chore(skills): add repository-local workflow skills (#2190)

Signed-off-by: likewu <likewu@126.com>
Signed-off-by: houseme <housemecn@gmail.com>
Co-authored-by: likewu <likewu@126.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: houseme <4829346+houseme@users.noreply.github.com>
Co-authored-by: houseme <housemecn@gmail.com>

.agents/skills/code-change-verification/SKILL.md

@@ -0,0 +1,78 @@
+---
+name: code-change-verification
+description: Verify code changes by identifying correctness, regression, security, and performance risks from diffs or patches, then produce prioritized findings with file/line evidence and concrete fixes. Use when reviewing commits, PRs, and merged patches before/after release.
+---
+
+# Code Change Verification
+
+Use this skill to review code changes consistently before merge, before release, and during incident follow-up.
+
+## Quick Start
+
+1. Read the scope: commit, PR, patch, or file list.
+2. Map each changed area by risk and user impact.
+3. Inspect each risky change in context.
+4. Report findings first, ordered by severity.
+5. Close with residual risks and verification recommendations.
+
+## Core Workflow
+
+### 1) Scope and assumptions
+- Confirm change source (diff, commit, PR, files), target branch, language/runtime, and version.
+- If context is missing, state assumptions before deeper analysis.
+- Focus only on requested scope; avoid reviewing unrelated files.
+
+### 2) Risk map
+- Prioritize in this order:
+  - Data correctness and user-visible behavior
+  - API/contract compatibility
+  - Security and authz/authn boundaries
+  - Concurrency and lifecycle correctness
+  - Performance and resource usage
+- Give higher priority to stateful paths, migration logic, defaults, and error handling.
+
+### 3) Evidence-based inspection
+- Read each modified hunk with neighboring context.
+- Trace call paths and call-site expectations.
+- Check for:
+  - invariant breaks and missing guards
+  - unchecked assumptions and null/empty/error-path handling
+  - stale tests, fixtures, and configs
+  - hidden coupling to shared helpers/constants/features
+- If a point is uncertain, mark it as an open question instead of guessing.
+
+### 4) Findings-first output
+- Order findings by severity:
+  - P0: critical failure, security breach, or data loss risk
+  - P1: high-impact regression
+  - P2: medium risk correctness gap
+  - P3: low risk/quality debt
+- For each finding include:
+  - Severity
+  - `path:line` reference
+  - concise issue statement
+  - impact and likely failure mode
+  - specific fix or mitigation
+  - validation step to confirm
+- If no issues exist, explicitly state `No findings` and why.
+
+### 5) Close
+- Report assumptions and unknowns.
+- Suggest targeted checks (tests, canary checks, logs/metrics, migration validation).
+
+## Output Template
+
+1. Findings
+2. No findings (if applicable)
+3. Assumptions / Unknowns
+4. Recommended verification steps
+
+## Finding Template
+
+- `[P1] Missing timeout for downstream call`
+  - Location: `path/to/file.rs:123`
+  - Issue: ...
+  - Impact: ...
+  - Fix suggestion: ...
+  - Validation: ...
+

.agents/skills/code-change-verification/agents/openai.yaml

@@ -0,0 +1,4 @@
+interface:
+  display_name: "Code Change Verification"
+  short_description: "Prioritize risks and verify code changes before merge."
+  default_prompt: "Inspect a patch or diff, identify correctness/security/regression risks, and return prioritized findings with file/line evidence and fixes."

.agents/skills/pr-creation-checker/SKILL.md

@@ -0,0 +1,88 @@
+---
+name: pr-creation-checker
+description: Prepare PR-ready diffs by validating scope, checking required verification steps, drafting a compliant English PR title/body, and surfacing blockers before opening or updating a pull request in RustFS.
+---
+
+# PR Creation Checker
+
+Use this skill before `gh pr create`, before `gh pr edit`, or when reviewing whether a branch is ready for PR.
+
+## Read sources of truth first
+
+- Read `AGENTS.md`.
+- Read `.github/pull_request_template.md`.
+- Use `Makefile` and `.config/make/` for local quality commands.
+- Use `.github/workflows/ci.yml` for CI expectations.
+- Do not restate long command matrices or template sections from memory when the files exist.
+
+## Workflow
+
+1. Collect PR context
+- Confirm base branch, current branch, change goal, and scope.
+- Confirm whether the task is: draft a new PR, update an existing PR, or preflight-check readiness.
+- Confirm whether the branch includes only intended changes.
+
+2. Inspect change scope
+- Review the diff and summarize what changed.
+- Call out unrelated edits, generated artifacts, logs, or secrets as blockers.
+- Mark risky areas explicitly: auth, storage, config, network, migrations, breaking changes.
+
+3. Verify readiness requirements
+- Require `make pre-commit` before marking the PR ready.
+- If `make` is unavailable, use the equivalent commands from `.config/make/`.
+- Add scope-specific verification commands when the changed area needs more than the baseline.
+- If required checks fail, stop and return `BLOCKED`.
+
+4. Draft PR metadata
+- Write the PR title in English using Conventional Commits and keep it within 72 characters.
+- If a generic PR workflow suggests a different title format, ignore it and follow the repository rule instead.
+- In RustFS, do not use tool-specific prefixes such as `[codex]` when the repository requires Conventional Commits.
+- Keep the PR body in English.
+- Use the exact section headings from `.github/pull_request_template.md`.
+- Fill non-applicable sections with `N/A`.
+- Include verification commands in the PR description.
+- Do not include local filesystem paths in the PR body unless the user explicitly asks for them.
+- Prefer repo-relative paths, command names, and concise summaries over machine-specific paths such as `/Users/...`.
+
+5. Prepare reviewer context
+- Summarize why the change exists.
+- Summarize what was verified.
+- Call out risks, rollout notes, config impact, and rollback notes when applicable.
+- Mention assumptions or missing context instead of guessing.
+
+6. Prepare CLI-safe output
+- When proposing `gh pr create` or `gh pr edit`, use `--body-file`, never inline `--body` for multiline markdown.
+- Return a ready-to-save PR body plus a short title.
+- If not ready, return blockers first and list the minimum steps needed to unblock.
+
+## Output format
+
+### Status
+- `READY` or `BLOCKED`
+
+### Title
+- `<type>(<scope>): <summary>`
+
+### PR Body
+- Reproduce the repository template headings exactly.
+- Fill every section.
+- Omit local absolute paths unless explicitly required.
+
+### Verification
+- List each command run.
+- State pass/fail.
+
+### Risks
+- List breaking changes, config changes, migration impact, or `N/A`.
+
+## Blocker rules
+
+- Return `BLOCKED` if `make pre-commit` has not passed.
+- Return `BLOCKED` if the diff contains unrelated changes that are not acknowledged.
+- Return `BLOCKED` if required template sections are missing.
+- Return `BLOCKED` if the title/body is not in English.
+- Return `BLOCKED` if the title does not follow the repository's Conventional Commit rule.
+
+## Reference
+
+- Use [pr-readiness-checklist.md](references/pr-readiness-checklist.md) for a short final pass before opening or editing the PR.

.agents/skills/pr-creation-checker/agents/openai.yaml

@@ -0,0 +1,4 @@
+interface:
+  display_name: "PR Creation Checker"
+  short_description: "Draft RustFS-ready PRs with checks, template, and blockers."
+  default_prompt: "Inspect a branch or diff, verify required PR checks, and produce a compliant English PR title/body plus blockers or readiness status."

.agents/skills/pr-creation-checker/references/pr-readiness-checklist.md

@@ -0,0 +1,14 @@
+# PR Readiness Checklist
+
+- Confirm the branch is based on current `main`.
+- Confirm the diff matches the stated scope.
+- Confirm no secrets, logs, temp files, or unrelated refactors are included.
+- Confirm `make pre-commit` passed, or document why it could not run.
+- Confirm extra verification commands are listed for risky changes.
+- Confirm the PR title uses Conventional Commits and stays within 72 characters.
+- Confirm the PR title does not use tool-specific prefixes such as `[codex]`.
+- Confirm the PR body is in English.
+- Confirm the PR body keeps the exact headings from `.github/pull_request_template.md`.
+- Confirm non-applicable sections are filled with `N/A`.
+- Confirm the PR body does not include local absolute paths unless explicitly required.
+- Confirm multiline GitHub CLI commands use `--body-file`.

.agents/skills/test-coverage-improver/SKILL.md

@@ -0,0 +1,66 @@
+---
+name: test-coverage-improver
+description: Run project coverage checks, rank high-risk gaps, and propose high-impact tests to improve regression confidence for changed and critical code paths before release.
+---
+
+# Test Coverage Improver
+
+Use this skill when you need a prioritized, risk-aware plan to improve tests from coverage results.
+
+## Usage assumptions
+- Focus scope is either changed lines/files, a module, or the whole repository.
+- Coverage artifact must be generated or provided in a supported format.
+- If required context is missing, call out assumptions explicitly before proposing work.
+
+## Workflow
+
+1. Define scope and baseline
+   - Confirm target language, framework, and branch.
+   - Confirm whether the scope is changed files only or full-repo.
+
+2. Produce coverage snapshot
+   - Rust: `cargo llvm-cov` (or `cargo tarpaulin`) with existing repo config.
+   - JavaScript/TypeScript: `npm test -- --coverage` and read `coverage/coverage-final.json`.
+   - Python: `pytest --cov=<pkg> --cov-report=json` and read `coverage.json`.
+   - Collect total, per-file, and changed-line coverage.
+
+3. Rank highest-risk gaps
+   - Prioritize changed code, branch coverage gaps, and low-confidence boundaries.
+   - Apply the risk rubric in [coverage-prioritization.md](references/coverage-prioritization.md).
+   - Keep shortlist to 5–8 gaps.
+   - For each gap, capture: file, lines, uncovered branches, and estimated risk score.
+
+4. Propose high-impact tests
+   - For each shortlisted gap, output:
+     - Intent and expected behavior.
+     - Normal, edge, and failure scenarios.
+     - Assertions and side effects to verify.
+     - Setup needs (fixtures, mocks, integration dependencies).
+     - Estimated effort (`S/M/L`).
+
+5. Close with validation plan
+   - State which gaps remain after proposals.
+   - Provide concrete verification command and acceptance threshold.
+   - List assumptions or blockers (environment, fixtures, flaky dependencies).
+
+## Output template
+
+### Coverage Snapshot
+- total / branch coverage
+- changed-file coverage
+- top missing regions by size
+
+### Top Gaps (ranked)
+- `path:line-range` | risk score | why critical
+
+### Test Proposals
+- `path:line-range`
+  - Test name
+  - scenarios
+  - assertions
+  - effort
+
+### Validation Plan
+- command
+- pass criteria
+- remaining risk

.agents/skills/test-coverage-improver/agents/openai.yaml

@@ -0,0 +1,4 @@
+interface:
+  display_name: "Test Coverage Improver"
+  short_description: "Find top uncovered risk areas and propose high-impact tests."
+  default_prompt: "Run coverage checks, identify largest gaps, and recommend highest-impact test cases to improve risk coverage."

.agents/skills/test-coverage-improver/references/coverage-prioritization.md

@@ -0,0 +1,25 @@
+# Coverage Gap Prioritization Guide
+
+Use this rubric for each uncovered area.
+
+Score = (Criticality × 2) + CoverageDebt + (Volatility × 0.5)
+
+- Criticality:
+  - 5: authz/authn, data-loss, payment/consistency path
+  - 4: state mutation, cache invalidation, scheduling
+  - 3: error handling + fallbacks in user-visible flows
+  - 2: parsing/format conversion paths
+  - 1: logging-only or low-impact utilities
+
+- CoverageDebt:
+  - 0: 0–5 uncovered lines
+  - 1: 6–20 uncovered lines
+  - 2: 21–40 uncovered lines
+  - 3: 41+ uncovered lines
+
+- Volatility:
+  - 1: stable legacy code with few recent edits
+  - 2: changed in last 2 releases
+  - 3: touched in last 30 days or currently in active PR
+
+Sort by score descending, then by business impact.

.config/make/build-docker-buildx-dev.mak

@@ -0,0 +1,64 @@
+## —— Development/Source builds using direct buildx commands ---------------------------------------
+
+.PHONY: docker-dev
+docker-dev: ## Build dev multi-arch image (cannot load locally)
+	@echo "🏗️ Building multi-architecture development Docker images with buildx..."
+	@echo "💡 This builds from source code and is intended for local development and testing"
+	@echo "⚠️  Multi-arch images cannot be loaded locally, use docker-dev-push to push to registry"
+	$(DOCKER_CLI) buildx build \
+		--platform linux/amd64,linux/arm64 \
+		--file $(DOCKERFILE_SOURCE) \
+		--tag rustfs:source-latest \
+		--tag rustfs:dev-latest \
+		.
+
+.PHONY: docker-dev-local
+docker-dev-local: ## Build dev single-arch image (local load)
+	@echo "🏗️ Building single-architecture development Docker image for local use..."
+	@echo "💡 This builds from source code for the current platform and loads locally"
+	$(DOCKER_CLI) buildx build \
+		--file $(DOCKERFILE_SOURCE) \
+		--tag rustfs:source-latest \
+		--tag rustfs:dev-latest \
+		--load \
+		.
+
+.PHONY: docker-dev-push
+docker-dev-push: ## Build and push multi-arch development image # e.g (make docker-dev-push REGISTRY=xxx)
+	@if [ -z "$(REGISTRY)" ]; then \
+		echo "❌ Error: Please specify registry, example: make docker-dev-push REGISTRY=ghcr.io/username"; \
+		exit 1; \
+	fi
+	@echo "🚀 Building and pushing multi-architecture development Docker images..."
+	@echo "💡 Pushing to registry: $(REGISTRY)"
+	$(DOCKER_CLI) buildx build \
+		--platform linux/amd64,linux/arm64 \
+		--file $(DOCKERFILE_SOURCE) \
+		--tag $(REGISTRY)/rustfs:source-latest \
+		--tag $(REGISTRY)/rustfs:dev-latest \
+		--push \
+		.
+
+.PHONY: dev-env-start
+dev-env-start: ## Start development container environment
+	@echo "🚀 Starting development environment..."
+	$(DOCKER_CLI) buildx build \
+		--file $(DOCKERFILE_SOURCE) \
+		--tag rustfs:dev \
+		--load \
+		.
+	$(DOCKER_CLI) stop $(CONTAINER_NAME) 2>/dev/null || true
+	$(DOCKER_CLI) rm $(CONTAINER_NAME) 2>/dev/null || true
+	$(DOCKER_CLI) run -d --name $(CONTAINER_NAME) \
+		-p 9010:9010 -p 9000:9000 \
+		-v $(shell pwd):/workspace \
+		-it rustfs:dev
+
+.PHONY: dev-env-stop
+dev-env-stop: ## Stop development container environment
+	@echo "🛑 Stopping development environment..."
+	$(DOCKER_CLI) stop $(CONTAINER_NAME) 2>/dev/null || true
+	$(DOCKER_CLI) rm $(CONTAINER_NAME) 2>/dev/null || true
+
+.PHONY: dev-env-restart
+dev-env-restart: dev-env-stop dev-env-start ## Restart development container environment

.config/make/build-docker-buildx-production.mak

@@ -0,0 +1,41 @@
+## —— Production builds using docker buildx (for CI/CD and production) -----------------------------
+
+.PHONY: docker-buildx
+docker-buildx: ## Build production multi-arch image (no push)
+	@echo "🏗️ Building multi-architecture production Docker images with buildx..."
+	./docker-buildx.sh
+
+.PHONY: docker-buildx-push
+docker-buildx-push: ## Build and push production multi-arch image
+	@echo "🚀 Building and pushing multi-architecture production Docker images with buildx..."
+	./docker-buildx.sh --push
+
+.PHONY: docker-buildx-version
+docker-buildx-version: ## Build and version production multi-arch image # e.g (make docker-buildx-version VERSION=v1.0.0)
+	@if [ -z "$(VERSION)" ]; then \
+		echo "❌ Error: Please specify version, example: make docker-buildx-version VERSION=v1.0.0"; \
+		exit 1; \
+	fi
+	@echo "🏗️ Building multi-architecture production Docker images (version: $(VERSION))..."
+	./docker-buildx.sh --release $(VERSION)
+
+.PHONY: docker-buildx-push-version
+docker-buildx-push-version: ## Build and version and push production multi-arch image # e.g (make docker-buildx-push-version VERSION=v1.0.0)
+	@if [ -z "$(VERSION)" ]; then \
+		echo "❌ Error: Please specify version, example: make docker-buildx-push-version VERSION=v1.0.0"; \
+		exit 1; \
+	fi
+	@echo "🚀 Building and pushing multi-architecture production Docker images (version: $(VERSION))..."
+	./docker-buildx.sh --release $(VERSION) --push
+
+.PHONY: docker-buildx-production-local
+docker-buildx-production-local: ## Build production single-arch image locally
+	@echo "🏗️ Building single-architecture production Docker image locally..."
+	@echo "💡 Alternative to docker-buildx.sh for local testing"
+	$(DOCKER_CLI) buildx build \
+		--file $(DOCKERFILE_PRODUCTION) \
+		--tag rustfs:production-latest \
+		--tag rustfs:latest \
+		--load \
+		--build-arg RELEASE=latest \
+		.

.config/make/build-docker-production.mak

@@ -0,0 +1,16 @@
+## —— Single Architecture Docker Builds (Traditional) ----------------------------------------------
+
+.PHONY: docker-build-production
+docker-build-production: ## Build single-arch production image
+	@echo "🏗️ Building single-architecture production Docker image..."
+	@echo "💡 Consider using 'make docker-buildx-production-local' for multi-arch support"
+	$(DOCKER_CLI) build -f $(DOCKERFILE_PRODUCTION) -t rustfs:latest .
+
+.PHONY: docker-build-source
+docker-build-source: ## Build single-arch source image
+	@echo "🏗️ Building single-architecture source Docker image..."
+	@echo "💡 Consider using 'make docker-dev-local' for multi-arch support"
+	DOCKER_BUILDKIT=1 $(DOCKER_CLI) build \
+		--build-arg BUILDKIT_INLINE_CACHE=1 \
+		-f $(DOCKERFILE_SOURCE) -t rustfs:source .
+

.config/make/build-docker.mak

@@ -0,0 +1,22 @@
+## —— Docker-based build (alternative approach) ----------------------------------------------------
+
+# Usage: make BUILD_OS=ubuntu22.04 build-docker
+# Output: target/ubuntu22.04/release/rustfs
+
+.PHONY: build-docker
+build-docker: SOURCE_BUILD_IMAGE_NAME = rustfs-$(BUILD_OS):v1
+build-docker: SOURCE_BUILD_CONTAINER_NAME = rustfs-$(BUILD_OS)-build
+build-docker: BUILD_CMD = /root/.cargo/bin/cargo build --release --bin rustfs --target-dir /root/s3-rustfs/target/$(BUILD_OS)
+build-docker: ## Build using Docker container # e.g (make build-docker BUILD_OS=ubuntu22.04)
+	@echo "🐳 Building RustFS using Docker ($(BUILD_OS))..."
+	$(DOCKER_CLI) buildx build -t $(SOURCE_BUILD_IMAGE_NAME) -f $(DOCKERFILE_SOURCE) .
+	$(DOCKER_CLI) run --rm --name $(SOURCE_BUILD_CONTAINER_NAME) -v $(shell pwd):/root/s3-rustfs -it $(SOURCE_BUILD_IMAGE_NAME) $(BUILD_CMD)
+
+.PHONY: docker-inspect-multiarch
+docker-inspect-multiarch: ## Check image architecture support
+	@if [ -z "$(IMAGE)" ]; then \
+		echo "❌ Error: Please specify image, example: make docker-inspect-multiarch IMAGE=rustfs/rustfs:latest"; \
+		exit 1; \
+	fi
+	@echo "🔍 Inspecting multi-architecture image: $(IMAGE)"
+	docker buildx imagetools inspect $(IMAGE)

.config/make/build.mak

@@ -0,0 +1,55 @@
+## —— Local Native Build using build-rustfs.sh script (Recommended) --------------------------------
+
+.PHONY: build
+build: ## Build RustFS binary (includes console by default)
+	@echo "🔨 Building RustFS using build-rustfs.sh script..."
+	./build-rustfs.sh
+
+.PHONY: build-dev
+build-dev: ## Build RustFS in Development mode
+	@echo "🔨 Building RustFS in development mode..."
+	./build-rustfs.sh --dev
+
+.PHONY: build-musl
+build-musl: ## Build x86_64 musl version
+	@echo "🔨 Building rustfs for x86_64-unknown-linux-musl..."
+	@echo "💡 On macOS/Windows, use 'make build-docker' or 'make docker-dev' instead"
+	./build-rustfs.sh --platform x86_64-unknown-linux-musl
+
+.PHONY: build-gnu
+build-gnu: ## Build x86_64 GNU version
+	@echo "🔨 Building rustfs for x86_64-unknown-linux-gnu..."
+	@echo "💡 On macOS/Windows, use 'make build-docker' or 'make docker-dev' instead"
+	./build-rustfs.sh --platform x86_64-unknown-linux-gnu
+
+.PHONY: build-musl-arm64
+build-musl-arm64: ## Build aarch64 musl version
+	@echo "🔨 Building rustfs for aarch64-unknown-linux-musl..."
+	@echo "💡 On macOS/Windows, use 'make build-docker' or 'make docker-dev' instead"
+	./build-rustfs.sh --platform aarch64-unknown-linux-musl
+
+.PHONY: build-gnu-arm64
+build-gnu-arm64: ## Build aarch64 GNU version
+	@echo "🔨 Building rustfs for aarch64-unknown-linux-gnu..."
+	@echo "💡 On macOS/Windows, use 'make build-docker' or 'make docker-dev' instead"
+	./build-rustfs.sh --platform aarch64-unknown-linux-gnu
+
+
+.PHONY: build-cross-all
+build-cross-all: core-deps ## Build binaries for all architectures
+	@echo "🔧 Building all target architectures..."
+	@echo "💡 On macOS/Windows, use 'make docker-dev' for reliable multi-arch builds"
+	@echo "🔨 Generating protobuf code..."
+	cargo run --bin gproto || true
+
+	@echo "🔨 Building rustfs for x86_64-unknown-linux-musl..."
+	./build-rustfs.sh --platform x86_64-unknown-linux-musl
+
+	@echo "🔨 Building rustfs for x86_64-unknown-linux-gnu..."
+	./build-rustfs.sh --platform x86_64-unknown-linux-gnu
+
+	@echo "🔨 Building rustfs for aarch64-unknown-linux-musl..."
+	./build-rustfs.sh --platform aarch64-unknown-linux-musl
+
+	@echo "🔨 Building rustfs for aarch64-unknown-linux-gnu..."
+	./build-rustfs.sh --platform aarch64-unknown-linux-gnu

.config/make/check.mak

@@ -0,0 +1,24 @@
+## —— Check and Inform Dependencies ----------------------------------------------------------------
+
+# Fatal check
+# Checks all required dependencies and exits with error if not found
+# (e.g., cargo, rustfmt)
+check-%:
+	@command -v $* >/dev/null 2>&1 || { \
+		echo >&2 "❌ '$*' is not installed."; \
+		exit 1; \
+	}
+
+# Warning-only check
+# Checks for optional dependencies and issues a warning if not found
+# (e.g., cargo-nextest for enhanced testing)
+warn-%:
+	@command -v $* >/dev/null 2>&1 || { \
+		echo >&2 "⚠️ '$*' is not installed."; \
+	}
+
+# For checking dependencies use check-<dep-name> or warn-<dep-name>
+.PHONY: core-deps fmt-deps test-deps
+core-deps: check-cargo ## Check core dependencies
+fmt-deps: check-rustfmt ## Check lint and formatting dependencies
+test-deps: warn-cargo-nextest ## Check tests dependencies

.config/make/deploy.mak

@@ -0,0 +1,6 @@
+## —— Deploy using dev_deploy.sh script ------------------------------------------------------------
+
+.PHONY: deploy-dev
+deploy-dev: build-musl ## Deploy to dev server
+	@echo "🚀 Deploying to dev server: $${IP}"
+	./scripts/dev_deploy.sh $${IP}

.config/make/help.mak

@@ -0,0 +1,38 @@
+## —— Help, Help Build and Help Docker -------------------------------------------------------------
+
+
+.PHONY: help
+help: ## Shows This Help Menu
+	echo -e "$$HEADER"
+	grep -E '(^[a-zA-Z0-9_-]+:.*?## .*$$)|(^## )' $(MAKEFILE_LIST) | sed 's/^[^:]*://g' | awk 'BEGIN {FS = ":.*?## | #"} ; {printf "${cyan}%-30s${reset} ${white}%s${reset} ${green}%s${reset}\n", $$1, $$2, $$3}' | sed -e 's/\[36m##/\n[32m##/'
+
+.PHONY: help-build
+help-build: ## Shows RustFS build help
+	@echo ""
+	@echo "💡 build-rustfs.sh script provides more options, smart detection and binary verification"
+	@echo ""
+	@echo "🔧 Direct usage of build-rustfs.sh script:"
+	@echo ""
+	@echo "	./build-rustfs.sh --help                                # View script help"
+	@echo "	./build-rustfs.sh --no-console                          # Build without console resources"
+	@echo "	./build-rustfs.sh --force-console-update                # Force update console resources"
+	@echo "	./build-rustfs.sh --dev                                 # Development mode build"
+	@echo "	./build-rustfs.sh --sign                                # Sign binary files"
+	@echo "	./build-rustfs.sh --platform x86_64-unknown-linux-gnu   # Specify target platform"
+	@echo "	./build-rustfs.sh --skip-verification                   # Skip binary verification"
+	@echo ""
+
+.PHONY: help-docker
+help-docker: ## Shows docker environment and suggestion help
+	@echo ""
+	@echo "📋 Environment Variables:"
+	@echo "	REGISTRY                 Image registry address (required for push)"
+	@echo "	DOCKERHUB_USERNAME       Docker Hub username"
+	@echo "	DOCKERHUB_TOKEN          Docker Hub access token"
+	@echo "	GITHUB_TOKEN             GitHub access token"
+	@echo ""
+	@echo "💡 Suggestions:"
+	@echo "	Production use:          Use docker-buildx* commands (based on precompiled binaries)"
+	@echo "	Local development:       Use docker-dev* commands (build from source)"
+	@echo "	Development environment: Use dev-env-* commands to manage dev containers"
+	@echo ""

.config/make/lint-fmt.mak

@@ -0,0 +1,22 @@
+## —— Code quality and Formatting ------------------------------------------------------------------
+
+.PHONY: fmt
+fmt: core-deps fmt-deps ## Format code
+	@echo "🔧 Formatting code..."
+	cargo fmt --all
+
+.PHONY: fmt-check
+fmt-check: core-deps fmt-deps ## Check code formatting
+	@echo "📝 Checking code formatting..."
+	cargo fmt --all --check
+
+.PHONY: clippy-check
+clippy-check: core-deps ## Run clippy checks
+	@echo "🔍 Running clippy checks..."
+	cargo clippy --fix --allow-dirty
+	cargo clippy --all-targets --all-features -- -D warnings
+
+.PHONY: compilation-check
+compilation-check: core-deps ## Run compilation check
+	@echo "🔨 Running compilation check..."
+	cargo check --all-targets

.config/make/pre-commit.mak

@@ -0,0 +1,11 @@
+## —— Pre Commit Checks ----------------------------------------------------------------------------
+
+.PHONY: setup-hooks
+setup-hooks: ## Set up git hooks
+	@echo "🔧 Setting up git hooks..."
+	chmod +x .git/hooks/pre-commit
+	@echo "✅ Git hooks setup complete!"
+
+.PHONY: pre-commit
+pre-commit: fmt clippy-check compilation-check test ## Run pre-commit checks
+	@echo "✅ All pre-commit checks passed!"

.config/make/tests.mak

@@ -0,0 +1,22 @@
+## —— Tests and e2e test ---------------------------------------------------------------------------
+
+TEST_THREADS ?= 1
+
+.PHONY: test
+test: core-deps test-deps ## Run all tests
+	@echo "🧪 Running tests..."
+	@if command -v cargo-nextest >/dev/null 2>&1; then \
+		cargo nextest run --all --exclude e2e_test; \
+	else \
+		echo "ℹ️ cargo-nextest not found; falling back to 'cargo test'"; \
+		cargo test --workspace --exclude e2e_test -- --nocapture --test-threads="$(TEST_THREADS)"; \
+	fi
+	cargo test --all --doc
+
+.PHONY: e2e-server
+e2e-server: ## Run e2e-server tests
+	sh $(shell pwd)/scripts/run.sh
+
+.PHONY: probe-e2e
+probe-e2e: ## Probe e2e tests
+	sh $(shell pwd)/scripts/probe.sh

.cursorrules

@@ -1,910 +0,0 @@
-# RustFS Project Cursor Rules
-
-## ⚠️ CRITICAL DEVELOPMENT RULES ⚠️
-
-### 🚨 NEVER COMMIT DIRECTLY TO MASTER/MAIN BRANCH 🚨
-
-- **This is the most important rule - NEVER modify code directly on main or master branch**
-- **ALL CHANGES MUST GO THROUGH PULL REQUESTS - NO EXCEPTIONS**
-- **Always work on feature branches and use pull requests for all changes**
-- **Any direct commits to master/main branch are strictly forbidden**
-- **Pull requests are the ONLY way to merge code to main branch**
-- Before starting any development, always:
-  1. `git checkout main` (switch to main branch)
-  2. `git pull` (get latest changes)
-  3. `git checkout -b feat/your-feature-name` (create and switch to feature branch)
-  4. Make your changes on the feature branch
-  5. Commit and push to the feature branch
-  6. **Create a pull request for review - THIS IS MANDATORY**
-  7. **Wait for PR approval and merge through GitHub interface only**
-
-## Project Overview
-
-RustFS is a high-performance distributed object storage system written in Rust, compatible with S3 API. The project adopts a modular architecture, supporting erasure coding storage, multi-tenant management, observability, and other enterprise-level features.
-
-## Core Architecture Principles
-
-### 1. Modular Design
-
-- Project uses Cargo workspace structure, containing multiple independent crates
-- Core modules: `rustfs` (main service), `ecstore` (erasure coding storage), `common` (shared components)
-- Functional modules: `iam` (identity management), `madmin` (management interface), `crypto` (encryption), etc.
-- Tool modules: `cli` (command line tool), `crates/*` (utility libraries)
-
-### 2. Asynchronous Programming Pattern
-
-- Comprehensive use of `tokio` async runtime
-- Prioritize `async/await` syntax
-- Use `async-trait` for async methods in traits
-- Avoid blocking operations, use `spawn_blocking` when necessary
-
-### 3. Error Handling Strategy
-
-- **Use modular, type-safe error handling with `thiserror`**
-- Each module should define its own error type using `thiserror::Error` derive macro
-- Support error chains and context information through `#[from]` and `#[source]` attributes
-- Use `Result<T>` type aliases for consistency within each module
-- Error conversion between modules should use explicit `From` implementations
-- Follow the pattern: `pub type Result<T> = core::result::Result<T, Error>`
-- Use `#[error("description")]` attributes for clear error messages
-- Support error downcasting when needed through `other()` helper methods
-- Implement `Clone` for errors when required by the domain logic
-- **Current module error types:**
-  - `ecstore::error::StorageError` - Storage layer errors
-  - `ecstore::disk::error::DiskError` - Disk operation errors
-  - `iam::error::Error` - Identity and access management errors
-  - `policy::error::Error` - Policy-related errors
-  - `crypto::error::Error` - Cryptographic operation errors
-  - `filemeta::error::Error` - File metadata errors
-  - `rustfs::error::ApiError` - API layer errors
-  - Module-specific error types for specialized functionality
-
-## Code Style Guidelines
-
-### 1. Formatting Configuration
-
-```toml
-max_width = 130
-fn_call_width = 90
-single_line_let_else_max_width = 100
-```
-
-### 2. **🔧 MANDATORY Code Formatting Rules**
-
-**CRITICAL**: All code must be properly formatted before committing. This project enforces strict formatting standards to maintain code consistency and readability.
-
-#### Pre-commit Requirements (MANDATORY)
-
-Before every commit, you **MUST**:
-
-1. **Format your code**:
-
-   ```bash
-   cargo fmt --all
-   ```
-
-2. **Verify formatting**:
-
-   ```bash
-   cargo fmt --all --check
-   ```
-
-3. **Pass clippy checks**:
-
-   ```bash
-   cargo clippy --all-targets --all-features -- -D warnings
-   ```
-
-4. **Ensure compilation**:
-
-   ```bash
-   cargo check --all-targets
-   ```
-
-#### Quick Commands
-
-Use these convenient Makefile targets for common tasks:
-
-```bash
-# Format all code
-make fmt
-
-# Check if code is properly formatted
-make fmt-check
-
-# Run clippy checks
-make clippy
-
-# Run compilation check
-make check
-
-# Run tests
-make test
-
-# Run all pre-commit checks (format + clippy + check + test)
-make pre-commit
-
-# Setup git hooks (one-time setup)
-make setup-hooks
-```
-
-#### 🔒 Automated Pre-commit Hooks
-
-This project includes a pre-commit hook that automatically runs before each commit to ensure:
-
-- ✅ Code is properly formatted (`cargo fmt --all --check`)
-- ✅ No clippy warnings (`cargo clippy --all-targets --all-features -- -D warnings`)
-- ✅ Code compiles successfully (`cargo check --all-targets`)
-
-**Setting Up Pre-commit Hooks** (MANDATORY for all developers):
-
-Run this command once after cloning the repository:
-
-```bash
-make setup-hooks
-```
-
-Or manually:
-
-```bash
-chmod +x .git/hooks/pre-commit
-```
-
-#### 🚫 Commit Prevention
-
-If your code doesn't meet the formatting requirements, the pre-commit hook will:
-
-1. **Block the commit** and show clear error messages
-2. **Provide exact commands** to fix the issues
-3. **Guide you through** the resolution process
-
-Example output when formatting fails:
-
-```
-❌ Code formatting check failed!
-💡 Please run 'cargo fmt --all' to format your code before committing.
-
-🔧 Quick fix:
-   cargo fmt --all
-   git add .
-   git commit
-```
-
-### 3. Naming Conventions
-
-- Use `snake_case` for functions, variables, modules
-- Use `PascalCase` for types, traits, enums
-- Constants use `SCREAMING_SNAKE_CASE`
-- Global variables prefix `GLOBAL_`, e.g., `GLOBAL_Endpoints`
-- Use meaningful and descriptive names for variables, functions, and methods
-- Avoid meaningless names like `temp`, `data`, `foo`, `bar`, `test123`
-- Choose names that clearly express the purpose and intent
-
-### 4. Type Declaration Guidelines
-
-- **Prefer type inference over explicit type declarations** when the type is obvious from context
-- Let the Rust compiler infer types whenever possible to reduce verbosity and improve maintainability
-- Only specify types explicitly when:
-  - The type cannot be inferred by the compiler
-  - Explicit typing improves code clarity and readability
-  - Required for API boundaries (function signatures, public struct fields)
-  - Needed to resolve ambiguity between multiple possible types
-
-**Good examples (prefer these):**
-
-```rust
-// Compiler can infer the type
-let items = vec![1, 2, 3, 4];
-let config = Config::default();
-let result = process_data(&input);
-
-// Iterator chains with clear context
-let filtered: Vec<_> = items.iter().filter(|&&x| x > 2).collect();
-```
-
-**Avoid unnecessary explicit types:**
-
-```rust
-// Unnecessary - type is obvious
-let items: Vec<i32> = vec![1, 2, 3, 4];
-let config: Config = Config::default();
-let result: ProcessResult = process_data(&input);
-```
-
-**When explicit types are beneficial:**
-
-```rust
-// API boundaries - always specify types
-pub fn process_data(input: &[u8]) -> Result<ProcessResult, Error> { ... }
-
-// Ambiguous cases - explicit type needed
-let value: f64 = "3.14".parse().unwrap();
-
-// Complex generic types - explicit for clarity
-let cache: HashMap<String, Arc<Mutex<CacheEntry>>> = HashMap::new();
-```
-
-### 5. Documentation Comments
-
-- Public APIs must have documentation comments
-- Use `///` for documentation comments
-- Complex functions add `# Examples` and `# Parameters` descriptions
-- Error cases use `# Errors` descriptions
-- Always use English for all comments and documentation
-- Avoid meaningless comments like "debug 111" or placeholder text
-
-### 6. Import Guidelines
-
-- Standard library imports first
-- Third-party crate imports in the middle
-- Project internal imports last
-- Group `use` statements with blank lines between groups
-
-## Asynchronous Programming Guidelines
-
-### 1. Trait Definition
-
-```rust
-#[async_trait::async_trait]
-pub trait StorageAPI: Send + Sync {
-    async fn get_object(&self, bucket: &str, object: &str) -> Result<ObjectInfo>;
-}
-```
-
-### 2. Error Handling
-
-```rust
-// Use ? operator to propagate errors
-async fn example_function() -> Result<()> {
-    let data = read_file("path").await?;
-    process_data(data).await?;
-    Ok(())
-}
-```
-
-### 3. Concurrency Control
-
-- Use `Arc` and `Mutex`/`RwLock` for shared state management
-- Prioritize async locks from `tokio::sync`
-- Avoid holding locks for long periods
-
-## Logging and Tracing Guidelines
-
-### 1. Tracing Usage
-
-```rust
-#[tracing::instrument(skip(self, data))]
-async fn process_data(&self, data: &[u8]) -> Result<()> {
-    info!("Processing {} bytes", data.len());
-    // Implementation logic
-}
-```
-
-### 2. Log Levels
-
-- `error!`: System errors requiring immediate attention
-- `warn!`: Warning information that may affect functionality
-- `info!`: Important business information
-- `debug!`: Debug information for development use
-- `trace!`: Detailed execution paths
-
-### 3. Structured Logging
-
-```rust
-info!(
-    counter.rustfs_api_requests_total = 1_u64,
-    key_request_method = %request.method(),
-    key_request_uri_path = %request.uri().path(),
-    "API request processed"
-);
-```
-
-## Error Handling Guidelines
-
-### 1. Error Type Definition
-
-```rust
-// Use thiserror for module-specific error types
-#[derive(thiserror::Error, Debug)]
-pub enum MyError {
-    #[error("IO error: {0}")]
-    Io(#[from] std::io::Error),
-
-    #[error("Storage error: {0}")]
-    Storage(#[from] ecstore::error::StorageError),
-
-    #[error("Custom error: {message}")]
-    Custom { message: String },
-
-    #[error("File not found: {path}")]
-    FileNotFound { path: String },
-
-    #[error("Invalid configuration: {0}")]
-    InvalidConfig(String),
-}
-
-// Provide Result type alias for the module
-pub type Result<T> = core::result::Result<T, MyError>;
-```
-
-### 2. Error Helper Methods
-
-```rust
-impl MyError {
-    /// Create error from any compatible error type
-    pub fn other<E>(error: E) -> Self
-    where
-        E: Into<Box<dyn std::error::Error + Send + Sync>>,
-    {
-        MyError::Io(std::io::Error::other(error))
-    }
-}
-```
-
-### 3. Error Conversion Between Modules
-
-```rust
-// Convert between different module error types
-impl From<ecstore::error::StorageError> for MyError {
-    fn from(e: ecstore::error::StorageError) -> Self {
-        match e {
-            ecstore::error::StorageError::FileNotFound => {
-                MyError::FileNotFound { path: "unknown".to_string() }
-            }
-            _ => MyError::Storage(e),
-        }
-    }
-}
-
-// Provide reverse conversion when needed
-impl From<MyError> for ecstore::error::StorageError {
-    fn from(e: MyError) -> Self {
-        match e {
-            MyError::FileNotFound { .. } => ecstore::error::StorageError::FileNotFound,
-            MyError::Storage(e) => e,
-            _ => ecstore::error::StorageError::other(e),
-        }
-    }
-}
-```
-
-### 4. Error Context and Propagation
-
-```rust
-// Use ? operator for clean error propagation
-async fn example_function() -> Result<()> {
-    let data = read_file("path").await?;
-    process_data(data).await?;
-    Ok(())
-}
-
-// Add context to errors
-fn process_with_context(path: &str) -> Result<()> {
-    std::fs::read(path)
-        .map_err(|e| MyError::Custom {
-            message: format!("Failed to read {}: {}", path, e)
-        })?;
-    Ok(())
-}
-```
-
-### 5. API Error Conversion (S3 Example)
-
-```rust
-// Convert storage errors to API-specific errors
-use s3s::{S3Error, S3ErrorCode};
-
-#[derive(Debug)]
-pub struct ApiError {
-    pub code: S3ErrorCode,
-    pub message: String,
-    pub source: Option<Box<dyn std::error::Error + Send + Sync>>,
-}
-
-impl From<ecstore::error::StorageError> for ApiError {
-    fn from(err: ecstore::error::StorageError) -> Self {
-        let code = match &err {
-            ecstore::error::StorageError::BucketNotFound(_) => S3ErrorCode::NoSuchBucket,
-            ecstore::error::StorageError::ObjectNotFound(_, _) => S3ErrorCode::NoSuchKey,
-            ecstore::error::StorageError::BucketExists(_) => S3ErrorCode::BucketAlreadyExists,
-            ecstore::error::StorageError::InvalidArgument(_, _, _) => S3ErrorCode::InvalidArgument,
-            ecstore::error::StorageError::MethodNotAllowed => S3ErrorCode::MethodNotAllowed,
-            ecstore::error::StorageError::StorageFull => S3ErrorCode::ServiceUnavailable,
-            _ => S3ErrorCode::InternalError,
-        };
-
-        ApiError {
-            code,
-            message: err.to_string(),
-            source: Some(Box::new(err)),
-        }
-    }
-}
-
-impl From<ApiError> for S3Error {
-    fn from(err: ApiError) -> Self {
-        let mut s3e = S3Error::with_message(err.code, err.message);
-        if let Some(source) = err.source {
-            s3e.set_source(source);
-        }
-        s3e
-    }
-}
-```
-
-### 6. Error Handling Best Practices
-
-#### Pattern Matching and Error Classification
-
-```rust
-// Use pattern matching for specific error handling
-async fn handle_storage_operation() -> Result<()> {
-    match storage.get_object("bucket", "key").await {
-        Ok(object) => process_object(object),
-        Err(ecstore::error::StorageError::ObjectNotFound(bucket, key)) => {
-            warn!("Object not found: {}/{}", bucket, key);
-            create_default_object(bucket, key).await
-        }
-        Err(ecstore::error::StorageError::BucketNotFound(bucket)) => {
-            error!("Bucket not found: {}", bucket);
-            Err(MyError::Custom {
-                message: format!("Bucket {} does not exist", bucket)
-            })
-        }
-        Err(e) => {
-            error!("Storage operation failed: {}", e);
-            Err(MyError::Storage(e))
-        }
-    }
-}
-```
-
-#### Error Aggregation and Reporting
-
-```rust
-// Collect and report multiple errors
-pub fn validate_configuration(config: &Config) -> Result<()> {
-    let mut errors = Vec::new();
-
-    if config.bucket_name.is_empty() {
-        errors.push("Bucket name cannot be empty");
-    }
-
-    if config.region.is_empty() {
-        errors.push("Region must be specified");
-    }
-
-    if !errors.is_empty() {
-        return Err(MyError::Custom {
-            message: format!("Configuration validation failed: {}", errors.join(", "))
-        });
-    }
-
-    Ok(())
-}
-```
-
-#### Contextual Error Information
-
-```rust
-// Add operation context to errors
-#[tracing::instrument(skip(self))]
-async fn upload_file(&self, bucket: &str, key: &str, data: Vec<u8>) -> Result<()> {
-    self.storage
-        .put_object(bucket, key, data)
-        .await
-        .map_err(|e| MyError::Custom {
-            message: format!("Failed to upload {}/{}: {}", bucket, key, e)
-        })
-}
-```
-
-## Performance Optimization Guidelines
-
-### 1. Memory Management
-
-- Use `Bytes` instead of `Vec<u8>` for zero-copy operations
-- Avoid unnecessary cloning, use reference passing
-- Use `Arc` for sharing large objects
-
-### 2. Concurrency Optimization
-
-```rust
-// Use join_all for concurrent operations
-let futures = disks.iter().map(|disk| disk.operation());
-let results = join_all(futures).await;
-```
-
-### 3. Caching Strategy
-
-- Use `LazyLock` for global caching
-- Implement LRU cache to avoid memory leaks
-
-## Testing Guidelines
-
-### 1. Unit Tests
-
-```rust
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use test_case::test_case;
-
-    #[tokio::test]
-    async fn test_async_function() {
-        let result = async_function().await;
-        assert!(result.is_ok());
-    }
-
-    #[test_case("input1", "expected1")]
-    #[test_case("input2", "expected2")]
-    fn test_with_cases(input: &str, expected: &str) {
-        assert_eq!(function(input), expected);
-    }
-
-    #[test]
-    fn test_error_conversion() {
-        use ecstore::error::StorageError;
-
-        let storage_err = StorageError::BucketNotFound("test-bucket".to_string());
-        let api_err: ApiError = storage_err.into();
-
-        assert_eq!(api_err.code, S3ErrorCode::NoSuchBucket);
-        assert!(api_err.message.contains("test-bucket"));
-        assert!(api_err.source.is_some());
-    }
-
-    #[test]
-    fn test_error_types() {
-        let io_err = std::io::Error::new(std::io::ErrorKind::NotFound, "file not found");
-        let my_err = MyError::Io(io_err);
-
-        // Test error matching
-        match my_err {
-            MyError::Io(_) => {}, // Expected
-            _ => panic!("Unexpected error type"),
-        }
-    }
-
-    #[test]
-    fn test_error_context() {
-        let result = process_with_context("nonexistent_file.txt");
-        assert!(result.is_err());
-
-        let err = result.unwrap_err();
-        match err {
-            MyError::Custom { message } => {
-                assert!(message.contains("Failed to read"));
-                assert!(message.contains("nonexistent_file.txt"));
-            }
-            _ => panic!("Expected Custom error"),
-        }
-    }
-}
-```
-
-### 2. Integration Tests
-
-- Use `e2e_test` module for end-to-end testing
-- Simulate real storage environments
-
-### 3. Test Quality Standards
-
-- Write meaningful test cases that verify actual functionality
-- Avoid placeholder or debug content like "debug 111", "test test", etc.
-- Use descriptive test names that clearly indicate what is being tested
-- Each test should have a clear purpose and verify specific behavior
-- Test data should be realistic and representative of actual use cases
-
-## Cross-Platform Compatibility Guidelines
-
-### 1. CPU Architecture Compatibility
-
-- **Always consider multi-platform and different CPU architecture compatibility** when writing code
-- Support major architectures: x86_64, aarch64 (ARM64), and other target platforms
-- Use conditional compilation for architecture-specific code:
-
-```rust
-#[cfg(target_arch = "x86_64")]
-fn optimized_x86_64_function() { /* x86_64 specific implementation */ }
-
-#[cfg(target_arch = "aarch64")]
-fn optimized_aarch64_function() { /* ARM64 specific implementation */ }
-
-#[cfg(not(any(target_arch = "x86_64", target_arch = "aarch64")))]
-fn generic_function() { /* Generic fallback implementation */ }
-```
-
-### 2. Platform-Specific Dependencies
-
-- Use feature flags for platform-specific dependencies
-- Provide fallback implementations for unsupported platforms
-- Test on multiple architectures in CI/CD pipeline
-
-### 3. Endianness Considerations
-
-- Use explicit byte order conversion when dealing with binary data
-- Prefer `to_le_bytes()`, `from_le_bytes()` for consistent little-endian format
-- Use `byteorder` crate for complex binary format handling
-
-### 4. SIMD and Performance Optimizations
-
-- Use portable SIMD libraries like `wide` or `packed_simd`
-- Provide fallback implementations for non-SIMD architectures
-- Use runtime feature detection when appropriate
-
-## Security Guidelines
-
-### 1. Memory Safety
-
-- Disable `unsafe` code (workspace.lints.rust.unsafe_code = "deny")
-- Use `rustls` instead of `openssl`
-
-### 2. Authentication and Authorization
-
-```rust
-// Use IAM system for permission checks
-let identity = iam.authenticate(&access_key, &secret_key).await?;
-iam.authorize(&identity, &action, &resource).await?;
-```
-
-## Configuration Management Guidelines
-
-### 1. Environment Variables
-
-- Use `RUSTFS_` prefix
-- Support both configuration files and environment variables
-- Provide reasonable default values
-
-### 2. Configuration Structure
-
-```rust
-#[derive(Debug, Deserialize, Clone)]
-pub struct Config {
-    pub address: String,
-    pub volumes: String,
-    #[serde(default)]
-    pub console_enable: bool,
-}
-```
-
-## Dependency Management Guidelines
-
-### 1. Workspace Dependencies
-
-- Manage versions uniformly at workspace level
-- Use `workspace = true` to inherit configuration
-
-### 2. Feature Flags
-
-```rust
-[features]
-default = ["file"]
-gpu = ["dep:nvml-wrapper"]
-kafka = ["dep:rdkafka"]
-```
-
-## Deployment and Operations Guidelines
-
-### 1. Containerization
-
-- Provide Dockerfile and docker-compose configuration
-- Support multi-stage builds to optimize image size
-
-### 2. Observability
-
-- Integrate OpenTelemetry for distributed tracing
-- Support Prometheus metrics collection
-- Provide Grafana dashboards
-
-### 3. Health Checks
-
-```rust
-// Implement health check endpoint
-async fn health_check() -> Result<HealthStatus> {
-    // Check component status
-}
-```
-
-## Code Review Checklist
-
-### 1. **Code Formatting and Quality (MANDATORY)**
-
-- [ ] **Code is properly formatted** (`cargo fmt --all --check` passes)
-- [ ] **All clippy warnings are resolved** (`cargo clippy --all-targets --all-features -- -D warnings` passes)
-- [ ] **Code compiles successfully** (`cargo check --all-targets` passes)
-- [ ] **Pre-commit hooks are working** and all checks pass
-- [ ] **No formatting-related changes** mixed with functional changes (separate commits)
-
-### 2. Functionality
-
-- [ ] Are all error cases properly handled?
-- [ ] Is there appropriate logging?
-- [ ] Is there necessary test coverage?
-
-### 3. Performance
-
-- [ ] Are unnecessary memory allocations avoided?
-- [ ] Are async operations used correctly?
-- [ ] Are there potential deadlock risks?
-
-### 4. Security
-
-- [ ] Are input parameters properly validated?
-- [ ] Are there appropriate permission checks?
-- [ ] Is information leakage avoided?
-
-### 5. Cross-Platform Compatibility
-
-- [ ] Does the code work on different CPU architectures (x86_64, aarch64)?
-- [ ] Are platform-specific features properly gated with conditional compilation?
-- [ ] Is byte order handling correct for binary data?
-- [ ] Are there appropriate fallback implementations for unsupported platforms?
-
-### 6. Code Commits and Documentation
-
-- [ ] Does it comply with [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/)?
-- [ ] Are commit messages concise and under 72 characters for the title line?
-- [ ] Commit titles should be concise and in English, avoid Chinese
-- [ ] Is PR description provided in copyable markdown format for easy copying?
-
-## Common Patterns and Best Practices
-
-### 1. Resource Management
-
-```rust
-// Use RAII pattern for resource management
-pub struct ResourceGuard {
-    resource: Resource,
-}
-
-impl Drop for ResourceGuard {
-    fn drop(&mut self) {
-        // Clean up resources
-    }
-}
-```
-
-### 2. Dependency Injection
-
-```rust
-// Use dependency injection pattern
-pub struct Service {
-    config: Arc<Config>,
-    storage: Arc<dyn StorageAPI>,
-}
-```
-
-### 3. Graceful Shutdown
-
-```rust
-// Implement graceful shutdown
-async fn shutdown_gracefully(shutdown_rx: &mut Receiver<()>) {
-    tokio::select! {
-        _ = shutdown_rx.recv() => {
-            info!("Received shutdown signal");
-            // Perform cleanup operations
-        }
-        _ = tokio::time::sleep(SHUTDOWN_TIMEOUT) => {
-            warn!("Shutdown timeout reached");
-        }
-    }
-}
-```
-
-## Domain-Specific Guidelines
-
-### 1. Storage Operations
-
-- All storage operations must support erasure coding
-- Implement read/write quorum mechanisms
-- Support data integrity verification
-
-### 2. Network Communication
-
-- Use gRPC for internal service communication
-- HTTP/HTTPS support for S3-compatible API
-- Implement connection pooling and retry mechanisms
-
-### 3. Metadata Management
-
-- Use FlatBuffers for serialization
-- Support version control and migration
-- Implement metadata caching
-
-These rules should serve as guiding principles when developing the RustFS project, ensuring code quality, performance, and maintainability.
-
-### 4. Code Operations
-
-#### Branch Management
-
-- **🚨 CRITICAL: NEVER modify code directly on main or master branch - THIS IS ABSOLUTELY FORBIDDEN 🚨**
-- **⚠️ ANY DIRECT COMMITS TO MASTER/MAIN WILL BE REJECTED AND MUST BE REVERTED IMMEDIATELY ⚠️**
-- **🔒 ALL CHANGES MUST GO THROUGH PULL REQUESTS - NO DIRECT COMMITS TO MAIN UNDER ANY CIRCUMSTANCES 🔒**
-- **Always work on feature branches - NO EXCEPTIONS**
-- Always check the .cursorrules file before starting to ensure you understand the project guidelines
-- **MANDATORY workflow for ALL changes:**
-   1. `git checkout main` (switch to main branch)
-   2. `git pull` (get latest changes)
-   3. `git checkout -b feat/your-feature-name` (create and switch to feature branch)
-   4. Make your changes ONLY on the feature branch
-   5. Test thoroughly before committing
-   6. Commit and push to the feature branch
-   7. **Create a pull request for code review - THIS IS THE ONLY WAY TO MERGE TO MAIN**
-   8. **Wait for PR approval before merging - NEVER merge your own PRs without review**
-- Use descriptive branch names following the pattern: `feat/feature-name`, `fix/issue-name`, `refactor/component-name`, etc.
-- **Double-check current branch before ANY commit: `git branch` to ensure you're NOT on main/master**
-- **Pull Request Requirements:**
-  - All changes must be submitted via PR regardless of size or urgency
-  - PRs must include comprehensive description and testing information
-  - PRs must pass all CI/CD checks before merging
-  - PRs require at least one approval from code reviewers
-  - Even hotfixes and emergency changes must go through PR process
-- **Enforcement:**
-  - Main branch should be protected with branch protection rules
-  - Direct pushes to main should be blocked by repository settings
-  - Any accidental direct commits to main must be immediately reverted via PR
-
-#### Development Workflow
-
-## 🎯 **Core Development Principles**
-
-- **🔴 Every change must be precise - don't modify unless you're confident**
-  - Carefully analyze code logic and ensure complete understanding before making changes
-  - When uncertain, prefer asking users or consulting documentation over blind modifications
-  - Use small iterative steps, modify only necessary parts at a time
-  - Evaluate impact scope before changes to ensure no new issues are introduced
-
-- **🚀 GitHub PR creation prioritizes gh command usage**
-  - Prefer using `gh pr create` command to create Pull Requests
-  - Avoid having users manually create PRs through web interface
-  - Provide clear and professional PR titles and descriptions
-  - Using `gh` commands ensures better integration and automation
-
-## 📝 **Code Quality Requirements**
-
-- Use English for all code comments, documentation, and variable names
-- Write meaningful and descriptive names for variables, functions, and methods
-- Avoid meaningless test content like "debug 111" or placeholder values
-- Before each change, carefully read the existing code to ensure you understand the code structure and implementation, do not break existing logic implementation, do not introduce new issues
-- Ensure each change provides sufficient test cases to guarantee code correctness
-- Do not arbitrarily modify numbers and constants in test cases, carefully analyze their meaning to ensure test case correctness
-- When writing or modifying tests, check existing test cases to ensure they have scientific naming and rigorous logic testing, if not compliant, modify test cases to ensure scientific and rigorous testing
-- **Before committing any changes, run `cargo clippy --all-targets --all-features -- -D warnings` to ensure all code passes Clippy checks**
-- After each development completion, first git add . then git commit -m "feat: feature description" or "fix: issue description", ensure compliance with [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/)
-- **Keep commit messages concise and under 72 characters** for the title line, use body for detailed explanations if needed
-- After each development completion, first git push to remote repository
-- After each change completion, summarize the changes, do not create summary files, provide a brief change description, ensure compliance with [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/)
-- Provide change descriptions needed for PR in the conversation, ensure compliance with [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/)
-- **Always provide PR descriptions in English** after completing any changes, including:
-  - Clear and concise title following Conventional Commits format
-  - Detailed description of what was changed and why
-  - List of key changes and improvements
-  - Any breaking changes or migration notes if applicable
-  - Testing information and verification steps
-- **Provide PR descriptions in copyable markdown format** enclosed in code blocks for easy one-click copying
-
-## 🚫 AI 文档生成限制
-
-### 禁止生成总结文档
-
-- **严格禁止创建任何形式的AI生成总结文档**
-- **不得创建包含大量表情符号、详细格式化表格和典型AI风格的文档**
-- **不得在项目中生成以下类型的文档：**
-  - 基准测试总结文档（BENCHMARK*.md）
-  - 实现对比分析文档（IMPLEMENTATION_COMPARISON*.md）
-  - 性能分析报告文档
-  - 架构总结文档
-  - 功能对比文档
-  - 任何带有大量表情符号和格式化内容的文档
-- **如果需要文档，请只在用户明确要求时创建，并保持简洁实用的风格**
-- **文档应当专注于实际需要的信息，避免过度格式化和装饰性内容**
-- **任何发现的AI生成总结文档都应该立即删除**
-
-### 允许的文档类型
-
-- README.md（项目介绍，保持简洁）
-- 技术文档（仅在明确需要时创建）
-- 用户手册（仅在明确需要时创建）
-- API文档（从代码生成）
-- 变更日志（CHANGELOG.md）

