2021-08-18 19:18:49 +00:00
# Configuration
2022-04-06 14:31:32 +00:00
There are three ways to configure the S3 GW:
2022-07-18 13:06:39 +00:00
2022-04-06 14:31:32 +00:00
1. CLI parameters
2022-07-18 13:06:39 +00:00
2. YAML file
2022-04-06 14:31:32 +00:00
3. Environment variables
2021-08-18 19:18:49 +00:00
2022-07-18 13:06:39 +00:00
Everything available as a CLI parameter can also be specified via environment variables and almost everything can be
specified via `.yaml` configuration file.
2022-04-06 14:31:32 +00:00
2022-07-18 13:06:39 +00:00
But **not vice versa** , some parameters can be configured only with environment variables/configuration file.
Most of these parameters have default values, therefore, these ways to configure the gateway are optional and
2022-04-06 14:31:32 +00:00
basic configuration can be completed with CLI parameters only.
2022-04-27 07:15:46 +00:00
1. [CLI parameters ](#cli-parameters )
1. [Nodes and weights ](#nodes-and-weights )
2. [Wallet ](#wallet )
3. [Binding and TLS ](#listening-on-address-and-TLS )
4. [RPC endpoint and resolving of bucket names ](#rpc-endpoint-and-resolving-of-bucket-names )
5. [Processing of requests ](#processing-of-requests )
6. [Connection to NeoFS ](#connection-to-NeoFS )
7. [Monitoring and metrics ](#monitoring-and-metrics )
2. [YAML file and environment variables ](#yaml-file-and-environment-variables )
2022-07-18 13:06:39 +00:00
1. [Configuration file ](#neofs-s3-gateway-configuration-file )
2022-04-06 14:31:32 +00:00
## CLI parameters
### Nodes and weights
2021-08-18 19:18:49 +00:00
2021-08-19 12:46:41 +00:00
You can specify multiple `-p` options to add more NeoFS nodes; this will make
a gateway spread requests equally among them (using weight 1 for every node):
2021-08-18 19:18:49 +00:00
2022-04-06 14:31:32 +00:00
```shell
2021-08-18 19:18:49 +00:00
$ neofs-s3-gw -p 192.168.130.72:8080 -p 192.168.130.71:8080
```
2022-07-18 13:06:39 +00:00
2022-04-06 14:31:32 +00:00
If you want some specific load distribution proportions, use weights and priorities, they
2022-04-13 16:56:58 +00:00
can only be specified via environment variables or a configuration file.
2021-08-18 19:18:49 +00:00
2022-04-06 14:31:32 +00:00
### Wallet
2021-08-18 19:18:49 +00:00
2022-07-18 13:06:39 +00:00
Wallet (`--wallet`) is a mandatory parameter. It is a path to a wallet file. You can provide a passphrase to decrypt
2022-04-06 14:31:32 +00:00
a wallet via env variable or conf file, or you will be asked to enter a password interactively.
You can also specify an account address to use from a wallet using the `--address` parameter.
2021-08-18 19:18:49 +00:00
2022-04-06 14:31:32 +00:00
### Listening on address and TLS
2021-08-18 19:18:49 +00:00
2022-07-18 13:06:39 +00:00
You can make the gateway listen on specific address using the `--listen_address` option.
2021-08-18 19:18:49 +00:00
2021-08-19 12:46:41 +00:00
It can also provide TLS interface for its users, just specify paths to the key and
2021-08-18 19:18:49 +00:00
certificate files via `--tls.key_file` and `--tls.cert_file` parameters. Note
2022-04-13 16:56:58 +00:00
that using these options makes gateway TLS-only. If you need to serve both TLS
and plain text, you either have to run two gateway instances or use some
2021-08-18 19:18:49 +00:00
external redirecting solution.
2022-04-06 14:31:32 +00:00
Example to bind to `192.168.130.130:443` and serve TLS there (keys and nodes are
2021-08-18 19:18:49 +00:00
omitted):
2022-04-06 14:31:32 +00:00
```shell
2021-08-18 19:18:49 +00:00
$ neofs-s3-gw --listen_address 192.168.130.130:443 \
--tls.key_file=key.pem --tls.cert_file=cert.pem
```
2022-04-06 14:31:32 +00:00
### RPC endpoint and resolving of bucket names
2021-08-18 19:18:49 +00:00
2022-07-18 13:06:39 +00:00
To set RPC endpoint specify a value of parameter `-r` or `--rpc_endpoint` . The parameter is **required if** another
2022-04-14 18:10:57 +00:00
parameter's `--resolve_order` value contains `nns` .
