frostfs-s3-gw/docs/configuration.md
Denis Kirillov 4646f0f445
Some checks failed
/ DCO (pull_request) Successful in 1m36s
/ Vulncheck (pull_request) Successful in 1m59s
/ Builds (1.20) (pull_request) Successful in 2m43s
/ Builds (1.21) (pull_request) Successful in 2m41s
/ Lint (pull_request) Failing after 2m51s
/ Tests (1.20) (pull_request) Successful in 2m58s
/ Tests (1.21) (pull_request) Successful in 1m40s
[#306] Add flag to enable old ACL bucket creation
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
2024-02-14 17:04:35 +03:00

39 KiB

Configuration

There are three ways to configure the S3 GW:

  1. CLI parameters
  2. YAML file
  3. Environment variables

Everything available as a CLI parameter can also be specified via environment variables and almost everything can be specified via .yaml configuration file.

But not vice versa, some parameters can be configured only with environment variables/configuration file. Most of these parameters have default values, therefore, these ways to configure the gateway are optional and basic configuration can be completed with CLI parameters only.

  1. CLI parameters
    1. Nodes and weights
    2. Wallet
    3. Binding and TLS
    4. RPC endpoint and resolving of bucket names
    5. Processing of requests
    6. Connection to FrostFS
    7. Monitoring and metrics
  2. YAML file and environment variables
    1. Configuration file

CLI parameters

Nodes and weights

You can specify multiple -p options to add more FrostFS nodes; this will make a gateway spread requests equally among them (using weight 1 for every node):

$ frostfs-s3-gw -p 192.168.130.72:8080 -p 192.168.130.71:8080

If you want some specific load distribution proportions, use weights and priorities, they can only be specified via environment variables or a configuration file.

Wallet

Wallet (--wallet) is a mandatory parameter. It is a path to a wallet file. You can provide a passphrase to decrypt a wallet via env variable or conf file, or you will be asked to enter a password interactively. You can also specify an account address to use from a wallet using the --address parameter.

Listening on address and TLS

You can make the gateway listen on specific address using the --listen_address option.

It can also provide TLS interface for its users, just specify paths to the key and certificate files via --tls.key_file and --tls.cert_file parameters. Note that using these options makes gateway TLS-only. If you need to serve both TLS and plain text, you either have to run two gateway instances or use some external redirecting solution.

Example to bind to 192.168.130.130:443 and serve TLS there (keys and nodes are omitted):

$ frostfs-s3-gw --listen_address 192.168.130.130:443 \
  --tls.key_file=key.pem --tls.cert_file=cert.pem

Using these flag you can configure only one address. To set multiple addresses use yaml config.

RPC endpoint and resolving of bucket names

To set RPC endpoint specify a value of parameter -r or --rpc_endpoint. The parameter is required if another parameter's --resolve_order value contains nns.

$ frostfs-s3-gw --rpc_endpoint http://morph-chain.frostfs.devenv:30333/ --resolve_order nns,dns

Processing of requests

Maximum number of clients whose requests can be handled by the gateway can be specified by the value of --max_clients_count parameter. --max_clients_deadline defines deadline after which the gate sends error RequestTimeout to a client.

$ frostfs-s3-gw --max_clients_count 150 --max_clients_deadline 1m

Connection to FrostFS

Timeout to connect to FrostFS nodes can be set with --connect_timeout and timeout to check node health during rebalance--healthcheck_timeout.

Also, interval to check node health can be specified by --rebalance_interval value.

$ frostfs-s3-gw --healthcheck_timeout 15s --connect_timeout 1m --rebalance_interval 1h

Monitoring and metrics

Pprof and Prometheus are integrated into the gateway. To enable them, use --pprof and --metrics flags or S3_GW_PPROF_ENABLED/S3_GW_PROMETHEUS_ENABLED environment variables.

YAML file and environment variables

Example of a YAML configuration file: yaml-example Examples of environment variables: env-example.

A path to a configuration file can be specified with --config parameter:

$ frostfs-s3-gw --config your-config.yaml

Multiple configs

You can use several config files when running application. It allows you to split configuration into parts. For example, you can use separate yaml file for pprof and prometheus section in config (see config examples). You can either provide several files with repeating --config flag or provide path to the dir that contains all configs using --config-dir flag. Also, you can combine these flags:

$ frostfs-s3-gw --config ./config/config.yaml --config /your/partial/config.yaml --config-dir ./config/dir

Note: next file in --config flag overwrites values from the previous one. Files from --config-dir directory overwrite values from --config files. So the command above run frostfs-s3-gw to listen on 0.0.0.0:8080 address (value from ./config/config.yaml), applies parameters from /your/partial/config.yaml, enable pprof (value from ./config/dir/pprof.yaml) and prometheus (value from ./config/dir/prometheus.yaml).