.docker/Dockerfile.devenv

@@ -1,27 +0,0 @@
-FROM ubuntu:22.04
-
-ENV LANG C.UTF-8
-
-RUN sed -i s@http://.*archive.ubuntu.com@http://repo.huaweicloud.com@g /etc/apt/sources.list
-
-RUN apt-get clean && apt-get update && apt-get install wget git curl unzip gcc pkg-config libssl-dev lld libdbus-1-dev libwayland-dev libwebkit2gtk-4.1-dev libxdo-dev -y
-
-# install protoc
-RUN wget https://github.com/protocolbuffers/protobuf/releases/download/v31.1/protoc-31.1-linux-x86_64.zip \
-    && unzip protoc-31.1-linux-x86_64.zip -d protoc3 \
-    && mv protoc3/bin/* /usr/local/bin/ && chmod +x /usr/local/bin/protoc \
-    && mv protoc3/include/* /usr/local/include/ && rm -rf protoc-31.1-linux-x86_64.zip protoc3
-
-# install flatc
-RUN wget https://github.com/google/flatbuffers/releases/download/v25.2.10/Linux.flatc.binary.g++-13.zip \
-    && unzip Linux.flatc.binary.g++-13.zip \
-    && mv flatc /usr/local/bin/ && chmod +x /usr/local/bin/flatc && rm -rf Linux.flatc.binary.g++-13.zip
-
-# install rust
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
-
-COPY .docker/cargo.config.toml /root/.cargo/config.toml
-
-WORKDIR /root/s3-rustfs
-
-CMD [ "bash", "-c", "while true; do sleep 1; done" ]

.docker/Dockerfile.rockylinux9.3

@@ -1,32 +0,0 @@
-FROM rockylinux:9.3 AS builder
-
-ENV LANG C.UTF-8
-
-RUN sed -e 's|^mirrorlist=|#mirrorlist=|g' \
-    -e 's|^#baseurl=http://dl.rockylinux.org/$contentdir|baseurl=https://mirrors.ustc.edu.cn/rocky|g' \
-    -i.bak \
-    /etc/yum.repos.d/rocky-extras.repo \
-    /etc/yum.repos.d/rocky.repo
-
-RUN dnf makecache
-
-RUN yum install wget git unzip gcc openssl-devel pkgconf-pkg-config -y
-
-# install protoc
-RUN wget https://github.com/protocolbuffers/protobuf/releases/download/v31.1/protoc-31.1-linux-x86_64.zip \
-    && unzip protoc-31.1-linux-x86_64.zip -d protoc3 \
-    && mv protoc3/bin/* /usr/local/bin/ && chmod +x /usr/local/bin/protoc \
-    && mv protoc3/include/* /usr/local/include/ && rm -rf protoc-31.1-linux-x86_64.zip protoc3
-
-# install flatc
-RUN wget https://github.com/google/flatbuffers/releases/download/v25.2.10/Linux.flatc.binary.g++-13.zip \
-    && unzip Linux.flatc.binary.g++-13.zip \
-    && mv flatc /usr/local/bin/ && chmod +x /usr/local/bin/flatc \
-    && rm -rf Linux.flatc.binary.g++-13.zip
-
-# install rust
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
-
-COPY .docker/cargo.config.toml /root/.cargo/config.toml
-
-WORKDIR /root/s3-rustfs

.docker/Dockerfile.ubuntu22.04

@@ -1,25 +0,0 @@
-FROM ubuntu:22.04
-
-ENV LANG C.UTF-8
-
-RUN sed -i s@http://.*archive.ubuntu.com@http://repo.huaweicloud.com@g /etc/apt/sources.list
-
-RUN apt-get clean && apt-get update && apt-get install wget git curl unzip gcc pkg-config libssl-dev lld libdbus-1-dev libwayland-dev libwebkit2gtk-4.1-dev libxdo-dev -y
-
-# install protoc
-RUN wget https://github.com/protocolbuffers/protobuf/releases/download/v31.1/protoc-31.1-linux-x86_64.zip \
-    && unzip protoc-31.1-linux-x86_64.zip -d protoc3 \
-    && mv protoc3/bin/* /usr/local/bin/ && chmod +x /usr/local/bin/protoc \
-    && mv protoc3/include/* /usr/local/include/ && rm -rf protoc-31.1-linux-x86_64.zip protoc3
-
-# install flatc
-RUN wget https://github.com/google/flatbuffers/releases/download/v25.2.10/Linux.flatc.binary.g++-13.zip \
-    && unzip Linux.flatc.binary.g++-13.zip \
-    && mv flatc /usr/local/bin/ && chmod +x /usr/local/bin/flatc && rm -rf Linux.flatc.binary.g++-13.zip
-
-# install rust
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
-
-COPY .docker/cargo.config.toml /root/.cargo/config.toml
-
-WORKDIR /root/s3-rustfs

.docker/README.md

@@ -0,0 +1,131 @@
+# RustFS Docker Infrastructure
+
+This directory contains the complete Docker infrastructure for building, deploying, and monitoring RustFS. It provides ready-to-use configurations for development, testing, and production-grade observability.
+
+## 📂 Directory Structure
+
+| Directory | Description | Status |
+| :--- | :--- | :--- |
+| **[`observability/`](observability/README.md)** | **[RECOMMENDED]** Full-stack observability (Prometheus, Grafana, Tempo, Loki). | ✅ Production-Ready |
+| **[`compose/`](compose/README.md)** | Specialized setups (e.g., 4-node distributed cluster testing). | ⚠️ Testing Only |
+| **[`mqtt/`](mqtt/README.md)** | EMQX Broker configuration for MQTT integration testing. | 🧪 Development |
+| **[`openobserve-otel/`](openobserve-otel/README.md)** | Alternative lightweight observability stack using OpenObserve. | 🔄 Alternative |
+
+---
+
+## 📄 Root Directory Files
+
+The following files in the project root are essential for Docker operations:
+
+### Build Scripts & Dockerfiles
+
+| File | Description | Usage |
+| :--- | :--- | :--- |
+| **`docker-buildx.sh`** | **Multi-Arch Build Script**<br>Automates building and pushing Docker images for `amd64` and `arm64`. Supports release and dev channels. | `./docker-buildx.sh --push` |
+| **`Dockerfile`** | **Production Image (Alpine)**<br>Lightweight image using musl libc. Downloads pre-built binaries from GitHub Releases. | `docker build -t rustfs:latest .` |
+| **`Dockerfile.glibc`** | **Production Image (Ubuntu)**<br>Standard image using glibc. Useful if you need specific dynamic libraries. | `docker build -f Dockerfile.glibc .` |
+| **`Dockerfile.source`** | **Development Image**<br>Builds RustFS from source code. Includes build tools. Ideal for local development and CI. | `docker build -f Dockerfile.source .` |
+
+### Docker Compose Configurations
+
+| File | Description | Usage |
+| :--- | :--- | :--- |
+| **`docker-compose.yml`** | **Main Development Setup**<br>Comprehensive setup with profiles for development, observability, and proxying. | `docker compose up -d`<br>`docker compose --profile observability up -d` |
+| **`docker-compose-simple.yml`** | **Quick Start Setup**<br>Minimal configuration running a single RustFS instance with 4 volumes. Perfect for first-time users. | `docker compose -f docker-compose-simple.yml up -d` |
+
+---
+
+## 🌟 Observability Stack (Recommended)
+
+Located in: [`.docker/observability/`](observability/README.md)
+
+We provide a comprehensive, industry-standard observability stack designed for deep insights into RustFS performance. This is the recommended setup for both development and production monitoring.
+
+### Components
+- **Metrics**: Prometheus (Collection) + Grafana (Visualization)
+- **Traces**: Tempo (Storage) + Jaeger (UI)
+- **Logs**: Loki
+- **Ingestion**: OpenTelemetry Collector
+
+### Key Features
+- **Full Persistence**: All metrics, logs, and traces are saved to Docker volumes, ensuring no data loss on restarts.
+- **Correlation**: Seamlessly jump between Logs, Traces, and Metrics in Grafana.
+- **High Performance**: Optimized configurations for batching, compression, and memory management.
+
+### Quick Start
+```bash
+cd .docker/observability
+docker compose up -d
+```
+
+---
+
+## 🧪 Specialized Environments
+
+Located in: [`.docker/compose/`](compose/README.md)
+
+These configurations are tailored for specific testing scenarios that require complex topologies.
+
+### Distributed Cluster (4-Nodes)
+Simulates a real-world distributed environment with 4 RustFS nodes running locally.
+```bash
+docker compose -f .docker/compose/docker-compose.cluster.yaml up -d
+```
+
+### Integrated Observability Test
+A self-contained environment running 4 RustFS nodes alongside the full observability stack. Useful for end-to-end testing of telemetry.
+```bash
+docker compose -f .docker/compose/docker-compose.observability.yaml up -d
+```
+
+---
+
+## 📡 MQTT Integration
+
+Located in: [`.docker/mqtt/`](mqtt/README.md)
+
+Provides an EMQX broker for testing RustFS MQTT features.
+
+### Quick Start
+```bash
+cd .docker/mqtt
+docker compose up -d
+```
+- **Dashboard**: [http://localhost:18083](http://localhost:18083) (Default: `admin` / `public`)
+- **MQTT Port**: `1883`
+
+---
+
+## 👁️ Alternative: OpenObserve
+
+Located in: [`.docker/openobserve-otel/`](openobserve-otel/README.md)
+
+For users preferring a lightweight, all-in-one solution, we support OpenObserve. It combines logs, metrics, and traces into a single binary and UI.
+
+### Quick Start
+```bash
+cd .docker/openobserve-otel
+docker compose up -d
+```
+
+---
+
+## 🔧 Common Operations
+
+### Cleaning Up
+To stop all containers and remove volumes (**WARNING**: deletes all persisted data):
+```bash
+docker compose down -v
+```
+
+### Viewing Logs
+To follow logs for a specific service:
+```bash
+docker compose logs -f [service_name]
+```
+
+### Checking Status
+To see the status of all running containers:
+```bash
+docker compose ps
+```

.docker/compose/README.md

@@ -0,0 +1,44 @@
+# Specialized Docker Compose Configurations
+
+This directory contains specialized Docker Compose configurations for specific testing scenarios.
+
+## ⚠️ Important Note
+
+**For Observability:**
+We **strongly recommend** using the new, fully integrated observability stack located in `../observability/`. It provides a production-ready setup with Prometheus, Grafana, Tempo, Loki, and OpenTelemetry Collector, all with persistent storage and optimized configurations.
+
+The `docker-compose.observability.yaml` in this directory is kept for legacy reference or specific minimal testing needs but is **not** the primary recommended setup.
+
+## 📁 Configuration Files
+
+### Cluster Testing
+
+- **`docker-compose.cluster.yaml`**
+  - **Purpose**: Simulates a 4-node RustFS distributed cluster.
+  - **Use Case**: Testing distributed storage logic, consensus, and failover.
+  - **Nodes**: 4 RustFS instances.
+  - **Storage**: Uses local HTTP endpoints.
+
+### Legacy / Minimal Observability
+
+- **`docker-compose.observability.yaml`**
+  - **Purpose**: A minimal observability setup.
+  - **Status**: **Deprecated**. Please use `../observability/docker-compose.yml` instead.
+
+## 🚀 Usage Examples
+
+### Cluster Testing
+
+To start a 4-node cluster for distributed testing:
+
+```bash
+# From project root
+docker compose -f .docker/compose/docker-compose.cluster.yaml up -d
+```
+
+### (Deprecated) Minimal Observability
+
+```bash
+# From project root
+docker compose -f .docker/compose/docker-compose.observability.yaml up -d
+```

.docker/compose/docker-compose.cluster.yaml

@@ -14,70 +14,69 @@
 
 services:
   node0:
-    image: rustfs:v1  # 替换为你的镜像名称和标签
+    image: rustfs/rustfs:latest # Replace with your image name and label
     container_name: node0
     hostname: node0
     environment:
       - RUSTFS_VOLUMES=http://node{0...3}:9000/data/rustfs{0...3}
       - RUSTFS_ADDRESS=0.0.0.0:9000
       - RUSTFS_CONSOLE_ENABLE=true
-      - RUSTFS_CONSOLE_ADDRESS=0.0.0.0:9002
+      - RUSTFS_ACCESS_KEY=rustfsadmin
+      - RUSTFS_SECRET_KEY=rustfsadmin
     platform: linux/amd64
     ports:
-      - "9000:9000"  # 映射宿主机的 9001 端口到容器的 9000 端口
-      - "8000:9001"  # 映射宿主机的 9001 端口到容器的 9000 端口
+      - "9000:9000" # Map port 9001 of the host to port 9000 of the container
     volumes:
-      - ./target/x86_64-unknown-linux-musl/release/rustfs:/app/rustfs
-      # - ./data/node0:/data  # 将当前路径挂载到容器内的 /root/data
+      - ../../target/x86_64-unknown-linux-gnu/release/rustfs:/app/rustfs
     command: "/app/rustfs"
 
   node1:
-    image: rustfs:v1
+    image: rustfs/rustfs:latest
     container_name: node1
     hostname: node1
     environment:
       - RUSTFS_VOLUMES=http://node{0...3}:9000/data/rustfs{0...3}
       - RUSTFS_ADDRESS=0.0.0.0:9000
       - RUSTFS_CONSOLE_ENABLE=true
-      - RUSTFS_CONSOLE_ADDRESS=0.0.0.0:9002
+      - RUSTFS_ACCESS_KEY=rustfsadmin
+      - RUSTFS_SECRET_KEY=rustfsadmin
     platform: linux/amd64
     ports:
-      - "9001:9000"  # 映射宿主机的 9002 端口到容器的 9000 端口
+      - "9001:9000" # Map port 9002 of the host to port 9000 of the container
     volumes:
-      - ./target/x86_64-unknown-linux-musl/release/rustfs:/app/rustfs 
-      # - ./data/node1:/data
+      - ../../target/x86_64-unknown-linux-gnu/release/rustfs:/app/rustfs
     command: "/app/rustfs"
 
   node2:
-    image: rustfs:v1
+    image: rustfs/rustfs:latest
     container_name: node2
     hostname: node2
     environment:
       - RUSTFS_VOLUMES=http://node{0...3}:9000/data/rustfs{0...3}
       - RUSTFS_ADDRESS=0.0.0.0:9000
       - RUSTFS_CONSOLE_ENABLE=true
-      - RUSTFS_CONSOLE_ADDRESS=0.0.0.0:9002
+      - RUSTFS_ACCESS_KEY=rustfsadmin
+      - RUSTFS_SECRET_KEY=rustfsadmin
     platform: linux/amd64
     ports:
-      - "9002:9000"  # 映射宿主机的 9003 端口到容器的 9000 端口
+      - "9002:9000" # Map port 9003 of the host to port 9000 of the container
     volumes:
-      - ./target/x86_64-unknown-linux-musl/release/rustfs:/app/rustfs
-      # - ./data/node2:/data
+      - ../../target/x86_64-unknown-linux-gnu/release/rustfs:/app/rustfs
     command: "/app/rustfs"
 
   node3:
-    image: rustfs:v1
+    image: rustfs/rustfs:latest
     container_name: node3
     hostname: node3
     environment:
       - RUSTFS_VOLUMES=http://node{0...3}:9000/data/rustfs{0...3}
       - RUSTFS_ADDRESS=0.0.0.0:9000
       - RUSTFS_CONSOLE_ENABLE=true
-      - RUSTFS_CONSOLE_ADDRESS=0.0.0.0:9002
+      - RUSTFS_ACCESS_KEY=rustfsadmin
+      - RUSTFS_SECRET_KEY=rustfsadmin
     platform: linux/amd64
     ports:
-      - "9003:9000"  # 映射宿主机的 9004 端口到容器的 9000 端口
+      - "9003:9000" # Map port 9004 of the host to port 9000 of the container
     volumes:
-      - ./target/x86_64-unknown-linux-musl/release/rustfs:/app/rustfs
-      # - ./data/node3:/data
+      - ../../target/x86_64-unknown-linux-gnu/release/rustfs:/app/rustfs
     command: "/app/rustfs"

.docker/compose/docker-compose.observability.yaml

@@ -0,0 +1,224 @@
+# Copyright 2024 RustFS Team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+services:
+  # --- Observability Stack ---
+
+  tempo-init:
+    image: busybox:latest
+    command: [ "sh", "-c", "chown -R 10001:10001 /var/tempo" ]
+    volumes:
+      - tempo-data:/var/tempo
+    user: root
+    networks:
+      - rustfs-network
+    restart: "no"
+
+  tempo:
+    image: grafana/tempo:latest
+    user: "10001"
+    command: [ "-config.file=/etc/tempo.yaml" ]
+    volumes:
+      - ../../.docker/observability/tempo.yaml:/etc/tempo.yaml:ro
+      - tempo-data:/var/tempo
+    ports:
+      - "3200:3200" # tempo
+      - "4317"      # otlp grpc
+      - "4318"      # otlp http
+    restart: unless-stopped
+    networks:
+      - rustfs-network
+
+  otel-collector:
+    image: otel/opentelemetry-collector-contrib:latest
+    environment:
+      - TZ=Asia/Shanghai
+    volumes:
+      - ../../.docker/observability/otel-collector-config.yaml:/etc/otelcol-contrib/config.yaml:ro
+    ports:
+      - "1888:1888"   # pprof
+      - "8888:8888"   # Prometheus metrics for Collector
+      - "8889:8889"   # Prometheus metrics for application indicators
+      - "13133:13133" # health check
+      - "4317:4317"   # OTLP gRPC
+      - "4318:4318"   # OTLP HTTP
+      - "55679:55679" # zpages
+    networks:
+      - rustfs-network
+    depends_on:
+      - tempo
+      - jaeger
+      - prometheus
+      - loki
+
+  jaeger:
+    image: jaegertracing/jaeger:latest
+    environment:
+      - TZ=Asia/Shanghai
+      - SPAN_STORAGE_TYPE=badger
+      - BADGER_EPHEMERAL=false
+      - BADGER_DIRECTORY_VALUE=/badger/data
+      - BADGER_DIRECTORY_KEY=/badger/key
+      - COLLECTOR_OTLP_ENABLED=true
+    volumes:
+      - jaeger-data:/badger
+    ports:
+      - "16686:16686" # Web UI
+      - "14269:14269" # Admin/Metrics
+    networks:
+      - rustfs-network
+
+  prometheus:
+    image: prom/prometheus:latest
+    environment:
+      - TZ=Asia/Shanghai
+    volumes:
+      - ../../.docker/observability/prometheus.yml:/etc/prometheus/prometheus.yml:ro
+      - prometheus-data:/prometheus
+    ports:
+      - "9090:9090"
+    command:
+      - '--config.file=/etc/prometheus/prometheus.yml'
+      - '--web.enable-otlp-receiver'
+      - '--web.enable-remote-write-receiver'
+      - '--enable-feature=promql-experimental-functions'
+      - '--storage.tsdb.path=/prometheus'
+      - '--web.console.libraries=/usr/share/prometheus/console_libraries'
+      - '--web.console.templates=/usr/share/prometheus/consoles'
+    networks:
+      - rustfs-network
+
+  loki:
+    image: grafana/loki:latest
+    environment:
+      - TZ=Asia/Shanghai
+    volumes:
+      - ../../.docker/observability/loki.yaml:/etc/loki/local-config.yaml:ro
+      - loki-data:/loki
+    ports:
+      - "3100:3100"
+    command: -config.file=/etc/loki/local-config.yaml
+    networks:
+      - rustfs-network
+
+  grafana:
+    image: grafana/grafana:latest
+    ports:
+      - "3000:3000" # Web UI
+    environment:
+      - GF_SECURITY_ADMIN_PASSWORD=admin
+      - GF_SECURITY_ADMIN_USER=admin
+      - TZ=Asia/Shanghai
+      - GF_INSTALL_PLUGINS=grafana-pyroscope-datasource
+      - GF_DASHBOARDS_DEFAULT_HOME_DASHBOARD_PATH=/var/lib/grafana/dashboards/home.json
+    networks:
+      - rustfs-network
+    volumes:
+      - ../../.docker/observability/grafana/provisioning:/etc/grafana/provisioning:ro
+      - ../../.docker/observability/grafana/dashboards:/var/lib/grafana/dashboards:ro
+    depends_on:
+      - prometheus
+      - tempo
+      - loki
+
+  # --- RustFS Cluster ---
+
+  node1:
+    build:
+      context: ../..
+      dockerfile: Dockerfile.source
+    container_name: node1
+    environment:
+      - RUSTFS_VOLUMES=http://node{1...4}:9000/root/data/target/volume/test{1...4}
+      - RUSTFS_ADDRESS=:9000
+      - RUSTFS_CONSOLE_ENABLE=true
+      - RUSTFS_OBS_ENDPOINT=http://otel-collector:4318
+      - RUSTFS_OBS_LOGGER_LEVEL=debug
+    platform: linux/amd64
+    ports:
+      - "9001:9000"
+    networks:
+      - rustfs-network
+    depends_on:
+      - otel-collector
+
+  node2:
+    build:
+      context: ../..
+      dockerfile: Dockerfile.source
+    container_name: node2
+    environment:
+      - RUSTFS_VOLUMES=http://node{1...4}:9000/root/data/target/volume/test{1...4}
+      - RUSTFS_ADDRESS=:9000
+      - RUSTFS_CONSOLE_ENABLE=true
+      - RUSTFS_OBS_ENDPOINT=http://otel-collector:4318
+      - RUSTFS_OBS_LOGGER_LEVEL=debug
+    platform: linux/amd64
+    ports:
+      - "9002:9000"
+    networks:
+      - rustfs-network
+    depends_on:
+      - otel-collector
+
+  node3:
+    build:
+      context: ../..
+      dockerfile: Dockerfile.source
+    container_name: node3
+    environment:
+      - RUSTFS_VOLUMES=http://node{1...4}:9000/root/data/target/volume/test{1...4}
+      - RUSTFS_ADDRESS=:9000
+      - RUSTFS_CONSOLE_ENABLE=true
+      - RUSTFS_OBS_ENDPOINT=http://otel-collector:4318
+      - RUSTFS_OBS_LOGGER_LEVEL=debug
+    platform: linux/amd64
+    ports:
+      - "9003:9000"
+    networks:
+      - rustfs-network
+    depends_on:
+      - otel-collector
+
+  node4:
+    build:
+      context: ../..
+      dockerfile: Dockerfile.source
+    container_name: node4
+    environment:
+      - RUSTFS_VOLUMES=http://node{1...4}:9000/root/data/target/volume/test{1...4}
+      - RUSTFS_ADDRESS=:9000
+      - RUSTFS_CONSOLE_ENABLE=true
+      - RUSTFS_OBS_ENDPOINT=http://otel-collector:4318
+      - RUSTFS_OBS_LOGGER_LEVEL=debug
+    platform: linux/amd64
+    ports:
+      - "9004:9000"
+    networks:
+      - rustfs-network
+    depends_on:
+      - otel-collector
+
+volumes:
+  prometheus-data:
+  tempo-data:
+  loki-data:
+  jaeger-data:
+
+networks:
+  rustfs-network:
+    driver: bridge
+    name: "network_rustfs_config"
+    driver_opts:
+      com.docker.network.enable_ipv6: "true"

.docker/mqtt/README.md

@@ -0,0 +1,30 @@
+# MQTT Broker (EMQX)
+
+This directory contains the configuration for running an EMQX MQTT broker, which can be used for testing RustFS's MQTT integration.
+
+## 🚀 Quick Start
+
+To start the EMQX broker:
+
+```bash
+docker compose up -d
+```
+
+## 📊 Access
+
+- **Dashboard**: [http://localhost:18083](http://localhost:18083)
+- **Default Credentials**: `admin` / `public`
+- **MQTT Port**: `1883`
+- **WebSocket Port**: `8083`
+
+## 🛠️ Configuration
+
+The `docker-compose.yml` file sets up a single-node EMQX instance.
+
+- **Persistence**: Data is not persisted by default (for testing).
+- **Network**: Uses the default bridge network.
+
+## 📝 Notes
+
+- This setup is intended for development and testing purposes.
+- For production deployments, please refer to the official [EMQX Documentation](https://www.emqx.io/docs/en/latest/).

.docker/nginx/nginx.conf

@@ -0,0 +1,82 @@
+# Copyright 2024 RustFS Team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+worker_processes auto;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log /var/log/nginx/access.log main;
+    error_log /var/log/nginx/error.log warn;
+
+    sendfile on;
+    keepalive_timeout 65;
+
+    # RustFS Server Block
+    server {
+        listen 80;
+        server_name localhost;
+
+        # Redirect HTTP to HTTPS (optional, uncomment if SSL is configured)
+        # return 301 https://$host$request_uri;
+
+        location / {
+            proxy_pass http://rustfs:9000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            # S3 specific headers
+            proxy_set_header X-Amz-Date $http_x_amz_date;
+            proxy_set_header Authorization $http_authorization;
+
+            # Disable buffering for large uploads
+            proxy_request_buffering off;
+            client_max_body_size 0;
+        }
+
+        location /rustfs/console {
+            proxy_pass http://rustfs:9001;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+    }
+
+    # SSL Configuration (Example)
+    # server {
+    #     listen 443 ssl;
+    #     server_name localhost;
+    #
+    #     ssl_certificate /etc/nginx/ssl/server.crt;
+    #     ssl_certificate_key /etc/nginx/ssl/server.key;
+    #
+    #     location / {
+    #         proxy_pass http://rustfs:9000;
+    #         ...
+    #     }
+    # }
+}

.docker/observability/.gitignore

@@ -0,0 +1,5 @@
+jaeger-data/*
+loki-data/*
+prometheus-data/*
+tempo-data/*
+grafana-data/*

.docker/observability/README.md

@@ -1,109 +1,85 @@
-# Observability
+# RustFS Observability Stack
 
-This directory contains the observability stack for the application. The stack is composed of the following components:
+This directory contains the comprehensive observability stack for RustFS, designed to provide deep insights into application performance, logs, and traces.
 
-- Prometheus v3.2.1
-- Grafana 11.6.0
-- Loki 3.4.2
-- Jaeger 2.4.0
-- Otel Collector 0.120.0 # 0.121.0 remove loki
+## Components
 
-## Prometheus
+The stack is composed of the following best-in-class open-source components:
 
-Prometheus is a monitoring and alerting toolkit. It scrapes metrics from instrumented jobs, either directly or via an
-intermediary push gateway for short-lived jobs. It stores all scraped samples locally and runs rules over this data to
-either aggregate and record new time series from existing data or generate alerts. Grafana or other API consumers can be
-used to visualize the collected data.
+- **Prometheus** (v2.53.1): The industry standard for metric collection and alerting.
+- **Grafana** (v11.1.0): The leading platform for observability visualization.
+- **Loki** (v3.1.0): A horizontally-scalable, highly-available, multi-tenant log aggregation system.
+- **Tempo** (v2.5.0): A high-volume, minimal dependency distributed tracing backend.
+- **Jaeger** (v1.59.0): Distributed tracing system (configured as a secondary UI/storage).
+- **OpenTelemetry Collector** (v0.104.0): A vendor-agnostic implementation for receiving, processing, and exporting telemetry data.
 
-## Grafana
+## Architecture
 
-Grafana is a multi-platform open-source analytics and interactive visualization web application. It provides charts,
-graphs, and alerts for the web when connected to supported data sources.
+1. **Telemetry Collection**: Applications send OTLP (OpenTelemetry Protocol) data (Metrics, Logs, Traces) to the **OpenTelemetry Collector**.
+2. **Processing & Exporting**: The Collector processes the data (batching, memory limiting) and exports it to the respective backends:
+    - **Traces** -> **Tempo** (Primary) & **Jaeger** (Secondary/Optional)
+    - **Metrics** -> **Prometheus** (via scraping the Collector's exporter)
+    - **Logs** -> **Loki**
+3. **Visualization**: **Grafana** connects to all backends (Prometheus, Tempo, Loki, Jaeger) to provide a unified dashboard experience.
 
-## Loki
+## Features
 
-Loki is a horizontally-scalable, highly-available, multi-tenant log aggregation system inspired by Prometheus. It is
-designed to be very cost-effective and easy to operate. It does not index the contents of the logs, but rather a set of
-labels for each log stream.
+- **Full Persistence**: All data (Metrics, Logs, Traces) is persisted to Docker volumes, ensuring no data loss on restart.
+- **Correlation**: Seamless navigation between Metrics, Logs, and Traces in Grafana.
+  - Jump from a Metric spike to relevant Traces.
+  - Jump from a Trace to relevant Logs.
+- **High Performance**: Optimized configurations for batching, compression, and memory management.
+- **Standardized Protocols**: Built entirely on OpenTelemetry standards.
 
-## Jaeger
+## Quick Start
 
-Jaeger is a distributed tracing system released as open source by Uber Technologies. It is used for monitoring and
-troubleshooting microservices-based distributed systems, including:
+### Prerequisites
 
-- Distributed context propagation
-- Distributed transaction monitoring
-- Root cause analysis
-- Service dependency analysis
-- Performance / latency optimization
+- Docker
+- Docker Compose
 
-## Otel Collector
+### Deploy
 
-The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process, and export telemetry
-data. It removes the need to run, operate, and maintain multiple agents/collectors in order to support open-source
-observability data formats (e.g. Jaeger, Prometheus, etc.) sending to one or more open-source or commercial back-ends.
-
-## How to use
-
-To deploy the observability stack, run the following command:
-
-- docker latest version
+Run the following command to start the entire stack:
 
 ```bash
-docker compose -f docker-compose.yml -f docker-compose.override.yml up -d
+docker compose up -d
 ```
 
-- docker compose v2.0.0 or before
+### Access Dashboards
+
+| Service        | URL                                              | Credentials       | Description                    |
+| :------------- | :----------------------------------------------- | :---------------- | :----------------------------- |
+| **Grafana**    | [http://localhost:3000](http://localhost:3000)   | `admin` / `admin` | Main visualization hub.        |
+| **Prometheus** | [http://localhost:9090](http://localhost:9090)   | -                 | Metric queries and status.     |
+| **Jaeger UI**  | [http://localhost:16686](http://localhost:16686) | -                 | Secondary trace visualization. |
+| **Tempo**      | [http://localhost:3200](http://localhost:3200)   | -                 | Tempo status/metrics.          |
+
+## Configuration
+
+### Data Persistence
+
+Data is stored in the following Docker volumes:
+
+- `prometheus-data`: Prometheus metrics
+- `tempo-data`: Tempo traces (WAL and Blocks)
+- `loki-data`: Loki logs (Chunks and Rules)
+- `jaeger-data`: Jaeger traces (Badger DB)
+
+To clear all data:
 
 ```bash
-docke-compose -f docker-compose.yml -f docker-compose.override.yml up -d
+docker compose down -v
 ```
 
-To access the Grafana dashboard, navigate to `http://localhost:3000` in your browser. The default username and password
-are `admin` and `admin`, respectively.
-
-To access the Jaeger dashboard, navigate to `http://localhost:16686` in your browser.
-
-To access the Prometheus dashboard, navigate to `http://localhost:9090` in your browser.
-
-## How to stop
-
-To stop the observability stack, run the following command:
-
-```bash
-docker compose -f docker-compose.yml -f docker-compose.override.yml down
-```
-
-## How to remove data
-
-To remove the data generated by the observability stack, run the following command:
-
-```bash
-docker compose -f docker-compose.yml -f docker-compose.override.yml down -v
-```
-
-## How to configure
-
-To configure the observability stack, modify the `docker-compose.override.yml` file. The file contains the following
-
-```yaml
-services:
-  prometheus:
-    environment:
-      - PROMETHEUS_CONFIG_FILE=/etc/prometheus/prometheus.yml
-    volumes:
-      - ./prometheus.yml:/etc/prometheus/prometheus.yml
-
-  grafana:
-    environment:
-      - GF_SECURITY_ADMIN_PASSWORD=admin
-    volumes:
-      - ./grafana/provisioning:/etc/grafana/provisioning
-```
-
-The `prometheus` service mounts the `prometheus.yml` file to `/etc/prometheus/prometheus.yml`. The `grafana` service
-mounts the `grafana/provisioning` directory to `/etc/grafana/provisioning`. You can modify these files to configure the
-observability stack.
+### Customization
 
+- **Prometheus**: Edit `prometheus.yml` to add scrape targets or alerting rules.
+- **Grafana**: Dashboards and datasources are provisioned from the `grafana/` directory.
+- **Collector**: Edit `otel-collector-config.yaml` to modify pipelines, processors, or exporters.
 
+## Troubleshooting
 
+- **Service Health**: Check the health of services using `docker compose ps`.
+- **Logs**: View logs for a specific service using `docker compose logs -f <service_name>`.
+- **Otel Collector**: Check `http://localhost:13133` for health status and `http://localhost:1888/debug/pprof/` for profiling.

.docker/observability/README_ZH.md

@@ -1,27 +1,85 @@
-## 部署可观测性系统
+# RustFS 可观测性技术栈
 
-OpenTelemetry Collector 提供了一个厂商中立的遥测数据处理方案，用于接收、处理和导出遥测数据。它消除了为支持多种开源可观测性数据格式（如
-Jaeger、Prometheus 等）而需要运行和维护多个代理/收集器的必要性。
+本目录包含 RustFS 的全面可观测性技术栈，旨在提供对应用程序性能、日志和追踪的深入洞察。
 
-### 快速部署
+## 组件
 
-1. 进入 `.docker/observability` 目录
-2. 执行以下命令启动服务：
+该技术栈由以下一流的开源组件组成：
+
+- **Prometheus** (v2.53.1): 行业标准的指标收集和告警工具。
+- **Grafana** (v11.1.0): 领先的可观测性可视化平台。
+- **Loki** (v3.1.0): 水平可扩展、高可用、多租户的日志聚合系统。
+- **Tempo** (v2.5.0): 高吞吐量、最小依赖的分布式追踪后端。
+- **Jaeger** (v1.59.0): 分布式追踪系统（配置为辅助 UI/存储）。
+- **OpenTelemetry Collector** (v0.104.0): 接收、处理和导出遥测数据的供应商无关实现。
+
+## 架构
+
+1.  **遥测收集**: 应用程序将 OTLP (OpenTelemetry Protocol) 数据（指标、日志、追踪）发送到 **OpenTelemetry Collector**。
+2.  **处理与导出**: Collector 处理数据（批处理、内存限制）并将其导出到相应的后端：
+    -   **追踪** -> **Tempo** (主要) & **Jaeger** (辅助/可选)
+    -   **指标** -> **Prometheus** (通过抓取 Collector 的导出器)
+    -   **日志** -> **Loki**
+3.  **可视化**: **Grafana** 连接到所有后端（Prometheus, Tempo, Loki, Jaeger），提供统一的仪表盘体验。
+
+## 特性
+
+-   **完全持久化**: 所有数据（指标、日志、追踪）都持久化到 Docker 卷，确保重启后无数据丢失。
+-   **关联性**: 在 Grafana 中实现指标、日志和追踪之间的无缝导航。
+    -   从指标峰值跳转到相关追踪。
+    -   从追踪跳转到相关日志。
+-   **高性能**: 针对批处理、压缩和内存管理进行了优化配置。
+-   **标准化协议**: 完全基于 OpenTelemetry 标准构建。
+
+## 快速开始
+
+### 前置条件
+
+-   Docker
+-   Docker Compose
+
+### 部署
+
+运行以下命令启动整个技术栈：
 
 ```bash
-docker compose -f docker-compose.yml  up -d
+docker compose up -d
 ```
 
-### 访问监控面板
+### 访问仪表盘
 
-服务启动后，可通过以下地址访问各个监控面板：
+| 服务 | URL | 凭据 | 描述 |
+| :--- | :--- | :--- | :--- |
+| **Grafana** | [http://localhost:3000](http://localhost:3000) | `admin` / `admin` | 主要可视化中心。 |
+| **Prometheus** | [http://localhost:9090](http://localhost:9090) | - | 指标查询和状态。 |
+| **Jaeger UI** | [http://localhost:16686](http://localhost:16686) | - | 辅助追踪可视化。 |
+| **Tempo** | [http://localhost:3200](http://localhost:3200) | - | Tempo 状态/指标。 |
 
-- Grafana: `http://localhost:3000` (默认账号/密码：`admin`/`admin`)
-- Jaeger: `http://localhost:16686`
-- Prometheus: `http://localhost:9090`
+## 配置
 
