaimPolicy and archiveOnDelete parameters to ensure data security. Configure the policy in the `parameters` section. Default value: `true`, which indicates that the subdirectory or files are not deleted when the PVC is deleted. Instead, the subdirectory or files are renamed in the format of `archived-{pvName}.{timestamp}`. If this parameter is set to `false`, the backend storage is deleted when the PVC is deleted. Note We recommend that you do not set this parameter to false when the service receives a large amount of network traffic. For more information, see What do I do if the task queue of alicloud-nas-controller is full and PVs cannot be created when I use a dynamically provisioned NAS volume? To completely delete the file data from the backend storage, you must add `parameters.archiveOnDelete` and set it to `false` using the `kubectl` method.

Run the following command to create a StorageClass:
```
kubectl create -f alicloud-nas-subpath.yaml
```

2. Create a PVC

Create a file named pvc.yaml, copy the following content to the file, and then modify the parameters based on your business requirements:

kind: PersistentVolumeClaim
apiVersion: v1
metadata: 
  name: nas-csi-pvc
spec:
  accessModes:
  - ReadWriteMany 
  storageClassName: alicloud-nas-subpath
  resources: 
    requests:
      storage: 20Gi

Parameter	Description
name	The name of the PVC.
accessModes	The access mode of the PV. The default value is `ReadWriteMany`. You can also set the value to `ReadWriteOnce` or `ReadOnlyMany`.
storageClassName	The name of the StorageClass that you want to associate with the PVC.
storage	The storage that is claimed by the PVC. Important The capacity set in this parameter does not limit the actual capacity that applications can use, and does not allow automatic scaling. The quota of a NAS directory is set only if the NAS file system is general-purpose and the `allowVolumeExpansion` parameter of the StorageClass is set to `true`. For more information, see Expand a NAS volume. Once the quota of a directory takes effect, CSI will set the quota of a NAS directory based on the PVC capacity. The NAS directory quota is measured in GiB, and the actual quota is calculated by rounding up the PVC capacity to the nearest integer in GiB.

Create a PVC.
```
kubectl create -f pvc.yaml
```

3. Create an application and mount the NAS file system to the application

Deploy two applications named nginx-1 and nginx-2 to share the same subdirectory of the NAS file system.

Create a file named nginx-1.yaml and copy the following content to the file:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-nas-1
  labels:
    app: nginx-1
spec:
  selector:
    matchLabels:
      app: nginx-1
  template:
    metadata:
      labels:
        app: nginx-1
    spec:
      containers:
      - name: nginx
        image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
        ports:
        - containerPort: 80
        volumeMounts:
          - name: nas-pvc
            mountPath: "/data"
      volumes:
        - name: nas-pvc
          persistentVolumeClaim:
            claimName: nas-csi-pvc

mountPath: the path to which the NAS file system is mounted in the container.
claimName: the name of the PVC that the application uses to mount the NAS file system. In this example, nas-csi-pvc is used.

Create a file named nginx-2.yaml and copy the following content to the file:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-nas-2
  labels:
    app: nginx-2
spec:
  selector:
    matchLabels:
      app: nginx-2
  template:
    metadata:
      labels:
        app: nginx-2
    spec:
      containers:
      - name: nginx
        image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
        ports:
        - containerPort: 80
        volumeMounts:
          - name: nas-pvc
            mountPath: "/data"
      volumes:
        - name: nas-pvc
          persistentVolumeClaim:
            claimName: nas-csi-pvc

mountPath: the path to which the NAS file system is mounted in the container. In this example, /data is used.
claimName: Enter the name of the PVC that is used by nginx-1. In this example, the value is set to nas-csi-pvc.