Reload on SIGHUP

Some config values can be reloaded on SIGHUP signal. Such parameters have special mark in tables below.

You can send SIGHUP signal to app using the following command:

$ kill -s SIGHUP <app_pid>

Example:

$ ./bin/frostfs-s3-gw --config config.yaml  &> s3.log &
[1] 998346

$ cat s3.log
# ...
2022-09-30T17:38:22.338+0300    info    s3-gw/app.go:371        application started     {"name": "frostfs-s3-gw", "version": "v0.24.0"}
# ...

$ kill -s SIGHUP 998346

$ cat s3.log
# ...
2022-09-30T17:38:40.909+0300    info    s3-gw/app.go:491        SIGHUP config reload completed

FrostFS S3 Gateway configuration file

This section contains detailed FrostFS S3 Gateway configuration file description including default config values and some tips to set up configurable values.

There are some custom types used for brevity:

  • duration -- string consisting of a number and a suffix. Suffix examples include s (seconds), m (minutes), ms ( milliseconds).

Structure

Section Description
no section General parameters
wallet Wallet configuration
peers Nodes configuration
placement_policy Placement policy configuration
server Server configuration
control Control API configuration
logger Logger configuration
cache Cache configuration
nats NATS configuration
cors CORS configuration
pprof Pprof configuration
prometheus Prometheus configuration
tracing Tracing configuration
frostfs Parameters of requests to FrostFS
resolve_bucket Bucket name resolving configuration
kludge Different kludge configuration
runtime Runtime configuration
features Features configuration
web Web server configuration
frostfsid FrostfsID configuration
policy Policy contract configuration
proxy Proxy contract configuration
namespaces Namespaces configuration

General section

listen_domains:
   - s3dev.frostfs.devenv
   - s3dev2.frostfs.devenv

rpc_endpoint: http://morph-chain.frostfs.devenv:30333
resolve_order:
  - nns
  - dns

connect_timeout: 10s
stream_timeout: 10s
healthcheck_timeout: 15s
rebalance_interval: 60s
pool_error_threshold: 100

max_clients_count: 100
max_clients_deadline: 30s

allowed_access_key_id_prefixes:
   - Ck9BHsgKcnwfCTUSFm6pxhoNS4cBqgN2NQ8zVgPjqZDX
   - 3stjWenX15YwYzczMr88gy3CQr4NYFBQ8P7keGzH5QFn
Parameter Type SIGHUP reload Default value Description
listen_domains []string no Domains to be able to use virtual-hosted-style access to bucket.
rpc_endpoint string no The address of the RPC host to which the gateway connects to resolve bucket names and interact with frostfs contracts (required to use the nns resolver and frostfsid contract).
resolve_order []string yes [dns] Order of bucket name resolvers to use. Available resolvers: dns, nns.
connect_timeout duration no 10s Timeout to connect to a node.
stream_timeout duration no 10s Timeout for individual operations in streaming RPC.
healthcheck_timeout duration no 15s Timeout to check node health during rebalance.
rebalance_interval duration no 60s Interval to check node health.
pool_error_threshold uint32 no 100 The number of errors on connection after which node is considered as unhealthy.
max_clients_count int no 100 Limits for processing of clients' requests.
max_clients_deadline duration no 30s Deadline after which the gate sends error RequestTimeout to a client.
allowed_access_key_id_prefixes []string no List of allowed AccessKeyID prefixes which S3 GW serve. If the parameter is omitted, all AccessKeyID will be accepted.

wallet section

wallet:
   path: /path/to/wallet.json # Path to wallet
   passphrase: "" # Passphrase to decrypt wallet.
   address: NfgHwwTi3wHAS8aFAN243C5vGbkYDpqLHP
Parameter Type Default value Description
path string Path to wallet
passphrase string Passphrase to decrypt wallet.
address string Account address to get from wallet. If omitted default one will be used.