-## 配置可观测性
+### 数据持久化
 
-```shell
-export RUSTFS_OBS_ENDPOINT="http://localhost:4317" # OpenTelemetry Collector 地址
+数据存储在以下 Docker 卷中：
+
+-   `prometheus-data`: Prometheus 指标
+-   `tempo-data`: Tempo 追踪 (WAL 和 Blocks)
+-   `loki-data`: Loki 日志 (Chunks 和 Rules)
+-   `jaeger-data`: Jaeger 追踪 (Badger DB)
+
+要清除所有数据：
+
+```bash
+docker compose down -v
 ```
+
+### 自定义
+
+-   **Prometheus**: 编辑 `prometheus.yml` 以添加抓取目标或告警规则。
+-   **Grafana**: 仪表盘和数据源从 `grafana/` 目录预置。
+-   **Collector**: 编辑 `otel-collector-config.yaml` 以修改管道、处理器或导出器。
+
+## 故障排除
+
+-   **服务健康**: 使用 `docker compose ps` 检查服务健康状况。
+-   **日志**: 使用 `docker compose logs -f <service_name>` 查看特定服务的日志。
+-   **Otel Collector**: 检查 `http://localhost:13133` 获取健康状态，检查 `http://localhost:1888/debug/pprof/` 进行性能分析。

.docker/observability/docker-compose-example-for-rustfs.yml

@@ -0,0 +1,270 @@
+# Copyright 2024 RustFS Team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+services:
+  rustfs:
+    security_opt:
+      - "no-new-privileges:true"
+    image: rustfs/rustfs:latest
+    container_name: rustfs-server
+    ports:
+      - "9000:9000" # S3 API port
+      - "9001:9001" # Console port
+    environment:
+      - RUSTFS_VOLUMES=/data/rustfs
+      - RUSTFS_ADDRESS=0.0.0.0:9000
+      - RUSTFS_CONSOLE_ADDRESS=0.0.0.0:9001
+      - RUSTFS_CONSOLE_ENABLE=true
+      - RUSTFS_CORS_ALLOWED_ORIGINS=*
+      - RUSTFS_CONSOLE_CORS_ALLOWED_ORIGINS=*
+      - RUSTFS_ACCESS_KEY=rustfsadmin
+      - RUSTFS_SECRET_KEY=rustfsadmin
+      - RUSTFS_OBS_LOGGER_LEVEL=info
+      - RUSTFS_OBS_ENDPOINT=http://otel-collector:4318
+      - RUSTFS_OBS_PROFILING_ENDPOINT=http://pyroscope:4040
+    volumes:
+      - rustfs-data:/data/rustfs
+    networks:
+      - otel-network
+    restart: unless-stopped
+    healthcheck:
+      test:
+        [
+          "CMD",
+          "sh",
+          "-c",
+          "curl -f http://127.0.0.1:9000/health && curl -f http://127.0.0.1:9001/rustfs/console/health",
+        ]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    depends_on:
+      otel-collector:
+        condition: service_started
+
+  rustfs-init:
+    image: alpine
+    container_name: rustfs-init
+    volumes:
+      - rustfs-data:/data
+    networks:
+      - otel-network
+    command: >
+      sh -c "
+        chown -R 10001:10001 /data &&
+        echo 'Volume Permissions fixed' &&
+        exit 0
+      "
+    restart: no
+
+  # --- Tracing ---
+
+  tempo:
+    image: grafana/tempo:latest
+    container_name: tempo
+    command: [ "-config.file=/etc/tempo.yaml" ]
+    volumes:
+      - ./tempo.yaml:/etc/tempo.yaml:ro
+      - tempo-data:/var/tempo
+    ports:
+      - "3200:3200" # tempo
+      - "4317" # otlp grpc
+      - "4318" # otlp http
+    networks:
+      - otel-network
+    restart: unless-stopped
+    depends_on:
+      - redpanda
+    healthcheck:
+      test: [ "CMD", "wget", "--spider", "-q", "http://localhost:3200/ready" ]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 15s
+
+  redpanda:
+    image: redpandadata/redpanda:latest # for tempo ingest
+    container_name: redpanda
+    ports:
+      - "9092:9092"
+    networks:
+      - otel-network
+    restart: unless-stopped
+    command: >
+      redpanda start --overprovisioned
+      --mode=dev-container
+      --kafka-addr=PLAINTEXT://0.0.0.0:9092
+      --advertise-kafka-addr=PLAINTEXT://redpanda:9092
+
+  jaeger:
+    image: jaegertracing/jaeger:latest
+    container_name: jaeger
+    environment:
+      - SPAN_STORAGE_TYPE=badger
+      - BADGER_EPHEMERAL=false
+      - BADGER_DIRECTORY_VALUE=/badger/data
+      - BADGER_DIRECTORY_KEY=/badger/key
+      - COLLECTOR_OTLP_ENABLED=true
+    volumes:
+      - ./jaeger.yaml:/etc/jaeger/config.yml
+      - jaeger-data:/badger
+    ports:
+      - "16686:16686" # Web UI
+      - "14269:14269" # Admin/Metrics
+      - "4317" # otlp grpc
+      - "4318" # otlp http
+    command: [ "--config", "/etc/jaeger/config.yml" ]
+    networks:
+      - otel-network
+    restart: unless-stopped
+    healthcheck:
+      test: [ "CMD", "wget", "--spider", "-q", "http://localhost:14269" ]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 15s
+
+  # --- Metrics ---
+
+  prometheus:
+    image: prom/prometheus:latest
+    container_name: prometheus
+    volumes:
+      - ./prometheus.yml:/etc/prometheus/prometheus.yml:ro
+      - prometheus-data:/prometheus
+    ports:
+      - "9090:9090"
+    command:
+      - "--config.file=/etc/prometheus/prometheus.yml"
+      - "--web.enable-otlp-receiver" # Enable OTLP
+      - "--web.enable-remote-write-receiver" # Enable remote write
+      - "--enable-feature=promql-experimental-functions" # Enable info()
+      - "--storage.tsdb.retention.time=30d"
+    restart: unless-stopped
+    networks:
+      - otel-network
+    healthcheck:
+      test: [ "CMD", "wget", "--spider", "-q", "http://localhost:9090/-/healthy" ]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+
+  # --- Logging ---
+
+  loki:
+    image: grafana/loki:latest
+    container_name: loki
+    volumes:
+      - ./loki.yaml:/etc/loki/loki.yaml:ro
+      - loki-data:/loki
+    ports:
+      - "3100:3100"
+    command: -config.file=/etc/loki/loki.yaml
+    networks:
+      - otel-network
+    restart: unless-stopped
+    healthcheck:
+      test: [ "CMD", "wget", "--spider", "-q", "http://localhost:3100/ready" ]
+      interval: 15s
+      timeout: 10s
+      retries: 5
+      start_period: 60s
+
+  # --- Collection ---
+
+  otel-collector:
+    image: otel/opentelemetry-collector-contrib:latest
+    volumes:
+      - ./otel-collector-config.yaml:/etc/otelcol-contrib/config.yaml:ro
+    ports:
+      - "1888:1888" # pprof
+      - "8888:8888" # Prometheus metrics for Collector
+      - "8889:8889" # Prometheus metrics for application indicators
+      - "13133:13133" # health check
+      - "4317:4317" # OTLP gRPC
+      - "4318:4318" # OTLP HTTP
+      - "55679:55679" # zpages
+    networks:
+      - otel-network
+    restart: unless-stopped
+    depends_on:
+      - tempo
+      - jaeger
+      - prometheus
+      - loki
+    healthcheck:
+      test: [ "CMD", "wget", "--spider", "-q", "http://localhost:13133" ]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+
+  # --- Profiles ---
+
+  pyroscope:
+    image: grafana/pyroscope:latest
+    container_name: pyroscope
+    ports:
+      - "4040:4040"
+    command:
+      - -self-profiling.disable-push=true
+    networks:
+      - otel-network
+    restart: unless-stopped
+
+  # --- Visualization ---
+
+  grafana:
+    image: grafana/grafana:latest
+    container_name: grafana
+    ports:
+      - "3000:3000"
+    environment:
+      - GF_SECURITY_ADMIN_PASSWORD=admin
+      - GF_SECURITY_ADMIN_USER=admin
+    volumes:
+      - ./grafana/provisioning:/etc/grafana/provisioning:ro
+      - ./grafana/dashboards:/etc/grafana/dashboards:ro
+      - grafana-data:/var/lib/grafana
+    networks:
+      - otel-network
+    restart: unless-stopped
+    depends_on:
+      - prometheus
+      - tempo
+      - loki
+    healthcheck:
+      test:
+        [ "CMD", "wget", "--spider", "-q", "http://localhost:3000/api/health" ]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+
+volumes:
+  rustfs-data:
+  tempo-data:
+  jaeger-data:
+  prometheus-data:
+  loki-data:
+  grafana-data:
+
+networks:
+  otel-network:
+    driver: bridge
+    name: "network_otel"
+    ipam:
+      config:
+        - subnet: 172.28.0.0/16
+    driver_opts:
+      com.docker.network.enable_ipv6: "true"

.docker/observability/docker-compose-tempo-ha-override.yml

@@ -0,0 +1,62 @@
+# Copyright 2024 RustFS Team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Docker Compose override file for High Availability Tempo setup
+#
+# Usage:
+# docker-compose -f docker-compose-example-for-rustfs.yml \
+#                -f docker-compose-tempo-ha-override.yml up
+
+services:
+  # Override Tempo to use high-availability configuration
+  tempo:
+    volumes:
+      - ./tempo-ha.yaml:/etc/tempo.yaml:ro
+      - tempo-data:/var/tempo
+    ports:
+      - "3200:3200"   # Tempo HTTP
+      - "4317:4317"   # OTLP gRPC
+      - "4318:4318"   # OTLP HTTP
+      - "7946:7946"   # Memberlist
+      - "14250:14250" # Jaeger gRPC
+      - "14268:14268" # Jaeger Thrift HTTP
+      - "9411:9411"   # Zipkin
+    environment:
+      - TEMPO_MEMBERLIST_BIND_PORT=7946
+    healthcheck:
+      test: [ "CMD", "wget", "--spider", "-q", "http://localhost:3200/ready" ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
+    depends_on:
+      - redpanda
+
+volumes:
+  tempo-data:
+    driver: local
+    driver_opts:
+      type: tmpfs
+      device: tmpfs
+      o: "size=4g"  # Allocate 4GB tmpfs for Tempo data (adjust based on your needs)
+
+# Network configuration remains the same
+# networks:
+#   otel-network:
+#     driver: bridge
+#     name: "network_otel"
+#     ipam:
+#       config:
+#         - subnet: 172.28.0.0/16
+

.docker/observability/docker-compose.yml

@@ -13,67 +13,187 @@
 # limitations under the License.
 
 services:
-  otel-collector:
-    image: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib:0.127.0
-    environment:
-      - TZ=Asia/Shanghai
+
+  # --- Tracing ---
+
+  tempo:
+    image: grafana/tempo:latest
+    container_name: tempo
+    command: [ "-config.file=/etc/tempo.yaml" ]
     volumes:
-      - ./otel-collector-config.yaml:/etc/otelcol-contrib/config.yaml
+      - ./tempo.yaml:/etc/tempo.yaml:ro
+      - tempo-data:/var/tempo
     ports:
-      - 1888:1888
-      - 8888:8888
-      - 8889:8889
-      - 13133:13133
-      - 4317:4317
-      - 4318:4318
-      - 55679:55679
+      - "3200:3200" # tempo
+      - "4317" # otlp grpc
+      - "4318" # otlp http
+      - "7946" # memberlist
     networks:
       - otel-network
+    restart: unless-stopped
+    healthcheck:
+      test: [ "CMD", "wget", "--spider", "-q", "http://localhost:3200/ready" ]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 15s
+
   jaeger:
-    image: jaegertracing/jaeger:2.7.0
+    image: jaegertracing/jaeger:latest
+    container_name: jaeger
     environment:
-      - TZ=Asia/Shanghai
+      - SPAN_STORAGE_TYPE=badger
+      - BADGER_EPHEMERAL=false
+      - BADGER_DIRECTORY_VALUE=/badger/data
+      - BADGER_DIRECTORY_KEY=/badger/key
+      - COLLECTOR_OTLP_ENABLED=true
+    volumes:
+      - ./jaeger.yaml:/etc/jaeger/config.yml
+      - jaeger-data:/badger
     ports:
-      - "16686:16686"
-      - "14317:4317"
-      - "14318:4318"
+      - "16686:16686" # Web UI
+      - "14269:14269" # Admin/Metrics
+      - "4317" # otlp grpc
+      - "4318" # otlp http
+    command: [ "--config", "/etc/jaeger/config.yml" ]
     networks:
       - otel-network
+    restart: unless-stopped
+    healthcheck:
+      test: [ "CMD", "wget", "--spider", "-q", "http://localhost:14269" ]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 15s
+
+  # --- Metrics ---
+
   prometheus:
-    image: prom/prometheus:v3.4.1
-    environment:
-      - TZ=Asia/Shanghai
+    image: prom/prometheus:latest
+    container_name: prometheus
     volumes:
-      - ./prometheus.yml:/etc/prometheus/prometheus.yml
+      - ./prometheus.yml:/etc/prometheus/prometheus.yml:ro
+      - prometheus-data:/prometheus
     ports:
       - "9090:9090"
+    command:
+      - "--config.file=/etc/prometheus/prometheus.yml"
+      - "--web.enable-otlp-receiver" # Enable OTLP
+      - "--web.enable-remote-write-receiver" # Enable remote write
+      - "--enable-feature=promql-experimental-functions" # Enable info()
+      - "--storage.tsdb.retention.time=30d"
+    restart: unless-stopped
     networks:
       - otel-network
+    healthcheck:
+      test: [ "CMD", "wget", "--spider", "-q", "http://localhost:9090/-/healthy" ]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+
+  # --- Logging ---
+
   loki:
-    image: grafana/loki:3.5.1
-    environment:
-      - TZ=Asia/Shanghai
+    image: grafana/loki:latest
+    container_name: loki
     volumes:
-      - ./loki-config.yaml:/etc/loki/local-config.yaml
+      - ./loki.yaml:/etc/loki/loki.yaml:ro
+      - loki-data:/loki
     ports:
       - "3100:3100"
-    command: -config.file=/etc/loki/local-config.yaml
+    command: -config.file=/etc/loki/loki.yaml
     networks:
       - otel-network
-  grafana:
-    image: grafana/grafana:12.0.2
+    restart: unless-stopped
+    healthcheck:
+      test: [ "CMD", "wget", "--spider", "-q", "http://localhost:3100/ready" ]
+      interval: 15s
+      timeout: 10s
+      retries: 5
+      start_period: 60s
+
+  # --- Collection ---
+
+  otel-collector:
+    image: otel/opentelemetry-collector-contrib:latest
+    volumes:
+      - ./otel-collector-config.yaml:/etc/otelcol-contrib/config.yaml:ro
     ports:
-      - "3000:3000"  # Web UI
+      - "1888:1888" # pprof
+      - "8888:8888" # Prometheus metrics for Collector
+      - "8889:8889" # Prometheus metrics for application indicators
+      - "13133:13133" # health check
+      - "4317:4317" # OTLP gRPC
+      - "4318:4318" # OTLP HTTP
+      - "55679:55679" # zpages
+    networks:
+      - otel-network
+    restart: unless-stopped
+    depends_on:
+      - tempo
+      - jaeger
+      - prometheus
+      - loki
+    healthcheck:
+      test: [ "CMD", "wget", "--spider", "-q", "http://localhost:13133" ]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+
+  # --- Profiles ---
+
+  pyroscope:
+    image: grafana/pyroscope:latest
+    container_name: pyroscope
+    ports:
+      - "4040:4040"
+    command:
+      - -self-profiling.disable-push=true
+    networks:
+      - otel-network
+    restart: unless-stopped
+
+  # --- Visualization ---
+
+  grafana:
+    image: grafana/grafana:latest
+    container_name: grafana
+    ports:
+      - "3000:3000"
     environment:
       - GF_SECURITY_ADMIN_PASSWORD=admin
-      - TZ=Asia/Shanghai
+      - GF_SECURITY_ADMIN_USER=admin
+    volumes:
+      - ./grafana/provisioning:/etc/grafana/provisioning:ro
+      - ./grafana/dashboards:/etc/grafana/dashboards:ro
+      - grafana-data:/var/lib/grafana
     networks:
       - otel-network
+    restart: unless-stopped
+    depends_on:
+      - prometheus
+      - tempo
+      - loki
+    healthcheck:
+      test:
+        [ "CMD", "wget", "--spider", "-q", "http://localhost:3000/api/health" ]
+      interval: 10s
+      timeout: 5s
+      retries: 3
 
+volumes:
+  tempo-data:
+  jaeger-data:
+  prometheus-data:
+  loki-data:
+  grafana-data:
 
 networks:
   otel-network:
     driver: bridge
-    name: "network_otel_config"
+    name: "network_otel"
+    ipam:
+      config:
+        - subnet: 172.28.0.0/16
     driver_opts:
-      com.docker.network.enable_ipv6: "true"    
+      com.docker.network.enable_ipv6: "true"

.docker/observability/grafana/provisioning/dashboards/dashboard.yml

@@ -12,8 +12,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-[source.crates-io]
-registry = "https://github.com/rust-lang/crates.io-index"
+apiVersion: 1
 
-[net]
-git-fetch-with-cli = true
+providers:
+  - name: "default"
+    orgId: 1
+    folder: ""
+    type: file
+    disableDeletion: false
+    updateIntervalSeconds: 10
+    options:
+      path: /etc/grafana/dashboards

.docker/observability/grafana/provisioning/datasources.yaml

@@ -0,0 +1,97 @@
+# Copyright 2024 RustFS Team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: 1
+
+datasources:
+  - name: Prometheus
+    type: prometheus
+    uid: prometheus
+    access: proxy
+    orgId: 1
+    url: http://prometheus:9090
+    isDefault: true
+    version: 1
+    editable: false
+    jsonData:
+      httpMethod: GET
+      exemplarTraceIdDestinations:
+        - name: trace_id
+          datasourceUid: tempo
+
+  - name: Tempo
+    type: tempo
+    uid: tempo
+    access: proxy
+    orgId: 1
+    url: http://tempo:3200
+    isDefault: false
+    version: 1
+    editable: false
+    jsonData:
+      httpMethod: GET
+      serviceMap:
+        datasourceUid: prometheus
+      tracesToLogs:
+        datasourceUid: loki
+        tags: [ 'job', 'instance', 'pod', 'namespace', 'service.name' ]
+        mappedTags: [ { key: 'service.name', value: 'app' } ]
+        spanStartTimeShift: '1s'
+        spanEndTimeShift: '-1s'
+        filterByTraceID: true
+        filterBySpanID: false
+      tracesToMetrics:
+        datasourceUid: prometheus
+        tags: [ { key: 'service.name' }, { key: 'job' } ]
+        queries:
+          - name: 'Service-Level Latency'
+            query: 'sum(rate(traces_spanmetrics_latency_bucket{$$__tags}[5m])) by (le)'
+          - name: 'Service-Level Calls'
+            query: 'sum(rate(traces_spanmetrics_calls_total{$$__tags}[5m]))'
+          - name: 'Service-Level Errors'
+            query: 'sum(rate(traces_spanmetrics_calls_total{status_code="ERROR", $$__tags}[5m]))'
+      nodeGraph:
+        enabled: true
+
+  - name: Loki
+    type: loki
+    uid: loki
+    orgId: 1
+    url: http://loki:3100
+    isDefault: false
+    version: 1
+    editable: false
+    jsonData:
+      derivedFields:
+        - datasourceUid: tempo
+          matcherRegex: 'trace_id=(\w+)'
+          name: 'TraceID'
+          url: '$${__value.raw}'
+
+  - name: Jaeger
+    type: jaeger
+    uid: jaeger
+    url: http://jaeger:16686
+    access: proxy
+    isDefault: false
+    editable: false
+    jsonData:
+      tracesToLogs:
+        datasourceUid: loki
+        tags: [ 'job', 'instance', 'pod', 'namespace', 'service.name' ]
+        mappedTags: [ { key: 'service.name', value: 'app' } ]
+        spanStartTimeShift: '1s'
+        spanEndTimeShift: '-1s'
+        filterByTraceID: true
+        filterBySpanID: false

.docker/observability/grafana/provisioning/datasources/datasources.yaml

@@ -0,0 +1,98 @@
+# Copyright 2024 RustFS Team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: 1
+
+datasources:
+  - name: Prometheus
+    type: prometheus
+    uid: prometheus
+    url: http://prometheus:9090
+    access: proxy
+    isDefault: true
+    editable: false
+    jsonData:
+      httpMethod: GET
+      exemplarTraceIdDestinations:
+        - name: trace_id
+          datasourceUid: tempo
+
+  - name: Tempo
+    type: tempo
+    uid: tempo
+    access: proxy
+    url: http://tempo:3200
+    isDefault: false
+    editable: false
+    jsonData:
+      httpMethod: GET
+      serviceMap:
+        datasourceUid: prometheus
+      tracesToLogs:
+        datasourceUid: loki
+        tags: [ 'job', 'instance', 'pod', 'namespace', 'service.name' ]
+        mappedTags: [ { key: 'service.name', value: 'app' } ]
+        spanStartTimeShift: '-1h'
+        spanEndTimeShift: '1h'
+        filterByTraceID: true
+        filterBySpanID: false
+      tracesToMetrics:
+        datasourceUid: prometheus
+        tags: [ { key: 'service.name' }, { key: 'job' } ]
+        queries:
+          - name: 'Service-Level Latency'
+            query: 'sum(rate(traces_spanmetrics_latency_bucket{$$__tags}[5m])) by (le)'
+          - name: 'Service-Level Calls'
+            query: 'sum(rate(traces_spanmetrics_calls_total{$$__tags}[5m]))'
+          - name: 'Service-Level Errors'
+            query: 'sum(rate(traces_spanmetrics_calls_total{status_code="ERROR", $$__tags}[5m]))'
+      nodeGraph:
+        enabled: true
+
+  - name: Loki
+    type: loki
+    uid: loki
+    url: http://loki:3100
+    basicAuth: false
+    isDefault: false
+    editable: false
+    jsonData:
+      derivedFields:
+        - datasourceUid: tempo
+          matcherRegex: 'trace_id=(\w+)'
+          name: 'TraceID'
+          url: '$${__value.raw}'
+
+  - name: Jaeger
+    type: jaeger
+    uid: jaeger
+    url: http://jaeger:16686
+    access: proxy
+    isDefault: false
+    editable: false
+    jsonData:
+      tracesToLogs:
+        datasourceUid: loki
+        tags: [ 'job', 'instance', 'pod', 'namespace', 'service.name' ]
+        mappedTags: [ { key: 'service.name', value: 'app' } ]
+        spanStartTimeShift: '1s'
+        spanEndTimeShift: '-1s'
+        filterByTraceID: true
+        filterBySpanID: false
+
+  - name: Pyroscope
+    type: grafana-pyroscope-datasource
+    url: http://pyroscope:4040
+    jsonData:
+      minStep: '15s'

.docker/observability/jaeger-config.yaml

@@ -1,112 +0,0 @@
-# Copyright 2024 RustFS Team
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-service:
-  extensions: [ jaeger_storage, jaeger_query, remote_sampling, healthcheckv2 ]
-  pipelines:
-    traces:
-      receivers: [ otlp, jaeger, zipkin ]
-      processors: [ batch, adaptive_sampling ]
-      exporters: [ jaeger_storage_exporter ]
-  telemetry:
-    resource:
-      service.name: jaeger
-    metrics:
-      level: detailed
-      readers:
-        - pull:
-            exporter:
-              prometheus:
-                host: 0.0.0.0
-                port: 8888
-    logs:
-      level: debug
-    # TODO Initialize telemetry tracer once OTEL released new feature.
-    # https://github.com/open-telemetry/opentelemetry-collector/issues/10663
-
-extensions:
-  healthcheckv2:
-    use_v2: true
-    http:
-
-  # pprof:
-  #   endpoint: 0.0.0.0:1777
-  # zpages:
-  #   endpoint: 0.0.0.0:55679
-
-  jaeger_query:
-    storage:
-      traces: some_store
-      traces_archive: another_store
-    ui:
-      config_file: ./cmd/jaeger/config-ui.json
-      log_access: true
-    # The maximum duration that is considered for clock skew adjustments.
-    # Defaults to 0 seconds, which means it's disabled.
-    max_clock_skew_adjust: 0s
-    grpc:
-      endpoint: 0.0.0.0:16685
-    http:
-      endpoint: 0.0.0.0:16686
-
-  jaeger_storage:
-    backends:
-      some_store:
-        memory:
-          max_traces: 1000000
-      another_store:
-        memory:
-          max_traces: 1000000
-    metric_backends:
-      some_metrics_storage:
-        prometheus:
-          endpoint: http://prometheus:9090
-          normalize_calls: true
-          normalize_duration: true
-
-  remote_sampling:
-    # You can either use file or adaptive sampling strategy in remote_sampling
-    # file:
-    #   path: ./cmd/jaeger/sampling-strategies.json
-    adaptive:
-      sampling_store: some_store
-      initial_sampling_probability: 0.1
-    http:
-    grpc:
-
-receivers:
-  otlp:
-    protocols:
-      grpc:
-      http:
-
-  jaeger:
-    protocols:
-      grpc:
-      thrift_binary:
-      thrift_compact:
-      thrift_http:
-
-  zipkin:
-
-processors:
-  batch:
-  # Adaptive Sampling Processor is required to support adaptive sampling.
-  # It expects remote_sampling extension with `adaptive:` config to be enabled.
-  adaptive_sampling:
-
-exporters:
-  jaeger_storage_exporter:
-    trace_storage: some_store
-

.docker/observability/jaeger.yaml

@@ -0,0 +1,74 @@
+# Copyright 2024 RustFS Team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+service:
+  extensions: [jaeger_storage, jaeger_query]
+  pipelines:
+    traces:
+      receivers: [otlp]
+      processors: [batch]
+      exporters: [jaeger_storage_exporter, spanmetrics]
+    metrics/spanmetrics:
+      receivers: [spanmetrics]
+      exporters: [prometheus]
+  telemetry:
+    resource:
+      service.name: jaeger
+    metrics:
+      level: detailed
+      readers:
+        - pull:
+            exporter:
+              prometheus:
+                host: 0.0.0.0
+                port: 8888
+    logs:
+      level: DEBUG
+
+extensions:
+  jaeger_query:
+    storage:
+      traces: some_storage
+      metrics: some_metrics_storage
+  jaeger_storage:
+    backends:
+      some_storage:
+        memory:
+          max_traces: 100000
+    metric_backends:
+      some_metrics_storage:
+        prometheus:
+          endpoint: http://prometheus:9090
+          normalize_calls: true
+          normalize_duration: true
+
+connectors:
+  spanmetrics:
+
+receivers:
+  otlp:
+    protocols:
+      grpc:
+        endpoint: "0.0.0.0:4317"
+      http:
+        endpoint: "0.0.0.0:4318"
+
+processors:
+  batch:
+
+exporters:
+  jaeger_storage_exporter:
+    trace_storage: some_storage
+  prometheus:
+    endpoint: "0.0.0.0:8889"

.docker/observability/loki.yaml

@@ -11,22 +11,21 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
 auth_enabled: false
 
 server:
   http_listen_port: 3100
-  grpc_listen_port: 9096
-  log_level: debug
+  grpc_listen_port: 9095
+  log_level: info
   grpc_server_max_concurrent_streams: 1000
 
 common:
   instance_addr: 127.0.0.1
-  path_prefix: /tmp/loki
+  path_prefix: /loki
   storage:
     filesystem:
-      chunks_directory: /tmp/loki/chunks
-      rules_directory: /tmp/loki/rules
+      chunks_directory: /loki/chunks
+      rules_directory: /loki/rules
   replication_factor: 1
   ring:
     kvstore:
@@ -39,9 +38,6 @@ query_range:
         enabled: true
         max_size_mb: 100
 
-limits_config:
-  metric_aggregation_enabled: true
-
 schema_config:
   configs:
     - from: 2020-10-24
@@ -52,26 +48,16 @@ schema_config:
         prefix: index_
         period: 24h
 
+limits_config:
+  reject_old_samples: true
+  reject_old_samples_max_age: 168h
+  allow_structured_metadata: true
+  max_line_size: 256KB
+
 pattern_ingester:
   enabled: true
   metric_aggregation:
     loki_address: localhost:3100
 
-ruler:
-  alertmanager_url: http://localhost:9093
-
 frontend:
   encoding: protobuf
-
-# By default, Loki will send anonymous, but uniquely-identifiable usage and configuration
-# analytics to Grafana Labs. These statistics are sent to https://stats.grafana.org/
-#
-# Statistics help us better understand how Loki is used, and they show us performance
-# levels for most users. This helps us prioritize features and documentation.
-# For more information on what's sent, look at
-# https://github.com/grafana/loki/blob/main/pkg/analytics/stats.go
-# Refer to the buildReport method to see what goes into a report.
-#
-# If you would like to disable reporting, uncomment the following lines:
-#analytics:
-#  reporting_enabled: false

.docker/observability/otel-collector-config.yaml

@@ -15,57 +15,102 @@
 receivers:
   otlp:
     protocols:
-      grpc: # OTLP gRPC 接收器
+      grpc:
         endpoint: 0.0.0.0:4317
-      http: # OTLP HTTP 接收器
+      http:
         endpoint: 0.0.0.0:4318
 
 processors:
-  batch: # 批处理处理器，提升吞吐量
-    timeout: 5s
-    send_batch_size: 1000
+  batch:
+    timeout: 1s
+    send_batch_size: 1024
   memory_limiter:
     check_interval: 1s
-    limit_mib: 512
+    limit_mib: 1024
+    spike_limit_mib: 256
+  transform/logs:
+    log_statements:
+      - context: log
+        statements:
+          - set(attributes["message"], body.string)
+          - set(attributes["log.body"], body.string)
 
 exporters:
-  otlp/traces: # OTLP 导出器，用于跟踪数据
-    endpoint: "jaeger:4317"  # Jaeger 的 OTLP gRPC 端点
-    tls:
-      insecure: true  # 开发环境禁用 TLS，生产环境需配置证书
-  prometheus: # Prometheus 导出器，用于指标数据
-    endpoint: "0.0.0.0:8889"  # Prometheus 刮取端点
-    namespace: "rustfs"  # 指标前缀
-    send_timestamps: true  # 发送时间戳
-    # enable_open_metrics: true
-  loki: # Loki 导出器，用于日志数据
-    # endpoint: "http://loki:3100/otlp/v1/logs"
-    endpoint: "http://loki:3100/loki/api/v1/push"
+  otlp/tempo:
+    endpoint: "tempo:4317"
     tls:
       insecure: true
+    compression: gzip
+    retry_on_failure:
+      enabled: true
+      initial_interval: 1s
+      max_interval: 30s
+      max_elapsed_time: 300s
+    sending_queue:
+      enabled: true
+      num_consumers: 10
+      queue_size: 5000
+
+  otlp/jaeger:
+    endpoint: "jaeger:4317"
+    tls:
+      insecure: true
+    compression: gzip
+    retry_on_failure:
+      enabled: true
+      initial_interval: 1s
+      max_interval: 30s
+      max_elapsed_time: 300s
+    sending_queue:
+      enabled: true
+      num_consumers: 10
+      queue_size: 5000
+
+  prometheus:
+    endpoint: "0.0.0.0:8889"
+    send_timestamps: true
+    metric_expiration: 5m
+    resource_to_telemetry_conversion:
+      enabled: true
+
+  otlphttp/loki:
+    endpoint: "http://loki:3100/otlp"
+    tls:
+      insecure: true
+    compression: gzip
+
 extensions:
   health_check:
+    endpoint: 0.0.0.0:13133
   pprof:
+    endpoint: 0.0.0.0:1888
   zpages:
+    endpoint: 0.0.0.0:55679
+
 service:
-  extensions: [ health_check, pprof, zpages ]  # 启用扩展
+  extensions: [ health_check, pprof, zpages ]
   pipelines:
     traces:
       receivers: [ otlp ]
-      processors: [ memory_limiter,batch ]
-      exporters: [ otlp/traces ]
+      processors: [ memory_limiter, batch ]
+      exporters: [ otlp/tempo, otlp/jaeger ]
     metrics:
       receivers: [ otlp ]
       processors: [ batch ]
       exporters: [ prometheus ]
     logs:
       receivers: [ otlp ]
-      processors: [ batch ]
-      exporters: [ loki ]
+      processors: [ batch, transform/logs ]
+      exporters: [ otlphttp/loki ]
   telemetry:
     logs:
-      level: "info"  # Collector 日志级别
+      level: "info"
+      encoding: "json"
     metrics:
-      address: "0.0.0.0:8888"  # Collector 自身指标暴露
-
-
+      level: "normal"
+      readers:
+        - pull:
+            exporter:
+              prometheus:
+                host: '0.0.0.0'
+                port: 8888

.docker/observability/prometheus.yml

@@ -13,13 +13,64 @@
 # limitations under the License.
 
 global:
-  scrape_interval: 5s  # 刮取间隔
+  scrape_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
+  evaluation_interval: 15s
+  external_labels:
+    cluster: 'rustfs-dev'  # Label to identify the cluster
+    replica: '1'  # Replica identifier
 
 scrape_configs:
   - job_name: 'otel-collector'
     static_configs:
-      - targets: ['otel-collector:8888']  # 从 Collector 刮取指标
-  - job_name: 'otel-metrics'
+      - targets: [ 'otel-collector:8888' ]  # Scrape metrics from Collector
+    scrape_interval: 10s
+
+  - job_name: 'rustfs-app-metrics'
     static_configs:
-      - targets: ['otel-collector:8889']  # 应用指标
-      
+      - targets: [ 'otel-collector:8889' ]  # Application indicators
+    scrape_interval: 15s
+    metric_relabel_configs:
+      - source_labels: [ __name__ ]
+        regex: 'go_.*'
+        action: drop  # Drop Go runtime metrics if not needed
+
+  - job_name: 'tempo'
+    static_configs:
+      - targets: [ 'tempo:3200' ]  # Scrape metrics from Tempo
+
+  - job_name: 'jaeger'
+    static_configs:
+      - targets: [ 'jaeger:14269' ]  # Jaeger admin port (14269 is standard for admin/metrics)
+
+  - job_name: 'loki'
+    static_configs:
+      - targets: [ 'loki:3100' ]
+
+  - job_name: 'prometheus'
+    static_configs:
+      - targets: [ 'localhost:9090' ]
+
+otlp:
+  promote_resource_attributes:
+    - service.instance.id
+    - service.name
+    - service.namespace
+    - cloud.availability_zone
+    - cloud.region
+    - container.name
+    - deployment.environment.name
+    - k8s.cluster.name
+    - k8s.container.name
+    - k8s.cronjob.name
+    - k8s.daemonset.name
+    - k8s.deployment.name
+    - k8s.job.name
+    - k8s.namespace.name
+    - k8s.pod.name
+    - k8s.replicaset.name
+    - k8s.statefulset.name
+  translation_strategy: NoUTF8EscapingWithSuffixes
+
+storage:
+  tsdb:
+    out_of_order_time_window: 30m

.docker/observability/tempo-ha.yaml

@@ -0,0 +1,286 @@
+# Copyright 2024 RustFS Team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# High Availability Tempo Configuration for docker-compose-example-for-rustfs.yml
+# Features:
+# - Distributed architecture with multiple components
+# - Kafka-based ingestion for fault tolerance
+# - Replication factor of 3 for data resilience
+# - Query frontend for load balancing
+# - Metrics generation from traces
+# - WAL for durability
+
+partition_ring_live_store: true
+stream_over_http_enabled: true
+
+server:
+  http_listen_port: 3200
+  http_server_read_timeout: 30s
+  http_server_write_timeout: 30s
+  grpc_server_max_recv_msg_size: 4194304  # 4MB
+  grpc_server_max_send_msg_size: 4194304
+  log_level: info
+  log_format: json
+
+# Memberlist configuration for distributed mode
+memberlist:
+  node_name: tempo
+  bind_port: 7946
+  join_members:
+    - tempo:7946
+  retransmit_factor: 4
+  node_timeout: 15s
+  retransmit_interval: 300ms
+  dead_node_reclaim_time: 30s
+
+# Distributor configuration - receives traces and routes to ingesters
+distributor:
+  ingester_write_path_enabled: true
+  kafka_write_path_enabled: true
+  rate_limit_bytes: 10MB
+  rate_limit_enabled: true
+  receivers:
+    otlp:
+      protocols:
+        grpc:
+          endpoint: "0.0.0.0:4317"
+          max_concurrent_streams: 0
+          max_receive_message_size: 4194304
+        http:
+          endpoint: "0.0.0.0:4318"
+          cors:
+            allowed_origins:
+              - "*"
+            max_age: 86400
+    jaeger:
+      protocols:
+        grpc:
+          endpoint: "0.0.0.0:14250"
+        thrift_http:
+          endpoint: "0.0.0.0:14268"
+    zipkin:
+      endpoint: "0.0.0.0:9411"
+  ring:
+    kvstore:
+      store: memberlist
+    heartbeat_timeout: 5s
+    replication_factor: 3
+    heartbeat_interval: 5s
+
+# Ingester configuration - stores traces and querying
+ingester:
+  lifecycler:
+    address: tempo
+    ring:
+      kvstore:
+        store: memberlist
+      replication_factor: 3
+      max_cache_freshness_per_sec: 10s
+      heartbeat_interval: 5s
+      heartbeat_timeout: 5s
+    num_tokens: 128
+    tokens_file_path: /var/tempo/tokens.json
+    claim_on_rollout: true
+  trace_idle_period: 20s
+  max_block_bytes: 10_000_000
+  max_block_duration: 10m
+  chunk_size_bytes: 1_000_000
+  chunk_encoding: snappy
+  wal:
+    checkpoint_duration: 5s
+    max_wal_blocks: 4
+  metrics:
+    enabled: true
+    level: block
+    target_info_duration: 15m
+
+# WAL configuration for data durability
+wal:
+  checkpoint_duration: 5s
+  flush_on_shutdown: true
+  path: /var/tempo/wal
+
+# Kafka ingestion configuration - for high throughput scenarios
+ingest:
+  enabled: true
+  kafka:
+    brokers: [ redpanda:9092 ]
+    topic: tempo-ingest
+    encoding: protobuf
+    consumer_group: tempo-ingest-consumer
+    session_timeout: 10s
+    rebalance_timeout: 1m
+    partition: auto
+    verbosity: 2
+
+# Query frontend configuration - distributed querying
+query_frontend:
+  compression: gzip
+  downstream_url: http://localhost:3200
+  log_queries_longer_than: 5s
+  cache_uncompressed_bytes: 100MB
+  max_outstanding_requests_per_tenant: 100
+  max_query_length: 48h
+  max_query_lookback: 30d
+  default_result_cache_ttl: 1m
+  result_cache:
+    cache:
+      enable_fifocache: true
+      default_validity: 1m
+  rf1_after: "1999-01-01T00:00:00Z"
+  mcp_server:
+    enabled: true
+
+# Querier configuration - queries traces
+querier:
+  frontend_worker:
+    frontend_address: localhost:3200
+    grpc_client_config:
+      max_recv_msg_size: 104857600
+  max_concurrent_queries: 20
+  max_metric_bytes_per_trace: 1MB
+
+# Query scheduler configuration - for distributed querying
+query_scheduler:
+  use_scheduler_ring: false
+
+# Metrics generator configuration - generates metrics from traces
+metrics_generator:
+  enabled: true
+  registry:
+    enabled: true
+    external_labels:
+      source: tempo
+      cluster: rustfs-docker-ha
+      environment: production
+  storage:
+    path: /var/tempo/generator/wal
+    remote_write:
+      - url: http://prometheus:9090/api/v1/write
+        send_exemplars: true
+        resource_to_telemetry_conversion:
+          enabled: true
+  processor:
+    batch:
+      timeout: 10s
+      send_batch_size: 1024
+    memory_limiter:
+      check_interval: 5s
+      limit_mib: 512
+      spike_limit_mib: 128
+  processors:
+    - span-metrics
+    - local-blocks
+    - service-graphs
+  generate_native_histograms: both
+
+# Backend worker configuration
+backend_worker:
+  backend_scheduler_addr: localhost:3200
+  compaction:
+    block_retention: 24h
+    compacted_block_retention: 1h
+  ring:
+    kvstore:
+      store: memberlist
+
+# Backend scheduler configuration
+backend_scheduler:
+  enabled: true
+  provider:
+    compaction:
+      compaction:
+        block_retention: 24h
+        compacted_block_retention: 1h
+        concurrency: 25
+        v2_out_path: /var/tempo/blocks/compaction
+
+# Storage configuration - local backend with proper retention
+storage:
+  trace:
+    backend: local
+    wal:
+      path: /var/tempo/wal
+      checkpoint_duration: 5s
+      flush_on_shutdown: true
+    local:
+      path: /var/tempo/blocks
+      bloom_filter_false_positive: 0.05
+      bloom_shift: 4
+      index:
+        downsample_bytes: 1000000
+        page_size_bytes: 0
+        cache_size_bytes: 0
+    pool:
+      max_workers: 400
+      queue_depth: 10000
+
+# Compactor configuration - manages block compaction
+compactor:
+  compaction:
+    block_retention: 168h  # 7 days
+    compacted_block_retention: 1h
+    concurrency: 25
+    v2_out_path: /var/tempo/blocks/compaction
+    shard_count: 32
+    max_block_bytes: 107374182400  # 100GB
+    max_compaction_objects: 6000000
+    max_time_per_tenant: 5m
+    block_size_bytes: 107374182400
+  ring:
+    kvstore:
+      store: memberlist
+    heartbeat_interval: 5s
+    heartbeat_timeout: 5s
+
+# Limits configuration - rate limiting and quotas
+limits:
+  max_traces_per_user: 10000
+  max_bytes_per_trace: 10485760  # 10MB
+  max_search_bytes_per_trace: 0
+  forgiving_oversize_traces: true
+  rate_limit_bytes: 10MB
+  rate_limit_enabled: true
+  ingestion_burst_size_bytes: 20MB
+  ingestion_rate_limit_bytes: 10MB
+  max_bytes_per_second: 10485760
+  metrics_generator_max_active_series: 10000
+  metrics_generator_max_churned_series: 10000
+  metrics_generator_forta_out_of_order_ttl: 5m
+
+# Override configuration
+overrides:
+  defaults:
+    metrics_generator:
+      processors:
+        - span-metrics
+        - local-blocks
+        - service-graphs
+      generate_native_histograms: both
+      max_active_series: 10000
+      max_churned_series: 10000
+
+# Usage reporting configuration
+usage_report:
+  reporting_enabled: false
+
+# Tracing configuration for debugging
+tracing:
+  enabled: true
+  jaeger:
+    sampler:
+      name: probabilistic
+      param: 0.1
+    reporter_log_spans: false
+

.docker/observability/tempo.yaml

@@ -0,0 +1,124 @@
+# Copyright 2024 RustFS Team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+partition_ring_live_store: true
+stream_over_http_enabled: true
+
+server:
+  http_listen_port: 3200
+  log_level: info
+
+memberlist:
+  node_name: tempo
+  bind_port: 7946
+  join_members:
+    - tempo:7946
+
+# Distributor configuration - receives traces and writes directly to ingesters
+distributor:
+  ingester_write_path_enabled: true
+  kafka_write_path_enabled: false
+  receivers:
+    otlp:
+      protocols:
+        grpc:
+          endpoint: "tempo:4317"
+        http:
+          endpoint: "tempo:4318"
+  ring:
+    kvstore:
+      store: memberlist
+
+# Ingester configuration - consumes from Kafka and stores traces
+ingester:
+  lifecycler:
+    ring:
+      kvstore:
+        store: memberlist
+      replication_factor: 1
+    tokens_file_path: /var/tempo/tokens.json
+  trace_idle_period: 10s
+  max_block_bytes: 1_000_000
+  max_block_duration: 5m
+
+backend_scheduler:
+  provider:
+    compaction:
+      compaction:
+        block_retention: 1h
+
+backend_worker:
+  backend_scheduler_addr: localhost:3200
+  compaction:
+    block_retention: 1h
+  ring:
+    kvstore:
+      store: memberlist
+
+querier:
+  frontend_worker:
+    frontend_address: tempo:3200
+
+metrics_generator:
+  registry:
+    external_labels:
+      source: tempo
+      cluster: docker-compose
+  storage:
+    path: /var/tempo/generator/wal
+    remote_write:
+      - url: http://prometheus:9090/api/v1/write
+        send_exemplars: true
+
+query_frontend:
+  rf1_after: "1999-01-01T00:00:00Z"
+  mcp_server:
+    enabled: true
+
+storage:
+  trace:
+    backend: local
+    wal:
+      path: /var/tempo/wal
+    local:
+      path: /var/tempo/blocks
+
+overrides:
+  defaults:
+    metrics_generator:
+      processors: [ "span-metrics", "service-graphs", "local-blocks" ]
+      generate_native_histograms: both
+
+ingest:
+  enabled: false
+  # Disabled because using direct ingester write path
+  # If you want Kafka path, enable this and set:
+  # kafka:
+  #   brokers: [redpanda:9092]
+  #   topic: tempo-ingest
+  #   encoding: protobuf
+  #   consumer_group: tempo-ingest-consumer
+
+block_builder:
+  consume_cycle_duration: 30s
+
+compactor:
+  compaction:
+    block_retention: 168h  # 7 days
+  ring:
+    kvstore:
+      store: memberlist
+
+usage_report:
+  reporting_enabled: false

.docker/openobserve-otel/README.md

@@ -5,71 +5,57 @@
 
 English | [中文](README_ZH.md)
 
-This directory contains the configuration files for setting up an observability stack with OpenObserve and OpenTelemetry
-Collector.
+This directory contains the configuration for an **alternative** observability stack using OpenObserve.
 
-### Overview
+## ⚠️ Note
 
-This setup provides a complete observability solution for your applications:
+For the **recommended** observability stack (Prometheus, Grafana, Tempo, Loki), please see `../observability/`.
 
-- **OpenObserve**: A modern, open-source observability platform for logs, metrics, and traces.
-- **OpenTelemetry Collector**: Collects and processes telemetry data before sending it to OpenObserve.
+## 🌟 Overview
 
-### Setup Instructions
+OpenObserve is a lightweight, all-in-one observability platform that handles logs, metrics, and traces in a single binary. This setup is ideal for:
+- Resource-constrained environments.
+- Quick setup and testing.
+- Users who prefer a unified UI.
 
-1. **Prerequisites**:
-    - Docker and Docker Compose installed
-    - Sufficient memory resources (minimum 2GB recommended)
+## 🚀 Quick Start
 
-2. **Starting the Services**:
-   ```bash
-   cd .docker/openobserve-otel
-   docker compose -f docker-compose.yml  up -d
-   ```
-
-3. **Accessing the Dashboard**:
-    - OpenObserve UI: http://localhost:5080
-    - Default credentials:
-        - Username: root@rustfs.com
-        - Password: rustfs123
-
-### Configuration
-
-#### OpenObserve Configuration
-
-The OpenObserve service is configured with:
-
-- Root user credentials
-- Data persistence through a volume mount
-- Memory cache enabled
-- Health checks
-- Exposed ports:
-    - 5080: HTTP API and UI
-    - 5081: OTLP gRPC
-
-#### OpenTelemetry Collector Configuration
-
-The collector is configured to:
-
-- Receive telemetry data via OTLP (HTTP and gRPC)
-- Collect logs from files
-- Process data in batches
-- Export data to OpenObserve
-- Manage memory usage
-
-### Integration with Your Application
-
-To send telemetry data from your application, configure your OpenTelemetry SDK to send data to:
-
-- OTLP gRPC: `localhost:4317`
-- OTLP HTTP: `localhost:4318`
-
-For example, in a Rust application using the `rustfs-obs` library:
+### 1. Start Services
 
 ```bash
-export RUSTFS_OBS_ENDPOINT=http://localhost:4317
-export RUSTFS_OBS_SERVICE_NAME=yourservice
-export RUSTFS_OBS_SERVICE_VERSION=1.0.0
-export RUSTFS_OBS_ENVIRONMENT=development
+cd .docker/openobserve-otel
+docker compose up -d
 ```
 
+### 2. Access Dashboard
+
+- **URL**: [http://localhost:5080](http://localhost:5080)
+- **Username**: `root@rustfs.com`
+- **Password**: `rustfs123`
+
+## 🛠️ Configuration
+
+### OpenObserve
+
+- **Persistence**: Data is persisted to a Docker volume.
+- **Ports**:
+    - `5080`: HTTP API and UI
+    - `5081`: OTLP gRPC
+
+### OpenTelemetry Collector
+
+- **Receivers**: OTLP (gRPC `4317`, HTTP `4318`)
+- **Exporters**: Sends data to OpenObserve.
+
+## 🔗 Integration
+
+Configure your application to send OTLP data to the collector:
+
+- **Endpoint**: `http://localhost:4318` (HTTP) or `localhost:4317` (gRPC)
+
+Example for RustFS:
+
+```bash
+export RUSTFS_OBS_ENDPOINT=http://localhost:4318
+export RUSTFS_OBS_SERVICE_NAME=rustfs-node-1
+```

.docker/openobserve-otel/README_ZH.md

@@ -5,71 +5,57 @@
 
 [English](README.md) | 中文
 
-## 中文
+本目录包含使用 OpenObserve 的**替代**可观测性技术栈配置。
 
-本目录包含搭建 OpenObserve 和 OpenTelemetry Collector 可观测性栈的配置文件。
+## ⚠️ 注意
 
-### 概述
+对于**推荐**的可观测性技术栈（Prometheus, Grafana, Tempo, Loki），请参阅 `../observability/`。
 
-此设置为应用程序提供了完整的可观测性解决方案：
+## 🌟 概览
 
-- **OpenObserve**：现代化、开源的可观测性平台，用于日志、指标和追踪。
-- **OpenTelemetry Collector**：收集和处理遥测数据，然后将其发送到 OpenObserve。
+OpenObserve 是一个轻量级、一体化的可观测性平台，在一个二进制文件中处理日志、指标和追踪。此设置非常适合：
+- 资源受限的环境。
+- 快速设置和测试。
+- 喜欢统一 UI 的用户。
 
-### 设置说明
+## 🚀 快速开始
 
-1. **前提条件**：
-    - 已安装 Docker 和 Docker Compose
-    - 足够的内存资源（建议至少 2GB）
-
-2. **启动服务**：
-   ```bash
-   cd .docker/openobserve-otel
-   docker compose -f docker-compose.yml  up -d
-   ```
-
-3. **访问仪表板**：
-    - OpenObserve UI：http://localhost:5080
-    - 默认凭据：
-        - 用户名：root@rustfs.com
-        - 密码：rustfs123
-
-### 配置
-
-#### OpenObserve 配置
-
-OpenObserve 服务配置：
-
-- 根用户凭据
-- 通过卷挂载实现数据持久化
-- 启用内存缓存
-- 健康检查
-- 暴露端口：
-    - 5080：HTTP API 和 UI
-    - 5081：OTLP gRPC
-
-#### OpenTelemetry Collector 配置
-
-收集器配置为：
-
-- 通过 OTLP（HTTP 和 gRPC）接收遥测数据
-- 从文件中收集日志
-- 批处理数据
-- 将数据导出到 OpenObserve
-- 管理内存使用
-
-### 与应用程序集成
-
-要从应用程序发送遥测数据，将 OpenTelemetry SDK 配置为发送数据到：
-
-- OTLP gRPC:`localhost:4317`
-- OTLP HTTP:`localhost:4318`
-
-例如，在使用 `rustfs-obs` 库的 Rust 应用程序中：
+### 1. 启动服务
 
 ```bash
-export RUSTFS_OBS_ENDPOINT=http://localhost:4317
-export RUSTFS_OBS_SERVICE_NAME=yourservice
-export RUSTFS_OBS_SERVICE_VERSION=1.0.0
-export RUSTFS_OBS_ENVIRONMENT=development
-```
+cd .docker/openobserve-otel
+docker compose up -d
+```
+
+### 2. 访问仪表盘
+
+- **URL**: [http://localhost:5080](http://localhost:5080)
+- **用户名**: `root@rustfs.com`
+- **密码**: `rustfs123`
+
+## 🛠️ 配置
+
+### OpenObserve
+
+- **持久化**: 数据持久化到 Docker 卷。
+- **端口**:
+    - `5080`: HTTP API 和 UI
+    - `5081`: OTLP gRPC
+
+### OpenTelemetry Collector
+
+- **接收器**: OTLP (gRPC `4317`, HTTP `4318`)
+- **导出器**: 将数据发送到 OpenObserve。
+
+## 🔗 集成
+
+配置您的应用程序将 OTLP 数据发送到收集器：
+
+- **端点**: `http://localhost:4318` (HTTP) 或 `localhost:4317` (gRPC)
+
+RustFS 示例：
+
+```bash
+export RUSTFS_OBS_ENDPOINT=http://localhost:4318
+export RUSTFS_OBS_SERVICE_NAME=rustfs-node-1
+```

.dockerignore

@@ -0,0 +1 @@
+target

.envrc

@@ -0,0 +1 @@
+use flake

.github/AGENTS.md

@@ -0,0 +1,30 @@
+# GitHub Workflow Instructions
+
+Applies to `.github/` and repository pull-request operations.
+
+## Pull Requests
+
+- PR titles and descriptions must be in English.
+- Use `.github/pull_request_template.md` for every PR body.
+- Keep all template section headings.
+- Use `N/A` for non-applicable sections.
+- Include verification commands in the PR details.
+- For `gh pr create` and `gh pr edit`, always write markdown body to a file and pass `--body-file`.
+- Do not use multiline inline `--body`; backticks and shell expansion can corrupt content or trigger unintended commands.
+- Recommended pattern:
+  - `cat > /tmp/pr_body.md <<'EOF'`
+  - `...markdown...`
+  - `EOF`
+  - `gh pr create ... --body-file /tmp/pr_body.md`
+
+## CI Alignment
+
+When changing CI-sensitive behavior, keep local validation aligned with `.github/workflows/ci.yml`.
+
+Current `test-and-lint` gate includes:
+
+- `cargo nextest run --all --exclude e2e_test`
+- `cargo test --all --doc`
+- `cargo fmt --all --check`
+- `cargo clippy --all-targets --all-features -- -D warnings`
+- `./scripts/check_layer_dependencies.sh`

.github/actions/setup/action.yml

@@ -52,24 +52,19 @@ runs:
         sudo apt-get install -y \
           musl-tools \
           build-essential \
-          lld \
-          libdbus-1-dev \
-          libwayland-dev \
-          libwebkit2gtk-4.1-dev \
-          libxdo-dev \
           pkg-config \
           libssl-dev
 
     - name: Install protoc
       uses: arduino/setup-protoc@v3
       with:
-        version: "31.1"
+        version: "33.1"
         repo-token: ${{ inputs.github-token }}
 
     - name: Install flatc
       uses: Nugine/setup-flatc@v1
       with:
-        version: "25.2.10"
+        version: "25.9.23"
 
     - name: Install Rust toolchain
       uses: dtolnay/rust-toolchain@stable

.github/copilot-instructions.md

@@ -0,0 +1 @@
+../AGENTS.md

.github/dependabot.yml

@@ -22,8 +22,23 @@ updates:
   - package-ecosystem: "cargo" # See documentation for possible values
     directory: "/" # Location of package manifests
     schedule:
-      interval: "monthly"
+      interval: "weekly"
+      day: "monday"
+      timezone: "Asia/Shanghai"
+      time: "08:00"
+    ignore:
+      - dependency-name: "object_store"
+        versions: [ "0.13.x" ]
+      - dependency-name: "libunftp"
+        versions: [ "0.23.x" ]
     groups:
+      s3s:
+        update-types:
+          - "minor"
+          - "patch"
+        patterns:
+          - "s3s"
+          - "s3s-*"
       dependencies:
         patterns:
-          - "*"
+          - "*"

.github/pull_request_template.md

@@ -19,9 +19,7 @@ Pull Request Template for RustFS
 
 ## Checklist
 - [ ] I have read and followed the [CONTRIBUTING.md](CONTRIBUTING.md) guidelines
-- [ ] Code is formatted with `cargo fmt --all`
-- [ ] Passed `cargo clippy --all-targets --all-features -- -D warnings`
-- [ ] Passed `cargo check --all-targets`
+- [ ] Passed `make pre-commit`
 - [ ] Added/updated necessary tests
 - [ ] Documentation updated (if needed)
 - [ ] CI/CD passed (if applicable)

.github/s3tests/README.md

@@ -0,0 +1,103 @@
+# S3 Compatibility Tests Configuration
+
+This directory contains the configuration for running [Ceph S3 compatibility tests](https://github.com/ceph/s3-tests) against RustFS.
+
+## Configuration File
+
+The `s3tests.conf` file is based on the official `s3tests.conf.SAMPLE` from the ceph/s3-tests repository. It uses environment variable substitution via `envsubst` to configure the endpoint and credentials.
+
+### Key Configuration Points
+
+- **Host**: Set via `${S3_HOST}` environment variable (e.g., `rustfs-single` for single-node, `lb` for multi-node)
+- **Port**: 9000 (standard RustFS port)
+- **Credentials**: Uses `${S3_ACCESS_KEY}` and `${S3_SECRET_KEY}` from workflow environment
+- **TLS**: Disabled (`is_secure = False`)
+
+## Test Execution Strategy
+
+### Network Connectivity Fix
+
+Tests run inside a Docker container on the `rustfs-net` network, which allows them to resolve and connect to the RustFS container hostnames. This fixes the "Temporary failure in name resolution" error that occurred when tests ran on the GitHub runner host.
+
+### Performance Optimizations
+
+1. **Parallel Execution**: Uses `pytest-xdist` with `-n 4` to run tests in parallel across 4 workers
+2. **Load Distribution**: Uses `--dist=loadgroup` to distribute test groups across workers
+3. **Fail-Fast**: Uses `--maxfail=50` to stop after 50 failures, saving time on catastrophic failures
+
+### Feature Filtering
+
+Tests are filtered using pytest markers (`-m`) to skip features not yet supported by RustFS:
+
+- `lifecycle` - Bucket lifecycle policies
+- `versioning` - Object versioning
+- `s3website` - Static website hosting
+- `bucket_logging` - Bucket logging
+- `encryption` / `sse_s3` - Server-side encryption
+- `cloud_transition` / `cloud_restore` - Cloud storage transitions
+- `lifecycle_expiration` / `lifecycle_transition` - Lifecycle operations
+
+This filtering:
+1. Reduces test execution time significantly (from 1+ hour to ~10-15 minutes)
+2. Focuses on features RustFS currently supports
+3. Avoids hundreds of expected failures
+
+## Running Tests Locally
+
+### Single-Node Test
+
+```bash
+# Set credentials
+export S3_ACCESS_KEY=rustfsadmin
+export S3_SECRET_KEY=rustfsadmin
+
+# Start RustFS container
+docker run -d --name rustfs-single \
+  --network rustfs-net \
+  -e RUSTFS_ADDRESS=0.0.0.0:9000 \
+  -e RUSTFS_ACCESS_KEY=$S3_ACCESS_KEY \
+  -e RUSTFS_SECRET_KEY=$S3_SECRET_KEY \
+  -e RUSTFS_VOLUMES="/data/rustfs0 /data/rustfs1 /data/rustfs2 /data/rustfs3" \
+  rustfs-ci
+
+# Generate config
+export S3_HOST=rustfs-single
+envsubst < .github/s3tests/s3tests.conf > /tmp/s3tests.conf
+
+# Run tests
+docker run --rm \
+  --network rustfs-net \
+  -v /tmp/s3tests.conf:/etc/s3tests.conf:ro \
+  python:3.12-slim \
+  bash -c '
+    apt-get update -qq && apt-get install -y -qq git
+    git clone --depth 1 https://github.com/ceph/s3-tests.git /s3-tests
+    cd /s3-tests
+    pip install -q -r requirements.txt pytest-xdist
+    S3TEST_CONF=/etc/s3tests.conf pytest -v -n 4 \
+      s3tests/functional/test_s3.py \
+      -m "not lifecycle and not versioning and not s3website and not bucket_logging and not encryption and not sse_s3"
+  '
+```
+
+## Test Results Interpretation
+
+- **PASSED**: Test succeeded, feature works correctly
+- **FAILED**: Test failed, indicates a potential bug or incompatibility
+- **ERROR**: Test setup failed (e.g., network issues, missing dependencies)
+- **SKIPPED**: Test skipped due to marker filtering
+
+## Adding New Feature Support
+
+When adding support for a new S3 feature to RustFS:
+
+1. Remove the corresponding marker from the filter in `.github/workflows/e2e-s3tests.yml`
+2. Run the tests to verify compatibility
+3. Fix any failing tests
+4. Update this README to reflect the newly supported feature
+
+## References
+
+- [Ceph S3 Tests Repository](https://github.com/ceph/s3-tests)
+- [S3 API Compatibility](https://docs.aws.amazon.com/AmazonS3/latest/API/)
+- [pytest-xdist Documentation](https://pytest-xdist.readthedocs.io/)

.github/s3tests/s3tests.conf

@@ -0,0 +1,193 @@
+# RustFS s3-tests configuration
+# Based on: https://github.com/ceph/s3-tests/blob/master/s3tests.conf.SAMPLE
+#
+# Usage:
+#   Single-node: S3_HOST=rustfs-single envsubst < s3tests.conf > /tmp/s3tests.conf
+#   Multi-node:  S3_HOST=lb envsubst < s3tests.conf > /tmp/s3tests.conf
+
+[DEFAULT]
+## this section is just used for host, port and bucket_prefix
+
+# host set for RustFS - will be substituted via envsubst
+host = ${S3_HOST}
+
+# port for RustFS
+port = 9000
+
+## say "False" to disable TLS
+is_secure = False
+
+## say "False" to disable SSL Verify
+ssl_verify = False
+
+[fixtures]
+## all the buckets created will start with this prefix;
+## {random} will be filled with random characters to pad
+## the prefix to 30 characters long, and avoid collisions
+bucket prefix = rustfs-{random}-
+
+# all the iam account resources (users, roles, etc) created
+# will start with this name prefix
+iam name prefix = s3-tests-
+
+# all the iam account resources (users, roles, etc) created
+# will start with this path prefix
+iam path prefix = /s3-tests/
+
+[s3 main]
+# main display_name
+display_name = RustFS Tester
+
+# main user_id
+user_id = rustfsadmin
+
+# main email
+email = tester@rustfs.local
+
+# zonegroup api_name for bucket location
+api_name = default
+
+## main AWS access key
+access_key = ${S3_ACCESS_KEY}
+
+## main AWS secret key
+secret_key = ${S3_SECRET_KEY}
+
+## replace with key id obtained when secret is created, or delete if KMS not tested
+#kms_keyid = 01234567-89ab-cdef-0123-456789abcdef
+
+## Storage classes
+#storage_classes = "LUKEWARM, FROZEN"
+
+## Lifecycle debug interval (default: 10)
+#lc_debug_interval = 20
+## Restore debug interval (default: 100)
+#rgw_restore_debug_interval = 60
+#rgw_restore_processor_period = 60
+
+[s3 alt]
+# alt display_name
+display_name = RustFS Alt Tester
+
+## alt email
+email = alt@rustfs.local
+
+# alt user_id
+user_id = rustfsalt
+
+# alt AWS access key (must be different from s3 main for many tests)
+access_key = ${S3_ALT_ACCESS_KEY}
+
+# alt AWS secret key
+secret_key = ${S3_ALT_SECRET_KEY}
+
+#[s3 cloud]
+## to run the testcases with "cloud_transition" for transition
+## and "cloud_restore" for restore attribute.
+## Note: the waiting time may have to tweaked depending on
+## the I/O latency to the cloud endpoint.
+
+## host set for cloud endpoint
+# host = localhost
+
+## port set for cloud endpoint
+# port = 8001
+
+## say "False" to disable TLS
+# is_secure = False
+
+## cloud endpoint credentials
+# access_key = 0555b35654ad1656d804
+# secret_key = h7GhxuBLTrlhVUyxSPUKUV8r/2EI4ngqJxD7iBdBYLhwluN30JaT3Q==
+
+## storage class configured as cloud tier on local rgw server
+# cloud_storage_class = CLOUDTIER
+
+## Below are optional -
+
+## Above configured cloud storage class config options
+# retain_head_object = false
+# allow_read_through = false    # change it to enable read_through
+# read_through_restore_days = 2
+# target_storage_class = Target_SC
+# target_path = cloud-bucket
+
+## another regular storage class to test multiple transition rules,
+# storage_class = S1
+
+[s3 tenant]
+# tenant display_name
+display_name = RustFS Tenant Tester
+
+# tenant user_id
+# Note: Using same user_id as main to avoid teardown failures.
+# RustFS does not currently support multi-tenancy, so the tenant client
+# effectively operates as the main user. This ensures nuke_prefixed_buckets()
+# in s3-tests teardown can successfully clean up resources.
+user_id = rustfsadmin
+
+# tenant AWS access key
+access_key = ${S3_ACCESS_KEY}
+
+# tenant AWS secret key
+secret_key = ${S3_SECRET_KEY}
+
+# tenant email
+email = tenant@rustfs.local
+
+# tenant name
+# Note: Empty tenant name to avoid multi-tenant path issues during teardown.
+# When s3-tests calls get_tenant_client(), it uses this tenant value in requests.
+# An empty value makes the tenant client behave like the main client, preventing
+# "bucket not found" errors when teardown tries to clean up test buckets.
+tenant =
+
+#following section needs to be added for all sts-tests
+[iam]
+#used for iam operations in sts-tests
+#email
+email = s3@rustfs.local
+
+#user_id
+user_id = rustfsiam
+
+#access_key
+access_key = ${S3_ACCESS_KEY}
+
+#secret_key
+secret_key = ${S3_SECRET_KEY}
+
+#display_name
+display_name = RustFS IAM User
+
+# iam account root user for iam_account tests
+[iam root]
+access_key = ${S3_ACCESS_KEY}
+secret_key = ${S3_SECRET_KEY}
+user_id = RGW11111111111111111
+email = account1@rustfs.local
+
+# iam account root user in a different account than [iam root]
+[iam alt root]
+access_key = ${S3_ACCESS_KEY}
+secret_key = ${S3_SECRET_KEY}
+user_id = RGW22222222222222222
+email = account2@rustfs.local
+
+#following section needs to be added when you want to run Assume Role With Webidentity test
+[webidentity]
+#used for assume role with web identity test in sts-tests
+#all parameters will be obtained from ceph/qa/tasks/keycloak.py
+#token=<access_token>
+
+#aud=<obtained after introspecting token>
+
+#sub=<obtained after introspecting token>
+
+#azp=<obtained after introspecting token>
+
+#user_token=<access token for a user, with attribute Department=[Engineering, Marketing>]
+
+#thumbprint=<obtained from x509 certificate>
+
+#KC_REALM=<name of the realm>

.github/workflows/audit.yml

@@ -16,13 +16,13 @@ name: Security Audit
 
 on:
   push:
-    branches: [main]
+    branches: [ main ]
     paths:
       - '**/Cargo.toml'
       - '**/Cargo.lock'
       - '.github/workflows/audit.yml'
   pull_request:
-    branches: [main]
+    branches: [ main ]
     paths:
       - '**/Cargo.toml'
       - '**/Cargo.lock'
@@ -31,17 +31,20 @@ on:
     - cron: '0 0 * * 0' # Weekly on Sunday at midnight UTC
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   CARGO_TERM_COLOR: always
 
 jobs:
   security-audit:
     name: Security Audit
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
     timeout-minutes: 15
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Install cargo-audit
         uses: taiki-e/install-action@v2
@@ -54,7 +57,7 @@ jobs:
 
       - name: Upload audit results
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: security-audit-results-${{ github.run_number }}
           path: audit-results.json
@@ -62,14 +65,14 @@ jobs:
 
   dependency-review:
     name: Dependency Review
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
     if: github.event_name == 'pull_request'
     permissions:
       contents: read
       pull-requests: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Dependency Review
         uses: actions/dependency-review-action@v4

.github/workflows/build.yml

@@ -12,28 +12,25 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# Build and Release Workflow
+#
+# This workflow builds RustFS binaries and automatically triggers Docker image builds.
+#
+# Flow:
+# 1. Build binaries for multiple platforms
+# 2. Upload binaries to OSS storage
+# 3. Trigger docker.yml to build and push images using the uploaded binaries
+#
+# Manual Parameters:
+# - build_docker: Build and push Docker images (default: true)
+# - platforms: Comma-separated platform IDs or 'all' (default: all)
+
 name: Build and Release
 
 on:
   push:
-    tags: ["*"]
-    branches: [main]
-    paths-ignore:
-      - "**.md"
-      - "**.txt"
-      - ".github/**"
-      - "docs/**"
-      - "deploy/**"
-      - "scripts/dev_*.sh"
-      - "LICENSE*"
-      - "README*"
-      - "**/*.png"
-      - "**/*.jpg"
-      - "**/*.svg"
-      - ".gitignore"
-      - ".dockerignore"
-  pull_request:
-    branches: [main]
+    tags: [ "*.*.*" ]
+    branches: [ main ]
     paths-ignore:
       - "**.md"
       - "**.txt"
@@ -52,11 +49,19 @@ on:
     - cron: "0 0 * * 0" # Weekly on Sunday at midnight UTC
   workflow_dispatch:
     inputs:
-      force_build:
-        description: "Force build even without changes"
+      build_docker:
+        description: "Build and push Docker images after binary build"
         required: false
-        default: false
+        default: true
         type: boolean
+      platforms:
+        description: "Comma-separated targets or 'all' (e.g. linux-x86_64-musl,macos-aarch64)"
+        required: false
+        default: "all"
+        type: string
+
+permissions:
+  contents: read
 
 env:
   CARGO_TERM_COLOR: always
@@ -65,83 +70,147 @@ env:
   CARGO_INCREMENTAL: 0
 
 jobs:
-  # Second layer: Business logic level checks (handling build strategy)
+  # Build strategy check - determine build type based on trigger
   build-check:
     name: Build Strategy Check
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
     outputs:
       should_build: ${{ steps.check.outputs.should_build }}
       build_type: ${{ steps.check.outputs.build_type }}
+      version: ${{ steps.check.outputs.version }}
+      short_sha: ${{ steps.check.outputs.short_sha }}
+      is_prerelease: ${{ steps.check.outputs.is_prerelease }}
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
       - name: Determine build strategy
         id: check
         run: |
           should_build=false
           build_type="none"
+          version=""
+          short_sha=""
+          is_prerelease=false
 
-          # Business logic: when we need to build
-          if [[ "${{ github.event_name }}" == "schedule" ]] || \
-             [[ "${{ github.event_name }}" == "workflow_dispatch" ]] || \
-             [[ "${{ github.event.inputs.force_build }}" == "true" ]] || \
-             [[ "${{ contains(github.event.head_commit.message, '--build') }}" == "true" ]]; then
+          # Get short SHA for all builds
+          short_sha=$(git rev-parse --short HEAD)
+
+          # Determine build type based on trigger
+          if [[ "${{ startsWith(github.ref, 'refs/tags/') }}" == "true" ]]; then
+            # Tag push - release or prerelease
+            should_build=true
+            tag_name="${GITHUB_REF#refs/tags/}"
+            version="${tag_name}"
+
+            # Check if this is a prerelease
+            if [[ "$tag_name" == *"alpha"* ]] || [[ "$tag_name" == *"beta"* ]] || [[ "$tag_name" == *"rc"* ]]; then
+              build_type="prerelease"
+              is_prerelease=true
+              echo "🚀 Prerelease build detected: $tag_name"
+            else
+              build_type="release"
+              echo "📦 Release build detected: $tag_name"
+            fi
+          elif [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
+            # Main branch push - development build
             should_build=true
             build_type="development"
-          fi
-
-          # Always build for tag pushes (version releases)
-          if [[ "${{ startsWith(github.ref, 'refs/tags/') }}" == "true" ]]; then
+            version="dev-${short_sha}"
+            echo "🛠️  Development build detected"
+          elif [[ "${{ github.event_name }}" == "schedule" ]] || \
+               [[ "${{ github.event_name }}" == "workflow_dispatch" ]] || \
+               [[ "${{ contains(github.event.head_commit.message, '--build') }}" == "true" ]]; then
+            # Scheduled or manual build
             should_build=true
-            build_type="release"
-            echo "🏷️  Tag detected: forcing release build"
+            build_type="development"
+            version="dev-${short_sha}"
+            echo "⚡ Manual/scheduled build detected"
           fi
 
           echo "should_build=$should_build" >> $GITHUB_OUTPUT
           echo "build_type=$build_type" >> $GITHUB_OUTPUT
-          echo "Build needed: $should_build (type: $build_type)"
+          echo "version=$version" >> $GITHUB_OUTPUT
+          echo "short_sha=$short_sha" >> $GITHUB_OUTPUT
+          echo "is_prerelease=$is_prerelease" >> $GITHUB_OUTPUT
+
+          echo "📊 Build Summary:"
+          echo "  - Should build: $should_build"
+          echo "  - Build type: $build_type"
+          echo "  - Version: $version"
+          echo "  - Short SHA: $short_sha"
+          echo "  - Is prerelease: $is_prerelease"
 
   # Build RustFS binaries
+  prepare-platform-matrix:
+    name: Prepare Platform Matrix
+    runs-on: ubicloud-standard-2
+    outputs:
+      matrix: ${{ steps.select.outputs.matrix }}
+      selected: ${{ steps.select.outputs.selected }}
+    steps:
+      - name: Select target platforms
+        id: select
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          selected="${{ github.event_name == 'workflow_dispatch' && github.event.inputs.platforms || 'all' }}"
+          selected="$(echo "${selected}" | tr -d '[:space:]')"
+          if [[ -z "${selected}" ]]; then
+            selected="all"
+          fi
+
+          all='{"include":[
+            {"target_id":"linux-x86_64-musl","os":"ubicloud-standard-2","target":"x86_64-unknown-linux-musl","cross":false,"platform":"linux","rustflags":""},
+            {"target_id":"linux-aarch64-musl","os":"ubicloud-standard-2","target":"aarch64-unknown-linux-musl","cross":true,"platform":"linux","rustflags":""},
+            {"target_id":"linux-x86_64-gnu","os":"ubicloud-standard-2","target":"x86_64-unknown-linux-gnu","cross":false,"platform":"linux","rustflags":""},
+            {"target_id":"linux-aarch64-gnu","os":"ubicloud-standard-2","target":"aarch64-unknown-linux-gnu","cross":true,"platform":"linux","rustflags":""},
+            {"target_id":"macos-aarch64","os":"macos-latest","target":"aarch64-apple-darwin","cross":false,"platform":"macos","rustflags":""},
+            {"target_id":"macos-x86_64","os":"macos-latest","target":"x86_64-apple-darwin","cross":false,"platform":"macos","rustflags":""},
+            {"target_id":"windows-x86_64","os":"windows-latest","target":"x86_64-pc-windows-msvc","cross":false,"platform":"windows","rustflags":""}
+          ]}'
+
+          if [[ "${selected}" == "all" ]]; then
+            matrix="$(jq -c . <<<"${all}")"
+          else
+            unknown="$(jq -rn --arg selected "${selected}" --argjson all "${all}" '
+              ($selected | split(",") | map(select(length > 0))) as $req
+              | ($all.include | map(.target_id)) as $known
+              | [$req[] | select(( $known | index(.) ) == null)]
+            ')"
+            if [[ "$(jq 'length' <<<"${unknown}")" -gt 0 ]]; then
+              echo "Unknown platforms: $(jq -r 'join(\",\")' <<<"${unknown}")" >&2
+              echo "Allowed: $(jq -r '.include[].target_id' <<<"${all}" | paste -sd ',' -)" >&2
+              exit 1
+            fi
+
+            matrix="$(jq -c --arg selected "${selected}" '
+              ($selected | split(",") | map(select(length > 0))) as $req
+              | .include |= map(select(.target_id as $id | ($req | index($id))))
+            ' <<<"${all}")"
+          fi
+
+          echo "selected=${selected}" >> "$GITHUB_OUTPUT"
+          echo "matrix=${matrix}" >> "$GITHUB_OUTPUT"
+          echo "Selected platforms: ${selected}"
+
   build-rustfs:
     name: Build RustFS
-    needs: [build-check]
-    if: needs.build-check.outputs.should_build == 'true'
+    needs: [ build-check, prepare-platform-matrix ]
+    if: needs.build-check.outputs.should_build == 'true' && needs.prepare-platform-matrix.result == 'success'
     runs-on: ${{ matrix.os }}
     timeout-minutes: 60
     env:
-      RUSTFLAGS: ${{ matrix.cross == 'false' && '-C target-cpu=native' || '' }}
+      RUSTFLAGS: ${{ matrix.rustflags }}
     strategy:
       fail-fast: false
-      matrix:
-        include:
-          # Linux builds
-          - os: ubuntu-latest
-            target: x86_64-unknown-linux-musl
-            cross: false
-            platform: linux
-          - os: ubuntu-latest
-            target: aarch64-unknown-linux-musl
-            cross: true
-            platform: linux
-          # macOS builds
-          - os: macos-latest
-            target: aarch64-apple-darwin
-            cross: false
-            platform: macos
-          - os: macos-latest
-            target: x86_64-apple-darwin
-            cross: false
-            platform: macos
-          # # Windows builds (temporarily disabled)
-          # - os: windows-latest
-          #   target: x86_64-pc-windows-msvc
-          #   cross: false
-          #   platform: windows
-          # - os: windows-latest
-          #   target: aarch64-pc-windows-msvc
-          #   cross: true
-          #   platform: windows
+      matrix: ${{ fromJson(needs.prepare-platform-matrix.outputs.matrix) }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -156,9 +225,9 @@ jobs:
           install-cross-tools: ${{ matrix.cross }}
 
       - name: Download static console assets
+        shell: bash
         run: |
           mkdir -p ./rustfs/static
-          rm -rf ./rustfs/static/*
           if [[ "${{ matrix.platform }}" == "windows" ]]; then
             curl.exe -L "https://dl.rustfs.com/artifacts/console/rustfs-console-latest.zip" -o console.zip --retry 3 --retry-delay 5 --max-time 300
             if [[ $? -eq 0 ]]; then
@@ -170,7 +239,6 @@ jobs:
             fi
           else
             chmod +w ./rustfs/static/LICENSE || true
-            rm -f ./rustfs/static/LICENSE
             curl -L "https://dl.rustfs.com/artifacts/console/rustfs-console-latest.zip" \
               -o console.zip --retry 3 --retry-delay 5 --max-time 300
             if [[ $? -eq 0 ]]; then
@@ -183,6 +251,7 @@ jobs:
           fi
 
       - name: Build RustFS
+        shell: bash
         run: |
           # Force rebuild by touching build.rs
           touch rustfs/build.rs
@@ -193,7 +262,7 @@ jobs:
               cargo install cross --git https://github.com/cross-rs/cross
               cross build --release --target ${{ matrix.target }} -p rustfs --bins
             else
-              # Use zigbuild for Linux ARM64
+              # Use zigbuild for other cross-compilation
               cargo zigbuild --release --target ${{ matrix.target }} -p rustfs --bins
             fi
           else
@@ -204,7 +273,63 @@ jobs:
         id: package
         shell: bash
         run: |
-          PACKAGE_NAME="rustfs-${{ matrix.target }}"
+          BUILD_TYPE="${{ needs.build-check.outputs.build_type }}"
+          VERSION="${{ needs.build-check.outputs.version }}"
+          SHORT_SHA="${{ needs.build-check.outputs.short_sha }}"
+
+          # Extract platform and arch from target
+          TARGET="${{ matrix.target }}"
+          PLATFORM="${{ matrix.platform }}"
+          # Map target to architecture and variant
+          case "$TARGET" in
+            *x86_64*musl*)
+              ARCH="x86_64"
+              VARIANT="musl"
+              ;;
+            *x86_64*gnu*)
+              ARCH="x86_64"
+              VARIANT="gnu"
+              ;;
+            *x86_64*)
+              ARCH="x86_64"
+              VARIANT=""
+              ;;
+            *aarch64*musl*|*arm64*musl*)
+              ARCH="aarch64"
+              VARIANT="musl"
+              ;;
+            *aarch64*gnu*|*arm64*gnu*)
+              ARCH="aarch64"
+              VARIANT="gnu"
+              ;;
+            *aarch64*|*arm64*)
+              ARCH="aarch64"
+              VARIANT=""
+              ;;
+            *armv7*)
+              ARCH="armv7"
+              VARIANT=""
+              ;;
+            *)
+              ARCH="unknown"
+              VARIANT=""
+              ;;
+          esac
+
+          # Generate package name based on build type
+          if [[ -n "$VARIANT" ]]; then
+            ARCH_WITH_VARIANT="${ARCH}-${VARIANT}"
+          else
+            ARCH_WITH_VARIANT="${ARCH}"
+          fi
+
+          if [[ "$BUILD_TYPE" == "development" ]]; then
+            # Development build: rustfs-${platform}-${arch}-${variant}-dev-${short_sha}.zip
+            PACKAGE_NAME="rustfs-${PLATFORM}-${ARCH_WITH_VARIANT}-dev-${SHORT_SHA}"
+          else
+            # Release/Prerelease build: rustfs-${platform}-${arch}-${variant}-v${version}.zip
+            PACKAGE_NAME="rustfs-${PLATFORM}-${ARCH_WITH_VARIANT}-v${VERSION}"
+          fi
 
           # Create zip packages for all platforms
           # Ensure zip is available
@@ -215,27 +340,132 @@ jobs:
           fi
 
           cd target/${{ matrix.target }}/release
-          zip "../../../${PACKAGE_NAME}.zip" rustfs
+          # Determine the binary name based on platform
+          if [[ "${{ matrix.platform }}" == "windows" ]]; then
+            BINARY_NAME="rustfs.exe"
+          else
+            BINARY_NAME="rustfs"
+          fi
+
+          # Verify the binary exists before packaging
+          if [[ ! -f "$BINARY_NAME" ]]; then
+            echo "❌ Binary $BINARY_NAME not found in $(pwd)"
+            if [[ "${{ matrix.platform }}" == "windows" ]]; then
+              dir
+            else
+              ls -la
+            fi
+            exit 1
+          fi
+
+          # Universal packaging function
+          package_zip() {
+            local src=$1
+            local dst=$2
+            if [[ "${{ matrix.platform }}" == "windows" ]]; then
+              # Windows uses PowerShell Compress-Archive
+              powershell -Command "Compress-Archive -Path '$src' -DestinationPath '$dst' -Force"
+            elif command -v zip &> /dev/null; then
+              # Unix systems use zip command
+              zip "$dst" "$src"
+            else
+              echo "❌ No zip utility available"
+              exit 1
+            fi
+          }
+
+          # Create the zip package
+          echo "Start packaging: $BINARY_NAME -> ../../../${PACKAGE_NAME}.zip"
+          package_zip "$BINARY_NAME" "../../../${PACKAGE_NAME}.zip"
+
           cd ../../..
+
+          # Verify the package was created
+          if [[ -f "${PACKAGE_NAME}.zip" ]]; then
+            echo "✅ Package created successfully: ${PACKAGE_NAME}.zip"
+            if [[ "${{ matrix.platform }}" == "windows" ]]; then
+              dir
+            else
+              ls -lh ${PACKAGE_NAME}.zip
+            fi
+          else
+            echo "❌ Failed to create package: ${PACKAGE_NAME}.zip"
+            exit 1
+          fi
+
+          # Create latest version files right after the main package
+          LATEST_FILES=""
+          if [[ "$BUILD_TYPE" == "release" ]] || [[ "$BUILD_TYPE" == "prerelease" ]]; then
+            # Create latest version filename
+            # Convert from rustfs-linux-x86_64-musl-v1.0.0 to rustfs-linux-x86_64-musl-latest
+            LATEST_FILE="${PACKAGE_NAME%-v*}-latest.zip"
+
+            echo "🔄 Creating latest version: ${PACKAGE_NAME}.zip -> $LATEST_FILE"
+            cp "${PACKAGE_NAME}.zip" "$LATEST_FILE"
+
+            if [[ -f "$LATEST_FILE" ]]; then
+              echo "✅ Latest version created: $LATEST_FILE"
+              LATEST_FILES="$LATEST_FILE"
+            fi
+          elif [[ "$BUILD_TYPE" == "development" ]]; then
+            # Development builds (only main branch triggers development builds)
+            # Create main-latest version filename
+            # Convert from rustfs-linux-x86_64-dev-abc123 to rustfs-linux-x86_64-main-latest
+            MAIN_LATEST_FILE="${PACKAGE_NAME%-dev-*}-main-latest.zip"
+
+            echo "🔄 Creating main-latest version: ${PACKAGE_NAME}.zip -> $MAIN_LATEST_FILE"
+            cp "${PACKAGE_NAME}.zip" "$MAIN_LATEST_FILE"
+
+            if [[ -f "$MAIN_LATEST_FILE" ]]; then
+              echo "✅ Main-latest version created: $MAIN_LATEST_FILE"
+              LATEST_FILES="$MAIN_LATEST_FILE"
+
+              # Also create a generic main-latest for Docker builds (Linux only)
+              if [[ "${{ matrix.platform }}" == "linux" ]]; then
+                DOCKER_MAIN_LATEST_FILE="rustfs-linux-${ARCH_WITH_VARIANT}-main-latest.zip"
+
+                echo "🔄 Creating Docker main-latest version: ${PACKAGE_NAME}.zip -> $DOCKER_MAIN_LATEST_FILE"
+                cp "${PACKAGE_NAME}.zip" "$DOCKER_MAIN_LATEST_FILE"
+
+                if [[ -f "$DOCKER_MAIN_LATEST_FILE" ]]; then
+                  echo "✅ Docker main-latest version created: $DOCKER_MAIN_LATEST_FILE"
+                  LATEST_FILES="$LATEST_FILES $DOCKER_MAIN_LATEST_FILE"
+                fi
+              fi
+            fi
+          fi
+
           echo "package_name=${PACKAGE_NAME}" >> $GITHUB_OUTPUT
           echo "package_file=${PACKAGE_NAME}.zip" >> $GITHUB_OUTPUT
-          echo "Package created: ${PACKAGE_NAME}.zip"
+          echo "latest_files=${LATEST_FILES}" >> $GITHUB_OUTPUT
+          echo "build_type=${BUILD_TYPE}" >> $GITHUB_OUTPUT
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
 
-      - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+          echo "📦 Package created: ${PACKAGE_NAME}.zip"
+          if [[ -n "$LATEST_FILES" ]]; then
+            echo "📦 Latest files created: $LATEST_FILES"
+          fi
+          echo "🔧 Build type: ${BUILD_TYPE}"
+          echo "📊 Version: ${VERSION}"
+
+      - name: Upload to GitHub artifacts
+        uses: actions/upload-artifact@v6
         with:
           name: ${{ steps.package.outputs.package_name }}
-          path: ${{ steps.package.outputs.package_file }}
+          path: "rustfs-*.zip"
           retention-days: ${{ startsWith(github.ref, 'refs/tags/') && 30 || 7 }}
 
       - name: Upload to Aliyun OSS
-        if: needs.build-check.outputs.build_type == 'release' && env.OSS_ACCESS_KEY_ID != ''
+        if: env.OSS_ACCESS_KEY_ID != '' && (needs.build-check.outputs.build_type == 'release' || needs.build-check.outputs.build_type == 'prerelease' || needs.build-check.outputs.build_type == 'development')
         env:
           OSS_ACCESS_KEY_ID: ${{ secrets.ALICLOUDOSS_KEY_ID }}
           OSS_ACCESS_KEY_SECRET: ${{ secrets.ALICLOUDOSS_KEY_SECRET }}
           OSS_REGION: cn-beijing
-          OSS_ENDPOINT: https://oss-cn-beijing.aliyuncs.com
+          OSS_ENDPOINT: https://oss-accelerate.aliyuncs.com
+        shell: bash
         run: |
+          BUILD_TYPE="${{ needs.build-check.outputs.build_type }}"
+
           # Install ossutil (platform-specific)
           OSSUTIL_VERSION="2.1.1"
           case "${{ matrix.platform }}" in
@@ -271,150 +501,357 @@ jobs:
               chmod +x /usr/local/bin/ossutil
               OSSUTIL_BIN=ossutil
               ;;
+            windows)
+              OSSUTIL_ZIP="ossutil-${OSSUTIL_VERSION}-windows-amd64.zip"
+              OSSUTIL_DIR="ossutil-${OSSUTIL_VERSION}-windows-amd64"
+
+              curl -o "$OSSUTIL_ZIP" "https://gosspublic.alicdn.com/ossutil/v2/${OSSUTIL_VERSION}/${OSSUTIL_ZIP}"
+              unzip "$OSSUTIL_ZIP"
+              mv "${OSSUTIL_DIR}/ossutil.exe" ./ossutil.exe
+              rm -rf "$OSSUTIL_DIR" "$OSSUTIL_ZIP"
+              OSSUTIL_BIN=./ossutil.exe
+              ;;
           esac
 
-          # Upload the package file directly to OSS
-          echo "Uploading ${{ steps.package.outputs.package_file }} to OSS..."
-          $OSSUTIL_BIN cp "${{ steps.package.outputs.package_file }}" oss://rustfs-artifacts/artifacts/rustfs/ --force
-
-          # Create latest.json (only for the first Linux build to avoid duplication)
-          if [[ "${{ matrix.target }}" == "x86_64-unknown-linux-musl" ]]; then
-            VERSION="${GITHUB_REF#refs/tags/v}"
-            echo "{\"version\":\"${VERSION}\",\"release_date\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"}" > latest.json
-            $OSSUTIL_BIN cp latest.json oss://rustfs-version/latest.json --force
+          # Determine upload path based on build type
+          if [[ "$BUILD_TYPE" == "development" ]]; then
+            OSS_PATH="oss://rustfs-artifacts/artifacts/rustfs/dev/"
+            echo "📤 Uploading development build to OSS dev directory"
+          else
+            OSS_PATH="oss://rustfs-artifacts/artifacts/rustfs/release/"
+            echo "📤 Uploading release build to OSS release directory"
           fi
 
-  # Release management
-  release:
-    name: GitHub Release
-    needs: [build-check, build-rustfs]
-    if: always() && needs.build-check.outputs.build_type == 'release'
-    runs-on: ubuntu-latest
+          # Upload all rustfs zip files to OSS using glob pattern
+          echo "📤 Uploading all rustfs-*.zip files to $OSS_PATH..."
+          for zip_file in rustfs-*.zip; do
+            if [[ -f "$zip_file" ]]; then
+              echo "Uploading: $zip_file to $OSS_PATH..."
+              $OSSUTIL_BIN cp "$zip_file" "$OSS_PATH" --force
+              echo "✅ Uploaded: $zip_file"
+            fi
+          done
+
+          echo "✅ Upload completed successfully"
+
+  # Build summary
+  build-summary:
+    name: Build Summary
+    needs: [ build-check, build-rustfs ]
+    if: always() && needs.build-check.outputs.should_build == 'true'
+    runs-on: ubicloud-standard-2
+    steps:
+      - name: Build completion summary
+        shell: bash
+        run: |
+          BUILD_TYPE="${{ needs.build-check.outputs.build_type }}"
+          VERSION="${{ needs.build-check.outputs.version }}"
+
+          echo "🎉 Build completed successfully!"
+          echo "📦 Build type: $BUILD_TYPE"
+          echo "🔢 Version: $VERSION"
+          echo ""
+
+          # Check build status
+          BUILD_STATUS="${{ needs.build-rustfs.result }}"
+
+          echo "📊 Build Results:"
+          echo "  📦 All platforms: $BUILD_STATUS"
+          echo ""
+
+          case "$BUILD_TYPE" in
+            "development")
+              echo "🛠️  Development build artifacts have been uploaded to OSS dev directory"
+              echo "⚠️  This is a development build - not suitable for production use"
+              ;;
+            "release")
+              echo "🚀 Release build artifacts have been uploaded to OSS release directory"
+              echo "✅ This build is ready for production use"
+              echo "🏷️  GitHub Release will be created in this workflow"
+              ;;
+            "prerelease")
+              echo "🧪 Prerelease build artifacts have been uploaded to OSS release directory"
+              echo "⚠️  This is a prerelease build - use with caution"
+              echo "🏷️  GitHub Release will be created in this workflow"
+              ;;
+          esac
+
+          echo ""
+          echo "🐳 Docker Images:"
+          if [[ "${{ github.event.inputs.build_docker }}" == "false" ]]; then
+            echo "⏭️  Docker image build was skipped (binary only build)"
+          elif [[ "$BUILD_STATUS" == "success" ]]; then
+            echo "🔄 Docker images will be built and pushed automatically via workflow_run event"
+          else
+            echo "❌ Docker image build will be skipped due to build failure"
+          fi
+
+  # Create GitHub Release (only for tag pushes)
+  create-release:
+    name: Create GitHub Release
+    needs: [ build-check, build-rustfs ]
+    if: startsWith(github.ref, 'refs/tags/') && needs.build-check.outputs.build_type != 'development'
+    runs-on: ubicloud-standard-2
+    permissions:
+      contents: write
+    outputs:
+      release_id: ${{ steps.create.outputs.release_id }}
+      release_url: ${{ steps.create.outputs.release_url }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Create GitHub Release
+        id: create
+        env:
+          GH_TOKEN: ${{ github.token }}
+        shell: bash
+        run: |
+          TAG="${{ needs.build-check.outputs.version }}"
+          VERSION="${{ needs.build-check.outputs.version }}"
+          IS_PRERELEASE="${{ needs.build-check.outputs.is_prerelease }}"
+          BUILD_TYPE="${{ needs.build-check.outputs.build_type }}"
+
+          # Determine release type for title
+          if [[ "$BUILD_TYPE" == "prerelease" ]]; then
+            if [[ "$TAG" == *"alpha"* ]]; then
+              RELEASE_TYPE="alpha"
+            elif [[ "$TAG" == *"beta"* ]]; then
+              RELEASE_TYPE="beta"
+            elif [[ "$TAG" == *"rc"* ]]; then
+              RELEASE_TYPE="rc"
+            else
+              RELEASE_TYPE="prerelease"
+            fi
+          else
+            RELEASE_TYPE="release"
+          fi
+
+          # Check if release already exists
+          if gh release view "$TAG" >/dev/null 2>&1; then
+            echo "Release $TAG already exists"
+            RELEASE_ID=$(gh release view "$TAG" --json databaseId --jq '.databaseId')
+            RELEASE_URL=$(gh release view "$TAG" --json url --jq '.url')
+          else
+            # Get release notes from tag message
+            RELEASE_NOTES=$(git tag -l --format='%(contents)' "${TAG}")
+            if [[ -z "$RELEASE_NOTES" || "$RELEASE_NOTES" =~ ^[[:space:]]*$ ]]; then
+              if [[ "$IS_PRERELEASE" == "true" ]]; then
+                RELEASE_NOTES="Pre-release ${VERSION} (${RELEASE_TYPE})"
+              else
+                RELEASE_NOTES="Release ${VERSION}"
+              fi
+            fi
+
+            # Create release title
+            if [[ "$IS_PRERELEASE" == "true" ]]; then
+              TITLE="RustFS $VERSION (${RELEASE_TYPE})"
+            else
+              TITLE="RustFS $VERSION"
+            fi
+
+            # Create the release
+            PRERELEASE_FLAG=""
+            if [[ "$IS_PRERELEASE" == "true" ]]; then
+              PRERELEASE_FLAG="--prerelease"
+            fi
+
+            gh release create "$TAG" \
+              --title "$TITLE" \
+              --notes "$RELEASE_NOTES" \
+              $PRERELEASE_FLAG \
+              --draft
+
+            RELEASE_ID=$(gh release view "$TAG" --json databaseId --jq '.databaseId')
+            RELEASE_URL=$(gh release view "$TAG" --json url --jq '.url')
+          fi
+
+          echo "release_id=$RELEASE_ID" >> $GITHUB_OUTPUT
+          echo "release_url=$RELEASE_URL" >> $GITHUB_OUTPUT
+          echo "Created release: $RELEASE_URL"
+
+  # Prepare and upload release assets
+  upload-release-assets:
+    name: Upload Release Assets
+    needs: [ build-check, build-rustfs, create-release ]
+    if: startsWith(github.ref, 'refs/tags/') && needs.build-check.outputs.build_type != 'development'
+    runs-on: ubicloud-standard-2
+    permissions:
+      contents: write
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Download all build artifacts
+        uses: actions/download-artifact@v7
+        with:
+          path: ./artifacts
+          pattern: rustfs-*
+          merge-multiple: true
+
+      - name: Prepare release assets
+        id: prepare
+        shell: bash
+        run: |
+          VERSION="${{ needs.build-check.outputs.version }}"
+          TAG="${{ needs.build-check.outputs.version }}"
+
+          mkdir -p ./release-assets
+
+          # Copy and verify artifacts (including latest files created during build)
+          ASSETS_COUNT=0
+          for file in ./artifacts/*.zip; do
+            if [[ -f "$file" ]]; then
+              cp "$file" ./release-assets/
+              ASSETS_COUNT=$((ASSETS_COUNT + 1))
+            fi
+          done
+
+          if [[ $ASSETS_COUNT -eq 0 ]]; then
+            echo "❌ No artifacts found!"
+            exit 1
+          fi
+
+          cd ./release-assets
+
+          # Generate checksums for all files (including latest versions)
+          if ls *.zip >/dev/null 2>&1; then
+            sha256sum *.zip > SHA256SUMS
+            sha512sum *.zip > SHA512SUMS
+          fi
+
+          # Create signature placeholder files
+          for file in *.zip; do
+            echo "# Signature for $file" > "${file}.asc"
+            echo "# GPG signature will be added in future versions" >> "${file}.asc"
+          done
+
+          echo "📦 Prepared assets:"
+          ls -la
+
+          echo "🔢 Total asset count: $ASSETS_COUNT"
+
+      - name: Upload to GitHub Release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        shell: bash
+        run: |
+          TAG="${{ needs.build-check.outputs.version }}"
+
+          cd ./release-assets
+
+          # Upload all files
+          for file in *; do
+            if [[ -f "$file" ]]; then
+              echo "📤 Uploading $file..."
+              gh release upload "$TAG" "$file" --clobber
+            fi
+          done
+
+          echo "✅ All assets uploaded successfully"
+
+  # Update latest.json for stable releases only
+  update-latest-version:
+    name: Update Latest Version
+    needs: [ build-check, upload-release-assets ]
+    if: startsWith(github.ref, 'refs/tags/')
+    runs-on: ubicloud-standard-2
+    steps:
+      - name: Update latest.json
+        env:
+          OSS_ACCESS_KEY_ID: ${{ secrets.ALICLOUDOSS_KEY_ID }}
+          OSS_ACCESS_KEY_SECRET: ${{ secrets.ALICLOUDOSS_KEY_SECRET }}
+          OSS_REGION: cn-beijing
+          OSS_ENDPOINT: https://oss-cn-beijing.aliyuncs.com
+        shell: bash
+        run: |
+          if [[ -z "$OSS_ACCESS_KEY_ID" ]]; then
+            echo "⚠️ OSS credentials not available, skipping latest.json update"
+            exit 0
+          fi
+
+          VERSION="${{ needs.build-check.outputs.version }}"
+          TAG="${{ needs.build-check.outputs.version }}"
+
+          # Install ossutil
+          OSSUTIL_VERSION="2.1.1"
+          OSSUTIL_ZIP="ossutil-${OSSUTIL_VERSION}-linux-amd64.zip"
+          OSSUTIL_DIR="ossutil-${OSSUTIL_VERSION}-linux-amd64"
+
+          curl -o "$OSSUTIL_ZIP" "https://gosspublic.alicdn.com/ossutil/v2/${OSSUTIL_VERSION}/${OSSUTIL_ZIP}"
+          unzip "$OSSUTIL_ZIP"
+          mv "${OSSUTIL_DIR}/ossutil" /usr/local/bin/
+          rm -rf "$OSSUTIL_DIR" "$OSSUTIL_ZIP"
+          chmod +x /usr/local/bin/ossutil
+
+          # Create latest.json
+          cat > latest.json << EOF
+          {
+            "version": "${VERSION}",
+            "tag": "${TAG}",
+            "release_date": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
+            "release_type": "stable",
+            "download_url": "https://github.com/${{ github.repository }}/releases/tag/${TAG}"
+          }
+          EOF
+
+          # Upload to OSS
+          ossutil cp latest.json oss://rustfs-version/latest.json --force
+
+          echo "✅ Updated latest.json for stable release $VERSION"
+
+  # Publish release (remove draft status)
+  publish-release:
+    name: Publish Release
+    needs: [ build-check, create-release, upload-release-assets ]
+    if: startsWith(github.ref, 'refs/tags/') && needs.build-check.outputs.build_type != 'development'
+    runs-on: ubicloud-standard-2
     permissions:
       contents: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
+        uses: actions/checkout@v6
 
-      - name: Download all artifacts
-        uses: actions/download-artifact@v4
-        with:
-          path: ./release-artifacts
-
-      - name: Prepare release assets
-        id: release_prep
-        run: |
-          VERSION="${GITHUB_REF#refs/tags/}"
-          VERSION_CLEAN="${VERSION#v}"
-
-          echo "version=${VERSION}" >> $GITHUB_OUTPUT
-          echo "version_clean=${VERSION_CLEAN}" >> $GITHUB_OUTPUT
-
-          # Organize artifacts
-          mkdir -p ./release-files
-
-          # Copy all artifacts (.zip files)
-          find ./release-artifacts -name "*.zip" -exec cp {} ./release-files/ \;
-
-          # Generate checksums for all files
-          cd ./release-files
-          if ls *.zip >/dev/null 2>&1; then
-            sha256sum *.zip >> SHA256SUMS
-            sha512sum *.zip >> SHA512SUMS
-          fi
-          cd ..
-
-          # Display what we're releasing
-          echo "=== Release Files ==="
-          ls -la ./release-files/
-
-      - name: Create GitHub Release
+      - name: Update release notes and publish
         env:
           GH_TOKEN: ${{ github.token }}
+        shell: bash
         run: |
-          VERSION="${{ steps.release_prep.outputs.version }}"
-          VERSION_CLEAN="${{ steps.release_prep.outputs.version_clean }}"
+          TAG="${{ needs.build-check.outputs.version }}"
+          VERSION="${{ needs.build-check.outputs.version }}"
+          IS_PRERELEASE="${{ needs.build-check.outputs.is_prerelease }}"
+          BUILD_TYPE="${{ needs.build-check.outputs.build_type }}"
 
-          # Check if release already exists
-          if gh release view "$VERSION" >/dev/null 2>&1; then
-            echo "Release $VERSION already exists, skipping creation"
+          # Determine release type
+          if [[ "$BUILD_TYPE" == "prerelease" ]]; then
+            if [[ "$TAG" == *"alpha"* ]]; then
+              RELEASE_TYPE="alpha"
+            elif [[ "$TAG" == *"beta"* ]]; then
+              RELEASE_TYPE="beta"
+            elif [[ "$TAG" == *"rc"* ]]; then
+              RELEASE_TYPE="rc"
+            else
+              RELEASE_TYPE="prerelease"
+            fi
           else
-            # Get release notes from tag message
-            RELEASE_NOTES=$(git tag -l --format='%(contents)' "${VERSION}")
-            if [[ -z "$RELEASE_NOTES" || "$RELEASE_NOTES" =~ ^[[:space:]]*$ ]]; then
-              RELEASE_NOTES="Release ${VERSION_CLEAN}"
-            fi
-
-            # Determine if this is a prerelease
-            PRERELEASE_FLAG=""
-            if [[ "$VERSION" == *"alpha"* ]] || [[ "$VERSION" == *"beta"* ]] || [[ "$VERSION" == *"rc"* ]]; then
-              PRERELEASE_FLAG="--prerelease"
-            fi
-
-            # Create the release only if it doesn't exist
-            gh release create "$VERSION" \
-              --title "RustFS $VERSION_CLEAN" \
-              --notes "$RELEASE_NOTES" \
-              $PRERELEASE_FLAG
+            RELEASE_TYPE="release"
           fi
 
-      - name: Upload release assets
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          VERSION="${{ steps.release_prep.outputs.version }}"
-
-          cd ./release-files
-
-          # Upload all binary files
-          for file in *.zip; do
-            if [[ -f "$file" ]]; then
-              echo "Uploading $file..."
-              gh release upload "$VERSION" "$file" --clobber
+          # Get original release notes from tag
+          ORIGINAL_NOTES=$(git tag -l --format='%(contents)' "${TAG}")
+          if [[ -z "$ORIGINAL_NOTES" || "$ORIGINAL_NOTES" =~ ^[[:space:]]*$ ]]; then
+            if [[ "$IS_PRERELEASE" == "true" ]]; then
+              ORIGINAL_NOTES="Pre-release ${VERSION} (${RELEASE_TYPE})"
+            else
+              ORIGINAL_NOTES="Release ${VERSION}"
             fi
-          done
-
-          # Upload checksum files
-          if [[ -f "SHA256SUMS" ]]; then
-            echo "Uploading SHA256SUMS..."
-            gh release upload "$VERSION" "SHA256SUMS" --clobber
           fi
 
-          if [[ -f "SHA512SUMS" ]]; then
-            echo "Uploading SHA512SUMS..."
-            gh release upload "$VERSION" "SHA512SUMS" --clobber
-          fi
+          # Publish the release (remove draft status)
+          gh release edit "$TAG" --draft=false
 
-      - name: Update release notes
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          VERSION="${{ steps.release_prep.outputs.version }}"
-          VERSION_CLEAN="${{ steps.release_prep.outputs.version_clean }}"
-
-          # Check if release already has custom notes (not auto-generated)
-          EXISTING_NOTES=$(gh release view "$VERSION" --json body --jq '.body' 2>/dev/null || echo "")
-
-          # Only update if release notes are empty or auto-generated
-          if [[ -z "$EXISTING_NOTES" ]] || [[ "$EXISTING_NOTES" == *"Release ${VERSION_CLEAN}"* ]]; then
-            echo "Updating release notes for $VERSION"
-
-            # Get original release notes from tag
-            ORIGINAL_NOTES=$(git tag -l --format='%(contents)' "${VERSION}")
-            if [[ -z "$ORIGINAL_NOTES" || "$ORIGINAL_NOTES" =~ ^[[:space:]]*$ ]]; then
-              ORIGINAL_NOTES="Release ${VERSION_CLEAN}"
-            fi
-
-            # Use external template file and substitute variables
-            sed -e "s/\${VERSION}/$VERSION/g" \
-                -e "s/\${VERSION_CLEAN}/$VERSION_CLEAN/g" \
-                -e "s/\${ORIGINAL_NOTES}/$(echo "$ORIGINAL_NOTES" | sed 's/[[\.*^$()+?{|]/\\&/g')/g" \
-                .github/workflows/release-notes-template.md > enhanced_notes.md
-
-            # Update the release with enhanced notes
-            gh release edit "$VERSION" --notes-file enhanced_notes.md
-          else
-            echo "Release $VERSION already has custom notes, skipping update to preserve manual edits"
-          fi
+          echo "🎉 Released $TAG successfully!"
+          echo "📄 Release URL: ${{ needs.create-release.outputs.release_url }}"

.github/workflows/ci.yml

@@ -4,7 +4,7 @@
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#     http://www.apache.org/licenses/LICENSE-2.0
+#      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
@@ -16,10 +16,9 @@ name: Continuous Integration
 
 on:
   push:
-    branches: [main]
+    branches: [ main ]
     paths-ignore:
       - "**.md"
-      - "**.txt"
       - "docs/**"
       - "deploy/**"
       - "scripts/dev_*.sh"
@@ -36,10 +35,9 @@ on:
       - ".github/workflows/audit.yml"
       - ".github/workflows/performance.yml"
   pull_request:
-    branches: [main]
+    branches: [ main ]
     paths-ignore:
       - "**.md"
-      - "**.txt"
       - "docs/**"
       - "deploy/**"
       - "scripts/dev_*.sh"
@@ -59,17 +57,26 @@ on:
     - cron: "0 0 * * 0" # Weekly on Sunday at midnight UTC
   workflow_dispatch:
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 env:
   CARGO_TERM_COLOR: always
   RUST_BACKTRACE: 1
+  CARGO_BUILD_JOBS: 2
 
 jobs:
+
   skip-check:
     name: Skip Duplicate Actions
     permissions:
       actions: write
       contents: read
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
     outputs:
       should_skip: ${{ steps.skip_check.outputs.should_skip }}
     steps:
@@ -80,18 +87,28 @@ jobs:
           concurrent_skipping: "same_content_newer"
           cancel_others: true
           paths_ignore: '["*.md", "docs/**", "deploy/**"]'
-          # Never skip release events and tag pushes
           do_not_skip: '["workflow_dispatch", "schedule", "merge_group", "release", "push"]'
 
+  typos:
+    name: Typos
+    needs: skip-check
+    if: needs.skip-check.outputs.should_skip != 'true'
+    runs-on: ubicloud-standard-2
+    steps:
+      - uses: actions/checkout@v6
+      - uses: dtolnay/rust-toolchain@stable
+      - name: Typos check with custom config file
+        uses: crate-ci/typos@master
+
   test-and-lint:
     name: Test and Lint
     needs: skip-check
     if: needs.skip-check.outputs.should_skip != 'true'
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-4
     timeout-minutes: 60
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Rust environment
         uses: ./.github/actions/setup
@@ -112,35 +129,73 @@ jobs:
       - name: Run clippy lints
         run: cargo clippy --all-targets --all-features -- -D warnings
 
-  e2e-tests:
-    name: End-to-End Tests
+      - name: Check layered dependencies
+        run: ./scripts/check_layer_dependencies.sh
+
+  build-rustfs-debug-binary:
+    name: Build RustFS Debug Binary
     needs: skip-check
     if: needs.skip-check.outputs.should_skip != 'true'
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-4
     timeout-minutes: 30
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Rust environment
         uses: ./.github/actions/setup
         with:
           rust-version: stable
-          cache-shared-key: ci-e2e-${{ hashFiles('**/Cargo.lock') }}
+          cache-shared-key: ci-rustfs-debug-binary-${{ hashFiles('**/Cargo.lock') }}
           cache-save-if: ${{ github.ref == 'refs/heads/main' }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Build debug binary
+        run: |
+          touch rustfs/build.rs
+          cargo build -p rustfs --bins --jobs 2
+
+      - name: Upload debug binary
+        uses: actions/upload-artifact@v6
+        with:
+          name: rustfs-debug-binary
+          path: target/debug/rustfs
+          if-no-files-found: error
+          retention-days: 1
+
+  e2e-tests:
+    name: End-to-End Tests
+    needs: [ skip-check, build-rustfs-debug-binary ]
+    if: needs.skip-check.outputs.should_skip != 'true'
+    runs-on: ubicloud-standard-2
+    timeout-minutes: 30
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Clean up previous test run
+        run: |
+          rm -rf /tmp/rustfs
+          rm -f /tmp/rustfs.log
+
+      - name: Download debug binary
+        uses: actions/download-artifact@v7
+        with:
+          name: rustfs-debug-binary
+          path: target/debug
+
+      - name: Make binary executable
+        run: chmod +x ./target/debug/rustfs
+
+      - name: Setup Rust toolchain for s3s-e2e installation
+        uses: dtolnay/rust-toolchain@stable
+
       - name: Install s3s-e2e test tool
         uses: taiki-e/cache-cargo-install-action@v2
         with:
           tool: s3s-e2e
-          git: https://github.com/Nugine/s3s.git
-          rev: b7714bfaa17ddfa9b23ea01774a1e7bbdbfc2ca3
-
-      - name: Build debug binary
-        run: |
-          touch rustfs/build.rs
-          cargo build -p rustfs --bins
+          git: https://github.com/s3s-project/s3s.git
+          rev: 4a04a670cf41274d9be9ab65dc36f4aa3f92fbad
 
       - name: Run end-to-end tests
         run: |
@@ -149,8 +204,44 @@ jobs:
 
       - name: Upload test logs
         if: failure()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: e2e-test-logs-${{ github.run_number }}
           path: /tmp/rustfs.log
           retention-days: 3
+
+  s3-implemented-tests:
+    name: S3 Implemented Tests
+    needs: [ skip-check, build-rustfs-debug-binary ]
+    if: needs.skip-check.outputs.should_skip != 'true'
+    runs-on: ubicloud-standard-4
+    timeout-minutes: 60
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Download debug binary
+        uses: actions/download-artifact@v7
+        with:
+          name: rustfs-debug-binary
+          path: target/debug
+
+      - name: Make binary executable
+        run: chmod +x ./target/debug/rustfs
+
+      - name: Run implemented s3-tests
+        run: |
+          DEPLOY_MODE=binary \
+          RUSTFS_BINARY=./target/debug/rustfs \
+          TEST_MODE=single \
+          MAXFAIL=1 \
+          ./scripts/s3-tests/run.sh
+
+      - name: Upload s3 test artifacts
+        if: always()
+        uses: actions/upload-artifact@v6
+        with:
+          name: s3tests-implemented-${{ github.run_number }}
+          path: artifacts/s3tests-single/**
+          if-no-files-found: ignore
+          retention-days: 3

.github/workflows/docker.yml

@@ -12,42 +12,33 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# Docker Images Workflow
+#
+# This workflow builds Docker images using pre-built binaries from the build workflow.
+#
+# Trigger Types:
+# 1. workflow_run: Automatically triggered when "Build and Release" workflow completes
+# 2. workflow_dispatch: Manual trigger for standalone Docker builds
+#
+# Key Features:
+# - Only triggers when Linux builds (x86_64 + aarch64) are successful
+# - Independent of macOS/Windows build status
+# - Uses workflow_run event for precise control
+# - Only builds Docker images for releases and prereleases (development builds are skipped)
+
 name: Docker Images
 
+# Permissions needed for workflow_run event and Docker registry access
+permissions:
+  contents: read
+  packages: write
+
 on:
-  push:
-    tags: ["*"]
-    branches: [main]
-    paths-ignore:
-      - "**.md"
-      - "**.txt"
-      - ".github/**"
-      - "docs/**"
-      - "deploy/**"
-      - "scripts/dev_*.sh"
-      - "LICENSE*"
-      - "README*"
-      - "**/*.png"
-      - "**/*.jpg"
-      - "**/*.svg"
-      - ".gitignore"
-      - ".dockerignore"
-  pull_request:
-    branches: [main]
-    paths-ignore:
-      - "**.md"
-      - "**.txt"
-      - ".github/**"
-      - "docs/**"
-      - "deploy/**"
-      - "scripts/dev_*.sh"
-      - "LICENSE*"
-      - "README*"
-      - "**/*.png"
-      - "**/*.jpg"
-      - "**/*.svg"
-      - ".gitignore"
-      - ".dockerignore"
+  # Automatically triggered when build workflow completes
+  workflow_run:
+    workflows: [ "Build and Release" ]
+    types: [ completed ]
+  # Manual trigger with same parameters for consistency
   workflow_dispatch:
     inputs:
       push_images:
@@ -55,156 +46,403 @@ on:
         required: false
         default: true
         type: boolean
+      version:
+        description: "Version to build (latest for stable release, or specific version like v1.0.0, v1.0.0-alpha1)"
+        required: false
+        default: "latest"
+        type: string
+      force_rebuild:
+        description: "Force rebuild even if binary exists (useful for testing)"
+        required: false
+        default: false
+        type: boolean
 
 env:
+  CONCLUSION: ${{ github.event.workflow_run.conclusion }}
+  HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+  HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
+  TRIGGERING_EVENT: ${{ github.event.workflow_run.event }}
+  DOCKERHUB_USERNAME: rustfs
   CARGO_TERM_COLOR: always
   REGISTRY_DOCKERHUB: rustfs/rustfs
   REGISTRY_GHCR: ghcr.io/${{ github.repository }}
+  REGISTRY_QUAY: quay.io/${{ secrets.QUAY_USERNAME }}/rustfs
+  DOCKER_PLATFORMS: linux/amd64,linux/arm64
 
 jobs:
-  # Check if we should build
+  # Check if we should build Docker images
   build-check:
-    name: Build Check
-    runs-on: ubuntu-latest
+    name: Docker Build Check
+    runs-on: ubicloud-standard-2
     outputs:
       should_build: ${{ steps.check.outputs.should_build }}
       should_push: ${{ steps.check.outputs.should_push }}
+      build_type: ${{ steps.check.outputs.build_type }}
+      version: ${{ steps.check.outputs.version }}
+      short_sha: ${{ steps.check.outputs.short_sha }}
+      is_prerelease: ${{ steps.check.outputs.is_prerelease }}
+      create_latest: ${{ steps.check.outputs.create_latest }}
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          # For workflow_run events, checkout the specific commit that triggered the workflow
+          ref: ${{ github.event.workflow_run.head_sha || github.sha }}
+
       - name: Check build conditions
         id: check
         run: |
           should_build=false
           should_push=false
+          build_type="none"
+          version=""
+          short_sha=""
+          is_prerelease=false
+          create_latest=false
 
-          # Always build on workflow_dispatch or when changes detected
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]] || \
-             [[ "${{ github.event_name }}" == "push" ]] || \
-             [[ "${{ github.event_name }}" == "pull_request" ]]; then
+          if [[ "${{ github.event_name }}" == "workflow_run" ]]; then
+            # Triggered by build workflow completion
+            echo "🔗 Triggered by build workflow completion"
+
+            # Check if the triggering workflow was successful
+            # If the workflow succeeded, it means ALL builds (including Linux x86_64 and aarch64) succeeded
+            if [[ "$CONCLUSION" == "success" ]]; then
+              echo "✅ Build workflow succeeded, all builds including Linux are successful"
+              should_build=true
+              should_push=true
+            else
+              echo "❌ Build workflow failed (conclusion: $CONCLUSION), skipping Docker build"
+              should_build=false
+            fi
+
+            # Extract version info from commit message or use commit SHA
+            # Use Git to generate consistent short SHA (ensures uniqueness like build.yml)
+            short_sha=$(git rev-parse --short "$HEAD_SHA")
+
+            # Determine build type based on triggering workflow event and ref
+            triggering_event="$TRIGGERING_EVENT"
+            head_branch="$HEAD_BRANCH"
+
+            echo "🔍 Analyzing triggering workflow:"
+            echo "   📋 Event: $triggering_event"
+            echo "   🌿 Head branch: $head_branch"
+            echo "   📎 Head SHA: $HEAD_SHA"
+
+            # Check if this was triggered by a tag push
+            if [[ "$triggering_event" == "push" ]]; then
+              # For tag pushes, head_branch will be like "refs/tags/v1.0.0" or just "v1.0.0"
+              if [[ "$head_branch" == refs/tags/* ]]; then
+                # Extract tag name from refs/tags/TAG_NAME
+                tag_name="${head_branch#refs/tags/}"
+                version="$tag_name"
+              elif [[ "$head_branch" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+ ]]; then
+                # Direct tag name like "v1.0.0" or "1.0.0-alpha.1"
+                version="$head_branch"
+              elif [[ "$head_branch" == "main" ]]; then
+                # Regular branch push to main
+                build_type="development"
+                version="dev-${short_sha}"
+                should_build=false
+                echo "⏭️  Skipping Docker build for development version (main branch push)"
+              else
+                # Other branch push
+                build_type="development"
+                version="dev-${short_sha}"
+                should_build=false
+                echo "⏭️  Skipping Docker build for development version (branch: $head_branch)"
+              fi
+
+              # If we extracted a version (tag), determine release type
+              if [[ -n "$version" ]] && [[ "$version" != "dev-${short_sha}" ]]; then
+                # Remove 'v' prefix if present for consistent version format
+                if [[ "$version" == v* ]]; then
+                  version="${version#v}"
+                fi
+
+                if [[ "$version" == *"alpha"* ]] || [[ "$version" == *"beta"* ]] || [[ "$version" == *"rc"* ]]; then
+                  build_type="prerelease"
+                  is_prerelease=true
+                  echo "🧪 Building Docker image for prerelease: $version"
+                else
+                  build_type="release"
+                  create_latest=true
+                  echo "🚀 Building Docker image for release: $version"
+                fi
+              fi
+            else
+              # Non-push events
+              build_type="development"
+              version="dev-${short_sha}"
+              should_build=false
+              echo "⏭️  Skipping Docker build for development version (event: $triggering_event)"
+            fi
+
+            echo "🔄 Build triggered by workflow_run:"
+            echo "   📋 Conclusion: $CONCLUSION"
+            echo "   🌿 Branch: $HEAD_BRANCH"
+            echo "   📎 SHA: $HEAD_SHA"
+            echo "   🎯 Event: $TRIGGERING_EVENT"
+
+          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            # Manual trigger
+            input_version="${{ github.event.inputs.version }}"
+            version="${input_version}"
+            should_push="${{ github.event.inputs.push_images }}"
             should_build=true
-          fi
 
-          # Push only on main branch, tags, or manual trigger
-          if [[ "${{ github.ref }}" == "refs/heads/main" ]] || \
-             [[ "${{ startsWith(github.ref, 'refs/tags/') }}" == "true" ]] || \
-             [[ "${{ github.event.inputs.push_images }}" == "true" ]]; then
-            should_push=true
+            # Get short SHA
+            short_sha=$(git rev-parse --short HEAD)
+
+            echo "🎯 Manual Docker build triggered:"
+            echo "   📋 Requested version: $input_version"
+            echo "   🔧 Force rebuild: ${{ github.event.inputs.force_rebuild }}"
+            echo "   🚀 Push images: $should_push"
+
+            case "$input_version" in
+              "latest")
+                build_type="release"
+                create_latest=true
+                echo "🚀 Building with latest stable release version"
+                ;;
+              # Prerelease versions (must match first, more specific)
+              v*alpha*|v*beta*|v*rc*|*alpha*|*beta*|*rc*)
+                build_type="prerelease"
+                is_prerelease=true
+                echo "🧪 Building with prerelease version: $input_version"
+                ;;
+              # Release versions (match after prereleases, more general)
+              v[0-9]*|[0-9]*.*.*)
+                build_type="release"
+                create_latest=true
+                echo "📦 Building with specific release version: $input_version"
+                ;;
+              *)
+                # Invalid version for Docker build
+                should_build=false
+                echo "❌ Invalid version for Docker build: $input_version"
+                echo "⚠️  Only release versions (latest, v1.0.0, 1.0.0) and prereleases (v1.0.0-alpha1, 1.0.0-beta2) are supported"
+                ;;
+            esac
           fi
 
           echo "should_build=$should_build" >> $GITHUB_OUTPUT
           echo "should_push=$should_push" >> $GITHUB_OUTPUT
-          echo "Build: $should_build, Push: $should_push"
+          echo "build_type=$build_type" >> $GITHUB_OUTPUT
+          echo "version=$version" >> $GITHUB_OUTPUT
+          echo "short_sha=$short_sha" >> $GITHUB_OUTPUT
+          echo "is_prerelease=$is_prerelease" >> $GITHUB_OUTPUT
+          echo "create_latest=$create_latest" >> $GITHUB_OUTPUT
+
+          echo "🐳 Docker Build Summary:"
+          echo "  - Should build: $should_build"
+          echo "  - Should push: $should_push"
+          echo "  - Build type: $build_type"
+          echo "  - Version: $version"
+          echo "  - Short SHA: $short_sha"
+          echo "  - Is prerelease: $is_prerelease"
+          echo "  - Create latest: $create_latest"
 
   # Build multi-arch Docker images
+  # Strategy: Build images using pre-built binaries from dl.rustfs.com
+  # Supports both release and dev channel binaries based on build context
+  # Only runs when should_build is true (which includes workflow success check)
   build-docker:
     name: Build Docker Images
     needs: build-check
     if: needs.build-check.outputs.should_build == 'true'
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
     timeout-minutes: 60
     strategy:
-      fail-fast: false
-      matrix:
-        variant:
-          - name: production
-            dockerfile: Dockerfile
-            platforms: linux/amd64,linux/arm64
-          - name: ubuntu
-            dockerfile: .docker/Dockerfile.ubuntu22.04
-            platforms: linux/amd64,linux/arm64
-          - name: alpine
-            dockerfile: .docker/Dockerfile.alpine
-            platforms: linux/amd64,linux/arm64
+          fail-fast: false
+          matrix:
+            include:
+              - variant: musl
+                file: Dockerfile
+                suffix: ""
+              - variant: glibc
+                file: Dockerfile.glibc
+                suffix: "-glibc"
+
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ env.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ secrets.GHCR_USERNAME }}
+          password: ${{ secrets.GHCR_PASSWORD }}
+
+      - name: Login to Quay.io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_PASSWORD }}
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
-      - name: Login to Docker Hub
-        if: needs.build-check.outputs.should_push == 'true' && secrets.DOCKERHUB_USERNAME != ''
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
-      - name: Login to GitHub Container Registry
-        if: needs.build-check.outputs.should_push == 'true'
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Extract metadata
+      - name: Extract metadata and generate tags
         id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.REGISTRY_DOCKERHUB }}
-            ${{ env.REGISTRY_GHCR }}
-          tags: |
-            type=ref,event=branch,suffix=-${{ matrix.variant.name }}
-            type=ref,event=pr,suffix=-${{ matrix.variant.name }}
-            type=semver,pattern={{version}},suffix=-${{ matrix.variant.name }}
-            type=semver,pattern={{major}}.{{minor}},suffix=-${{ matrix.variant.name }}
-            type=raw,value=latest,suffix=-${{ matrix.variant.name }},enable={{is_default_branch}}
-          flavor: |
-            latest=false
+        run: |
+          BUILD_TYPE="${{ needs.build-check.outputs.build_type }}"
+          VERSION="${{ needs.build-check.outputs.version }}"
+          SHORT_SHA="${{ needs.build-check.outputs.short_sha }}"
+          CREATE_LATEST="${{ needs.build-check.outputs.create_latest }}"
+          VARIANT_SUFFIX="${{ matrix.suffix }}"
+
+          # Convert version format for Dockerfile compatibility
+          case "$VERSION" in
+            "latest")
+              # For stable latest, use RELEASE=latest + release CHANNEL
+              DOCKER_RELEASE="latest"
+              DOCKER_CHANNEL="release"
+              ;;
+            v*)
+              # For versioned releases (v1.0.0), remove 'v' prefix for Dockerfile
+              DOCKER_RELEASE="${VERSION#v}"
+              DOCKER_CHANNEL="release"
+              ;;
+            *)
+              # For other versions, pass as-is
+              DOCKER_RELEASE="${VERSION}"
+              DOCKER_CHANNEL="release"
+              ;;
+          esac
+
+          echo "docker_release=$DOCKER_RELEASE" >> $GITHUB_OUTPUT
+          echo "docker_channel=$DOCKER_CHANNEL" >> $GITHUB_OUTPUT
+
+          echo "🐳 Docker build parameters:"
+          echo "  - Original version: $VERSION"
+          echo "  - Docker RELEASE: $DOCKER_RELEASE"
+          echo "  - Docker CHANNEL: $DOCKER_CHANNEL"
+
+          # Generate tags based on build type
+          # Only support release and prerelease builds (no development builds)
+          TAG_BASE="${VERSION}${VARIANT_SUFFIX}"
+          TAGS="${{ env.REGISTRY_DOCKERHUB }}:$TAG_BASE,${{ env.REGISTRY_GHCR }}:$TAG_BASE,${{ env.REGISTRY_QUAY }}:$TAG_BASE"
+
+          # Add channel tags for prereleases and latest for stable
+          if [[ "$CREATE_LATEST" == "true" ]]; then
+            # TODO: Temporary change - the current alpha version will also create the latest tag
+            # After the version is stabilized, the logic here remains unchanged, but the upstream CREATE_LATEST setting needs to be restored.
+            # Stable release (and temporary alpha versions)
+            TAGS="$TAGS,${{ env.REGISTRY_DOCKERHUB }}:latest${VARIANT_SUFFIX},${{ env.REGISTRY_GHCR }}:latest${VARIANT_SUFFIX},${{ env.REGISTRY_QUAY }}:latest${VARIANT_SUFFIX}"
+          elif [[ "$BUILD_TYPE" == "prerelease" ]]; then
+            # Prerelease channel tags (alpha, beta, rc)
+            if [[ "$VERSION" == *"alpha"* ]]; then
+              CHANNEL="alpha"
+            elif [[ "$VERSION" == *"beta"* ]]; then
+              CHANNEL="beta"
+            elif [[ "$VERSION" == *"rc"* ]]; then
+              CHANNEL="rc"
+            fi
+
+            if [[ -n "$CHANNEL" ]]; then
+              TAGS="$TAGS,${{ env.REGISTRY_DOCKERHUB }}:${CHANNEL}${VARIANT_SUFFIX},${{ env.REGISTRY_GHCR }}:${CHANNEL}${VARIANT_SUFFIX},${{ env.REGISTRY_QUAY }}:${CHANNEL}${VARIANT_SUFFIX}"
+            fi
+          fi
+
+          # Output tags
+          echo "tags=$TAGS" >> $GITHUB_OUTPUT
+
+          # Generate labels
+          LABELS="org.opencontainers.image.title=RustFS"
+          LABELS="$LABELS,org.opencontainers.image.description=RustFS distributed object storage system"
+          LABELS="$LABELS,org.opencontainers.image.version=$VERSION"
+          LABELS="$LABELS,org.opencontainers.image.revision=${{ github.sha }}"
+          LABELS="$LABELS,org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}"
+          LABELS="$LABELS,org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+          LABELS="$LABELS,org.opencontainers.image.build-type=$BUILD_TYPE"
+
+          echo "labels=$LABELS" >> $GITHUB_OUTPUT
+
+          echo "🐳 Generated Docker tags:"
+          echo "$TAGS" | tr ',' '\n' | sed 's/^/  - /'
+          echo "📋 Build type: $BUILD_TYPE"
+          echo "🔖 Version: $VERSION"
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
-          file: ${{ matrix.variant.dockerfile }}
-          platforms: ${{ matrix.variant.platforms }}
+          file: ${{ matrix.file }}
+          platforms: ${{ env.DOCKER_PLATFORMS }}
           push: ${{ needs.build-check.outputs.should_push == 'true' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha,scope=docker-${{ matrix.variant.name }}
-          cache-to: type=gha,mode=max,scope=docker-${{ matrix.variant.name }}
+          cache-from: |
+            type=gha,scope=docker-${{ matrix.variant }}
+          cache-to: |
+            type=gha,mode=max,scope=docker-${{ matrix.variant }}
           build-args: |
-            BUILDTIME=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
-            VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
-            REVISION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
+            BUILDTIME=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
+            VERSION=${{ needs.build-check.outputs.version }}
+            BUILD_TYPE=${{ needs.build-check.outputs.build_type }}
+            REVISION=${{ github.sha }}
+            RELEASE=${{ steps.meta.outputs.docker_release }}
+            CHANNEL=${{ steps.meta.outputs.docker_channel }}
+            BUILDKIT_INLINE_CACHE=1
+          # Enable advanced BuildKit features for better performance
+          provenance: false
+          sbom: false
+          # Add retry mechanism by splitting the build process
+          no-cache: false
+          pull: true
 
-  # Create manifest for main production image
-  create-manifest:
-    name: Create Manifest
-    needs: [build-check, build-docker]
-    if: needs.build-check.outputs.should_push == 'true' && startsWith(github.ref, 'refs/tags/')
-    runs-on: ubuntu-latest
+  # Note: Manifest creation is no longer needed as we only build one variant
+  # Multi-arch manifests are automatically created by docker/build-push-action
+
+  # Docker build summary
+  docker-summary:
+    name: Docker Build Summary
+    needs: [ build-check, build-docker ]
+    if: always() && needs.build-check.outputs.should_build == 'true'
+    runs-on: ubicloud-standard-2
     steps:
-      - name: Login to Docker Hub
-        if: secrets.DOCKERHUB_USERNAME != ''
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Create and push manifest
+      - name: Docker build completion summary
         run: |
-          VERSION=${GITHUB_REF#refs/tags/}
+          BUILD_TYPE="${{ needs.build-check.outputs.build_type }}"
+          VERSION="${{ needs.build-check.outputs.version }}"
+          CREATE_LATEST="${{ needs.build-check.outputs.create_latest }}"
 
-          # Create main image tag (without variant suffix)
-          if [[ -n "${{ secrets.DOCKERHUB_USERNAME }}" ]]; then
-            docker buildx imagetools create \
-              -t ${{ env.REGISTRY_DOCKERHUB }}:${VERSION} \
-              -t ${{ env.REGISTRY_DOCKERHUB }}:latest \
-              ${{ env.REGISTRY_DOCKERHUB }}:${VERSION}-production
-          fi
+          echo "🐳 Docker build completed successfully!"
+          echo "📦 Build type: $BUILD_TYPE"
+          echo "🔢 Version: $VERSION"
+          echo "🚀 Strategy: Images using pre-built binaries (release channel only)"
+          echo ""
 
-          docker buildx imagetools create \
-            -t ${{ env.REGISTRY_GHCR }}:${VERSION} \
-            -t ${{ env.REGISTRY_GHCR }}:latest \
-            ${{ env.REGISTRY_GHCR }}:${VERSION}-production
+          case "$BUILD_TYPE" in
+            "release")
+              echo "🚀 Release Docker image has been built with ${VERSION} tags"
+              echo "✅ This image is ready for production use"
+              if [[ "$CREATE_LATEST" == "true" ]]; then
+                echo "🏷️  Latest tag has been created for stable release"
+              fi
+              ;;
+            "prerelease")
+              echo "🧪 Prerelease Docker image has been built with ${VERSION} tags"
+              echo "⚠️  This is a prerelease image - use with caution"
+              if [[ "$CREATE_LATEST" == "true" ]]; then
+                echo "🏷️  Latest tag has been explicitly created for prerelease"
+              else
+                echo "🚫 Latest tag NOT created for prerelease"
+              fi
+              ;;
+            *)
+              echo "❌ Unexpected build type: $BUILD_TYPE"
+              ;;
+          esac

.github/workflows/e2e-s3tests.yml

@@ -0,0 +1,443 @@
+# Copyright 2024 RustFS Team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: e2e-s3tests
+
+on:
+  workflow_dispatch:
+    inputs:
+      test-mode:
+        description: "Test mode to run"
+        required: true
+        type: choice
+        default: "single"
+        options:
+          - single
+          - multi
+      xdist:
+        description: "Enable pytest-xdist (parallel). '0' to disable."
+        required: false
+        default: "0"
+      maxfail:
+        description: "Stop after N failures (debug friendly)"
+        required: false
+        default: "1"
+      markexpr:
+        description: "pytest -m expression (feature filters)"
+        required: false
+        default: "not lifecycle and not versioning and not s3website and not bucket_logging and not encryption"
+
+env:
+  # main user
+  S3_ACCESS_KEY: rustfsadmin
+  S3_SECRET_KEY: rustfsadmin
+  # alt user (must be different from main for many s3-tests)
+  S3_ALT_ACCESS_KEY: rustfsalt
+  S3_ALT_SECRET_KEY: rustfsalt
+
+  S3_REGION: us-east-1
+
+  RUST_LOG: info
+  PLATFORM: linux/amd64
+  BUILDX_CACHE_SCOPE: rustfs-e2e-s3tests-source
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event.inputs['test-mode'] || 'single' }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  s3tests-single:
+    if: github.event.inputs['test-mode'] == 'single'
+    runs-on: ubicloud-standard-2
+    timeout-minutes: 120
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Cache pip downloads
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-e2e-s3tests-${{ hashFiles('.github/workflows/e2e-s3tests.yml') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-e2e-s3tests-
+
+      - name: Install Python tools
+        run: |
+          python3 -m pip install --user --upgrade pip awscurl tox
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+
+      - name: Enable buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build RustFS image (source, cached)
+        run: |
+          DOCKER_BUILDKIT=1 docker buildx build --load \
+            --platform ${PLATFORM} \
+            --cache-from type=gha,scope=${BUILDX_CACHE_SCOPE} \
+            --cache-to type=gha,mode=max,scope=${BUILDX_CACHE_SCOPE} \
+            -t rustfs-ci \
+            -f Dockerfile.source .
+
+      - name: Create network
+        run: docker network inspect rustfs-net >/dev/null 2>&1 || docker network create rustfs-net
+
+      - name: Remove existing rustfs-single (if any)
+        run: docker rm -f rustfs-single >/dev/null 2>&1 || true
+
+      - name: Start single RustFS
+        run: |
+          docker run -d --name rustfs-single \
+            --network rustfs-net \
+            -p 9000:9000 \
+            -e RUSTFS_ADDRESS=0.0.0.0:9000 \
+            -e RUSTFS_ACCESS_KEY=$S3_ACCESS_KEY \
+            -e RUSTFS_SECRET_KEY=$S3_SECRET_KEY \
+            -e RUSTFS_VOLUMES="/data/rustfs0 /data/rustfs1 /data/rustfs2 /data/rustfs3" \
+            -v /tmp/rustfs-single:/data \
+            rustfs-ci
+
+      - name: Wait for RustFS ready
+        run: |
+          for i in {1..60}; do
+            if curl -sf http://127.0.0.1:9000/health >/dev/null 2>&1; then
+              echo "RustFS is ready"
+              exit 0
+            fi
+
+            if [ "$(docker inspect -f '{{.State.Running}}' rustfs-single 2>/dev/null)" != "true" ]; then
+              echo "RustFS container not running" >&2
+              docker logs rustfs-single || true
+              exit 1
+            fi
+
+            sleep 2
+          done
+
+          echo "Health check timed out" >&2
+          docker logs rustfs-single || true
+          exit 1
+
+      - name: Generate s3tests config
+        run: |
+          export S3_HOST=127.0.0.1
+          envsubst < .github/s3tests/s3tests.conf > s3tests.conf
+
+      - name: Provision s3-tests alt user (required by suite)
+        run: |
+          # Admin API requires AWS SigV4 signing. awscurl is used by RustFS codebase as well.
+          awscurl \
+            --service s3 \
+            --region "${S3_REGION}" \
+            --access_key "${S3_ACCESS_KEY}" \
+            --secret_key "${S3_SECRET_KEY}" \
+            -X PUT \
+            -H 'Content-Type: application/json' \
+            -d '{"secretKey":"'"${S3_ALT_SECRET_KEY}"'","status":"enabled","policy":"readwrite"}' \
+            "http://127.0.0.1:9000/rustfs/admin/v3/add-user?accessKey=${S3_ALT_ACCESS_KEY}"
+
+          # Explicitly attach built-in policy via policy mapping.
+          # s3-tests relies on alt client being able to ListBuckets during setup cleanup.
+          awscurl \
+            --service s3 \
+            --region "${S3_REGION}" \
+            --access_key "${S3_ACCESS_KEY}" \
+            --secret_key "${S3_SECRET_KEY}" \
+            -X PUT \
+            "http://127.0.0.1:9000/rustfs/admin/v3/set-user-or-group-policy?policyName=readwrite&userOrGroup=${S3_ALT_ACCESS_KEY}&isGroup=false"
+
+          # Sanity check: alt user can list buckets (should not be AccessDenied).
+          awscurl \
+            --service s3 \
+            --region "${S3_REGION}" \
+            --access_key "${S3_ALT_ACCESS_KEY}" \
+            --secret_key "${S3_ALT_SECRET_KEY}" \
+            -X GET \
+            "http://127.0.0.1:9000/" >/dev/null
+
+      - name: Prepare s3-tests
+        run: |
+          git clone --depth 1 https://github.com/ceph/s3-tests.git s3-tests
+
+      - name: Run ceph s3-tests (debug friendly)
+        run: |
+          export PATH="$HOME/.local/bin:$PATH"
+          mkdir -p artifacts/s3tests-single
+
+          cd s3-tests
+
+          set -o pipefail
+
+          MAXFAIL="${{ github.event.inputs.maxfail }}"
+          if [ -z "$MAXFAIL" ]; then MAXFAIL="1"; fi
+
+          MARKEXPR="${{ github.event.inputs.markexpr }}"
+          if [ -z "$MARKEXPR" ]; then MARKEXPR="not lifecycle and not versioning and not s3website and not bucket_logging and not encryption"; fi
+
+          XDIST="${{ github.event.inputs.xdist }}"
+          if [ -z "$XDIST" ]; then XDIST="0"; fi
+          XDIST_ARGS=""
+          if [ "$XDIST" != "0" ]; then
+            # Add pytest-xdist to requirements.txt so tox installs it inside
+            # its virtualenv. Installing outside tox does NOT work.
+            echo "pytest-xdist" >> requirements.txt
+            XDIST_ARGS="-n $XDIST --dist=loadgroup"
+          fi
+
+          # Run tests from s3tests/functional (boto2+boto3 combined directory).
+          S3TEST_CONF=${GITHUB_WORKSPACE}/s3tests.conf \
+            tox -- \
+              -vv -ra --showlocals --tb=long \
+              --maxfail="$MAXFAIL" \
+              --junitxml=${GITHUB_WORKSPACE}/artifacts/s3tests-single/junit.xml \
+              $XDIST_ARGS \
+              s3tests/functional/test_s3.py \
+              -m "$MARKEXPR" \
+              2>&1 | tee ${GITHUB_WORKSPACE}/artifacts/s3tests-single/pytest.log
+
+      - name: Collect RustFS logs
+        if: always()
+        run: |
+          mkdir -p artifacts/rustfs-single
+          docker logs rustfs-single > artifacts/rustfs-single/rustfs.log 2>&1 || true
+          docker inspect rustfs-single > artifacts/rustfs-single/inspect.json || true
+
+      - name: Upload artifacts
+        if: always() && env.ACT != 'true'
+        uses: actions/upload-artifact@v6
+        with:
+          name: s3tests-single
+          path: artifacts/**
+
+  s3tests-multi:
+    if: github.event_name == 'workflow_dispatch' && github.event.inputs['test-mode'] == 'multi'
+    runs-on: ubicloud-standard-2
+    timeout-minutes: 150
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Cache pip downloads
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-e2e-s3tests-${{ hashFiles('.github/workflows/e2e-s3tests.yml') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-e2e-s3tests-
+
+      - name: Install Python tools
+        run: |
+          python3 -m pip install --user --upgrade pip awscurl tox
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+
+      - name: Enable buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build RustFS image (source, cached)
+        run: |
+          DOCKER_BUILDKIT=1 docker buildx build --load \
+            --platform ${PLATFORM} \
+            --cache-from type=gha,scope=${BUILDX_CACHE_SCOPE} \
+            --cache-to type=gha,mode=max,scope=${BUILDX_CACHE_SCOPE} \
+            -t rustfs-ci \
+            -f Dockerfile.source .
+
+      - name: Prepare cluster compose
+        run: |
+          cat > compose.yml <<'EOF'
+          services:
+            rustfs1:
+              image: rustfs-ci
+              hostname: rustfs1
+              networks: [rustfs-net]
+              environment:
+                RUSTFS_ADDRESS: "0.0.0.0:9000"
+                RUSTFS_ACCESS_KEY: ${S3_ACCESS_KEY}
+                RUSTFS_SECRET_KEY: ${S3_SECRET_KEY}
+                RUSTFS_VOLUMES: "/data/rustfs0 /data/rustfs1 /data/rustfs2 /data/rustfs3"
+              volumes:
+                - rustfs1-data:/data
+            rustfs2:
+              image: rustfs-ci
+              hostname: rustfs2
+              networks: [rustfs-net]
+              environment:
+                RUSTFS_ADDRESS: "0.0.0.0:9000"
+                RUSTFS_ACCESS_KEY: ${S3_ACCESS_KEY}
+                RUSTFS_SECRET_KEY: ${S3_SECRET_KEY}
+                RUSTFS_VOLUMES: "/data/rustfs0 /data/rustfs1 /data/rustfs2 /data/rustfs3"
+              volumes:
+                - rustfs2-data:/data
+            rustfs3:
+              image: rustfs-ci
+              hostname: rustfs3
+              networks: [rustfs-net]
+              environment:
+                RUSTFS_ADDRESS: "0.0.0.0:9000"
+                RUSTFS_ACCESS_KEY: ${S3_ACCESS_KEY}
+                RUSTFS_SECRET_KEY: ${S3_SECRET_KEY}
+                RUSTFS_VOLUMES: "/data/rustfs0 /data/rustfs1 /data/rustfs2 /data/rustfs3"
+              volumes:
+                - rustfs3-data:/data
+            rustfs4:
+              image: rustfs-ci
+              hostname: rustfs4
+              networks: [rustfs-net]
+              environment:
+                RUSTFS_ADDRESS: "0.0.0.0:9000"
+                RUSTFS_ACCESS_KEY: ${S3_ACCESS_KEY}
+                RUSTFS_SECRET_KEY: ${S3_SECRET_KEY}
+                RUSTFS_VOLUMES: "/data/rustfs0 /data/rustfs1 /data/rustfs2 /data/rustfs3"
+              volumes:
+                - rustfs4-data:/data
+            lb:
+              image: haproxy:2.9
+              hostname: lb
+              networks: [rustfs-net]
+              ports:
+                - "9000:9000"
+              volumes:
+                - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
+          networks:
+            rustfs-net:
+              name: rustfs-net
+          volumes:
+            rustfs1-data:
+            rustfs2-data:
+            rustfs3-data:
+            rustfs4-data:
+          EOF
+
+          cat > haproxy.cfg <<'EOF'
+          defaults
+            mode http
+            timeout connect 5s
+            timeout client  30s
+            timeout server  30s
+
+          frontend fe_s3
+            bind *:9000
+            default_backend be_s3
+
+          backend be_s3
+            balance roundrobin
+            server s1 rustfs1:9000 check
+            server s2 rustfs2:9000 check
+            server s3 rustfs3:9000 check
+            server s4 rustfs4:9000 check
+          EOF
+
+      - name: Launch cluster
+        run: docker compose -f compose.yml up -d
+
+      - name: Wait for LB ready
+        run: |
+          for i in {1..90}; do
+            if curl -sf http://127.0.0.1:9000/health >/dev/null 2>&1; then
+              echo "Load balancer is ready"
+              exit 0
+            fi
+            sleep 2
+          done
+          echo "LB or backend not ready" >&2
+          docker compose -f compose.yml logs --tail=200 || true
+          exit 1
+
+      - name: Generate s3tests config
+        run: |
+          export S3_HOST=127.0.0.1
+          envsubst < .github/s3tests/s3tests.conf > s3tests.conf
+
+      - name: Provision s3-tests alt user (required by suite)
+        run: |
+          awscurl \
+            --service s3 \
+            --region "${S3_REGION}" \
+            --access_key "${S3_ACCESS_KEY}" \
+            --secret_key "${S3_SECRET_KEY}" \
+            -X PUT \
+            -H 'Content-Type: application/json' \
+            -d '{"secretKey":"'"${S3_ALT_SECRET_KEY}"'","status":"enabled","policy":"readwrite"}' \
+            "http://127.0.0.1:9000/rustfs/admin/v3/add-user?accessKey=${S3_ALT_ACCESS_KEY}"
+
+          awscurl \
+            --service s3 \
+            --region "${S3_REGION}" \
+            --access_key "${S3_ACCESS_KEY}" \
+            --secret_key "${S3_SECRET_KEY}" \
+            -X PUT \
+            "http://127.0.0.1:9000/rustfs/admin/v3/set-user-or-group-policy?policyName=readwrite&userOrGroup=${S3_ALT_ACCESS_KEY}&isGroup=false"
+
+          awscurl \
+            --service s3 \
+            --region "${S3_REGION}" \
+            --access_key "${S3_ALT_ACCESS_KEY}" \
+            --secret_key "${S3_ALT_SECRET_KEY}" \
+            -X GET \
+            "http://127.0.0.1:9000/" >/dev/null
+
+      - name: Prepare s3-tests
+        run: |
+          git clone --depth 1 https://github.com/ceph/s3-tests.git s3-tests
+
+      - name: Run ceph s3-tests (multi, debug friendly)
+        run: |
+          export PATH="$HOME/.local/bin:$PATH"
+          mkdir -p artifacts/s3tests-multi
+
+          cd s3-tests
+
+          set -o pipefail
+
+          MAXFAIL="${{ github.event.inputs.maxfail }}"
+          if [ -z "$MAXFAIL" ]; then MAXFAIL="1"; fi
+
+          MARKEXPR="${{ github.event.inputs.markexpr }}"
+          if [ -z "$MARKEXPR" ]; then MARKEXPR="not lifecycle and not versioning and not s3website and not bucket_logging and not encryption"; fi
+
+          XDIST="${{ github.event.inputs.xdist }}"
+          if [ -z "$XDIST" ]; then XDIST="0"; fi
+          XDIST_ARGS=""
+          if [ "$XDIST" != "0" ]; then
+            # Add pytest-xdist to requirements.txt so tox installs it inside
+            # its virtualenv. Installing outside tox does NOT work.
+            echo "pytest-xdist" >> requirements.txt
+            XDIST_ARGS="-n $XDIST --dist=loadgroup"
+          fi
+
+          # Run tests from s3tests/functional (boto2+boto3 combined directory).
+          S3TEST_CONF=${GITHUB_WORKSPACE}/s3tests.conf \
+            tox -- \
+              -vv -ra --showlocals --tb=long \
+              --maxfail="$MAXFAIL" \
+              --junitxml=${GITHUB_WORKSPACE}/artifacts/s3tests-multi/junit.xml \
+              $XDIST_ARGS \
+              s3tests/functional/test_s3.py \
+              -m "$MARKEXPR" \
+              2>&1 | tee ${GITHUB_WORKSPACE}/artifacts/s3tests-multi/pytest.log
+
+      - name: Collect logs
+        if: always()
+        run: |
+          mkdir -p artifacts/cluster
+          docker compose -f compose.yml logs --no-color > artifacts/cluster/cluster.log 2>&1 || true
+
+      - name: Upload artifacts
+        if: always() && env.ACT != 'true'
+        uses: actions/upload-artifact@v6
+        with:
+          name: s3tests-multi
+          path: artifacts/**

.github/workflows/helm-package.yml

@@ -0,0 +1,94 @@
+# Copyright 2024 RustFS Team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Publish helm chart to artifacthub
+
+on:
+  workflow_run:
+    workflows: [ "Build and Release" ]
+    types: [ completed ]
+
+permissions:
+  contents: read
+
+env:
+  new_version: ${{ github.event.workflow_run.head_branch }}
+
+jobs:
+  build-helm-package:
+    runs-on: ubicloud-standard-2
+    # Only run on successful builds triggered by tag pushes (version format: x.y.z or x.y.z-suffix)
+    if: |
+      github.event.workflow_run.conclusion == 'success' && 
+      github.event.workflow_run.event == 'push' &&
+      contains(github.event.workflow_run.head_branch, '.')
+
+    steps:
+      - name: Checkout helm chart repo
+        uses: actions/checkout@v6
+
+      - name: Replace chart app version
+        run: |
+          set -e
+          set -x
+          old_version=$(grep "^appVersion:" helm/rustfs/Chart.yaml | awk '{print $2}')
+          sed -i "s/$old_version/$new_version/g" helm/rustfs/Chart.yaml
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.3.0
+
+      - name: Package Helm Chart
+        run: |
+          cp helm/README.md helm/rustfs/
+          package_version=$(echo $new_version | awk -F '-' '{print $2}' | awk -F '.' '{print $NF}') 
+          helm package ./helm/rustfs --destination helm/rustfs/ --version "0.0.$package_version"
+
+      - name: Upload helm package as artifact
+        uses: actions/upload-artifact@v6
+        with:
+          name: helm-package
+          path: helm/rustfs/*.tgz
+          retention-days: 1
+
+  publish-helm-package:
+    runs-on: ubicloud-standard-2
+    needs: [ build-helm-package ]
+
+    steps:
+      - name: Checkout helm package repo
+        uses: actions/checkout@v6
+        with:
+          repository: rustfs/helm
+          token: ${{ secrets.RUSTFS_HELM_PACKAGE }}
+
+      - name: Download helm package
+        uses: actions/download-artifact@v7
+        with:
+          name: helm-package
+          path: ./
+
+      - name: Set up helm
+        uses: azure/setup-helm@v4.3.0
+
+      - name: Generate index
+        run: helm repo index . --url https://charts.rustfs.com
+
+      - name: Push helm package and index file
+        run: |
+          git config --global user.name "${{ secrets.USERNAME }}"
+          git config --global user.email "${{ secrets.EMAIL_ADDRESS }}"
+          git status .
+          git add .
+          git commit -m "Update rustfs helm package with $new_version."
+          git push origin main

.github/workflows/issue-translator.yml

@@ -1,18 +1,36 @@
-name: 'issue-translator'
-on: 
-  issue_comment: 
-    types: [created]
-  issues: 
-    types: [opened]
+# Copyright 2024 RustFS Team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "issue-translator"
+on:
+  issue_comment:
+    types: [ created ]
+  issues:
+    types: [ opened ]
+
+permissions:
+  contents: read
+  issues: write
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-4
     steps:
       - uses: usthe/issues-translate-action@v2.7
         with:
           IS_MODIFY_TITLE: false
           # not require, default false, . Decide whether to modify the issue title
           # if true, the robot account @Issues-translate-bot must have modification permissions, invite @Issues-translate-bot to your project or use your custom bot.
-          CUSTOM_BOT_NOTE: Bot detected the issue body's language is not English, translate it automatically. 
+          CUSTOM_BOT_NOTE: Bot detected the issue body's language is not English, translate it automatically.
           # not require. Customize the translation robot prefix message.

.github/workflows/nix-flake-update.yml

@@ -0,0 +1,65 @@
+# Copyright 2024 RustFS Team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Update Nix Flake
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * 0' # Weekly on Sundays
+
+permissions:
+  contents: write
+  pull-requests: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  update-flake:
+    name: Update flake.lock
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        
+      - name: Install Nix
+        uses: DeterminateSystems/determinate-nix-action@v3
+
+      - name: Check Nix flake inputs
+        uses: DeterminateSystems/flake-checker-action@v12
+
+      - name: Update flake.lock
+        id: update
+        uses: DeterminateSystems/update-flake-lock@main
+        with:
+          git-author-name: heihutu
+          git-author-email: heihutu@gmail.com
+          git-committer-name: heihutu
+          git-committer-email: heihutu@gmail.com
+          pr-title: "chore(deps): update flake.lock"
+          pr-labels: |
+            dependencies
+            nix
+            automated
+          commit-msg: "chore(deps): update flake.lock"
+          pr-reviewers: houseme, overtrue, majinghe
+          token: ${{ secrets.FLAKE_UPDATE_TOKEN }}
+
+      - name: Log PR details
+        if: steps.update.outputs.pull-request-number
+        run: |
+          echo "Pull Request created: ${{ steps.update.outputs.pull-request-number }}"

.github/workflows/nix.yml

@@ -0,0 +1,84 @@
+# Copyright 2024 RustFS Team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Nix CI
+
+on:
+  push:
+    branches: [ "main" ]
+    paths:
+      - 'flake.nix'
+      - 'flake.lock'
+      - 'Cargo.toml'
+      - 'Cargo.lock'
+      - '.github/workflows/nix.yml'
+  pull_request:
+    branches: [ "main" ]
+    paths:
+      - 'flake.nix'
+      - 'flake.lock'
+      - 'Cargo.toml'
+      - 'Cargo.lock'
+      - '.github/workflows/nix.yml'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+permissions:
+  contents: read
+
+jobs:
+  nix-validation:
+    name: Nix Build & Check
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v31
+        with:
+          github_access_token: ${{ secrets.GITHUB_TOKEN }}
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+
+      - name: Setup Magic Nix Cache
+        uses: DeterminateSystems/magic-nix-cache-action@v13
+
+      - name: Setup Flake Checker
+        uses: DeterminateSystems/flake-checker-action@v12
+
+      - name: Verify Flake
+        run: |
+          echo "Checking flake structure and evaluation..."
+          nix flake show
+          nix flake check --print-build-logs
+
+      - name: Build RustFS
+        run: |
+          echo "Building the default package..."
+          nix build .#default --print-build-logs
+
+      - name: Test Binary
+        run: |
+          echo "Verifying the built binary..."
+          if [ -x "./result/bin/rustfs" ]; then
+              ./result/bin/rustfs --help
+              echo "Binary verification successful."
+          else
+              echo "Error: Binary not found or not executable at ./result/bin/rustfs"
+              exit 1
+          fi

.github/workflows/performance.yml

@@ -16,12 +16,12 @@ name: Performance Testing
 
 on:
   push:
-    branches: [main]
+    branches: [ main ]
     paths:
-      - '**/*.rs'
-      - '**/Cargo.toml'
-      - '**/Cargo.lock'
-      - '.github/workflows/performance.yml'
+      - "**/*.rs"
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+      - ".github/workflows/performance.yml"
   workflow_dispatch:
     inputs:
       profile_duration:
@@ -30,6 +30,9 @@ on:
         default: "120"
         type: string
 
+permissions:
+  contents: read
+
 env:
   CARGO_TERM_COLOR: always
   RUST_BACKTRACE: 1
@@ -37,11 +40,11 @@ env:
 jobs:
   performance-profile:
     name: Performance Profiling
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
     timeout-minutes: 30
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Rust environment
         uses: ./.github/actions/setup
@@ -73,12 +76,11 @@ jobs:
           echo "RUSTFS_VOLUMES=./target/volume/test{0...4}" >> $GITHUB_ENV
           echo "RUST_LOG=rustfs=info,ecstore=info,s3s=info,iam=info,rustfs-obs=info" >> $GITHUB_ENV
 
-      - name: Download static files
+      - name: Verify console static assets
         run: |
-          curl -L "https://dl.rustfs.com/artifacts/console/rustfs-console-latest.zip" \
-            -o tempfile.zip --retry 3 --retry-delay 5
-          unzip -o tempfile.zip -d ./rustfs/static
-          rm tempfile.zip
+          # Console static assets are already embedded in the repository
+          echo "Console static assets size: $(du -sh rustfs/static/)"
+          echo "Console static assets are embedded via rust-embed, no external download needed"
 
       - name: Build with profiling optimizations
         run: |
@@ -105,7 +107,7 @@ jobs:
 
       - name: Upload profile data
         if: steps.profiling.outputs.profile_generated == 'true'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: performance-profile-${{ github.run_number }}
           path: samply-profile.json
@@ -113,11 +115,11 @@ jobs:
 
   benchmark:
     name: Benchmark Tests
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
     timeout-minutes: 45
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Rust environment
         uses: ./.github/actions/setup
@@ -133,7 +135,7 @@ jobs:
           tee benchmark-results.json
 
       - name: Upload benchmark results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: benchmark-results-${{ github.run_number }}
           path: benchmark-results.json

.github/workflows/release-notes-template.md

@@ -1,78 +0,0 @@
-## RustFS ${VERSION_CLEAN}
-
-${ORIGINAL_NOTES}
-
----
-
-### 🚀 Quick Download
-
-**Linux (Static Binaries - No Dependencies):**
-
-```bash
-# x86_64 (Intel/AMD)
-curl -LO https://github.com/rustfs/rustfs/releases/download/${VERSION}/rustfs-x86_64-unknown-linux-musl.zip
-unzip rustfs-x86_64-unknown-linux-musl.zip
-sudo mv rustfs /usr/local/bin/
-
-# ARM64 (Graviton, Apple Silicon VMs)
-curl -LO https://github.com/rustfs/rustfs/releases/download/${VERSION}/rustfs-aarch64-unknown-linux-musl.zip
-unzip rustfs-aarch64-unknown-linux-musl.zip
-sudo mv rustfs /usr/local/bin/
-```
-
-**macOS:**
-
-```bash
-# Apple Silicon (M1/M2/M3)
-curl -LO https://github.com/rustfs/rustfs/releases/download/${VERSION}/rustfs-aarch64-apple-darwin.zip
-unzip rustfs-aarch64-apple-darwin.zip
-sudo mv rustfs /usr/local/bin/
-
-# Intel
-curl -LO https://github.com/rustfs/rustfs/releases/download/${VERSION}/rustfs-x86_64-apple-darwin.zip
-unzip rustfs-x86_64-apple-darwin.zip
-sudo mv rustfs /usr/local/bin/
-```
-
-### 📁 Available Downloads
-
-| Platform | Architecture | File | Description |
-|----------|-------------|------|-------------|
-| Linux | x86_64 | `rustfs-x86_64-unknown-linux-musl.zip` | Static binary, no dependencies |
-| Linux | ARM64 | `rustfs-aarch64-unknown-linux-musl.zip` | Static binary, no dependencies |
-| macOS | Apple Silicon | `rustfs-aarch64-apple-darwin.zip` | Native binary, ZIP archive |
-| macOS | Intel | `rustfs-x86_64-apple-darwin.zip` | Native binary, ZIP archive |
-
-### 🔐 Verification
-
-Download checksums and verify your download:
-
-```bash
-# Download checksums
-curl -LO https://github.com/rustfs/rustfs/releases/download/${VERSION}/SHA256SUMS
-
-# Verify (Linux)
-sha256sum -c SHA256SUMS --ignore-missing
-
-# Verify (macOS)
-shasum -a 256 -c SHA256SUMS --ignore-missing
-```
-
-### 🛠️ System Requirements
-
-- **Linux**: Any distribution with glibc 2.17+ (CentOS 7+, Ubuntu 16.04+)
-- **macOS**: 10.15+ (Catalina or later)
-- **Windows**: Windows 10 version 1809 or later
-
-### 📚 Documentation
-
-- [Installation Guide](https://github.com/rustfs/rustfs#installation)
-- [Quick Start](https://github.com/rustfs/rustfs#quick-start)
-- [Configuration](https://github.com/rustfs/rustfs/blob/main/docs/)
-- [API Documentation](https://docs.rs/rustfs)
-
-### 🆘 Support
-
-- 🐛 [Report Issues](https://github.com/rustfs/rustfs/issues)
-- 💬 [Community Discussions](https://github.com/rustfs/rustfs/discussions)
-- 📖 [Documentation](https://github.com/rustfs/rustfs/tree/main/docs)

.github/workflows/stale.yml

@@ -0,0 +1,20 @@
+name: "Mark stale issues"
+on:
+  schedule:
+    - cron: "30 1 * * *"
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v9
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          stale-issue-message: 'This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.'
+          stale-issue-label: 'stale'
+          ## Mark if there is no activity for more than 7 days
+          days-before-stale: 7  
+          # If no one responds after 3 days, the tag will be closed.
+          days-before-close: 3   
+          # These tags are exempt and will not close automatically.
+          exempt-issue-labels: 'pinned,security'

.gitignore

@@ -2,9 +2,13 @@
 .DS_Store
 .idea
 .vscode
+.cursor
+.direnv/
 /test
 /logs
 /data
+/docs
+/rustfs-data/
 .devcontainer
 rustfs/static/*
 !rustfs/static/.gitkeep
@@ -19,3 +23,28 @@ deploy/certs/*
 profile.json
 .docker/openobserve-otel/data
 *.zst
+.secrets
+*.go
+*.pb
+*.svg
+deploy/logs/*.log.*
+artifacts/
+# s3-tests local artifacts (root directory only)
+/s3-tests/
+/s3-tests-local/
+/s3tests.conf
+/s3tests.conf.*
+*.events
+*.audit
+*.snappy
+PR_DESCRIPTION.md
+IMPLEMENTATION_PLAN.md
+scripts/s3-tests/selected_tests.txt
+docs
+
+# nix stuff
+result*
+*.gz
+rustfs-webdav.code-workspace
+
+.aiexclude

.pre-commit-config.yaml

@@ -0,0 +1,32 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+  - repo: local
+    hooks:
+      - id: cargo-fmt
+        name: cargo fmt
+        entry: cargo fmt --all --check
+        language: system
+        types: [rust]
+        pass_filenames: false
+
+      - id: cargo-clippy
+        name: cargo clippy
+        entry: cargo clippy --all-targets --all-features -- -D warnings
+        language: system
+        types: [rust]
+        pass_filenames: false
+
+      - id: cargo-check
+        name: cargo check
+        entry: cargo check --all-targets
+        language: system
+        types: [rust]
+        pass_filenames: false
+
+      - id: cargo-test
+        name: cargo test
+        entry: bash -c 'cargo test --workspace --exclude e2e_test && cargo test --all --doc'
+        language: system
+        types: [rust]
+        pass_filenames: false

.vscode/launch.json

@@ -1,9 +1,31 @@
 {
-    // 使用 IntelliSense 了解相关属性。 
-    // 悬停以查看现有属性的描述。
-    // 欲了解更多信息，请访问: https://go.microsoft.com/fwlink/?linkid=830387
     "version": "0.2.0",
     "configurations": [
+          {
+            "type": "lldb",
+            "request": "launch",
+            "name": "Debug(only) executable 'rustfs'",
+            "env": {
+              "RUST_LOG": "rustfs=info,ecstore=info,s3s=info,iam=info",
+              "RUSTFS_SKIP_BACKGROUND_TASK": "on"
+              //"RUSTFS_OBS_LOG_DIRECTORY": "./deploy/logs",
+              // "RUSTFS_POLICY_PLUGIN_URL":"http://localhost:8181/v1/data/rustfs/authz/allow",
+              // "RUSTFS_POLICY_PLUGIN_AUTH_TOKEN":"your-opa-token"
+            },
+            "program": "${workspaceFolder}/target/debug/rustfs",
+            "args": [
+              "--access-key",
+              "rustfsadmin",
+              "--secret-key",
+              "rustfsadmin",
+              "--address",
+              "0.0.0.0:9010",
+              "--server-domains",
+              "127.0.0.1:9010",
+              "./target/volume/test{1...4}"
+            ],
+            "cwd": "${workspaceFolder}"
+        },
         {
             "type": "lldb",
             "request": "launch",
@@ -20,18 +42,22 @@
                 }
             },
             "env": {
-                "RUST_LOG": "rustfs=debug,ecstore=info,s3s=debug"
+                "RUST_LOG": "rustfs=debug,ecstore=info,s3s=debug,iam=debug",
+                "RUSTFS_SKIP_BACKGROUND_TASK": "on",
+                //"RUSTFS_OBS_LOG_DIRECTORY": "./deploy/logs",
+                // "RUSTFS_POLICY_PLUGIN_URL":"http://localhost:8181/v1/data/rustfs/authz/allow",
+                // "RUSTFS_POLICY_PLUGIN_AUTH_TOKEN":"your-opa-token" 
             },
             "args": [
                 "--access-key",
-                "AKEXAMPLERUSTFS",
+                "rustfsadmin",
                 "--secret-key",
-                "SKEXAMPLERUSTFS",
+                "rustfsadmin",
                 "--address",
                 "0.0.0.0:9010",
-                "--domain-name",
+                "--server-domains",
                 "127.0.0.1:9010",
-                "./target/volume/test{0...4}"
+                "./target/volume/test{1...4}"
             ],
             "cwd": "${workspaceFolder}"
         },
@@ -63,12 +89,8 @@
                     "test",
                     "--no-run",
                     "--lib",
-                    "--package=ecstore"
-                ],
-                "filter": {
-                    "name": "ecstore",
-                    "kind": "lib"
-                }
+                    "--package=rustfs-ecstore"
+                ]
             },
             "args": [],
             "cwd": "${workspaceFolder}"
@@ -77,14 +99,152 @@
             "name": "Debug executable target/debug/rustfs",
             "type":  "lldb",
             "request": "launch",
-            "program": "${workspaceFolder}/target/debug/rustfs",
+            "cargo": {
+                "args": [
+                    "run",
+                    "--bin",
+                    "rustfs",
+                    "-j",
+                    "1",
+                    "--profile",
+                    "dev"
+                ]
+            },
             "args": [],
             "cwd": "${workspaceFolder}",
             //"stopAtEntry": false,
             //"preLaunchTask": "cargo build",
+            "env": {
+                "RUSTFS_ACCESS_KEY": "rustfsadmin",
+                "RUSTFS_SECRET_KEY": "rustfsadmin",
+                //"RUSTFS_VOLUMES": "./target/volume/test{1...4}",
+                "RUSTFS_ADDRESS": ":9000",
+                "RUSTFS_CONSOLE_ENABLE": "true",
+                // "RUSTFS_OBS_TRACE_ENDPOINT": "http://127.0.0.1:4318/v1/traces", // jeager otlp http endpoint
+                // "RUSTFS_OBS_METRIC_ENDPOINT": "http://127.0.0.1:4318/v1/metrics", // default otlp http endpoint
+                // "RUSTFS_OBS_LOG_ENDPOINT": "http://127.0.0.1:4318/v1/logs", // default otlp http endpoint
+                // "RUSTFS_COMPRESS_ENABLE": "true",
+                "RUSTFS_CONSOLE_ADDRESS": "127.0.0.1:9001",
+                "RUSTFS_OBS_LOG_DIRECTORY": "./target/logs",
+                "RUST_LOG":"rustfs=debug,ecstore=debug,s3s=debug,iam=debug",
+            },
+            "sourceLanguages": [
+                "rust"
+            ],
+        },
+        {
+            "type": "lldb",
+            "request": "launch",
+            "name": "Debug test_lifecycle_transition_basic",
+            "cargo": {
+                "args": [
+                    "test",
+                    "-p",
+                    "rustfs-scanner",
+                    "--test",
+                    "lifecycle_integration_test",
+                    "serial_tests::test_lifecycle_transition_basic",
+                    "-j",
+                    "1"
+                ]
+            },
+            "args": [],
+            "cwd": "${workspaceFolder}"
+        },
+        {
+            "name": "Debug executable target/debug/test",
+            "type":  "lldb",
+            "request": "launch",
+            "program": "${workspaceFolder}/target/debug/deps/lifecycle_integration_test-5915cbfcab491b3b",
+            "args": [
+              "--skip",
+              "test_lifecycle_expiry_basic",
+              "--skip",
+              "test_lifecycle_expiry_deletemarker",
+              //"--skip",
+              //"test_lifecycle_transition_basic",
+            ],
+            "cwd": "${workspaceFolder}",
+            //"stopAtEntry": false,
+            //"preLaunchTask": "cargo build",
             "sourceLanguages": [
                 "rust"
             ],
-        }
+        },
+        {
+            "name": "Debug executable target/debug/rustfs with sse",
+            "type":  "lldb",
+            "request": "launch",
+            "program": "${workspaceFolder}/target/debug/rustfs",
+            "args": [],
+            "cwd": "${workspaceFolder}",
+            //"stopAtEntry": false,
+            //"preLaunchTask": "cargo build",
+            "env": {
+                "RUSTFS_ACCESS_KEY": "rustfsadmin",
+                "RUSTFS_SECRET_KEY": "rustfsadmin",
+                "RUSTFS_VOLUMES": "./target/volumes/test{1...4}",
+                "RUSTFS_ADDRESS": ":9000",
+                "RUSTFS_CONSOLE_ENABLE": "true",
+                "RUSTFS_CONSOLE_ADDRESS": "127.0.0.1:9001",
+                "RUSTFS_OBS_LOG_DIRECTORY": "./target/logs",
+                // "RUSTFS_OBS_TRACE_ENDPOINT": "http://127.0.0.1:4318/v1/traces", // jeager otlp http endpoint
+                // "RUSTFS_OBS_METRIC_ENDPOINT": "http://127.0.0.1:4318/v1/metrics", // default otlp http endpoint
+                // "RUSTFS_OBS_LOG_ENDPOINT": "http://127.0.0.1:4318/v1/logs", // default otlp http endpoint
+                // "RUSTFS_COMPRESS_ENABLE": "true",
+
+                // 1. simple sse test key (no kms system)
+                // "__RUSTFS_SSE_SIMPLE_CMK": "2dfNXGHlsEflGVCxb+5DIdGEl1sIvtwX+QfmYasi5QM=",
+
+                // 2. kms local backend test key
+                "RUSTFS_KMS_ENABLE": "true",
+                "RUSTFS_KMS_BACKEND": "local",
+                "RUSTFS_KMS_KEY_DIR": "./target/kms-key-dir",
+                "RUSTFS_KMS_LOCAL_MASTER_KEY": "my-secret-key", // Some Password
+                "RUSTFS_KMS_DEFAULT_KEY_ID": "rustfs-master-key",
+
+                // 3. kms vault backend test key
+                // "RUSTFS_KMS_ENABLE": "true",
+                // "RUSTFS_KMS_BACKEND": "vault",
+                // "RUSTFS_KMS_VAULT_ADDRESS": "http://127.0.0.1:8200",
+                // "RUSTFS_KMS_VAULT_TOKEN": "Dev Token",
+                // "RUSTFS_KMS_DEFAULT_KEY_ID": "rustfs-master-key",
+
+            },
+            "sourceLanguages": [
+                "rust"
+            ],
+        },
+        {
+            "name": "E2E test executable target/debug/rustfs",
+            "type":  "lldb",
+            "request": "launch",
+            "program": "${workspaceFolder}/target/debug/rustfs",
+            "args": [],
+            "cwd": "${workspaceFolder}",
+            //"stopAtEntry": false,
+            //"preLaunchTask": "cargo build",
+            "env": {
+                "RUST_LOG": "rustfs=debug,ecstore=info,s3s=debug,iam=debug",
+                "RUST_BACKTRACE": "full",
+                "RUSTFS_ACCESS_KEY": "rustfsadmin",
+                "RUSTFS_SECRET_KEY": "rustfsadmin",
+                "RUSTFS_VOLUMES": "./target/e2e-test/test{1...4}",
+                "RUSTFS_REGION": "us-east-1",
+                "RUSTFS_ADDRESS": ":9000",
+                "RUSTFS_CONSOLE_ENABLE": "true",
+                "RUSTFS_CONSOLE_ADDRESS": "127.0.0.1:9001",
+                "RUSTFS_OBS_LOG_DIRECTORY": "./target/logs",
+
+                "RUSTFS_KMS_ENABLE": "true",
+                "RUSTFS_KMS_BACKEND": "local",
+                "RUSTFS_KMS_KEY_DIR": "./target/e2e-key-dir",
+                "RUSTFS_KMS_LOCAL_MASTER_KEY": "my-secret-key", // Some Password
+                "RUSTFS_KMS_DEFAULT_KEY_ID": "rustfs-master-key",
+            },
+            "sourceLanguages": [
+                "rust"
+            ],
+        },
     ]
 }

AGENTS.md

@@ -0,0 +1,67 @@
+# RustFS Agent Instructions (Global)
+
+This root file keeps repository-wide rules only.
+Use the nearest subdirectory `AGENTS.md` for path-specific guidance.
+
+## Rule Precedence
+
+1. System/developer instructions.
+2. This file (global defaults).
+3. The nearest `AGENTS.md` in the current path (more specific scope wins).
+
+If repo-level instructions conflict, follow the nearest file and keep behavior aligned with CI.
+
+## Communication and Language
+
+- Respond in the same language used by the requester.
+- Keep source code, comments, commit messages, and PR title/body in English.
+
+## Sources of Truth
+
+- Workspace layout and crate membership: `Cargo.toml` (`[workspace].members`)
+- Local quality commands: `Makefile` and `.config/make/`
+- CI quality gates: `.github/workflows/ci.yml`
+- PR template: `.github/pull_request_template.md`
+
+Avoid duplicating long crate lists or command matrices in instruction files.
+Reference the source files above instead.
+
+## Mandatory Before Commit
+
+Run and pass:
+
+```bash
+make pre-commit
+```
+
+If `make` is unavailable, run the equivalent checks defined under `.config/make/`.
+Do not commit when required checks fail.
+
+## Git and PR Baseline
+
+- Use feature branches based on the latest `main`.
+- Follow Conventional Commits, with subject length <= 72 characters.
+- Keep PR title and description in English.
+- Use `.github/pull_request_template.md` and keep all section headings.
+- Use `N/A` for non-applicable template sections.
+- Include verification commands in the PR description.
+- When using `gh pr create`/`gh pr edit`, use `--body-file` instead of inline `--body` for multiline markdown.
+
+## Security Baseline
+
+- Never commit secrets, credentials, or key material.
+- Use environment variables or vault tooling for sensitive configuration.
+- For localhost-sensitive tests, verify proxy settings to avoid traffic leakage.
+
+## Scoped Guidance in This Repository
+
+- `.github/AGENTS.md`
+- `crates/AGENTS.md`
+- `crates/config/AGENTS.md`
+- `crates/ecstore/AGENTS.md`
+- `crates/e2e_test/AGENTS.md`
+- `crates/iam/AGENTS.md`
+- `crates/kms/AGENTS.md`
+- `crates/policy/AGENTS.md`
+- `rustfs/src/admin/AGENTS.md`
+- `rustfs/src/storage/AGENTS.md`

CHANGELOG.md

@@ -0,0 +1,79 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Fixed
+- **Helm Ingress**: `customAnnotations` are now merged with class-specific annotations (nginx/traefik) instead of being ignored when `ingress.className` is set.
+
+### Added
+- **OpenStack Keystone Authentication Integration**: Full support for OpenStack Keystone authentication via X-Auth-Token headers
+  - Tower-based middleware (`KeystoneAuthLayer`) self-contained within `rustfs-keystone` crate
+  - Task-local storage for async-safe credential passing between middleware and auth handlers
+  - Automatic detection of Keystone credentials (access keys prefixed with `keystone:`)
+  - Role-based permission mapping (admin/reseller_admin roles grant owner permissions)
+  - Token caching for high-performance validation with configurable cache size and TTL
+  - Dual authentication support: Keystone and standard AWS Signature v4 work simultaneously
+  - Immediate 401 response for invalid tokens (no fallback to local auth)
+  - XML-formatted error responses compatible with S3 API
+  - Comprehensive integration documentation with manual testing guide
+  - **32 unit and integration tests** covering middleware, auth handlers, task-local storage, and role detection
+
+### Changed
+- **HTTP Server Stack**: Integrated `KeystoneAuthLayer` middleware from `rustfs-keystone` crate into service stack (positioned after ReadinessGateLayer)
+- **IAMAuth**: Enhanced `get_secret_key()` to return empty secret for Keystone credentials (bypasses signature validation)
+- **Auth Module**: Modified `check_key_valid()` to retrieve Keystone credentials from task-local storage and determine admin status
+
+### Technical Details
+- Middleware is self-contained in `rustfs-keystone` crate following the trusted-proxies pattern for integration-specific middleware
+- Uses `BoxBody` pattern for Hyper 1.x compatibility
+- Task-local storage provides request-scoped credential passing without modifying HTTP request/response types
+- Integration preserves existing S3 authentication flow while adding Keystone support
+- Zero breaking changes to existing functionality
+- No new top-level directories in main binary crate (middleware lives in integration crate)
+
+### Documentation
+- Updated `crates/keystone/README.md` with complete integration architecture and workflow
+- Added detailed manual testing guide with 10 test scenarios
+- Updated main `README.md` to list Keystone authentication as available feature
+- Added troubleshooting section for common integration issues
+
+### Configuration
+New environment variables:
+- `RUSTFS_KEYSTONE_ENABLE` - Enable/disable Keystone authentication (default: false)
+- `RUSTFS_KEYSTONE_AUTH_URL` - Keystone API endpoint URL
+- `RUSTFS_KEYSTONE_VERSION` - Keystone API version (v3)
+- `RUSTFS_KEYSTONE_ADMIN_USER` - Admin username for privileged operations
+- `RUSTFS_KEYSTONE_ADMIN_PASSWORD` - Admin password
+- `RUSTFS_KEYSTONE_ADMIN_PROJECT` - Admin project name
+- `RUSTFS_KEYSTONE_ADMIN_DOMAIN` - Admin domain name (default: Default)
+- `RUSTFS_KEYSTONE_CACHE_SIZE` - Token cache size (default: 10000)
+- `RUSTFS_KEYSTONE_CACHE_TTL` - Token cache TTL in seconds (default: 300)
+- `RUSTFS_KEYSTONE_VERIFY_SSL` - Verify SSL certificates (default: true)
+
+### Files Modified
+- `crates/keystone/src/middleware.rs` - Created Keystone authentication middleware (self-contained in keystone crate)
+- `crates/keystone/src/lib.rs` - Exported middleware module and KEYSTONE_CREDENTIALS
+- `crates/keystone/Cargo.toml` - Added Tower/HTTP dependencies for middleware functionality
+- `rustfs/src/server/http.rs` - Integrated KeystoneAuthLayer from rustfs-keystone crate
+- `rustfs/src/auth.rs` - Enhanced IAMAuth and check_key_valid for Keystone support, imported KEYSTONE_CREDENTIALS from rustfs-keystone
+- `crates/keystone/README.md` - Comprehensive integration documentation
+- `README.md` - Added Keystone as available feature
+
+### Testing
+- 16 unit tests in rustfs-keystone crate (config, auth, middleware, identity)
+- 10 integration tests in rustfs-keystone crate (task-local storage, middleware layer, scope isolation)
+- 6 auth unit tests in rustfs crate (role detection, task-local storage, Keystone credential handling)
+- **Total: 32 tests** passing with zero compilation errors
+- Manual testing guide provided for end-to-end validation
+- All tests passing with `cargo test --all --exclude e2e_test`
+
+---
+
+## Previous Releases
+
+See [GitHub Releases](https://github.com/rustfs/rustfs/releases) for previous version history.

CLA.md

@@ -1,39 +1,60 @@
-RustFS Individual Contributor License Agreement
+# RustFS Individual Contributor License Agreement
 
-Thank you for your interest in contributing documentation and related software code to a project hosted or managed by RustFS. In order to clarify the intellectual property license granted with Contributions from any person or entity, RustFS must have a Contributor License Agreement (“CLA”) on file that has been signed by each Contributor, indicating agreement to the license terms below. This version of the Contributor License Agreement allows an individual to submit Contributions to the applicable project. If you are making a submission on behalf of a legal entity, then you should sign the separate Corporate Contributor License Agreement.
+Thank you for your interest in contributing to RustFS. In order to clarify the intellectual property license granted with Contributions from any person or entity, RustFS, Inc. ("RustFS") must have a Contributor License Agreement ("CLA") on file that has been signed by each Contributor, indicating agreement to the license terms below. This license is for your protection as a Contributor as well as the protection of RustFS and its users; it does not change your rights to use your own Contributions for any other purpose.
 
-You accept and agree to the following terms and conditions for Your present and future Contributions submitted to RustFS. You hereby irrevocably assign and transfer to RustFS all right, title, and interest in and to Your Contributions, including all copyrights and other intellectual property rights therein.
+You accept and agree to the following terms and conditions for Your present and future Contributions submitted to RustFS. Except for the license granted herein to RustFS and recipients of software distributed by RustFS, You reserve all right, title, and interest in and to Your Contributions.
 
-Definitions
+**You understand and agree that You will not receive any royalty or other compensation for Your Contributions.**
 
-“You” (or “Your”) shall mean the copyright owner or legal entity authorized by the copyright owner that is making this Agreement with RustFS. For legal entities, the entity making a Contribution and all other entities that control, are controlled by, or are under common control with that entity are considered to be a single Contributor. For the purposes of this definition, “control” means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
+## 1. Definitions
 
-“Contribution” shall mean any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to RustFS for inclusion in, or documentation of, any of the products or projects owned or managed by RustFS (the “Work”), including without limitation any Work described in Schedule A. For the purposes of this definition, “submitted” means any form of electronic or written communication sent to RustFS or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, RustFS for the purpose of discussing and improving the Work.
+*   **"You"** (or **"Your"**) shall mean the copyright owner or legal entity authorized by the copyright owner that is making this Agreement with RustFS. For legal entities, the entity making a Contribution and all other entities that control, are controlled by, or are under common control with that entity are considered to be a single Contributor. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
 
-Assignment of Copyright
+*   **"Contribution"** shall mean any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to RustFS for inclusion in, or documentation of, any of the products or projects owned or managed by RustFS (the "Work"). For the purposes of this definition, "submitted" means any form of electronic or written communication sent to RustFS or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, RustFS for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."
 
-Subject to the terms and conditions of this Agreement, You hereby irrevocably assign and transfer to RustFS all right, title, and interest in and to Your Contributions, including all copyrights and other intellectual property rights therein, for the entire term of such rights, including all renewals and extensions. You agree to execute all documents and take all actions as may be reasonably necessary to vest in RustFS the ownership of Your Contributions and to assist RustFS in perfecting, maintaining, and enforcing its rights in Your Contributions.
+## 2. Grant of Copyright License
 
-Grant of Patent License
+Subject to the terms and conditions of this Agreement, You hereby grant to RustFS and to recipients of software distributed by RustFS a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works under any license, including proprietary or commercial licenses and open-source licenses, at RustFS's sole discretion.
 
-Subject to the terms and conditions of this Agreement, You hereby grant to RustFS and to recipients of documentation and software distributed by RustFS a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by You that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
+## 3. Grant of Patent License
 
-You represent that you are legally entitled to grant the above assignment and license.
+Subject to the terms and conditions of this Agreement, You hereby grant to RustFS and to recipients of software distributed by RustFS a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by You that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
 
-You represent that each of Your Contributions is Your original creation (see section 7 for submissions on behalf of others). You represent that Your Contribution submissions include complete details of any third-party license or other restriction (including, but not limited to, related patents and trademarks) of which you are personally aware and which are associated with any part of Your Contributions.
+## 4. Representations
 
-You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
+You represent that you are legally entitled to grant the above license. If your employer(s) has rights to intellectual property that you create that includes your Contributions, you represent that you have received permission to make Contributions on behalf of that employer, that your employer has waived such rights for your Contributions to RustFS, or that your employer has executed a separate Corporate CLA with RustFS.
 
-Should You wish to submit work that is not Your original creation, You may submit it to RustFS separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and conspicuously marking the work as “Submitted on behalf of a third-party: [named here]”.
+You represent that each of Your Contributions is Your original creation. You represent that Your Contribution submissions include complete details of any third-party license or other restriction (including, but not limited to, related patents and trademarks) of which you are personally aware and which are associated with any part of Your Contributions.
 
-You agree to notify RustFS of any facts or circumstances of which you become aware that would make these representations inaccurate in any respect.
+## 5. Support and Warranty
 
-Modification of CLA
+You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of **TITLE**, **NON-INFRINGEMENT**, **MERCHANTABILITY**, or **FITNESS FOR A PARTICULAR PURPOSE**.
 
-RustFS reserves the right to update or modify this CLA in the future. Any updates or modifications to this CLA shall apply only to Contributions made after the effective date of the revised CLA. Contributions made prior to the update shall remain governed by the version of the CLA that was in effect at the time of submission. It is not necessary for all Contributors to re-sign the CLA when the CLA is updated or modified.
+## 6. Third-Party Work
 
-Governing Law and Dispute Resolution
+Should You wish to submit work that is not Your original creation, You may submit it to RustFS separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".
 
-This Agreement will be governed by and construed in accordance with the laws of the People’s Republic of China excluding that body of laws known as conflict of laws. The parties expressly agree that the United Nations Convention on Contracts for the International Sale of Goods will not apply. Any legal action or proceeding arising under this Agreement will be brought exclusively in the courts located in Beijing, China, and the parties hereby irrevocably consent to the personal jurisdiction and venue therein.
+## 7. Governing Law and Jurisdiction
 
-For your reading convenience, this Agreement is written in parallel English and Chinese sections. To the extent there is a conflict between the English and Chinese sections, the English sections shall govern.
+This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, United States of America, without regard to its conflict of laws principles. The parties expressly agree that the United Nations Convention on Contracts for the International Sale of Goods will not apply. Any legal action or proceeding arising under or in connection with this Agreement shall be brought exclusively in the state or federal courts located in the State of Delaware, United States of America, and the parties hereby irrevocably consent to the personal jurisdiction and venue therein.
+
+## 8. Severability
+
+If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions will continue in full force and effect.
+
+## 9. Entire Agreement and Assignment
+
+This Agreement constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, negotiations, and discussions, whether written or oral. RustFS may assign its rights and obligations under this Agreement to any third party. You may not assign Your rights or obligations under this Agreement without the prior written consent of RustFS.
+
+---
+
+**Please read the terms of this Agreement carefully. By submitting a Contribution to RustFS, You agree to be bound by the terms and conditions of this Agreement.**
+
+| | |
+|---|---|
+| **Full Name** | __________________________________ |
+| **GitHub Username** | __________________________________ |
+| **Email Address** | __________________________________ |
+| **Date** | __________________________________ |
+
+*(Electronic signature or acknowledgement via GitHub commit/Pull Request constitutes valid acceptance of this Agreement).*

CONTRIBUTING.md

@@ -2,6 +2,8 @@
 
 ## 📋 Code Quality Requirements
 
+For instructions on setting up and running the local development environment, please see [Development Guide](docs/DEVELOPMENT.md).
+
 ### 🔧 Code Formatting Rules
 
 **MANDATORY**: All code must be properly formatted before committing. This project enforces strict formatting standards to maintain code consistency and readability.
@@ -184,6 +186,39 @@ cargo clippy --all-targets --all-features -- -D warnings
 cargo clippy --fix --all-targets --all-features
 ```
 
+## 📝 Pull Request Guidelines
+
+### Language Requirements
+
+**All Pull Request titles and descriptions MUST be written in English.**
+
+This ensures:
+- Consistency across all contributions
+- Accessibility for international contributors
+- Better integration with automated tools and CI/CD systems
+- Clear communication in a globally understood language
+
+#### PR Description Requirements
+
+When creating a Pull Request, ensure:
+
+1. **Title**: Use English and follow Conventional Commits format (e.g., `fix: improve s3-tests readiness detection`)
+2. **Description**: Write in English, following the PR template format
+3. **Code Comments**: Must be in English (as per coding standards)
+4. **Commit Messages**: Must be in English (as per commit guidelines)
+
+#### PR Template
+
+Always use the PR template (`.github/pull_request_template.md`) and fill in all sections:
+- Type of Change
+- Related Issues
+- Summary of Changes
+- Checklist
+- Impact
+- Additional Notes
+
+**Note**: While you may communicate with reviewers in Chinese during discussions, the PR itself (title, description, and all formal documentation) must be in English.
+
 ---
 
 Following these guidelines ensures high code quality and smooth collaboration across the RustFS project! 🚀

Cargo.toml

@@ -15,41 +15,54 @@
 [workspace]
 members = [
     "rustfs", # Core file system implementation
-    "cli/rustfs-gui", # Graphical user interface client
     "crates/appauth", # Application authentication and authorization
+    "crates/audit", # Audit target management system with multi-target fan-out
+    "crates/checksums", # client checksums
     "crates/common", # Shared utilities and data structures
     "crates/config", # Configuration management
+    "crates/credentials", # Credential management system
     "crates/crypto", # Cryptography and security features
     "crates/ecstore", # Erasure coding storage implementation
     "crates/e2e_test", # End-to-end test suite
     "crates/filemeta", # File metadata management
+    "crates/heal", # Erasure set and object healing
     "crates/iam", # Identity and Access Management
+    "crates/keystone", # OpenStack Keystone integration
+    "crates/kms", # Key Management Service
     "crates/lock", # Distributed locking implementation
     "crates/madmin", # Management dashboard and admin API interface
+    "crates/mcp", # MCP server for S3 operations
+    "crates/metrics", # Metrics collection and reporting
     "crates/notify", # Notification system for events
     "crates/obs", # Observability utilities
+    "crates/policy", # Policy management
+    "crates/protocols", # Protocol implementations (FTPS, SFTP, etc.)
     "crates/protos", # Protocol buffer definitions
     "crates/rio", # Rust I/O utilities and abstractions
+    "crates/s3-common", # Common utilities and data structures for S3 compatibility
     "crates/s3select-api", # S3 Select API interface
     "crates/s3select-query", # S3 Select query engine
+    "crates/scanner", # Scanner for data integrity checks and health monitoring
     "crates/signer", # client signer
+    "crates/targets", # Target-specific configurations and utilities
+    "crates/trusted-proxies", # Trusted proxies management
     "crates/utils", # Utility functions and helpers
     "crates/workers", # Worker thread pools and task scheduling
     "crates/zip", # ZIP file handling and compression
-    "crates/ahm",
 ]
-resolver = "2"
+resolver = "3"
 
 [workspace.package]
 edition = "2024"
 license = "Apache-2.0"
 repository = "https://github.com/rustfs/rustfs"
-rust-version = "1.85"
+rust-version = "1.93.0"
 version = "0.0.5"
 homepage = "https://rustfs.com"
 description = "RustFS is a high-performance distributed object storage software built using Rust, one of the most popular languages worldwide. "
 keywords = ["RustFS", "Minio", "object-storage", "filesystem", "s3"]
 categories = ["web-programming", "development-tools", "filesystem", "network-programming"]
+authors = ["RustFS Team"]
 
 [workspace.lints.rust]
 unsafe_code = "deny"
@@ -57,223 +70,244 @@ unsafe_code = "deny"
 [workspace.lints.clippy]
 all = "warn"
 
-[patch.crates-io]
-rustfs-utils = { path = "crates/utils" }
-rustfs-filemeta = { path = "crates/filemeta" }
-rustfs-rio = { path = "crates/rio" }
-
 [workspace.dependencies]
-rustfs-ahm = { path = "crates/ahm", version = "0.0.3" }
-rustfs-s3select-api = { path = "crates/s3select-api", version = "0.0.5" }
+# RustFS Internal Crates
+rustfs = { path = "./rustfs", version = "0.0.5" }
+rustfs-heal = { path = "crates/heal", version = "0.0.5" }
 rustfs-appauth = { path = "crates/appauth", version = "0.0.5" }
+rustfs-audit = { path = "crates/audit", version = "0.0.5" }
+rustfs-checksums = { path = "crates/checksums", version = "0.0.5" }
 rustfs-common = { path = "crates/common", version = "0.0.5" }
+rustfs-config = { path = "./crates/config", version = "0.0.5" }
+rustfs-credentials = { path = "crates/credentials", version = "0.0.5" }
 rustfs-crypto = { path = "crates/crypto", version = "0.0.5" }
 rustfs-ecstore = { path = "crates/ecstore", version = "0.0.5" }
+rustfs-filemeta = { path = "crates/filemeta", version = "0.0.5" }
 rustfs-iam = { path = "crates/iam", version = "0.0.5" }
+rustfs-keystone = { path = "crates/keystone", version = "0.0.5" }
+rustfs-kms = { path = "crates/kms", version = "0.0.5" }
 rustfs-lock = { path = "crates/lock", version = "0.0.5" }
 rustfs-madmin = { path = "crates/madmin", version = "0.0.5" }
+rustfs-mcp = { path = "crates/mcp", version = "0.0.5" }
+rustfs-metrics = { path = "crates/metrics", version = "0.0.5" }
+rustfs-notify = { path = "crates/notify", version = "0.0.5" }
+rustfs-obs = { path = "crates/obs", version = "0.0.5" }
 rustfs-policy = { path = "crates/policy", version = "0.0.5" }
 rustfs-protos = { path = "crates/protos", version = "0.0.5" }
-rustfs-s3select-query = { path = "crates/s3select-query", version = "0.0.5" }
-rustfs = { path = "./rustfs", version = "0.0.5" }
-rustfs-zip = { path = "./crates/zip", version = "0.0.5" }
-rustfs-config = { path = "./crates/config", version = "0.0.5" }
-rustfs-obs = { path = "crates/obs", version = "0.0.5" }
-rustfs-notify = { path = "crates/notify", version = "0.0.5" }
-rustfs-utils = { path = "crates/utils", version = "0.0.5" }
 rustfs-rio = { path = "crates/rio", version = "0.0.5" }
-rustfs-filemeta = { path = "crates/filemeta", version = "0.0.5" }
+rustfs-s3-common = { path = "crates/s3-common", version = "0.0.5" }
+rustfs-s3select-api = { path = "crates/s3select-api", version = "0.0.5" }
+rustfs-s3select-query = { path = "crates/s3select-query", version = "0.0.5" }
+rustfs-scanner = { path = "crates/scanner", version = "0.0.5" }
 rustfs-signer = { path = "crates/signer", version = "0.0.5" }
+rustfs-trusted-proxies = { path = "crates/trusted-proxies", version = "0.0.5" }
+rustfs-targets = { path = "crates/targets", version = "0.0.5" }
+rustfs-utils = { path = "crates/utils", version = "0.0.5" }
 rustfs-workers = { path = "crates/workers", version = "0.0.5" }
-aes-gcm = { version = "0.10.3", features = ["std"] }
-arc-swap = "1.7.1"
-argon2 = { version = "0.5.3", features = ["std"] }
-atoi = "2.0.0"
-async-channel = "2.4.0"
+rustfs-zip = { path = "./crates/zip", version = "0.0.5" }
+rustfs-protocols = { path = "crates/protocols", version = "0.0.5" }
+
+# Async Runtime and Networking
+async-channel = "2.5.0"
+async-compression = { version = "0.4.41" }
 async-recursion = "1.1.1"
-async-trait = "0.1.88"
-async-compression = { version = "0.4.0" }
-atomic_enum = "0.3.0"
-aws-sdk-s3 = "1.96.0"
-axum = "0.8.4"
-axum-extra = "0.10.1"
-axum-server = { version = "0.7.2", features = ["tls-rustls"] }
-base64-simd = "0.8.0"
-base64 = "0.22.1"
-brotli = "8.0.1"
-bytes = { version = "1.10.1", features = ["serde"] }
-bytesize = "2.0.1"
+async-trait = "0.1.89"
+axum = "0.8.8"
+futures = "0.3.32"
+futures-core = "0.3.32"
+futures-util = "0.3.32"
+pollster = "0.4.0"
+hyper = { version = "1.8.1", features = ["http2", "http1", "server"] }
+hyper-rustls = { version = "0.27.7", default-features = false, features = ["native-tokio", "http1", "tls12", "logging", "http2", "aws-lc-rs", "webpki-roots"] }
+hyper-util = { version = "0.1.20", features = ["tokio", "server-auto", "server-graceful", "tracing"] }
+http = "1.4.0"
+http-body = "1.0.1"
+http-body-util = "0.1.3"
+reqwest = { version = "0.13.2", default-features = false, features = ["rustls", "charset", "http2", "system-proxy", "stream", "json", "blocking", "query", "form"] }
+socket2 = { version = "0.6.3", features = ["all"] }
+tokio = { version = "1.50.0", features = ["fs", "rt-multi-thread"] }
+tokio-rustls = { version = "0.26.4", default-features = false, features = ["logging", "tls12", "aws-lc-rs"] }
+tokio-stream = { version = "0.1.18" }
+tokio-test = "0.4.5"
+tokio-util = { version = "0.7.18", features = ["io", "compat"] }
+tonic = { version = "0.14.5", features = ["gzip"] }
+tonic-prost = { version = "0.14.5" }
+tonic-prost-build = { version = "0.14.5" }
+tower = { version = "0.5.3", features = ["timeout"] }
+tower-http = { version = "0.6.8", features = ["cors"] }
+
+# Serialization and Data Formats
+bytes = { version = "1.11.1", features = ["serde"] }
+bytesize = "2.3.1"
 byteorder = "1.5.0"
-cfg-if = "1.0.1"
-chacha20poly1305 = { version = "0.10.1" }
-chrono = { version = "0.4.41", features = ["serde"] }
-clap = { version = "4.5.40", features = ["derive", "env"] }
-const-str = { version = "0.6.2", features = ["std", "proc"] }
-crc32fast = "1.4.2"
-criterion = { version = "0.5", features = ["html_reports"] }
-dashmap = "6.1.0"
-datafusion = "46.0.1"
+flatbuffers = "25.12.19"
+form_urlencoded = "1.2.2"
+prost = "0.14.3"
+quick-xml = "0.39.2"
+rmcp = { version = "1.2.0" }
+rmp = { version = "0.8.15" }
+rmp-serde = { version = "1.3.1" }
+serde = { version = "1.0.228", features = ["derive"] }
+serde_json = { version = "1.0.149", features = ["raw_value"] }
+serde_urlencoded = "0.7.1"
+schemars = "1.2.1"
+
+# Cryptography and Security
+aes-gcm = { version = "0.11.0-rc.3", features = ["rand_core"] }
+argon2 = { version = "0.6.0-rc.7" }
+blake3 = { version = "1.8.3", features = ["rayon", "mmap"] }
+chacha20poly1305 = { version = "0.11.0-rc.3" }
+crc-fast = "1.9.0"
+hmac = { version = "0.13.0-rc.5" }
+jsonwebtoken = { version = "10.3.0", features = ["aws_lc_rs"] }
+openidconnect = { version = "4.0", default-features = false }
+pbkdf2 = "0.13.0-rc.9"
+rsa = { version = "0.10.0-rc.17" }
+rustls = { version = "0.23.37", default-features = false, features = ["aws-lc-rs", "logging", "tls12", "prefer-post-quantum", "std"] }
+rustls-pki-types = "1.14.0"
+sha1 = "0.11.0-rc.5"
+sha2 = "0.11.0-rc.5"
+subtle = "2.6"
+zeroize = { version = "1.8.2", features = ["derive"] }
+
+# Time and Date
+chrono = { version = "0.4.44", features = ["serde"] }
+humantime = "2.3.0"
+jiff = { version = "0.2.23", features = ["serde"] }
+time = { version = "0.3.47", features = ["std", "parsing", "formatting", "macros", "serde"] }
+
+# Utilities and Tools
+anyhow = "1.0.102"
+arc-swap = "1.8.2"
+astral-tokio-tar = "0.5.6"
+atoi = "2.0.0"
+atomic_enum = "0.3.0"
+aws-config = { version = "1.8.15" }
+aws-credential-types = { version = "1.2.14" }
+aws-sdk-s3 = { version = "1.126.0", default-features = false, features = ["sigv4a", "default-https-client", "rt-tokio"] }
+aws-smithy-http-client = { version = "1.1.12", default-features = false, features = ["default-client", "rustls-aws-lc"] }
+aws-smithy-types = { version = "1.4.6" }
+backtrace = "0.3.76"
+base64 = "0.22.1"
+base64-simd = "0.8.0"
+brotli = "8.0.2"
+cfg-if = "1.0.4"
+clap = { version = "4.6.0", features = ["derive", "env"] }
+const-str = { version = "1.1.0", features = ["std", "proc"] }
+convert_case = "0.11.0"
+criterion = { version = "0.8", features = ["html_reports"] }
+crossbeam-queue = "0.3.12"
+crossbeam-channel = "0.5.15"
+crossbeam-deque = "0.8.6"
+crossbeam-utils = "0.8.21"
+datafusion = "52.3.0"
 derive_builder = "0.20.2"
-dioxus = { version = "0.6.3", features = ["router"] }
-dirs = "6.0.0"
-enumset = "1.1.6"
-flatbuffers = "25.2.10"
-flate2 = "1.1.2"
-flexi_logger = { version = "0.31.2", features = ["trc", "dont_minimize_extra_stacks"] }
-form_urlencoded = "1.2.1"
-futures = "0.3.31"
-futures-core = "0.3.31"
-futures-util = "0.3.31"
-glob = "0.3.2"
+enumset = "1.1.10"
+faster-hex = "0.10.0"
+flate2 = "1.1.9"
+glob = "0.3.3"
+google-cloud-storage = "1.9.0"
+google-cloud-auth = "1.7.0"
+hashbrown = { version = "0.16.1", features = ["serde", "rayon"] }
 hex = "0.4.3"
 hex-simd = "0.8.0"
 highway = { version = "1.3.0" }
-hmac = "0.12.1"
-hyper = "1.6.0"
-hyper-util = { version = "0.1.14", features = [
-    "tokio",
-    "server-auto",
-    "server-graceful",
-] }
-hyper-rustls = "0.27.7"
-http = "1.3.1"
-http-body = "1.0.1"
-humantime = "2.2.0"
 ipnetwork = { version = "0.21.1", features = ["serde"] }
-jsonwebtoken = "9.3.1"
-keyring = { version = "3.6.2", features = [
-    "apple-native",
-    "windows-native",
-    "sync-secret-service",
-] }
 lazy_static = "1.5.0"
-libsystemd = { version = "0.7.2" }
-local-ip-address = "0.6.5"
+libc = "0.2.183"
+libsystemd = "0.7.2"
+local-ip-address = "0.6.10"
 lz4 = "1.28.1"
-matchit = "0.8.4"
-md-5 = "0.10.6"
+matchit = "0.9.1"
+md-5 = "0.11.0-rc.5"
+md5 = "0.8.0"
 mime_guess = "2.0.5"
+moka = { version = "0.12.14", features = ["future"] }
 netif = "0.1.6"
-nix = { version = "0.30.1", features = ["fs"] }
-nu-ansi-term = "0.50.1"
 num_cpus = { version = "1.17.0" }
-nvml-wrapper = "0.11.0"
-object_store = "0.11.2"
-once_cell = "1.21.3"
-opentelemetry = { version = "0.30.0" }
-opentelemetry-appender-tracing = { version = "0.30.1", features = [
-    "experimental_use_tracing_span_context",
-    "experimental_metadata_attributes",
-    "spec_unstable_logs_enabled"
-] }
-opentelemetry_sdk = { version = "0.30.0" }
-opentelemetry-stdout = { version = "0.30.0" }
-opentelemetry-otlp = { version = "0.30.0", default-features = false, features = [
-    "grpc-tonic", "gzip-tonic", "trace", "metrics", "logs", "internal-logs"
-] }
-opentelemetry-semantic-conventions = { version = "0.30.0", features = [
-    "semconv_experimental",
-] }
-parking_lot = "0.12.4"
+nvml-wrapper = "0.12.0"
+object_store = "0.12.5"
+parking_lot = "0.12.5"
 path-absolutize = "3.1.1"
 path-clean = "1.0.1"
-blake3 = { version = "1.8.2" }
-pbkdf2 = "0.12.2"
-percent-encoding = "2.3.1"
-pin-project-lite = "0.2.16"
-prost = "0.13.5"
-quick-xml = "0.37.5"
-rand = "0.9.1"
-rdkafka = { version = "0.37.0", features = ["tokio"] }
-reed-solomon-simd = { version = "3.0.1" }
-regex = { version = "1.11.1" }
-reqwest = { version = "0.12.22", default-features = false, features = [
-    "rustls-tls",
-    "charset",
-    "http2",
-    "system-proxy",
-    "stream",
-    "json",
-    "blocking",
-] }
-rfd = { version = "0.15.3", default-features = false, features = [
-    "xdg-portal",
-    "tokio",
-] }
-rmp = "0.8.14"
-rmp-serde = "1.3.0"
-rsa = "0.9.8"
-rumqttc = { version = "0.24" }
-rust-embed = { version = "8.7.2" }
-rust-i18n = { version = "3.1.5" }
-rustfs-rsc = "2025.506.1"
-rustls = { version = "0.23.28" }
-rustls-pki-types = "1.12.0"
-rustls-pemfile = "2.2.0"
-s3s = { version = "0.12.0-minio-preview.1" }
-shadow-rs = { version = "1.2.0", default-features = false }
-serde = { version = "1.0.219", features = ["derive"] }
-serde_json = { version = "1.0.140", features = ["raw_value"] }
-serde-xml-rs = "0.8.1"
-serde_urlencoded = "0.7.1"
-sha1 = "0.10.6"
-sha2 = "0.10.9"
-siphasher = "1.0.1"
+percent-encoding = "2.3.2"
+pin-project-lite = "0.2.17"
+pretty_assertions = "1.4.1"
+rand = { version = "0.10.0", features = ["serde"] }
+ratelimit = "0.10.0"
+rayon = "1.11.0"
+reed-solomon-simd = { version = "3.1.0" }
+regex = { version = "1.12.3" }
+rumqttc = { version = "0.25.1" }
+rustix = { version = "1.1.4", features = ["fs"] }
+rust-embed = { version = "8.11.0" }
+rustc-hash = { version = "2.1.1" }
+s3s = { git = "https://github.com/s3s-project/s3s", rev = "c2dc7b16535659904d4efff52c558fc039be1ef3", features = ["minio"] }
+serial_test = "3.4.0"
+shadow-rs = { version = "1.7.1", default-features = false }
+siphasher = "1.0.2"
 smallvec = { version = "1.15.1", features = ["serde"] }
-snafu = "0.8.6"
+smartstring = "1.0.1"
+snafu = "0.9.0"
 snap = "1.1.1"
-socket2 = "0.5.10"
-strum = { version = "0.27.1", features = ["derive"] }
-sysinfo = "0.35.2"
-tempfile = "3.20.0"
+starshard = { version = "1.1.0", features = ["rayon", "async", "serde"] }
+strum = { version = "0.28.0", features = ["derive"] }
+sysinfo = "0.38.4"
+temp-env = "0.3.6"
+tempfile = "3.27.0"
 test-case = "3.3.1"
-thiserror = "2.0.12"
-time = { version = "0.3.41", features = [
-    "std",
-    "parsing",
-    "formatting",
-    "macros",
-    "serde",
-] }
-tokio = { version = "1.46.1", features = ["fs", "rt-multi-thread"] }
-tokio-rustls = { version = "0.26.2", default-features = false }
-tokio-stream = { version = "0.1.17" }
-tokio-tar = "0.3.1"
-tokio-util = { version = "0.7.15", features = ["io", "compat"] }
-tonic = { version = "0.13.1", features = ["gzip"] }
-tonic-build = { version = "0.13.1" }
-tower = { version = "0.5.2", features = ["timeout"] }
-tower-http = { version = "0.6.6", features = ["cors"] }
-tracing = "0.1.41"
-tracing-core = "0.1.34"
+thiserror = "2.0.18"
+tracing = { version = "0.1.44" }
+tracing-appender = "0.2.4"
 tracing-error = "0.2.1"
-tracing-subscriber = { version = "0.3.19", features = ["env-filter", "time"] }
-tracing-appender = "0.2.3"
-tracing-opentelemetry = "0.31.0"
+tracing-opentelemetry = "0.32.1"
+tracing-subscriber = { version = "0.3.23", features = ["env-filter", "time"] }
 transform-stream = "0.3.1"
-url = "2.5.4"
+url = "2.5.8"
 urlencoding = "2.1.3"
-uuid = { version = "1.17.0", features = [
-    "v4",
-    "fast-rng",
-    "macro-diagnostics",
-] }
-wildmatch = { version = "2.4.0", features = ["serde"] }
-winapi = { version = "0.3.9" }
+uuid = { version = "1.22.0", features = ["v4", "fast-rng", "macro-diagnostics"] }
+vaultrs = { version = "0.7.4" }
+walkdir = "2.5.0"
+wildmatch = { version = "2.6.1", features = ["serde"] }
+windows = { version = "0.62.2" }
 xxhash-rust = { version = "0.8.15", features = ["xxh64", "xxh3"] }
-zip = "2.4.2"
+zip = "8.2.0"
 zstd = "0.13.3"
-anyhow = "1.0.86"
 
-[profile.wasm-dev]
-inherits = "dev"
-opt-level = 1
+# Observability and Metrics
+metrics = "0.24.3"
+opentelemetry = { version = "0.31.0" }
+opentelemetry-appender-tracing = { version = "0.31.1", features = ["experimental_use_tracing_span_context", "experimental_metadata_attributes", "spec_unstable_logs_enabled"] }
+opentelemetry-otlp = { version = "0.31.0", features = ["gzip-http", "reqwest-rustls"] }
+opentelemetry_sdk = { version = "0.31.0" }
+opentelemetry-semantic-conventions = { version = "0.31.0", features = ["semconv_experimental"] }
+opentelemetry-stdout = { version = "0.31.0" }
+pyroscope = { version = "2.0.0", features = ["backend-pprof-rs"] }
 
-[profile.server-dev]
-inherits = "dev"
+# FTP and SFTP
+libunftp = { version = "0.23.0", features = ["experimental"] }
+unftp-core = "0.1.0"
+suppaftp = { version = "8.0.2", features = ["tokio", "tokio-rustls-aws-lc-rs"] }
+rcgen = "0.14.7"
 
-[profile.android-dev]
-inherits = "dev"
+# WebDAV
+dav-server = "0.11.0"
+
+# Performance Analysis and Memory Profiling
+mimalloc = "0.1"
+# Use tikv-jemallocator as memory allocator and enable performance analysis
+tikv-jemallocator = { version = "0.6", features = ["profiling", "stats", "unprefixed_malloc_on_supported_platforms", "background_threads"] }
+# Used to control and obtain statistics for jemalloc at runtime
+tikv-jemalloc-ctl = { version = "0.6", features = ["use_std", "stats", "profiling"] }
+# Used to generate pprof-compatible memory profiling data and support symbolization and flame graphs
+jemalloc_pprof = { version = "0.8.2", features = ["symbolize", "flamegraph"] }
+# Used to generate CPU performance analysis data and flame diagrams
+# pprof = { version = "0.15.0", features = ["flamegraph", "protobuf-codec"] }
+# Pyroscope uses a patched pprof, until they merge back upstream, replace all references. Otherwise, two pprof libs with symbol collision.
+pprof = { package = "pprof-pyroscope-fork", version = "0.1500.3", features = ["flamegraph", "protobuf-codec"] }
+
+[workspace.metadata.cargo-shear]
+ignored = ["rustfs", "rustfs-mcp"]
 
 [profile.release]
 opt-level = 3

Dockerfile

@@ -12,38 +12,98 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM alpine:3.18 AS builder
+FROM alpine:3.23 AS build
 
-RUN apk add -U --no-cache \
-    ca-certificates \
-    curl \
-    bash \
-    unzip
+ARG TARGETARCH
+ARG RELEASE=latest
+
+RUN apk add --no-cache ca-certificates curl unzip
+WORKDIR /build
+
+RUN set -eux; \
+    case "$TARGETARCH" in \
+      amd64)  ARCH_SUBSTR="x86_64-musl"  ;; \
+      arm64)  ARCH_SUBSTR="aarch64-musl" ;; \
+      *) echo "Unsupported TARGETARCH=$TARGETARCH" >&2; exit 1 ;; \
+    esac; \
+    if [ "$RELEASE" = "latest" ]; then \
+      TAG="$(curl -fsSL https://api.github.com/repos/rustfs/rustfs/releases \
+              | grep -o '"tag_name": "[^"]*"' | cut -d'"' -f4 | head -n 1)"; \
+    else \
+      TAG="$RELEASE"; \
+    fi; \
+    echo "Using tag: $TAG (arch pattern: $ARCH_SUBSTR)"; \
+    # Find download URL in assets list for this tag that contains arch substring and ends with .zip
+    URL="$(curl -fsSL "https://api.github.com/repos/rustfs/rustfs/releases/tags/$TAG" \
+           | grep -o "\"browser_download_url\": \"[^\"]*${ARCH_SUBSTR}[^\"]*\\.zip\"" \
+           | cut -d'"' -f4 | head -n 1)"; \
+    if [ -z "$URL" ]; then echo "Failed to locate release asset for $ARCH_SUBSTR at tag $TAG" >&2; exit 1; fi; \
+    echo "Downloading: $URL"; \
+    curl -fL "$URL" -o rustfs.zip; \
+    unzip -q rustfs.zip -d /build; \
+    # If binary is not in root directory, try to locate and move from zip to /build/rustfs
+    if [ ! -x /build/rustfs ]; then \
+      BIN_PATH="$(unzip -Z -1 rustfs.zip | grep -E '(^|/)rustfs$' | head -n 1 || true)"; \
+      if [ -n "$BIN_PATH" ]; then \
+        mkdir -p /build/.tmp && unzip -q rustfs.zip "$BIN_PATH" -d /build/.tmp && \
+        mv "/build/.tmp/$BIN_PATH" /build/rustfs; \
+      fi; \
+    fi; \
+    [ -x /build/rustfs ] || { echo "rustfs binary not found in asset" >&2; exit 1; }; \
+    chmod +x /build/rustfs; \
+    rm -rf rustfs.zip /build/.tmp || true
 
 
-RUN curl -Lo /tmp/rustfs.zip https://dl.rustfs.com/artifacts/rustfs/rustfs-x86_64-unknown-linux-musl.zip && \
-    unzip -o /tmp/rustfs.zip -d /tmp && \
-    mv /tmp/rustfs /rustfs && \
-    chmod +x /rustfs && \
-    rm -rf /tmp/*
+FROM alpine:3.23
 
-FROM alpine:3.18
+ARG RELEASE=latest
+ARG BUILD_DATE
+ARG VCS_REF
 
-RUN apk add -U --no-cache \
-    ca-certificates \
-    bash
+LABEL name="RustFS" \
+      vendor="RustFS Team" \
+      maintainer="RustFS Team <dev@rustfs.com>" \
+      version="v${RELEASE#v}" \
+      release="${RELEASE}" \
+      build-date="${BUILD_DATE}" \
+      vcs-ref="${VCS_REF}" \
+      summary="High-performance distributed object storage system compatible with S3 API" \
+      description="RustFS is a distributed object storage system written in Rust, supporting erasure coding, multi-tenant management, and observability." \
+      url="https://rustfs.com" \
+      license="Apache-2.0"
 
-COPY --from=builder /rustfs /usr/local/bin/rustfs
+RUN apk add --no-cache ca-certificates coreutils curl
 
-ENV RUSTFS_ACCESS_KEY=rustfsadmin \
-    RUSTFS_SECRET_KEY=rustfsadmin \
-    RUSTFS_ADDRESS=":9000" \
-    RUSTFS_CONSOLE_ENABLE=true \
-    RUST_LOG=warn
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=build /build/rustfs /usr/bin/rustfs
+COPY entrypoint.sh /entrypoint.sh
 
-EXPOSE 9000
+RUN chmod +x /usr/bin/rustfs /entrypoint.sh
 
-RUN mkdir -p /data
-VOLUME /data
+RUN addgroup -g 10001 -S rustfs && \
+    adduser -u 10001 -G rustfs -S rustfs -D && \
+    mkdir -p /data /logs && \
+    chown -R rustfs:rustfs /data /logs && \
+    chmod 0750 /data /logs
 
-CMD ["rustfs", "/data"]
+ENV RUSTFS_ADDRESS=":9000" \
+    RUSTFS_CONSOLE_ADDRESS=":9001" \
+    RUSTFS_ACCESS_KEY="rustfsadmin" \
+    RUSTFS_SECRET_KEY="rustfsadmin" \
+    RUSTFS_CONSOLE_ENABLE="true" \
+    RUSTFS_CORS_ALLOWED_ORIGINS="*" \
+    RUSTFS_CONSOLE_CORS_ALLOWED_ORIGINS="*" \
+    RUSTFS_VOLUMES="/data" \
+    RUSTFS_OBS_LOGGER_LEVEL=warn \
+    RUSTFS_OBS_LOG_DIRECTORY=/logs \
+    RUSTFS_OBS_ENVIRONMENT=production
+    
+EXPOSE 9000 9001
+
+VOLUME ["/data"]
+
+USER rustfs
+
+ENTRYPOINT ["/entrypoint.sh"]
+
+CMD ["rustfs"]

Dockerfile.glibc

@@ -0,0 +1,115 @@
+# Copyright 2024 RustFS Team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ubuntu:24.04 AS build
+
+ARG TARGETARCH
+ARG RELEASE=latest
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    unzip \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /build
+
+RUN set -eux; \
+    case "$TARGETARCH" in \
+      amd64)  ARCH_SUBSTR="x86_64-gnu"  ;; \
+      arm64)  ARCH_SUBSTR="aarch64-gnu" ;; \
+      *) echo "Unsupported TARGETARCH=$TARGETARCH" >&2; exit 1 ;; \
+    esac; \
+    \
+    if [ "$RELEASE" = "latest" ]; then \
+      TAG="$(curl -fsSL https://api.github.com/repos/rustfs/rustfs/releases \
+              | grep -o '"tag_name": "[^"]*"' | cut -d'"' -f4 | head -n 1)"; \
+    else \
+      TAG="$RELEASE"; \
+    fi; \
+    \
+    URL="$(curl -fsSL "https://api.github.com/repos/rustfs/rustfs/releases/tags/$TAG" \
+           | grep -o "\"browser_download_url\": \"[^\"]*${ARCH_SUBSTR}[^\"]*\\.zip\"" \
+           | cut -d'"' -f4 | head -n 1)"; \
+    \
+    if [ -z "$URL" ]; then echo "Failed to locate release asset for $ARCH_SUBSTR at tag $TAG" >&2; exit 1; fi; \
+    \
+    curl -fL "$URL" -o rustfs.zip; \
+    unzip -q rustfs.zip -d /build; \
+    \
+    if [ ! -x /build/rustfs ]; then \
+      BIN_PATH="$(unzip -Z -1 rustfs.zip | grep -E '(^|/)rustfs$' | head -n 1 || true)"; \
+      if [ -n "$BIN_PATH" ]; then \
+        mkdir -p /build/.tmp && unzip -q rustfs.zip "$BIN_PATH" -d /build/.tmp && \
+        mv "/build/.tmp/$BIN_PATH" /build/rustfs; \
+      fi; \
+    fi; \
+    [ -x /build/rustfs ] || { echo "rustfs binary not found in asset" >&2; exit 1; }; \
+    chmod +x /build/rustfs; \
+    rm -rf rustfs.zip /build/.tmp || true
+
+FROM ubuntu:24.04
+
+ARG RELEASE=latest
+ARG BUILD_DATE
+ARG VCS_REF
+
+LABEL name="RustFS" \
+      vendor="RustFS Team" \
+      maintainer="RustFS Team <dev@rustfs.com>" \
+      version="v${RELEASE#v}" \
+      release="${RELEASE}" \
+      build-date="${BUILD_DATE}" \
+      vcs-ref="${VCS_REF}" \
+      summary="High-performance distributed object storage system (glibc)" \
+      url="https://rustfs.com" \
+      license="Apache-2.0"
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=build /build/rustfs /usr/bin/rustfs
+COPY entrypoint.sh /entrypoint.sh
+
+RUN chmod +x /usr/bin/rustfs /entrypoint.sh
+
+RUN groupadd -g 10001 rustfs && \
+    useradd -u 10001 -g rustfs -m -s /sbin/nologin rustfs && \
+    mkdir -p /data /logs && \
+    chown -R rustfs:rustfs /data /logs && \
+    chmod 0750 /data /logs
+
+ENV RUSTFS_ADDRESS=":9000" \
+    RUSTFS_CONSOLE_ADDRESS=":9001" \
+    RUSTFS_ACCESS_KEY="rustfsadmin" \
+    RUSTFS_SECRET_KEY="rustfsadmin" \
+    RUSTFS_CONSOLE_ENABLE="true" \
+    RUSTFS_CORS_ALLOWED_ORIGINS="*" \
+    RUSTFS_CONSOLE_CORS_ALLOWED_ORIGINS="*" \
+    RUSTFS_VOLUMES="/data" \
+    RUSTFS_OBS_LOGGER_LEVEL=warn \
+    RUSTFS_OBS_LOG_DIRECTORY=/logs \
+    RUSTFS_OBS_ENVIRONMENT=production
+    
+EXPOSE 9000 9001
+
+VOLUME ["/data"]
+
+USER rustfs
+
+ENTRYPOINT ["/entrypoint.sh"]
+
+CMD ["rustfs"]

Dockerfile.multi-stage

@@ -1,121 +0,0 @@
-# Multi-stage Dockerfile for RustFS
-# Supports cross-compilation for amd64 and arm64 architectures
-ARG TARGETPLATFORM
-ARG BUILDPLATFORM
-
-# Build stage
-FROM --platform=$BUILDPLATFORM rust:1.85-bookworm AS builder
-
-# Install required build dependencies
-RUN apt-get update && apt-get install -y \
-    wget \
-    git \
-    curl \
-    unzip \
-    gcc \
-    pkg-config \
-    libssl-dev \
-    lld \
-    && rm -rf /var/lib/apt/lists/*
-
-# Install cross-compilation tools for ARM64
-RUN if [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
-        apt-get update && \
-        apt-get install -y gcc-aarch64-linux-gnu && \
-        rm -rf /var/lib/apt/lists/*; \
-    fi
-
-# Install protoc
-RUN wget https://github.com/protocolbuffers/protobuf/releases/download/v31.1/protoc-31.1-linux-x86_64.zip \
-    && unzip protoc-31.1-linux-x86_64.zip -d protoc3 \
-    && mv protoc3/bin/* /usr/local/bin/ && chmod +x /usr/local/bin/protoc \
-    && mv protoc3/include/* /usr/local/include/ && rm -rf protoc-31.1-linux-x86_64.zip protoc3
-
-# Install flatc
-RUN wget https://github.com/google/flatbuffers/releases/download/v25.2.10/Linux.flatc.binary.g++-13.zip \
-    && unzip Linux.flatc.binary.g++-13.zip \
-    && mv flatc /usr/local/bin/ && chmod +x /usr/local/bin/flatc && rm -rf Linux.flatc.binary.g++-13.zip
-
-# Set up Rust targets based on platform
-RUN case "$TARGETPLATFORM" in \
-        "linux/amd64") rustup target add x86_64-unknown-linux-gnu ;; \
-        "linux/arm64") rustup target add aarch64-unknown-linux-gnu ;; \
-        *) echo "Unsupported platform: $TARGETPLATFORM" && exit 1 ;; \
-    esac
-
-# Set up environment for cross-compilation
-ENV CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc
-ENV CC_aarch64_unknown_linux_gnu=aarch64-linux-gnu-gcc
-ENV CXX_aarch64_unknown_linux_gnu=aarch64-linux-gnu-g++
-
-WORKDIR /usr/src/rustfs
-
-# Copy Cargo files for dependency caching
-COPY Cargo.toml Cargo.lock ./
-COPY */Cargo.toml ./*/
-
-# Create dummy main.rs files for dependency compilation
-RUN find . -name "Cargo.toml" -not -path "./Cargo.toml" | \
-    xargs -I {} dirname {} | \
-    xargs -I {} sh -c 'mkdir -p {}/src && echo "fn main() {}" > {}/src/main.rs'
-
-# Build dependencies only (cache layer)
-RUN case "$TARGETPLATFORM" in \
-        "linux/amd64") cargo build --release --target x86_64-unknown-linux-gnu ;; \
-        "linux/arm64") cargo build --release --target aarch64-unknown-linux-gnu ;; \
-    esac
-
-# Copy source code
-COPY . .
-
-# Generate protobuf code
-RUN cargo run --bin gproto
-
-# Build the actual application
-RUN case "$TARGETPLATFORM" in \
-        "linux/amd64") \
-            cargo build --release --target x86_64-unknown-linux-gnu --bin rustfs && \
-            cp target/x86_64-unknown-linux-gnu/release/rustfs /usr/local/bin/rustfs \
-            ;; \
-        "linux/arm64") \
-            cargo build --release --target aarch64-unknown-linux-gnu --bin rustfs && \
-            cp target/aarch64-unknown-linux-gnu/release/rustfs /usr/local/bin/rustfs \
-            ;; \
-    esac
-
-# Runtime stage - Ubuntu minimal for better compatibility
-FROM ubuntu:22.04
-
-# Install runtime dependencies
-RUN apt-get update && apt-get install -y \
-    ca-certificates \
-    tzdata \
-    wget \
-    && rm -rf /var/lib/apt/lists/*
-
-# Create rustfs user and group
-RUN groupadd -g 1000 rustfs && \
-    useradd -d /app -g rustfs -u 1000 -s /bin/bash rustfs
-
-WORKDIR /app
-
-# Create data directories
-RUN mkdir -p /data/rustfs{0,1,2,3} && \
-    chown -R rustfs:rustfs /data /app
-
-# Copy binary from builder stage
-COPY --from=builder /usr/local/bin/rustfs /app/rustfs
-RUN chmod +x /app/rustfs && chown rustfs:rustfs /app/rustfs
-
-# Switch to non-root user
-USER rustfs
-
-# Expose ports
-EXPOSE 9000 9001
-
-# Health check
-HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
-    CMD wget --no-verbose --tries=1 --spider http://localhost:9000/health || exit 1
-
-# Set default command
-CMD ["/app/rustfs"]

Dockerfile.obs

@@ -1,21 +0,0 @@
-FROM ubuntu:latest
-
-# RUN apk add --no-cache <package-name>
-# 如果 rustfs 有依赖，可以在这里添加，例如：
-# RUN apk add --no-cache openssl
-# RUN apk add --no-cache bash  # 安装 Bash
-
-WORKDIR /app
-
-# 创建与 RUSTFS_VOLUMES 一致的目录
-RUN mkdir -p /root/data/target/volume/test1 /root/data/target/volume/test2 /root/data/target/volume/test3 /root/data/target/volume/test4
-
-# COPY ./target/x86_64-unknown-linux-musl/release/rustfs /app/rustfs
-COPY ./target/x86_64-unknown-linux-gnu/release/rustfs /app/rustfs
-
-RUN chmod +x /app/rustfs
-
-EXPOSE 9000
-EXPOSE 9002
-
-CMD ["/app/rustfs"]

Dockerfile.source

@@ -0,0 +1,241 @@
+# syntax=docker/dockerfile:1.6
+# Copyright 2024 RustFS Team
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Multi-stage Dockerfile for RustFS - LOCAL DEVELOPMENT ONLY
+#
+# IMPORTANT: This Dockerfile builds RustFS from source for local development and testing.
+# CI/CD uses the production Dockerfile with prebuilt binaries instead.
+#
+# Example:
+#   docker build -f Dockerfile.source -t rustfs:dev-local .
+#   docker run --rm -p 9000:9000 rustfs:dev-local
+#
+# Supports cross-compilation for amd64 and arm64 via TARGETPLATFORM.
+
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+
+# -----------------------------
+# Build stage
+# -----------------------------
+FROM rust:1.91-trixie AS builder
+
+# Re-declare args after FROM
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+
+# Debug: print platforms
+RUN echo "Build info -> BUILDPLATFORM=${BUILDPLATFORM}, TARGETPLATFORM=${TARGETPLATFORM}"
+
+# Install build toolchain and headers
+# Use distro packages for protoc/flatc to avoid host-arch mismatch
+RUN set -eux; \
+    export DEBIAN_FRONTEND=noninteractive; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+    build-essential \
+    ca-certificates \
+    curl \
+    git \
+    pkg-config \
+    libssl-dev \
+    lld \
+    protobuf-compiler \
+    flatbuffers-compiler \
+    gcc-aarch64-linux-gnu \
+    gcc-x86-64-linux-gnu; \
+    rm -rf /var/lib/apt/lists/*
+
+# Optional: cross toolchain for aarch64 (only when targeting linux/arm64)
+RUN set -eux; \
+    if [ "${TARGETPLATFORM:-linux/amd64}" = "linux/arm64" ]; then \
+    export DEBIAN_FRONTEND=noninteractive; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends gcc-aarch64-linux-gnu; \
+    rm -rf /var/lib/apt/lists/*; \
+    fi
+
+# Add Rust targets for both arches (to support cross-builds on multi-arch runners)
+RUN set -eux; \
+    rustup target add x86_64-unknown-linux-gnu aarch64-unknown-linux-gnu; \
+    rustup component add rust-std-x86_64-unknown-linux-gnu rust-std-aarch64-unknown-linux-gnu
+
+# Cross-compilation environment (used only when targeting aarch64)
+ENV CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc
+ENV CC_aarch64_unknown_linux_gnu=aarch64-linux-gnu-gcc
+ENV CXX_aarch64_unknown_linux_gnu=aarch64-linux-gnu-g++
+ENV CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER=x86_64-linux-gnu-gcc
+ENV CC_x86_64_unknown_linux_gnu=x86_64-linux-gnu-gcc
+ENV CXX_x86_64_unknown_linux_gnu=x86_64-linux-gnu-g++
+
+WORKDIR /usr/src/rustfs
+
+# Layered copy to maximize caching:
+# 1) top-level manifests
+COPY Cargo.toml Cargo.lock ./
+# 2) workspace member manifests (adjust if workspace layout changes)
+COPY rustfs/Cargo.toml rustfs/Cargo.toml
+COPY crates/*/Cargo.toml crates/
+
+# Pre-fetch dependencies for better caching
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+    --mount=type=cache,target=/usr/local/cargo/git \
+    cargo fetch --locked || true
+
+# 3) copy full sources (this is the main cache invalidation point)
+COPY . .
+
+# Generate static files
+
+RUN ./scripts/static.sh
+
+# Cargo build configuration for lean release artifacts
+ENV CARGO_NET_GIT_FETCH_WITH_CLI=true \
+    CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse \
+    CARGO_INCREMENTAL=0 \
+    CARGO_PROFILE_RELEASE_DEBUG=false \
+    CARGO_PROFILE_RELEASE_SPLIT_DEBUGINFO=off \
+    CARGO_PROFILE_RELEASE_STRIP=symbols
+
+# Generate protobuf/flatbuffers code (uses protoc/flatc from distro)
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+    --mount=type=cache,target=/usr/local/cargo/git \
+    --mount=type=cache,target=/usr/src/rustfs/target \
+    cargo run --bin gproto
+
+# Build RustFS (target depends on TARGETPLATFORM)
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+    --mount=type=cache,target=/usr/local/cargo/git \
+    --mount=type=cache,target=/usr/src/rustfs/target \
+    set -eux; \
+    case "${TARGETPLATFORM:-linux/amd64}" in \
+    linux/amd64) \
+    echo "Building for x86_64-unknown-linux-gnu"; \
+    cargo build --release --locked --target x86_64-unknown-linux-gnu --bin rustfs -j "$(nproc)"; \
+    install -m 0755 target/x86_64-unknown-linux-gnu/release/rustfs /usr/local/bin/rustfs \
+    ;; \
+    linux/arm64) \
+    echo "Building for aarch64-unknown-linux-gnu"; \
+    cargo build --release --locked --target aarch64-unknown-linux-gnu --bin rustfs -j "$(nproc)"; \
+    install -m 0755 target/aarch64-unknown-linux-gnu/release/rustfs /usr/local/bin/rustfs \
+    ;; \
+    *) \
+    echo "Unsupported TARGETPLATFORM=${TARGETPLATFORM}" >&2; exit 1 \
+    ;; \
+    esac
+
+# -----------------------------
+# Development stage (keeps toolchain)
+# -----------------------------
+FROM builder AS dev
+
+ARG BUILD_DATE
+ARG VCS_REF
+
+LABEL name="RustFS (dev-source)" \
+    maintainer="RustFS Team" \
+    build-date="${BUILD_DATE}" \
+    vcs-ref="${VCS_REF}" \
+    description="RustFS - local development with Rust toolchain."
+
+# Install runtime dependencies that might be missing in partial builder
+# (builder already has build-essential, lld, etc.)
+WORKDIR /app
+
+ENV CARGO_INCREMENTAL=1
+
+# Ensure we have the same default env vars available
+ENV RUSTFS_ADDRESS=":9000" \
+    RUSTFS_ACCESS_KEY="rustfsadmin" \
+    RUSTFS_SECRET_KEY="rustfsadmin" \
+    RUSTFS_CONSOLE_ENABLE="true" \
+    RUSTFS_VOLUMES="/data" \
+    RUST_LOG="warn" \
+    RUSTFS_OBS_LOG_DIRECTORY="/logs" \
+    RUSTFS_USERNAME="rustfs" \
+    RUSTFS_GROUPNAME="rustfs" \
+    RUSTFS_UID="10001" \
+    RUSTFS_GID="10001"
+
+# Note: We don't COPY source here because we expect it to be mounted at /app
+# We rely on cargo run to build and run
+EXPOSE 9000 9001
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["cargo", "run", "--bin", "rustfs", "--"]
+
+# -----------------------------
+# Runtime stage (Ubuntu minimal)
+# -----------------------------
+FROM ubuntu:22.04
+
+ARG BUILD_DATE
+ARG VCS_REF
+
+LABEL name="RustFS (dev-local)" \
+    maintainer="RustFS Team" \
+    build-date="${BUILD_DATE}" \
+    vcs-ref="${VCS_REF}" \
+    description="RustFS - local development image built from source (NOT for production)."
+
+# Minimal runtime deps: certificates + tzdata + coreutils (for chroot --userspec)
+RUN set -eux; \
+    export DEBIAN_FRONTEND=noninteractive; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+    ca-certificates \
+    tzdata \
+    coreutils; \
+    rm -rf /var/lib/apt/lists/*
+
+# Create a conventional runtime user/group (final switch happens in entrypoint via chroot --userspec)
+RUN set -eux; \
+    groupadd -g 10001 rustfs; \
+    useradd -u 10001 -g rustfs -M -s /usr/sbin/nologin rustfs
+
+WORKDIR /app
+
+# Prepare data/log directories with sane defaults
+RUN set -eux; \
+    mkdir -p /data /logs; \
+    chown -R rustfs:rustfs /data /logs /app; \
+    chmod 0750 /data /logs
+
+# Copy the freshly built binary and the entrypoint
+COPY --from=builder /usr/local/bin/rustfs /usr/bin/rustfs
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /usr/bin/rustfs /entrypoint.sh
+
+# Default environment (override in docker run/compose as needed)
+ENV RUSTFS_ADDRESS=":9000" \
+    RUSTFS_ACCESS_KEY="rustfsadmin" \
+    RUSTFS_SECRET_KEY="rustfsadmin" \
+    RUSTFS_CONSOLE_ENABLE="true" \
+    RUSTFS_VOLUMES="/data" \
+    RUST_LOG="warn" \
+    RUSTFS_USERNAME="rustfs" \
+    RUSTFS_GROUPNAME="rustfs" \
+    RUSTFS_UID="10001" \
+    RUSTFS_GID="10001"
+
+EXPOSE 9000
+VOLUME ["/data"]
+
+# Keep root here; entrypoint will drop privileges using chroot --userspec
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["/usr/bin/rustfs"]

Justfile

@@ -0,0 +1,258 @@
+DOCKER_CLI := env("DOCKER_CLI", "docker")
+IMAGE_NAME := env("IMAGE_NAME", "rustfs:v1.0.0")
+DOCKERFILE_SOURCE := env("DOCKERFILE_SOURCE", "Dockerfile.source")
+DOCKERFILE_PRODUCTION := env("DOCKERFILE_PRODUCTION", "Dockerfile")
+CONTAINER_NAME := env("CONTAINER_NAME", "rustfs-dev")
+
+[group("📒 Help")]
+[private]
+default:
+    @just --list --list-heading $'🦀 RustFS justfile manual page:\n'
+
+[doc("show help")]
+[group("📒 Help")]
+help: default
+
+[doc("run `cargo fmt` to format codes")]
+[group("👆 Code Quality")]
+fmt:
+    @echo "🔧 Formatting code..."
+    cargo fmt --all
+
+[doc("run `cargo fmt` in check mode")]
+[group("👆 Code Quality")]
+fmt-check:
+    @echo "📝 Checking code formatting..."
+    cargo fmt --all --check
+
+[doc("run `cargo clippy`")]
+[group("👆 Code Quality")]
+clippy:
+    @echo "🔍 Running clippy checks..."
+    cargo clippy --all-targets --all-features --fix --allow-dirty -- -D warnings
+
+[doc("run `cargo check`")]
+[group("👆 Code Quality")]
+check:
+    @echo "🔨 Running compilation check..."
+    cargo check --all-targets
+
+[doc("run `cargo test`")]
+[group("👆 Code Quality")]
+test:
+    @echo "🧪 Running tests..."
+    cargo nextest run --all --exclude e2e_test
+    cargo test --all --doc
+
+[doc("run `fmt` `clippy` `check` `test` at once")]
+[group("👆 Code Quality")]
+pre-commit: fmt clippy check test
+    @echo "✅ All pre-commit checks passed!"
+
+[group("🤔 Git")]
+setup-hooks:
+    @echo "🔧 Setting up git hooks..."
+    chmod +x .git/hooks/pre-commit
+    @echo "✅ Git hooks setup complete!"
+
+[doc("use `release` mode for building")]
+[group("🔨 Build")]
+build:
+    @echo "🔨 Building RustFS using build-rustfs.sh script..."
+    ./build-rustfs.sh
+
+[doc("use `debug` mode for building")]
+[group("🔨 Build")]
+build-dev:
+    @echo "🔨 Building RustFS in development mode..."
+    ./build-rustfs.sh --dev
+
+[group("🔨 Build")]
+[private]
+build-target target:
+    @echo "🔨 Building rustfs for {{ target }}..."
+    @echo "💡 On macOS/Windows, use 'make build-docker' or 'make docker-dev' instead"
+    ./build-rustfs.sh --platform {{ target }}
+
+[doc("use `x86_64-unknown-linux-musl` target for building")]
+[group("🔨 Build")]
+build-musl: (build-target "x86_64-unknown-linux-musl")
+
+[doc("use `x86_64-unknown-linux-gnu` target for building")]
+[group("🔨 Build")]
+build-gnu: (build-target "x86_64-unknown-linux-gnu")
+
+[doc("use `aarch64-unknown-linux-musl` target for building")]
+[group("🔨 Build")]
+build-musl-arm64: (build-target "aarch64-unknown-linux-musl")
+
+[doc("use `aarch64-unknown-linux-gnu` target for building")]
+[group("🔨 Build")]
+build-gnu-arm64: (build-target "aarch64-unknown-linux-gnu")
+
+[doc("build and deploy to server")]
+[group("🔨 Build")]
+deploy-dev ip: build-musl
+    @echo "🚀 Deploying to dev server: {{ ip }}"
+    ./scripts/dev_deploy.sh {{ ip }}
+
+[group("🔨 Build")]
+[private]
+build-cross-all-pre:
+    @echo "🔧 Building all target architectures..."
+    @echo "💡 On macOS/Windows, use 'make docker-dev' for reliable multi-arch builds"
+    @echo "🔨 Generating protobuf code..."
+    -cargo run --bin gproto
+
+[doc("build all targets at once")]
+[group("🔨 Build")]
+build-cross-all: build-cross-all-pre && build-gnu build-gnu-arm64 build-musl build-musl-arm64
+
+# ========================================================================================
+# Docker Multi-Architecture Builds (Primary Methods)
+# ========================================================================================
+
+[doc("build an image and run it")]
+[group("🐳 Build Image")]
+build-docker os="rockylinux9.3" cli=(DOCKER_CLI) dockerfile=(DOCKERFILE_SOURCE):
+    #!/usr/bin/env bash
+    SOURCE_BUILD_IMAGE_NAME="rustfs/rustfs-{{ os }}:v1"
+    SOURCE_BUILD_CONTAINER_NAME="rustfs-{{ os }}-build"
+    BUILD_CMD="/root/.cargo/bin/cargo build --release --bin rustfs --target-dir /root/s3-rustfs/target/{{ os }}"
+    echo "🐳 Building RustFS using Docker ({{ os }})..."
+    {{ cli }} buildx build -t $SOURCE_BUILD_IMAGE_NAME -f {{ dockerfile }} .
+    {{ cli }} run --rm --name $SOURCE_BUILD_CONTAINER_NAME -v $(pwd):/root/s3-rustfs -it $SOURCE_BUILD_IMAGE_NAME $BUILD_CMD
+
+[doc("build an image")]
+[group("🐳 Build Image")]
+docker-buildx:
+    @echo "🏗️ Building multi-architecture production Docker images with buildx..."
+    ./docker-buildx.sh
+
+[doc("build an image and push it")]
+[group("🐳 Build Image")]
+docker-buildx-push:
+    @echo "🚀 Building and pushing multi-architecture production Docker images with buildx..."
+    ./docker-buildx.sh --push
+
+[doc("build an image with a version")]
+[group("🐳 Build Image")]
+docker-buildx-version version:
+    @echo "🏗️ Building multi-architecture production Docker images (version: {{ version }}..."
+    ./docker-buildx.sh --release {{ version }}
+
+[doc("build an image with a version and push it")]
+[group("🐳 Build Image")]
+docker-buildx-push-version version:
+    @echo "🚀 Building and pushing multi-architecture production Docker images (version: {{ version }}..."
+    ./docker-buildx.sh --release {{ version }} --push
+
+[doc("build an image with a version and push it to registry")]
+[group("🐳 Build Image")]
+docker-dev-push registry cli=(DOCKER_CLI) source=(DOCKERFILE_SOURCE):
+    @echo "🚀 Building and pushing multi-architecture development Docker images..."
+    @echo "💡 push to registry: {{ registry }}"
+    {{ cli }} buildx build \
+    	--platform linux/amd64,linux/arm64 \
+    	--file {{ source }} \
+    	--tag {{ registry }}/rustfs:source-latest \
+    	--tag {{ registry }}/rustfs:dev-latest \
+    	--push \
+    	.
+
+# Local production builds using direct buildx (alternative to docker-buildx.sh)
+
+[group("🐳 Build Image")]
+docker-buildx-production-local cli=(DOCKER_CLI) source=(DOCKERFILE_PRODUCTION):
+    @echo "🏗️ Building single-architecture production Docker image locally..."
+    @echo "💡 Alternative to docker-buildx.sh for local testing"
+    {{ cli }} buildx build \
+    	--file {{ source }} \
+    	--tag rustfs:production-latest \
+    	--tag rustfs:latest \
+    	--load \
+    	--build-arg RELEASE=latest \
+    	.
+
+# Development/Source builds using direct buildx commands
+
+[group("🐳 Build Image")]
+docker-dev cli=(DOCKER_CLI) source=(DOCKERFILE_SOURCE):
+    @echo "🏗️ Building multi-architecture development Docker images with buildx..."
+    @echo "💡 This builds from source code and is intended for local development and testing"
+    @echo "⚠️  Multi-arch images cannot be loaded locally, use docker-dev-push to push to registry"
+    {{ cli }} buildx build \
+    	--platform linux/amd64,linux/arm64 \
+    	--file {{ source }} \
+    	--tag rustfs:source-latest \
+    	--tag rustfs:dev-latest \
+    	.
+
+[group("🐳 Build Image")]
+docker-dev-local cli=(DOCKER_CLI) source=(DOCKERFILE_SOURCE):
+    @echo "🏗️ Building single-architecture development Docker image for local use..."
+    @echo "💡 This builds from source code for the current platform and loads locally"
+    {{ cli }} buildx build \
+    	--file {{ source }} \
+    	--tag rustfs:source-latest \
+    	--tag rustfs:dev-latest \
+    	--load \
+    	.
+
+# ========================================================================================
+# Single Architecture Docker Builds (Traditional)
+# ========================================================================================
+
+[group("🐳 Build Image")]
+docker-build-production cli=(DOCKER_CLI) source=(DOCKERFILE_PRODUCTION):
+    @echo "🏗️ Building single-architecture production Docker image..."
+    @echo "💡 Consider using 'make docker-buildx-production-local' for multi-arch support"
+    {{ cli }} build -f {{ source }} -t rustfs:latest .
+
+[group("🐳 Build Image")]
+docker-build-source cli=(DOCKER_CLI) source=(DOCKERFILE_SOURCE):
+    @echo "🏗️ Building single-architecture source Docker image..."
+    @echo "💡 Consider using 'make docker-dev-local' for multi-arch support"
+    {{ cli }} build -f {{ source }} -t rustfs:source .
+
+# ========================================================================================
+# Development Environment
+# ========================================================================================
+
+[group("🏃 Running")]
+dev-env-start cli=(DOCKER_CLI) source=(DOCKERFILE_SOURCE) container=(CONTAINER_NAME):
+    @echo "🚀 Starting development environment..."
+    {{ cli }} buildx build \
+    	--file {{ source }} \
+    	--tag rustfs:dev \
+    	--load \
+    	.
+    -{{ cli }} stop {{ container }} 2>/dev/null
+    -{{ cli }} rm {{ container }} 2>/dev/null
+    {{ cli }} run -d --name {{ container }} \
+    	-p 9010:9010 -p 9000:9000 \
+    	-v {{ invocation_directory() }}:/workspace \
+    	-it rustfs:dev
+
+[group("🏃 Running")]
+dev-env-stop cli=(DOCKER_CLI) container=(CONTAINER_NAME):
+    @echo "🛑 Stopping development environment..."
+    -{{ cli }} stop {{ container }} 2>/dev/null
+    -{{ cli }}  rm {{ container }} 2>/dev/null
+
+[group("🏃 Running")]
+dev-env-restart: dev-env-stop dev-env-start
+
+[group("👍 E2E")]
+e2e-server:
+    sh scripts/run.sh
+
+[group("👍 E2E")]
+probe-e2e:
+    sh scripts/probe.sh
+
+[doc("inspect one image")]
+[group("🚚 Other")]
+docker-inspect-multiarch image cli=(DOCKER_CLI):
+    @echo "🔍 Inspecting multi-architecture image: {{ image }}"
+    {{ cli }} buildx imagetools inspect {{ image }}

Makefile

@@ -1,200 +1,81 @@
 ###########
-# 远程开发，需要 VSCode 安装 Dev Containers, Remote SSH, Remote Explorer
+# Remote development requires VSCode with Dev Containers, Remote SSH, Remote Explorer
 # https://code.visualstudio.com/docs/remote/containers
 ###########
+
+.PHONY: SHELL
+
+# Makefile global config
+# Use config.mak to override any of the following variables.
+# Do not make changes here.
+
+.DEFAULT_GOAL := help
+.EXPORT_ALL_VARIABLES:
+.ONESHELL:
+.SILENT:
+
+NUM_CORES := $(shell nproc 2>/dev/null || sysctl -n hw.ncpu)
+
+MAKEFLAGS += -j$(NUM_CORES) -l$(NUM_CORES)
+MAKEFLAGS += --silent
+
+SHELL := $(shell which bash)
+.SHELLFLAGS = -eu -o pipefail -c
+
 DOCKER_CLI ?= docker
 IMAGE_NAME ?= rustfs:v1.0.0
 CONTAINER_NAME ?= rustfs-dev
-DOCKERFILE_PATH = $(shell pwd)/.docker
-
-# Code quality and formatting targets
-.PHONY: fmt
-fmt:
-	@echo "🔧 Formatting code..."
-	cargo fmt --all
-
-.PHONY: fmt-check
-fmt-check:
-	@echo "📝 Checking code formatting..."
-	cargo fmt --all --check
-
-.PHONY: clippy
-clippy:
-	@echo "🔍 Running clippy checks..."
-	cargo clippy --all-targets --all-features -- -D warnings
-
-.PHONY: check
-check:
-	@echo "🔨 Running compilation check..."
-	cargo check --all-targets
-
-.PHONY: test
-test:
-	@echo "🧪 Running tests..."
-	cargo nextest run --all --exclude e2e_test
-	cargo test --all --doc
-
-.PHONY: pre-commit
-pre-commit: fmt clippy check test
-	@echo "✅ All pre-commit checks passed!"
-
-.PHONY: setup-hooks
-setup-hooks:
-	@echo "🔧 Setting up git hooks..."
-	chmod +x .git/hooks/pre-commit
-	@echo "✅ Git hooks setup complete!"
-
-.PHONY: init-devenv
-init-devenv:
-	$(DOCKER_CLI) build -t $(IMAGE_NAME) -f $(DOCKERFILE_PATH)/Dockerfile.devenv .
-	$(DOCKER_CLI) stop $(CONTAINER_NAME)
-	$(DOCKER_CLI) rm $(CONTAINER_NAME)
-	$(DOCKER_CLI) run -d --name $(CONTAINER_NAME) -p 9010:9010 -p 9000:9000 -v $(shell pwd):/root/s3-rustfs -it $(IMAGE_NAME)
-
-.PHONY: start
-start:
-	$(DOCKER_CLI) start $(CONTAINER_NAME)
-
-.PHONY: stop
-stop:
-	$(DOCKER_CLI) stop $(CONTAINER_NAME)
-
-.PHONY: e2e-server
-e2e-server:
-	sh $(shell pwd)/scripts/run.sh
-
-.PHONY: probe-e2e
-probe-e2e:
-	sh $(shell pwd)/scripts/probe.sh
-
-# make BUILD_OS=ubuntu22.04 build
-# in target/ubuntu22.04/release/rustfs
-
-# make BUILD_OS=rockylinux9.3 build
-# in target/rockylinux9.3/release/rustfs
+# Docker build configurations
+DOCKERFILE_PRODUCTION = Dockerfile
+DOCKERFILE_SOURCE = Dockerfile.source
 BUILD_OS ?= rockylinux9.3
-.PHONY: build
-build: ROCKYLINUX_BUILD_IMAGE_NAME = rustfs-$(BUILD_OS):v1
-build: ROCKYLINUX_BUILD_CONTAINER_NAME = rustfs-$(BUILD_OS)-build
-build: BUILD_CMD = /root/.cargo/bin/cargo build --release --bin rustfs --target-dir /root/s3-rustfs/target/$(BUILD_OS)
-build:
-	$(DOCKER_CLI) build -t $(ROCKYLINUX_BUILD_IMAGE_NAME) -f $(DOCKERFILE_PATH)/Dockerfile.$(BUILD_OS) .
-	$(DOCKER_CLI) run --rm --name $(ROCKYLINUX_BUILD_CONTAINER_NAME) -v $(shell pwd):/root/s3-rustfs -it $(ROCKYLINUX_BUILD_IMAGE_NAME) $(BUILD_CMD)
 
-.PHONY: build-musl
-build-musl:
-	@echo "🔨 Building rustfs for x86_64-unknown-linux-musl..."
-	cargo build --target x86_64-unknown-linux-musl --bin rustfs -r
+# Makefile colors config
+bold := $(shell tput bold)
+normal := $(shell tput sgr0)
+errorTitle := $(shell tput setab 1 && tput bold && echo '\n')
+recommendation := $(shell tput setab 4)
+underline := $(shell tput smul)
+reset := $(shell tput -Txterm sgr0)
+black := $(shell tput setaf 0)
+red := $(shell tput setaf 1)
+green := $(shell tput setaf 2)
+yellow := $(shell tput setaf 3)
+blue := $(shell tput setaf 4)
+magenta := $(shell tput setaf 5)
+cyan := $(shell tput setaf 6)
+white := $(shell tput setaf 7)
 
-.PHONY: build-gnu
-build-gnu:
-	@echo "🔨 Building rustfs for x86_64-unknown-linux-gnu..."
-	cargo build --target x86_64-unknown-linux-gnu --bin rustfs -r
+define HEADER
+How to use me:
+	# To get help for each target
+	${bold}make help${reset}
 
-.PHONY: deploy-dev
-deploy-dev: build-musl
-	@echo "🚀 Deploying to dev server: $${IP}"
-	./scripts/dev_deploy.sh $${IP}
+	# To run and execute a target
+	${bold}make ${cyan}<target>${reset}
 
-# Multi-architecture Docker build targets
-.PHONY: docker-build-multiarch
-docker-build-multiarch:
-	@echo "🏗️ Building multi-architecture Docker images..."
-	./scripts/build-docker-multiarch.sh
+	💡 For more help use 'make help', 'make help-build' or 'make help-docker'
 
-.PHONY: docker-build-multiarch-push
-docker-build-multiarch-push:
-	@echo "🚀 Building and pushing multi-architecture Docker images..."
-	./scripts/build-docker-multiarch.sh --push
+	🦀 RustFS Makefile Help:
 
-.PHONY: docker-build-multiarch-version
-docker-build-multiarch-version:
-	@if [ -z "$(VERSION)" ]; then \
-		echo "❌ 错误: 请指定版本, 例如: make docker-build-multiarch-version VERSION=v1.0.0"; \
-		exit 1; \
-	fi
-	@echo "🏗️ Building multi-architecture Docker images (version: $(VERSION))..."
-	./scripts/build-docker-multiarch.sh --version $(VERSION)
+	📋 Main Command Categories:
+	 	make help-build                          # Show build-related help
+	 	make help-docker                         # Show Docker-related help
 
-.PHONY: docker-push-multiarch-version
-docker-push-multiarch-version:
-	@if [ -z "$(VERSION)" ]; then \
-		echo "❌ 错误: 请指定版本, 例如: make docker-push-multiarch-version VERSION=v1.0.0"; \
-		exit 1; \
-	fi
-	@echo "🚀 Building and pushing multi-architecture Docker images (version: $(VERSION))..."
-	./scripts/build-docker-multiarch.sh --version $(VERSION) --push
+	🔧 Code Quality:
+		make fmt                                 # Format code
+		make clippy                              # Run clippy checks
+		make test                                # Run tests
+		make pre-commit                          # Run all pre-commit checks
 
-.PHONY: docker-build-ubuntu
-docker-build-ubuntu:
-	@echo "🏗️ Building multi-architecture Ubuntu Docker images..."
-	./scripts/build-docker-multiarch.sh --type ubuntu
+	🚀 Quick Start:
+		make build                               # Build RustFS binary
+		make docker-dev-local                    # Build development Docker image (local)
+		make dev-env-start                       # Start development environment
 
-.PHONY: docker-build-rockylinux
-docker-build-rockylinux:
-	@echo "🏗️ Building multi-architecture RockyLinux Docker images..."
-	./scripts/build-docker-multiarch.sh --type rockylinux
 
-.PHONY: docker-build-devenv
-docker-build-devenv:
-	@echo "🏗️ Building multi-architecture development environment Docker images..."
-	./scripts/build-docker-multiarch.sh --type devenv
+endef
+export HEADER
 
-.PHONY: docker-build-all-types
-docker-build-all-types:
-	@echo "🏗️ Building all multi-architecture Docker image types..."
-	./scripts/build-docker-multiarch.sh --type production
-	./scripts/build-docker-multiarch.sh --type ubuntu
-	./scripts/build-docker-multiarch.sh --type rockylinux
-	./scripts/build-docker-multiarch.sh --type devenv
+-include $(addsuffix /*.mak, $(shell find .config/make -type d))
 
-.PHONY: docker-inspect-multiarch
-docker-inspect-multiarch:
-	@if [ -z "$(IMAGE)" ]; then \
-		echo "❌ 错误: 请指定镜像, 例如: make docker-inspect-multiarch IMAGE=rustfs/rustfs:latest"; \
-		exit 1; \
-	fi
-	@echo "🔍 Inspecting multi-architecture image: $(IMAGE)"
-	docker buildx imagetools inspect $(IMAGE)
-
-.PHONY: build-cross-all
-build-cross-all:
-	@echo "🔧 Building all target architectures..."
-	@if ! command -v cross &> /dev/null; then \
-		echo "📦 Installing cross..."; \
-		cargo install cross; \
-	fi
-	@echo "🔨 Generating protobuf code..."
-	cargo run --bin gproto || true
-	@echo "🔨 Building x86_64-unknown-linux-musl..."
-	cargo build --release --target x86_64-unknown-linux-musl --bin rustfs
-	@echo "🔨 Building aarch64-unknown-linux-gnu..."
-	cross build --release --target aarch64-unknown-linux-gnu --bin rustfs
-	@echo "✅ All architectures built successfully!"
-
-.PHONY: help-docker
-help-docker:
-	@echo "🐳 Docker 多架构构建帮助："
-	@echo ""
-	@echo "基本构建:"
-	@echo "  make docker-build-multiarch              # 构建多架构镜像（不推送）"
-	@echo "  make docker-build-multiarch-push         # 构建并推送多架构镜像"
-	@echo ""
-	@echo "版本构建:"
-	@echo "  make docker-build-multiarch-version VERSION=v1.0.0   # 构建指定版本"
-	@echo "  make docker-push-multiarch-version VERSION=v1.0.0    # 构建并推送指定版本"
-	@echo ""
-	@echo "镜像类型:"
-	@echo "  make docker-build-ubuntu                 # 构建 Ubuntu 镜像"
-	@echo "  make docker-build-rockylinux             # 构建 RockyLinux 镜像"
-	@echo "  make docker-build-devenv                 # 构建开发环境镜像"
-	@echo "  make docker-build-all-types              # 构建所有类型镜像"
-	@echo ""
-	@echo "辅助工具:"
-	@echo "  make build-cross-all                     # 构建所有架构的二进制文件"
-	@echo "  make docker-inspect-multiarch IMAGE=xxx  # 检查镜像的架构支持"
-	@echo ""
-	@echo "环境变量 (在推送时需要设置):"
-	@echo "  DOCKERHUB_USERNAME    Docker Hub 用户名"
-	@echo "  DOCKERHUB_TOKEN       Docker Hub 访问令牌"
-	@echo "  GITHUB_TOKEN          GitHub 访问令牌"

README.md

@@ -1,95 +1,210 @@
-[![RustFS](https://rustfs.com/images/rustfs-github.png)](https://rustfs.com)
-
-
-<p align="center">RustFS is a high-performance distributed object storage software built using Rust</p>
+[![RustFS](https://repository-images.githubusercontent.com/722597620/0fa936a2-8164-4f53-867f-def4beb64b21)](https://rustfs.com)
 
+<p align="center">RustFS is a high-performance, distributed object storage system built in Rust.</p>
 
 <p align="center">
   <a href="https://github.com/rustfs/rustfs/actions/workflows/ci.yml"><img alt="CI" src="https://github.com/rustfs/rustfs/actions/workflows/ci.yml/badge.svg" /></a>
   <a href="https://github.com/rustfs/rustfs/actions/workflows/docker.yml"><img alt="Build and Push Docker Images" src="https://github.com/rustfs/rustfs/actions/workflows/docker.yml/badge.svg" /></a>
   <img alt="GitHub commit activity" src="https://img.shields.io/github/commit-activity/m/rustfs/rustfs"/>
   <img alt="Github Last Commit" src="https://img.shields.io/github/last-commit/rustfs/rustfs"/>
+  <a href="https://hellogithub.com/repository/rustfs/rustfs" target="_blank"><img src="https://abroad.hellogithub.com/v1/widgets/recommend.svg?rid=b95bcb72bdc340b68f16fdf6790b7d5b&claim_uid=MsbvjYeLDKAH457&theme=small" alt="Featured｜HelloGitHub" /></a>
 </p>
 
 <p align="center">
-  <a href="https://docs.rustfs.com/en/introduction.html">Getting Started</a>
-  · <a href="https://docs.rustfs.com/en/">Docs</a>
+<a href="https://trendshift.io/repositories/14181" target="_blank"><img src="https://trendshift.io/api/badge/repositories/14181" alt="rustfs%2Frustfs | Trendshift" style="width: 250px; height: 55px;" width="250" height="55"/></a> 
+<a href="https://runacap.com/ross-index/q4-2025/" target="_blank" rel="noopener"><img style="width: 260px; height: 55px" src="https://runacap.com/wp-content/uploads/2026/01/ROSS_badge_white_Q4_2025.svg" alt="ROSS Index - Fastest Growing Open-Source Startups in Q4 2025 | Runa Capital" height="55" /></a>
+</p>
+
+<p align="center">
+  <a href="https://docs.rustfs.com/installation/">Getting Started</a>
+  · <a href="https://docs.rustfs.com/">Docs</a>
   · <a href="https://github.com/rustfs/rustfs/issues">Bug reports</a>
   · <a href="https://github.com/rustfs/rustfs/discussions">Discussions</a>
 </p>
 
 <p align="center">
-English | <a href="https://github.com/rustfs/rustfs/blob/main/README_ZH.md">简体中文</a> | 
-  <!-- Keep these links. Translations will automatically update with the README. -->
-  <a href="https://readme-i18n.com/rustfs/rustfs?lang=de">Deutsch</a> | 
-  <a href="https://readme-i18n.com/rustfs/rustfs?lang=es">Español</a> | 
-  <a href="https://readme-i18n.com/rustfs/rustfs?lang=fr">français</a> | 
-  <a href="https://readme-i18n.com/rustfs/rustfs?lang=ja">日本語</a> | 
-  <a href="https://readme-i18n.com/rustfs/rustfs?lang=ko">한국어</a> | 
-  <a href="https://readme-i18n.com/rustfs/rustfs?lang=pt">Português</a> | 
+English | <a href="https://github.com/rustfs/rustfs/blob/main/README_ZH.md">简体中文</a> |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=de">Deutsch</a> |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=es">Español</a> |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=fr">français</a> |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=ja">日本語</a> |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=ko">한국어</a> |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=pt">Portuguese</a> |
   <a href="https://readme-i18n.com/rustfs/rustfs?lang=ru">Русский</a>
 </p>
 
-RustFS is a high-performance distributed object storage software built using Rust, one of the most popular languages worldwide. Along with MinIO, it shares a range of advantages such as simplicity, S3 compatibility, open-source nature, support for data lakes, AI, and big data. Furthermore, it has a better and more user-friendly open-source license in comparison to other storage systems, being constructed under the Apache license. As Rust serves as its foundation, RustFS provides faster speed and safer distributed features for high-performance object storage.
+RustFS is a high-performance, distributed object storage system built in Rust—one of the most loved programming languages worldwide. RustFS combines the simplicity of MinIO with the memory safety and raw performance of Rust. It offers full S3 compatibility, is completely open-source, and is optimized for data lakes, AI, and big data workloads.
 
+Unlike other storage systems, RustFS is released under the permissible Apache 2.0 license, avoiding the restrictions of AGPL. With Rust as its foundation, RustFS delivers superior speed and secure distributed features for next-generation object storage.
 
-> ⚠️ **RustFS is under rapid development. Do NOT use in production environments!**
+## Feature & Status
 
-## Features
+- **High Performance**: Built with Rust to ensure maximum speed and resource efficiency.
+- **Distributed Architecture**: Scalable and fault-tolerant design suitable for large-scale deployments.
+- **S3 Compatibility**: Seamless integration with existing S3-compatible applications and tools.
+- **OpenStack Swift API**: Native support for Swift protocol with Keystone authentication.
+- **OpenStack Keystone Integration**: Native support for OpenStack Keystone authentication with X-Auth-Token headers.
+- **Data Lake Support**: Optimized for high-throughput big data and AI workloads.
+- **Open Source**: Licensed under Apache 2.0, encouraging unrestricted community contributions and commercial usage.
+- **User-Friendly**: Designed with simplicity in mind for easy deployment and management.
 
-- **High Performance**: Built with Rust, ensuring speed and efficiency.
-- **Distributed Architecture**: Scalable and fault-tolerant design for large-scale deployments.
-- **S3 Compatibility**: Seamless integration with existing S3-compatible applications.
-- **Data Lake Support**: Optimized for big data and AI workloads.
-- **Open Source**: Licensed under Apache 2.0, encouraging community contributions and transparency.
-- **User-Friendly**: Designed with simplicity in mind, making it easy to deploy and manage.
+| Feature                 | Status       | Feature                  | Status           |
+| :---------------------- | :----------- | :----------------------- | :--------------- |
+| **S3 Core Features**    | ✅ Available | **Bitrot Protection**    | ✅ Available     |
+| **Upload / Download**   | ✅ Available | **Single Node Mode**     | ✅ Available     |
+| **Versioning**          | ✅ Available | **Bucket Replication**   | ✅ Available     |
+| **Logging**             | ✅ Available | **Lifecycle Management** | 🚧 Under Testing |
+| **Event Notifications** | ✅ Available | **Distributed Mode**     | 🚧 Under Testing |
+| **K8s Helm Charts**     | ✅ Available | **RustFS KMS**           | 🚧 Under Testing |
+| **Keystone Auth**       | ✅ Available | **Multi-Tenancy**        | ✅ Available     |
+| **Swift API**           | ✅ Available | **Swift Metadata Ops**   | 🚧 Partial       |
 
-## RustFS vs MinIO
+## RustFS vs MinIO Performance
 
-Stress test server parameters
+**Stress Test Environment:**
 
-|  Type  |  parameter   | Remark |
-| - | - | - |
-|CPU | 2 Core | Intel Xeon(Sapphire Rapids) Platinum 8475B , 2.7/3.2 GHz|   |
-|Memory| 4GB |     |
-|Network | 15Gbp |      |
-|Driver  | 40GB x 4 |   IOPS 3800 / Driver |
+| Type    | Parameter | Remark                                                   |
+| ------- | --------- | -------------------------------------------------------- |
+| CPU     | 2 Core    | Intel Xeon (Sapphire Rapids) Platinum 8475B, 2.7/3.2 GHz |
+| Memory  | 4GB       |                                                          |
+| Network | 15Gbps    |                                                          |
+| Drive   | 40GB x 4  | IOPS 3800 / Drive                                        |
 
 <https://github.com/user-attachments/assets/2e4979b5-260c-4f2c-ac12-c87fd558072a>
 
-### RustFS vs Other object storage
+### RustFS vs Other Object Storage
 
-| RustFS | Other object storage|
-| - | - |
-| Powerful Console | Simple and useless Console |
-| Developed based on Rust language, memory is safer | Developed in Go or C, with potential issues like memory GC/leaks |
-| Does not report logs to third-party countries  | Reporting logs to other third countries may violate national security laws |
-| Licensed under Apache, more business-friendly  | AGPL V3 License and other License, polluted open source and License traps, infringement of intellectual property rights |
-| Comprehensive S3 support, works with domestic and international cloud providers  | Full support for S3, but no local cloud vendor support |
-| Rust-based development, strong support for secure and innovative devices  | Poor support for edge gateways and secure innovative devices|
-| Stable commercial prices, free community support | High pricing, with costs up to $250,000 for 1PiB |
-| No risk | Intellectual property risks and risks of prohibited uses |
+| Feature                | RustFS                                                                                                                                                | Other Object Storage                                                                     |
+| :--------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------- |
+| **Console Experience** | **Powerful Console**<br>Comprehensive management interface.                                                                                           | **Basic / Limited Console**<br>Often overly simple or lacking critical features.         |
+| **Language & Safety**  | **Rust-based**<br>Memory safety by design.                                                                                                            | **Go or C-based**<br>Potential for memory GC pauses or leaks.                            |
+| **Data Sovereignty**   | **No Telemetry / Full Compliance**<br>Guards against unauthorized cross-border data egress. Compliant with GDPR (EU/UK), CCPA (US), and APPI (Japan). | **Potential Risk**<br>Possible legal exposure and unwanted data telemetry.               |
+| **Licensing**          | **Permissive Apache 2.0**<br>Business-friendly, no "poison pill" clauses.                                                                             | **Restrictive AGPL v3**<br>Risk of license traps and intellectual property pollution.    |
+| **Compatibility**      | **100% S3 Compatible**<br>Works with any cloud provider or client, anywhere.                                                                          | **Variable Compatibility**<br>May lack support for local cloud vendors or specific APIs. |
+| **Edge & IoT**         | **Strong Edge Support**<br>Ideal for secure, innovative edge devices.                                                                                 | **Weak Edge Support**<br>Often too heavy for edge gateways.                              |
+| **Risk Profile**       | **Enterprise Risk Mitigation**<br>Clear IP rights and safe for commercial use.                                                                        | **Legal Risks**<br>Intellectual property ambiguity and usage restrictions.               |
+
+## Staying ahead
+
+Star RustFS on GitHub and be instantly notified of new releases.
+
+<img src="https://github.com/user-attachments/assets/7ee40bb4-3e46-4eac-b0d0-5fbeb85ff8f3" />
 
 ## Quickstart
 
 To get started with RustFS, follow these steps:
 
-1.  **One-click installation script (Option 1)​​**
+### 1. One-click Installation (Option 1)
 