2021-08-18 19:18:49 +00:00
2022-04-06 14:31:32 +00:00
```shell
2022-04-14 18:10:57 +00:00
$ neofs-s3-gw --rpc_endpoint http://morph-chain.neofs.devenv:30333/ --resolve_order nns,dns
2021-08-18 19:18:49 +00:00
```
2022-04-06 14:31:32 +00:00
### Processing of requests
2022-07-18 13:06:39 +00:00
Maximum number of clients whose requests can be handled by the gateway can be specified by the value of
`--max_clients_count` parameter.
`--max_clients_deadline` defines deadline after which the gate sends error `RequestTimeout` to a client.
2022-04-06 14:31:32 +00:00
```shell
$ neofs-s3-gw --max_clients_count 150 --max_clients_deadline 1m
2021-08-18 19:18:49 +00:00
```
2022-04-06 14:31:32 +00:00
### Connection to NeoFS
2021-08-18 19:18:49 +00:00
2022-07-18 13:06:39 +00:00
Timeout to connect to NeoFS nodes can be set with `--connect_timeout`
and timeout to check node health during rebalance`--healthcheck_timeout`.
2021-08-18 19:18:49 +00:00
2022-07-18 13:06:39 +00:00
Also, interval to check node health can be specified by `--rebalance_interval` value.
2021-08-18 19:18:49 +00:00
2022-04-06 14:31:32 +00:00
```shell
2022-04-14 15:09:57 +00:00
$ neofs-s3-gw --healthcheck_timeout 15s --connect_timeout 1m --rebalance_interval 1h
2021-08-18 19:18:49 +00:00
```
2022-04-06 14:31:32 +00:00
### Monitoring and metrics
2021-08-18 19:18:49 +00:00
2022-07-18 13:06:39 +00:00
Pprof and Prometheus are integrated into the gateway. To enable them, use `--pprof` and `--metrics` flags or
2022-04-06 14:31:32 +00:00
`S3_GW_PPROF` /`S3_GW_METRICS` environment variables.
2021-08-23 19:06:26 +00:00
2022-04-06 14:31:32 +00:00
## YAML file and environment variables
2021-08-23 19:06:26 +00:00
2022-07-18 13:06:39 +00:00
Example of a YAML configuration file: [yaml-example ](/config/config.yaml )
Examples of environment variables: [env-example ](/config/config.env ).
2021-08-23 19:06:26 +00:00
2022-04-06 14:31:32 +00:00
A path to a configuration file can be specified with `--config` parameter:
2021-08-18 19:18:49 +00:00
2022-04-06 14:31:32 +00:00
```shell
$ neofs-s3-gw --config your-config.yaml
2021-08-18 19:18:49 +00:00
```
2022-04-06 14:31:32 +00:00
2022-09-30 14:37:01 +00:00
### Reload on SIGHUP
Some config values can be reloaded on SIGHUP signal.
Such parameters have special mark in tables below.
You can send SIGHUP signal to app using the following command:
```shell
$ kill -s SIGHUP < app_pid >
```
Example:
```shell
$ ./bin/neofs-s3-gw --config config.yaml & > s3.log &
[1] 998346
$ cat s3.log
# ...
2022-09-30T17:38:22.338+0300 info s3-gw/app.go:371 application started {"name": "neofs-s3-gw", "version": "v0.24.0"}
# ...
$ kill -s SIGHUP 998346
$ cat s3.log
# ...
2022-09-30T17:38:40.909+0300 info s3-gw/app.go:491 SIGHUP config reload completed
```
2022-07-18 13:06:39 +00:00
### NeoFS S3 Gateway configuration file
This section contains detailed NeoFS S3 Gateway configuration file description
including default config values and some tips to set up configurable values.
There are some custom types used for brevity:
* `duration` -- string consisting of a number and a suffix. Suffix examples include `s` (seconds), `m` (minutes), `ms` (
milliseconds).
### Structure
2022-08-11 23:13:02 +00:00
| Section | Description |
|--------------|---------------------------------------------------|
| no section | [General parameters ](#general-section ) |
| `wallet` | [Wallet configuration ](#wallet-section ) |
| `peers` | [Nodes configuration ](#peers-section ) |
| `tls` | [TLS configuration ](#tls-section ) |
| `logger` | [Logger configuration ](#logger-section ) |
| `tree` | [Tree configuration ](#tree-section ) |
| `cache` | [Cache configuration ](#cache-section ) |
| `nats` | [NATS configuration ](#nats-section ) |
| `cors` | [CORS configuration ](#cors-section ) |
| `pprof` | [Pprof configuration ](#pprof-section ) |
| `prometheus` | [Prometheus configuration ](#prometheus-section ) |
| `neofs` | [Parameters of requests to NeoFS ](#neofs-section ) |
2022-07-18 13:06:39 +00:00
### General section
```yaml
listen_address: 0.0.0.0:8084
2022-08-30 10:52:37 +00:00
listen_domains:
- s3dev.neofs.devenv
- s3dev2.neofs.devenv
2022-07-21 06:20:30 +00:00
rpc_endpoint: http://morph-chain.neofs.devenv:30333
2022-07-18 13:06:39 +00:00
resolve_order:
- nns
- dns
2022-07-18 13:11:25 +00:00
connect_timeout: 10s
2022-07-18 13:06:39 +00:00
healthcheck_timeout: 15s
2022-07-18 13:11:25 +00:00
rebalance_interval: 60s
2022-07-29 06:26:11 +00:00
pool_error_threshold: 100
2022-07-18 13:06:39 +00:00
max_clients_count: 100
max_clients_deadline: 30s
default_policy: REP 3
2022-08-31 23:12:02 +00:00
allowed_access_key_id_prefixes:
- Ck9BHsgKcnwfCTUSFm6pxhoNS4cBqgN2NQ8zVgPjqZDX
- 3stjWenX15YwYzczMr88gy3CQr4NYFBQ8P7keGzH5QFn
2022-07-18 13:06:39 +00:00
```
2022-09-30 14:37:01 +00:00
| Parameter | Type | SIGHUP reload | Default value | Description |
|----------------------------------|------------|---------------|----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `listen_address` | `string` | | `0.0.0.0:8080` | The address that the gateway is listening on. |
| `listen_domains` | `[]string` | | | Domains to be able to use virtual-hosted-style access to bucket. |
| `rpc_endpoint` | `string` | yes | | The address of the RPC host to which the gateway connects to resolve bucket names (required to use the `nns` resolver). |
| `resolve_order` | `[]string` | yes | `[dns]` | Order of bucket name resolvers to use. Available resolvers: `dns` , `nns` . | |
| `connect_timeout` | `duration` | | `10s` | Timeout to connect to a node. |
| `healthcheck_timeout` | `duration` | | `15s` | Timeout to check node health during rebalance. |
| `rebalance_interval` | `duration` | | `60s` | Interval to check node health. |
| `pool_error_threshold` | `uint32` | | `100` | The number of errors on connection after which node is considered as unhealthy. |
| `max_clients_count` | `int` | | `100` | Limits for processing of clients' requests. |
| `max_clients_deadline` | `duration` | | `30s` | Deadline after which the gate sends error `RequestTimeout` to a client. |
| `default_policy` | `string` | | `REP 3` | Default policy of placing containers in NeoFS. If a user sends a request `CreateBucket` and doesn't define policy for placing of a container in NeoFS, the S3 Gateway will put the container with default policy. |
| `allowed_access_key_id_prefixes` | `[]string` | | | List of allowed `AccessKeyID` prefixes which S3 GW serve. If the parameter is omitted, all `AccessKeyID` will be accepted. |
2022-07-18 13:06:39 +00:00
### `wallet` section
```yaml
wallet:
2022-07-28 13:26:42 +00:00
path: /path/to/wallet.json # Path to wallet
passphrase: "" # Passphrase to decrypt wallet.
