From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id A0FB51FF17A for ; Fri, 18 Jul 2025 09:38:58 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 820AD1473F; Fri, 18 Jul 2025 09:40:06 +0200 (CEST) Message-ID: Date: Fri, 18 Jul 2025 09:40:03 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: Proxmox Backup Server development discussion , Christian Ebner References: <20250715125332.954494-1-c.ebner@proxmox.com> <20250715125332.954494-14-c.ebner@proxmox.com> Content-Language: de-AT, en-US From: Lukas Wagner In-Reply-To: <20250715125332.954494-14-c.ebner@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1752824400814 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.032 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment PROLO_LEO1 0.1 Meta Catches all Leo drug variations so far RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [datastore.rs] Subject: Re: [pbs-devel] [PATCH proxmox-backup v8 04/45] api: datastore: check s3 backend bucket access on datastore create X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" With the two string constants moved: Reviewed-by: Lukas Wagner On 2025-07-15 14:52, Christian Ebner wrote: > Check if the configured S3 object store backend can be reached and > the provided secrets have the permissions to access the bucket. > > Perform the check before creating the chunk store, so it is not left > behind if the bucket cannot be reached. > > Signed-off-by: Christian Ebner > --- > changes since version 7: > - no changes > > Cargo.toml | 2 +- > src/api2/config/datastore.rs | 48 ++++++++++++++++++++++++++++++++---- > 2 files changed, 44 insertions(+), 6 deletions(-) > > diff --git a/Cargo.toml b/Cargo.toml > index c7a77060e..a5954635a 100644 > --- a/Cargo.toml > +++ b/Cargo.toml > @@ -77,7 +77,7 @@ proxmox-rest-server = { version = "1", features = [ "templates" ] } > proxmox-router = { version = "3.2.2", default-features = false } > proxmox-rrd = "1" > proxmox-rrd-api-types = "1.0.2" > -proxmox-s3-client = "1.0.0" > +proxmox-s3-client = { version = "1.0.0", features = [ "impl" ] } > # everything but pbs-config and pbs-client use "api-macro" > proxmox-schema = "4" > proxmox-section-config = "3" > diff --git a/src/api2/config/datastore.rs b/src/api2/config/datastore.rs > index b133be707..0fb822c79 100644 > --- a/src/api2/config/datastore.rs > +++ b/src/api2/config/datastore.rs > @@ -1,21 +1,22 @@ > use std::path::{Path, PathBuf}; > > use ::serde::{Deserialize, Serialize}; > -use anyhow::{bail, Context, Error}; > +use anyhow::{bail, format_err, Context, Error}; > use hex::FromHex; > use serde_json::Value; > use tracing::{info, warn}; > > use proxmox_router::{http_bail, Permission, Router, RpcEnvironment, RpcEnvironmentType}; > +use proxmox_s3_client::{S3Client, S3ClientConfig, S3ClientOptions, S3ClientSecretsConfig}; > use proxmox_schema::{api, param_bail, ApiType}; > use proxmox_section_config::SectionConfigData; > use proxmox_uuid::Uuid; > > use pbs_api_types::{ > - Authid, DataStoreConfig, DataStoreConfigUpdater, DatastoreNotify, DatastoreTuning, KeepOptions, > - MaintenanceMode, PruneJobConfig, PruneJobOptions, DATASTORE_SCHEMA, PRIV_DATASTORE_ALLOCATE, > - PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_MODIFY, PRIV_SYS_MODIFY, PROXMOX_CONFIG_DIGEST_SCHEMA, > - UPID_SCHEMA, > + Authid, DataStoreConfig, DataStoreConfigUpdater, DatastoreBackendConfig, DatastoreBackendType, > + DatastoreNotify, DatastoreTuning, KeepOptions, MaintenanceMode, PruneJobConfig, > + PruneJobOptions, DATASTORE_SCHEMA, PRIV_DATASTORE_ALLOCATE, PRIV_DATASTORE_AUDIT, > + PRIV_DATASTORE_MODIFY, PRIV_SYS_MODIFY, PROXMOX_CONFIG_DIGEST_SCHEMA, UPID_SCHEMA, > }; > use pbs_config::BackupLockGuard; > use pbs_datastore::chunk_store::ChunkStore; > @@ -116,6 +117,43 @@ pub(crate) fn do_create_datastore( > .parse_property_string(datastore.tuning.as_deref().unwrap_or(""))?, > )?; > > + if let Some(ref backend_config) = datastore.backend { > + let backend_config: DatastoreBackendConfig = backend_config.parse()?; > + match backend_config.ty.unwrap_or_default() { > + DatastoreBackendType::Filesystem => (), > + DatastoreBackendType::S3 => { > + let s3_client_id = backend_config > + .client > + .as_ref() > + .ok_or_else(|| format_err!("missing required client"))?; > + let bucket = backend_config > + .bucket > + .clone() > + .ok_or_else(|| format_err!("missing required bucket"))?; > + let (config, _config_digest) = > + pbs_config::s3::config().context("failed to get s3 config")?; > + let (secrets, _secrets_digest) = > + pbs_config::s3::secrets_config().context("failed to get s3 secrets")?; > + let config: S3ClientConfig = config > + .lookup("s3client", s3_client_id) > + .with_context(|| format!("no '{s3_client_id}' in config"))?; > + let secrets: S3ClientSecretsConfig = secrets > + .lookup("s3secrets", s3_client_id) > + .with_context(|| format!("no '{s3_client_id}' in secrets"))?; The "s3client" and "s3secrets" section type strings should be `pub const` where the the config parser is defined. > + let options = S3ClientOptions::from_config( > + config, > + secrets, > + bucket, > + datastore.name.to_owned(), > + ); > + let s3_client = S3Client::new(options).context("failed to create s3 client")?; > + // Fine to block since this runs in worker task > + proxmox_async::runtime::block_on(s3_client.head_bucket()) > + .context("failed to access bucket")?; I wonder whether we should add some kind of retry logic not only here, but also for anywhere else where we interact with S3. Might of course be easier to implement that right in the s3 client crate. Also, no need to add this right away, just some idea for future improvements. > + } > + } > + } > + > let unmount_guard = if datastore.backing_device.is_some() { > do_mount_device(datastore.clone())?; > UnmountGuard::new(Some(path.clone())) -- - Lukas _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel