Solved: Mounting ONTAP bucket using s3fs

AlexandreOliveira · ‎2021-04-05

Hello,

I've created a S3 bucket in a system running ONTAP 9.8 and I was able to access it using the S3 browser.

I am now trying to mount it in a Linux server using s3fs. It doesn't work. I tried different parameters and nothing. I see no error logs in the ONTAP side, but in Linux side I have the errors below.

Any ideas what may be missing?

Thanks!

Alexandre

Apr 05 10:02:48 ubuntu1804 s3fs[3756]: s3fs.cpp:s3fs_destroy(3445): Could not release curl library.
Apr 05 10:02:48 ubuntu1804 s3fs[3756]: destroy
Apr 05 10:02:48 ubuntu1804 s3fs[3756]: s3fs.cpp:s3fs_exit_fuseloop(3368): Exiting FUSE event loop due to errors
Apr 05 10:02:48 ubuntu1804 s3fs[3756]: s3fs.cpp:s3fs_check_service(3820): unable to connect(host=https://ontap-bucket) - result of checking service.
Apr 05 10:02:48 ubuntu1804 s3fs[3756]: curl.cpp:CheckBucket(2953): Check bucket failed, S3 response:
Apr 05 10:02:48 ubuntu1804 s3fs[3756]: curl.cpp:RequestPerform(2078): ###curlCode: 51 msg: SSL peer certificate or SSH remote key was not OK
Apr 05 10:02:48 ubuntu1804 s3fs[3756]: URL changed is https://ontap-bucket/test-bucket/
Apr 05 10:02:48 ubuntu1804 s3fs[3756]: URL is https://ontap-bucket/test-bucket/
Apr 05 10:02:48 ubuntu1804 s3fs[3756]: check a bucket.
Apr 05 10:02:48 ubuntu1804 s3fs[3756]: check services.
Apr 05 10:02:48 ubuntu1804 s3fs[3756]: s3fs.cpp:s3fs_init(3378): init v1.82(commit:unknown) with GnuTLS(gcrypt)
Apr 05 10:02:48 ubuntu1804 s3fs[3754]: PROC(uid=0, gid=0) - MountPoint(uid=0, gid=0, mode=40755)
Apr 05 10:02:48 ubuntu1804 s3fs[3754]: s3fs.cpp:set_s3fs_log_level(257): change debug level from [CRT] to [INF]

csoza · ‎2021-04-08

Hi Alexandre,

Are you using v4 signature?

I found this on the S3 FAQ

My client application uses v2 signatures. Why am I getting errors?
Answer: S3 in ONTAP requires the use of Signature Version 4 (v4 signatures). Using v2 signatures will result in a failure to connect. It is important to be aware of this because many client applications, including commonly used S3 browsers, use v2 signatures by default. Configure client applications to use v4 signatures to avoid connectivity errors.

View solution in original post

TMACMD · ‎2021-04-05

Check your certificates

there is a message there about the peer certificate or remote ssh not ok

AlexandreOliveira · ‎2021-04-05

Same error without certificates.

Command I am running:

s3fs test-bucket /mnt/ontap-bucket/ -o passwd_file=/root/.passwd-s3fs -o url=http://ontap-bucket -o no_check_certificate -d

Logs:

