
Document that S3 ACLs must be enabled

Open AustinWise opened this issue 3 years ago • 7 comments

When using S3 compatible object stores to save attachments, object-level ACLs must be enabled. If they are not enabled, attaching pictures to toots will fail. For some object stores, the error message does not indicate the root cause of the problem.

Unfortunately it is likely that people will accidentally disable ACLs when first setting up Mastodon. This is because both AWS S3 and Google Cloud Storage disable object-level ACLs by default. The GUIs for creating buckets recommend somewhat strongly that they should not be enabled.

For example, the AWS docs say

we recommend that you disable ACLs except in unusual circumstances

And the creation UI looks like this:

image

It appears I'm not the only person who has had trouble with this:

  • mastodon/mastodon#17435
  • mastodon/mastodon#17978

AustinWise avatar Jul 02 '22 19:07 AustinWise
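A preflight check for the AWS S3 misconfiguration described in the post above, as an added example that is not part of the thread or of Mastodon's code. It assumes the JSON printed by `aws s3api get-bucket-ownership-controls` and `aws s3api get-public-access-block`, and that uploads carry a public ACL as discussed in the thread; the function name and sample documents are constructed for illustration.

```ruby
require "json"

# Object Ownership settings under which S3 still honours object ACLs.
ACL_CAPABLE = %w[ObjectWriter BucketOwnerPreferred].freeze

# ownership_json: output of `aws s3api get-bucket-ownership-controls`
# pab_json:       output of `aws s3api get-public-access-block`, or nil
#                 when the bucket has no public access block configured
# acl_preflight is a hypothetical helper name, not a Mastodon or AWS API.
def acl_preflight(ownership_json, pab_json = nil)
  problems = []

  rules = JSON.parse(ownership_json).dig("OwnershipControls", "Rules") || []
  ownership = rules.map { |r| r["ObjectOwnership"] }.compact.first
  if ownership == "BucketOwnerEnforced"
    problems << "Object Ownership is BucketOwnerEnforced: ACLs are disabled, " \
                "uploads that set a public-read ACL are rejected"
  elsif !ACL_CAPABLE.include?(ownership)
    problems << "no recognised ObjectOwnership rule (got #{ownership.inspect})"
  end

  pab = pab_json ? JSON.parse(pab_json).fetch("PublicAccessBlockConfiguration", {}) : {}
  if pab["BlockPublicAcls"]
    problems << "BlockPublicAcls is on: uploads carrying a public ACL are rejected"
  end

  { ownership: ownership, ok: problems.empty?, problems: problems }
end

# Constructed sample output: a bucket left on the console defaults.
DEFAULT_BUCKET = '{"OwnershipControls":{"Rules":[{"ObjectOwnership":"BucketOwnerEnforced"}]}}'
DEFAULT_PAB = '{"PublicAccessBlockConfiguration":{"BlockPublicAcls":true,' \
              '"IgnorePublicAcls":true,"BlockPublicPolicy":true,"RestrictPublicBuckets":true}}'
# Constructed sample output: ACLs enabled and public ACLs accepted.
ACL_BUCKET = '{"OwnershipControls":{"Rules":[{"ObjectOwnership":"BucketOwnerPreferred"}]}}'
ACL_PAB = '{"PublicAccessBlockConfiguration":{"BlockPublicAcls":false,' \
          '"IgnorePublicAcls":false,"BlockPublicPolicy":true,"RestrictPublicBuckets":true}}'

if __FILE__ == $PROGRAM_NAME
  [[DEFAULT_BUCKET, DEFAULT_PAB], [ACL_BUCKET, ACL_PAB]].each do |own, pab|
    result = acl_preflight(own, pab)
    puts "#{result[:ownership]}: #{result[:ok] ? 'OK' : result[:problems].join('; ')}"
  end
end
```

Running this against a new bucket before pointing Mastodon at it surfaces the setting directly, rather than through failed attachment uploads.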

I'm not sure there's any good reason for Mastodon to require Object-level ACLs, maybe https://github.com/kreeti/kt-paperclip/pull/92 would be a better approach instead?

nightpool avatar Jul 02 '22 21:07 nightpool

One place that Mastodon explicitly sets ACLs is when suspending an account. All media from the suspended account is made private using ACLs. There is a PR (https://github.com/mastodon/mastodon/pull/17979) that adds support for disabling the use of ACLs in Mastodon. However, a comment from @Gargron suggests that hiding media from suspended accounts is an important feature.

Besides the places where Mastodon explicitly sets ACLs, I needed to enable ACLs to successfully attach a picture to a toot. I tested this using Mastodon v3.5.3 against AWS S3 and GCS.

AustinWise avatar Jul 03 '22 01:07 AustinWise

That's a great point, I wasn't aware of that feature.

On Sat, Jul 2, 2022 at 8:17 PM Austin Wise @.***> wrote:

One place that Mastodon explicitly sets ACLs is when suspending an account. All media from the suspended account is made private using ACLs (https://github.com/mastodon/mastodon/blob/a233a9bfb5f384e89bdaef6e519fa20db2a99ae5/app/services/suspend_account_service.rb#L80). There is a PR (mastodon/mastodon#17979, https://github.com/mastodon/mastodon/pull/17979) that adds support for disabling the use of ACLs in Mastodon. However, a comment from @Gargron (https://github.com/mastodon/mastodon/pull/17979#issuecomment-1091421987) suggests that hiding media from suspended accounts is an important feature.

Besides the places where Mastodon explicitly sets ACLs, I needed to enable ACLs to successfully attach a picture to a toot. I tested this using Mastodon v3.5.3 against AWS S3 and GCS.


nightpool avatar Jul 05 '22 00:07 nightpool

This actually took down my instance. I enabled S3 uploads but used the recommended configuration from Amazon - i.e. no ACLs. This meant that all the uploads fail because Amazon does not have a "transparently ignore public ACLs but let the uploads succeed" option.

I didn't notice that jobs were failing at the time for two reasons:

  • I was migrating old media from a local filesystem.
  • I set up Amazon CloudFront to get around the fact that no ACLs = no public files.

This resulted in a massive queue of Sidekiq jobs piling up and Sidekiq constantly using more RAM than I had. Previously I had added swap space specifically for occasional memory excursions, but constant usage burns through EBS's burst balance really quick. And once you run out of EBS burst the instance locks up and dies.

kmeisthax avatar Nov 18 '22 00:11 kmeisthax

This just bit me. Can this one-line PR please be reviewed and merged?

twilde avatar Nov 23 '22 18:11 twilde

I rebased the commit to resolve merge conflicts and updated the description of this PR with more details.

AustinWise avatar Nov 26 '22 10:11 AustinWise

@nightpool Can you take another look at this PR? I updated the description with a more detailed description of why people are likely to incorrectly set up their S3-compatible storage. And there have been a couple of commenters mentioning that they hit this issue.

AustinWise avatar Dec 18 '22 03:12 AustinWise

@AustinWise I don't have permission to merge this PR but it LGTM

nightpool avatar Mar 16 '24 18:03 nightpool

Although note that the underlying bug here was fixed in 4.1.0 hopefully so it's still possible to use non-ACL services, it's just highly recommended to have ACLs enabled

On Sat, Jul 2, 2022 at 3:44 PM Austin Wise @.***> wrote:

When using the web GUI to create a bucket, both AWS S3 and Google Cloud Storage have object-level ACLs disabled by default.

You can view, comment on, or merge this pull request online at:

https://github.com/mastodon/documentation/pull/952


nightpool avatar Mar 17 '24 20:03 nightpool