Deploy the nginx-1 and nginx-2 applications.

kubectl create -f nginx-1.yaml -f nginx-2.yaml

View the pod information.
```
kubectl get pod
```
Expected output:
```
NAME                                READY   STATUS    RESTARTS   AGE
deployment-nas-1-5b5cdb85f6-a****   1/1     Running   0          32s
deployment-nas-2-c5bb4746c-b****    1/1     Running   0          32s
```
The /data subdirectory of the NAS file system is mounted to different pods. The NAS volume whose mount target is 0cd8b4a576-g****.cn-hangzhou.nas.aliyuncs.com:/k8s/nas-79438493-f3e0-11e9-bbe5-00163e09**** is mounted to the /data directory of the deployment-nas-1-5b5cdb85f6-a**** and deployment-nas-2-c5bb4746c-b**** applications.
- /k8s: the subdirectory is mounted in subpath mode as specified in the StorageClass configurations.
- nas-79438493-f3e0-11e9-bbe5-00163e09****: the name of the automatically created PV.
Note
To mount different subdirectories of a NAS file system to different pods, you must create a separate PVC for each pod. In this example, pvc-1 is created for nginx-1 and pvc-2 is created for nginx-2.

Use the ACK console

1. Create a StorageClass

Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Volumes > StorageClasses.
On the StorageClasses page, click Create.

In the Create dialog box, configure the StorageClass, and click Create.

The following table describes the parameters.

Parameter	Description	Example
Name	The name of the StorageClass. The name must start with a lowercase letter, and can contain only lowercase letters, digits, periods (.), and hyphens (-).	alicloud-nas-subpath
PV Type	Select NAS.	NAS
Select Mount Target	The mount target of the NAS file system. For more information about how to query the domain name of a mount target, see Manage mount targets. If no mount target is available, create a NAS file system first. For more information, see Create a NAS file system and a mount target.	0cd8b4a576-g****.cn-hangzhou.nas.aliyuncs.com:/k8s/
Volume Mode	The access mode of the volume. Shared Directory is selected by default. Valid values: Shared Directory: The NAS volume is mounted in sharepath mode. All volumes share the same path. This means that data is stored at `<bucket>:<path>/`. Subdirectory: The NAS volume is mounted in subpath mode. When you create a volume, a subdirectory is automatically created in the mount path. This means that data is stored at `<bucket>:<path>/<pv-name>/`. Note The Subdirectory mode takes effect only if the version of the CSI plug-in is 1.31.4 or later. Otherwise, the Shared Directory mode is used.	Subdirectory
Mount Path	The mount path of the NAS file system. If the specified subdirectory does not exist, the system automatically creates the subdirectory in the NAS file system and mounts the subdirectory to the cluster. If you do not configure this parameter, the root directory of the NAS file system is mounted. If you want to mount an Extreme NAS file system, set this parameter to a subdirectory of the `/share` directory. Example: `/share/data`.	/
Reclaim Policy	The reclaim policy. Valid values: Delete and Retain. Default value: Delete. Note Parameters such as `archiveOnDelete` cannot be configured through the console. Therefore, files in backend NAS storage cannot be completely deleted. To delete them completely, use the `kubectl` method. Delete: If you use this policy, you must configure the `archiveOnDelete` parameter. If you set the `archiveOnDelete` parameter to `true`, files in the PV and NAS file system associated with a PVC are renamed and retained after you delete the PVC. If you set the `archiveOnDelete` parameter to `false`, files in the PV and NAS file system associated with a PVC are deleted after you delete the PVC. Retain: If a PVC is deleted, files in the related PV and NAS file system are retained and can only be manually deleted. If you have high requirements for data security, we recommend that you use the Retain policy to prevent data loss caused by user errors.	Retain
Mount Options	The mount options, such as the Network File System (NFS) version. We recommend that you use NFS v3. Extreme NAS file systems support only NFS v3 For more information about the NFS protocol, see NFS.	Retain the default setting.

After you create the StorageClass, you can view the StorageClass on the StorageClasses page.

2. Create a PVC

In the left-side navigation pane of the details page, choose Volumes > Persistent Volume Claims.
On the Persistent Volume Claims page, click Create.

In the Create PVC dialog box, configure the parameters and click Create.