peers section

# Nodes configuration
# This configuration makes the gateway use the first node (node1.frostfs:8080)
# while it's healthy. Otherwise, gateway uses the second node (node2.frostfs:8080)
# for 10% of requests and the third node (node3.frostfs:8080) for 90% of requests.
# Until nodes with the same priority level are healthy
# nodes with other priority are not used.
# The lower the value, the higher the priority.
peers:
  0:
    address: node1.frostfs:8080
    priority: 1
    weight: 1
  1:
    address: node2.frostfs:8080
    priority: 2
    weight: 0.1
  2:
    address: node3.frostfs:8080
    priority: 2
    weight: 0.9
Parameter Type Default value Description
address string Address of storage node.
priority int 1 It allows to group nodes and don't switch group until all nodes with the same priority will be unhealthy. The lower the value, the higher the priority.
weight float 1 Weight of node in the group with the same priority. Distribute requests to nodes proportionally to these values.

placement_policy section

placement_policy:
  default: REP 3
  region_mapping: /path/to/mapping/rules.json
  copies_numbers:
    - location_constraint: one-dc
      vector:
        - 1
        - 2
        - 3
Parameter Type SIGHUP reload Default value Description
default string yes REP 3 Default policy of placing containers in FrostFS. If a user sends a request CreateBucket and doesn't define policy for placing of a container in FrostFS, the S3 Gateway will put the container with default policy.
region_mapping string yes Path to file that maps aws LocationContraint values to FrostFS placement policy. The similar to --container-policy flag in frostfs-s3-authmate util, see in docs
copies_numbers []Copies numbers no Array of configured location constraints and their copies numbers.

File for region_mapping must contain something like this:

{
   "rep-3": "REP 3",
   "complex": "REP 1 IN X CBF 1 SELECT 1 FROM * AS X",
   "example-json-policy": "{\"replicas\":[{\"count\":3,\"selector\":\"SelASD0\"}],\"container_backup_factor\":3,\"selectors\":[{\"name\":\"SelASD0\",\"count\":3,\"filter\":\"*\"}],\"filters\":[]}"
}

Note: on SIGHUP reload policies will be updated only if both parameters are valid. So if you change default to some valid value and set invalid path in region_mapping the default value won't be changed.

copies_numbers subsection

- location_constraint: sample-01
  vector:
    - 1
    - 2
    - 3
Parameter Type SIGHUP reload Default value Description
location_constraint string no Location constraint text label.
vector []int no Array of copies numbers corresponding to the constraint.

server section

You can specify several listeners for server. For example, for http and https.

server:
  - address: 0.0.0.0:8080
    tls:
      enabled: false
      cert_file: /path/to/cert
      key_file: /path/to/key
  - address: 0.0.0.0:8081
    tls:
      enabled: true
      cert_file: /path/to/another/cert
      key_file: /path/to/another/key
Parameter Type SIGHUP reload Default value Description
address string 0.0.0.0:8080 The address that the gateway is listening on.
tls.enabled bool false Enable TLS or not.
tls.cert_file string yes Path to the TLS certificate.
tls.key_file string yes Path to the key.

control section

Control API parameters.

control:
  authorized_keys:  
    - 035839e45d472a3b7769a2a1bd7d54c4ccd4943c3b40f547870e83a8fcbfb3ce11
    - 028f42cfcb74499d7b15b35d9bff260a1c8d27de4f446a627406a382d8961486d6
  grpc:
    endpoint: localhost:8083
Parameter Type SIGHUP reload Default value Description
authorized_keys []string yes List of hex-encoded public keys that have rights to use the Control Service.
grpc.endpoint string localhost:8083 Endpoint that is listened by the Control Service.

logger section

logger:
  level: debug
  destination: stdout
Parameter Type SIGHUP reload Default value Description
level string yes debug Logging level.
Possible values: debug, info, warn, error, dpanic, panic, fatal.
destination string no stdout Destination for logger: stdout or journald

