S3 Storage

CloudShark can store capture files in Amazon S3 or S3-compatible storage using Mountpoint for Amazon S3, an official Amazon product that mounts S3 buckets as local file systems. Note that CloudShark cannot import existing PCAPs from an S3 bucket; this feature only configures CloudShark to use a new, empty S3 bucket for storing capture files.

This article describes how to configure CloudShark to store packet capture files in S3 storage instead of the local file system.

S3 storage is not compatible with the CloudShark OVA distribution. To use S3 storage, CloudShark must be installed manually on your system. See Legacy Installation for details.

Using S3 storage requires:

  • Access to an S3-compatible storage service (Amazon S3, DigitalOcean Spaces, etc.)
  • S3 bucket credentials (access key and secret key)

Installation

Download and install the Mountpoint for S3 RPM on your CloudShark system by running the following commands:

curl -o mount-s3.rpm https://s3.amazonaws.com/mountpoint-s3-release/latest/x86_64/mount-s3.rpm
dnf install ./mount-s3.rpm

Configuration

First, create the directory where the S3 bucket will be mounted and set the owner to the cloudshark user:

mkdir /mnt/s3
chown cloudshark: /mnt/s3

Then, stop CloudShark, move the existing CloudShark data directory and make it a symlink to this directory:

systemctl stop cloudshark-full
mv /usr/cloudshark/data /usr/cloudshark/data.orig/
sudo -u cloudshark ln -s /mnt/s3 /usr/cloudshark/data

Now, create an AWS credentials file at /home/cloudshark/.aws/credentials with the following format and your access and secret keys:

[default]
aws_access_key_id=<YOUR_ACCESS_KEY>
aws_secret_access_key=<YOUR_SECRET_KEY>

Create a systemd service to mount the S3 bucket at /usr/lib/systemd/system/mount-s3.service. Here is an example that you can update with your S3 endpoint URL, region, and bucket name.

The mount-s3 service must start before cloudshark-autoimport to prevent file conflicts. This systemd service ensures proper startup order.

[Unit]
Description=Mountpoint for Amazon S3 mount
Wants=network-online.target
After=network-online.target
AssertPathIsDirectory=/mnt/s3
Before=cloudshark-autoimport.service

[Service]
Type=forking
User=cloudshark
Group=cloudshark
ExecStart=/usr/bin/mount-s3 --endpoint-url <YOUR_ENDPOINT_URL> --region <YOUR_AWS_REGION> --force-path-style --allow-delete --cache /tmp --allow-root --allow-overwrite --max-cache-size 10000 --upload-checksums off <YOUR_BUCKET_NAME> /mnt/s3
ExecStop=/usr/bin/fusermount -u /mnt/s3

[Install]
WantedBy=remote-fs.target

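Enable FUSE user permissions by uncommenting the line user_allow_other in /etc/fuse.conf. This will allow other Linux users such as root to view and access the files stored in the S3 bucket. FUSE only lets a non-root user such as cloudshark mount with the --allow-root option used in the service file when this setting is present. Then start and enable the systemd service by running the command: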

systemctl enable --now mount-s3

If you have any existing captures stored on the file system, they can be copied to S3 by running:

sudo -u cloudshark cp -r /usr/cloudshark/data.orig/* /usr/cloudshark/data

Finally, start the CloudShark service and begin using S3 storage for all of your PCAP files:

systemctl start cloudshark-full

Cache Settings

Mountpoint for S3 implements a local cache to improve performance when accessing capture files. When a capture file is requested, it is downloaded from S3 and stored in the local cache. Subsequent access to the same file will use the cached copy instead of downloading it again from S3. The example systemd service file uses /tmp as the cache directory.

The cache size can be configured using the --max-cache-size <MiB> parameter in the example systemd service file and should be set to approximately 25% of the expected total PCAP storage.

The cache directory should have sufficient space and fast disk access. For optimal performance, consider using an SSD for the cache location.

For additional information on how Mountpoint for S3 caches files, read the official documentation.

Troubleshooting

If you encounter issues with the S3 mount, try the following:

  • Check the systemd service status:
    systemctl status mount-s3
  • Verify network connectivity to your S3 endpoint.
  • Ensure the credentials file has correct permissions. It needs to be readable by the cloudshark user.
  • Check system logs for mount-s3 related errors:
    journalctl -u mount-s3
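
The configuration steps and the file checks above can be verified together with a short script. This is an added example, not part of CloudShark or Mountpoint for S3: the function names are hypothetical, and requiring the credentials file to be closed to group and other users is this example's assumption, stricter than the article's "readable by the cloudshark user".

```shell
#!/bin/sh
# Added example: preflight checks for the S3 storage setup on this page.
# Function names are hypothetical; paths in preflight() are the article's.

fail() { echo "FAIL: $*" >&2; return 1; }

# Credentials: owned by the service user, owner-readable, no group/other
# access (assumption of this example), and no template placeholders left.
check_credentials() {  # $1=file $2=expected owner
    [ -f "$1" ] || { fail "$1 missing"; return 1; }
    [ "$(stat -c %U "$1")" = "$2" ] || { fail "$1 not owned by $2"; return 1; }
    case "$(stat -c %a "$1")" in
        [4-7]00) ;;
        *) fail "$1 must be owner-readable with no group/other access"; return 1 ;;
    esac
    ! grep -q '<YOUR_' "$1" || fail "$1 still contains <YOUR_...> placeholders"
}

check_fuse_conf() {  # $1=fuse.conf
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "$1" ||
        fail "user_allow_other is not uncommented in $1"
}

check_data_symlink() {  # $1=link $2=expected target
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ] ||
        fail "$1 is not a symlink to $2"
}

check_unit() {  # $1=systemd unit file
    grep -q '^Before=.*cloudshark-autoimport\.service' "$1" ||
        { fail "$1 lacks Before=cloudshark-autoimport.service"; return 1; }
    ! grep -q '<YOUR_' "$1" || fail "$1 still contains <YOUR_...> placeholders"
}

check_mounted() {  # $1=mount point $2=mounts table (e.g. /proc/mounts)
    awk -v m="$1" '$2 == m && $3 ~ /^fuse/ { ok = 1 } END { exit !ok }' "$2" ||
        fail "$1 is not a FUSE mount"
}

preflight() {
    rc=0
    check_credentials /home/cloudshark/.aws/credentials cloudshark || rc=1
    check_fuse_conf /etc/fuse.conf || rc=1
    check_data_symlink /usr/cloudshark/data /mnt/s3 || rc=1
    check_unit /usr/lib/systemd/system/mount-s3.service || rc=1
    check_mounted /mnt/s3 /proc/mounts || rc=1
    return $rc
}
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as root with --run after enabling mount-s3 and before starting cloudshark-full; each failed check prints one FAIL line and the exit status is non-zero.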

For additional assistance, please contact QA Cafe Support.