Wednesday, 2019-11-13

« Tuesday, 2019-11-12 Index Thursday, 2019-11-14 »
*** gyee has quit IRC01:41
* kota_ is back to online02:07
kota_thx timburke for a lot of info (vdisk and storlets work)!02:08
kota_hmm... the vdsik repo explains like `mounting virtual CD-ROM images backed by object storage`, that means it's for read-only?02:09
DHEI presume so. object storage (at least swift) doesn't really lend itself to in-place modification, and .iso isn't a write-friendly filesystem format02:11
kota_DHE: make sense02:15
*** ccamacho has quit IRC03:13
*** tkajinam has quit IRC04:26
*** tkajinam has joined #openstack-swift04:33
*** tkajinam_ has joined #openstack-swift05:08
*** tkajinam has quit IRC05:11
viks___Hi, I'm testing https://docs.aws.amazon.com/cli/latest/reference/s3api/list-buckets.html against my local swift s3, and i see that it is working05:19
viks___i.e.05:19
viks___```05:19
viks___aws s3api list-buckets --endpoint-url https://10.255.252.22 --query "Buckets[].Name"05:19
viks___[05:19
viks___    "container1"05:19
viks___]05:19
viks___```05:19
viks___But in our swift doc, i.e. https://docs.openstack.org/swift/latest/s3_compat.html, it is mentioned as not supported i.e. `GET Bucket service  Advanced Feature  No`.05:19
viks___Just wanted to know if it is documentation bug or am i missing something?05:20
*** tkajinam_ has quit IRC05:34
*** tkajinam has joined #openstack-swift05:36
*** tkajinam has quit IRC06:03
*** tkajinam has joined #openstack-swift06:05
*** tkajinam has quit IRC06:30
*** tkajinam has joined #openstack-swift06:31
*** tkajinam has quit IRC06:31
kota_viks___: IIRC, GET service (i.e. list buckets) should work so I assume it's docs bug.06:38
kota_but perhaps, there would have some ristrictions.06:38
kota_there would be06:38
kota_it seems like swift s3api is able to return the bucket list but the creation date seems to be fixed value so it's not complete feature.06:41
viks___kota_:  Ok thanks06:53
*** tkajinam has joined #openstack-swift07:01
*** rdejoux_ has joined #openstack-swift07:14
viks___kota_:  Any idea why do i get the below error:07:33
viks___```07:33
viks___aws s3api put-object --bucket my-bucket --key 1mb_file.txt --body 1mb_file.txt --endpoint-url https://10.255.252.2207:33
viks___An error occurred (BadDigest) when calling the PutObject operation (reached max retries: 4): The Content-MD5 you specified did not match what we received.07:33
viks___```07:33
viks___It works if i use signature v2 for awscli07:34
viks___but not for v407:34
kota_curious07:35
kota_swift s3api supports v4 staff so it should work.07:35
kota_i'm not an expert of awscli but the error looks to be caused by etag mismatch.07:37
kota_ah... perhaps, something different from your swift setting and awscli?07:43
kota_e.g. IIRC signature v4 requires region information to verify your credential so it should match between your local client setting and s3api config.07:45
*** tesseract has joined #openstack-swift08:00
viks___kota_: Ok.. will check and get back08:02
*** rdejoux has joined #openstack-swift08:09
viks___kota_:  i have set `location = us-east-1` in `[filter:s3api]` and using `region = us-east-1` in `.aws/config`. Not sure why this is happening08:13
viks___other commands like get object. list buckets etc work..08:14
kota_viks___: oh, you have the permission to look at swift configuration?08:14
viks___kota_: yes08:14
kota_perhaps, the swift log would be helpful to figure out what exactly happens.08:14
kota_201, 503, 4xx or some error trace...08:15
*** rpittau|afk is now known as rpittau08:17
viks___it's 40008:27
*** tkajinam has quit IRC08:35
kota_viks___: ok. it seems like not md5 related but authentication error.09:01
kota_sorry, I'm running out of my time to stay my office so you would check the configuration between the cli and service09:03
kota_or possibly, the response body will be helpful to know what's exactly cause of the authentication error.09:04
kota_e.g. `AWS authentication requires a valid Date or x-amz-date header` is an example error response body of 400.09:05
*** mikecmpbll has joined #openstack-swift09:06
*** ccamacho has joined #openstack-swift09:12
*** jistr has quit IRC09:19
*** jistr has joined #openstack-swift09:20
viks___kota_:  i see  awscli is sending below headers when run with `--debug`:09:27
viks___```09:27
viks___{'Content-MD5': b'45G2LrOHl+D8Vd9FfunXVg==', 'Content-Length': '125389', 'Authorization': b'AWS4-HMAC-SHA256 Credential=1ed62d4b25aafeb5c1e2f969541405a7/20191113/us-east-1/s3/aws4_request, SignedHeaders=content-md5;host;x-amz-content-sha256;x-amz-date, Signature=ae756ea7058504cbaeee78cbf87dc03f85e65b1a3292a2ed4733488402f26275', 'User-Agent': b'aws-cli/1.16.266 Python/3.5.2 Linux/4.15.0-66-generic09:27
viks___botocore/1.13.2', 'Expect': b'100-continue', 'X-Amz-Content-SHA256': b'UNSIGNED-PAYLOAD', 'X-Amz-Date': b'20191113T085545Z'}09:27
viks___```09:27
*** jistr has quit IRC09:29
*** ccamacho has quit IRC09:32
*** jistr has joined #openstack-swift09:36
*** ccamacho has joined #openstack-swift09:36
*** ianychoi has quit IRC10:24
*** henriqueof1 has quit IRC12:04
*** rcernin has quit IRC12:54
*** ianychoi has joined #openstack-swift13:00
baffleHas there been any discussion with regards to implementing a special/magic separator for the storage_domain/domain_remap middleware? I.e. to have working SSL with virtual host-style access. Since S3 has unique bucket names, they can issue a valid wildcard certificate for "*.s3.amazonaws.com", so that requests to https://bucket.s3.amazonaws.com works great. But in swift, since bucket/container names are not unique, we14:26
bafflealso need the project-id (resellerprefix) in the requests, so we need to remap two levels; https://bucketname.AUTH_resellerprefix.objecstorage.com. Wildcard SSL certfs only supports one level of wildcards. Could we introduce something like "__" as a separator? I.e. use bucketname__resellerprefix.objecstorage.com instead. And make domain remap split on __.... Or something better/smarter. :)14:26
DHEI can only speak for myself. This isn't specific to S3 support either, but we're going to put nginx in front of swift and have it do SSL and path rewrites.14:28
*** tesseract has quit IRC14:52
*** tesseract has joined #openstack-swift14:55
timburkeviks___, what version of swift are you running? i wonder if what you're seeing may have been fixed by https://review.opendev.org/#/c/660196/15:15
patchbotpatch 660196 - swift - s3api: Allow clients to upload with UNSIGNED-PAYLOAD (MERGED) - 1 patch set15:15
claygbaffle: I'd like to see something more like a "bucket registar" that allows projects to map their /AUTH_project/container to an unclaimed "myproject.mydomain.org" bucket15:15
claygthen requests to "myproject.mydomain.org.objectstorage.com" could lookup "myproject.mydomain.org" and rewrite to "objectstorage.com/AUTH_project/container"15:16
DHEwasn't there a cname or other DNS based middleware to do something like htat?15:17
timburkeDHE, i was just thinking the same :-)15:17
timburkeyeah, cname lookup + domain remap works pretty well15:17
claygtimburke: does it?   for s3api style requests?15:18
timburkenot s3api. but i don't think that's what baffle was going for... was it?15:19
DHEit's just a domain rewrite middleware. looks like you could just put it south of the s3api middleware.15:19
baffletimburke: I'm looking to use it for S3 middleware, but it is relevant for normal Swift API access as well, esp. for public objects. But for S3 is is more important, as AWS are planning on deprecating path-style access. I.e. they are deprecating endpoints like s3.amazonaws.com/bucket/object in favor of bucket.s3.amazonaws.com. Ref:  https://aws.amazon.com/blogs/aws/amazon-s3-path-deprecation-plan-the-rest-of-the-story/15:29
baffle * timburke: I'm looking to use it for S3 middleware, but it is relevant for normal Swift API access as well, esp. for public objects. But for S3 it is more important, as AWS are planning on deprecating path-style access. I.e. they are deprecating endpoints like s3.amazonaws.com/bucket/object in favor of bucket.s3.amazonaws.com. Ref:15:32
bafflehttps://aws.amazon.com/blogs/aws/amazon-s3-path-deprecation-plan-the-rest-of-the-story/15:32
baffleSo with CNAME middleware, we could have uniquecontainername.object.com resolve to nonuniquename.AUTH_uuid.objectstorage.com then. Well, that works, but it requires an extra step, registring the unique name. Having support for a magic separator in domain remap would work out of the box.15:36
DHEyou're free to write your own middleware, and this CNAME middleware might make a good starting point.15:39
DHEbut users might also appreciate the shorter names offered by cnames15:39
timburkes3api pulls the account info out of the auth info -- bucket.objectstorage.com should work (today, even!) for multiple tenants' containers named "bucket"15:40
baffleIs "_" actually valid in a hostname per. RFCs? It would seem only a to z, numbers and "-" is valid..15:41
timburke(maybe "pulls out" isn't quite right -- but the auth info gets used to figure out which account this request should map to)15:41
timburkebaffle, yeah, i don't think _ is good... part of why AWS started requiring that bucket names not include _15:42
timburkeif you want virtual-host style s3 access, you'll need to set the storage_domain option in proxy-server.conf: https://github.com/openstack/swift/blob/2.23.0/etc/proxy-server.conf-sample#L536-L53815:43
baffle@s3api: That would only apply to authenticated requests. So one could even put "notvalid.objecstorage.com" and still reach "objecstorage.com/v1/AUTH_uuid/mybucket"?15:44
baffletimburke: I have virtual-host style enabled, but it will only work with http:// as wildcard certs are only one level.15:45
baffle * @timburkei: That would only apply to authenticated requests. So one could even put "notvalid.objecstorage.com" and still reach "objecstorage.com/v1/AUTH_uuid/mybucket"?15:49
baffle * timburke: That would only apply to authenticated requests. So one could even put "notvalid.objecstorage.com" and still reach "objecstorage.com/v1/AUTH_uuid/mybucket"?15:49
timburkeon wildcard certs: s3api only needs the one level. i've got aws-cli making requests like https://bucket.saio/?list-type=2&prefix=&delimiter=%2F&encoding-type=url that will work just fine15:59
timburkepresumably "notvalid.objecstorage.com" would get mapped to  "objecstorage.com/v1/AUTH_uuid/notvalid" -- we just take the leading part of the domain and use that as the bucket16:00
timburkenot that you can't do anonymous access, but presigned URLs will work just fine16:00
timburkenote* that ...16:00
*** mikecmpbll has quit IRC16:06
*** ccamacho has quit IRC16:06
*** mikecmpbll has joined #openstack-swift16:10
*** gyee has joined #openstack-swift16:18
*** rpittau is now known as rpittau|afk17:08
*** mikecmpbll has quit IRC17:32
*** rdejoux has quit IRC17:33
*** rdejoux_ is now known as rdejoux17:33
viks___timburke:  What i see in my set up is, if i make call via my haproxy gateway where ssl gets terminated,  i get the above error as mentioned. But if i make call directly to swift node(i.e. without ssl) it seems to be working.. I'm bit puzzled with this behaviour  :(17:34
viks___b/n i use stein..17:35
timburkeviks___, that was part of why i didn't notice the regression sooner -- per https://docs.aws.amazon.com/cli/latest/topic/s3-config.html#payload-signing-enabled "By default, this is disabled ..., but only if ... the endpoint uses HTTPS."17:37
timburkefwiw, i backported the fix to stein -- need to tag a stable release though17:38
*** diablo_rojo__ has joined #openstack-swift17:42
viks___so it's the problem with s3api middleware? am i right?17:42
timburkeyep. fixed for stein in https://github.com/openstack/swift/commit/6ed165c17:43
timburkewill get you a 2.21.1 tag later this week, hopefully17:44
viks___timburke:  Thanks... will try to test this tomorrow17:45
openstackgerritTim Burke proposed openstack/swift stable/rocky: s3api: Allow clients to upload with UNSIGNED-PAYLOAD  https://review.opendev.org/69412117:50
openstackgerritTim Burke proposed openstack/swift stable/rocky: Authors/changelog for 2.19.2  https://review.opendev.org/69413618:28
*** tesseract has quit IRC18:35
*** diablo_rojo__ has quit IRC20:05
*** mwheckmann has quit IRC20:46
claygoh neat, i'll be able to catch most of the meeting with the time change20:50
openstackgerritThiago da Silva proposed openstack/swift master: WIP: Allow internal clients to use reserved namespace  https://review.opendev.org/68213820:52
openstackgerritThiago da Silva proposed openstack/swift master: New Object Versioning mode  https://review.opendev.org/68238220:52
claygtdasilva: oh wow!  did you make symlink_path cooler?20:58
kota_mornin20:59
mattoliverauMorning20:59
clayghey guys!21:00
*** zaitcev has joined #openstack-swift21:00
*** ChanServ sets mode: +v zaitcev21:00
tdasilvaclayg: yeah, still struggling with string handling between py2 and py3. I just added some utf8 func tests, passed on my envs, hoping it passes on gate21:01
claygi hate strings!21:01
claygor bytes... i'm not sure21:01
tdasilvaheh21:02
zaitcevtimburke: are we having a meeting today?21:03
zaitcevOr is everyone still dead from Chinese food21:03
* tdasilva wants some Chinese food21:03
timburkelousy time to go installing the new fedora...21:04
timburkemeeting time!21:04
claygzaitcev: so many noodles21:05
zaitcevclayg: carbohydrates are hazardous if you're not used to them.21:06
*** patchbot has quit IRC21:11
claygseongsoocho: we're all talking about you in the #openstack-meeting for Swift - we all gab every Wednesday around this time, but we noticed it's kind of early for you21:15
clayg... maybe another time would work better!?21:15
mattoliverauor thursday morning in our side of the world ;)21:16
*** patchbot has joined #openstack-swift21:17
*** rdejoux has quit IRC21:26
seongsoochoclayg: hi !  i'm in utc+9.  but It is ok. I can join a meeting in early morning.22:03
timburkeseongsoocho, good to hear from you again! very good to meet you last week :-D22:04
rledisezseongsoocho: the one for this week is just done but you should totally join us next week. you can find some link here for the archive and co :https://wiki.openstack.org/wiki/Meetings/Swift22:04
seongsoochotimburke:  Hi ! I also very good to meet you last week :)22:06
seongsoochorledisez:  Wow, thanks I will read today meeting log.22:06
mattoliverauseongsoocho: morning o/22:13
seongsoochomattoliverau:  morning :-)22:14
*** rcernin has joined #openstack-swift22:32
*** tkajinam has joined #openstack-swift23:06
*** diablo_rojo__ has joined #openstack-swift23:33
« Tuesday, 2019-11-12 Index Thursday, 2019-11-14 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!