Apr 05 13:28:04 ubuntu1804 s3fs[4479]: s3fs.cpp:s3fs_destroy(3445): Could not release curl library.
Apr 05 13:28:04 ubuntu1804 s3fs[4479]: destroy
Apr 05 13:28:04 ubuntu1804 s3fs[4479]: s3fs.cpp:s3fs_exit_fuseloop(3368): Exiting FUSE event loop due to errors
Apr 05 13:28:04 ubuntu1804 s3fs[4479]: s3fs.cpp:s3fs_check_service(3820): unable to connect(host=http://ontap-bucket) - result of checking service.
Apr 05 13:28:04 ubuntu1804 s3fs[4479]: curl.cpp:CheckBucket(2953): Check bucket failed, S3 response:
Apr 05 13:28:04 ubuntu1804 s3fs[4479]: curl.cpp:RequestPerform(2089): ### giving up
Apr 05 13:28:04 ubuntu1804 s3fs[4479]: Retry request. [type=5][url=http://test-bucket.ontap-bucket/][path=/]
Apr 05 13:28:04 ubuntu1804 s3fs[4479]: ### retrying...
Apr 05 13:28:02 ubuntu1804 s3fs[4479]: curl.cpp:RequestPerform(1984): ### CURLE_COULDNT_RESOLVE_HOST
Apr 05 13:28:02 ubuntu1804 s3fs[4479]: Retry request. [type=5][url=http://test-bucket.ontap-bucket/][path=/]
Apr 05 13:28:02 ubuntu1804 s3fs[4479]: ### retrying...
Apr 05 13:28:00 ubuntu1804 s3fs[4479]: curl.cpp:RequestPerform(1984): ### CURLE_COULDNT_RESOLVE_HOST
Apr 05 13:28:00 ubuntu1804 s3fs[4479]: Retry request. [type=5][url=http://test-bucket.ontap-bucket/][path=/]
Apr 05 13:28:00 ubuntu1804 s3fs[4479]: ### retrying...
Apr 05 13:27:58 ubuntu1804 s3fs[4479]: curl.cpp:RequestPerform(1984): ### CURLE_COULDNT_RESOLVE_HOST
Apr 05 13:27:57 ubuntu1804 s3fs[4479]: Libgcrypt warning: missing initialization - please fix the application
Apr 05 13:27:57 ubuntu1804 s3fs[4479]: url is http://ontap-bucket
Apr 05 13:27:57 ubuntu1804 s3fs[4479]: computing signature [GET] [/] [] []
Apr 05 13:27:57 ubuntu1804 s3fs[4479]: URL changed is http://test-bucket.ontap-bucket/
Apr 05 13:27:57 ubuntu1804 s3fs[4479]: URL is http://ontap-bucket/test-bucket/
Apr 05 13:27:57 ubuntu1804 s3fs[4479]: check a bucket.
Apr 05 13:27:57 ubuntu1804 s3fs[4479]: check services.
Apr 05 13:27:57 ubuntu1804 s3fs[4479]: s3fs.cpp:s3fs_init(3378): init v1.82(commit:unknown) with GnuTLS(gcrypt)
Apr 05 13:27:57 ubuntu1804 s3fs[4477]: PROC(uid=0, gid=0) - MountPoint(uid=0, gid=0, mode=40755)
Apr 05 13:27:57 ubuntu1804 s3fs[4477]: s3fs.cpp:set_s3fs_log_level(257): change debug level from [CRT] to [INF]

TMACMD · ‎2021-04-05

Actually, not the same error.

First error:

curl.cpp:RequestPerform(2078): ###curlCode: 51 msg: SSL peer certificate or SSH remote key was not OK

Second Error:

curl.cpp:RequestPerform(1984): ### CURLE_COULDNT_RESOLVE_HOST

maybe put an entry in the linux local /etc/hosts for "test-bucket.ontap-bucket"?

I am pretty sure though, unless you forced a change on the CLI to use HTTP instead of HTTPS, that the ONTAP S3 bucket requires a certificate to work

AlexandreOliveira · ‎2021-04-06

Hi there,

I've got to a point where the error seems to be related to the signature: "The request signature we calculated does not match the signature you provided".

But no idea how to fix it....

Thanks again!

root@ubuntu1804:/# s3fs test-bucket /mnt/ontapbucket/ -o passwd_file=/root/.passwd-s3fs-alexandre -o url=http://ontap-bucket:80 -o use_path_request_style -o no_check_certificate -d -d -f -o f2 -o curldbg
[CRT] s3fs.cpp:set_s3fs_log_level(257): change debug level from [CRT] to [INF]
[CRT] s3fs.cpp:set_s3fs_log_level(257): change debug level from [INF] to [DBG]
[INF] s3fs.cpp:set_mountpoint_attribute(4193): PROC(uid=0, gid=0) - MountPoint(uid=0, gid=0, mode=40755)
FUSE library version: 2.9.7
nullpath_ok: 0
nopath: 0
utime_omit_ok: 0
unique: 2, opcode: INIT (26), nodeid: 0, insize: 56, pid: 0
INIT: 7.31
flags=0x03fffffb
max_readahead=0x00020000
[CRT] s3fs.cpp:s3fs_init(3378): init v1.82(commit:unknown) with GnuTLS(gcrypt)
[INF] s3fs.cpp:s3fs_check_service(3754): check services.
[INF] curl.cpp:CheckBucket(2914): check a bucket.
[DBG] curl.cpp:GetHandler(283): Get handler from pool: 31
[DBG] curl.cpp:ResetHandle(1599): 'no_check_certificate' option in effect.
[DBG] curl.cpp:ResetHandle(1600): The server certificate won't be checked against the available certificate authorities.
[INF] curl.cpp:prepare_url(4205): URL is http://ontap-bucket:80/test-bucket/
[INF] curl.cpp:prepare_url(4237): URL changed is http://ontap-bucket:80/test-bucket/
[INF] curl.cpp:insertV4Headers(2267): computing signature [GET] [/] [] []
[INF] curl.cpp:url_to_host(100): url is http://ontap-bucket:80
[DBG] curl.cpp:RequestPerform(1923): connecting to URL http://ontap-bucket:80/test-bucket/
* Trying 172.20.10.201...
* TCP_NODELAY set
* Connected to ontap-bucket (172.20.10.201) port 80 (#0)
> GET /test-bucket/ HTTP/1.1
host: ontap-bucket:80
User-Agent: s3fs/1.82 (commit hash unknown; GnuTLS(gcrypt))
Accept: */*
Authorization: AWS4-HMAC-SHA256 Credential=922NPP17v_eauXKcB_4N27_18QQJ3_xnpkK7rnPPB2Gh815WNabGZ2Wb62qjb403s6rQDazv3c0xYAmX_ScY97737ce0Xi54RF6k_12DLUN0ZRTb8hp2ttamOh3ccMQ7/20210406/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=992dde2cf00b32c054190db8d3d1a82019377c0a4a90d077146b4b9aba5744b0
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date: 20210406T163753Z