cache section

cache:
  objects:
    lifetime: 300s
    size: 150
  list:
    lifetime: 1m
    size: 100
  list_session:
    lifetime: 1m
    size: 100
  names:
    lifetime: 1m
    size: 1000
  buckets:
    lifetime: 1m
    size: 500
  system:
    lifetime: 2m
    size: 1000
  accessbox:
    removing_check_interval: 5m
    lifetime: 10m
    size: 100
  accesscontrol:
    lifetime: 1m
    size: 100000
  morph_policy:
    lifetime: 30s
    size: 10000
Parameter Type Default value Description
objects Cache config lifetime: 5m
size: 1000000
Cache for objects (FrostFS headers).
list Cache config lifetime: 60s
size: 100000
Cache which keeps lists of objects in buckets.
list_session Cache config lifetime: 60s
size: 100
Cache which keeps listing session.
names Cache config lifetime: 60s
size: 10000
Cache which contains mapping of nice name to object addresses.
buckets Cache config lifetime: 60s
size: 1000
Cache which contains mapping of bucket name to bucket info.
system Cache config lifetime: 5m
size: 10000
Cache for system objects in a bucket: bucket settings, notification configuration etc.
accessbox Accessbox cache config lifetime: 10m
size: 100
Cache which stores access box with tokens by its address.
accesscontrol Cache config lifetime: 1m
size: 100000
Cache which stores owner to cache operation mapping.
morph_policy Cache config lifetime: 1m
size: 10000
Cache which stores list of policy chains.

cache subsection

lifetime: 2m
size: 1000
Parameter Type Default value Description
lifetime duration depends on cache Lifetime of entries in cache.
size int depends on cache LRU cache size.

accessbox subsection


lifetime: 10m
size: 100
Parameter Type Default value Description
removing_check_interval duration `5m' Time after which creds should be checked for removal.
lifetime duration '10m' Lifetime of entries in cache.
size int '100 LRU cache size.

nats section

This is an advanced section, use with caution. You can turn on notifications about successful completions of basic operations, and the gateway will send notifications via NATS JetStream.

  1. to configure the NATS server with JetStream
  2. to specify NATS parameters for the S3 GW. It's necessary to define a values of nats.enable or S3_GW_NATS_ENABLED as True
  3. to configure notifications in a bucket
nats:
  enabled: true
  endpoint: nats://localhost:4222
  timeout: 30s
  cert_file: /path/to/cert
  key_file: /path/to/key
  root_ca: /path/to/ca
Parameter Type Default value Description
enabled bool false Flag to enable the service.
endpoint string NATS endpoint to connect to.
timeout duration 30s Timeout for the object notification operation.
certificate string Path to the client certificate.
key string Path to the client key.
ca string Override root CA used to verify server certificates.

cors section

cors:
  default_max_age: 600
Parameter Type Default value Description
default_max_age int 600 Value of Access-Control-Max-Age header in seconds.

pprof section

Contains configuration for the pprof profiler.

pprof:
  enabled: true
  address: localhost:8085
Parameter Type SIGHUP reload Default value Description
enabled bool yes false Flag to enable the service.
address string yes localhost:8085 Address that service listener binds to.

prometheus section

Contains configuration for the prometheus metrics service. General metrics are available on /metrics url path, billing metrics on /metrics/billing.

prometheus:
  enabled: true
  address: localhost:8086
Parameter Type SIGHUP reload Default value Description
enabled bool yes false Flag to enable the service.
address string yes localhost:8086 Address that service listener binds to.

tracing section

Contains configuration for the tracing service.

tracing:
  enabled: false
  exporter: "otlp_grpc"
  endpoint: "localhost:4318"
Parameter Type SIGHUP reload Default value Description
enabled bool yes false Flag to enable the service.
exporter string yes `` Type of tracing exporter.
endpoint string yes `` Address that service listener binds to.

frostfs section

Contains parameters of requests to FrostFS.

The set_copies_number value can be overridden with X-Amz-Meta-Frostfs-Copies-Number (value is comma separated numbers: 1,2,3) header for PutObject, CopyObject, CreateMultipartUpload.

frostfs:
  set_copies_number: [0]
  client_cut: false
  buffer_max_size_for_put: 1048576 # 1mb
  tree_pool_max_attempts: 0
Parameter Type SIGHUP reload Default value Description
set_copies_number []uint32 yes [0] Numbers of the object copies (for each replica) to consider PUT to FrostFS successful.
Default value [0] or empty list means that object will be processed according to the container's placement policy
client_cut bool yes false This flag enables client side object preparing.
buffer_max_size_for_put uint64 yes 1048576 Sets max buffer size for read payload in put operations.
tree_pool_max_attempts uint32 no 0 Sets max attempt to make successful tree request. Value 0 means the number of attempts equals to number of nodes in pool.

resolve_bucket section

Bucket name resolving parameters from and to container ID.

