It seems that something is "confusing" the authentication. My setup has the Swift proxy and the Keystone authentication service on different servers.
Now i have this error: $ amlabel DailySet1 DailySet1-1 slot 1 Reading label... Error reading volume label: s3_open2 failed: This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required. Authentication required (Unauthorized) (HTTP 401) Not writing label. amanda.conf is: org "DailySet1" infofile "/srv/amanda/state/curinfo" logdir "/srv/amanda/state/log" indexdir "/srv/amanda/state/index" dumpuser "amandabackup" mailto "xxxxxxxxxxxxxxxx" define tapetype S3 { comment "S3 Bucket" length 100 gigabytes # Bucket size } device_property "S3_SUBDOMAIN" "no" device_property "S3_SSL" "ON" # Curl needs to have S3 Certification Authority (Verisign today) # in its CA list. If connection fails, try setting this no NO device_property "S3_STORAGE_CLASS" "STANDARD" device-property "SSL_CA_INFO" "/etc/amanda/xxxxxxxx.ca-bundle" device-property "S3_HOST" "<swift-proxy-url>:443" device-property "VERBOSE" "YES" device-property "S3_SERVICE_PATH" "/v2.0/tokens" device-property "LEOM" "on" device-property "STORAGE_API" "SWIFT-2.0" device-property "USERNAME" "amanda" device-property "PASSWORD" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" device-property "TENANT_NAME" "xxxxxxxxx" device-property "TENANT_ID" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" tpchanger "chg-multi:s3:xxxxxxxxxxxxxxxxxxxxxxxxxx-backups/DailySet1/slot-{01,02,03,04,05,06,07,08,09,10}" # Number of tapes in your "tapecycle" changerfile "s3-statefile" # Amanda will create this file tapetype S3 define dumptype simple-gnutar-remote { auth "ssh" ssh_keys "/etc/amanda/MyConfig/ssh-key" compress none program "GNUTAR" } holdingdisk hd1 { directory "/srv/amanda/holding" use 200 gbytes chunksize 1 mbyte } log now has this: # cat amlabel.20130620111031.debug Thu Jun 20 11:10:31 2013: thd-0x1da6200: amlabel: pid 10078 ruid 63998 euid 63998 version 3.3.3: start at Thu Jun 20 11:10:31 2013 Thu Jun 20 11:10:31 2013: thd-0x1da6200: amlabel: Arguments: DailySet1 DailySet1-1 slot 1 Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: pid 10078 ruid 63998 euid 63998 version 3.3.3: rename at Thu Jun 20 11:10:32 2013 Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: Using state file: /etc/amanda/DailySet1/s3-statefile Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: S3 driver using bucket 'xxxxxxxxxxxxxxxxxxxxx-backups', prefix 'DailySet1/slot-01' Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: Create 1 threads Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: About to connect() to <swift-proxy-url> port 443 (#0) Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: Trying xx.xx.xx.xx... Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: connected Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: successfully set certificate verify locations: Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: CAfile: /etc/amanda/xxxxxxxxx.ca-bundle Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: CApath: /etc/ssl/certs Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: SSLv3, TLS handshake, Client hello (1): Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: SSLv3, TLS handshake, Server hello (2): Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: SSLv3, TLS handshake, CERT (11): Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: SSLv3, TLS handshake, Server key exchange (12): Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: SSLv3, TLS handshake, Server finished (14): Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: SSLv3, TLS handshake, Client key exchange (16): Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: SSLv3, TLS change cipher, Client hello (1): Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: SSLv3, TLS handshake, Finished (20): Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: SSLv3, TLS change cipher, Client hello (1): Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: SSLv3, TLS handshake, Finished (20): Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: SSL connection using