Document s3 substitutions #2319

Merged
merged 1 commit into from Aug 1, 2018
Conversation

graham-at-target
Contributor

Ideally this will be backported to 2.0.x.

Ideally we could get an authoritative, minimal list of privileges required but it seems most people testing grant s3:*.

cc @shlevy

Member

@copumpkin copumpkin left a comment

Docs seem good & taught me stuff I didn't know about it, even though I use authenticated Nix S3 reads and writes dozens of times a day 😄

service.</para></listitem>

<listitem><para>The bucket must be within the
<literal>us-east-1</literal> region.</para></listitem>
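Review bot: the `<literal>us-east-1</literal>` requirement reads as a property of the bucket, but in this thread it is traced to the download path's hard-coded `Aws::Region::US_EAST_1` (marked `FIXME: make configurable` in the quoted source). Suggest wording it as a current limitation of the substituter's read path rather than a bucket requirement, so readers do not conclude buckets in other regions can never be used.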
Member

I suppose this is why it doesn't need s3:GetBucketLocation on reads? Seems like a problem 😦

<section xml:id="ssec-s3-substituter-authenticated-writes">
<title>Authenticated Writes to your S3-compatible binary cache</title>

<para>Nix support fully supports writing to Amazon S3 and S3
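Review bot: typo in the first sentence of the new section: `Nix support fully supports writing` should read `Nix fully supports writing`.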
Member

Why is the behavior so different between reads and writes?

Contributor Author

In short...

Download code:

#ifdef ENABLE_S3
    S3Helper s3Helper("", Aws::Region::US_EAST_1); // FIXME: make configurable
    auto slash = request.uri.find('/', 5);
    if (slash == std::string::npos)
        throw nix::Error("bad S3 URI '%s'", request.uri);
    std::string bucketName(request.uri, 5, slash - 5);
    std::string key(request.uri, slash + 1);

Upload code:

, s3Helper(profile, region)

The Upload code does a fancier arg parsing, which happens in a separate function:

ref<Store> openStore(const std::string & uri_,
    const Store::Params & extraParams)
{
    auto uri(uri_);
    Store::Params params(extraParams);
    auto q = uri.find('?');
    if (q != std::string::npos) {
        for (auto s : tokenizeString<Strings>(uri.substr(q + 1), "&")) {
            auto e = s.find('=');
            if (e != std::string::npos)
                params[s.substr(0, e)] = s.substr(e + 1);
        }
        uri = uri_.substr(0, q);
    }
and my C++-foo isn't strong enough with the time I have to rectify it :(.
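To make the read/write asymmetry concrete, here is an added, self-contained C++ mirror of the two parsers quoted above; it is not Nix's code and not the PR author's, and the function names `parseDownloadUri`, `parseStoreUri` and `effectiveRegion` are my own. It shows that the download path has no query-string handling at all, so a `?region=` suffix is swallowed into the object key while the region stays hard-coded, whereas the upload path strips `?profile=...&region=...` into a parameter map first.

```cpp
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>
#include <utility>

// Constructed stand-ins for the Nix types; not the project's own definitions.
struct S3Target { std::string bucket; std::string key; };
using Params = std::map<std::string, std::string>;

// Download path, as quoted in the thread: bucket is everything between
// "s3://" and the first '/', the key is the remainder. No '?' handling,
// so anything a user appends as a query string becomes part of the key.
S3Target parseDownloadUri(const std::string & uri)
{
    if (uri.compare(0, 5, "s3://") != 0)
        throw std::runtime_error("not an s3 URI: " + uri);
    auto slash = uri.find('/', 5);
    if (slash == std::string::npos)
        throw std::runtime_error("bad S3 URI '" + uri + "'");
    return { uri.substr(5, slash - 5), uri.substr(slash + 1) };
}

// Upload path (openStore): split "?a=b&c=d" off the URI into a map, which is
// how profile= and region= reach the writer. Tokens without '=' are dropped,
// matching the quoted loop. Returns {bare uri, params}.
std::pair<std::string, Params> parseStoreUri(const std::string & uri_)
{
    Params params;
    std::string uri = uri_;
    auto q = uri.find('?');
    if (q != std::string::npos) {
        std::istringstream ss(uri.substr(q + 1));
        std::string s;
        while (std::getline(ss, s, '&')) {
            auto e = s.find('=');
            if (e != std::string::npos) params[s.substr(0, e)] = s.substr(e + 1);
        }
        uri = uri_.substr(0, q);
    }
    return { uri, params };
}

// The asymmetry under discussion: reads always use the hard-coded region,
// writes honour region= from the URI (empty string here when none is given,
// an assumption of this example, not Nix's actual default).
std::string effectiveRegion(const std::string & uri, bool forWrite)
{
    if (!forWrite) return "us-east-1";
    auto params = parseStoreUri(uri).second;
    auto it = params.find("region");
    return it == params.end() ? std::string() : it->second;
}
```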

cache.</para>

<para>For AWS S3 the binary cache URL for example bucket will be
exactly <uri>https://example-bucket.s3.amazonaws.com</uri>. For S3
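Review bot: `For AWS S3 the binary cache URL for example bucket` is ambiguous between "for example" and "the bucket named example-bucket"; suggest `for a bucket named example-bucket`. Worth also stating that this is the virtual-hosted-style endpoint, since the AWS text quoted in this thread is what justifies omitting the region from the URL.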
Member

Contributor Author

No, DNS is sufficient:

In a virtual-hosted–style URL, you can use either of these endpoints. If you make a request to the http://bucket.s3.amazonaws.com endpoint, the DNS has sufficient information to route your request directly to the Region where your bucket resides.

Member

oh good to know :)