resolve_bucket:
  namespace_header: X-Frostfs-Namespace
  allow:
    - container
  deny:
Parameter Type SIGHUP reload Default value Description
namespace_header string yes X-Frostfs-Namespace Header to determine zone to resolve bucket name.
allow []string no List of container zones which are available to resolve. Mutual exclusive with deny list. Prioritized over deny list.
deny []string no List of container zones which are restricted to resolve. Mutual exclusive with allow list.

kludge section

Workarounds for non-standard use cases.

kludge:
  use_default_xmlns: false
  bypass_content_encoding_check_in_chunks: false
  default_namespaces: [ "", "root" ]
  acl_enabled: false
Parameter Type SIGHUP reload Default value Description
use_default_xmlns bool yes false Enable using default xml namespace http://s3.amazonaws.com/doc/2006-03-01/ when parse xml bodies.
bypass_content_encoding_check_in_chunks bool yes false Use this flag to be able to use chunked upload approach without having aws-chunked value in Content-Encoding header.
default_namespaces []string yes ["","root"] Namespaces that should be handled as default.
acl_enabled bool yes false Enable bucket/object ACL support for newly created buckets.

runtime section

Contains runtime parameters.

runtime:
  soft_memory_limit: 1gb
Parameter Type SIGHUP reload Default value Description
soft_memory_limit size yes maxint64 Soft memory limit for the runtime. Zero or no value stands for no limit. If GOMEMLIMIT environment variable is set, the value from the configuration file will be ignored.

features section

Contains parameters for enabling features.

features:
   policy:
      deny_by_default: false
   md5:
      enabled: false
Parameter Type SIGHUP reload Default value Description
md5.enabled bool yes false Flag to enable return MD5 checksum in ETag headers and fields.
policy.deny_by_default bool yes false Enable denying access for request that doesn't match any policy chain rules.

web section

Contains web server configuration parameters.

web:
  read_timeout: 0
  read_header_timeout: 30s
  write_timeout: 0
  idle_timeout: 30s
Parameter Type SIGHUP reload Default value Description
read_timeout duration no 0 The maximum duration for reading the entire request, including the body. A zero or negative value means there will be no timeout.
read_header_timeout duration no 30s The amount of time allowed to read request headers. If read_header_timeout is zero, the value of read_timeout is used. If both are zero, there is no timeout.
write_timeout duration no 0 The maximum duration before timing out writes of the response. A zero or negative value means there will be no timeout.
idle_timeout duration no 30s The maximum amount of time to wait for the next request when keep-alives are enabled. If idle_timeout is zero, the value of read_timeout is used. If both are zero, there is no timeout.

frostfsid section

FrostfsID contract configuration. To enable this functionality the rpc_endpoint param must be also set.

frostfsid:
  contract: frostfsid.frostfs
  validation:
   enabled: false
Parameter Type SIGHUP reload Default value Description
contract string no frostfsid.frostfs FrostfsID contract hash (LE) or name in NNS.
validation.enabled bool no false Enables a check to only allow requests to users registered in the FrostfsID contract.

policy section

Policy contract configuration. To enable this functionality the rpc_endpoint param must be also set.

policy:
  enabled: false
  contract: policy.frostfs
Parameter Type SIGHUP reload Default value Description
enabled bool no true Enables using policies from Policy contract to check permissions.
contract string no policy.frostfs Policy contract hash (LE) or name in NNS.

proxy section

Proxy contract configuration. To enable this functionality the rpc_endpoint param must be also set.

proxy:
  contract: proxy.frostfs
Parameter Type SIGHUP reload Default value Description
contract string no proxy.frostfs Proxy contract hash (LE) or name in NNS.

namespaces section

Namespaces configuration.

namespaces:
  config: namespace.json
Parameter Type SIGHUP reload Default value Description
config string yes Path to json file with config value for namespaces.

namespaces.config subsection

Example of namespaces.json. Note that config values from namespaces.json can override config values for default namespaces (value for which are fetched from regular config value e.g. placement-policy). To override config values for default namespaces use namespace names that are provided in kludge.default_namespaces.

{
  "namespaces": {
    "namespace1": {
      "location_constraints": {
        "default": "REP 3",
        "test": "{\"replicas\":[{\"count\":1,\"selector\":\"\"}],\"containerBackupFactor\":0,\"selectors\":[],\"filters\":[],\"unique\":false}"
      },
      "copies_numbers": {
        "default": [ 0 ],
        "test": [ 1 ]
      }
    }
  }
}