You’ve hit two OVH‑specific quirks that Proxmox Backup Server’s S3 client can handle, plus one hard mismatch that explains the 501.
First, the 501 Not Implemented during “access time safety check” happens because PBS writes a tiny marker object (that name‑partition/.inuse you saw) using a conditional PUT with the If‑None‑Match header. OVH’s Swift‑based S3 layer does not implement that conditional header in all regions, so the server answers 501. PBS 4 added a provider quirk for exactly this: tell PBS to skip that header for this endpoint. In the UI, edit the S3 endpoint and enable the advanced option “Skip If‑None‑Match header”. Via CLI, recreate or update your endpoint with the quirk:
After that, run a quick sanity check:
This quirk maps 1:1 to the documented flag and resolves the 501 on OVH (and other partial S3 providers).
Second, about URLs and bucket style. PBS supports both virtual‑hosted style and path style. OVH recommends and supports virtual‑hosted style, and PBS prefers that too; only use “path style” if you must. In PBS, leave “Path style” off unless you run into DNS or certificate issues with dotted bucket names. The official PBS docs call this out, and the manpage exposes the --path-style toggle if you’re using CLI.
Third, regions. OVH’s current S3 endpoint pattern is
https://s3.<region>.io.cloud.ovh.net and the region string must match OVH’s region naming, for example gra, sbg, waw, lon, lim, or the longer US ones like us-east-va. Those meet PBS’s minimum length requirement. If you tried to use a two‑letter alias like de, PBS’s UI rejects it because it enforces a minimum of 3 characters for “Region”, and even if it didn’t, request signing can go wrong with the wrong region string. The most reliable path is to use your bucket’s actual region code from the OVH manager and the matching endpoint, for example s3.gra.io.cloud.ovh.net with region gra. OVH’s own guides document the endpoint pattern and region names, and Proxmox staff have validated similar S3 setups using the region code in the vhost endpoint without path style.
Putting this together in PBS with the GUI. Create the S3 endpoint under Configuration → Remotes → S3 Endpoints as follows. Set Endpoint to s3.<your-region>.io.cloud.ovh.net. Set Region to the same region code, all lowercase, with at least 3 characters (for example gra). Keep Path Style off. Expand Advanced and enable “Skip If‑None‑Match header”. Save, then add your datastore pointing at that endpoint, your bucket name, and a store prefix such as your datastore name. The storage guide and CLI manpage show the same knobs if you prefer commands.
Why your exact error occurs. During the datastore open, PBS writes an .inuse marker using a conditional PUT. OVH returns 501 to that header combination, which PBS reports as “access time safety check failed”. Enabling the quirk moves PBS to an unconditional create, which OVH accepts. A recent PBS forum thread confirms this precise fix for 501 on S3‑compatible providers, and another thread analyzes the If‑None‑Match behavior specifically on OVH Object Storage.
If you still see errors after setting the quirk, double‑check the two common gotchas. Ensure the endpoint and region match the bucket’s region as per OVH, and avoid path style unless required by your DNS/cert situation. Both mismatches can manifest as signing or 400/501 errors.
If you want, paste the redacted output of
and I’ll sanity‑check the exact values.
