Re: Unknown S3 error with Swift S3 (Openstack)

Stratos Zolotas Thu, 20 Jun 2013 04:31:34 -0700

It seems that something is "confusing" the authentication.

My setup has the Swift proxy and the Keystone authentication service
on different servers.


Now i have this error:

$ amlabel DailySet1 DailySet1-1 slot 1
Reading label...
Error reading volume label: s3_open2 failed: This server could not
verify that you are authorized to access the document you requested.
Either you supplied the wrong credentials (e.g., bad password), or
your browser does not understand how to supply the credentials
required.

 Authentication required (Unauthorized) (HTTP 401)
Not writing label.

amanda.conf is:

org "DailySet1"
infofile "/srv/amanda/state/curinfo"
logdir "/srv/amanda/state/log"
indexdir "/srv/amanda/state/index"
dumpuser "amandabackup"
mailto "xxxxxxxxxxxxxxxx"

define tapetype S3 {
    comment "S3 Bucket"
    length 100 gigabytes # Bucket size
}

device_property "S3_SUBDOMAIN" "no"
device_property "S3_SSL" "ON"                                        #
Curl needs to have S3 Certification Authority (Verisign today)

# in its CA list. If connection fails, try setting this no NO
device_property "S3_STORAGE_CLASS" "STANDARD"
device-property "SSL_CA_INFO" "/etc/amanda/xxxxxxxx.ca-bundle"
device-property "S3_HOST" "<swift-proxy-url>:443"

device-property "VERBOSE" "YES"
device-property "S3_SERVICE_PATH" "/v2.0/tokens"
device-property "LEOM" "on"
device-property "STORAGE_API" "SWIFT-2.0"
device-property "USERNAME" "amanda"
device-property "PASSWORD" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
device-property "TENANT_NAME" "xxxxxxxxx"
device-property "TENANT_ID" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

tpchanger 
"chg-multi:s3:xxxxxxxxxxxxxxxxxxxxxxxxxx-backups/DailySet1/slot-{01,02,03,04,05,06,07,08,09,10}"
# Number of tapes in your "tapecycle"
changerfile  "s3-statefile"
# Amanda will create this file
tapetype S3

define dumptype simple-gnutar-remote {
    auth "ssh"
    ssh_keys "/etc/amanda/MyConfig/ssh-key"
    compress none
    program "GNUTAR"
}

holdingdisk hd1 {
    directory "/srv/amanda/holding"
    use 200 gbytes
    chunksize 1 mbyte
}


log now has this:

# cat amlabel.20130620111031.debug
Thu Jun 20 11:10:31 2013: thd-0x1da6200: amlabel: pid 10078 ruid 63998
euid 63998 version 3.3.3: start at Thu Jun 20 11:10:31 2013
Thu Jun 20 11:10:31 2013: thd-0x1da6200: amlabel: Arguments: DailySet1
DailySet1-1 slot 1
Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: pid 10078 ruid 63998
euid 63998 version 3.3.3: rename at Thu Jun 20 11:10:32 2013
Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: Using state file:
/etc/amanda/DailySet1/s3-statefile
Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: S3 driver using
bucket 'xxxxxxxxxxxxxxxxxxxxx-backups', prefix 'DailySet1/slot-01'
Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: Create 1 threads
Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: About to connect()
to <swift-proxy-url> port 443 (#0)
Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel:   Trying
xx.xx.xx.xx...
Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: connected
Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: successfully set
certificate verify locations:
Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel:   CAfile:
/etc/amanda/xxxxxxxxx.ca-bundle
Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel:   CApath:
/etc/ssl/certs
Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: SSLv3, TLS
handshake, Client hello (1):
Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: SSLv3, TLS
handshake, Server hello (2):
Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: SSLv3, TLS
handshake, CERT (11):
Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: SSLv3, TLS
handshake, Server key exchange (12):
Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: SSLv3, TLS
handshake, Server finished (14):
Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: SSLv3, TLS
handshake, Client key exchange (16):
Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: SSLv3, TLS change
cipher, Client hello (1):
Thu Jun 20 11:10:32 2013: thd-0x1da6200: amlabel: SSLv3, TLS
handshake, Finished (20):
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: SSLv3, TLS change
cipher, Client hello (1):
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: SSLv3, TLS
handshake, Finished (20):
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: SSL connection using
DHE-RSA-AES256-SHA
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Server certificate:
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel:        subject:
OU=Domain Control Validated; OU=EssentialSSL Wildcard;
CN=*.xxxxxxxxxxx.com
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel:        start date:
2013-05-08 00:00:00 GMT
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel:        expire date:
2015-05-08 23:59:59 GMT
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel:
subjectAltName: xxxxxxx.xxxxxxxx.com matched
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel:        issuer: C=GB;
ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=EssentialSSL
CA
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel:        SSL
certificate verify ok.
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr Out: POST
/v2.0/tokens HTTP/1.1
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr Out: Host:
<swift-proxy-url>
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr Out: Accept:
application/xml
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr Out:
Content-MD5: m0S+mtU2RZBQOvfrYImepw==
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr Out: Content-Length: 315
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr Out:
Content-Type: application/xml
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr Out: Date: Thu,
20 Jun 2013 11:10:32 GMT
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr Out:
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Data Out: <?xml
version="1.0" encoding="UTF-8"?><auth
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns="http://docs.openstack.org/identity/api/v2.0";
tenantId="xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
tenantName="xxxxxxxxx"><passwordCredentials username="amanda"
password="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"/></auth>
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: We are completely
uploaded and fine
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr In: HTTP/1.1 401
Unauthorized
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr In:
Www-Authenticate: Keystone uri='https://<keystone-server-url>:5000'
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr In: Content-Length: 276
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr In:
Content-Type: text/plain; charset=UTF-8
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr In: X-Trans-Id:
tx674cf7aee54240ed9efc639d1fd2d2ff
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr In: Date: Thu,
20 Jun 2013 11:10:33 GMT
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Time Offset (remote
- local) :0
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Hdr In:
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Connection #0 to
host <swift-proxy-url> left intact
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: POST
https://<swift-proxy-url>:443/v2.0/tokens failed with 401/Unauthorized
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Device
s3:xxxxxxxxxxxxxxxxxxxxxxxx-backups/DailySet1/slot-01 error =
's3_open2 failed: This server could not verify that you are authorized
to access the document you requested. Either you supplied the wrong
credentials (e.g., bad password), or your browser does not understand
how to supply the credentials required.

 Authentication required (Unauthorized) (HTTP 401)'
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Device
s3:xxxxxxxxxxxxxxxxxxxxxxxxxxxx-backups/DailySet1/slot-01 setting
status flag(s): DEVICE_STATUS_DEVICE_ERROR
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: Closing connection #0
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: SSLv3, TLS alert,
Client hello (1):
Thu Jun 20 11:10:33 2013: thd-0x1da6200: amlabel: pid 10078 finish
time Thu Jun 20 11:10:33 2013

It seems that amanda does not ask the keystone server for a token,
instead it tries to get it from the swift proxy, but maybe i'm wrong.

Any help would be appreciated.

Thanks in advance.

Stratos.

On Wed, Jun 19, 2013 at 8:32 PM, Stratos Zolotas <str...@gmail.com> wrote:
> Hi Jean-Louis, thanks for the reply. I will try and report back.
>
> Do you any info regarding supporting S3 on Openstack?
>
> Thanks again.
>
> On Wed, Jun 19, 2013 at 8:28 PM, Jean-Louis Martineau
> <martin...@zmanda.com> wrote:
>> Stratos,
>>
>> S3 compatibility of OpenStack is not tested, you must use the SWIFT-2.0 api.
>> You must specify 3 of USERNAME. PASSWORD, TENANT_NAME or TENANT_ID.
>>
>> define changer openstack {
>>    tpchanger
>> "chg-multi:s3:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-backups/DailySet/slot-{01,02,03,04,05,06,07,08,09,10}"
>>   device_property "S3_SUBDOMAIN"  "no"
>>   device_property "S3_SSL" "ON"
>>   device_property "S3_STORAGE_CLASS"      "STANDARD"
>>
>>   device-property "SSL_CA_INFO" "/etc/amanda/xxxxxxxxx.ca-bundle"
>>   device-property "S3_HOST" "xxxxxxxxxxxxxxxxxxxxx:443"
>>   device-property "VERBOSE" "YES"
>>   device-property "S3_SERVICE_PATH" "/v2.0/tokens"
>>   device_property "LEOM"  "on"
>>   device-property "STORAGE_API" "SWIFT-2.0"
>>   device_property "USERNAME"  "???"
>>   device_property "PASSWORD"  "????"
>>   device_property "TENANT_NAME"  "???"
>>   device_property "TENANT_ID" "???"
>>
>> }
>> tpchanger "openstack"
>>
>>
>> Jean-Louis
>>
>>
>> On 06/19/2013 12:56 PM, Stratos Zolotas wrote:
>>>
>>> Hi, it is my first post and just a few days with amanda.
>>>
>>> I'm trying to configure backups on Openstack's Swift using S3. I have
>>> the following error:
>>>
>>> $ amlabel DailySet1 DailySet1-1 slot 1
>>> Reading label...
>>> Error reading volume label: While trying to read tapestart header:
>>> Unknown S3 error (None) (HTTP 403)
>>> Not writing label.
>>>
>>>
>>> amlabel.log has this:
>>>
>>> Fri Jun 14 21:57:33 2013: thd-0x13b5400: amlabel: pid 23948 ruid 63998
>>> euid 63998 version 3.3.3: start at Fri Jun 14 21:57:33 2013
>>> Fri Jun 14 21:57:33 2013: thd-0x13b5400: amlabel: Arguments: DailySet1
>>> DailySet1-1 slot 1
>>> Fri Jun 14 21:57:33 2013: thd-0x13b5400: amlabel: pid 23948 ruid 63998
>>> euid 63998 version 3.3.3: rename at Fri Jun 14 21:57:33 2013
>>> Fri Jun 14 21:57:33 2013: thd-0x13b5400: amlabel: Using state file:
>>> /etc/amanda/DailySet1/s3-statefile
>>> Fri Jun 14 21:57:33 2013: thd-0x13b5400: amlabel: S3 driver using
>>> bucket 'xxxxxxxxxxxxxxxxxxxxxxxx-backups', prefix 'DailySet1/slot-01'
>>> Fri Jun 14 21:57:33 2013: thd-0x13b5400: amlabel: Create 1 threads
>>> Fri Jun 14 21:57:35 2013: thd-0x13b5400: amlabel: GET
>>>
>>> https://xxxxxxxxxxxxxxx.com:443/xxxxxxxxxxxxxxxxxxxxxxxxxxx-backups/DailySet1%2Fslot-01special-tapestart
>>> failed with 403/None
>>> Fri Jun 14 21:57:35 2013: thd-0x13b5400: amlabel: Device
>>> s3:xxxxxxxxxxxxxxxxxxxxxxxxxx-backups/DailySet1/slot-01 error = 'While
>>> trying to read tapestart header: Unknown S3 error (None) (HTTP 403)'
>>> Fri Jun 14 21:57:35 2013: thd-0x13b5400: amlabel: Device
>>> s3:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx-backups/DailySet1/slot-01 setting
>>> status flag(s): DEVICE_STATUS_DEVICE_ERROR, and
>>> DEVICE_STATUS_VOLUME_ERROR
>>> Fri Jun 14 21:57:35 2013: thd-0x13b5400: amlabel: pid 23948 finish
>>> time Fri Jun 14 21:57:35 2013
>>>
>>> My amanda.conf is:
>>>
>>> org "DailySet1"
>>> infofile "/srv/amanda/state/curinfo"
>>> logdir "/srv/amanda/state/log"
>>> indexdir "/srv/amanda/state/index"
>>> dumpuser "amandabackup"
>>> mailto "operati...@xxxxxxxxxx.com"
>>>
>>> define tapetype S3 {
>>>      comment "S3 Bucket"
>>>      length 100 gigabytes # Bucket size
>>> }
>>>
>>> device_property "S3_ACCESS_KEY" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"    #
>>> Your S3 Access Key
>>> device_property "S3_SECRET_KEY" "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"    #
>>> Your S3 Secret Key
>>>
>>> device_property "S3_SSL" "ON"                                        #
>>> Curl needs to have S3 Certification Authority (Verisign today)
>>>
>>> # in its CA list. If connection fails, try setting this no NO
>>> device-property "SSL_CA_INFO" "/etc/amanda/xxxxxxxxx.ca-bundle"
>>> device-property "S3_HOST" "xxxxxxxxxxxxxxxxxxxxx:443"
>>>
>>> tpchanger
>>> "chg-multi:s3:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-backups/DailySet1/slot-{01,02,03,04,05,06,07,08,09,10}"
>>> # Number of tapes in your "tapecycle"
>>> changerfile  "s3-statefile"
>>> tapetype S3
>>>
>>> define dumptype simple-gnutar-remote {
>>>      auth "ssh"
>>>      ssh_keys "/etc/amanda/MyConfig/ssh-key"
>>>      compress none
>>>      program "GNUTAR"
>>> }
>>>
>>> Using s3cmd and the same access/secret i have full permissions on the
>>> S3 storage, so i cannot figure out why i'm getting a 403 error.
>>>
>>> Thank you.
>>
>>

Re: Unknown S3 error with Swift S3 (Openstack)

Reply via email to