Conversation

@Ma27 Ma27 commented Aug 8, 2025

@flyingcircusio/release-managers

Release process

  • Created changelog entry using ./changelog.sh

PR release workflow (internal)

  • PR has internal ticket
  • internal issue ID (PL-…) part of branch name
  • internal issue ID mentioned in PR description text
  • ticket is on Platform agile board
  • ticket state set to Pull request ready
  • if ticket is more urgent than within the next few days, directly contact a member of the Platform team
  • set urgency and risk labels
  • ensure the merge bot has determined a merge date
  • ensure all checks are green
  • get a review from a colleague

Design notes

  • Provide a feature toggle if the change might need to be adjusted/reverted quickly depending on context. Consider whether the default should be on or off. Example: rate limiting.
  • All customer-facing features and (NixOS) options need to be discoverable from documentation. Add or update relevant documentation such that hosted and guided customers can understand it as well.

Security implications

@Ma27 Ma27 force-pushed the PL-128135-s3gw branch 2 times, most recently from 2300e39 to b5322e1 Compare August 12, 2025 12:10

cephPkgs = fclib.ceph.mkPkgs role.cephRelease;

radosListenPort = toString 7480;
Member

I think we need to leave 80 in here for pre-signed URLs?

Contributor Author

Do you happen to have a reproducer for the old issue? Because I cannot reproduce on dev (and the tests are fine, too):

$ cat .aws/credentials
[dev2]
endpoint_url = https://objects.dev.fcio.net
<redacted>
$ aws --profile dev2 s3 ls s3://test/
[...]
2025-07-21 13:21:18         12 testfile
$ aws --profile dev2 s3 presign s3://test/testfile
https://objects.dev.fcio.net/test/testfile?AWSAccessKeyId=03KAF2L1WU7PHIH0H66M&Signature=Oh1zNWA0TnHbdNCPerhlEEG%2FqHU%3D&Expires=1755084588
$ curl "https://objects.dev.fcio.net/test/testfile?AWSAccessKeyId=03KAF2L1WU7PHIH0H66M&Signature=Oh1zNWA0TnHbdNCPerhlEEG%2FqHU%3D&Expires=1755084588"
Hello World

@ctheune ctheune left a comment

Definitely on the right track, see the comments.

rgwMimeTypesFile = "${pkgs.mime-types}/etc/mime.types";
debugRados = "1 5";
rgwFrontends = "beast port=80";
rgwFrontends = "beast port=${radosListenPort}";
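Review bot: `beast port=${radosListenPort}` gives the frontend no address, so radosgw listens on every interface; per the Ceph frontend docs, `beast endpoint=<srv address>:${radosListenPort}` restricts the listener to the srv network so that only the local proxy and the peer proxies can reach it, with the existing firewall rule kept as a second layer.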
Member

please bind explicitly to srv (but also keep the firewall!)

Sets the listening address in the form address[:port], where the address is an IPv4 address string in dotted decimal form, or an IPv6 address in hexadecimal notation surrounded by square brackets. Specifying an IPv6 endpoint would listen to v6 only. The optional port defaults to 80 for endpoint and 443 for ssl_endpoint. Can be specified multiple times as in endpoint=[::1] endpoint=192.168.0.100:8000.

sto = fclib.network.sto;
in
lib.mkMerge [
(lib.mkOrder 700 ''
Member

those might be needed if we have to enable the port redirections again

@Ma27 Ma27 force-pushed the PL-128135-s3gw branch 2 times, most recently from 9ffbaac to 49fd404 Compare August 13, 2025 13:01
Maximilian Bosch added 2 commits August 25, 2025 11:04
PL-128135

We no longer let radosgw listen on port 80, but on port 7480 instead and
let the reverse proxy in front listen on port 80.

The haproxy in between uses other rgws belonging to the same cluster as
backup servers.

TLS termination is done with nginx. The ACME challenge is DNS-01 since
we usually have multiple RGW instances.
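The topology this commit message describes (local radosgw on 7480, a proxy owning port 80, the cluster's other RGWs as backup servers), as an added illustration written against the stock NixOS `services.haproxy` module; it is not this PR's module or fc-nixos code, and `srvAddr` and `peers` are placeholders for the values fclib would provide.

```nix
# Added illustration of the described topology, not the PR's own module.
# srvAddr and peers are placeholders for what fclib provides on a real host.
{ lib, ... }:
let
  srvAddr = "192.0.2.10";                       # placeholder srv address
  peers = [ "rgw-2.example" "rgw-3.example" ];  # placeholder peer RGWs
  radosListenPort = toString 7480;
  # One "backup" server line per peer RGW of the same cluster.
  backupServers = lib.concatMapStringsSep "\n" (p:
    "    server ${p} ${p}:${radosListenPort} check backup") peers;
in
{
  services.haproxy = {
    enable = true;
    config = ''
      defaults
          mode http
          timeout connect 5s
          timeout client  60s
          timeout server  60s

      frontend s3_http
          # Port 80 is now owned by the proxy, not by radosgw.
          bind ${srvAddr}:80
          default_backend rgw

      backend rgw
          # TCP health checks; the local RGW serves all traffic and the
          # peers only take over once it fails its checks.
          server local ${srvAddr}:${radosListenPort} check
      ${backupServers}
    '';
  };
}
```

Reachability of 7480 from the peer proxies is left to the existing srv-interface firewall rules, which this fragment does not change.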
Maximilian Bosch added 5 commits August 25, 2025 11:13
PL-128135

Upon working on PL-128135, I encountered a case where in the early setup
either 64 or 320 pgs were present breaking the test. Since this is
timing-related, only check that _at least_ 64 pgs are free.