• NAME
• SYNOPSIS
• DESCRIPTION
• EXAMPLES
• PARAMETERS
• PERFORMANCE CONSIDERATIONS
• CREDENTIALS
• COMPARISON TO S3FS-FUSE AND S3BACKER
• FILES
• ENVIRONMENT VARIABLES
• VERSION
• SEE ALSO
• AUTHORS
• COPYRIGHT
• LICENSE

NAME

nbdkit-S3-plugin - expose data in Amazon S3 or Ceph buckets as block device

SYNOPSIS

 nbdkit S3 [access-key=...] [secret-key=...] [session-token=...]
           [endpoint-url=...]
           [size=NN object-size=NN]
           bucket=BUCKET key=STRING

DESCRIPTION

nbdkit-S3-plugin is a plugin for nbdkit(1) which lets you open objects stored in Amazon S3 or Ceph as disk images.

This plugin uses the Python Amazon Web Services SDK called Boto3.

EXAMPLES

 nbdkit S3 endpoint-url=https://ceph.example.com \
           bucket=MY-BUCKET key=disk.img

Provides read only block device holding the data contained in the "disk.img" object.

 nbdkit S3 endpoint-url=https://ceph.example.com \
           size=50G object-size=128k \
           bucket=MY-BUCKET key=disk

Provides a read-write block device with size 50G, whose contents are stored multiple in objects of size 128k, prefixed with disk/

PARAMETERS

access-key=ACCESS_KEY

access-key=+FILENAME

access-key=-

access-key=-FD

secret-key=SECRET_KEY

secret-key=+FILENAME

secret-key=-

secret-key=-FD

session-token=SESSION_TOKEN

session-token=+FILENAME

session-token=-

session-token=-FD

Pass AWS credentials. See "CREDENTIALS".

endpoint-url=ENDPOINT

If accessing Ceph or another compatible S3 service, provide the endpoint URL through this parameter.

bucket=BUCKET

The bucket containing the object(s). This parameter is required.

key=STRING

The object name (if size is not specified) or object prefix (if size is specified) to use within the bucket. This parameter is required.

size=SIZE

object-size=SIZE

These two parameters must always be specified together. If set, data will be split into blocks of object-size and stored as separate objects. The block device will report a total size of size and be writeable and trim-able.

Object names will have the form key/%16x, where %16x is the 16-digit hexadecimal block number. If there are existing objects under such name that do not have the expected size, the plugin will crash.

PERFORMANCE CONSIDERATIONS

It is highly recommended that clients do their utmost to issue requests that exactly match the object size: Smaller write requests will incur a performance penalty due to the need for read-modify-write cycles (thus also incurring latency from two network round-trips). Larger read and write requests will incur a performance penalty because of sequential execution.

The nbdkit-blocksize-filter(1) can be used to alleviate the impact of requests larger than the object size, but does not help if the client issues requests smaller than the block size.

The nbdkit-stats-filter(1) can be used to investigate what block sizes and alignments are used by the client.

When connecting through the Linux kernel's NBD module, consider setting /sys/block/nbd<X>/queue/max_sectors_kb to match the object size.

CREDENTIALS

You can pass AWS credentials in several ways:

In plaintext on the nbdkit command line

For example:

 nbdkit S3 access-key=ABC secret-key=SECRET session-token=123

This is not secure since a user on the same machine could read them using ps(1).

Via files on the nbdkit command line

(nbdkit ≥ 1.38)

For example:

 nbdkit S3 access-key=+/tmp/access [...]

Be careful with the permissions on these files to ensure that no one else can read the sensitive information.

Interactively when nbdkit starts up

(nbdkit ≥ 1.38)

For example:

 nbdkit S3 access-key=- [...]

nbdkit will ask for each key to be entered interactively.

Inherited through a file descriptor

(nbdkit ≥ 1.38)

For example:

 nbdkit S3 access-key=-3 [...]

The parent process must set up the file descriptor (FD 3 in the example) so that nbdkit can read the key from it.

Using ~/.aws/credentials file

This file takes the form:

 [default]
 aws_access_key_id = XXX
 aws_secret_access_key = YYY

 [profile]
 aws_access_key_id = XXX
 aws_secret_access_key = YYY

Different profiles from the file can be selected by setting the AWS_PROFILE environment variable.

Through environment variables

Use the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.

There is much more information about credentials in the Boto3 documentation.

COMPARISON TO S3FS-FUSE AND S3BACKER

s3fs-fuse (https://github.com/s3fs-fuse/s3fs-fuse) and s3backer (https://github.com/archiecobbs/s3backer) provide similar functionality but are based on FUSE (rather than NBD). They provide a regular file (backed by S3) which can then be loopback-mounted to provide a block device. s3backer also supports to optionally encrypt and compress objects.

In theory, NBD should provide better performance than FUSE, because:

• The kernel no longer serializes write and read requests but issues them concurrently.

• Read and write request size can exceed 128 kB

• The system can still be reliably hibernated (a running FUSE daemon may prevent this)

• Requests pass through the VFS only once, not twice

• Data is present in the page cache only once, not twice

However, for high-bandwidth network connections s3backer and s3fs-fuse may be faster because they are written in C rather than Python.

FILES

$plugindir/nbdkit-S3-plugin

The plugin.

Use nbdkit --dump-config to find the location of $plugindir.

$HOME/.aws/credentials

AWS credentials can be passed to boto3 using this file.

ENVIRONMENT VARIABLES

AWS_*

Boto3 reads some credential information from AWS_* environment variables.

VERSION

nbdkit-S3-plugin first appeared in nbdkit 1.24.

SEE ALSO

nbdkit(1), nbdkit-plugin(3), nbdkit-python-plugin(3), nbdkit-gcs-plugin(1), https://pypi.org/project/boto3/, https://boto3.amazonaws.com/v1/documentation/api/latest/index.html, https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html.

AUTHORS

Richard W.M. Jones

Nikolaus Rath

COPYRIGHT

Copyright Red Hat

LICENSE

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

• Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

• Neither the name of Red Hat nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.