Beyond S3 Compatibility Claims
A Deep Dive into Real-World Incompatibilities
Gregory Touretsky, Seagate
Virtual Conference, September 28-29, 2021
2023 SNIA. All Rights Reserved.

Is 100% compatibility with Amazon S3 just a myth? Let's find out.
The fine print of S3 compatibility: what vendors won't tell you

Amazon S3
- 280 Trillion objects
- 100M requests per second
- 4B checksum calculations per second

Amazon S3 API
- 90+ Amazon S3 Actions
- 60+ Amazon S3 Control Actions
- IAM, STS Actions

S3-Compatible Storage
- Systems and Software
- Cloud Services

Official Incompatibilities

Protocol Compliance Tools
- Home-grown
- 3rd party applications
- https:/ https:/ https:/ https:/

Mint tests

| Solution | Mint tests |
| --- | --- |
| Minio | 0 |
| Backblaze B2 | 14 |
| Google Cloud Storage S3 | 15 |
| AWS S3 | 12 |

Is Minio more S3-compatible than Amazon S3?

What Is Behind the Endpoint?

    aws s3 ls --debug |& grep 'Response headers' | awk -F 'Server' '{print $2}'

| Solution | Server Header |
| --- | --- |
| Amazon S3 | AmazonS3 |
| Google Cloud Storage (S3 compatible) | UploadServer |
| Ceph | - |
| Minio | MinIO |
| Wasabi | WasabiS3/7.12.1004-2023-02-17-7ff2f5bdd9 (head07) |
| Seagate Lyve Cloud | Seagate-LyveCloudS3 |
| Backblaze B2 | - |

What Is in the Request?
Example: UploadPart

| Component | Example |
| --- | --- |
| Method | PUT |
| Bucket | mybucket |
| Host | us-east- |
| Key | myprefix/myobject |
| partNumber | 12 |
| uploadId | 2e1c42be-fc1d-4055-bbce-d10a55a0a662 |
| authorization | AWS4-HMAC-SHA256 Credential=REDUCTED/20230418/us-east-1/s3/aws4_request,SignedHeaders=content-length;host;user-agent;x-amz-content-sha256;x-amz-date,Signature=61b9391bc68984f634db8437779e76a8f609a5823b3ea0ac00a3df48e431d59c |
| user-agent | APN/1.0 Qumulo/1.0 S3Replication/6.0.2 |

What Is in the Response?
Example: UploadPart

| Component | Example |
| --- | --- |
| Response code | HTTP/1.1 200 |
| Date | Tue, 18 Apr 2023 04:25:17 GMT |
| Etag | 3ae3ac4887f98ddefde4eeb82e37280b |
| Server | Seagate-LyveCloudS3 |
| X-Amz-Request-Id | 1756ECD65A5EE9C2 |

Authentication/Signature
- Sig V2: old, discontinued in 2020. But many client apps still use it!
- Sig V4: current, in use since 2012

Sig V4 flow:
- Client: Create a canonical request, create signing string, create signature, add signature to request header, send API request
- Receive requests, create a canonical request, create signing string, create signature, verify API signature in request matches

    # Create a Canonical Request
    CanonicalRequest =
        HTTPRequestMethod + '\n' +
        CanonicalURI + '\n' +
        CanonicalQueryString + '\n' +
        CanonicalHeaders + '\n' +
        SignedHeaders + '\n' +
        HexEncode(Hash(RequestPayload))

SignedHeaders: header names, sorted by lowercase character code, delimited by semicolon.

- Customer's app fails CopyObject requests: SignatureDoesNotMatch
- Root cause: the server returns a mix of lower-case and mixed-case header names, e.g. X-Amz-Server-Side-Encryption
- Customer's app sorts headers case-sensitively
- The signed headers string is not properly sorted

    Authorization: AWS4-HMAC-SHA256 Credential=REDACTED/20230205/us-east-1/s3/aws4_request,SignedHeaders=content-type;host;user-agent;x-amz-server-side-encryption;x-amz-acl;x-amz-content-sha256;x-amz-copy-source;x-amz-date;x-amz-metadata-directive,Signature=246998b7b32681af8d6dbfdf8754da20c4633509d20fc6391bfe291d0d4caba1

Object Key (Path)

- Up to 1,024 bytes long
- The following objects can coexist in a bucket:
    mybucket/myfolder/obj
    mybucket/myfolder/obj/
    mybucket/myfolder/obj/
    mybucket/myfolder/./obj/
    mybucket/myfolder/

- Up to 1,024 bytes long
- “/” is interpreted as a directory
- Directory segments are limited to 255 bytes
- “/”, “.”, “.” are not allowed
- mybucket/myfolder and mybucket/myfolder/obj objects can't co-exist

    $ aws --profile minio s3api put-object --bucket bucket1 --key NameWith/Inside --body /empty
    An error occurred (XMinioInvalidObjectName) when calling the PutObject operation: Object name contains unsupported characters.

Complete-Multipart-Upload Response Caching

"Complete Multipart Upload is an idempotent operation. After your first successful complete multipart upload, if you call the operation again within a short period, the operation will succeed."

    $ aws s3api complete-multipart-upload --bucket A --key B --upload-id XX --multipart-upload file
    POST 200 325
    $ aws s3api complete-multipart-upload --bucket A --key B --upload-id XX --multipart-upload file
    POST 404 449

    $ aws s3api complete-multipart-upload --bucket A --key B --upload-id XX --multipart-upload file
    POST 200 None
    $ aws s3api complete-multipart-upload --bucket A --key B --upload-id XX --multipart-upload file
    POST 200 None

Don't Be Fooled by “Success”
Complete-Multipart-Upload

"Processing of a Complete Multipart Upload request could take several minutes to complete. After Amazon S3 begins processing the request, it sends an HTTP response header that specifies a 200 OK response. While processing is in progress, Amazon S3 periodically sends white space characters to keep the connection from timing out. A request could fail after the initial 200 OK response has been sent. This means that a 200 OK response can contain either a success or an error."

    2023-03-15 21:40:29,089 - MainThread - urllib3.connectionpool - DEBUG - https:/gt-test-006.s3.us-east-:443 POST /largeobjecttest?uploadId=szRCQ4o6dw8qjRjUjOe9WD2z2JbE5bHFuZvL27zUciZJW3um8GeIqYcPlLNu_GzUzuYCheYCYpAaWdLZF3x3I8rAdVF_7U109PBm3nd_ATIntjyYqHOcVdbS6X8vmxNI HTTP/1.1 200 None
    21:40:29,096 - MainThread - botocore.parsers - DEBUG - Response body:
    bnEntityTooLargeYour proposed upload exceeds the maximum allowed size 555497558138880A1B9N8GCJ9368Z0NnXky785oI/qBz4qo1PO3M00bNF/SJSXiw6tLSEESNF1hVT2kEU2cKWKxbfG5iTw4KlVBNOk5GoY=

Get-object-attributes

    $ aws s3api get-object-attributes --bucket gt-test-006 --key awscliv2.zip --object-attributes ETag
    {
        "LastModified": "2023-04-20T01:01:27+00:00",
        "VersionId": "2m1EHmC6ALD_FVJ6HZBJ9znvBEbi6pNa",
        "ETag": "75c77163c337dfd5bb5a5f9f7a6473dd-1"
    }

    $ aws s3api get-object-attributes --bucket gt-test-006 --key awscliv2.zip --object-attributes ETag
    Unable to parse response (not well-formed (invalid token): line 1, column 2), invalid XML received. Further retries may succeed:
    bPKx03x04x14x00 x00 x00 x00 x00Fx8fxf4Tx00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x04x00 x00 x00aws/PKx03x04x14x00 x00 x00 x00 x00Ex8fxf4Tx00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00 x00tx00 x00 x00aws/dist/PKx03x04x14x00 x00 x00 x08x00 x1ax8exf4TWx92xbenx02x00 x00 xb

Head-bucket

    $ aws s3api head-bucket --bucket gt-test-006 --expected-bucket-owner wronguser --debug |& grep HEAD
    urllib3.connectionpool - DEBUG - https:/gt-test-006.s3.us-east-:443 HEAD / HTTP/1.1 400 0

    $ aws s3api head-bucket --bucket gt-test-006 --expected-bucket-owner wronguser --debug |& grep HEAD
    urllib3.connectionpool - DEBUG - http:/10.0.0.83:9000 HEAD /gt-test-006 HTTP/1.1 200 0

Put-object
Unsupported CRC32C

    $ ./warp get --access-key=REDACTED --secret-key=REDACTED --bucket=gt-test-001 --concurrent=60 --host=ENDPOINT --obj.size=16MiB --tls --duration 300s --objects=2500 --analyze.v
    warp: upload error: The X-Amz-Checksum-Crc32c you specified did not match what we received.

    $ aws s3api put-object --bucket gt-test-001 --key myobject --body myobject.zip --checksum-crc32-c 8KygcQ=
    An error occurred (InvalidRequest) when calling the PutObject operation: Value for x-amz-checksum-crc32c header is invalid.

Performance

Requests/sec
- 3,500 PUTs / 5,500 GETs per sec per partitioned prefix
- Request rates are allocated proportionally
- Up to 500 requests/sec for a single blob (object)
- Default max request rate per storage account: 20,000 requests/sec
- Initial 1,000 writes/sec, 5,000 reads/sec
- Gradually autoscaling above limits, based on prefixes. Double rate every 20 min
- Bucket create/delete: 0.5/sec; update: 1/sec
- S3 API: “fair use”, depends on storage volume
- Account Control API: GET 1000/min, PUT 100/min, DELETE 10/min

Throughput
- Single-instance up to 100 Gb/s; aggregate multiple Tbps
- Default max ingress per storage account: 10/25/60 Gbps (varies per region)
- Default max egress per storage account: 50/120 Gbps
- Default egress quota: 200 Gbps per region
- No details

Consistency Model (*)

[Diagram: "Strong" (Node A, Node B, steps 1-4) and "Eventual" (Node A, Node B, steps 1-3), the latter labelled "Before Dec 2020"]

(*) Data path. Access control, etc. may vary.
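The SignedHeaders ordering failure from the Authentication/Signature slide, reproduced end to end. This is an added example, not code from the talk: it assumes the verifier rebuilds the canonical request with correctly ordered names, and the header values, the `EXAMPLE-SECRET` key and the function names are constructed.

```python
import hashlib
import hmac

def signed_header_names(headers, case_sensitive_sort=False):
    """SigV4 order: lowercase the names, then sort. The failing client sorted first."""
    if case_sensitive_sort:
        return [name.lower() for name in sorted(headers)]
    return sorted(name.lower() for name in headers)

def sigv4_signature(secret, amz_date, region, method, uri, query, headers,
                    payload_hash, case_sensitive_sort=False):
    values = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    names = signed_header_names(headers, case_sensitive_sort)
    canonical_request = "\n".join([
        method, uri, query,
        "".join(f"{n}:{values[n]}\n" for n in names),  # CanonicalHeaders
        ";".join(names),                               # SignedHeaders
        payload_hash,
    ])
    day = amz_date[:8]
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, f"{day}/{region}/s3/aws4_request",
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    key = ("AWS4" + secret).encode()
    for part in (day, region, "s3", "aws4_request"):   # signing-key derivation
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
# Constructed CopyObject request: names and casing follow the slide, values are made up.
HEADERS = {
    "Content-Type": "application/octet-stream", "Host": "s3.example.invalid",
    "User-Agent": "example-client/1.0", "X-Amz-Server-Side-Encryption": "AES256",
    "x-amz-acl": "private", "x-amz-content-sha256": EMPTY_SHA256,
    "x-amz-copy-source": "/srcbucket/srckey", "x-amz-date": "20230205T000000Z",
    "x-amz-metadata-directive": "COPY",
}
ARGS = ("EXAMPLE-SECRET", "20230205T000000Z", "us-east-1", "PUT",
        "/mybucket/myobject", "", HEADERS, EMPTY_SHA256)

def compare():
    """Return (client signature, verifier signature) for the same request."""
    return sigv4_signature(*ARGS, case_sensitive_sort=True), sigv4_signature(*ARGS)

if __name__ == "__main__":
    client, verifier = compare()
    print("SignatureDoesNotMatch" if client != verifier else "match")
```

With the case-sensitive sort, the one mixed-case name lands ahead of `x-amz-acl`, which is exactly the SignedHeaders order in the Authorization header shown on the slide.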
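A client-side check for the "200 OK can contain an error" behaviour from the Complete-Multipart-Upload slide, which also catches the non-XML body seen in the Get-object-attributes slide. This is an added example, not code from the talk: `check_complete_mpu`, `outcome` and the three sample bodies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

class S3ResponseError(Exception):
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # strip "{namespace}" from a tag

def check_complete_mpu(status, body):
    """Return the result fields; raise if a 200 response carries an error body."""
    if status != 200:
        raise S3ResponseError(f"HTTP {status}", "request rejected")
    try:
        root = ET.fromstring(body.lstrip())   # keep-alive whitespace may come first
    except ET.ParseError as exc:
        raise S3ResponseError("MalformedResponse", str(exc)) from None
    fields = {_local(child.tag): child.text or "" for child in root}
    if _local(root.tag) == "Error":
        raise S3ResponseError(fields.get("Code", "Unknown"), fields.get("Message", ""))
    if _local(root.tag) != "CompleteMultipartUploadResult" or not fields.get("ETag"):
        raise S3ResponseError("UnexpectedBody", _local(root.tag))
    return fields

def outcome(status, body):
    try:
        return "OK " + check_complete_mpu(status, body)["ETag"]
    except S3ResponseError as err:
        return err.code

# Constructed response bodies (all would arrive with HTTP status 200).
OK_BODY = (b'<?xml version="1.0" encoding="UTF-8"?>\n \n \n'
           b'<CompleteMultipartUploadResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
           b'<Bucket>gt-test-006</Bucket><Key>largeobjecttest</Key>'
           b'<ETag>"0123456789abcdef0123456789abcdef-2"</ETag>'
           b'</CompleteMultipartUploadResult>')
ERROR_BODY = (b' \n \n<Error><Code>EntityTooLarge</Code><Message>Your proposed upload '
              b'exceeds the maximum allowed size</Message></Error>')
NOT_XML = b"PK\x03\x04\x14\x00"   # an object body returned where XML was expected

if __name__ == "__main__":
    for body in (OK_BODY, ERROR_BODY, NOT_XML):
        print(outcome(200, body))
```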
Summary
- Complexity + nuance
- Incompatibilities
- Deep understanding of the S3 API
- Thorough testing
- S3 compatibility = customer adoption

Driving Compatibility and Collaboration in Cloud Storage
- Foster Ecosystem Collaboration
- Facilitate collaboration and knowledge sharing among S3 developers by establishing a platform for discussions, forums, and workshops
- Enable S3 Multi-Cloud Interoperability
- Establish Compliance Certification
- Documentation
- List of known incompatibilities
- Standardized compatibility tests

BoF Session: Tuesday, 9/19
SNIA Cloud Storage TWG Work Item

Please take a moment to rate this session. Your feedback is important to us.