From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pbs-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id B7A651FF17A
	for <inbox@lore.proxmox.com>; Fri, 18 Jul 2025 10:54:46 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 5B13F172F5;
	Fri, 18 Jul 2025 10:55:54 +0200 (CEST)
Message-ID: <bd3cc193-5aa7-4430-ba8c-8bee62d090ed@proxmox.com>
Date: Fri, 18 Jul 2025 10:55:50 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Lukas Wagner <l.wagner@proxmox.com>,
 Proxmox Backup Server development discussion <pbs-devel@lists.proxmox.com>
References: <20250715125332.954494-1-c.ebner@proxmox.com>
 <20250715125332.954494-14-c.ebner@proxmox.com>
 <bf318ba4-1a4d-42b6-887f-43cff5c02a00@proxmox.com>
Content-Language: en-US, de-DE
From: Christian Ebner <c.ebner@proxmox.com>
In-Reply-To: <bf318ba4-1a4d-42b6-887f-43cff5c02a00@proxmox.com>
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1752828948640
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.006 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 PROLO_LEO1                0.1 Meta Catches all Leo drug variations so far
 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [datastore.rs]
Subject: Re: [pbs-devel] [PATCH proxmox-backup v8 04/45] api: datastore:
 check s3 backend bucket access on datastore create
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox Backup Server development discussion
 <pbs-devel@lists.proxmox.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: pbs-devel-bounces@lists.proxmox.com
Sender: "pbs-devel" <pbs-devel-bounces@lists.proxmox.com>

On 7/18/25 9:40 AM, Lukas Wagner wrote:
> With the two string constants moved:
> 
> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
> 
> 
> On  2025-07-15 14:52, Christian Ebner wrote:
>> Check if the configured S3 object store backend can be reached and
>> the provided secrets have the permissions to access the bucket.
>>
>> Perform the check before creating the chunk store, so it is not left
>> behind if the bucket cannot be reached.
>>
>> Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
>> ---
>> changes since version 7:
>> - no changes
>>
>>   Cargo.toml                   |  2 +-
>>   src/api2/config/datastore.rs | 48 ++++++++++++++++++++++++++++++++----
>>   2 files changed, 44 insertions(+), 6 deletions(-)
>>
>> diff --git a/Cargo.toml b/Cargo.toml
>> index c7a77060e..a5954635a 100644
>> --- a/Cargo.toml
>> +++ b/Cargo.toml
>> @@ -77,7 +77,7 @@ proxmox-rest-server = { version = "1", features = [ "templates" ] }
>>   proxmox-router = { version = "3.2.2", default-features = false }
>>   proxmox-rrd = "1"
>>   proxmox-rrd-api-types = "1.0.2"
>> -proxmox-s3-client = "1.0.0"
>> +proxmox-s3-client = { version = "1.0.0", features = [ "impl" ] }
>>   # everything but pbs-config and pbs-client use "api-macro"
>>   proxmox-schema = "4"
>>   proxmox-section-config = "3"
>> diff --git a/src/api2/config/datastore.rs b/src/api2/config/datastore.rs
>> index b133be707..0fb822c79 100644
>> --- a/src/api2/config/datastore.rs
>> +++ b/src/api2/config/datastore.rs
>> @@ -1,21 +1,22 @@
>>   use std::path::{Path, PathBuf};
>>   
>>   use ::serde::{Deserialize, Serialize};
>> -use anyhow::{bail, Context, Error};
>> +use anyhow::{bail, format_err, Context, Error};
>>   use hex::FromHex;
>>   use serde_json::Value;
>>   use tracing::{info, warn};
>>   
>>   use proxmox_router::{http_bail, Permission, Router, RpcEnvironment, RpcEnvironmentType};
>> +use proxmox_s3_client::{S3Client, S3ClientConfig, S3ClientOptions, S3ClientSecretsConfig};
>>   use proxmox_schema::{api, param_bail, ApiType};
>>   use proxmox_section_config::SectionConfigData;
>>   use proxmox_uuid::Uuid;
>>   
>>   use pbs_api_types::{
>> -    Authid, DataStoreConfig, DataStoreConfigUpdater, DatastoreNotify, DatastoreTuning, KeepOptions,
>> -    MaintenanceMode, PruneJobConfig, PruneJobOptions, DATASTORE_SCHEMA, PRIV_DATASTORE_ALLOCATE,
>> -    PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_MODIFY, PRIV_SYS_MODIFY, PROXMOX_CONFIG_DIGEST_SCHEMA,
>> -    UPID_SCHEMA,
>> +    Authid, DataStoreConfig, DataStoreConfigUpdater, DatastoreBackendConfig, DatastoreBackendType,
>> +    DatastoreNotify, DatastoreTuning, KeepOptions, MaintenanceMode, PruneJobConfig,
>> +    PruneJobOptions, DATASTORE_SCHEMA, PRIV_DATASTORE_ALLOCATE, PRIV_DATASTORE_AUDIT,
>> +    PRIV_DATASTORE_MODIFY, PRIV_SYS_MODIFY, PROXMOX_CONFIG_DIGEST_SCHEMA, UPID_SCHEMA,
>>   };
>>   use pbs_config::BackupLockGuard;
>>   use pbs_datastore::chunk_store::ChunkStore;
>> @@ -116,6 +117,43 @@ pub(crate) fn do_create_datastore(
>>               .parse_property_string(datastore.tuning.as_deref().unwrap_or(""))?,
>>       )?;
>>   
>> +    if let Some(ref backend_config) = datastore.backend {
>> +        let backend_config: DatastoreBackendConfig = backend_config.parse()?;
>> +        match backend_config.ty.unwrap_or_default() {
>> +            DatastoreBackendType::Filesystem => (),
>> +            DatastoreBackendType::S3 => {
>> +                let s3_client_id = backend_config
>> +                    .client
>> +                    .as_ref()
>> +                    .ok_or_else(|| format_err!("missing required client"))?;
>> +                let bucket = backend_config
>> +                    .bucket
>> +                    .clone()
>> +                    .ok_or_else(|| format_err!("missing required bucket"))?;
>> +                let (config, _config_digest) =
>> +                    pbs_config::s3::config().context("failed to get s3 config")?;
>> +                let (secrets, _secrets_digest) =
>> +                    pbs_config::s3::secrets_config().context("failed to get s3 secrets")?;
>> +                let config: S3ClientConfig = config
>> +                    .lookup("s3client", s3_client_id)
>> +                    .with_context(|| format!("no '{s3_client_id}' in config"))?;
>> +                let secrets: S3ClientSecretsConfig = secrets
>> +                    .lookup("s3secrets", s3_client_id)
>> +                    .with_context(|| format!("no '{s3_client_id}' in secrets"))?;
> 
> The "s3client" and "s3secrets" section type strings should be `pub const` where the the config parser is defined.

