[pbs-devel] [RFC v2 proxmox/bookworm-stable proxmox-backup 00/42] S3 storage backend for datastores

Lukas Wagner l.wagner at proxmox.com
Wed Jun 4 13:58:19 CEST 2025 

On  2025-05-29 16:31, Christian Ebner wrote:
> Testing:
> For testing, an S3 compatible object store provided via Ceph RADOS
> gateway can be used by the following setup. This was performed on a
> pre-existing Ceph Reef 18.2 cluster.
> 

For further reference, here are the steps needed to set up a local MinIO [1] server.
Took me a bit of trial and error to get it to work, so I thought I'd share
my notes. Christian, feel free to include/reference them in upcoming revisions
of this patch series.


# Setting up a local MinIO server for testing PBS's S3 feature.

Download latest server, client and cert tool
```
wget https://dl.min.io/server/minio/release/linux-amd64/minio
wget https://dl.min.io/client/mc/release/linux-amd64/mc
wget https://github.com/minio/certgen/releases/latest/download/certgen-linux-amd64
chmod +x certgen-linux-amd64 mc minio
```

Next, create the HTTPS cert. You can also use `openssl` to create one, if you don't want
to use minio's tool.

```
mkdir certs && cd certs 
../certgen-linux-amd64 -host "localhost,s3.example.com"
cd ../
```

Start minio server:
```
MINIO_DOMAIN="s3.example.com" MINIO_ROOT_USER=admin MINIO_ROOT_PASSWORD=<admin-password> ./minio server ./data --console-address ":9001" --certs-dir ./certs
```

Create an alias for the local server in the client tool:
```
./mc alias set 'local' 'https://localhost:9000' 'admin' '<admin-password>'
```

For some reason you have to run this command twice. At first, it asks you to
confirm the certificate fingerprint but still fails with an error ('certificate
signed by an unknown authority'), but if you run it a second time, it works

Next, verify that the client connection works:
```
./mc ping local
```

After that, let's create the `pbs` bucket (mb = make bucket):
```
./mc mb local/pbs
```

After that, you need to create an entry in `/etc/hosts` on the PBS host.
S3 encodes the name of the bucket in the domain, so you have to make sure
that PBS can resolve the IP properly.
```
172.25.0.xxx pbs.s3.example.com
```

Finally, get the SHA256 fingerprint of the certificate so that you can use it in PBS later.
```
openssl x509 -noout -fingerprint -sha256 -inform pem -in certs/public.crt
```

When adding the S3 bucket in PBS, use the following values:
```
Host: pbs.s3.example.com
Port: 9000
Bucket: pbs
Access Key: admin
Secret Key: <admin-password>
Fingerprint: SHA256 from the previous command
```


[1] https://github.com/minio/minio

-- 
- Lukas

More information about the pbs-devel mailing list