New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Restic doesn't use S3 Dual-Stack endpoints, breaking IPv6 support #2129
Comments
Thanks for reporting this issue. It's indeed rooted in the minio-go library we're using for accessing s3. As far as I know it's necessary to contact s3 and then use the endpoint provided by s3 afterwards (for region configuration maybe?). Ping @harshavardhana, is it a good idea to always use the dualstack endpoints for s3 by default in minio-go? Here's the relevant documentation that I found: https://docs.aws.amazon.com/AmazonS3/latest/dev/dual-stack-endpoints.html |
Yes we can do that is dualstack endpoints always available ? |
Based on https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region S3 dualstack endpoints appear to be available in all non-China regions. @harshavardhana: Or did you mean/wonder something else? |
Okay then we can simply default to those endpoints instead and never have to change it. |
Cool! 👍 |
Anything I can/should help out with? |
Feel free to send a PR @andreaso to github.com/minio/minio-go |
Ok, will be doing that next year then :-) Feel I need to familiarize myself with the library a bit first, so that I'll be able to properly test my changes. |
Just a tip: don't over-complicate this, just make the change and test it with restic :) |
The [S3 dual-stack endpoints][1] map against both A and AAAA records, allowing the client to connect using either IPv4 or IPv6, depending on what is locally available. At this point there appear to be no IPv6 support for the China regions. Related to restic/restic#2129. [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/dual-stack-endpoints.html
The [S3 dual-stack endpoints][1] map against both A and AAAA records, allowing the client to connect using either IPv4 or IPv6, depending on what is locally available. At this point there appear to be no IPv6 support for the China regions. Related to restic/restic#2129. [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/dual-stack-endpoints.html
So, minio/minio-go#1055 at least partially improves the situation. You still have to explicitly provide the right dualstack endpoint to the minio/minio-go#1060 is also somewhat relevant to Restic, as it provides support for the new eu-north-1 region. These changes are available as of https://github.com/minio/minio-go/releases/tag/v6.0.12. I guess the next step would be a PR bumping Restic's minio-go version? On that note, what's the deal with the "incompatibility" of the current |
I'll update the version, the |
That's fixed as well @fd0 |
Hm, how so? I can see that there's now a |
Isn't you who should be doing that import ? @fd0 |
Yeah, every consumer of |
@harshavardhana I'm getting errors in our CI tests with AWS:
Is this a known issue? |
In this situation you haven't provided the right region
Can you check, will validate on our end as well . |
Hm, I'll have a look. It only fails occasionally, and only for Go 1.11. Our CI tests run with Go 1.9, 1.10 and 1.11, the former two pass the test... |
Doesn't look like S3 is tested with those older Go versions.
|
Oh I think the problem is perhaps in Redirect code which we have, perhaps S3 sends 301 without Location header and Go http is returning an error.. Can you provide a http trace of this situation ? using TraceOn etc? |
Oh wow, I forgot, thanks for the reminder @andreaso! I'll try to reproduce it locally, with a trace. |
Indeed, the credentials used for testing are not allowed to query the location, hm:
This worked before though, this was the IAM policy: {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1494536175000",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::restic-test-travis/*"
]
},
{
"Sid": "Stmt1494536236000",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::restic-test-travis"
]
}
]
} I've now added {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1494536175000",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::restic-test-travis/*"
]
},
{
"Sid": "Stmt1494536236000",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::restic-test-travis"
]
}
]
} Is this something that |
I just noticed: the error message is not helpful at all, and the last response also is not a 301, but a 403. Hm. At least the error message could be better :) |
Well at that situation minio-go automatically falls back to us-east-1 and then allows S3 to send a redirect, if we see a location header we redirect there too @fd0 - so in a way lot of things failed :-) Looks like for HEAD bucket S3 doesn't set a Location header but sets 301 nonetheless. Sort of incorrect HTTP standard implementation. HEAD doesn't have a body so Location header is the only way to redirect.
S3 has many regions and people have buckets in many different regions - it is cumbersome for users to keep typing this or statically configure it which allows them to not use other buckets in different regions. This is what AWS CLI or AWS SDKs lack. So minio-go uses GetBucketLocation() to fetch the region and construct the right URL based on the bucket. So yes you need those permissions. |
Using the HTTP request debugging built into restic we can get a bit more information: First, it tries to find out the location, response is 403:
Next, it tries listing the files, and gets a 301 response without a
|
Very odd that the service returns 301 without |
When minio-go version got upgraded to 6.0.14, NetApp S3 Object Storage is giving problems. |
Output of
restic version
How did you run restic exactly?
This being on an host with only IPv6 connectivity.
The S3 bucket arrakis-v6lab-restic have been pre-created within the eu-central-1 region.
The following environment variables have been defined for AWS access.
Doing the initial init attempt, based on example in documentation.
Followed up by explicitly providing a dual-stack endpoint.
Manually providing an IPv6 address for arrakis-v6lab-restic.s3-eu-central-1.amazonaws.com did the trick.
What backend/server/service did you use to store the repository?
AWS S3
Expected behavior
That restic would either use the S3 dual-stack endpoints by default, or that there would be a way to tell restic to do so.
Actual behavior
Restic uses IPv4-only S3 endpoints, unless "lied" to it.
Steps to reproduce the behavior
Do you have any idea what may have caused this?
After having used the initially provided S3 endpoint to lookup the bucket location restic/minio-go appear to construct a new IPv4-only S3 endpoint based on github.com/minio/minio-go/s3-endpoints.go.
Confirmed by the fact that the following monkey patching solved my immediate problem.
Do you have an idea how to solve the issue?
and/or.
Did restic help you or made you happy in any way?
The text was updated successfully, but these errors were encountered: