Jump to content

S3 Object Storage on PMSS

From Pulsed Media Wiki


S3 Object Storage on PMSS means running an S3-compatible endpoint on top of your own storage box or seedbox. PMSS does not sell a managed S3 product: your account is disk space with SSH, SFTP, rclone, and Docker rootless. What you can do is put an S3 API in front of that disk yourself, in one command, and point any S3 client at it. The endpoint runs on your box, the keys are yours, and the data stays in Pulsed Media's Finnish datacenters.

This is useful when an application only speaks S3: Restic's S3 backend, a Proxmox Backup Server S3 datastore, s3fs mounts, or any app that expects a bucket. You get the S3 interface without renting cloud object storage, and without per-request or egress fees.

Two ways to run the endpoint

Both run on the box, expose an S3 API on a port, and serve files from a directory under your home.

Option A: rclone serve s3

The lightweight path. rclone is pre-installed fleet-wide; the s3 server needs rclone 1.65 or newer. Check the version first:

rclone version

If it is older than 1.65, drop the latest binary from rclone.org/downloads into ~/bin/. Run the server inside a tmux session so it survives a disconnect:

tmux new -s rclone-s3
rclone serve s3 --addr 0.0.0.0:9000 \
  --auth-key 'YOUR-ACCESS-KEY,YOUR-SECRET-KEY' \
  /home/USERNAME/s3-bucket
# Detach with Ctrl-b then d

Files written to the bucket land as normal files under /home/USERNAME/s3-bucket, so you can still reach them over SFTP or SSH.

Option B: MinIO via Docker rootless

MinIO adds a web console, bucket policies, versioning, and metrics, at the cost of more RAM. It runs as a rootless Docker container:

docker run -d --name minio --restart unless-stopped \
  -p 9000:9000 -p 9001:9001 \
  -e MINIO_ROOT_USER=YOUR-ACCESS-KEY \
  -e MINIO_ROOT_PASSWORD=YOUR-SECRET-KEY \
  -v /home/USERNAME/minio-data:/data \
  minio/minio:latest server /data --console-address :9001

The console comes up at https://SERVER.pulsedmedia.com:9001 once you allow the port. See Docker on PMSS for port and access setup.

TLS is required for most clients

Some S3 clients, Proxmox Backup Server among them, refuse plain HTTP. Give the endpoint a certificate. A self-signed cert is quick:

openssl req -x509 -newkey rsa:2048 -days 365 -nodes \
  -keyout /home/USERNAME/s3-key.pem \
  -out /home/USERNAME/s3-cert.pem \
  -subj "/CN=SERVER.pulsedmedia.com"

rclone serve s3 --addr 0.0.0.0:9000 \
  --cert /home/USERNAME/s3-cert.pem \
  --key /home/USERNAME/s3-key.pem \
  --auth-key 'YOUR-ACCESS-KEY,YOUR-SECRET-KEY' \
  /home/USERNAME/s3-bucket

For MinIO, mount public.crt and private.key into /root/.minio/certs/ inside the container. A proper Let's Encrypt certificate is the better path when your box has a stable hostname; a self-signed cert means the client must trust it or run in insecure mode.

What you can point at it

  • Restic: set the repository to s3:https://SERVER.pulsedmedia.com:9000/s3-bucket and export AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY with your access key and secret.
  • Proxmox Backup Server (4.0+): register the box as an S3 endpoint and datastore. The full walkthrough, including the PBS-side commands, is in the Proxmox backup tutorial.
  • Applications: anything with an S3 driver, backup tools, static-asset uploaders, object-store SDKs, connects with a custom endpoint URL, the access key, and the secret.
  • s3fs: mount the bucket as a local filesystem on another machine when an app needs a path instead of an API.

Security checklist

  • Use long, randomly generated values for the access key and secret. Defaults or short keys let anyone read your data.
  • Bind the listener to a VPN or a known client IP if you do not need public access. The examples bind to all interfaces for clarity.
  • Keep the bucket directory private at rest: chmod 700 /home/USERNAME/s3-bucket.
  • Combine with client-side encryption if the data is sensitive; the S3 layer moves bytes, it does not encrypt them for you.

See Also