address: NfgHwwTi3wHAS8aFAN243C5vGbkYDpqLHP
2022-07-18 13:06:39 +00:00
```
2022-07-28 13:26:42 +00:00
| Parameter | Type | Default value | Description |
|--------------|----------|---------------|---------------------------------------------------------------------------|
| `path` | `string` | | Path to wallet |
| `passphrase` | `string` | | Passphrase to decrypt wallet. |
| `address` | `string` | | Account address to get from wallet. If omitted default one will be used. |
2022-07-18 13:06:39 +00:00
### `peers` section
```yaml
# Nodes configuration
# This configuration makes the gateway use the first node (node1.neofs:8080)
# while it's healthy. Otherwise, gateway uses the second node (node2.neofs:8080)
# for 10% of requests and the third node (node3.neofs:8080) for 90% of requests.
# Until nodes with the same priority level are healthy
# nodes with other priority are not used.
# The lower the value, the higher the priority.
peers:
0:
address: node1.neofs:8080
priority: 1
weight: 1
1:
address: node2.neofs:8080
priority: 2
weight: 0.1
2:
address: node3.neofs:8080
priority: 2
weight: 0.9
```
| Parameter | Type | Default value | Description |
|------------|----------|---------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|
| `address` | `string` | | Address of storage node. |
| `priority` | `int` | `1` | It allows to group nodes and don't switch group until all nodes with the same priority will be unhealthy. The lower the value, the higher the priority. |
| `weight` | `float` | `1` | Weight of node in the group with the same priority. Distribute requests to nodes proportionally to these values. |
2022-04-06 14:31:32 +00:00
2022-07-18 13:06:39 +00:00
### `tls` section
2022-04-06 14:31:32 +00:00
2022-07-18 13:06:39 +00:00
```yaml
tls:
cert_file: /path/to/cert
key_file: /path/to/key
```
2022-09-30 14:37:01 +00:00
| Parameter | Type | SIGHUP reload | Default value | Description |
|-------------|----------|---------------|---------------|------------------------------|
| `cert_file` | `string` | yes | | Path to the TLS certificate. |
| `key_file` | `string` | yes | | Path to the key. |
2022-07-18 13:06:39 +00:00
### `logger` section
```yaml
logger:
level: debug
```
2022-09-30 14:37:01 +00:00
| Parameter | Type | SIGHUP reload | Default value | Description |
|-----------|----------|---------------|---------------|----------------------------------------------------------------------------------------------------|
| `level` | `string` | yes | `debug` | Logging level.< br /> Possible values: `debug` , `info` , `warn` , `error` , `dpanic` , `panic` , `fatal` . |
2022-07-18 13:06:39 +00:00
2022-07-22 13:24:35 +00:00
### `tree` section
```yaml
tree:
service: s01.neofs.devenv:8080
```
| Parameter | Type | Default value | Description |
|-----------|----------|---------------|------------------------------------------------------------------------------------------------------------|
| `service` | `string` | | Endpoint of the tree service. Must be provided. Can be one of the node address (from the `peers` section). |
2022-07-18 13:06:39 +00:00
### `cache` section
```yaml
cache:
objects:
lifetime: 300s
size: 150
list:
lifetime: 1m
size: 100
names:
lifetime: 1m
size: 1000
buckets:
lifetime: 1m
size: 500
system:
lifetime: 2m
size: 1000
accessbox:
lifetime: 5m
size: 10
2022-10-03 14:36:09 +00:00
accesscontrol:
lifetime: 1m
size: 100000
2022-07-18 13:06:39 +00:00
```
2022-10-03 14:36:09 +00:00
| Parameter | Type | Default value | Description |
|-----------------|-----------------------------------|-----------------------------------|----------------------------------------------------------------------------------------|
| `objects` | [Cache config ](#cache-subsection ) | `lifetime: 5m` < br > `size: 1000000` | Cache for objects (NeoFS headers). |
| `list` | [Cache config ](#cache-subsection ) | `lifetime: 60s` < br > `size: 100000` | Cache which keeps lists of objects in buckets. |
| `names` | [Cache config ](#cache-subsection ) | `lifetime: 60s` < br > `size: 10000` | Cache which contains mapping of nice name to object addresses. |
| `buckets` | [Cache config ](#cache-subsection ) | `lifetime: 60s` < br > `size: 1000` | Cache which contains mapping of bucket name to bucket info. |
| `system` | [Cache config ](#cache-subsection ) | `lifetime: 5m` < br > `size: 10000` | Cache for system objects in a bucket: bucket settings, notification configuration etc. |
| `accessbox` | [Cache config ](#cache-subsection ) | `lifetime: 10m` < br > `size: 100` | Cache which stores access box with tokens by its address. |
| `accesscontrol` | [Cache config ](#cache-subsection ) | `lifetime: 1m` < br > `size: 100000` | Cache which stores owner to cache operation mapping. |
2022-07-18 13:06:39 +00:00
#### `cache` subsection
```yaml
lifetime: 2m
size: 1000
```
| Parameter | Type | Default value | Description |
|------------|------------|------------------|-------------------------------|
| `lifetime` | `duration` | depends on cache | Lifetime of entries in cache. |
| `size` | `int` | depends on cache | LRU cache size. |
### `nats` section
This is an advanced section, use with caution.
