Using Dell ECS s3 for snapshots

trwillis · February 3, 2023, 2:14pm

I am trying to configure a snapshot repository to use an on-premise s3 compatible solution - Dell ECS. When I issue the command to add the repository with our internal endpoint, ES still is attempting to connect to AWS as shown in Wireshark capture. Why is it not using the endpoint I specified?

leandrojmp · February 3, 2023, 2:19pm

Did you change the endpoint while creating your repository in elasticsearch?

In the documentation you have this example:

PUT _snapshot/my_s3_repository
{
  "type": "s3",
  "settings": {
    "client": "my-client",
    "bucket": "my-bucket",
    "endpoint": "my.s3.endpoint"
  }
}

trwillis · February 3, 2023, 2:27pm

Here is my attempt to create the repo:

curl --insecure -X PUT -u "elastic:${ELASTIC_PASSWORD}" "https://localhost:9200/_snapshot/s3_repo" -H 'Content-Type: application/json' -d'
{
  "type": "s3",
  "settings": {
    "bucket": "my-bucket",
    "client": "default",
    "endpoint": "my.s3.provider:9020",
    "protocol": "http",
    "base_path": "snapshots"
  }
}
'

trwillis · February 3, 2023, 2:28pm

The attempt gets a connection timeout error. I ran a Wireshark capture and it is attempting to connect to 54.85.240.191 which is blocked by my org.

leandrojmp · February 3, 2023, 3:40pm

It seems similar to this post.

How many nodes do you have? If you have more than one, did you set set access_key and secret_key in all of them?

As suggested in the linked post, try to run the request again with the parameter ?error_trace to get more information in the logs.

Also, share the response you get for the requests.

trwillis · February 3, 2023, 4:16pm

I found the issue. Originally, I tried to set the keystore secure settings using these commands:
bin/elasticsearch-keystore add s3.client.default.access_key
bin/elasticsearch-keystore add s3.client.default.secret_key

However, when I deleted those and included them in my definition, it works:

curl --insecure -X PUT -u "elastic:${ELASTIC_PASSWORD}" "https://localhost:9200/_snapshot/s3_repo" -H 'Content-Type: application/json' -d'
{
  "type": "s3",
  "settings": {
    "bucket": "my_bucket",
    "client": "default",
    "endpoint": "my.s3.provider:9020",
    "protocol": "http",
    "base_path": "snapshots",
    "path_style_access": "true",
    "canned_acl": "bucket-owner-full-control",
    "access_key": "my-access-key",
    "secret_key": "my-secret-key"
  }
}
'

I think the issue was ES was trying to validate the creds against AWS when they were set in the keystore. When they are set directly in the snapshot repo, it does not attempt to go out to AWS.

Regardless, I got it working.

system · March 3, 2023, 4:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.