Oracle Cloud Infrastructure - Configuring Read-Only Access for DB System to Shared File System

Configuring Read-Only Access for DB System to Shared File System

Question

You created a virtual cloud network (VCN) with three private subnets.

Two of the subnets contain application servers and the third subnet contains a DB System.

The application requires a shared file system, so you have provisioned one using the File Storage service (FSS).

You also created the corresponding mount target in one of the application subnets.

The VCN security lists are properly configured so that both application servers and the DB system can access the file system.

The security team determines that the DB System should have read-only access to the file system.

What change should you make to satisfy this requirement?

Explanations

Correct answer: A.

The security team has determined that the DB System in the virtual cloud network (VCN) should have read-only access to the file system provisioned with the File Storage service (FSS). The question offers four changes; only one of them actually enforces read-only access for the DB System. Each is examined below.

Option A: Create an NFS export option that allows READ_ONLY access where the source is the CIDR range of the DB System subnet.

NFS (Network File System) is the protocol through which clients access a File Storage file system over the network. Which clients may mount an export, and what they may do once mounted, is governed by the NFS export options attached to that export; this is the only place in the service where per-client read-only access is enforced. Each export option has a source (a CIDR block), an access mode (READ_WRITE or READ_ONLY), a privileged-source-port requirement and an identity-squash setting. The options are evaluated in order: the first option whose source contains the client's IP address is applied, and a client that matches no option is denied. To implement this option:

  1. Open the File Storage service console and select the file system.

  2. Under "Exports", select the export that is associated with the mount target (create one first if none exists).

  3. Open "NFS Export Options" and choose "Edit NFS Export Options".

  4. Add an entry whose Source is the CIDR range of the DB System subnet and whose Access is "Read Only". Place it above any broader entry (for example 0.0.0.0/0) that would otherwise match the DB System first, and leave the application subnets' entries at "Read/Write".

  5. Save the export options. To verify, attempt to create a file on the mounted path from the DB System: it should fail with "Read-only file system", while the application servers can still write.
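The first-match rule in step 4 is the part that trips people up, so here is a small model of it. This is an added example, not code from the original page or from Oracle; the subnet CIDRs are constructed, the export-option field names are those of the OCI File Storage API's ClientOptions object, and the matching function reproduces the service's documented first-match-wins, deny-if-no-match evaluation.

```python
"""Model of OCI File Storage NFS export options: first matching source wins.

Added example, not from the original page or from Oracle. The subnet CIDRs
below are constructed to match the question (two app subnets, one DB subnet).
"""
import ipaddress
import json

# Constructed subnet CIDRs for the three private subnets in the question.
APP_SUBNET_1 = "10.0.1.0/24"
APP_SUBNET_2 = "10.0.2.0/24"
DB_SUBNET = "10.0.3.0/24"


def client_option(source, access, squash="ROOT", privileged_port=True):
    """One entry in the export-options list, using the ClientOptions field
    names of the OCI File Storage API."""
    if access not in ("READ_WRITE", "READ_ONLY"):
        raise ValueError(f"unknown access mode {access!r}")
    ipaddress.ip_network(source)  # reject malformed CIDRs early
    return {
        "source": source,
        "requirePrivilegedSourcePort": privileged_port,
        "access": access,
        "identitySquash": squash,
        "anonymousUid": 65534,
        "anonymousGid": 65534,
    }


# Intended export options: the DB subnet entry is listed first so that no
# broader read-write entry can shadow it.
EXPORT_OPTIONS = [
    client_option(DB_SUBNET, "READ_ONLY"),
    client_option(APP_SUBNET_1, "READ_WRITE"),
    client_option(APP_SUBNET_2, "READ_WRITE"),
]


def resolve_access(options, client_ip):
    """Return the access mode the service would apply to client_ip, or None
    when the client is denied. Entries are evaluated in order and the first
    one whose source contains the client address is applied."""
    addr = ipaddress.ip_address(client_ip)
    for opt in options:
        if addr in ipaddress.ip_network(opt["source"]):
            return opt["access"]
    return None


def to_cli_json(options):
    """Serialise the list in the form accepted by
    `oci fs export update --export-options file://opts.json`."""
    return json.dumps(options, indent=2)


if __name__ == "__main__":
    print(to_cli_json(EXPORT_OPTIONS))
    for ip in ("10.0.1.10", "10.0.3.10", "10.0.9.10"):
        print(ip, "->", resolve_access(EXPORT_OPTIONS, ip))
    # The classic mistake: a catch-all read-write entry placed first shadows
    # the read-only entry, so the DB system still gets READ_WRITE.
    shadowed = [client_option("0.0.0.0/0", "READ_WRITE")] + EXPORT_OPTIONS
    print("shadowed:", resolve_access(shadowed, "10.0.3.10"))
```

The JSON produced by `to_cli_json` is what you would hand to the OCI CLI's export update command instead of clicking through the console; either way, check the resulting order in the export's details page, because an existing default entry for 0.0.0.0/0 with Read/Write access will silently win if it sits above the new DB-subnet entry.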

Option B: Modify the security list associated with the subnet where the mount target resides. Change the ingress rules corresponding to the DB System subnet to be stateless.

Security lists filter packets by protocol, port and source or destination CIDR. They cannot tell an NFS read from an NFS write, so no security list change can make a file system read-only. Stateful versus stateless only determines whether the return traffic of an allowed connection is tracked and admitted automatically (stateful) or has to be permitted by a separate explicit rule in the opposite direction (stateless). Making the DB System's ingress rules stateless would, at most, break the NFS session until matching egress rules were added; it would not restrict write access. For completeness, the steps would be:

  1. Open the VCN console and select the subnet where the mount target resides.

  2. Click on "Security Lists" and select the security list associated with the subnet.

  3. Click on "Edit All Rules" and locate the ingress rules whose source is the DB System subnet CIDR.

  4. Tick the "Stateless" checkbox on those rules, and add the corresponding stateless egress rules so that responses can leave the subnet.

  5. Click "Save Security List Rules" to save the changes.

Option C: Create an instance principal for the DB System. Write an Identity and Access Management (IAM) policy that allows the instance principal read-only access to the file storage service.

Instance principals let software running on an instance call OCI APIs as the instance itself. The instance becomes a principal by matching the rule of a dynamic group, and IAM policies are written for that dynamic group. Such policies authorize control-plane operations on File Storage resources (listing, creating or deleting file systems, mount targets and exports through the API). They play no part in the NFS data path: a client mounts the export and reads or writes files over NFS, and no IAM credential is presented or checked in that exchange. A read-only IAM policy would therefore stop the DB System from managing File Storage resources through the API, which it has no need to do, while leaving it free to write to the mounted file system. For completeness, the steps would be:

  1. In the IAM console, create a dynamic group whose matching rule includes the DB System's instance.

  2. Write an IAM policy that grants that dynamic group only the read-level verbs on File Storage resources in the compartment.

  3. Policies reference the dynamic group by name; there is no separate step to attach a policy to the principal.

Option D: Connect via SSH to one of the application servers where the file system has been mounted. Use the Unix command chmod to change permissions on the file system directory, allowing the database user read-only access.

"chmod" changes the POSIX mode bits (owner, group, other) of a file or directory. On an NFS file system those bits are stored in the file system itself and are evaluated per user ID by every client that mounts it, not per host, so they cannot express "read-only from the DB System subnet, read-write from the application subnets". In practice the change would either also remove write access from the application servers, or be trivially bypassed: the DB System could use a different UID, and root on any client is treated as root on the file system unless the export squashes it. Mode bits on one directory also do not constrain files and subdirectories created elsewhere in the tree. The steps as stated would be:

  1. Connect via SSH to one of the application servers where the file system has been mounted.

  2. Use "ls -l" to check the current ownership and mode of the mount directory.

  3. Use "chmod" to remove write permission from the permission class (owner, group or other) that the database user falls into.

  4. Run "ls -l" again to verify the new mode bits.

Out of these options, option A is the best solution because it directly addresses the requirement to provide read-only access