Skip to content

OBJ: add ca_bundle option in obj plugin and nixlbench #806

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Sep 29, 2025
Merged

OBJ: add ca_bundle option in obj plugin and nixlbench #806

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
64c606a
obj: Add ca_bundle option for S3 compatible storage
ziruiliu Sep 17, 2025
d219fec
Merge branch 'ai-dynamo:main' into main
ziruiliu Sep 17, 2025
6651d4a
obj: Add ca_bundle option in README.md
ziruiliu Sep 18, 2025
d4514e7
Update benchmark/nixlbench/src/utils/utils.cpp
ziruiliu Sep 18, 2025
b85ef3e
obj: add ca_bundle option
ziruiliu Sep 19, 2025
5c2f091
Merge branch 'main' into main
ziruiliu Sep 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions benchmark/kvbench/commands/args.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -264,6 +264,11 @@ def nixl_bench_args(func):
type=str,
help="Required checksum type for S3 backend [supported, required] (only used with OBJ backend)",
)(func)
func = click.option(
"--obj_ca_bundle",
type=str,
help="Path to CA bundle for S3 backend (only used with OBJ backend)",
)(func)
return func


Expand Down
4 changes: 4 additions & 0 deletions benchmark/nixlbench/src/utils/utils.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -120,6 +120,7 @@ DEFINE_string(obj_endpoint_override, "", "Endpoint override for S3 backend");
DEFINE_string(obj_req_checksum,
XFERBENCH_OBJ_REQ_CHECKSUM_SUPPORTED,
"Required checksum for S3 backend [supported, required]");
DEFINE_string(obj_ca_bundle, "", "Path to CA bundle for S3 backend");

// HF3FS options - only used when backend is HF3FS
DEFINE_int32(hf3fs_iopool_size, 64, "Size of io memory pool");
Expand Down Expand Up @@ -169,6 +170,7 @@ std::string xferBenchConfig::obj_region = "";
bool xferBenchConfig::obj_use_virtual_addressing = false;
std::string xferBenchConfig::obj_endpoint_override = "";
std::string xferBenchConfig::obj_req_checksum = "";
std::string xferBenchConfig::obj_ca_bundle = "";
int xferBenchConfig::hf3fs_iopool_size = 0;

int
Expand Down Expand Up @@ -235,6 +237,7 @@ xferBenchConfig::loadFromFlags() {
obj_use_virtual_addressing = FLAGS_obj_use_virtual_addressing;
obj_endpoint_override = FLAGS_obj_endpoint_override;
obj_req_checksum = FLAGS_obj_req_checksum;
obj_ca_bundle = FLAGS_obj_ca_bundle;

// Validate OBJ S3 scheme
if (obj_scheme != XFERBENCH_OBJ_SCHEME_HTTP &&
Expand Down Expand Up @@ -412,6 +415,7 @@ xferBenchConfig::printConfig() {
obj_endpoint_override);
printOption("OBJ S3 required checksum (--obj_req_checksum=[supported, required])",
obj_req_checksum);
printOption("OBJ S3 CA bundle (--obj_ca_bundle=cert-path)", obj_ca_bundle);
}

if (xferBenchConfig::isStorageBackend()) {
Expand Down
1 change: 1 addition & 0 deletions benchmark/nixlbench/src/utils/utils.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -166,6 +166,7 @@ class xferBenchConfig {
static bool obj_use_virtual_addressing;
static std::string obj_endpoint_override;
static std::string obj_req_checksum;
static std::string obj_ca_bundle;
static int hf3fs_iopool_size;

static int
Expand Down
4 changes: 4 additions & 0 deletions benchmark/nixlbench/src/worker/nixl/nixl_worker.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -192,6 +192,10 @@ xferBenchNixlWorker::xferBenchNixlWorker(int *argc, char ***argv, std::vector<st
xferBenchConfig::obj_use_virtual_addressing ? "true" : "false";
backend_params["req_checksum"] = xferBenchConfig::obj_req_checksum;

if (xferBenchConfig::obj_ca_bundle != "") {
backend_params["ca_bundle"] = xferBenchConfig::obj_ca_bundle;
}

if (xferBenchConfig::obj_endpoint_override != "") {
backend_params["endpoint_override"] = xferBenchConfig::obj_endpoint_override;
}
Expand Down
4 changes: 3 additions & 1 deletion src/plugins/obj/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ Backend parameters are passed as a key-value map (`nixl_b_params_t`) when creati
| `region` | AWS region for the S3 service | `us-east-1` | No |
| `use_virtual_addressing` | Use virtual-hosted-style addressing (`true`/`false`) | `false` | No |
| `req_checksum` | Request checksum validation (`required`/`supported`) | - | No |
| `ca_bundle` | path to a custom certificate bundle | - | No |

\* If `access_key` and `secret_key` are not provided, the AWS SDK will attempt to use default credential providers (IAM roles, environment variables, credential files, etc.)

Expand Down Expand Up @@ -115,7 +116,8 @@ nixl_b_params_t params = {
{"scheme", "http"},
{"region", "us-east-1"},
{"use_virtual_addressing", "false"},
{"req_checksum", "supported"}
{"req_checksum", "supported"},
{"ca_bundle", "/root/ca-certs/cacert.pem"}
};
agent.createBackend("obj", params);
```
Expand Down
3 changes: 3 additions & 0 deletions src/plugins/obj/obj_s3_client.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,9 @@ createClientConfiguration(nixl_b_params_t *custom_params) {
"'. Must be 'required' or 'supported'");
}

auto ca_bundle_it = custom_params->find("ca_bundle");
if (ca_bundle_it != custom_params->end()) config.caFile = ca_bundle_it->second;

return config;
}

Expand Down