Set object storage bucket acl via environment variable

I’m trying to set the object storage ACL to null because I’m using a MinIO object store as the backend, where ACLs are not supported. I’m using the official Docker image and trying to set it via environment variables. This is somehow not working; I still get an error when changing a private video to public. Any suggestions on this?

Can you share PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PRIVATE and PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PUBLIC env?
And paste the peertube error?

Hi @Chocobozzz thanks for your reply!

I’ve set the acl env vars to an empty string for now:

root@peertube1-peertube-86996b855d-d64hj:/app# env | grep ACL
PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PRIVATE=
PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PUBLIC=

I also tried null and public-read for both values - with no difference.

The error message I get is:

Backend returned code 500, errorMessage is: A header you provided implies functionality that is not implemented ()

Can you try PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PRIVATE=""? (same for public)

Still the same error with

root@peertube1-peertube-86996b855d-wn28l:/app# env|grep ACL
PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PRIVATE=""
PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PUBLIC=""

set.

Can you try to add

object_storage:
  upload_acl:
    public: null # Set to null here because we can't do it using env variables
    private: null

in your container, in /app/support/docker/production/config/production.yaml? Then restart the container.

@Chocobozzz that worked, thanks a lot!

I removed the ACL environment variables and patched the change on pod startup into production.yaml file you mentioned. My instance is running in a Kubernetes cluster and changes in the container won’t survive a restart.

It was just to know if the fix I’ll push would fix the issue.
You can also create a production.yaml in your docker-volume/config that should override default configuration.


We have a similar issue with PeerTube on k8s and Minio as S3 storage backend. When trying to change a video from private to public or the other way round, we get:

Cannot apply function on playlist-dev/hls/d18e2222-6daa-41d5-acfd-9fa848a54c79 prefix in bucket playlist-dev: no files listed.

EDIT: Got it working. Putting both ACL configs in env to "" is not sufficient, you really need to set it in production.yaml to null.

Maybe somebody can share a bucket policy for MinIO that fits this scenario?


I’m using this bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::peertube"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::peertube/*"
            ]
        }
    ]
}

Cheers!

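Added example, not part of the thread: a small Python check of what the bucket policy posted above allows to unauthenticated clients. The function names and the sample object key are made up for illustration, and Deny statements and Condition blocks are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# The policy from the post above, embedded so the check runs offline.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": ["*"]},
   "Action": ["s3:GetBucketLocation"], "Resource": ["arn:aws:s3:::peertube"]},
  {"Effect": "Allow", "Principal": {"AWS": ["*"]},
   "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::peertube/*"]}
]}
""")


def _as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    # "*" or {"AWS": "*"} / {"AWS": ["*"]} means any caller, signed or not.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def anonymous_grants(policy):
    """Sorted (action, resource) pairs allowed to unauthenticated clients."""
    grants = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                grants.add((action, resource))
    return sorted(grants)


def anonymous_can(policy, action, resource_arn):
    # fnmatchcase approximates the "*" and "?" wildcards used in policies.
    return any(fnmatchcase(action, a) and fnmatchcase(resource_arn, r)
               for a, r in anonymous_grants(policy))


if __name__ == "__main__":
    for action, resource in anonymous_grants(POLICY):
        print("anonymous Allow:", action, "on", resource)
```

The result shows anonymous read access to every object key in the bucket and no anonymous list or write access.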