< HTTP/1.1 403 Forbidden
< Server: NetApp CSS/9.8P2
< Date: Tue, 06 Apr 2021 16:37:56 GMT
< Connection: Keep-Alive
< Content-Length: 184
< Content-Type: application/xml
<
* Connection #0 to host ontap-bucket left intact
[INF] curl.cpp:RequestPerform(1957): HTTP response code 403 was returned, returning EPERM
[DBG] curl.cpp:RequestPerform(1958): Body Text: <?xml version="1.0" encoding="UTF-8"?><Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided.</Message></Error>
[ERR] curl.cpp:CheckBucket(2953): Check bucket failed, S3 response: <?xml version="1.0" encoding="UTF-8"?><Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided.</Message></Error>
[WAN] s3fs.cpp:s3fs_check_service(3795): Could not connect, so retry to connect by signature version 2.
[DBG] curl.cpp:ReturnHandler(306): Return handler to pool: 31
[INF] curl.cpp:CheckBucket(2914): check a bucket.
[DBG] curl.cpp:GetHandler(283): Get handler from pool: 31
[DBG] curl.cpp:ResetHandle(1599): 'no_check_certificate' option in effect.
[DBG] curl.cpp:ResetHandle(1600): The server certificate won't be checked against the available certificate authorities.
[INF] curl.cpp:prepare_url(4205): URL is http://ontap-bucket:80/test-bucket/
[INF] curl.cpp:prepare_url(4237): URL changed is http://ontap-bucket:80/test-bucket/
[DBG] curl.cpp:RequestPerform(1923): connecting to URL http://ontap-bucket:80/test-bucket/
* Found bundle for host ontap-bucket: 0x7f9a7014a6a0 [can pipeline]
* Connection 0 seems to be dead!
* Closing connection 0
* Hostname ontap-bucket was found in DNS cache
* Trying 172.20.10.201...
* TCP_NODELAY set
* Connected to ontap-bucket (172.20.10.201) port 80 (#1)
> GET /test-bucket/ HTTP/1.1
Host: ontap-bucket
User-Agent: s3fs/1.82 (commit hash unknown; GnuTLS(gcrypt))
Accept: */*
Authorization: AWS 922NPP17v_eauXKcB_4N27_18QQJ3_xnpkK7rnPPB2Gh815WNabGZ2Wb62qjb403s6rQDazv3c0xYAmX_ScY97737ce0Xi54RF6k_12DLUN0ZRTb8hp2ttamOh3ccMQ7:62AYCQeGAsekSWMJs1LxV5uA/UI=
Date: Tue, 06 Apr 2021 16:37:53 GMT

< HTTP/1.1 400 Bad Request
< Server: NetApp CSS/9.8P2
< Date: Tue, 06 Apr 2021 16:37:56 GMT
< Connection: Keep-Alive
< Content-Length: 191
< Content-Type: application/xml
<
* Connection #1 to host ontap-bucket left intact
[INF] curl.cpp:RequestPerform(1952): HTTP response code 400 was returned, returning EIO.
[DBG] curl.cpp:RequestPerform(1953): Body Text: <?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidRequest</Code><Message>The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.</Message></Error>
[ERR] curl.cpp:CheckBucket(2953): Check bucket failed, S3 response: <?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidRequest</Code><Message>The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.</Message></Error>
[CRT] s3fs.cpp:s3fs_check_service(3807): Bad Request(host=http://ontap-bucket:80) - result of checking service.
[DBG] curl.cpp:ReturnHandler(306): Return handler to pool: 31
[ERR] s3fs.cpp:s3fs_exit_fuseloop(3368): Exiting FUSE event loop due to errors

INIT: 7.19
flags=0x00000011
max_readahead=0x00020000
max_write=0x00020000
max_background=0
congestion_threshold=0
unique: 2, success, outsize: 40
[INF] s3fs.cpp:s3fs_destroy(3441): destroy
[WAN] s3fs.cpp:s3fs_destroy(3445): Could not release curl library.
root@ubuntu1804:/#

csoza · ‎2021-04-08

Hi Alexandre,

Are you using v4 signature?

I found this on the S3 FAQ

My client application uses v2 signatures. Why am I getting errors?
Answer: S3 in ONTAP requires the use of Signature Version 4 (v4 signatures). Using v2 signatures will result in a failure to connect. It is important to be aware of this because many client applications, including commonly used S3 browsers, use v2 signatures by default. Configure client applications to use v4 signatures to avoid connectivity errors.