RE: Use on-prem S3 (ceph/rgw) as feed storage

Hi @atripp ,

I'm not very familiar with C# and .NET, but found here that the AmazonS3Config class has a forcePathStyle attribute and a ForcePathStyle method. by default this is false. I think setting this to true should work correctly with Ceph/RGW.

 public partial class AmazonS3Config : ClientConfig
    {
        ...
        private bool forcePathStyle = false;
        ...
        public bool ForcePathStyle
        {
            get { return forcePathStyle; }
            set { forcePathStyle = value; }
        }
        ...
}

Cheers
Karsten

Hi,

we have clair installed and it seems to be running fine so far. Initially we had some problems with reaching the sources that clair needs (e.g. nist.gov, alpinelinux.org, ...) but it all works now. There are no more such errors in the clair log. But I get the following messages in Proget when running the VulnerabilityDownloader task:

Requested vulnerability information for 38 total package versions.
Sending last 38 coordinates as a final request...
Request returned 38 vulnerability records.
Clair returned error ProxyAuthenticationRequired for layer sha256:2db29710...
Clair returned error ProxyAuthenticationRequired for layer sha256:31a7f9b4d..
...

An image with log4j in it is not detected. Any idea?

Cheers

Karsten

Hi @atripp,

yes, in general your S3 API works well with Ceph. I can only make this suggestion to improve the setting of the access data:

The difference between the two access methods to S3 is described here: https://docs.ceph.com/en/quincy/radosgw/s3/commons/

Ceph and we prefer the first method because DNS wild cards are difficult for us. AWS uses the second method, and it's the only one that ProGet supports. It would be great for all Ceph users if proget supported the first method as well.

But for now, the weekaround is OK for us.

cheers
karsten

Hi @atripp,

you are compleatly right! We need our root cert in the trusted root collection of the OS. We have an k8s deployment, so i added the cert with a config map. And bingo! I've got it working... but only with a very dirty trick. At the first try I got the error message:

System.Net.Http.HttpRequestException: Name or service not known ([bucket-name].[sub-doamin].s3.[domain]:443)

This means, proget is expecting the "virtual host spelling" for S3. Our Ceph System instead is expecting a "path spelling" like this:

https://[sub-doamin].s3.[domain]:443/[bucket-name]

My first idea was to use the prefix field in ProGet as the bucket-name, but this also dit not work, beaucause a bucket-name is required, so I used our DNS sub-domain name as the bucket-name, and this works! ;-)

May I ask one more question: I enabled "Use server-side encryption" and I was wondering if this was working wihout give an encrypten-key-ID for the KMS. Which key uses ProGet for the encryption?

Thank you!
Karsten

When I configure our on-prm S3 as feed storage , I got these error message:
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot

We have a self-signed CA, so this error is usual, but how can we trust our own root?