Fix encrypted recording uploads in S3#60542
Merged
Conversation
…ad part; Support skipping padded part in streamer.
…turing and combining them.
Joerger
requested review from
eriktate and
rosstimothy
and removed request for
eriktate
github-actions
bot
added
audit-log
Contributor
|
@Joerger Manual test plan looks great. Just to confirm you tested against actual S3 right? |
Contributor
Author
Yes! |
rosstimothy
reviewed
Oct 24, 2025
Contributor
rosstimothy
left a comment
rosstimothy
left a comment
There was a problem hiding this comment.
Can we add test coverage to prevent a regression?
eriktate
reviewed
Oct 24, 2025
eriktate
approved these changes
Oct 27, 2025
Joerger
force-pushed
the
joerger/pad-encrypted-recordings-s3
branch
from
5f579c7 to
34f1f23
Compare
Contributor
Author
|
@eriktate @rosstimothy I made significant changes in recent commits, mostly to accommodate the new tests. I re-ran the manual test plan in the PR description. Can you give it a second look? |
rosstimothy
approved these changes
Oct 31, 2025
| // NewMemoryUploader returns a new memory uploader implementing multipart | ||
| // upload | ||
| func NewMemoryUploader(eventsC ...chan events.UploadEvent) *MemoryUploader { | ||
| func NewMemoryUploader(cfg ...MemoryUploaderConfig) *MemoryUploader { |
Contributor
There was a problem hiding this comment.
It sure would be nice to clean this API up one day 😬.
public-teleport-github-review-bot
bot
removed the request for review
from smallinsky
rosstimothy
reviewed
Oct 31, 2025
| @@ -438,26 +445,26 @@ func TestUploadBackoff(t *testing.T) { | |||
|
|
|||
| // Fix the streamer, make sure the upload succeeds | |||
| terminateConnectionAt.Store(0) | |||
| p.clock.BlockUntil(2) | |||
| p.clock.BlockUntilContext(ctx, 2) | |||
Contributor
There was a problem hiding this comment.
The Flaky Test Detector looks to maybe be hanging here?
goroutine 17077 [select]:
github.com/jonboulle/clockwork.(*FakeClock).BlockUntilContext(0xc00521f4a0, {0x4597898, 0xc0004c1110}, 0x2)
/go/pkg/mod/github.com/jonboulle/clockwork@v0.5.0/clockwork.go:244 +0xfb
github.com/gravitational/teleport/lib/events/filesessions.TestUploadBackoff(0xc001ca0fc0)
/__w/teleport/teleport/lib/events/filesessions/fileasync_test.go:448 +0xcb8
testing.tRunner(0xc001ca0fc0, 0x42389d0)
/opt/go/src/testing/testing.go:1934 +0x21d
created by testing.(*T).Run in goroutine 1
/opt/go/src/testing/testing.go:1997 +0x9d3
Contributor
Author
There was a problem hiding this comment.