DHE-RSA-AES256-SHA Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Server certificate: Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: subject: OU=Domain Control Validated; OU=EssentialSSL Wildcard; CN=*.xxxxxxxxxxx.com Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: start date: 2013-05-08 00:00:00 GMT Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: expire date: 2015-05-08 23:59:59 GMT Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: subjectAltName: xxxxxxx.xxxxxxxx.com matched Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=EssentialSSL CA Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: SSL certificate verify ok. Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr Out: POST /v2.0/tokens HTTP/1.1 Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr Out: Host: <swift-proxy-url> Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr Out: Accept: application/xml Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr Out: Content-MD5: m0S+mtU2RZBQOvfrYImepw== Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr Out: Content-Length: 315 Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr Out: Content-Type: application/xml Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr Out: Date: Thu, 20 Jun 2013 11:10:32 GMT Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr Out: Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Data Out: <?xml version="1.0" encoding="UTF-8"?><auth xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://docs.openstack.org/identity/api/v2.0" tenantId="xxxxxxxxxxxxxxxxxxxxxxxxxxxx" tenantName="xxxxxxxxx"><passwordCredentials username="amanda" password="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"/></auth> Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: We are completely uploaded and fine Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr In: HTTP/1.1 401 Unauthorized Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr In: Www-Authenticate: Keystone uri='https://<keystone-server-url>:5000' Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr In: Content-Length: 276 Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr In: Content-Type: text/plain; charset=UTF-8 Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr In: X-Trans-Id: tx674cf7aee54240ed9efc639d1fd2d2ff Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr In: Date: Thu, 20 Jun 2013 11:10:33 GMT Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Time Offset (remote - local) :0 Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr In: Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Connection #0 to host <swift-proxy-url> left intact Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: POST https://<swift-proxy-url>:443/v2.0/tokens failed with 401/Unauthorized Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Device s3:xxxxxxxxxxxxxxxxxxxxxxxx-backups/DailySet1/slot-01 error = 's3_open2 failed: This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required. Authentication required (Unauthorized) (HTTP 401)' Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Device s3:xxxxxxxxxxxxxxxxxxxxxxxxxxxx-backups/DailySet1/slot-01 setting status flag(s): DEVICE_STATUS_DEVICE_ERROR Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Closing connection #0 Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: SSLv3, TLS alert, Client hello (1): Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: pid 10078 finish time Thu Jun 20 11:10:33 2013 It seems that amanda does not ask the keystone server for a token, instead it tries to get it from the swift proxy, but maybe i'm wrong. Any help would be appreciated. Thanks in advance. Stratos. On Wed, Jun 19, 2013 at 8:32 PM, Stratos Zolotas <str...@gmail.com> wrote: > Hi Jean-Louis, thanks for the reply. I will try and report back. > > Do you any info regarding supporting S3 on Openstack? > > Thanks again. > > On Wed, Jun 19, 2013 at 8:28 PM, Jean-Louis Martineau > <martin...