Can't get AWS_NO_SIGN_REQUEST working

[valpesendorfer]

datacube-ows version: datacube-ows-update --version

Open Data Cube Open Web Services (datacube-ows) version 1.8.0-rc1.0

Description

I'm running a test deployment on OWS inside a docker container on a single EC2 instance. The data is stored as COGs on a co-located S3 bucket, which is open to the public for read.

Since I found out that using the IAM role as authentication for reading from S3 is a major slowdown (new token for each request), I wanted to see what the difference is compared to the unsigned AWS access on a public dateset.

I've set the following env variables:

AWS_DEFAULT_REGION=eu-central-1
AWS_NO_SIGN_REQUEST=TRUE

and confirmed that the variables are set in the running container.

I've started the docker container using the production settings (so with gunicorn) and behind an nginx container. Then using postman & locust I've set a getMap request for a tile of the dataset.

Still, it looks like for each request, botocore.credentials is roaming around for credentials, either using again the attached IAM role, or if detached, just returning a 404 error - in both cases an API call for a token is performed. The request keeps on going and eventually returning the data requested just fine. I'll attach a log below this message.

After playing a bit around with rasterio and the datacube.utils.rio functions, I think this happens each time activate_from_config is called, which seems to be in this case for each request. I've set up a test script, calling the config once, and the reading a raster from S3 multiple times. The search for credentials only happens after activate_from_config is called, for the successive reads, everything works as expected.

Not sure if I missed something with the setup, or if there's maybe a more persistent way to set up the rio env for the workers / threads that perform the read.

Thanks!

Here's the log for a request:

ows      | [2020-08-25 17:06:05 +0000] [9] [DEBUG] GET /wms
ows      | [2020-08-25 17:06:05,500] root [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] handle_wms args: ({'version': '1.1.1', 'request': 'GetMap', 'format': 'image/png', 'transparent': 'true', 'exceptions': 'application/vnd.ogc.se_inimage', 'bboxsr': '3857', 'imagesr': '3857', 'width': '256', 'height': '256', 'srs': 'EPSG:3857', 'styles': 'rfh', 'layers': 'rfh_dekad_pr', 'bbox': '11153691.16737292,6183449.840157617,11192826.925854929,6222585.59863963', 'referer': None, 'origin': None, 'requestid': None, 'host': '***', 'url_root': '***'},) kwargs: {}
ows      | [2020-08-25 17:06:05,501] root [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] get_map args: ({'version': '1.1.1', 'request': 'GetMap', 'format': 'image/png', 'transparent': 'true', 'exceptions': 'application/vnd.ogc.se_inimage', 'bboxsr': '3857', 'imagesr': '3857', 'width': '256', 'height': '256', 'srs': 'EPSG:3857', 'styles': 'rfh', 'layers': 'rfh_dekad_pr', 'bbox': '11153691.16737292,6183449.840157617,11192826.925854929,6222585.59863963', 'referer': None, 'origin': None, 'requestid': None, 'host': '***', 'url_root': '***'},) kwargs: {}
ows      | [2020-08-25 17:06:05,503] root [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] __init__ args: (<datacube_ows.data.DataStacker object at 0x7fbeb1a6e438>, <datacube_ows.ows_configuration.OWSProductLayer object at 0x7fbec7570c88>, GeoBox(256, 256, Affine(152.87405657034833, 0.0, 11153691.16737292,
ows      |        0.0, -152.87405657036288, 6222585.59863963), EPSG:3857), [datetime.date(2020, 6, 1)], <Resampling.nearest: 0>) kwargs: {'style': <datacube_ows.styles.ramp.ColorRampDef object at 0x7fbeb30e66a0>}
ows      | [2020-08-25 17:06:05,503] root [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] datasets args: (<datacube_ows.data.DataStacker object at 0x7fbeb1a6e438>, Index<db=PostgresDb<engine=Engine(postgresql://postgres:***@***.com:5432/datacube)>>) kwargs: {'mode': <MVSelectOpts.COUNT: 2>}
ows      | [2020-08-25 17:06:05,550] root [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] datasets args: (<datacube_ows.data.DataStacker object at 0x7fbeb1a6e438>, Index<db=PostgresDb<engine=Engine(postgresql://postgres:***@***.com:5432/datacube)>>) kwargs: {}
ows      | [2020-08-25 17:06:05,613] datacube_ows.data [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] load start 17:06:05.613807 None
ows      | [2020-08-25 17:06:05,614] root [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] data args: (<datacube_ows.data.DataStacker object at 0x7fbeb1a6e438>, <xarray.DataArray (time: 1)>
ows      | array([(Dataset <id=12b1546d-7c8f-4a9f-957d-3d7c59b5272b product=rfh_dekad_pr location=s3://***l>,)],
ows      |       dtype=object)
ows      | Coordinates:
ows      |   * time     (time) datetime64[ns] 2020-06-01) kwargs: {'manual_merge': False, 'fuse_func': None}
ows      | [2020-08-25 17:06:05,615] root [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] read_data args: (<datacube_ows.data.DataStacker object at 0x7fbeb1a6e438>, <xarray.DataArray (time: 1)>
ows      | array([(Dataset <id=12b1546d-7c8f-4a9f-957d-3d7c59b5272b product=rfh_dekad_pr location=s3://***l>,)],
ows      |       dtype=object)
ows      | Coordinates:
ows      |   * time     (time) datetime64[ns] 2020-06-01, OrderedDict([('band', Measurement({'name': 'band', 'dtype': 'int16', 'units': '1', 'nodata': -9999}))]), GeoBox(256, 256, Affine(152.87405657034833, 0.0, 11153691.16737292,
ows      |        0.0, -152.87405657036288, 6222585.59863963), EPSG:3857), <Resampling.nearest: 0>) kwargs: {'fuse_func': None}
ows      | [2020-08-25 17:06:05,640] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
ows      | [2020-08-25 17:06:05,643] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from before-call.apigateway to before-call.api-gateway
ows      | [2020-08-25 17:06:05,644] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
ows      | [2020-08-25 17:06:05,647] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
ows      | [2020-08-25 17:06:05,647] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
ows      | [2020-08-25 17:06:05,648] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
ows      | [2020-08-25 17:06:05,649] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
ows      | [2020-08-25 17:06:05,652] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
ows      | [2020-08-25 17:06:05,653] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
ows      | [2020-08-25 17:06:05,653] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
ows      | [2020-08-25 17:06:05,654] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
ows      | [2020-08-25 17:06:05,655] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
ows      | [2020-08-25 17:06:05,657] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from before-call.apigateway to before-call.api-gateway
ows      | [2020-08-25 17:06:05,658] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
ows      | [2020-08-25 17:06:05,661] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
ows      | [2020-08-25 17:06:05,661] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
ows      | [2020-08-25 17:06:05,662] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
ows      | [2020-08-25 17:06:05,663] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
ows      | [2020-08-25 17:06:05,666] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
ows      | [2020-08-25 17:06:05,667] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
ows      | [2020-08-25 17:06:05,667] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
ows      | [2020-08-25 17:06:05,667] botocore.hooks [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
ows      | [2020-08-25 17:06:05,668] botocore.session [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Setting config variable for region to 'eu-central-1'
ows      | [2020-08-25 17:06:05,671] botocore.credentials [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Looking for credentials via: env
ows      | [2020-08-25 17:06:05,671] botocore.credentials [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Looking for credentials via: assume-role
ows      | [2020-08-25 17:06:05,671] botocore.credentials [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Looking for credentials via: assume-role-with-web-identity
ows      | [2020-08-25 17:06:05,672] botocore.credentials [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Looking for credentials via: sso
ows      | [2020-08-25 17:06:05,672] botocore.credentials [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Looking for credentials via: shared-credentials-file
ows      | [2020-08-25 17:06:05,672] botocore.credentials [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Looking for credentials via: custom-process
ows      | [2020-08-25 17:06:05,672] botocore.credentials [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Looking for credentials via: config-file
ows      | [2020-08-25 17:06:05,673] botocore.credentials [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Looking for credentials via: ec2-credentials-file
ows      | [2020-08-25 17:06:05,673] botocore.credentials [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Looking for credentials via: boto-config
ows      | [2020-08-25 17:06:05,673] botocore.credentials [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Looking for credentials via: container-role
ows      | [2020-08-25 17:06:05,674] botocore.credentials [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Looking for credentials via: iam-role
ows      | [2020-08-25 17:06:05,674] urllib3.connectionpool [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Starting new HTTP connection (1): 169.254.169.254:80
ows      | [2020-08-25 17:06:06,677] urllib3.connectionpool [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Starting new HTTP connection (2): 169.254.169.254:80
ows      | [2020-08-25 17:06:06,679] urllib3.connectionpool [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] http://169.254.169.254:80 "GET /latest/meta-data/iam/security-credentials/ HTTP/1.1" 404 339
ows      | [2020-08-25 17:06:06,680] botocore.utils [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Metadata service returned non-200 response with status code of 404 for url: http://169.254.169.254/latest/meta-data/iam/security-credentials/, content body: b'<?xml version="1.0" encoding="iso-8859-1"?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\n\t\t "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">\n <head>\n  <title>404 - Not Found</title>\n </head>\n <body>\n  <h1>404 - Not Found</h1>\n </body>\n</html>\n'
ows      | [2020-08-25 17:06:06,680] botocore.utils [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Max number of attempts exceeded (1) when attempting to retrieve data from metadata service.
ows      | [2020-08-25 17:06:06,681] rasterio.env [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Entering env context: <rasterio.env.Env object at 0x7fbeb2e403c8>
ows      | [2020-08-25 17:06:06,681] rasterio.env [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Starting outermost env
ows      | [2020-08-25 17:06:06,681] rasterio.env [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] No GDAL environment exists
ows      | [2020-08-25 17:06:06,681] rasterio.env [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] New GDAL environment <rasterio._env.GDALEnv object at 0x7fbeb1dde518> created
ows      | [2020-08-25 17:06:06,682] rasterio._env [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] GDAL data files are available at built-in paths
ows      | [2020-08-25 17:06:06,683] rasterio._env [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] PROJ data files are available at built-in paths
ows      | [2020-08-25 17:06:06,683] rasterio._env [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Started GDALEnv <rasterio._env.GDALEnv object at 0x7fbeb1dde518>.
ows      | [2020-08-25 17:06:06,683] rasterio.env [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] Entered env context: <rasterio.env.Env object at 0x7fbeb2e403c8>
ows      | [2020-08-25 17:06:06,684] datacube.storage._rio [d8a43d09-e232-4a70-ac09-d96a8946a26d] [DEBUG] opening s3://***.tif
... 

