
QoreStor 7.1.3 - User Guide


Configuring Object Container

QoreStor's Object container provides an object storage interface that enables customers to write object data (S3 format) directly to QoreStor. This allows solutions that use an S3-based connection to send data directly to a QoreStor instance instead of Amazon S3, with the added benefits of deduplication, encryption, replication, and network-optimized data transfer.

Object storage is configured by adding a container with the Object (S3 Compatible) protocol. Doing so will create the ObjectStorageGroup storage group. QoreStor supports only one object container at a time.

NOTE: Object containers internally use an RDA connection.

Creating an Object container

Adding an object container can be accomplished through the QoreStor UI or via the object_container command in the QoreStor CLI. Refer to the QoreStor Command Line Reference Guide for more information on the object_container command.

NOTE: QoreStor object container does not support object lifecycle management, which means transitioning storage classes or server side expiration of objects is not supported.

To create an object container

  1. In the navigation menu, click Containers.
  2. On the Containers pane, click Add Container. The Add Container dialog will be displayed.
  3. In the Protocol field, select Object (S3 Compatible). The Name and Storage Group are populated by default.
  4. Click Next.
  5. To apply encryption, select Encryption and enter the following:
    • Passphrase — the passphrase is user-defined and is used to generate a passphrase key that encrypts the file in which the content encryption keys are kept. The passphrase is a human-readable key, which can be up to 255 bytes in length.

      NOTE: It is mandatory to define a passphrase to enable encryption. If the passphrase is compromised or lost, the administrator should change it immediately so that the content encryption keys do not become vulnerable.

    • Confirm Passphrase — re-enter the passphrase used above.
    • Encryption Mode — Select either static or internal.
      • static - A global mode of key management in which a fixed key is used to encrypt all data.
      • internal - A mode of key lifecycle management in which the keys are periodically generated and rotated. The minimum key rotation period before the content encryption key can be rotated and a new key is generated is 7 days. This rotation period is user-configurable and can be specified in days.

    NOTE: Refer to Configuring and Using Encryption at Rest for more information about encryption.

  6. Optionally, configure a Quota by entering an amount and setting the unit (GiB or TiB). If no value is set, the quota will be unlimited.
  7. Optionally, select Use HTTP instead of HTTPS. To use an HTTP connection, you must also follow the steps below:
    1. On the QoreStor server, copy the aws.conf file to a new location:

      cp /etc/oca/aws.conf.oca /etc/oca/aws.conf

    2. Open the aws.conf file and update the endpoint connection protocol to http:

      vi /etc/oca/aws.conf

      Find the line containing AWS_ENDPOINT_PROTOCOL and set the value to http .

    NOTE: The QoreStor implementation of object storage uses a self-signed certificate. If your data management application requires third party certificates, you must use HTTP to connect to the object container.

  8. Click Next.
  9. Review the summary and click Finish.

When the process is completed and the object container has been added to QoreStor, you will see the storage group ObjectContainer and the container ObjectStorageGroup added to the Storage Groups and Container pages, respectively. See the topics below for information on working with object storage.

Adding an object container through the command line

To add an object container, complete the following steps.

  1. Access the QoreStor CLI. Refer to Accessing the CLI commands for more information.
  2. Add an object tier using the command:
    object_container --add [--quota <Quota value in GiB or TiB>] [--use_http <yes|no>]

    Refer to the QoreStor Command Line Reference Guide for more information.

  3. To apply encryption to the data in this object tier, use the command:
    object_container --encryption [--set <ON | OFF>] [--mode <static|internal>] [--interval <7 days to 70 years>]

    NOTE: Due to export regulations, the encryption at rest feature is not available in certain markets, and, therefore, may not be available in your locale. For more information about recommended guidelines for encryption, see Understanding Encryption at Rest.

    NOTE: It is mandatory to define a passphrase to enable encryption. If the passphrase is compromised or lost, the administrator should change it immediately so that the content encryption keys do not become vulnerable.

    NOTE: After encryption is enabled, all of the data that is backed up is encrypted and is kept encrypted until it is expired and cleaned by the system cleaner. Note that encryption is an irreversible process.

    NOTE: When QoreStor is installed in Object direct mode, only Static encryption is supported.

    For more information, refer to the QoreStor Command Line Reference Guide.

  4. After creating an object container, you must configure user access for the container. By default, the backup_user account is configured with the object role and read/write access. To set the user policy for additional user accounts, use the command:
    object_container --policy [--set] [--policy_type <readonly|readwrite|none>] --name <user name> [--show] --name <user name>

    IMPORTANT: The backup_user and password are to be used as access key and secret key respectively when connecting to QoreStor from the S3 clients. The default values are:

    Access key: backup_user

    Secret key: St0r@ge!

    To see the S3 endpoint, use the object_container CLI command:
    /opt/qorestor/bin/object_container --show --endpoint

    The endpoint is displayed in the format https://<QoreStor IP address>:9000

    Make sure port 9000 is allowed for access through the firewall.
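
The following check is an added example, not part of the QoreStor guide or tooling. It covers both the "Use HTTP instead of HTTPS" step and the default access key and secret key above by flagging an object container that has been switched to HTTP or still uses the documented defaults. The KEY=value layout of aws.conf, the last-assignment-wins rule, and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Default access key / secret key as documented on this page.
DOCUMENTED_DEFAULT = ("backup_user", "St0r@ge!")

# Constructed sample; the KEY=value layout of aws.conf is an assumption.
SAMPLE_CONF = """\
# AWS_ENDPOINT_PROTOCOL=https
AWS_ENDPOINT_PROTOCOL = "http"
"""

_ASSIGN = re.compile(r"(?:export\s+)?AWS_ENDPOINT_PROTOCOL\s*[=:\s]\s*[\"']?(\w+)")


def endpoint_protocol(conf_text):
    """Return the effective AWS_ENDPOINT_PROTOCOL value, or None if unset."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        match = _ASSIGN.match(line)
        if match:
            value = match.group(1).lower()       # assumed: last assignment wins
    return value


def audit(conf_text, endpoint, access_key, secret_key):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if endpoint_protocol(conf_text) == "http":
        findings.append("aws.conf sets AWS_ENDPOINT_PROTOCOL to http")
    scheme = urlsplit(endpoint).scheme
    if scheme != "https":
        findings.append(f"endpoint scheme is {scheme or 'missing'}: "
                        "requests and object data cross the network unencrypted")
    if (access_key, secret_key) == DOCUMENTED_DEFAULT:
        findings.append("backup_user still uses the documented default secret key")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, "http://192.0.2.10:9000", *DOCUMENTED_DEFAULT):
        print("FINDING:", finding)
```

Feed it the contents of /etc/oca/aws.conf and the endpoint printed by object_container --show --endpoint.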

Creating a bucket

In S3 compatible storage, buckets are organizational containers that store objects. When creating a bucket, you have the option to enable or disable object locking, and select one of the available Object Locking modes. Object locking settings apply to all objects in the bucket.

  • Governance mode - prevents users without the appropriate permissions from overwriting or deleting an object version or altering its lock settings. With governance mode, you protect objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary. You can also use governance mode to test retention-period settings before creating a compliance-mode retention period.
  • Compliance mode - prevents objects from being overwritten or deleted by any user during the specified lock period. When an object is locked in compliance mode, its retention mode can't be changed, and its retention period can't be shortened. Compliance mode ensures that an object version can't be overwritten or deleted for the duration of the retention period.
  • None - no restrictions are applied.

NOTE: QoreStor supports a maximum of 100 buckets. The bucket default-bucket is created automatically when the object container is created.

To create a bucket

  1. In the navigation menu, click Containers.
  2. On the Containers pane, find the object storage container ObjectContainer. Click the ellipsis icon, and click Edit.
  3. Click Create bucket.
  4. Enter a Name for your bucket.
  5. Optionally, select Object Locking and configure:
    • Locking Mode - select between Compliance and Governance.
    • Locking Duration - select the number and format (days or years) to specify the time that the object lock will be active.

    IMPORTANT: The Object Locking status of a bucket cannot be changed once the bucket is created. To ensure flexibility in the future, you may set the object locking status to enabled, but the locking mode to None. If the locking mode is set to disabled, you will not be able to edit the bucket settings in the future.

  6. Click Save.

Editing bucket settings

The settings for existing buckets can be edited on the Object Storage page. When changing bucket settings using this procedure, the changes are applied to new objects. To change retention settings on existing objects, refer to Changing bucket retention.

To edit bucket settings

  1. On the Containers pane, find the object storage container ObjectContainer. Click the ellipsis icon, and click Edit.
  2. In the Buckets section, find the desired bucket. Right-click on the ellipsis icon and click Bucket Settings.
  3. In the Locking Mode section, select from one of the options below:
    • Compliance - prevents objects from being overwritten or deleted by any user during the specified lock period. When an object is locked in compliance mode, its retention mode can't be changed, and its retention period can't be shortened. Compliance mode ensures that an object version can't be overwritten or deleted for the duration of the retention period.
    • Governing - prevents users without the appropriate permissions from overwriting or deleting an object version or altering its lock settings. With governance mode, you protect objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the object if necessary. You can also use governance mode to test retention-period settings before creating a compliance-mode retention period.
    • None - provides no object locking.

    IMPORTANT: Changes in the locking mode are applied to files written to the container after the change was applied. Existing files are locked according to the locking method in place at the time they were added to the container.

  4. In the Locking Duration field, select the number and format (days or years) to specify the time that the object lock will be active.
  5. Click Update.
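
The following model is an added example, not QoreStor code. It illustrates the locking rules described in this section: an object keeps the locking mode and duration in force when it was written, governance locks yield only to users granted the permission, and compliance locks yield to no one until the lock period ends. The class names, method names and mode strings are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class StoredObject:
    mode: str                          # lock mode stamped when the object was written
    retain_until: Optional[datetime]   # None when no lock applies


@dataclass
class Bucket:
    mode: str = "NONE"                 # "COMPLIANCE", "GOVERNANCE" or "NONE"
    duration: timedelta = timedelta(0)
    objects: Dict[str, StoredObject] = field(default_factory=dict)

    def put(self, key, now, privileged=False):
        if key in self.objects and not self.may_modify(key, now, privileged):
            raise PermissionError(f"{key} is locked")
        # A new object takes the bucket's current locking mode and duration.
        until = now + self.duration if self.mode != "NONE" else None
        self.objects[key] = StoredObject(self.mode, until)

    def update_settings(self, mode, duration):
        # Only objects written after this call are affected.
        self.mode, self.duration = mode, duration

    def may_modify(self, key, now, privileged=False):
        """May the caller overwrite, delete or shorten the lock on `key`?"""
        obj = self.objects[key]
        if obj.mode == "NONE" or now >= obj.retain_until:
            return True                # unlocked, or the lock period has ended
        if obj.mode == "GOVERNANCE":
            return privileged          # only users granted the permission
        return False                   # COMPLIANCE: no user, privileged or not


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timestamps
    bucket = Bucket("GOVERNANCE", timedelta(days=30))
    bucket.put("old.bak", t0)
    bucket.update_settings("COMPLIANCE", timedelta(days=365))
    bucket.put("new.bak", t0 + timedelta(days=1))
    day10 = t0 + timedelta(days=10)
    for key in ("old.bak", "new.bak"):
        print(key, bucket.objects[key].mode,
              bucket.may_modify(key, day10), bucket.may_modify(key, day10, privileged=True))
```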