@zmanda.com> wrote: >> Stratos, >> >> S3 compatibility of OpenStack is not tested, you must use the SWIFT-2.0 api. >> You must specify 3 of USERNAME. PASSWORD, TENANT_NAME or TENANT_ID. >> >> define changer openstack { >> tpchanger >> "chg-multi:s3:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-backups/DailySet/slot-{01,02,03,04,05,06,07,08,09,10}" >> device_property "S3_SUBDOMAIN" "no" >> device_property "S3_SSL" "ON" >> device_property "S3_STORAGE_CLASS" "STANDARD" >> >> device-property "SSL_CA_INFO" "/etc/amanda/xxxxxxxxx.ca-bundle" >> device-property "S3_HOST" "xxxxxxxxxxxxxxxxxxxxx:443" >> device-property "VERBOSE" "YES" >> device-property "S3_SERVICE_PATH" "/v2.0/tokens" >> device_property "LEOM" "on" >> device-property "STORAGE_API" "SWIFT-2.0" >> device_property "USERNAME" "???" >> device_property "PASSWORD" "????" >> device_property "TENANT_NAME" "???" >> device_property "TENANT_ID" "???" >> >> } >> tpchanger "openstack" >> >> >> Jean-Louis >> >> >> On 06/19/2013 12:56 PM, Stratos Zolotas wrote: >>> >>> Hi, it is my first post and just a few days with amanda. >>> >>> I'm trying to configure backups on Openstack's Swift using S3. I have >>> the following error: >>> >>> $ amlabel DailySet1 DailySet1-1 slot 1 >>> Reading label... >>> Error reading volume label: While trying to read tapestart header: >>> Unknown S3 error (None) (HTTP 403) >>> Not writing label. >>> >>> >>> amlabel.log has this: >>> >>> Fri Jun 14 21:57:33 2013: thd-0x13b5400: amlabel: pid 23948 ruid 63998 >>> euid 63998 version 3.3.3: start at Fri Jun 14 21:57:33 2013 >>> Fri Jun 14 21:57:33 2013: thd-0x13b5400: amlabel: Arguments: DailySet1 >>> DailySet1-1 slot 1 >>> Fri Jun 14 21:57:33 2013: thd-0x13b5400: amlabel: pid 23948 ruid 63998 >>> euid 63998 version 3.3.3: rename at Fri Jun 14 21:57:33 2013 >>> Fri Jun 14 21:57:33 2013: thd-0x13b5400: amlabel: Using state file: >>> /etc/amanda/DailySet1/s3-statefile >>> Fri Jun 14 21:57:33 2013: thd-0x13b5400: amlabel: S3 driver using >>> bucket 'xxxxxxxxxxxxxxxxxxxxxxxx-backups', prefix 'DailySet1/slot-01' >>> Fri Jun 14 21:57:33 2013: thd-0x13b5400: amlabel: Create 1 threads >>> Fri Jun 14 21:57:35 2013: thd-0x13b5400: amlabel: GET >>> >>> https://xxxxxxxxxxxxxxx.com:443/xxxxxxxxxxxxxxxxxxxxxxxxxxx-backups/DailySet1%2Fslot-01special-tapestart >>> failed with 403/None >>> Fri Jun 14 21:57:35 2013: thd-0x13b5400: amlabel: Device >>> s3:xxxxxxxxxxxxxxxxxxxxxxxxxx-backups/DailySet1/slot-01 error = 'While >>> trying to read tapestart header: Unknown S3 error (None) (HTTP 403)' >>> Fri Jun 14 21:57:35 2013: thd-0x13b5400: amlabel: Device >>> s3:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx-backups/DailySet1/slot-01 setting >>> status flag(s): DEVICE_STATUS_DEVICE_ERROR, and >>> DEVICE_STATUS_VOLUME_ERROR >>> Fri Jun 14 21:57:35 2013: thd-0x13b5400: amlabel: pid 23948 finish >>> time Fri Jun 14 21:57:35 2013 >>> >>> My amanda.conf is: >>> >>> org "DailySet1" >>> infofile "/srv/amanda/state/curinfo" >>> logdir "/srv/amanda/state/log" >>> indexdir "/srv/amanda/state/index" >>> dumpuser "amandabackup" >>> mailto "operati...@xxxxxxxxxx.com" >>> >>> define tapetype S3 { >>> comment "S3 Bucket" >>> length 100 gigabytes # Bucket size >>> } >>> >>> device_property "S3_ACCESS_KEY" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" # >>> Your S3 Access Key >>> device_property "S3_SECRET_KEY" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" # >>> Your S3 Secret Key >>> >>> device_property "S3_SSL" "ON" # >>> Curl needs to have S3 Certification Authority (Verisign today) >>> >>> # in its CA list. If connection fails, try setting this no NO >>> device-property "SSL_CA_INFO" "/etc/amanda/xxxxxxxxx.ca-bundle" >>> device-property "S3_HOST" "xxxxxxxxxxxxxxxxxxxxx:443" >>> >>> tpchanger >>> "chg-multi:s3:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-backups/DailySet1/slot-{01,02,03,04,05,06,07,08,09,10}" >>> # Number of tapes in your "tapecycle" >>> changerfile "s3-statefile" >>> tapetype S3 >>> >>> define dumptype simple-gnutar-remote { >>> auth "ssh" >>> ssh_keys "/etc/amanda/MyConfig/ssh-key" >>> compress none >>> program "GNUTAR" >>> } >>> >>> Using s3cmd and the same access/secret i have full permissions on the >>> S3 storage, so i cannot figure out why i'm getting a 403 error. >>> >>> Thank you. >> >>