Date: Mon, 21 Jul 2025 15:35:31 +0200
From: "Hannes Laimer"
To: "Proxmox Backup Server development discussion"
Cc: "pbs-devel"
References: <20250719125035.9926-1-c.ebner@proxmox.com>
 <20250719125035.9926-21-c.ebner@proxmox.com>
In-Reply-To: <20250719125035.9926-21-c.ebner@proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox-backup v9 17/46] verify: implement
 chunk verification for stores with s3 backend

On Sat Jul 19, 2025 at 2:50 PM CEST, Christian Ebner wrote:
> For datastores backed by an S3 compatible object store, rather than
> reading the chunks to be verified from the local filesystem, fetch
> them via the s3 client from the configured bucket.
>

Could we somehow take advantage of the hash S3 provides for objects[1]?
We can't use our hashes though, so I'm not sure if or how we would...

[1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
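
To illustrate what I mean (a rough sketch only, nothing here is tied to
our s3 client API; it assumes we can read back the base64-encoded
`x-amz-checksum-sha256` value that the docs in [1] describe for objects
uploaded with an SHA256 checksum):

    // Sketch: check a fetched blob against the checksum S3 keeps for the
    // object. This only covers the stored blob bytes, not our chunk
    // digest, which is computed over the chunk payload.
    use base64::Engine;
    use sha2::{Digest, Sha256};

    /// `s3_sha256_b64`: base64-encoded `x-amz-checksum-sha256` value.
    fn object_matches_s3_checksum(blob: &[u8], s3_sha256_b64: &str) -> bool {
        let digest = Sha256::digest(blob);
        base64::engine::general_purpose::STANDARD.encode(digest) == s3_sha256_b64
    }

If I read the docs right, a HeadObject request with checksum mode enabled
would even return that value without downloading the body, but it still
wouldn't tell us whether the content matches *our* digest for the chunk.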
> Signed-off-by: Christian Ebner
> ---
> changes since version 8:
> - refactored corrupt chunk marking into more compact methods
>
>  src/backup/verify.rs | 118 +++++++++++++++++++++++++++++++++++++------
>  1 file changed, 103 insertions(+), 15 deletions(-)
>
> diff --git a/src/backup/verify.rs b/src/backup/verify.rs
> index dea10f618..9a2148b56 100644
> --- a/src/backup/verify.rs
> +++ b/src/backup/verify.rs
> @@ -5,6 +5,7 @@ use std::sync::{Arc, Mutex};
>  use std::time::Instant;
>
>  use anyhow::{bail, Error};
> +use http_body_util::BodyExt;
>  use tracing::{error, info, warn};
>
>  use proxmox_worker_task::WorkerTaskContext;
> @@ -15,7 +16,7 @@ use pbs_api_types::{
>      UPID,
>  };
>  use pbs_datastore::backup_info::{BackupDir, BackupGroup, BackupInfo};
> -use pbs_datastore::index::IndexFile;
> +use pbs_datastore::index::{ChunkReadInfo, IndexFile};
>  use pbs_datastore::manifest::{BackupManifest, FileInfo};
>  use pbs_datastore::{DataBlob, DataStore, DatastoreBackend, StoreProgress};
>
> @@ -89,6 +90,38 @@ impl VerifyWorker {
>              }
>          }
>
> +        if let Ok(DatastoreBackend::S3(s3_client)) = datastore.backend() {
> +            let suffix = format!(".{}.bad", counter);
> +            let target_key =
> +                match pbs_datastore::s3::object_key_from_digest_with_suffix(digest, &suffix) {
> +                    Ok(target_key) => target_key,
> +                    Err(err) => {
> +                        info!("could not generate target key for corrupted chunk {path:?} - {err}");
> +                        return;
> +                    }
> +                };
> +            let object_key = match pbs_datastore::s3::object_key_from_digest(digest) {
> +                Ok(object_key) => object_key,
> +                Err(err) => {
> +                    info!("could not generate object key for corrupted chunk {path:?} - {err}");
> +                    return;
> +                }
> +            };
> +            if proxmox_async::runtime::block_on(
> +                s3_client.copy_object(object_key.clone(), target_key),
> +            )
> +            .is_ok()
> +            {
> +                if proxmox_async::runtime::block_on(s3_client.delete_object(object_key)).is_err() {
> +                    info!("failed to delete corrupt chunk on s3 backend: {digest_str}");
> +                }
> +            } else {
> +                info!("failed to copy corrupt chunk on s3 backend: {digest_str}");
> +            }
> +        } else {
> +            info!("failed to get s3 backend while trying to rename bad chunk: {digest_str}");
> +        }
> +
>          match std::fs::rename(&path, &new_path) {
>              Ok(_) => {
>                  info!("corrupted chunk renamed to {:?}", &new_path);
> @@ -189,20 +222,13 @@
>                  continue; // already verified or marked corrupt
>              }
>
> -            match self.datastore.load_chunk(&info.digest) {
> -                Err(err) => {
> -                    self.corrupt_chunks.lock().unwrap().insert(info.digest);
> -                    error!("can't verify chunk, load failed - {err}");
> -                    errors.fetch_add(1, Ordering::SeqCst);
> -                    Self::rename_corrupted_chunk(self.datastore.clone(), &info.digest);
> -                }
> -                Ok(chunk) => {
> -                    let size = info.size();
> -                    read_bytes += chunk.raw_size();
> -                    decoder_pool.send((chunk, info.digest, size))?;
> -                    decoded_bytes += size;
> -                }
> -            }
> +            self.verify_chunk_by_backend(
> +                &info,
> +                &mut read_bytes,
> +                &mut decoded_bytes,
> +                Arc::clone(&errors),
> +                &decoder_pool,
> +            )?;
>          }
>
>          decoder_pool.complete()?;
> @@ -228,6 +254,68 @@
>          Ok(())
>      }
>
> +    fn verify_chunk_by_backend(
> +        &self,
> +        info: &ChunkReadInfo,
> +        read_bytes: &mut u64,
> +        decoded_bytes: &mut u64,
> +        errors: Arc<AtomicUsize>,
> +        decoder_pool: &ParallelHandler<(DataBlob, [u8; 32], u64)>,
> +    ) -> Result<(), Error> {
> +        match &self.backend {
> +            DatastoreBackend::Filesystem => match self.datastore.load_chunk(&info.digest) {
> +                Err(err) => self.add_corrupt_chunk(
> +                    info.digest,
> +                    errors,
> +                    &format!("can't verify chunk, load failed - {err}"),
> +                ),
> +                Ok(chunk) => {
> +                    let size = info.size();
> +                    *read_bytes += chunk.raw_size();
> +                    decoder_pool.send((chunk, info.digest, size))?;
> +                    *decoded_bytes += size;
> +                }
> +            },
> +            DatastoreBackend::S3(s3_client) => {
> +                let object_key = pbs_datastore::s3::object_key_from_digest(&info.digest)?;
> +                match proxmox_async::runtime::block_on(s3_client.get_object(object_key)) {
> +                    Ok(Some(response)) => {
> +                        let bytes = proxmox_async::runtime::block_on(response.content.collect())?
> +                            .to_bytes();
> +                        let chunk = DataBlob::from_raw(bytes.to_vec())?;
> +                        let size = info.size();
> +                        *read_bytes += chunk.raw_size();
> +                        decoder_pool.send((chunk, info.digest, size))?;
> +                        *decoded_bytes += size;
> +                    }
> +                    Ok(None) => self.add_corrupt_chunk(
> +                        info.digest,
> +                        errors,
> +                        &format!(
> +                            "can't verify missing chunk with digest {}",
> +                            hex::encode(info.digest)
> +                        ),
> +                    ),
> +                    Err(err) => self.add_corrupt_chunk(
> +                        info.digest,
> +                        errors,
> +                        &format!("can't verify chunk, load failed - {err}"),
> +                    ),
> +                }
> +            }
> +        }
> +        Ok(())
> +    }
> +
> +    fn add_corrupt_chunk(&self, digest: [u8; 32], errors: Arc<AtomicUsize>, message: &str) {
> +        // Panic on poisoned mutex
> +        let mut corrupt_chunks = self.corrupt_chunks.lock().unwrap();
> +        corrupt_chunks.insert(digest);
> +        error!(message);
> +        errors.fetch_add(1, Ordering::SeqCst);
> +        Self::rename_corrupted_chunk(self.datastore.clone(), &digest);
> +    }
> +
>      fn verify_fixed_index(&self, backup_dir: &BackupDir, info: &FileInfo) -> Result<(), Error> {
>          let mut path = backup_dir.relative_path();
>          path.push(&info.filename);

_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel