Use Azure Files with Linux

Azure Files is an easy-to-use cloud file system. Azure file shares can be mounted in Linux distributions using the SMB kernel client. This article shows two ways to mount an Azure file share: on demand with the mount command, and at boot by creating an entry in /etc/fstab.

The recommended way to mount an Azure file share on Linux is SMB 3.0. By default, Azure Files requires encryption in transit, which is only supported by SMB 3.0. Azure Files also supports SMB 2.1, which does not support encryption in transit; for security reasons you may not mount Azure file shares with SMB 2.1 from another Azure region or from on-premises. Unless your application specifically requires SMB 2.1, there is little reason to use it, since most popular, recently released Linux distributions support SMB 3.0:

Linux distribution                 SMB 2.1                                    SMB 3.0
                                   (mounts on VMs within same Azure region)   (mounts from on-premises and cross-region)
Ubuntu                             14.04+                                     16.04+
Red Hat Enterprise Linux (RHEL)    7+                                         7.5+
CentOS                             7+                                         7.5+
Debian                             8+                                         10+
openSUSE                           13.2+                                      42.3+
SUSE Linux Enterprise Server       12+                                        12 SP2+

If you're using a Linux distribution not listed in the table above, you can find out whether it supports SMB 3.0 with encryption by checking the Linux kernel version: SMB 3.0 with encryption was added in Linux kernel 4.11. The uname command returns the version of the kernel in use:

uname -r
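As an added example (not part of the original article), a shell function that applies the 4.11 threshold above to a release string of the kind `uname -r` prints, so the check can be scripted instead of read by eye. The function names are ours; the 4.11 cut-off is the one the article states.

```shell
# Added example, not from the Azure article. Decide from a kernel release
# string whether the kernel is at least 4.11, the version in which SMB 3.0
# with encryption was added according to the article.
# Returns 0 when major.minor >= 4.11, 1 when older, 2 when unparseable.
kernel_supports_smb3_encryption() {
    release="$1"                       # e.g. "4.15.0-112-generic"
    major="${release%%.*}"             # text before the first '.'
    rest="${release#*.}"               # text after the first '.'
    minor="${rest%%[!0-9]*}"           # leading digits of the remainder
    case "$major" in ""|*[!0-9]*) return 2 ;; esac
    case "$minor" in ""|*[!0-9]*) return 2 ;; esac
    if [ "$major" -gt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -ge 11 ]; then return 0; fi
    return 1
}

# Apply the same test to the running kernel and print a verdict.
check_running_kernel() {
    running="$(uname -r)"
    if kernel_supports_smb3_encryption "$running"; then
        echo "kernel $running: SMB 3.0 with encryption supported, vers=3.0 mounts are fine"
    else
        echo "kernel $running: older than 4.11, SMB 3.0 with encryption not available"
    fi
}
```

Run `check_running_kernel` on the client you intend to mount from; a "no" here means the mount must come from an Azure VM in the same region with encryption in transit disabled, as the notes later in this article describe.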

Prerequisites

  • Ensure the cifs-utils package is installed.
    The cifs-utils package can be installed using the package manager on the Linux distribution of your choice.

    On Ubuntu and Debian-based distributions, use the apt package manager:

    sudo apt update
    sudo apt install cifs-utils
    

    On Fedora, Red Hat Enterprise Linux 8+, and CentOS 8+, use the dnf package manager:

    sudo dnf install cifs-utils
    

    On older versions of Red Hat Enterprise Linux and CentOS, use the yum package manager:

    sudo yum install cifs-utils 
    

    On openSUSE, use the zypper package manager:

    sudo zypper install cifs-utils
    

    On other distributions, use the appropriate package manager or compile from source.

  • The most recent version of the Azure Command Line Interface (CLI). For more information on how to install the Azure CLI, see Install the Azure CLI and select your operating system. You may use the Azure PowerShell module in PowerShell 6+ instead if you prefer; however, the instructions below are written for the Azure CLI.

  • Ensure port 445 is open: SMB communicates over TCP port 445, so check that your firewall is not blocking TCP port 445 from the client machine. Replace <your-resource-group> and <your-storage-account> with the appropriate information for your environment:

    resourceGroupName="<your-resource-group>"
    storageAccountName="<your-storage-account>"
    
    # This command assumes you have logged in with az login
    httpEndpoint=$(az storage account show \
        --resource-group $resourceGroupName \
        --name $storageAccountName \
        --query "primaryEndpoints.file" | tr -d '"')
    # Drop the leading "https:" so only //<host>/ remains, then strip the slashes to get the bare host name
    smbPath=$(echo $httpEndpoint | cut -c7-$(expr length $httpEndpoint))
    fileHost=$(echo $smbPath | tr -d "/")
    
    # Probe TCP port 445 with a 3-second timeout
    nc -zvw3 $fileHost 445
    

    If the connection was successful, you should see output similar to the following:

    Connection to <your-storage-account> 445 port [tcp/microsoft-ds] succeeded!
    

    If you are unable to open port 445 on your corporate network, or are blocked from doing so by an ISP, you can use a VPN connection or ExpressRoute to work around port 445. For more information, see Networking considerations for direct Azure file share access.

Mounting an Azure file share

To use an Azure file share with your Linux distribution, you must create a directory to serve as the mount point for the share. A mount point can be created anywhere on your Linux system, but it is common convention to create it under /mnt. After creating the mount point, you use the mount command to access the Azure file share.

You can mount the same Azure file share to multiple mount points if desired.

Mount the Azure file share on demand with mount

  1. Create a folder for the mount point. Replace <your-resource-group>, <your-storage-account>, and <your-file-share> with the appropriate information for your environment:

    resourceGroupName="<your-resource-group>"
    storageAccountName="<your-storage-account>"
    fileShareName="<your-file-share>"
    
    mntPath="/mnt/$storageAccountName/$fileShareName"
    
    sudo mkdir -p $mntPath
    
  2. Use the mount command to mount the Azure file share. In the example below, the local Linux file and folder permissions default to 0755, which means read, write, and execute for the owner (based on the file/directory Linux owner), read and execute for users in the owner group, and read and execute for others on the system. You can use the uid and gid mount options to set the user ID and group ID for the mount. You can also use dir_mode and file_mode to set custom permissions as desired. For more information on how to set permissions, see UNIX numeric notation on Wikipedia.

    httpEndpoint=$(az storage account show \
        --resource-group $resourceGroupName \
        --name $storageAccountName \
        --query "primaryEndpoints.file" | tr -d '"')
    # Drop the leading "https:" to get //<host>/, then append the share name
    smbPath=$(echo $httpEndpoint | cut -c7-$(expr length $httpEndpoint))$fileShareName
    
    storageAccountKey=$(az storage account keys list \
        --resource-group $resourceGroupName \
        --account-name $storageAccountName \
        --query "[0].value" | tr -d '"')
    
    sudo mount -t cifs $smbPath $mntPath -o vers=3.0,username=$storageAccountName,password=$storageAccountKey,serverino
    

    Note

    The above mount command mounts with SMB 3.0. If your Linux distribution does not support SMB 3.0 with encryption, or if it only supports SMB 2.1, you may only mount from an Azure VM within the same region as the storage account. To mount your Azure file share on a Linux distribution that does not support SMB 3.0 with encryption, you will need to disable encryption in transit for the storage account.

When you are done using the Azure file share, you can use sudo umount $mntPath to unmount the share.

Create a persistent mount point for the Azure file share with /etc/fstab

  1. Create a folder for the mount point. A folder for a mount point can be created anywhere on the file system, but it is common convention to create it under /mnt. For example, the following commands create a new directory; replace <your-resource-group>, <your-storage-account>, and <your-file-share> with the appropriate information for your environment:

    resourceGroupName="<your-resource-group>"
    storageAccountName="<your-storage-account>"
    fileShareName="<your-file-share>"
    
    mntPath="/mnt/$storageAccountName/$fileShareName"
    
    sudo mkdir -p $mntPath
    
  2. Create a credential file to store the username (the storage account name) and password (the storage account key) for the file share.

    if [ ! -d "/etc/smbcredentials" ]; then
        sudo mkdir "/etc/smbcredentials"
    fi
    
    storageAccountKey=$(az storage account keys list \
        --resource-group $resourceGroupName \
        --account-name $storageAccountName \
        --query "[0].value" | tr -d '"')
    
    smbCredentialFile="/etc/smbcredentials/$storageAccountName.cred"
    if [ ! -f $smbCredentialFile ]; then
        # Write the file as root; tee is used because a plain redirect would run as the unprivileged shell
        echo "username=$storageAccountName" | sudo tee $smbCredentialFile > /dev/null
        echo "password=$storageAccountKey" | sudo tee -a $smbCredentialFile > /dev/null
    else 
        echo "The credential file $smbCredentialFile already exists, and was not modified."
    fi
    
  3. Change permissions on the credential file so only root can read or modify the password file. Since the storage account key is essentially a super-administrator password for the storage account, setting the permissions on the file so that only root can access it is important, so that lower-privilege users cannot retrieve the storage account key.

    sudo chmod 600 $smbCredentialFile
    
  4. Use the following commands to append the mount entry to /etc/fstab. In the example below, the local Linux file and folder permissions default to 0755, which means read, write, and execute for the owner (based on the file/directory Linux owner), read and execute for users in the owner group, and read and execute for others on the system. You can use the uid and gid mount options to set the user ID and group ID for the mount. You can also use dir_mode and file_mode to set custom permissions as desired. For more information on how to set permissions, see UNIX numeric notation on Wikipedia.

    httpEndpoint=$(az storage account show \
        --resource-group $resourceGroupName \
        --name $storageAccountName \
        --query "primaryEndpoints.file" | tr -d '"')
    # Drop the leading "https:" to get //<host>/, then append the share name
    smbPath=$(echo $httpEndpoint | cut -c7-$(expr length $httpEndpoint))$fileShareName
    
    # Only add the entry if this share/mount-point pair is not already in /etc/fstab
    if ! grep -q "$smbPath $mntPath" /etc/fstab; then
        echo "$smbPath $mntPath cifs nofail,vers=3.0,credentials=$smbCredentialFile,serverino" | sudo tee -a /etc/fstab > /dev/null
    else
        echo "/etc/fstab was not modified to avoid conflicting entries as this Azure file share was already present. You may want to double check /etc/fstab to ensure the configuration is as desired."
    fi
    
    sudo mount -a
    

    Note

    The above mount command mounts with SMB 3.0. If your Linux distribution does not support SMB 3.0 with encryption, or if it only supports SMB 2.1, you may only mount from an Azure VM within the same region as the storage account. To mount your Azure file share on a Linux distribution that does not support SMB 3.0 with encryption, you will need to disable encryption in transit for the storage account.
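Added example, not part of the original article: two shell checks that audit what steps 2 to 4 leave behind on the host, namely the credential file (owner and mode) and the /etc/fstab entry (dialect and how the key is supplied). The function names and the sample entries are ours; the expected owner defaults to root but is a parameter so the check can also be run against a test file.

```shell
# Added example, not from the Azure article. Audits for the credential file
# and the /etc/fstab entry created in the steps above.

# Return 0 if FILE exists, is owned by OWNER (default root) and is readable
# only by its owner (mode 0600 or 0400); print the reason and return 1 otherwise.
# Uses GNU stat(1).
cred_file_is_locked_down() {
    file="$1"
    owner="${2:-root}"
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    actual_owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")
    [ "$actual_owner" = "$owner" ] || { echo "$file is owned by $actual_owner, expected $owner"; return 1; }
    case "$mode" in
        600|400) return 0 ;;
    esac
    echo "$file has mode $mode; expected 600 (sudo chmod 600 $file)"
    return 1
}

# Inspect one /etc/fstab line for a cifs mount. Flags a dialect below SMB 3.0
# (no encryption in transit), an inline password= option (the account key
# would sit in world-readable /etc/fstab) and a missing credentials= option.
# Returns 0 when the entry is clean, 1 when any finding was printed.
fstab_entry_is_hardened() {
    # fields: fs_spec fs_file fs_vfstype fs_mntops [dump pass]
    set -- $1
    [ "$3" = "cifs" ] || { echo "$1: not a cifs entry"; return 1; }
    opts=",$4,"
    rc=0
    case "$opts" in
        *,password=*) echo "$1: inline password= in /etc/fstab, use credentials= instead"; rc=1 ;;
    esac
    case "$opts" in
        *,credentials=*) ;;
        *) echo "$1: no credentials= option"; rc=1 ;;
    esac
    vers=$(printf '%s\n' "$4" | tr ',' '\n' | sed -n 's/^vers=//p')
    case "$vers" in
        3|3.0|3.02|3.1.1) ;;
        "") echo "$1: no vers= option, set vers=3.0 explicitly"; rc=1 ;;
        *) echo "$1: vers=$vers is below SMB 3.0"; rc=1 ;;
    esac
    return $rc
}

# Example run against the real files (needs root to read /etc/smbcredentials):
#   cred_file_is_locked_down /etc/smbcredentials/<your-storage-account>.cred
#   grep ' cifs ' /etc/fstab | while IFS= read -r l; do fstab_entry_is_hardened "$l"; done
```

Both functions print one line per finding, so they drop straight into a post-provisioning check or a configuration-management test.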

Using autofs to automatically mount the Azure file share(s)

  1. Ensure the autofs package is installed.

    The autofs package can be installed using the package manager on the Linux distribution of your choice.

    On Ubuntu and Debian-based distributions, use the apt package manager:

    sudo apt update
    sudo apt install autofs
    

    On Fedora, Red Hat Enterprise Linux 8+, and CentOS 8+, use the dnf package manager:

    sudo dnf install autofs
    

    On older versions of Red Hat Enterprise Linux and CentOS, use the yum package manager:

    sudo yum install autofs 
    

    On openSUSE, use the zypper package manager:

    sudo zypper install autofs
    
  2. Create a mount point for the share(s):

    sudo mkdir /fileshares
    
  3. Create a new custom autofs configuration file:

    sudo vi /etc/auto.fileshares
    
  4. Add the following entry to /etc/auto.fileshares (written via sudo tee, since a plain redirect would not have permission to write under /etc):

    echo "$fileShareName -fstype=cifs,credentials=$smbCredentialFile :$smbPath" | sudo tee /etc/auto.fileshares > /dev/null
    
  5. Add the following entry to /etc/auto.master:

    /fileshares /etc/auto.fileshares --timeout=60
    
  6. Restart autofs:

    sudo systemctl restart autofs
    
  7. Access the folder designated for the share:

    cd /fileshares/$fileShareName
    

Securing Linux

In order to mount an Azure file share on Linux, port 445 must be accessible. Many organizations block port 445 because of the security risks inherent in SMB 1. SMB 1, also known as CIFS (Common Internet File System), is a legacy file system protocol included with many Linux distributions. SMB 1 is an outdated, inefficient and, most importantly, insecure protocol. The good news is that Azure Files does not support SMB 1, and starting with Linux kernel version 4.18, Linux makes it possible to disable SMB 1. We strongly recommend disabling SMB 1 on your Linux clients before using SMB file shares in production.

Starting with Linux kernel 4.18, the SMB kernel module, called cifs for legacy reasons, exposes a new module parameter (often referred to as a "parm" in external documentation) called disable_legacy_dialects. Although it was introduced in Linux kernel 4.18, some vendors have backported this change to older kernels that they support. For convenience, the following table details the availability of this module parameter on common Linux distributions.

Distribution                          Can disable SMB 1
Ubuntu 14.04-16.04                    No
Ubuntu 18.04                          Yes
Ubuntu 19.04+                         Yes
Debian 8-9                            No
Debian 10+                            Yes
Fedora 29+                            Yes
CentOS 7                              No
CentOS 8+                             Yes
Red Hat Enterprise Linux 6.x-7.x      No
Red Hat Enterprise Linux 8+           Yes
openSUSE Leap 15.0                    No
openSUSE Leap 15.1+                   Yes
openSUSE Tumbleweed                   Yes
SUSE Linux Enterprise 11.x-12.x       No
SUSE Linux Enterprise 15              No
SUSE Linux Enterprise 15.1            No

You can check whether your Linux distribution supports the disable_legacy_dialects module parameter with the following command:

sudo modinfo -p cifs | grep disable_legacy_dialects

This command should output the following message:

disable_legacy_dialects: To improve security it may be helpful to restrict the ability to override the default dialects (SMB2.1, SMB3 and SMB3.02) on mount with old dialects (CIFS/SMB1 and SMB2) since vers=1.0 (CIFS/SMB1) and vers=2.0 are weaker and less secure. Default: n/N/0 (bool)

Before disabling SMB 1, you must check that the SMB module is not currently loaded on your system (it is loaded automatically if you have mounted an SMB share). You can do this with the following command, which outputs nothing if the module is not loaded:

lsmod | grep cifs

To unload the module, first unmount all SMB shares (using the umount command as described above). You can identify all the mounted SMB shares on your system with the following command:

mount | grep cifs

Once you have unmounted all SMB file shares, it is safe to unload the module. You can do this with the modprobe command:

sudo modprobe -r cifs

You can manually load the module with SMB 1 disabled using the modprobe command:

sudo modprobe cifs disable_legacy_dialects=Y

Finally, you can check that the SMB module has been loaded with the parameter by looking at the loaded parameters in /sys/module/cifs/parameters:

cat /sys/module/cifs/parameters/disable_legacy_dialects

To persistently disable SMB 1 on Ubuntu and Debian-based distributions, you must create a new file called /etc/modprobe.d/local.conf containing the setting (if you don't already have custom options for other modules). You can do this with the following command:

echo "options cifs disable_legacy_dialects=Y" | sudo tee -a /etc/modprobe.d/local.conf > /dev/null

You can verify that this has worked by loading the SMB module:

sudo modprobe cifs
cat /sys/module/cifs/parameters/disable_legacy_dialects
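Added example, not part of the original article: three shell checks that turn the manual SMB 1 procedure above into something a host-hardening script can assert. They parse the output of mount, the sysfs parameter file and the modprobe.d directory; inputs are passed in (or read from stdin) so the same functions can be exercised against captured data. The function names and the sample mount lines are ours.

```shell
# Added example, not from the Azure article. Checks for the "disable SMB 1"
# procedure above, written against the files and commands the article uses.

# Read `mount` output on stdin and report every cifs mount whose negotiated
# dialect (the vers= option inside the parentheses) is not in the SMB 3 family.
# Returns 0 when all cifs mounts are SMB 3.x, 1 otherwise.
cifs_mounts_below_smb3() {
    rc=0
    while IFS= read -r line; do
        case "$line" in *" type cifs "*) ;; *) continue ;; esac
        target="${line#* on }"; target="${target%% *}"        # mount point
        opts="${line##*\(}"; opts="${opts%\)}"                 # text inside (...)
        vers=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^vers=//p')
        case "$vers" in
            3*) ;;
            "") echo "$target: no vers= reported"; rc=1 ;;
            *) echo "$target: negotiated vers=$vers (SMB 1 or 2.x, no encryption in transit)"; rc=1 ;;
        esac
    done
    return $rc
}

# Return 0 if the loaded cifs module reports disable_legacy_dialects=Y. The
# sysfs path is a parameter so the check can be run against a copy; the
# default is the real file the article reads with cat.
smb1_disabled_in_kernel() {
    param="${1:-/sys/module/cifs/parameters/disable_legacy_dialects}"
    [ -r "$param" ] || { echo "cifs module not loaded (no $param)"; return 1; }
    value=$(cat "$param")
    case "$value" in
        Y) return 0 ;;
        *) echo "cifs loaded with disable_legacy_dialects=$value"; return 1 ;;
    esac
}

# Return 0 if some *.conf in DIR (default /etc/modprobe.d) carries an
# "options cifs ... disable_legacy_dialects=Y" line, i.e. the setting
# survives a reboot; 1 otherwise.
smb1_disabled_in_modprobe_conf() {
    dir="${1:-/etc/modprobe.d}"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*options[[:space:]]+cifs([[:space:]]+[^[:space:]]+)*[[:space:]]+disable_legacy_dialects=[Yy1]' "$f"; then
            return 0
        fi
    done
    echo "no persistent disable_legacy_dialects=Y for cifs under $dir"
    return 1
}

# Typical use on a live host:
#   mount | cifs_mounts_below_smb3
#   smb1_disabled_in_kernel && smb1_disabled_in_modprobe_conf && echo "SMB 1 is off now and after reboot"
```

The kernel check and the modprobe.d check are deliberately separate: a host can pass the first (module loaded by hand with disable_legacy_dialects=Y) and still revert to SMB 1 being available on the next boot if the second fails.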

Next steps

See these links for more information about Azure Files: