out of Find centralized, trusted content and collaborate around the technologies you use most. Hedvig Object Storage is an S3 protocol-compatible implementation, with the following features: Access over HTTP and HTTPS. One way of finding the fully qualified SSL path to an S3 resource is to drill down to it using AWS console. You can do all this while enjoying Wekas scale, performance, security, and resiliency: Clients do not need to load any special software to gain the advantage of Wekas file system performance. How do you upload files directly to S3 over SSL? The Greenplum Database utility gpcheckcloud helps users create an s3 protocol configuration file and test a configuration file. Refer to Protecting Data Using Server-Side Encryption in the AWS documentation for additional information about AWS Server-Side Encryption. Use the gpcheckcloud utility to validate connectivity to the S3 bucket. For more information, see Protecting data using client-side encryption. Did any DOS compatibility layers exist for any UNIX-like systems before DOS started to become outmoded? Ozone-0.3.0-Alpha release adds S3 protocol as a first-class notion to Ozone. vegan) just to try it, does this inconvenience the caterers and staff? awscli.amazonaws.com/v2/documentation/api/latest/reference/, How Intuit democratizes AI development across teams through reusability. It still uses the amazon domain name (s3.amazonaws.com ) so it sucks ! 1997-document.write(new Date().getFullYear()); Commvault Systems Inc. All Rights Reserved. The default location of the s3 protocol configuration file is a file named s3.conf that resides in the data directory of each Greenplum Database segment instance: The gpseg_data_dir is the path to the Greenplum Database segment data directory, the gpseg_prefix is the segment prefix, and N is the segment ID. Thanks for contributing an answer to Server Fault! You may want to restrict maximum TLS/SSL version, when there is an interoperability problem with your server. S3 is a product from Amazon, and as such, it includes features that are outside the scope of Swift itself. Object store server: ONTAP S3 manages the objects, buckets and users. The s3 protocol obtains the S3 authentication credentials as follows: An s3 protocol configuration file contains Amazon Web Services (AWS) connection credentials and communication parameters. Browse other questions tagged, Where developers & technologists share private knowledge with coworkers, Reach developers & technologists worldwide, This didn't work for me, that is, I can still access. How safe is it to talk to S3 without SSL when running in EC2? The s3 protocol does not use the slash character (/) as a delimiter, so a slash character following a prefix is treated as part of the prefix itself. because they are from between two services that are both within Amazon's network. >, Select checkboxes from the left navigation to add pages to your PDF. WebThe s3 protocol is used in a URL that specifies the location of an Amazon S3 bucket and a prefix to use for reading or writing files in the bucket. The S3 permissions on any file that you read must include Open/Download and View for the S3 user ID that accesses the files. For information about the S3 file prefix, see the Amazon S3 documentation Listing Keys Hierarchically Using a Prefix and Delimiter. WebThe s3 protocol is used in a URL that specifies the location of an Amazon S3 bucket and a prefix to use for reading or writing files in the bucket. For example. We've documented this behavior here: http://docs.amazonwebservices.com/AmazonS3/latest/dev/BucketRestrictions.html, The only straight-forward fix for this is to use a bucket name that does not contain that character. A successful connection ends with the message: You can optionally use gpcheckcloud to validate uploading to and downloading from the S3 bucket. Note: When you use the Amazon S3 static website endpoint, connections between CloudFront and Amazon S3 are available only over HTTP. Of course, Wekas S3 performance scales linearly as more servers are added. payton109s answer is correct if youre in the default US-EAST-1 region. Are we guaranteed to be passing through only the AWS network when communicating from EC2 to S3 my.website.com.s3-website-us-east-1.amazonaws.com, How Intuit democratizes AI development across teams through reusability. >, Hedvig S3 Protocol-Compatible Object Storage User Guide This is the actual storage for the S3 protocol with up to 1,000 buckets per For example, if your bucket is in the us-west-2 (Oregon) region, you can do this: As previously stated, it's not directly possible, but you can set up Apache or nginx + SSL on a EC2 instance, CNAME your desired domain to that, and reverse-proxy to the (non-custom domain) S3 URLs. Feedback from people with some AWS experience would be appreciated. We support S3 audit logs and non-disruptive upgrades to the S3 service. The S3 file prefix is used for each new file uploaded to the S3 location as a result of inserting data to the table. Some links, resources, or references may no longer be accurate. cloud, every Kubernetes distribution, the private cloud and the edge. Watch Prayosha's video to learn more (10:18). WebThe s3 protocol is used in a URL that specifies the location of an Amazon S3 bucket and a prefix to use for reading or writing files in the bucket. If the connection fails, the utility displays information about failures such as invalid credentials, prefix, or server address (DNS error), or server not available. - the incident has nothing to do with me; can I use this this way? Is it plausible for constructed languages to be used to affect thought and control or mold people towards desired outcomes? For deflate compression, the protocol assumes a file with the .deflate suffix is a deflate compressed file. Asking for help, clarification, or responding to other answers. These applications work as is even if they call 186 This is the most advanced feature of the HTTP/2 protocol because it allows you to download web files via ASync mode from one server. For more information, see Setting permissions for website access. In Dungeon World, is the Bard's Arcane Art subject to the same failure outcomes as other spells? Greenplum Database can require up to threadnum * chunksize memory on each segment host when uploading or downloading S3 files. Expose existing data to S3 and migrate your application within the same data platform. The option is available for FTP protocol only. Do you need billing or technical support? To learn more, see our tips on writing great answers. ncdu: What's going on with this second size column? Now you need to install a SSL certificate. WebFrom the awesome comments below, here are some clarifications: this is NOT a question about HTTPS versus HTTP or the sensitivity of my data. The following is not tested but it should give you an idea of how to set it up for your case. Do you want to make http requests redirect to https? Amazon Simple Storage Service Dealing with SSL certificates when using Amazon S3 Virtual hosting and a multilevel domain? Thanks! HTTP / HTTPS outbound requests blocked in EC2 instance, AWS VPC Peering vs PrivateLink for network access to 3rd party cloud database, Styling contours by colour and by line thickness in QGIS. If your bucket is in a different region, use a slightly different URL: Where is the bucket location name. @ShaneMadden the overhead becomes significant when you upload a large number of small files, since the overhead is per REST request. Identify where you plan to locate the configuration file, and note the location and configuration option (if applicable). The nature of simulating nature: A Q&A with IBM Quantum researcher Dr. Jamie We've added a "Necessary cookies only" option to the cookie consent popup. Thanks for contributing an answer to Stack Overflow! Are we guaranteed to be passing through only the AWS network when communicating from EC2 to S3. Weka can be installed on any x86 based storage server in 15 minutes, as well as being available in AWS EC2 instances. Use the section parameter to specify the name of the configuration file section from which the s3 protocol reads configuration parameters. Mutually exclusive execution using std::atomic? If the NEWLINE parameter is not specified in the CREATE EXTERNAL TABLE command, the newline character must be identical in all data files for specific prefix. The SSL is disabled by default to protect you from its known serious vulnerabilities. If the files contain an optional header row, the column names in the header row cannot contain a newline character (\n) or a carriage return (\r). .gz is appended to the filename if compression is enabled for s3 writable tables (the default). Staging Ground Beta 1 Recap, and Reviewers needed for Beta 2. Writing a file to S3 requires that the S3 user ID have Upload/Delete permissions. For gzip compression, the protocol recognizes the format of a gzip compressed file. example cdn.example.com points to randomstring.cloudfront.net which points to your s3 bucket. For example. Create an s3 external table by specifying an s3 protocol URL in the CREATE EXTERNAL TABLE command, LOCATION clause. Amazon S3 boasts a durability rate of 99.999999999% over a given year (1 file in 100 billion may be lost every year) and it stores your files across several data rev2023.3.3.43278. Each Greenplum Database segment can download one file at a time from the S3 location using several threads. Modern Data Architecture, Weka Unleashes Its Blazingly Fast S3 Protocol Front End, WEKA Doesnt Make the GPU, WEKA Makes the GPU 20X Faster. Staging Ground Beta 1 Recap, and Reviewers needed for Beta 2. The key to implementing a cache coherence protocol is See About the s3 Protocol Configuration File. http://furniture.retailcatalog.us.s3.amazonaws.com/products/2061/6262u9665.jpg, I need it to be (https): is software-defined and is 100% open source under GNU AGPL v3. To specify an ECS endpoint (an Amazon S3 compatible service) in the LOCATION clause, you must set the s3 protocol configuration file parameter version to 2. Navigation Menu. NAS vs. SAN vs. DAS For example, consider the following 5 files that each have the S3_endpoint named s3-us-west-2.amazonaws.com and the bucket_name test1: Wildcard characters are not supported in an S3_prefix; however, the S3 prefix functions as if a wildcard character immediately followed the prefix itself. (adsbygoogle = window.adsbygoogle || []).push({}); 4.8 Although the S3_prefix is an optional part of the syntax, you should always include an S3 prefix for both writable and read-only s3 tables to separate datasets as part of the CREATE EXTERNAL TABLE syntax. Why do many companies reject expired SSL certificates as bugs in bug bounties? We also support standard client-side load balancers like Sidekick. Browse other questions tagged, Start here for a quick overview of the site, Detailed answers to any questions you might have, Discuss the workings and policies of this site. Why does Mister Mxyzptlk need to have a weakness in the comics? What can a lawyer do if the client wants him to be acquitted of everything despite serious evidence? Find centralized, trusted content and collaborate around the technologies you use most. WekaFS: The Ultimate High-Performance Object Protocol Access Refer to Using the gpcheckcloud Utility for information about this utility and other usage examples. images-furniture.retailcatalog.us IN CNAME furniture-retailcatalog-us.s3.amazonaws.com. http://furniture.retailcatalog.us/products/2061/6262u9665.jpg, Which is redirecting to: Linear Algebra - Linear transformation question. Disconnect between goals and daily tasksIs it me, or the industry? Representational state transfer (REST) is a Is Your Data Infrastructure Starving Your GPU-Driven AI? No additional configuration is required. You can use the s3 protocol to read and write data files on Amazon S3. Is it possible (via IAM, bucket policy, or otherwise) to force Amazon S3 to only serve content over HTTPS/SSL and deny all regular, unencrypted HTTP access? Staging Ground Beta 1 Recap, and Reviewers needed for Beta 2, How to Configure SSL for Amazon S3 bucket, Cloudfront serving over own SSL certificate, Amazon S3: using DNS alias to bucket + HTTPS at the same time. The utility is installed in the Greenplum Database $GPHOME/bin directory. To learn more, see our tips on writing great answers. I tried that; it simply blocks every access. The s3 protocol is used in a URL that specifies the location of an Amazon S3 bucket and a prefix to use for reading or writing files in the bucket. Customers simply use standard S3 clients like Boto3. Making statements based on opinion; back them up with references or personal experience. Wekas S3 support extends the benefits of parallel, distributed file systems to cloud-native applications, which need strong consistency, multiprotocol access, and high performance/low latency, particularly for small objects. I believe this can be achieved using a bucket policy. S3 transparently decrypts data during read operations of encrypted files accessed via readable external tables you create using the s3 protocol. Buckets: Buckets are built using FlexGroups. You can find your distribution's domain name in the. Greenplum Database can access an s3 protocol configuration file when the file is located on each segment host or when the file is served up by an http/https server. I found that there is a fair deal of overhead when uploading a lot of small files to S3. Can you point out where this is described in AWS docs? Does a summoned creature play immediately after being summoned by a ready action? and wireshark reports the response protocol used is TLSv1.2. S3 access is in addition to POSIX, NFS, SMB, NVIDIA GPUDirect Storage, and CSI plug-in. For example: The protocol name s3 must be the same as the protocol of the URL specified for the external table that you create to access an S3 resource. S3 supports these environment variables. You must specify the S3 endpoint name and bucket that you want to check. You also have the option to use an http/https server to serve up the configuration file. For example, if the Greenplum Database system consists of 16 segments and there was sufficient network bandwidth, creating 16 files in the S3 location allows each segment to download a file from the S3 location. Web1996 olympic figure skating medalists; bva decision timeline 2019; ethical legislation definition health and social care; north platte health pavilion Bulk update symbol size units from mm to map units in rule-based symbology. Weka Unleashes Its Blazingly Fast S3 Protocol Front End Robert Murphy. WebCache Coherency Protocols: Multiprocessors support the notion of migration, where data is migrated to the local cache and replication, where the same data is replicated in multiple caches. All of the files selected by the S3 URL (S3_endpoint/bucket_name/S3_prefix) are used as the source for the external table, so they must have the same format. If version is 1 or is not specified, this is an example of the LOCATION clause of the CREATE EXTERNAL TABLE command that specifies an Amazon S3 endpoint. For information about the version parameter, see About the s3 Protocol Configuration File. For example, Swift doesnt have anything to do with billing, whereas S3 buckets can be tied to Amazons billing system. Does Counterspell prevent from any further spells being cast on a given turn? The following example specifies a location in the gpadmin home directory: The /home/gpadmin/s3.conf file must reside on each segment host, and all segment instances on a host use the file. Asking for help, clarification, or responding to other answers. rev2023.3.3.43278. The pxf protocol can access data in S3 and other object store systems such as Azure, Google Cloud Storage, and Minio. To learn more, see our tips on writing great answers. Some of this overhead comes from SSL itself. The little gem to not miss is using that technique + "//" alone as your protocol beginning. Hi, I'm actually the guy who wrote the referencing link you put there "Joonha". So, yes it seems to be using SSL even for simple commands like ls. Why do small African island nations perform better than African continental nations, considering democracy and human development? How to temporarily switch profiles for AWS CLI? What sort of strategies would a medieval military use against a fantasy giant? Except for when the answer is "No". Internally, WekaFS leverages the industry-standard object stores of our partners to extend the namespace and offer great economics. For writable s3 tables, the s3 protocol URL specifies the endpoint and bucket name where Greenplum Database uploads data files for the table. If you specify an S3_prefix, then the s3 protocol selects all files that start with the specified prefix as data files for the external table. Wekas S3 front end has comprehensive S3 API support including Bucket Lifecycle, Policy, Object Tagging, and Object Multipart support. Hedvig S3 Protocol-Compatible Object Storage User Guide, Security Tokens as AWS Secret Access Keys. This is a response I got from their Premium Services. Refer to About Specifying the Configuration File Location for more information about the location options for the file. The corresponding function is called by every Greenplum Database segment instance. Click here to return to Amazon Web Services homepage, Key differences between a website endpoint and a REST API endpoint. Stack Exchange network consists of 181 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. Minimising the environmental effects of my dyson brain, Short story taking place on a toroidal planet or moon involving flying. You can specify a URL that is the proxy that S3 uses to connect to a data source. Share Improve this answer Follow answered Jun 22, 2019 at 18:59 Michael OConnor 51 6 Add a comment Your Answer Post Your Answer Dealing with SSL certificates when using Amazon S3 Virtual hosting and a multilevel domain? Find centralized, trusted content and collaborate around the technologies you use most. The protocol does not support virtual hosting of S3 buckets (binding a domain name to an S3 bucket). For information about the S3 endpoints supported by each signing process, see http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region. Using Kolmogorov complexity to measure difficulty of problems? doesn't really seems to solve it . Is it plausible for constructed languages to be used to affect thought and control or mold people towards desired outcomes? You must configure the s3 protocol before you can use it. By clicking Accept all cookies, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy. Improve this question. Amazon S3 - HTTPS/SSL - Is it possible? WebYes, the domain is different, but it allows you to serve content over SSL on an existing bucket on S3. To serve a static website hosted on Amazon S3, you can deploy a CloudFront distribution using one of these configurations: For more information on the two endpoint types, see Key differences between a website endpoint and a REST API endpoint. Check it out and sign up for an invite: http://aws.amazon.com/cloudfront/custom-ssl-domains, I know its a year after the fact, but using this solves it: https://s3.amazonaws.com/furniture.retailcatalog.us/products/2061/6262u9665.jpg. ", Is it safe to use S3 over HTTP from EC2, as opposed to HTTPS, aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3, How Intuit democratizes AI development across teams through reusability. You can specify options to test the ability to access an S3 bucket with a configuration file, and optionally upload data to or download data from files in the bucket. A big missing feature of S3 is accepting custom certificates for your domains. Is there a single-word adjective for "having exceptionally strong moral principles"? Similarly, log delivery is a service outside of Swift. See my new answer regarding why this works for some people and not others. Because Amazon S3 allows a maximum of 10,000 parts for multipart uploads, the minimum chunksize value of 8MB supports a maximum insert size of 80GB per Greenplum database segment. Not many! The safety or security level is a relative value that takes the risks, threats, and costs into account. Wekas data platform unifies both NVMe SSD and HDD media in a single namespace, providing fast object-over-NVMe flash and capacity object with HDD-enabled object storage from multiple partners. I saw a few other questions regarding this without any real answers or information (or so it appeared). With Wekas S3 front end, the same data can now be accessed from POSIX, S3, NFS, SMB, and GPUDirect Storage, as shown in the figure below, creating a huge strategic advantage for Weka customers. Follow these basic steps to use the s3 protocol with Greenplum Database external tables. Supported browsers are Chrome, Firefox, Edge, and Safari. Amazon Web Services protocol configuration options The Amazon Web Services (AWS) protocol is an outbound/active protocol for IBM QRadar that collects AWS CloudWatch Logs, Amazon Kinesis Data Streams, and WebThe Amazon AWS S3 REST API protocol is an active outbound protocol that collects AWS CloudTrail logs from Amazon S3 buckets. If the configuration parameter is set, the environment variables are ignored. Getting your static assets out of you application and onto S3 is a great first step in the first place. Amazon Simple Storage Service Object Storage. If you preorder a special airline meal (e.g. Connect and share knowledge within a single location that is structured and easy to search. So, yes it seems to be using SSL even for simple commands like ls. Is the S3 Protocol encrypted in transmission when using the SDK? What is the purpose of this D-shaped ring at the base of the tongue on my hiking boots? The following example specifies an IP address and port for an https server: Only the S3 endpoint is supported. See pxf:// Protocol. Did any DOS compatibility layers exist for any UNIX-like systems before DOS started to become outmoded? s3 protocol server-side encryption is deactivated by default. The default section is named default. Follow asked Jan 13, 2014 at 9:16. We can send you a link when your PDF is ready to download. Your question doesn't explain exactly what you want to do. (adsbygoogle = window.adsbygoogle || []).push({}); To reveal this page you need to select FTP or WebDAV file protocol and enable Encryption on Login dialog or select S3 protocol. Styling contours by colour and by line thickness in QGIS. Does AWS CLI use SSL when uploading data into S3? This is the perfect solution for web developers without a devops or sys-admin team. The s3 protocol configuration file is a text file that contains named sections and parameters. Site design / logo 2023 Stack Exchange Inc; user contributions licensed under CC BY-SA. AWS support for Internet Explorer ends on 07/31/2022. Connect and share knowledge within a single location that is structured and easy to search. Sure, your assets won't have an elegant domain, but how many customers inspect the html or underlying requests and tsk tsk tsk at the domain url? Everyone. Name lookups on the Internet are mostly tried first over UDP, and only fall back to TCP if that isnt going to work. So every time you lo How to upgrade AWS CLI to the latest version? rev2023.3.3.43278. The environment variables must be set must and must be accessible to Greenplum Database on all Greenplum Database hosts. Site design / logo 2023 Stack Exchange Inc; user contributions licensed under CC BY-SA. The maximum chunksize value of 128MB supports a maximum insert size 1.28TB per segment. No. Download Pricing. The AWS Access Key Id does not exist in our records. How to notate a grace note at the start of a bar with lilypond? "UNPROTECTED PRIVATE KEY FILE!" 1. On premises setup of infrastructure is much costlier than to just upload your data on the AWS S3 using few clicks. 2. S3 provides storage classe In contrast, if the location contained only 1 or 2 files, only 1 or 2 segments download data. If version is 2, this is an example LOCATION clause with the region parameter for an AWS S3 compatible service. Weka has been able to demonstrate line-rate performance with S3 access for small object and file benchmarks with linear scalability. Amazon Simple Storage Service (Amazon S3) provides secure, durable, highly-scalable object storage. Getting started with a secure static website, Granting read-only permission to an anonymous user. See Using the gpcheckcloud Utility. You can specify a proxy with the s3 protocol configuration parameter proxy or an environment variable. This example attempts to upload a local file, test-data.csv to an S3 bucket location using the s3 configuration file s3.mytestconf: A successful upload results in one or more files placed in the S3 bucket using the filename format abc.data[.gz]. By default, the AWS CLI uses SSL when communicating with AWS services. Thats not bad for our first results. The version parameter controls whether the region parameter is used in the LOCATION clause. On my ecommerce development business, we do linking to URLs with "//" instead of "https:// or "http://" because we never have to care at that point. For writable s3 tables, you must ensure that the chunksize setting can support the anticipated table size of your table. Perform these steps in each database in which you want to use the protocol: Create the read and write functions for the s3 protocol library: Declare the s3 protocol and specify the read and write functions you created in the previous step: To allow only Greenplum Database superusers to use the protocol, create it as follows: If you want to permit non-superusers to use the s3 protocol, create it as a TRUSTED protocol and GRANT access to those users. WebS3 is accessed using web-based protocols that use standard HTTP (S) and a REST-based application programming interface (API). Using indicator constraint with two variables. Is it possible (via IAM, bucket policy, or otherwise) to force Amazon S3 to only serve content over HTTPS/SSL and deny all regular, unencrypted HTTP access? HTTP Basic Authentication credentials passed in URL and encryption, SSL certificate rejected trying to access GitHub over HTTPS behind firewall, How to Configure SSL for Amazon S3 bucket, Getting Access Denied when calling the PutObject operation with bucket-level permission. UPDATE, DELETE, and TRUNCATE operations are not supported. Mutually exclusive execution using std::atomic? Advertisement By clicking Post Your Answer, you agree to our terms of service, privacy policy and cookie policy. WebSimple Storage Service (S3) is an object store interface protocol that was invented by Amazon. Learn About HPC Storage, HPC Storage Architecture and Use Cases Deny all HTTP requests to the bucket in question using the condition aws:SecureTransport: false. Your S3 account permissions govern your access to all S3 bucket objects, whether the data is encrypted or not. Is it correct to use "the" before "materials used in making buildings are"? Data security is maintained using protocol specific permission and access controls. On a 2nd read of your question, I think you're basically asking "Is the attack surface reduced due to the fact that I'm going from EC2 to S3 directly"; i.e. This website stores cookies on your computer. SSE-S3 encrypts your object data as it writes to disk, and transparently decrypts the data for you when you access it. What is the point of Thrower's Bandolier? The TLS/SSL page on the Advanced Site Settings dialog allows you to configure options of TLS/SSL protocols for FTPS, WebDAVS and S3. By clicking Post Your Answer, you agree to our terms of service, privacy policy and cookie policy. Isilon vs. Flashblade vs. Weka Browse other questions tagged, Where developers & technologists share private knowledge with coworkers, Reach developers & technologists worldwide. Disconnect between goals and daily tasksIs it me, or the industry? Browse other questions tagged, Where developers & technologists share private knowledge with coworkers, Reach developers & technologists worldwide. With WekaFS Version 3.12, WekaIO adds front-end support for Amazons Simple Storage Service (S3) protocol. I'm trying to get a feeling for the networking and protocol particularities of EC2 and S3. I poked around in the S3 docs and finally found a small note about it on the Virtual Hosting page: http://docs.amazonwebservices.com/AmazonS3/latest/dev/VirtualHosting.html, Just got it! The full path is displayed at the bottom of the Overview tab. https://furniture.retailcatalog.us.s3.amazonaws.com/products/2061/6262u9665.jpg. Weka provides a single global namespace, consolidating storage and eliminating the need to copy data to multiple storage silos. For information about Amazon S3, see Amazon S3. Between regions, no. >, Hedvig-supported AWS CLI Reference 0. Relation between transaction data and transaction id. Then, I want to serve my website through an Amazon CloudFront distribution. S3 is accessed using web-based protocols that use standard HTTP(S) and a REST-based application programming interface (API). Representational state The region parameter specifies the S3 data source region. 2 is just a function of the way networking works. So if you're not paying for AWS > S3 traffic, then yes, your attack surface is reduced because it's only passing through one network and not networks owned by a 3rd party, but that's not an excuse to not use HTTPS where it needs to be used. I saw this on another site (http://joonhachu.blogspot.com/2010/09/helpful-tip-for-amazon-s3-urls-for-ssl.html). Advertisement How can I troubleshoot issues with using a custom SSL certificate for my CloudFront distribution? How do you ensure that a red herring doesn't violate Chekhov's gun?