[SpacemanPaul]

Val, I think this was fixed in #357 So try 1.8.1. Thanks.

[valpesendorfer]

thanks @SpacemanPaul - I've pulled the most recent master and re-built the image, but it still shows the same version. Where do I get 1.8.1?

[SpacemanPaul]

Sounds like the autoversioning might be broken - I'll take a look. In the meantime, most recent master should address this issue though.

Autoversioning relies on setup.py, so version will only be correct when installed via setup (or pip when we start publishing to PyPI). See #395

[valpesendorfer]

After pulling the most recent master, I've tried running it with an image built from the Dockerfile that's in the repo root (which seems to be using the local pull and run the pip install on that) and with the built images from the dockerhub with the latest tag, just as specified in the docker-compose.yaml file.

In both cases, the rasterio seems to be looking for credentials even with the AWS_NO_SIGN_REQUEST env variable set. In my case, I have attached a role which can read from S3, so it'll use credentials from there. If I detach the role, it'll just fail to retrieve the credentials (still trying) and read the image anyways, since it's public.

Here's what's happening for every request with AWS_NO_SIGN_REQUEST=TRUE:

ows      | [2020-08-27 09:12:38,325] botocore.session [ce7e5098-f929-4d5b-893f-b3ffcb2e22ec] [DEBUG] Setting config variable for region to 'eu-central-1'
ows      | [2020-08-27 09:12:38,333] botocore.credentials [ce7e5098-f929-4d5b-893f-b3ffcb2e22ec] [DEBUG] Looking for credentials via: env
ows      | [2020-08-27 09:12:38,334] botocore.credentials [ce7e5098-f929-4d5b-893f-b3ffcb2e22ec] [DEBUG] Looking for credentials via: assume-role
ows      | [2020-08-27 09:12:38,334] botocore.credentials [ce7e5098-f929-4d5b-893f-b3ffcb2e22ec] [DEBUG] Looking for credentials via: assume-role-with-web-identity
ows      | [2020-08-27 09:12:38,334] botocore.credentials [ce7e5098-f929-4d5b-893f-b3ffcb2e22ec] [DEBUG] Looking for credentials via: sso
ows      | [2020-08-27 09:12:38,334] botocore.credentials [ce7e5098-f929-4d5b-893f-b3ffcb2e22ec] [DEBUG] Looking for credentials via: shared-credentials-file
ows      | [2020-08-27 09:12:38,342] botocore.credentials [ce7e5098-f929-4d5b-893f-b3ffcb2e22ec] [DEBUG] Looking for credentials via: custom-process
ows      | [2020-08-27 09:12:38,347] botocore.credentials [ce7e5098-f929-4d5b-893f-b3ffcb2e22ec] [DEBUG] Looking for credentials via: config-file
ows      | [2020-08-27 09:12:38,360] botocore.credentials [ce7e5098-f929-4d5b-893f-b3ffcb2e22ec] [DEBUG] Looking for credentials via: ec2-credentials-file
ows      | [2020-08-27 09:12:38,361] botocore.credentials [ce7e5098-f929-4d5b-893f-b3ffcb2e22ec] [DEBUG] Looking for credentials via: boto-config
ows      | [2020-08-27 09:12:38,362] botocore.credentials [ce7e5098-f929-4d5b-893f-b3ffcb2e22ec] [DEBUG] Looking for credentials via: container-role
ows      | [2020-08-27 09:12:38,362] botocore.credentials [ce7e5098-f929-4d5b-893f-b3ffcb2e22ec] [DEBUG] Looking for credentials via: iam-role
ows      | [2020-08-27 09:12:38,364] urllib3.connectionpool [ce7e5098-f929-4d5b-893f-b3ffcb2e22ec] [DEBUG] Starting new HTTP connection (1): 169.254.169.254:80

I can't think of any thing that I can still change to make that work :thinking:

[SpacemanPaul]

Do you have AWS_DEFAULT_REGION set?

Nevermind, you said:

AWS_DEFAULT_REGION=eu-central-1
AWS_NO_SIGN_REQUEST=TRUE

[SpacemanPaul]

On the one hand, things are behaving as expected - unsigned requests is the supposed to be the default, so setting AWS_NO_SIGN_REQUEST to any non-blank value should be the same as not having it set.

I am using a deprecated core API to configure S3 access though. I'll cutover to the new one and see if that helps.

[Kirill888]

Looks like this issue got "unfixed" https://github.com/mapbox/rasterio/issues/1637

[SpacemanPaul]

As @Kirill888 notes, this appears to be a rasterio bug.

[Kirill888]

@valpesendorfer work around is to setup fake credentials, rasterio won't pass them on to GDAL since unsigned is used, but it will stop it from attempting to get STS from IAM.

[SpacemanPaul]

I'm going to try writing that workaround into OWS.

[SpacemanPaul]

@valpesendorfer Can you please try with the unsigned_s3_access branch? It sets fake credentials if AWS_NO_SIGN_REQUEST is set.

[valpesendorfer]

@SpacemanPaul unsigned_s3_access works!

Log is now:

ows      | [2020-08-28 07:02:30,988] botocore.session [c7ae1a41-8e37-4448-84f0-f2cb1e9c17f3] [DEBUG] Setting config variable for region to 'eu-central-1'
ows      | [2020-08-28 07:02:30,996] botocore.credentials [c7ae1a41-8e37-4448-84f0-f2cb1e9c17f3] [DEBUG] Looking for credentials via: env
ows      | [2020-08-28 07:02:30,997] botocore.credentials [c7ae1a41-8e37-4448-84f0-f2cb1e9c17f3] [INFO] Found credentials in environment variables.

[SpacemanPaul]

Cool - thanks for verifying. Like I said, we don't have a lot of users using private buckets, but we try to support them.

[valpesendorfer]

I understand, but don't you need signed requests to get requester pays working?

Using your branch unsigned_s3_access fixes the issue with requesting credentials even when the requests are supposed to be unsigned. But it also breaks the option of sending signed requests, by hard coding unsigned=True here in line 77:

 credentials = configure_s3_access(aws_unsigned=True)

Is there any specific reason you switched from set_default_rio_config to configure_s3_access?

I've had some issues with using signed requests as a result of how the flag is handled by ogc.py (where it's the default) and how the actual env variable is handled by gdal. When you set the variable to any non empty string, it'll set unsigned to True, at least using the current master. But that does not necessarily reflect the same effect for gdal where an empty string is the same as setting it to True. To actually send a signed request, the env variable needs to be missing or set to a False value. It can't be missing or set to FALSE/NO, because that would set it to True in ogc.py (at least in the current master). I hope you see the vicious circle developing which I inevitably ended up being trapped in.

To fix this, I modified your code in unsigned_s3_access a bit, determining if the user wants a signed / unsigned request (still keeping the unsigned as the de-facto default), if it's signed force setting the env variable to NO to comply with requirements for gdal, and if unsigned using the fake credentials to prevent the attempt to retrieve credentials from IAM. The setup is then again passed to set_default_rio_config which works fine for me. This way both signed and unsigned requests can be made successfully and efficiently. I'll share a PR if you want to have a look at it.

[SpacemanPaul]

Thanks Val. I will aim to get this issue resolved this week, but I have a couple of higher priorities to knock over first.

[SpacemanPaul]

Fixed in #404