From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id AF71C1FF191 for ; Mon, 16 Jun 2025 16:22:32 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 5B7ADA3F9; Mon, 16 Jun 2025 16:22:53 +0200 (CEST) From: Christian Ebner To: pbs-devel@lists.proxmox.com Date: Mon, 16 Jun 2025 16:21:28 +0200 Message-Id: <20250616142156.413652-16-c.ebner@proxmox.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250616142156.413652-1-c.ebner@proxmox.com> References: <20250616142156.413652-1-c.ebner@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.036 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH proxmox-backup v3 13/41] api: datastore: check S3 backend bucket access on datastore create X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" Check if the configured S3 object store backend can be reached and the provided secrets have the permissions to access the bucket. Perform the check before creating the chunk store, so it is not left behind if the bucket cannot be reached. 
Signed-off-by: Christian Ebner
---
 src/api2/config/datastore.rs | 49 ++++++++++++++++++++++++++++++++----
 1 file changed, 44 insertions(+), 5 deletions(-)
diff --git a/src/api2/config/datastore.rs b/src/api2/config/datastore.rs
index b133be707..1b9219f5c 100644
--- a/src/api2/config/datastore.rs
+++ b/src/api2/config/datastore.rs
@@ -1,8 +1,9 @@
 use std::path::{Path, PathBuf};
 use ::serde::{Deserialize, Serialize};
-use anyhow::{bail, Context, Error};
+use anyhow::{bail, format_err, Context, Error};
 use hex::FromHex;
+use pbs_s3_client::{S3Client, S3ClientOptions};
 use serde_json::Value;
 use tracing::{info, warn};
@@ -12,10 +13,11 @@ use proxmox_section_config::SectionConfigData;
 use proxmox_uuid::Uuid;
 use pbs_api_types::{
- Authid, DataStoreConfig, DataStoreConfigUpdater, DatastoreNotify, DatastoreTuning, KeepOptions,
- MaintenanceMode, PruneJobConfig, PruneJobOptions, DATASTORE_SCHEMA, PRIV_DATASTORE_ALLOCATE,
- PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_MODIFY, PRIV_SYS_MODIFY, PROXMOX_CONFIG_DIGEST_SCHEMA,
- UPID_SCHEMA,
+ Authid, DataStoreConfig, DataStoreConfigUpdater, DatastoreBackendConfig, DatastoreBackendType,
+ DatastoreNotify, DatastoreTuning, KeepOptions, MaintenanceMode, PruneJobConfig,
+ PruneJobOptions, S3ClientConfig, S3ClientSecretsConfig, DATASTORE_SCHEMA,
+ PRIV_DATASTORE_ALLOCATE, PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_MODIFY, PRIV_SYS_MODIFY,
+ PROXMOX_CONFIG_DIGEST_SCHEMA, UPID_SCHEMA,
 };
 use pbs_config::BackupLockGuard;
 use pbs_datastore::chunk_store::ChunkStore;
@@ -116,6 +118,43 @@ pub(crate) fn do_create_datastore(
 .parse_property_string(datastore.tuning.as_deref().unwrap_or(""))?,
 )?;
+ if let Some(ref backend_config) = datastore.backend {
+ let backend_config: DatastoreBackendConfig = backend_config.parse()?;
+ match backend_config.ty.unwrap_or_default() {
+ DatastoreBackendType::Filesystem => (),
+ DatastoreBackendType::S3 => {
+ let s3_client_id = backend_config
+ .client
+ .as_ref()
+ .ok_or_else(|| format_err!("missing required client"))?;
+ let bucket = backend_config
+ .bucket
+ .clone()
+ .ok_or_else(|| format_err!("missing required bucket"))?;
+ let (config, _config_digest) =
+ pbs_config::s3::config().context("failed to get s3 config")?;
+ let (secrets, _secrets_digest) =
+ pbs_config::s3::secrets_config().context("failed to get s3 secrets")?;
+ let config: S3ClientConfig = config
+ .lookup("s3client", s3_client_id)
+ .with_context(|| format!("no '{s3_client_id}' in config"))?;
+ let secrets: S3ClientSecretsConfig = secrets
+ .lookup("s3secrets", s3_client_id)
+ .with_context(|| format!("no '{s3_client_id}' in secrets"))?;
+ let options = S3ClientOptions::from_config(
+ config,
+ secrets,
+ bucket,
+ datastore.name.to_owned(),
+ );
+ let s3_client = S3Client::new(options).context("failed to create s3 client")?;
+ // Fine to block since this runs in worker task
+ proxmox_async::runtime::block_on(s3_client.head_bucket())
+ .context("failed to access bucket")?;
+ }
+ }
+ }
+
 let unmount_guard = if datastore.backing_device.is_some() {
 do_mount_device(datastore.clone())?;
 UnmountGuard::new(Some(path.clone()))
--
2.39.5
_______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
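Review bot: The `head_bucket()` probe in the `DatastoreBackendType::S3` arm shows only that the endpoint is reachable and that the credentials can see the bucket; it does not exercise the object write, read or delete rights a datastore needs. A list-only or read-only key would therefore typically pass here and fail only after the chunk store exists, which is the leftover state the commit message wants to avoid. Either extend the check with a put and delete of a throwaway marker object, or state the limit next to the call, e.g. `// head_bucket proves reachability and bucket visibility only; object write/delete rights are not verified here`. The probe is awaited through `block_on` with no timeout visible in the hunk, so it is worth confirming that `S3Client` enforces one itself; otherwise an unresponsive endpoint would stall the create task. `do_create_datastore` begins and ends outside this hunk.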