Parameter	Description	Example
PVC Type	Select NAS.	NAS
Name	The name of the PVC. The name must be unique in the cluster.	pvc-nas
Allocation Mode	Select Use StorageClass.	Use StorageClass
Existing Storage Class	Click Select. In the Select Storage Class dialog box, find the StorageClass that you want to use and click Select in the Actions column.	Select the alicloud-nas-subpath StorageClass created in the previous step.
Capacity	The capacity claimed by the PVC. The value of this parameter does not specify a limit for the maximum capacity that can be used by the application. Important The capacity set in this parameter does not limit the actual capacity that applications can use, and does not allow automatic scaling. The quota of a NAS directory is set only if the NAS file system is general-purpose and the `allowVolumeExpansion` parameter of the StorageClass is set to `true`. For more information, see Expand a NAS volume. Once the quota of a directory takes effect, CSI will set the quota of a NAS directory based on the PVC capacity. The NAS directory quota is measured in GiB, and the actual quota is calculated by rounding up the PVC capacity to the nearest integer in GiB.	20Gi
Access Mode	Default value: ReadWriteMany. You can also set the value to ReadWriteOnce or ReadOnlyMany.	ReadWriteMany

3. Create an application and mount the NAS file system to the application

To create the applications named deployment-nas-1 and deployment-nas-2, perform the following operations. Make sure that the applications share the same subdirectory of the NAS file system.

In the left-side navigation pane of the details page, choose Workloads > Deployments.
On the Deployments tab, click Create from Image.

Configure the application parameters.

The following table describes the key parameters. Use the default settings for other parameters. For more information, see Create a stateless application by using a Deployment.

Item	Parameter	Description	Example
Basic Information	Name	Enter a custom name for the Deployment. The name must follow the format requirements displayed in the console.	deployment-nas-1
Basic Information	Replicas	The number of replicas for the Deployment.	2
Container	Image Name	The address of the image used to deploy the application.	anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
	Required Resources	The required vCPU and memory resources.	0.25 vCores and 512 MiB of memory
	Volume	Click Add PVC and configure the parameters. Mount Source: Select the PVC you created. Container Path: Specify the container path to which you want to mount the NAS file system.	Mount Source: pvc-nas Container Path: /data

Run the following command to query the deployment progress of the application:
1. On the Deployments page, click the name of the application that you want to manage.
2. On the Pods tab, check whether the pod is in the Running state.

Use the sharepath mode

Use kubectl

1. Create a StorageClass

Create a file named alicloud-nas-subpath.yaml, copy the following content to the file, and modify the parameters based on your business requirements:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: alicloud-nas-sharepath
mountOptions:
- nolock,tcp,noresvport
- vers=3
parameters:
  volumeAs: sharepath
  server: "0cd8b4a576-g****.cn-hangzhou.nas.aliyuncs.com:/data"
provisioner: nasplugin.csi.alibabacloud.com
reclaimPolicy: Retain

Parameter	Description
mountOptions	The mount options, such as the Network File System (NFS) version. We recommend that you use NFS v3. Extreme NAS file systems support only NFS v3 For more information about the NFS protocol, see NFS.
volumeAs	Set to `sharepath`. Valid values: `subpath`: mounts a subdirectory of the NAS file system as a PV. You must manually create a NAS file system and a mount target. A PV corresponds to a subdirectory of a NAS file system. `sharepath`: No directory is created when the PV is created, but the specified path in the StorageClass is used. This means that each PV corresponds to the same NAS directory, which is suitable for scenarios in which directories are shared across namespaces. `filesystem`: The provisioner automatically creates a NAS file system. Each PV corresponds to a NAS file system.
server	The mount target and mount path of the NAS file system if you mount a subdirectory of the NAS file system as a PV. If you do not configure the mount path, `/` is used by default. Important You must specify the actual mount target. For more information about how to view the domain name of a mount target, see Manage mount targets.
provisioner	The type of driver. In this example, the parameter is set to`nasplugin.csi.alibabacloud.com`. This indicates that the CSI plug-in provided by Alibaba Cloud for NAS is used.
reclaimPolicy	You must select `Retain` if you use the `sharepath` mode.

Create a StorageClass.

kubectl create -f alicloud-nas-sharepath.yaml

2. Create PVCs in different namespaces

To mount a NAS file system to pods in different namespaces, you must create two namespaces.

Run the following command to create namespaces named ns1 and ns2:
```
kubectl create ns ns1
kubectl create ns ns2
```

Create a file named pvc.yaml, copy the following content to the file, and then modify the parameters based on your business requirements:

kind: PersistentVolumeClaim
apiVersion: v1
metadata: 
  name: nas-csi-pvc
  namespace: ns1
spec:
  accessModes:
  - ReadWriteMany 
  storageClassName: alicloud-nas-sharepath
  resources: 
    requests:
      storage: 20Gi
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata: 
  name: nas-csi-pvc
  namespace: ns2
spec:
  accessModes:
  - ReadWriteMany 
  storageClassName: alicloud-nas-sharepath
  resources: 
    requests:
      storage: 20Gi

Parameter	Description
name	The name of the PVC.
accessModes	The access mode of the PV. The default value is `ReadWriteMany`. You can also set the value to `ReadWriteOnce` or `ReadOnlyMany`.
storageClassName	The name of the StorageClass that you want to associate with the PVC.
storage	The storage that is claimed by the PVC. Important If you use the sharepath mode, this parameter does not take effect.

Create a PVC.
```
kubectl create -f pvc.yaml
```

3. Create an application and mount the NAS file system to the application

Create applications in different namespaces and mount the PVCs created in the corresponding namespaces. The applications share the NAS volume defined in the StorageClass.

Create a file named nginx.yaml and copy the following content to the file. This file contains two Deployments.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: ns1
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
        ports:
        - containerPort: 80
        volumeMounts:
          - name: nas-pvc
            mountPath: "/data"
      volumes:
        - name: nas-pvc
          persistentVolumeClaim:
            claimName: nas-csi-pvc
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: ns2
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
        ports:
        - containerPort: 80
        volumeMounts:
          - name: nas-pvc
            mountPath: "/data"
      volumes:
        - name: nas-pvc
          persistentVolumeClaim:
            claimName: nas-csi-pvc

mountPath: the path to which the NAS file system is mounted in the container.
claimName: the name of the PVC that the application uses to mount the NAS file system. In this example, nas-csi-pvc is used.

Create an application.
```
kubectl create -f nginx.yaml
```

View the pod information.
```
kubectl get pod -A -l app=nginx
```
Expected output:
```
NAMESPACE  NAME                READY   STATUS    RESTARTS   AGE
ns1      nginx-5b5cdb85f6-a****   1/1     Running   0          32s
ns2      nginx-c5bb4746c-b****    1/1     Running   0          32s
```
Mount the /data subdirectory of the NAS file system for pods in different namespaces. The NAS volume whose mount target is 0cd8b4a576-g****.cn-hangzhou.nas.aliyuncs.com:/data is mounted to the /data directory of the nginx-5b5cdb85f6-a**** and the nginx-c5bb4746c-b**** applications.

Use the ACK console

1. Create a StorageClass

Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Volumes > StorageClasses.
On the StorageClasses page, click Create.

In the Create dialog box, configure the StorageClass and click Create.

The following table describes the parameters.

Parameter	Description	Example
Name	The name of the StorageClass. The name must start with a lowercase letter, and can contain only lowercase letters, digits, periods (.), and hyphens (-).	alicloud-nas-sharepath
PV Type	Select NAS.	NAS
Select Mount Target	The mount target of the NAS file system. For more information about how to query the domain name of a mount target, see Manage mount targets. If no mount target is available, create a NAS file system first. For more information, see Create a NAS file system and a mount target.	0cd8b4a576-g****.cn-hangzhou.nas.aliyuncs.com:/data
Volume Mode	The access mode of the volume. Shared Directory is selected by default. Valid values: Shared Directory: The NAS volume is mounted in sharepath mode. No directory is created when the PV is created, but the specified path in the StorageClass is used. This means that each PV corresponds to the same NAS directory, which is suitable for scenarios in which directories are shared across namespaces. Subdirectory: The NAS volume is mounted in subpath mode. Mount a subdirectory of the NAS file system as a PV. You must manually create a NAS file system and a mount target. A PV corresponds to a subdirectory of a NAS file system.	Shared Directory
Mount Path	The mount path of the NAS file system. If the specified subdirectory does not exist, the system automatically creates the subdirectory in the NAS file system and mounts the subdirectory to the cluster. If you do not configure this parameter, the root directory of the NAS file system is mounted. If you want to mount an Extreme NAS file system, set this parameter to a subdirectory of the `/share` directory. Example: `/share/data`.	/
Reclaim Policy	You must select `Retain` if you use the `sharepath` mode.	Retain
Mount Options	The mount options, such as the Network File System (NFS) version. We recommend that you use NFS v3. Extreme NAS file systems support only NFS v3 For more information about the NFS protocol, see NFS.	Retain the default setting.

After you create the StorageClass, you can view the StorageClass on the StorageClasses page.

2. Create a PVC

To mount a shared directory across namespaces, you must create the ns1 and ns2 namespaces in the console.

Create the ns1 and ns2 namespaces. For more information, see Manage namespaces and resource quotas.
In the left-side navigation pane of the details page, choose Volumes > Persistent Volume Claims.
On the Persistent Volume Claims page, select ns1 in the Namespace section and click Create.

In the Create PVC dialog box, configure the parameters and click Create.

Parameter	Description	Example
PVC Type	Select NAS.	NAS
Name	The name of the PVC. The name must be unique in the cluster.	pvc-nas
Allocation Mode	The allocation mode of the PVC. In this example, Use StorageClass is selected.	Use StorageClass
Existing Storage Class	Click Select. In the Select Storage Class dialog box, find the StorageClass that you want to use and click Select in the Actions column.	Select the alicloud-nas-sharepath StorageClass created in the previous step.
Capacity	The capacity claimed by the PVC.	20Gi
Access Mode	Default value: ReadWriteMany. You can also set the value to ReadWriteOnce or ReadOnlyMany.	ReadWriteMany

Create pvc-nas in the ns2 namespace by performing the preceding steps.

3. Create an application and mount the NAS file system to the application

In the left-side navigation pane of the details page, choose Workloads > Deployments.
In the upper part of the Deployments page, select ns1 in the Namespace section and click Create from Image.

Configure the application parameters.

The following table describes the key parameters. Use the default settings for other parameters. For more information, see Create a stateless application by using a Deployment.

Item	Parameter	Description	Example
Basic Information	Name	Enter a custom name for the Deployment. The name must follow the format requirements displayed in the console.	nginx
Basic Information	Replicas	The number of replicas for the Deployment.	2
Container	Image Name	The address of the image used to deploy the application.	anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
	Required Resources	The required vCPU and memory resources.	0.25 vCores and 512 MiB of memory
	Volume	Click Add PVC and configure the parameters. Mount Source: Select the PVC you created. Container Path: Specify the container path to which you want to mount the NAS file system.	Mount Source: pvc-nas Container Path: /data

Create an application named nginx in the ns2 namespace by performing the preceding steps.
Run the following command to query the deployment progress of the application:
1. On the Deployments page, click the name of the application that you want to manage.
2. On the Pods tab, check whether the pod is in the Running state.

Verify the storage performance of NAS

The Deployment you created in the preceding steps contains two pods. The two pods are mounted to the same NAS file system. You can use one of the following methods to verify that the NAS volume can persist and share data.

Recreate the pod. Access the NAS volume from a recreated pod to check whether the original data still exists in the NAS file system. If the data still exists, data persistence is enabled.
Create a file in one pod and access the file from the other pod. If you can access the file, data sharing is enabled.

Verify that the NAS file system can be used to persist data

Run the following command to query the pods that are created for the application:

kubectl get pod

Expected output:

NAME                                READY   STATUS    RESTARTS   AGE
deployment-nas-1-5b5cdb85f6-a****   1/1     Running   0          32s
deployment-nas-2-c5bb4746c-b****    1/1     Running   0          32s

Create a file in the pod.
1. Check whether a file exists in the /data path that is mounted to the application.
  In this example, the pod deployment-nas-1-5b5cdb85f6-a**** is used.
```
kubectl exec deployment-nas-1-5b5cdb85f6-a**** -- ls /data
```
  No output is returned. This indicates that no file exists in the /data path.
2. Run the following command to create a file named nas in the /data path of the pod:
```
kubectl exec deployment-nas-1-5b5cdb85f6-a**** -- touch /data/nas
```
Access the file you created from the other pod.
In this example, the pod deployment-nas-2-c5bb4746c-b**** is used.
```
kubectl exec deployment-nas-2-c5bb4746c-b**** -- ls /data
```
Expected output:
```
nas
```
Recreate the pod.
1. Delete the pod.
```
kubectl delete pod deployment-nas-1-5b5cdb85f6-a****
```
2. Open another command-line interface (CLI) and view how the pod is deleted and recreated:
```
kubectl get pod -w -l app=nginx
```
Verify that the file still exists after the pod is deleted.
1. Query the recreated pod.
```
kubectl get pod
```
  Expected output:
```
NAME                                READY   STATUS    RESTARTS   AGE
deployment-nas-1-5b5cdm2g5-c****    1/1     Running   0          32s
deployment-nas-2-c5bb4746c-b****    1/1     Running   0          32s
```
2. Query files in the /data path of the recreated pod.
  In this example, the pod deployment-nas-1-5b5cdm2g5-c**** is used.
```
kubectl exec deployment-nas-1-5b5cdm2g5-c**** -- ls /data
```
  Expected output:
```
nas
```
  The nas file still exists in the /data path. This indicates that data is persisted in the NAS file system.

Verify that data in the NAS file system can be shared across pods

You can mount a NAS volume to multiple pods. If data is modified in one pod, the modifications are automatically synchronized to the other pods. The following example describes how to verify that data in the NAS file system can be shared across pods.

Query the pods that are created for the application and the files in the mounted NAS file system.

Run the following command to query the pods that are created for the application:

kubectl get pod

Expected output:

NAME                                READY   STATUS    RESTARTS   AGE
deployment-nas-1-5b5cdb85f6-a****   1/1     Running   0          32s
deployment-nas-2-c5bb4746c-b****    1/1     Running   0          32s

View the files in the /data paths of the two pods.
```
kubectl exec deployment-nas-1-5b5cdb85f6-a**** -- ls /data
kubectl exec deployment-nas-2-c5bb4746c-b**** -- ls /data
```
No output is returned. This indicates that no file exists in the /data path.

Create a file named nas in the /data path of a pod.
In this example, the pod deployment-nas-1-5b5cdb85f6-a**** is used.
```
 kubectl exec deployment-nas-1-5b5cdb85f6-a**** -- touch /data/nas
```
View the files in the /data paths of the two pods.
1. Run the following command to query the file in the /data path of the pod deployment-nas-1-5b5cdb85f6-a****:
```
kubectl exec deployment-nas-1-5b5cdb85f6-a**** -- ls /data
```
  Expected output:
```
nas
```
2. Run the following command to query files in the /data path of the pod deployment-nas-2-c5bb4746c-b****:
```
kubectl exec deployment-nas-2-c5bb4746c-b**** -- ls /data
```
  Expected output:
```
nas
```
  After you create a file in the /data path of one pod, you can also find the file in the /data path of the other pod. This indicates that data in the NAS file system is shared by the two pods.

FAQ

How do I enable user isolation or user group isolation in the NAS file system?

To ensure the security of data between different users and user groups, perform the following steps to isolate users or user groups in the NAS file system.

Use the following YAML template to create an application. The containers of the application start processes and create directories as the nobody user. The user identifier (UID) and group identifier (GID) of the nobody user are 65534.

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: nas-sts
spec:
  selector:
    matchLabels:
      app: busybox
  serviceName: "busybox"
  replicas: 1
  template:
    metadata:
      labels:
        app: busybox
    spec:
      securityContext:
        fsGroup: 65534    # The containers create directories as the nobody user. The UID and GID of the nobody user are 65534. 
        fsGroupChangePolicy: "OnRootMismatch"    # Permissions and ownership are changed only if the permissions and the ownership of the root directory do not meet the requirements of the volume. 
      containers:
      - name: busybox
        image: busybox
        command:
        - sleep
        - "3600"
        securityContext:
          runAsUser: 65534    # All processes in the containers run as the nobody user (UID 65534). 
          runAsGroup: 65534   # All processes in the containers run as the nobody user (GID 65534). 
          allowPrivilegeEscalation: false
        volumeMounts:
        - name: nas-pvc
          mountPath: /data
  volumeClaimTemplates:
  - metadata:
      name: nas-pvc
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "alicloud-nas-subpath"
      resources:
        requests:
          storage: 100Gi

Run the following top command in a container to check whether the command is run as the nobody user:

kubectl exec nas-sts-0 -- "top"

Expected output:

Mem: 11538180K used, 52037796K free, 5052K shrd, 253696K buff, 8865272K cached
CPU:  0.1% usr  0.1% sys  0.0% nic 99.7% idle  0.0% io  0.0% irq  0.0% sirq
Load average: 0.76 0.60 0.58 1/1458 54
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
   49     0 nobody   R     1328  0.0   9  0.0 top
    1     0 nobody   S     1316  0.0  10  0.0 sleep 3600

The output shows that the top command is run as the nobody user.

Run the following command to check whether the nobody user is used to create the directories and files in the mount directory of the NAS file system:

kubectl exec nas-sts-0 -- sh -c "touch /data/test; mkdir /data/test-dir; ls -arlth /data/"

Expected output:

total 5K
drwxr-xr-x    1 root     root        4.0K Aug 30 10:14 ..
drwxr-sr-x    2 nobody   nobody      4.0K Aug 30 10:14 test-dir
-rw-r--r--    1 nobody   nobody         0 Aug 30 10:14 test
drwxrwsrwx    3 root     nobody      4.0K Aug 30 10:14 .

The output shows that the nobody user is used to create the test file and the test-dir directory in the /data directory.

How do I mount a dynamically provisioned NAS volume by using the filesystem mode?

If your want to dynamically create or delete NAS file systems and mount targets for your application, you can use the filesystem mode to mount a dynamically provisioned NAS volume. The CSI plug-in automatically creates a NAS file system and mount target when a PVC is created. When the PVC is deleted, the mount target and the NAS file system are dynamically deleted. You can create only one file system and one mount target for the pod that mounts a NAS volume in filesystem mode.

View how to mount a dynamically provisioned NAS volume by using the filesystem mode

Important

By default, if you delete a PV that is mounted in filesystem mode, the system retains the related NAS file system and mount target. To delete the NAS file system and mount target together with the PV, set reclaimPolicy to Delete and set deleteVolume to true in the StorageClass configurations.

To create a StorageClass, perform the following steps for ACK dedicated clusters. For other types of clusters, perform the following steps starting from Step 2.

1. (Optional) Configure a RAM policy and attach the policy to the RAM role assigned to your cluster

This step is required only for ACK dedicated clusters.

The filesystem mode allows you to dynamically create and delete NAS file systems and mount targets. To perform these operations in an ACK dedicated cluster, you must grant the required permissions to CSI-Provisioner. The following sample code shows a RAM policy that contains the required permissions:
```
{
    "Action": [
        "nas:DescribeMountTargets",
        "nas:CreateMountTarget",
        "nas:DeleteFileSystem",
        "nas:DeleteMountTarget",
        "nas:CreateFileSystem"
    ],
    "Resource": [
        "*"
    ],
        "Effect": "Allow"
}
```
You can grant the permissions by using one of the following methods:
- Attach the preceding RAM policy to the master RAM role of your ACK dedicated cluster. For more information, see Modify the document and description of a custom policy.
- Create a RAM user and attach the preceding RAM policy to the RAM user. Generate an AccessKey pair and then specify the AccessKey pair in the env variable in the CSI-Provisioner configurations.
```
env:
- name: CSI_ENDPOINT
  value: unix://socketDir/csi.sock
- name: ACCESS_KEY_ID
  value: ""
- name: ACCESS_KEY_SECRET
  value: ""
```

