From: Christian Ebner <c.ebner@proxmox.com>
To: Lukas Wagner <l.wagner@proxmox.com>,
Proxmox Backup Server development discussion
<pbs-devel@lists.proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox-backup v8 02/45] config: introduce s3 object store client configuration
Date: Fri, 18 Jul 2025 10:37:15 +0200
Message-ID: <fddd7880-47c5-46ab-a92b-b92427a6ee30@proxmox.com>
In-Reply-To: <5f86f319-23e6-4573-b63e-9432f2856b00@proxmox.com>
On 7/18/25 9:22 AM, Lukas Wagner wrote:
> With my minor complaints fixed:
>
> Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
>
> On 2025-07-15 14:52, Christian Ebner wrote:
>> Adds the client configuration for s3 object store as dedicated
>> configuration files, with secrets being stored separately from the
>> regular configuration and excluded from api responses for security
>> reasons.
>>
>> Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
>> ---
>> changes since version 7:
>> - no changes
>>
>> pbs-config/Cargo.toml | 1 +
>> pbs-config/src/lib.rs | 1 +
>> pbs-config/src/s3.rs | 83 +++++++++++++++++++++++++++++++++++++++++++
>> 3 files changed, 85 insertions(+)
>> create mode 100644 pbs-config/src/s3.rs
>>
>> diff --git a/pbs-config/Cargo.toml b/pbs-config/Cargo.toml
>> index 284149658..74afb3c64 100644
>> --- a/pbs-config/Cargo.toml
>> +++ b/pbs-config/Cargo.toml
>> @@ -19,6 +19,7 @@ serde_json.workspace = true
>>
>> proxmox-notify.workspace = true
>> proxmox-router = { workspace = true, default-features = false }
>> +proxmox-s3-client.workspace = true
>> proxmox-schema.workspace = true
>> proxmox-section-config.workspace = true
>> proxmox-shared-memory.workspace = true
>> diff --git a/pbs-config/src/lib.rs b/pbs-config/src/lib.rs
>> index 9c4d77c24..d03c079ab 100644
>> --- a/pbs-config/src/lib.rs
>> +++ b/pbs-config/src/lib.rs
>> @@ -10,6 +10,7 @@ pub mod network;
>> pub mod notifications;
>> pub mod prune;
>> pub mod remote;
>> +pub mod s3;
>> pub mod sync;
>> pub mod tape_job;
>> pub mod token_shadow;
>> diff --git a/pbs-config/src/s3.rs b/pbs-config/src/s3.rs
>> new file mode 100644
>> index 000000000..ec3998834
>> --- /dev/null
>> +++ b/pbs-config/src/s3.rs
>> @@ -0,0 +1,83 @@
>> +use std::collections::HashMap;
>> +use std::sync::LazyLock;
>> +
>> +use anyhow::Error;
>> +
>> +use proxmox_s3_client::{S3ClientConfig, S3ClientSecretsConfig};
>> +use proxmox_schema::*;
>> +use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};
>> +
>> +use pbs_api_types::JOB_ID_SCHEMA;
>> +
>> +use crate::{open_backup_lockfile, replace_backup_config, BackupLockGuard};
>> +
>> +pub static CONFIG: LazyLock<SectionConfig> = LazyLock::new(init);
>> +
>> +fn init() -> SectionConfig {
>> + let obj_schema = match S3ClientConfig::API_SCHEMA {
>> + Schema::Object(ref obj_schema) => obj_schema,
>> + _ => unreachable!(),
>> + };
>> + let secrets_obj_schema = match S3ClientSecretsConfig::API_SCHEMA {
>> + Schema::Object(ref obj_schema) => obj_schema,
>> + _ => unreachable!(),
>> + };
>
> You can use API_SCHEMA::unwrap_object_schema here, that's a bit nicer to read :)
agreed, incorporated this for the next iteration of the patches
>> +
>> + let plugin =
>> + SectionConfigPlugin::new("s3client".to_string(), Some(String::from("id")), obj_schema);
>> + let secrets_plugin = SectionConfigPlugin::new(
>> + "s3secrets".to_string(),
>> + Some(String::from("secrets-id")),
>> + secrets_obj_schema,
>> + );
>> + let mut config = SectionConfig::new(&JOB_ID_SCHEMA);
>> + config.register_plugin(plugin);
>> + config.register_plugin(secrets_plugin);
>> +
>> + config
>> +}
>> +
>> +pub const S3_CFG_FILENAME: &str = "/etc/proxmox-backup/s3.cfg";
>> +pub const S3_SECRETS_CFG_FILENAME: &str = "/etc/proxmox-backup/s3-secrets.cfg";
>> +pub const S3_CFG_LOCKFILE: &str = "/etc/proxmox-backup/.s3.lck";
>
> You can use the pbs_buildcfg::configdir macro to build these paths. Also please
> add some docstrings to public consts like these.
same, added the helper so we always use the configured path from
buildcfg as base path for these constants.
>
>> +
>> +/// Get exclusive lock
>> +pub fn lock_config() -> Result<BackupLockGuard, Error> {
>> + open_backup_lockfile(S3_CFG_LOCKFILE, None, true)
>> +}
>> +
>> +pub fn config() -> Result<(SectionConfigData, [u8; 32]), Error> {
>> + parse_config(S3_CFG_FILENAME)
>> +}
>> +
>> +pub fn secrets_config() -> Result<(SectionConfigData, [u8; 32]), Error> {
>> + parse_config(S3_SECRETS_CFG_FILENAME)
>> +}
>> +
>> +pub fn save_config(config: &SectionConfigData, secrets: &SectionConfigData) -> Result<(), Error> {
>> + let raw = CONFIG.write(S3_CFG_FILENAME, config)?;
>> + replace_backup_config(S3_CFG_FILENAME, raw.as_bytes())?;
>> +
>> + let secrets_raw = CONFIG.write(S3_SECRETS_CFG_FILENAME, secrets)?;
>> + // Secrets are stored with `backup` permissions to allow reading from
>> + // not protected api endpoints as well.
>> + replace_backup_config(S3_SECRETS_CFG_FILENAME, secrets_raw.as_bytes())?;
>> +
>> + Ok(())
>> +}
>
> ^ These public functions lack docstrings
added these as well ...
>
>> +
>> +// shell completion helper
... and expanded a bit on this one since already at it.
>> +pub fn complete_s3_client_id(_arg: &str, _param: &HashMap<String, String>) -> Vec<String> {
>> + match config() {
>> + Ok((data, _digest)) => data.sections.keys().map(|id| id.to_string()).collect(),
>> + Err(_) => Vec::new(),
>> + }
>> +}
>> +
>> +fn parse_config(path: &str) -> Result<(SectionConfigData, [u8; 32]), Error> {
>> + let content = proxmox_sys::fs::file_read_optional_string(path)?;
>> + let content = content.unwrap_or_default();
>> + let digest = openssl::sha::sha256(content.as_bytes());
>> + let data = CONFIG.parse(path, &content)?;
>> + Ok((data, digest))
>> +}
>
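Review bot: in init(), both the `s3client` and `s3secrets` plugins are registered on the single CONFIG, and parse_config() uses that same CONFIG for S3_CFG_FILENAME and S3_SECRETS_CFG_FILENAME, so an `s3secrets` section placed in s3.cfg parses without error and complete_s3_client_id(), which collects `data.sections.keys()` without a type filter, would list its id. Since the commit message states that secrets are stored separately and excluded from api responses, consider one SectionConfig per file, or rejecting sections of the wrong type after parsing, so the separation is enforced by the parser rather than by convention. In save_config(), the two replace_backup_config() calls run in sequence with no rollback, so a failure on the second leaves s3.cfg updated and s3-secrets.cfg stale; nothing in the signature ties the call to the guard returned by lock_config(), so a doc comment stating that the caller must hold the lock, or taking the guard as a parameter, would make the requirement explicit.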