Re: [PATCH 2/2] block/curl: add support for S3 presigned URLs

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Markus Armbruster <armbru@redhat.com>
To: Antoine Damhet <adamhet@scaleway.com>
Cc: qemu-devel@nongnu.org,  qemu-block@nongnu.org,
	 Kevin Wolf <kwolf@redhat.com>,  Hanna Reitz <hreitz@redhat.com>,
	 Pierrick Bouvier <pierrick.bouvier@linaro.org>,
	 Eric Blake <eblake@redhat.com>
Subject: Re: [PATCH 2/2] block/curl: add support for S3 presigned URLs
Date: Tue, 17 Feb 2026 09:53:11 +0100	[thread overview]
Message-ID: <878qcroio8.fsf@pond.sub.org> (raw)
In-Reply-To: <20260212162730.440855-3-adamhet@scaleway.com> (Antoine Damhet's message of "Thu, 12 Feb 2026 17:27:25 +0100")

Antoine Damhet <adamhet@scaleway.com> writes:

> S3 presigned URLs are signed for a specific HTTP method (typically GET
> for our use cases). The curl block driver currently issues a HEAD
> request to discover the backend features and the file size, which fails
> with 403.
>
> Add a 'force-range' option that skips the HEAD request and instead
> issues a minimal GET request (querying 1 byte from the server) to
> extract the file size from the 'Content-Range' response header. To
> achieve this the 'curl_header_cb' is redesigned to generically parse
> HTTP headers.
>
> $ $QEMU -drive driver=http,\
>              'url=https://s3.example.com/some.img?X-Amz-Security-Token=XXX',
>              force-range=true
>
> Enabling the 'force-range' option without the backend supporting it is
> undefined behavior and untested

"Undefined behavior" suggests it could do anything, even destroy data.
I hope that's not the case.  What is the case?

What is "the backend"?  The web server specified with @url?

>                                 but the libcurl should ignore the body
> and stop reading after the HTTP headers then we would fail with the
> expected `Server does not support 'range' (byte ranges).` error.
>
> Signed-off-by: Antoine Damhet <adamhet@scaleway.com>
> ---

[...]

> diff --git a/qapi/block-core.json b/qapi/block-core.json
> index b82af7425614..ff018c2d6bfb 100644
> --- a/qapi/block-core.json
> +++ b/qapi/block-core.json
> @@ -4582,12 +4582,17 @@
>  # @cookie-secret: ID of a QCryptoSecret object providing the cookie
>  #     data in a secure way.  See @cookie for the format.  (since 2.10)
>  #
> +# @force-range: Don't issue a HEAD HTTP request to discover if the
> +#     backend supports range requests and rely only on GET requests.
> +#     This is especially useful for S3 presigned URLs.  (since 11.0)

Unlike the commit message, this doesn't mention the need for "the
backend" (whatever that may be) supporting it.

> +#
>  # Since: 2.9
>  ##
>  { 'struct': 'BlockdevOptionsCurlHttp',
>    'base': 'BlockdevOptionsCurlBase',
>    'data': { '*cookie': 'str',
> -            '*cookie-secret': 'str'} }
> +            '*cookie-secret': 'str',
> +            '*force-range': 'bool'} }
>  
>  ##
>  # @BlockdevOptionsCurlHttps:
> @@ -4605,13 +4610,18 @@
>  # @cookie-secret: ID of a QCryptoSecret object providing the cookie
>  #     data in a secure way.  See @cookie for the format.  (since 2.10)
>  #
> +# @force-range: Don't issue a HEAD HTTP request to discover if the
> +#     backend supports range requests and rely only on GET requests.
> +#     This is especially useful for S3 presigned URLs.  (since 11.0)
> +#
>  # Since: 2.9
>  ##

@force-range is is duplicated between BlockdevOptionsCurlHttp and
BlockdevOptionsCurlHttps.  @cookie and @cookie-secret is already
duplicated before the patch.  Time to factor out a common base type?

>  { 'struct': 'BlockdevOptionsCurlHttps',
>    'base': 'BlockdevOptionsCurlBase',
>    'data': { '*cookie': 'str',
>              '*sslverify': 'bool',
> -            '*cookie-secret': 'str'} }
> +            '*cookie-secret': 'str',
> +            '*force-range': 'bool'} }
>  
>  ##
>  # @BlockdevOptionsCurlFtp:

next prev parent reply	other threads:[~2026-02-17  8:53 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-02-12 16:27 [PATCH 0/2] block/curl: fix S3 presigned URL support Antoine Damhet
2026-02-12 16:27 ` [PATCH 1/2] block/curl: fix concurrent completion handling Antoine Damhet
2026-02-24 13:54   ` Kevin Wolf
2026-02-12 16:27 ` [PATCH 2/2] block/curl: add support for S3 presigned URLs Antoine Damhet
2026-02-17  8:53   ` Markus Armbruster [this message]
2026-02-23 17:18     ` Antoine Damhet
2026-02-24  8:30       ` Markus Armbruster

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=878qcroio8.fsf@pond.sub.org \
    --to=armbru@redhat.com \
    --cc=adamhet@scaleway.com \
    --cc=eblake@redhat.com \
    --cc=hreitz@redhat.com \
    --cc=kwolf@redhat.com \
    --cc=pierrick.bouvier@linaro.org \
    --cc=qemu-block@nongnu.org \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.