2. Create a StorageClass

Create a file named alicloud-nas-fs.yaml and copy the following content to the file:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: alicloud-nas-fs
mountOptions:
- nolock,tcp,noresvport
- vers=3
parameters:
  volumeAs: filesystem
  fileSystemType: standard
  storageType: Performance
  regionId: cn-beijing
  zoneId: cn-beijing-e
  vpcId: "vpc-2ze2fxn6popm8c2mzm****"
  vSwitchId: "vsw-2zwdg25a2b4y5juy****"
  accessGroupName: DEFAULT_VPC_GROUP_NAME
  deleteVolume: "false"
provisioner: nasplugin.csi.alibabacloud.com
reclaimPolicy: Retain

Parameter	Description
volumeAs	Set to `filesystem`. Valid values: `subpath`: mounts a subdirectory of the NAS file system as a PV. You must manually create a NAS file system and a mount target. A PV corresponds to a subdirectory of a NAS file system. `filesystem`: The provisioner automatically creates a NAS file system. Each PV corresponds to a NAS file system.
fileSystemType	The type of the NAS file system. Default value: `standard`. The default value indicates the General-purpose NAS type. Valid values: `standard`: General-purpose NAS file systems `extreme`: Extreme NAS file systems
storageType	The storage type of the NAS file system. If the fileSystemType parameter is set to standard, the valid values are Performance and Capacity. Default value: Performance. If the fileSystemType parameter is set to extreme, the valid values are standard and advance. Default value: standard.
regionId	The ID of the region to which the NAS file system belongs.
zoneId	The zone ID of the NAS file system.
vpcId	The ID of the VPC to which the mount target of the NAS file system belongs.
vSwitchId	The ID of the vSwitch to which the mount target of the NAS file system belongs.
accessGroupName	The permission group to which the mount target of the NAS file system belongs. Default value: DEFAULT_VPC_GROUP_NAME.
deleteVolume	The reclaim policy of the NAS file system if the related PV is deleted. NAS is a shared storage service. Therefore, you must specify the deleteVolume and reclaimPolicy parameters to ensure data security.
provisioner	The type of driver. In this example, the parameter is set to `nasplugin.csi.alibabacloud.com`. This indicates that the CSI plug-in provided by Alibaba Cloud for NAS is used.
reclaimPolicy	The reclaim policy of the PV When you delete a PVC, the related NAS file system is automatically deleted only if you set deleteVolume to true and reclaimPolicy to Delete.

Run the following command to create a StorageClass:
```
kubectl create -f alicloud-nas-fs.yaml
```

3. Create a PVC and a pod to mount a NAS volume

Create a file named pvc.yaml and copy the following content to the file:

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: nas-csi-pvc-fs
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: alicloud-nas-fs
  resources:
    requests:
      storage: 20Gi

Create a file named nginx.yaml and copy the following content to the file:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-nas-fs
  labels:
    app: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
        ports:
        - containerPort: 80
        volumeMounts:
          - name: nas-pvc
            mountPath: "/data"
      volumes:
        - name: nas-pvc
          persistentVolumeClaim:
            claimName: nas-csi-pvc-fs

Create a PVC and a pod.

kubectl create -f pvc.yaml -f nginx.yaml

References

For more information about how to mount a NAS file system that has TLS enabled, see How do I use CSI to mount a NAS file system that has TLS enabled?
For more information about how to use CNFS to manage NAS file systems, see Use CNFS to manage NAS file systems (recommended).
For more information about how to dynamically expand a NAS volume, see Use CNFS to automatically expand NAS volumes.
For more information about how to use the directory quota feature of NAS to manage the storage space of volumes, see Expand a NAS volume.