We do not do that for other configs consistently as well, but I do agree 
that this makes sense and is best placed as constants next to the s3 
config related code, so defininig it there.

>> +                let options = S3ClientOptions::from_config(
>> +                    config,
>> +                    secrets,
>> +                    bucket,
>> +                    datastore.name.to_owned(),
>> +                );
>> +                let s3_client = S3Client::new(options).context("failed to create s3 client")?;
>> +                // Fine to block since this runs in worker task
>> +                proxmox_async::runtime::block_on(s3_client.head_bucket())
>> +                    .context("failed to access bucket")?;
> 
> I wonder whether we should add some kind of retry logic not only here, but also for anywhere else
> where we interact with S3. Might of course be easier to implement that right in the s3 client crate.
> Also, no need to add this right away, just some idea for future improvements.

I would refrain from adding a retry logic everywhere, while this could 
help circumvent some inter-mitten failures, it will cause additional 
requests which we certainly do not want to have and might not help to 
debug possible issues.

Also, the retry is limited to put requests, where the API itself might 
tell that a retry is required.

quote:
If a conflicting operation occurs during the upload S3 returns a 409 
ConditionalRequestConflict response. On a 409 failure you should fetch 
the object's ETag and retry the upload.

see: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html

But I did take a note to have a look at this again.

> 
>> +            }
>> +        }
>> +    }
>> +
>>       let unmount_guard = if datastore.backing_device.is_some() {
>>           do_mount_device(datastore.clone())?;
>>           UnmountGuard::new(Some(path.clone()))
> 



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel