feat(libstore): curl-based s3 #13752
Conversation
|
Would it be conceivable to just outright replace aws-sdk-cpp with this? I don't think we'd want to support it if we land this eventually. |
|
I was unsure about just removing the existing implementation outright, but I can do that if folks are OK with it? |
Can't speak for everyone, but I feel ripping out aws-sdk-cpp would be very welcome if the new thing is more lightweight and reuses the curl infrastructure with feature parity. That would definitely be better than supporting both implementations. |
|
@xokdvium I'm going to get this in a fully working state, and after I'm happy with it I'll tack on a final commit removing the old impl, so if there's tension we can discuss that point separately, or I can make it a separate PR, etc. I'm with you that if this works well, we're better off just tossing the old impl, though that would mean folks building with old curl would lose the ability to talk to s3, but idk if we care to support people building non-standard configurations like that. |
lovesegfault
force-pushed
the
curl-based-s3-v2
branch
from
cd41165 to
1046367
Compare
github-actions
bot
added
the
store
lovesegfault
force-pushed
the
curl-based-s3-v2
branch
2 times, most recently
from
2030275 to
86873ed
Compare
|
I want to definitely test this with our hydra staging instance to ensure it still can upload stuff to s3 buckets before merging. |
|
AFAICT this is ready for (very) preliminary testing; at least I was able to pull and push to an S3 store and auth just worked, like magic :) |
|
Nevermind, I messed something up, buckets outside of us-east-1 don't work :P |
lovesegfault
force-pushed
the
curl-based-s3-v2
branch
3 times, most recently
from
aefcffd to
3433232
Compare
lovesegfault
force-pushed
the
curl-based-s3-v2
branch
3 times, most recently
from
2dd60ad to
80e3327
Compare
lovesegfault
force-pushed
the
curl-based-s3-v2
branch
from
80e3327 to
3333622
Compare
This comment was marked as spam.
This comment was marked as spam.
Sorry, something went wrong.
This comment was marked as spam.
This comment was marked as spam.
Sorry, something went wrong.
|
#13803 This might also help clean some thing up. |
This commit replaces the AWS C++ SDK with a lighter curl-based approach for S3 binary cache operations. - Removed dependency on the heavy aws-cpp-sdk-s3 and aws-cpp-sdk-transfer - Added lightweight aws-crt-cpp for credential resolution only - Leverages curl's native AWS SigV4 authentication (requires curl >= 7.75.0) - S3BinaryCacheStore now delegates to HttpBinaryCacheStore - S3 URLs are converted to HTTPS URLs with proper authentication headers - Function s3ToHttpsUrl converts ParsedS3URL to ParsedURL - Multipart uploads are no longer supported (may be reimplemented later) - Build now requires curl >= 7.75.0 for AWS SigV4 support Fixes: NixOS#13084, NixOS#12671, NixOS#11748, NixOS#12403, NixOS#5947 PR: NixOS#13752
lovesegfault
force-pushed
the
curl-based-s3-v2
branch
from
1d012db to
421ce8c
Compare
This commit replaces the AWS C++ SDK with a lighter curl-based approach for S3 binary cache operations, addressing multiple issues and improving the overall architecture. ## Key Changes ### 1. Replaced AWS SDK with aws-crt-cpp + curl - Removed dependency on the heavy aws-cpp-sdk-s3 and aws-cpp-sdk-transfer - Added lightweight aws-crt-cpp for credential resolution only - Leverages curl's native AWS SigV4 authentication (requires curl >= 7.75.0) ### 2. Consolidated S3 support into HttpBinaryCacheStore - S3BinaryCacheStore now delegates to HttpBinaryCacheStore - Eliminates layer violation (S3 logic no longer in generic FileTransfer) - S3 URLs are converted to HTTPS URLs with proper authentication headers ### 3. Improved S3 URL handling - Added ParsedS3URL for structured S3 URL parsing - Function s3ToHttpsUrl converts ParsedS3URL to ParsedURL - Better support for custom endpoints and regions via query parameters ### 4. Fixed thread safety test - threadSafety_MultipleProviders now actually tests concurrent access - Spawns multiple threads accessing shared credential providers - Tests both concurrent credential fetching and provider creation ## Benefits - **Reduced memory usage**: Eliminates memory buffering issues that caused segfaults with large files (>3.5GB) - **Fixed upload reliability**: Resolves AWS SDK chunking errors (InvalidChunkSizeError) - **Resolved OpenSSL conflicts**: No more S2N engine override issues in sandboxed builds - **Lighter dependencies**: ~500 lines less code, simpler build process - **Better architecture**: Clean separation between storage and transport layers ## Breaking Changes - Multipart uploads are no longer supported (may be reimplemented later) - Build now requires curl >= 7.75.0 for AWS SigV4 support ## Migration No action required for most users. S3 URLs continue to work with the same syntax. Users directly using S3BinaryCacheStore class should migrate to standard HTTP binary cache stores with S3 endpoints. Fixes: NixOS#13084, NixOS#12671, NixOS#11748, NixOS#12403, NixOS#5947 PR: NixOS#13752 Co-authored-by: John Ericson <git@johnericson.me>
lovesegfault
force-pushed
the
curl-based-s3-v2
branch
from
421ce8c to
bff3b41
Compare
This commit replaces the AWS C++ SDK with a lighter curl-based approach for S3 binary cache operations. - Removed dependency on the heavy aws-cpp-sdk-s3 and aws-cpp-sdk-transfer - Added lightweight aws-crt-cpp for credential resolution only - Leverages curl's native AWS SigV4 authentication (requires curl >= 7.75.0) - S3BinaryCacheStore now delegates to HttpBinaryCacheStore - Function s3ToHttpsUrl converts ParsedS3URL to ParsedURL - Multipart uploads are no longer supported (may be reimplemented later) - Build now requires curl >= 7.75.0 for AWS SigV4 support Fixes: NixOS#13084, NixOS#12671, NixOS#11748, NixOS#12403, NixOS#5947 PR: NixOS#13752
lovesegfault
force-pushed
the
curl-based-s3-v2
branch
2 times, most recently
from
ea041aa to
bfb7b79
Compare
|
It's so stupid that if your PR references itself it causes this horrible rebase spam. Sorry for the noise folks |
|
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/2025-08-20-nix-team-meeting-minutes-242-241/68245/1 |
|
I'm looking at whether
Thoughts @Ericson2314 @xokdvium? |
|
I do vaguely remember caching was also already sort of broken-ish previously due to us not initializing the AWS SDK globally once but for each nix-daemon connection. It would be great if we can fix that though. Most AWS SDKs dont have the TTL tweakable. AWS temporary Credentials return an So ideally this isn't a tweakable parameter at all. The code has enough information from AWS STS API response to make TTL decisions |
|
Caching is indeed already implemented by which is used in the default credential chain: which is used here: https://github.com/awslabs/aws-crt-cpp/blob/main/source/auth/Credentials.cpp#L283 I think this is just "already working" Just gotta make sure that the |
lovesegfault
force-pushed
the
curl-based-s3-v2
branch
2 times, most recently
from
33fe27d to
102852e
Compare
|
I've implemented reusing of the |
This commit replaces the AWS C++ SDK with a lighter curl-based approach for S3 binary cache operations. - Removed dependency on the heavy aws-cpp-sdk-s3 and aws-cpp-sdk-transfer - Added lightweight aws-crt-cpp for credential resolution only - Leverages curl's native AWS SigV4 authentication (requires curl >= 7.75.0) - S3BinaryCacheStore now delegates to HttpBinaryCacheStore - Function s3ToHttpsUrl converts ParsedS3URL to ParsedURL - Multipart uploads are no longer supported (may be reimplemented later) - Build now requires curl >= 7.75.0 for AWS SigV4 support Fixes: NixOS#13084, NixOS#12671, NixOS#11748, NixOS#12403, NixOS#5947
lovesegfault
force-pushed
the
curl-based-s3-v2
branch
from
102852e to
bb0abfe
Compare
|
I got it :) |
lovesegfault
force-pushed
the
curl-based-s3-v2
branch
from
bb0abfe to
f673bb0
Compare
|
@arianvp I think that with the latest changes we now have one credential provider per profile per daemon. |
Motivation
#13084
Context
Early days, just making a draft for visibility and CI
Add 👍 to pull requests you find important.
The Nix maintainer team uses a GitHub project board to schedule and track reviews.