You can turn on notifications about successful completions of basic operations, and the gateway will send notifications
2022-04-06 14:31:32 +00:00
via NATS JetStream.
1. to configure the NATS server with JetStream
2022-07-18 13:06:39 +00:00
2. to specify NATS parameters for the S3 GW. It's ** *necessary*** to define a values of `nats.enable` or
`S3_GW_NATS_ENABLED` as `True`
2022-04-06 14:31:32 +00:00
3. to configure notifications in a bucket
2022-07-18 13:06:39 +00:00
```yaml
nats:
enabled: true
endpoint: nats://localhost:4222
timeout: 30s
cert_file: /path/to/cert
key_file: /path/to/key
root_ca: /path/to/ca
```
| Parameter | Type | Default value | Description |
|---------------|------------|---------------|------------------------------------------------------|
| `enabled` | `bool` | `false` | Flag to enable the service. |
| `endpoint` | `string` | | NATS endpoint to connect to. |
| `timeout` | `duration` | `30s` | Timeout for the object notification operation. |
| `certificate` | `string` | | Path to the client certificate. |
| `key` | `string` | | Path to the client key. |
| `ca` | `string` | | Override root CA used to verify server certificates. |
### `cors` section
```yaml
cors:
default_max_age: 600
```
| Parameter | Type | Default value | Description |
|-------------------|-------|---------------|------------------------------------------------------|
| `default_max_age` | `int` | `600` | Value of `Access-Control-Max-Age` header in seconds. |
2022-07-26 13:29:07 +00:00
# `pprof` section
Contains configuration for the `pprof` profiler.
```yaml
pprof:
enabled: true
address: localhost:8085
```
2022-09-30 14:37:01 +00:00
| Parameter | Type | SIGHUP reload | Default value | Description |
|-----------|----------|---------------|------------------|-----------------------------------------|
| `enabled` | `bool` | yes | `false` | Flag to enable the service. |
| `address` | `string` | yes | `localhost:8085` | Address that service listener binds to. |
2022-07-26 13:29:07 +00:00
# `prometheus` section
Contains configuration for the `prometheus` metrics service.
```yaml
prometheus:
enabled: true
address: localhost:8086
```
2022-09-30 14:37:01 +00:00
| Parameter | Type | SIGHUP reload | Default value | Description |
|-----------|----------|---------------|------------------|-----------------------------------------|
| `enabled` | `bool` | yes | `false` | Flag to enable the service. |
| `address` | `string` | yes | `localhost:8086` | Address that service listener binds to. |
2022-08-11 23:13:02 +00:00
# `neofs` section
2022-08-17 11:24:11 +00:00
Contains parameters of requests to NeoFS.
This value can be overridden with `X-Amz-Meta-Neofs-Copies-Number` header for `PutObject` , `CopyObject` , `CreateMultipartUpload` .
2022-08-11 23:13:02 +00:00
```yaml
neofs:
set_copies_number: 0
```
| Parameter | Type | Default value | Description |
|---------------------|----------|---------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `set_copies_number` | `uint32` | `0` | Number of the object copies to consider PUT to NeoFS successful. < br /> Default value `0` means that object will be processed according to the container's placement policy |
