From mboxrd@z Thu Jan  1 00:00:00 1970
Message-ID: <d2e6a673-e656-4cce-8ab8-c48a53c5ab3a@proxmox.com>
Date: Wed, 4 Jun 2025 13:58:19 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Proxmox Backup Server development discussion
 <pbs-devel@lists.proxmox.com>, Christian Ebner <c.ebner@proxmox.com>
References: <20250529143207.694497-1-c.ebner@proxmox.com>
Content-Language: de-AT, en-US
From: Lukas Wagner <l.wagner@proxmox.com>
In-Reply-To: <20250529143207.694497-1-c.ebner@proxmox.com>
Subject: Re: [pbs-devel] [RFC v2 proxmox/bookworm-stable proxmox-backup
 00/42] S3 storage backend for datastores

On 2025-05-29 16:31, Christian Ebner wrote:
> Testing:
> For testing, an S3 compatible object store provided via Ceph RADOS
> gateway can be used by the following setup. This was performed on a
> pre-existing Ceph Reef 18.2 cluster.
> 

For further reference, here are the steps needed to set up a local MinIO [1] server.
Took me a bit of trial and error to get it to work, so I thought I'd share
my notes. Christian, feel free to include/reference them in upcoming revisions
of this patch series.


# Setting up a local MinIO server for testing PBS's S3 feature.

Download the latest server, client and cert tool:
```
wget https://dl.min.io/server/minio/release/linux-amd64/minio
wget https://dl.min.io/client/mc/release/linux-amd64/mc
wget https://github.com/minio/certgen/releases/latest/download/certgen-linux-amd64
chmod +x certgen-linux-amd64 mc minio
```

Next, create the HTTPS cert. You can also use `openssl` to create one, if you don't want
to use minio's tool.

```
mkdir certs && cd certs
../certgen-linux-amd64 -host "localhost,s3.example.com"
cd ../
```

Start minio server:
```
MINIO_DOMAIN="s3.example.com" MINIO_ROOT_USER=admin MINIO_ROOT_PASSWORD='<admin-password>' ./minio server ./data --console-address ":9001" --certs-dir ./certs
```

Create an alias for the local server in the client tool:
```
./mc alias set 'local' 'https://localhost:9000' 'admin' '<admin-password>'
```

For some reason you have to run this command twice. At first, it asks you to
confirm the certificate fingerprint but still fails with an error ('certificate
signed by an unknown authority'), but if you run it a second time, it works.

Next, verify that the client connection works:
```
./mc ping local
```

After that, let's create the `pbs` bucket (mb = make bucket):
```
./mc mb local/pbs
```

After that, you need to create an entry in `/etc/hosts` on the PBS host.
S3 encodes the name of the bucket in the domain, so you have to make sure
that PBS can resolve the IP properly.
```
172.25.0.xxx pbs.s3.example.com
```

Finally, get the SHA256 fingerprint of the certificate so that you can use it in PBS later.
```
openssl x509 -noout -fingerprint -sha256 -inform pem -in certs/public.crt
```

When adding the S3 bucket in PBS, use the following values:
```
Host: pbs.s3.example.com
Port: 9000
Bucket: pbs
Access Key: admin
Secret Key: <admin-password>
Fingerprint: SHA256 from the previous command
```


[1] https://github.com/minio/minio

-- 
- Lukas
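
As an added example (not part of the original mail or the patch series): before entering the fingerprint in PBS, this script checks that the certificate MinIO actually serves on `pbs.s3.example.com:9000` is the one in `certs/public.crt`, comparing the two fingerprints regardless of notation. It assumes `openssl` is installed; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not part of the original mail. Host, port and certificate
# path are the values used in the notes above; function names are hypothetical.

# Reduce any fingerprint notation to bare uppercase hex:
# "sha256 Fingerprint=AB:CD:..." and "ab:cd:..." both become "ABCD...".
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeed only if both arguments are the same well-formed SHA-256 fingerprint.
fp_match() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    # 32 bytes = 64 hex digits; reject empty or truncated values.
    [ "${#a}" -eq 64 ] || return 2
    case "$a" in *[!0-9A-F]*) return 2 ;; esac
    [ "$a" = "$b" ]
}

# Fingerprint of the certificate file on disk.
file_fp() {
    openssl x509 -noout -fingerprint -sha256 -inform pem -in "$1"
}

# Fingerprint of the certificate the server presents for the given SNI name.
server_fp() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# usage: check_pin HOST PORT CERTFILE
check_pin() {
    if fp_match "$(file_fp "$3")" "$(server_fp "$1" "$2")"; then
        echo "OK: $1:$2 serves $3"
    else
        echo "MISMATCH: $1:$2 does not serve $3" >&2
        return 1
    fi
}

# Runs only when called with three arguments, e.g.:
#   sh check-pin.sh pbs.s3.example.com 9000 certs/public.crt
if [ "$#" -eq 3 ]; then check_pin "$@"; fi
```

A mismatch or an empty server fingerprint (connection refused, wrong `/etc/hosts` entry) both make `check_pin` fail, so the value is only entered in PBS once the served certificate is confirmed.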