It's just hitting the flaky test timeout, this is the slowest test of those that are run for this PR:
go test -run "^TestUploadBackoff$" github.com/gravitational/teleport/lib/events/filesessions --race --count=100
ok github.com/gravitational/teleport/lib/events/filesessions 164.958s
eriktate
approved these changes
Oct 31, 2025
Contributor
|
/excludeflake * |
Co-authored-by: Erik Tate <erik.tate@goteleport.com>
Contributor
Joerger
added a commit
that referenced
this pull request
Oct 31, 2025
* Add necessary padding to encrypted recordings for s3. * Add padded part instead of editing existing part; Don't pad last upload part; Support skipping padded part in streamer. * Reconstruct encrypted uploads from agent. * Concatenate upload parts into a single upload part instead of restructuring and combining them. * Make iterator buffer safe. * Remove padding from 128kb parts during concatenation. * Fix padding through gRPC service. * Cleanup; Fix discarded padding logic. * Add tests. * Fix bad upload test. * Expand test, add comments. * Minor edits. * Add padding helper with test; Add comments. * Fix tests, lint. * Don't use TELEPORT_UNSTABLE_GRPC_RECV_SIZE. * Apply suggestions from code review Co-authored-by: Erik Tate <erik.tate@goteleport.com> --------- Co-authored-by: Erik Tate <erik.tate@goteleport.com>
github-merge-queue bot
pushed a commit
that referenced
this pull request
Nov 3, 2025
* Add necessary padding to encrypted recordings for s3. * Add padded part instead of editing existing part; Don't pad last upload part; Support skipping padded part in streamer. * Reconstruct encrypted uploads from agent. * Concatenate upload parts into a single upload part instead of restructuring and combining them. * Make iterator buffer safe. * Remove padding from 128kb parts during concatenation. * Fix padding through gRPC service. * Cleanup; Fix discarded padding logic. * Add tests. * Fix bad upload test. * Expand test, add comments. * Minor edits. * Add padding helper with test; Add comments. * Fix tests, lint. * Don't use TELEPORT_UNSTABLE_GRPC_RECV_SIZE. * Apply suggestions from code review --------- Co-authored-by: Erik Tate <erik.tate@goteleport.com>
mmcallister
pushed a commit
that referenced
this pull request
Nov 19, 2025
* Add necessary padding to encrypted recordings for s3. * Add padded part instead of editing existing part; Don't pad last upload part; Support skipping padded part in streamer. * Reconstruct encrypted uploads from agent. * Concatenate upload parts into a single upload part instead of restructuring and combining them. * Make iterator buffer safe. * Remove padding from 128kb parts during concatenation. * Fix padding through gRPC service. * Cleanup; Fix discarded padding logic. * Add tests. * Fix bad upload test. * Expand test, add comments. * Minor edits. * Add padding helper with test; Add comments. * Fix tests, lint. * Don't use TELEPORT_UNSTABLE_GRPC_RECV_SIZE. * Apply suggestions from code review Co-authored-by: Erik Tate <erik.tate@goteleport.com> --------- Co-authored-by: Erik Tate <erik.tate@goteleport.com>
mmcallister
pushed a commit
that referenced
this pull request
Nov 20, 2025
* Add necessary padding to encrypted recordings for s3. * Add padded part instead of editing existing part; Don't pad last upload part; Support skipping padded part in streamer. * Reconstruct encrypted uploads from agent. * Concatenate upload parts into a single upload part instead of restructuring and combining them. * Make iterator buffer safe. * Remove padding from 128kb parts during concatenation. * Fix padding through gRPC service. * Cleanup; Fix discarded padding logic. * Add tests. * Fix bad upload test. * Expand test, add comments. * Minor edits. * Add padding helper with test; Add comments. * Fix tests, lint. * Don't use TELEPORT_UNSTABLE_GRPC_RECV_SIZE. * Apply suggestions from code review Co-authored-by: Erik Tate <erik.tate@goteleport.com> --------- Co-authored-by: Erik Tate <erik.tate@goteleport.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changelog: Fix a bug where encrypted sessions recordings could not be uploaded to S3.
S3 buckets enforce a 5MB minimum for multipart uploads, but currently Encrypted recordings are uploaded in 128kb parts due to technical limitations.
This PR fixes this error by:
PartSize=0 && PaddingSize=1MBThis is a short term fix as the 1MB of padding per upload part is not ideal. It is also tangentially related to encrypted recordings not being processed for session summaries, metadata, or thumbnails. Note that due to the lack of metadata, this bug also results in encrypted recordings being unplayable in the WebUI in v18.2.3+. A more complete fix will be handled in a follow up PR.
Manual Testing (34f1f23):
tsh playand checked that it was the expected size in the S3 bucket.[ ] SettingTELEPORT_UNSTABLE_GRPC_RECV_SIZE=5MBshould result in the 1MB padding being skipped, as the client will create 5MB aggregated upload parts itself.[ ] SettingTELEPORT_UNSTABLE_GRPC_RECV_SIZE=5MBshould result in the 1MB padding being skipped, as the client will create 5MB aggregated upload parts itself.