-   ```bash
-   curl -O  https://rustfs.com/install_rustfs.sh && bash install_rustfs.sh
-   ```
+```bash
+curl -O https://rustfs.com/install_rustfs.sh && bash install_rustfs.sh
+```
 
-2. **Docker Quick Start (Option 2)​​**
+### 2\. Docker Quick Start (Option 2)
 
-  ```bash
-   podman run -d -p 9000:9000 -p 9001:9001 -v /data:/data quay.io/rustfs/rustfs
-   ```
+The RustFS container runs as a non-root user `rustfs` (UID `10001`). If you run Docker with `-v` to mount a host directory, please ensure the host directory owner is set to `10001`, otherwise you will encounter permission denied errors.
 
+```bash
+ # Create data and logs directories
+ mkdir -p data logs
 
-3. **Access the Console**: Open your web browser and navigate to `http://localhost:9001` to access the RustFS console, default username and password is `rustfsadmin` .
-4. **Create a Bucket**: Use the console to create a new bucket for your objects.
-5. **Upload Objects**: You can upload files directly through the console or use S3-compatible APIs to interact with your RustFS instance.
+ # Change the owner of these directories
+ chown -R 10001:10001 data logs
+
+ # Using latest version
+ docker run -d -p 9000:9000 -p 9001:9001 -v $(pwd)/data:/data -v $(pwd)/logs:/logs rustfs/rustfs:latest
+
+ # Using specific version
+ docker run -d -p 9000:9000 -p 9001:9001 -v $(pwd)/data:/data -v $(pwd)/logs:/logs rustfs/rustfs:1.0.0-alpha.76
+```
+
+If you use [podman](https://github.com/containers/podman) instead of docker, you can install the RustFS with the below command
+
+```bash
+ podman run -d -p 9000:9000 -p 9001:9001 -v $(pwd)/data:/data -v $(pwd)/logs:/logs rustfs/rustfs:latest
+```
+
+You can also use Docker Compose. Using the `docker-compose.yml` file in the root directory:
+
+```bash
+docker compose --profile observability up -d
+```
+
+Similarly, you can run the command with podman
+
+```bash
+podman compose --profile observability up -d
+```
+
+**NOTE**: We recommend reviewing the `docker-compose.yaml` file before running. It defines several services including Grafana, Prometheus, and Jaeger, which are helpful for RustFS observability. If you wish to start Redis or Nginx containers, you can specify the corresponding profiles.
+
+### 3\. Build from Source (Option 3) - Advanced Users
+
+For developers who want to build RustFS Docker images from source with multi-architecture support:
+
+```bash
+# Build multi-architecture images locally
+./docker-buildx.sh --build-arg RELEASE=latest
+
+# Build and push to registry
+./docker-buildx.sh --push
+
+# Build specific version
+./docker-buildx.sh --release v1.0.0 --push
+
+# Build for custom registry
+./docker-buildx.sh --registry your-registry.com --namespace yourname --push
+```
+
+The `docker-buildx.sh` script supports:
+
+- **Multi-architecture builds**: `linux/amd64`, `linux/arm64`
+- **Automatic version detection**: Uses git tags or commit hashes
+- **Registry flexibility**: Supports Docker Hub, GitHub Container Registry, etc.
+- **Build optimization**: Includes caching and parallel builds
+
+You can also use Make targets for convenience:
+
+```bash
+make docker-buildx                    # Build locally
+make docker-buildx-push               # Build and push
+make docker-buildx-version VERSION=v1.0.0  # Build specific version
+make help-docker                      # Show all Docker-related commands
+```
+
+> **Heads-up (macOS cross-compilation)**: macOS keeps the default `ulimit -n` at 256, so `cargo zigbuild` or `./build-rustfs.sh --platform ...` may fail with `ProcessFdQuotaExceeded` when targeting Linux. The build script attempts to raise the limit automatically, but if you still see the warning, run `ulimit -n 4096` (or higher) in your shell before building.
+
+### 4\. Build with Helm Chart (Option 4) - Cloud Native
+
+Follow the instructions in the [Helm Chart README](https://charts.rustfs.com/) to install RustFS on a Kubernetes cluster.
+
+### 5\. Nix Flake (Option 5)
+
+If you have [Nix with flakes enabled](https://nixos.wiki/wiki/Flakes#Enable_flakes):
+
+```bash
+# Run directly without installing
+nix run github:rustfs/rustfs
+
+# Build the binary
+nix build github:rustfs/rustfs
+./result/bin/rustfs --help
+
+# Or from a local checkout
+nix build
+nix run
+```
+
+---
+
+### Accessing RustFS
+
+1. **Access the Console**: Open your web browser and navigate to `http://localhost:9001` to access the RustFS console.
+    - Default credentials: `rustfsadmin` / `rustfsadmin`
+2. **Create a Bucket**: Use the console to create a new bucket for your objects.
+3. **Upload Objects**: You can upload files directly through the console or use S3-compatible APIs/clients to interact with your RustFS instance.
+
+**NOTE**: To access the RustFS instance via `https`, please refer to the [TLS Configuration Docs](https://docs.rustfs.com/integration/tls-configured.html).
 
 ## Documentation
 
@@ -97,7 +212,7 @@ For detailed documentation, including configuration options, API references, and
 
 ## Getting Help
 
-If you have any questions or need assistance, you can:
+If you have any questions or need assistance:
 
 - Check the [FAQ](https://github.com/rustfs/rustfs/discussions/categories/q-a) for common issues and solutions.
 - Join our [GitHub Discussions](https://github.com/rustfs/rustfs/discussions) to ask questions and share your experiences.
@@ -112,8 +227,8 @@ If you have any questions or need assistance, you can:
 ## Contact
 
 - **Bugs**: [GitHub Issues](https://github.com/rustfs/rustfs/issues)
-- **Business**: <hello@rustfs.com>
-- **Jobs**: <jobs@rustfs.com>
+- **Business**: [hello@rustfs.com](mailto:hello@rustfs.com)
+- **Jobs**: [jobs@rustfs.com](mailto:jobs@rustfs.com)
 - **General Discussion**: [GitHub Discussions](https://github.com/rustfs/rustfs/discussions)
 - **Contributing**: [CONTRIBUTING.md](CONTRIBUTING.md)
 
@@ -122,9 +237,13 @@ If you have any questions or need assistance, you can:
 RustFS is a community-driven project, and we appreciate all contributions. Check out the [Contributors](https://github.com/rustfs/rustfs/graphs/contributors) page to see the amazing people who have helped make RustFS better.
 
 <a href="https://github.com/rustfs/rustfs/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=rustfs/rustfs" />
+<img src="https://opencollective.com/rustfs/contributors.svg?width=890&limit=500&button=false" alt="Contributors" />
 </a>
 
+## Star History
+
+[![Star History Chart](https://api.star-history.com/svg?repos=rustfs/rustfs&type=date&legend=top-left)](https://www.star-history.com/#rustfs/rustfs&type=date&legend=top-left)
+
 ## License
 
 [Apache 2.0](https://opensource.org/licenses/Apache-2.0)

README_ZH.md

@@ -1,116 +1,216 @@
-[![RustFS](https://rustfs.com/images/rustfs-github.png)](https://rustfs.com)
+[![RustFS](https://github.com/user-attachments/assets/1b5afcd6-a2c3-47ff-8bc3-ce882b0ddca7)](https://rustfs.com.cn)
 
-<p align="center">RustFS 是一个使用 Rust 构建的高性能分布式对象存储软件</p >
+<p align="center">RustFS 是一个基于 Rust 构建的高性能分布式对象存储系统。</p>
 
 <p align="center">
   <a href="https://github.com/rustfs/rustfs/actions/workflows/ci.yml"><img alt="CI" src="https://github.com/rustfs/rustfs/actions/workflows/ci.yml/badge.svg" /></a>
-  <a href="https://github.com/rustfs/rustfs/actions/workflows/docker.yml"><img alt="Build and Push Docker Images" src="https://github.com/rustfs/rustfs/actions/workflows/docker.yml/badge.svg" /></a>
-  <img alt="GitHub commit activity" src="https://img.shields.io/github/commit-activity/m/rustfs/rustfs"/>
-  <img alt="Github Last Commit" src="https://img.shields.io/github/last-commit/rustfs/rustfs"/>
-</p >
+  <a href="https://github.com/rustfs/rustfs/actions/workflows/docker.yml"><img alt="构建并推送 Docker 镜像" src="https://github.com/rustfs/rustfs/actions/workflows/docker.yml/badge.svg" /></a>
+  <img alt="GitHub 提交活跃度" src="https://img.shields.io/github/commit-activity/m/rustfs/rustfs"/>
+  <img alt="Github 最新提交" src="https://img.shields.io/github/last-commit/rustfs/rustfs"/>
+  <a href="https://hellogithub.com/repository/rustfs/rustfs" target="_blank"><img src="https://abroad.hellogithub.com/v1/widgets/recommend.svg?rid=b95bcb72bdc340b68f16fdf6790b7d5b&claim_uid=MsbvjYeLDKAH457&theme=small" alt="Featured｜HelloGitHub" /></a>
+</p>
+
 
 <p align="center">
-  <a href="https://docs.rustfs.com/zh/introduction.html">快速开始</a >
-  · <a href="https://docs.rustfs.com/zh/">文档</a >
-  · <a href="https://github.com/rustfs/rustfs/issues">问题报告</a >
-  · <a href="https://github.com/rustfs/rustfs/discussions">讨论</a >
-</p >
+<a href="https://trendshift.io/repositories/14181" target="_blank"><img src="https://trendshift.io/api/badge/repositories/14181" alt="rustfs%2Frustfs | Trendshift" style="width: 250px; height: 55px;" width="250" height="55"/></a> 
+<a href="https://runacap.com/ross-index/q4-2025/" target="_blank" rel="noopener"><img style="width: 260px; height: 55px" src="https://runacap.com/wp-content/uploads/2026/01/ROSS_badge_white_Q4_2025.svg" alt="ROSS Index - Fastest Growing Open-Source Startups in Q4 2025 | Runa Capital" height="55" /></a>
+</p>
 
 <p align="center">
-<a href="https://github.com/rustfs/rustfs/blob/main/README.md">English</a > | 简体中文
-</p >
+  <a href="https://docs.rustfs.com/installation/">快速开始</a>
+  · <a href="https://docs.rustfs.com/">文档</a>
+  · <a href="https://github.com/rustfs/rustfs/issues">报告 Bug</a>
+  · <a href="https://github.com/rustfs/rustfs/discussions">社区讨论</a>
+</p>
 
-RustFS 是一个使用 Rust（全球最受欢迎的编程语言之一）构建的高性能分布式对象存储软件。与 MinIO 一样，它具有简单性、S3 兼容性、开源特性以及对数据湖、AI 和大数据的支持等一系列优势。此外，与其他存储系统相比，它采用 Apache 许可证构建，拥有更好、更用户友好的开源许可证。由于以 Rust 为基础，RustFS 为高性能对象存储提供了更快的速度和更安全的分布式功能。
+<p align="center">
+  <a href="https://github.com/rustfs/rustfs/blob/main/README.md">English</a> | 简体中文 |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=de">Deutsch</a> |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=es">Español</a> |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=fr">français</a> |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=ja">日本語</a> |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=ko">한국어</a> |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=pt">Portuguese</a> |
+  <a href="https://readme-i18n.com/rustfs/rustfs?lang=ru">Русский</a>
+</p>
 
-## 特性
+RustFS 是一个基于 Rust 构建的高性能分布式对象存储系统。Rust 是全球最受开发者喜爱的编程语言之一，RustFS 完美结合了 MinIO 的简洁性与 Rust 的内存安全及高性能优势。它提供完整的 S3 兼容性，完全开源，并专为数据湖、人工智能（AI）和大数据负载进行了优化。
 
-- **高性能**：使用 Rust 构建，确保速度和效率。
+与其他存储系统不同，RustFS 采用更宽松、商业友好的 Apache 2.0 许可证，避免了 AGPL 协议的限制。以 Rust 为基石，RustFS 为下一代对象存储提供了更快的速度和更安全的分布式特性。
+
+## 特征和功能状态
+
+- **高性能**：基于 Rust 构建，确保极致的速度和资源效率。
 - **分布式架构**：可扩展且容错的设计，适用于大规模部署。
-- **S3 兼容性**：与现有 S3 兼容应用程序无缝集成。
-- **数据湖支持**：针对大数据和 AI 工作负载进行了优化。
-- **开源**：采用 Apache 2.0 许可证，鼓励社区贡献和透明度。
-- **用户友好**：设计简单，易于部署和管理。
+- **S3 兼容性**：与现有的 S3 兼容应用和工具无缝集成。
+- **数据湖支持**：专为高吞吐量的大数据和 AI 工作负载优化。
+- **完全开源**：采用 Apache 2.0 许可证，鼓励社区贡献和商业使用。
+- **简单易用**：设计简洁，易于部署和管理。
 
-## RustFS vs MinIO
+| 功能               | 状态    | 功能                    | 状态      |
+| :----------------- | :------ | :---------------------- | :-------- |
+| **S3 核心功能**    | ✅ 可用 | **Bitrot (防数据腐烂)** | ✅ 可用   |
+| **上传 / 下载**    | ✅ 可用 | **单机模式**            | ✅ 可用   |
+| **版本控制**       | ✅ 可用 | **存储桶复制**          | ✅ 可用   |
+| **日志功能**       | ✅ 可用 | **生命周期管理**        | 🚧 测试中 |
+| **事件通知**       | ✅ 可用 | **分布式模式**          | 🚧 测试中 |
+| **K8s Helm Chart** | ✅ 可用 | **OPA (策略引擎)**      | 🚧 测试中 |
 
-压力测试服务器参数
+## RustFS vs MinIO 性能对比
 
-|  类型  |  参数   | 备注 |
-| - | - | - |
-|CPU | 2 核心 | Intel Xeon(Sapphire Rapids) Platinum 8475B , 2.7/3.2 GHz|   |
-|内存| 4GB |     |
-|网络 | 15Gbp |      |
-|驱动器  | 40GB x 4 |   IOPS 3800 / 驱动器 |
+**压力测试环境参数：**
+
+| 类型 | 参数     | 备注                                                      |
+| ---- | -------- | --------------------------------------------------------- |
+| CPU  | 2 核     | Intel Xeon (Sapphire Rapids) Platinum 8475B , 2.7/3.2 GHz |
+| 内存 | 4GB      |                                                           |
+| 网络 | 15Gbps   |                                                           |
+| 硬盘 | 40GB x 4 | IOPS 3800 / Drive                                         |
 
 <https://github.com/user-attachments/assets/2e4979b5-260c-4f2c-ac12-c87fd558072a>
 
 ### RustFS vs 其他对象存储
 
-| RustFS | 其他对象存储|
-| - | - |
-| 强大的控制台 | 简单且无用的控制台 |
-| 基于 Rust 语言开发，内存更安全 | 使用 Go 或 C 开发，存在内存 GC/泄漏等潜在问题 |
-| 不向第三方国家报告日志  | 向其他第三方国家报告日志可能违反国家安全法律 |
-| 采用 Apache 许可证，对商业更友好  | AGPL V3 许可证等其他许可证，污染开源和许可证陷阱，侵犯知识产权 |
-| 全面的 S3 支持，适用于国内外云提供商  | 完全支持 S3，但不支持本地云厂商 |
-| 基于 Rust 开发，对安全和创新设备有强大支持  | 对边缘网关和安全创新设备支持较差|
-| 稳定的商业价格，免费社区支持 | 高昂的定价，1PiB 成本高达 $250,000 |
-| 无风险 | 知识产权风险和禁止使用的风险 |
+| 特性           | RustFS                                                                                                              | 其他对象存储                                                             |
+| :------------- | :------------------------------------------------------------------------------------------------------------------ | :----------------------------------------------------------------------- |
+| **控制台体验** | **功能强大的控制台**<br>提供全面的管理界面。                                                                        | **基础/简陋的控制台**<br>通常功能过于简单或缺失关键特性。                |
+| **语言与安全** | **基于 Rust 开发**<br>天生的内存安全。                                                                              | **基于 Go 或 C 开发**<br>存在内存 GC 停顿或内存泄漏的潜在风险。          |
+| **数据主权**   | **无遥测 / 完全合规**<br>防止未经授权的数据跨境传输。完全符合 GDPR (欧盟/英国)、CCPA (美国) 和 APPI (日本) 等法规。 | **潜在风险**<br>可能存在法律风险和隐蔽的数据遥测（Telemetry）。          |
+| **开源协议**   | **宽松的 Apache 2.0**<br>商业友好，无“毒丸”条款。                                                                   | **受限的 AGPL v3**<br>存在许可证陷阱和知识产权污染的风险。               |
+| **兼容性**     | **100% S3 兼容**<br>适用于任何云提供商和客户端，随处运行。                                                          | **兼容性不一**<br>虽然支持 S3，但可能缺乏对本地云厂商或特定 API 的支持。 |
+| **边缘与 IoT** | **强大的边缘支持**<br>非常适合安全、创新的边缘设备。                                                                | **边缘支持较弱**<br>对于边缘网关来说通常过于沉重。                       |
+| **成本**       | **稳定且免费**<br>免费社区支持，稳定的商业定价。                                                                    | **高昂成本**<br>1PiB 的成本可能高达 250,000 美元。                       |
+| **风险控制**   | **企业级风险规避**<br>清晰的知识产权，商业使用安全无忧。                                                            | **法律风险**<br>知识产权归属模糊及使用限制风险。                         |
+
+## 保持领先
+
+在 GitHub 上为 RustFS 点赞，即可第一时间收到新版本发布通知。
+
+<img src="https://github.com/user-attachments/assets/7ee40bb4-3e46-4eac-b0d0-5fbeb85ff8f3" />
 
 ## 快速开始
 
-要开始使用 RustFS，请按照以下步骤操作：
+请按照以下步骤快速上手 RustFS：
 
-1.  **一键脚本快速启动 (方案一)**
+### 1. 一键安装脚本 (选项 1)
 
-   ```bash
-   curl -O  https://rustfs.com/install_rustfs.sh && bash install_rustfs.sh
-   ```
+```bash
+curl -O https://rustfs.com/install_rustfs.sh && bash install_rustfs.sh
+```
 
-2. **Docker快速启动（方案二）**
+### 2\. Docker 快速启动 (选项 2)
 
-  ```bash
-   podman run -d -p 9000:9000 -p 9001:9001 -v /data:/data quay.io/rustfs/rustfs
-   ```
+RustFS 容器以非 root 用户 `rustfs` (UID `10001`) 运行。如果您使用 Docker 的 `-v` 参数挂载宿主机目录，请务必确保宿主机目录的所有者已更改为 `10001`，否则会遇到权限拒绝错误。
 
+```bash
+ # 创建数据和日志目录
+ mkdir -p data logs
 
-3. **访问控制台**：打开 Web 浏览器并导航到 `http://localhost:9001` 以访问 RustFS 控制台，默认的用户名和密码是 `rustfsadmin` 。
-4. **创建存储桶**：使用控制台为您的对象创建新的存储桶。
-5. **上传对象**：您可以直接通过控制台上传文件，或使用 S3 兼容的 API 与您的 RustFS 实例交互。
+ # 更改这两个目录的所有者
+ chown -R 10001:10001 data logs
+
+ # 使用最新版本运行
+ docker run -d -p 9000:9000 -p 9001:9001 -v $(pwd)/data:/data -v $(pwd)/logs:/logs rustfs/rustfs:latest
+
+ # 使用指定版本运行
+ docker run -d -p 9000:9000 -p 9001:9001 -v $(pwd)/data:/data -v $(pwd)/logs:/logs rustfs/rustfs:1.0.0.alpha.68
+```
+
+您也可以使用 Docker Compose。使用根目录下的 `docker-compose.yml` 文件：
+
+```bash
+docker compose --profile observability up -d
+```
+
+**注意**: 我们建议您在运行前查看 `docker-compose.yaml` 文件。该文件定义了包括 Grafana、Prometheus 和 Jaeger 在内的多个服务，有助于 RustFS 的可观测性监控。如果您还想启动 Redis 或 Nginx 容器，可以指定相应的 profile。
+
+### 3\. 源码编译 (选项 3) - 进阶用户
+
+适用于希望从源码构建支持多架构 RustFS Docker 镜像的开发者：
+
+```bash
+# 在本地构建多架构镜像
+./docker-buildx.sh --build-arg RELEASE=latest
+
+# 构建并推送到仓库
+./docker-buildx.sh --push
+
+# 构建指定版本
+./docker-buildx.sh --release v1.0.0 --push
+
+# 构建并推送到自定义仓库
+./docker-buildx.sh --registry your-registry.com --namespace yourname --push
+```
+
+`docker-buildx.sh` 脚本支持：
+- **多架构构建**: `linux/amd64`, `linux/arm64`
+- **自动版本检测**: 使用 git tags 或 commit hash
+- **灵活的仓库支持**: 支持 Docker Hub, GitHub Container Registry 等
+- **构建优化**: 包含缓存和并行构建
+
+为了方便起见，您也可以使用 Make 命令：
+
+```bash
+make docker-buildx                    # 本地构建
+make docker-buildx-push               # 构建并推送
+make docker-buildx-version VERSION=v1.0.0  # 构建指定版本
+make help-docker                      # 显示所有 Docker 相关命令
+```
+
+> **注意 (macOS 交叉编译)**: macOS 默认的 `ulimit -n` 限制为 256，因此在使用 `cargo zigbuild` 或 `./build-rustfs.sh --platform ...` 交叉编译 Linux 版本时，可能会因 `ProcessFdQuotaExceeded` 失败。构建脚本会尝试自动提高限制，但如果您仍然看到警告，请在构建前在终端运行 `ulimit -n 4096` (或更高)。
+
+### 4\. 使用 Helm Chart 安装 (选项 4) - 云原生环境
+
+请按照 [Helm Chart README](https://charts.rustfs.com) 上的说明在 Kubernetes 集群上安装 RustFS。
+
+---
+
+### 访问 RustFS
+
+1. **访问控制台**: 打开浏览器并访问 `http://localhost:9000` 进入 RustFS 控制台。
+   - 默认账号/密码: `rustfsadmin` / `rustfsadmin`
+2. **创建存储桶**: 使用控制台为您​​的对象创建一个新的存储桶 (Bucket)。
+3. **上传对象**: 您可以直接通过控制台上传文件，或使用 S3 兼容的 API/客户端与您的 RustFS 实例进行交互。
+
+**注意**: 如果您希望通过 `https` 访问 RustFS 实例，请参考 [TLS 配置文档](https://docs.rustfs.com/integration/tls-configured.html)。
 
 ## 文档
 
-有关详细文档，包括配置选项、API 参考和高级用法，请访问我们的[文档](https://docs.rustfs.com)。
+有关详细文档，包括配置选项、API 参考和高级用法，请访问我们的 [官方文档](https://docs.rustfs.com)。
 
 ## 获取帮助
 
-如果您有任何问题或需要帮助，您可以：
+如果您有任何问题或需要帮助：
 
-- 查看[常见问题解答](https://github.com/rustfs/rustfs/discussions/categories/q-a)以获取常见问题和解决方案。
-- 加入我们的 [GitHub 讨论](https://github.com/rustfs/rustfs/discussions)来提问和分享您的经验。
-- 在我们的 [GitHub Issues](https://github.com/rustfs/rustfs/issues) 页面上开启问题，报告错误或功能请求。
+- 查看 [FAQ](https://github.com/rustfs/rustfs/discussions/categories/q-a) 寻找常见问题和解决方案。
+- 加入我们的 [GitHub Discussions](https://github.com/rustfs/rustfs/discussions) 提问并分享您的经验。
+- 在我们的 [GitHub Issues](https://github.com/rustfs/rustfs/issues) 页面提交 Bug 报告或功能请求。
 
 ## 链接
 
-- [文档](https://docs.rustfs.com) - 您应该阅读的手册
-- [更新日志](https://docs.rustfs.com/changelog) - 我们破坏和修复的内容
-- [GitHub 讨论](https://github.com/rustfs/rustfs/discussions) - 社区所在地
+- [官方文档](https://docs.rustfs.com) - 必读手册
+- [更新日志](https://github.com/rustfs/rustfs/releases) - 版本变更记录
+- [社区讨论](https://github.com/rustfs/rustfs/discussions) - 社区交流地
 
-## 联系
+## 联系方式
 
-- **错误报告**：[GitHub Issues](https://github.com/rustfs/rustfs/issues)
-- **商务合作**：<hello@rustfs.com>
-- **招聘**：<jobs@rustfs.com>
-- **一般讨论**：[GitHub 讨论](https://github.com/rustfs/rustfs/discussions)
-- **贡献**：[CONTRIBUTING.md](CONTRIBUTING.md)
+- **Bug 反馈**: [GitHub Issues](https://github.com/rustfs/rustfs/issues)
+- **商务合作**: [hello@rustfs.com](mailto:hello@rustfs.com)
+- **工作机会**: [jobs@rustfs.com](mailto:jobs@rustfs.com)
+- **一般讨论**: [GitHub Discussions](https://github.com/rustfs/rustfs/discussions)
+- **贡献指南**: [CONTRIBUTING.md](https://www.google.com/search?q=CONTRIBUTING.md)
 
 ## 贡献者
 
-RustFS 是一个社区驱动的项目，我们感谢所有的贡献。查看[贡献者](https://github.com/rustfs/rustfs/graphs/contributors)页面，了解帮助 RustFS 变得更好的杰出人员。
+RustFS 是一个社区驱动的项目，我们感谢所有的贡献。请查看 [贡献者](https://github.com/rustfs/rustfs/graphs/contributors) 页面，看看那些让 RustFS 变得更好的了不起的人们。
 
 <a href="https://github.com/rustfs/rustfs/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=rustfs/rustfs" />
-</a >
+<img src="https://opencollective.com/rustfs/contributors.svg?width=890&limit=500&button=false" alt="Contributors" />
+</a>
+
+## Star 历史
+
+[![Star History Chart](https://api.star-history.com/svg?repos=rustfs/rustfs&type=date&legend=top-left)](https://www.star-history.com/#rustfs/rustfs&type=date&legend=top-left)
 
 ## 许可证
 

SECURITY.md

@@ -1,18 +1,40 @@
 # Security Policy
 
+## Security Philosophy
+
+At RustFS, we take security seriously. We believe that **transparency leads to better security**. The more open our code is, the more eyes are on it, and the faster we can identify and resolve potential issues.
+
+We highly value the contributions of the security community and welcome anyone to audit our code. Your efforts help us make RustFS safer for everyone.
+
 ## Supported Versions
 
-Use this section to tell people about which versions of your project are
-currently being supported with security updates.
+To help us focus our security efforts, please refer to the table below to see which versions of RustFS are currently supported with security updates.
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 1.x.x   | :white_check_mark: |
+| Latest  | :white_check_mark: |
+| < 1.0   | :x:                |
 
 ## Reporting a Vulnerability
 
-Use this section to tell people how to report a vulnerability.
+If you discover a security vulnerability in RustFS, we appreciate your help in disclosing it to us responsibly.
 
-Tell them where to go, how often they can expect to get an update on a
-reported vulnerability, what to expect if the vulnerability is accepted or
-declined, etc.
+**Please do not open a public GitHub issue for security vulnerabilities.** Publicly disclosing a vulnerability can put the entire community at risk before a fix is available.
+
+### How to Report
+
+1. https://github.com/rustfs/rustfs/security/advisories/new
+2. Please email us directly at: **security@rustfs.com**
+
+In your email, please include:
+1.  **Description**: A detailed description of the vulnerability.
+2.  **Steps to Reproduce**: Steps or a script to reproduce the issue.
+3.  **Impact**: The potential impact of the vulnerability.
+
+### Our Response Process
+
+1.  **Acknowledgment**: We will acknowledge your email within 48 hours.
+2.  **Assessment**: We will investigate the issue and determine its severity.
+3.  **Fix & Disclosure**: We will work on a patch. Once the patch is released, we will publicly announce the vulnerability and acknowledge your contribution (unless you prefer to remain anonymous).
+
+Thank you for helping keep RustFS and its users safe!

_typos.toml

@@ -0,0 +1,49 @@
+[default]
+# # Ignore specific spell checking patterns
+# extend-ignore-identifiers-re = [
+#     # Ignore common patterns in base64 encoding and hash values
+#     "[A-Za-z0-9+/]{8,}={0,2}",  # base64 encoding
+#     "[A-Fa-f0-9]{8,}",          # hexadecimal hash
+#     "[A-Za-z0-9_-]{20,}",       # long random strings
+# ]
+
+# # Ignore specific regex patterns in content
+# extend-ignore-re = [
+#     # Ignore hash values and encoded strings (base64 patterns)
+#     "(?i)[A-Za-z0-9+/]{8,}={0,2}",
+#     # Ignore long strings in quotes (usually hash or base64)
+#     '"[A-Za-z0-9+/=_-]{8,}"',
+#     # Ignore IV values and similar cryptographic strings
+#     '"[A-Za-z0-9+/=]{12,}"',
+#     # Ignore cryptographic signatures and keys (including partial strings)
+#     "[A-Za-z0-9+/]{6,}[A-Za-z0-9+/=]*",
+#     # Ignore base64-like strings in comments (common in examples)
+#     "//.*[A-Za-z0-9+/]{8,}[A-Za-z0-9+/=]*",
+# ]
+extend-ignore-re = [
+    # Ignore long strings in quotes (usually hash or base64)
+    '"[A-Za-z0-9+/=_-]{32,}"',
+    # Ignore IV values and similar cryptographic strings
+    '"[A-Za-z0-9+/=]{12,}"',
+    # Ignore cryptographic signatures and keys (including partial strings)
+    "[A-Za-z0-9+/]{16,}[A-Za-z0-9+/=]*",
+]
+
+[default.extend-words]
+bui = "bui"
+typ = "typ"
+clen = "clen"
+datas = "datas"
+bre = "bre"
+abd = "abd"
+mak = "mak"
+gae = "gae"
+GAE = "GAE"
+# s3-tests original test names (cannot be changed)
+nonexisted = "nonexisted"
+consts = "consts"
+# Swift API - company/product names
+Hashi = "Hashi"  # HashiCorp
+
+[files]
+extend-exclude = []

build-rustfs.sh

@@ -0,0 +1,610 @@
+#!/usr/bin/env bash
+
+# RustFS Binary Build Script
+# This script compiles RustFS binaries for different platforms and architectures
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Auto-detect current platform
+detect_platform() {
+    local arch=$(uname -m)
+    local os=$(uname -s | tr '[:upper:]' '[:lower:]')
+
+    case "$os" in
+        "linux")
+            case "$arch" in
+                "x86_64")
+                    # Default to GNU for better compatibility
+                    echo "x86_64-unknown-linux-gnu"
+                    ;;
+                "aarch64"|"arm64")
+                    echo "aarch64-unknown-linux-gnu"
+                    ;;
+                "armv7l")
+                    echo "armv7-unknown-linux-gnueabihf"
+                    ;;
+                "loongarch64")
+                    echo "loongarch64-unknown-linux-gnu"
+                    ;;
+                *)
+                    echo "unknown-platform"
+                    ;;
+            esac
+            ;;
+        "darwin")
+            case "$arch" in
+                "x86_64")
+                    echo "x86_64-apple-darwin"
+                    ;;
+                "arm64"|"aarch64")
+                    echo "aarch64-apple-darwin"
+                    ;;
+                *)
+                    echo "unknown-platform"
+                    ;;
+            esac
+            ;;
+        *)
+            echo "unknown-platform"
+            ;;
+    esac
+}
+
+# Cross-platform SHA256 checksum generation
+generate_sha256() {
+    local file="$1"
+    local output_file="$2"
+    local os=$(uname -s | tr '[:upper:]' '[:lower:]')
+
+    case "$os" in
+        "linux")
+            if command -v sha256sum &> /dev/null; then
+                sha256sum "$file" > "$output_file"
+            elif command -v shasum &> /dev/null; then
+                shasum -a 256 "$file" > "$output_file"
+            else
+                print_message $RED "❌ No SHA256 command found (sha256sum or shasum)"
+                return 1
+            fi
+            ;;
+        "darwin")
+            if command -v shasum &> /dev/null; then
+                shasum -a 256 "$file" > "$output_file"
+            elif command -v sha256sum &> /dev/null; then
+                sha256sum "$file" > "$output_file"
+            else
+                print_message $RED "❌ No SHA256 command found (shasum or sha256sum)"
+                return 1
+            fi
+            ;;
+        *)
+            # Try common commands in order
+            if command -v sha256sum &> /dev/null; then
+                sha256sum "$file" > "$output_file"
+            elif command -v shasum &> /dev/null; then
+                shasum -a 256 "$file" > "$output_file"
+            else
+                print_message $RED "❌ No SHA256 command found"
+                return 1
+            fi
+            ;;
+    esac
+}
+
+# Default values
+OUTPUT_DIR="target/release"
+PLATFORM=$(detect_platform)  # Auto-detect current platform
+BINARY_NAME="rustfs"
+BUILD_TYPE="release"
+SIGN=false
+WITH_CONSOLE=true
+FORCE_CONSOLE_UPDATE=false
+CONSOLE_VERSION="latest"
+SKIP_VERIFICATION=false
+CUSTOM_PLATFORM=""
+
+# Print usage
+usage() {
+    echo "Usage: $0 [OPTIONS]"
+    echo ""
+    echo "Description:"
+    echo "  Build RustFS binary for the current platform. Designed for CI/CD pipelines"
+    echo "  where different runners build platform-specific binaries natively."
+    echo "  Includes automatic verification to ensure the built binary is functional."
+    echo ""
+    echo "Options:"
+    echo "  -o, --output-dir DIR       Output directory (default: target/release)"
+    echo "  -b, --binary-name NAME     Binary name (default: rustfs)"
+    echo "  -p, --platform TARGET      Target platform (default: auto-detect)"
+    echo "                              Supported platforms:"
+    echo "                                x86_64-unknown-linux-gnu"
+    echo "                                aarch64-unknown-linux-gnu"
+    echo "                                loongarch64-unknown-linux-gnu"
+    echo "                                armv7-unknown-linux-gnueabihf"
+    echo "                                x86_64-unknown-linux-musl"
+    echo "                                aarch64-unknown-linux-musl"
+    echo "                                armv7-unknown-linux-musleabihf"
+    echo "                                x86_64-apple-darwin"
+    echo "                                aarch64-apple-darwin"
+    echo "                                x86_64-pc-windows-msvc"
+    echo "                                aarch64-pc-windows-msvc"
+    echo "  --dev                      Build in dev mode"
+    echo "  --sign                     Sign binaries after build"
+    echo "  --with-console             Download console static assets (default)"
+    echo "  --no-console               Skip console static assets"
+    echo "  --force-console-update     Force update console assets even if they exist"
+    echo "  --console-version VERSION  Console version to download (default: latest)"
+    echo "  --skip-verification        Skip binary verification after build"
+    echo "  -h, --help                 Show this help message"
+    echo ""
+    echo "Examples:"
+    echo "  $0                         # Build for current platform (includes console assets)"
+    echo "  $0 --dev                   # Development build"
+    echo "  $0 --sign                  # Build and sign binary (release CI)"
+    echo "  $0 --no-console            # Build without console static assets"
+    echo "  $0 --force-console-update  # Force update console assets"
+    echo "  $0 --platform x86_64-unknown-linux-musl  # Build for specific platform"
+    echo "  $0 --skip-verification     # Skip binary verification (for cross-compilation)"
+    echo ""
+    echo "Detected platform: $(detect_platform)"
+    echo "CI Usage: Run this script on each platform's runner to build native binaries"
+}
+
+# Print colored message
+print_message() {
+    local color=$1
+    local message=$2
+    echo -e "${color}${message}${NC}"
+}
+
+# Prevent zig/ld from hitting macOS file descriptor defaults during linking
+ensure_file_descriptor_limit() {
+    local required_limit=4096
+    local current_limit
+    current_limit=$(ulimit -Sn 2>/dev/null || echo "")
+
+    if [ -z "$current_limit" ] || [ "$current_limit" = "unlimited" ]; then
+        return
+    fi
+
+    if (( current_limit >= required_limit )); then
+        return
+    fi
+
+    local hard_limit target_limit
+    hard_limit=$(ulimit -Hn 2>/dev/null || echo "")
+    target_limit=$required_limit
+
+    if [ -n "$hard_limit" ] && [ "$hard_limit" != "unlimited" ] && (( hard_limit < required_limit )); then
+        target_limit=$hard_limit
+    fi
+
+    if ulimit -Sn "$target_limit" 2>/dev/null; then
+        print_message $YELLOW "🔧 Increased open file limit from $current_limit to $target_limit to avoid ProcessFdQuotaExceeded"
+    else
+        print_message $YELLOW "⚠️ Unable to raise ulimit -n automatically (current: $current_limit, needed: $required_limit). Please run 'ulimit -n $required_limit' manually before building."
+    fi
+}
+
+# Get version from git
+get_version() {
+    if git describe --abbrev=0 --tags >/dev/null 2>&1; then
+        git describe --abbrev=0 --tags
+    else
+        git rev-parse --short HEAD
+    fi
+}
+
+# Setup rust environment
+setup_rust_environment() {
+    print_message $BLUE "🔧 Setting up Rust environment..."
+
+    # Install required target for current platform
+    print_message $YELLOW "Installing target: $PLATFORM"
+    rustup target add "$PLATFORM"
+
+    # Set up environment variables for musl targets
+    if [[ "$PLATFORM" == *"musl"* ]]; then
+        print_message $YELLOW "Setting up environment for musl target..."
+        export RUSTFLAGS="-C target-feature=-crt-static"
+
+        # For cargo-zigbuild, set up additional environment variables
+        if command -v cargo-zigbuild &> /dev/null; then
+            print_message $YELLOW "Configuring cargo-zigbuild for musl target..."
+
+            # Set environment variables for better musl support
+            export CC_x86_64_unknown_linux_musl="zig cc -target x86_64-linux-musl"
+            export CXX_x86_64_unknown_linux_musl="zig c++ -target x86_64-linux-musl"
+            export AR_x86_64_unknown_linux_musl="zig ar"
+            export CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER="zig cc -target x86_64-linux-musl"
+
+            export CC_aarch64_unknown_linux_musl="zig cc -target aarch64-linux-musl"
+            export CXX_aarch64_unknown_linux_musl="zig c++ -target aarch64-linux-musl"
+            export AR_aarch64_unknown_linux_musl="zig ar"
+            export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER="zig cc -target aarch64-linux-musl"
+
+            # Set environment variables for zstd-sys to avoid target parsing issues
+            export ZSTD_SYS_USE_PKG_CONFIG=1
+            export PKG_CONFIG_ALLOW_CROSS=1
+        fi
+    fi
+
+    # Install required tools
+    if [ "$SIGN" = true ]; then
+        if ! command -v minisign &> /dev/null; then
+            print_message $YELLOW "Installing minisign for binary signing..."
+            cargo install minisign
+        fi
+    fi
+}
+
+# Download console static assets
+download_console_assets() {
+    local static_dir="rustfs/static"
+    local console_exists=false
+
+    # Check if console assets already exist
+    if [ -d "$static_dir" ] && [ -f "$static_dir/index.html" ]; then
+        console_exists=true
+        local static_size=$(du -sh "$static_dir" 2>/dev/null | cut -f1 || echo "unknown")
+        print_message $YELLOW "Console static assets already exist ($static_size)"
+    fi
+
+    # Determine if we need to download
+    local should_download=false
+    if [ "$WITH_CONSOLE" = true ]; then
+        if [ "$console_exists" = false ]; then
+            print_message $BLUE "🎨 Console assets not found, downloading..."
+            should_download=true
+        elif [ "$FORCE_CONSOLE_UPDATE" = true ]; then
+            print_message $BLUE "🎨 Force updating console assets..."
+            should_download=true
+        else
+            print_message $GREEN "✅ Console assets already available, skipping download"
+        fi
+    else
+        if [ "$console_exists" = true ]; then
+            print_message $GREEN "✅ Using existing console assets"
+        else
+            print_message $YELLOW "⚠️  Console assets not found. Use --download-console to download them."
+        fi
+    fi
+
+    if [ "$should_download" = true ]; then
+        print_message $BLUE "📥 Downloading console static assets..."
+
+        # Create static directory
+        mkdir -p "$static_dir"
+
+        # Download from GitHub Releases (consistent with Docker build)
+        local download_url
+        if [ "$CONSOLE_VERSION" = "latest" ]; then
+            print_message $YELLOW "Getting latest console release info..."
+            # For now, use dl.rustfs.com as fallback until GitHub Releases includes console assets
+            download_url="https://dl.rustfs.com/artifacts/console/rustfs-console-latest.zip"
+        else
+            download_url="https://dl.rustfs.com/artifacts/console/rustfs-console-${CONSOLE_VERSION}.zip"
+        fi
+
+        print_message $YELLOW "Downloading from: $download_url"
+
+        # Download with retries
+        local temp_file="console-assets-temp.zip"
+        local download_success=false
+
+        for i in {1..3}; do
+            if curl -L "$download_url" -o "$temp_file" --retry 3 --retry-delay 5 --max-time 300; then
+                download_success=true
+                break
+            else
+                print_message $YELLOW "Download attempt $i failed, retrying..."
+                sleep 2
+            fi
+        done
+
+        if [ "$download_success" = true ]; then
+            # Verify the downloaded file
+            if [ -f "$temp_file" ] && [ -s "$temp_file" ]; then
+                print_message $BLUE "📦 Extracting console assets..."
+
+                # Extract to static directory
+                if unzip -o "$temp_file" -d "$static_dir"; then
+                    rm "$temp_file"
+                    local final_size=$(du -sh "$static_dir" 2>/dev/null | cut -f1 || echo "unknown")
+                    print_message $GREEN "✅ Console assets downloaded successfully ($final_size)"
+                else
+                    print_message $RED "❌ Failed to extract console assets"
+                    rm -f "$temp_file"
+                    return 1
+                fi
+            else
+                print_message $RED "❌ Downloaded file is empty or invalid"
+                rm -f "$temp_file"
+                return 1
+            fi
+        else
+            print_message $RED "❌ Failed to download console assets after 3 attempts"
+            print_message $YELLOW "💡 Console assets are optional. Build will continue without them."
+            rm -f "$temp_file"
+        fi
+    fi
+}
+
+# Verify binary functionality
+verify_binary() {
+    local binary_path="$1"
+
+    # Check if binary exists
+    if [ ! -f "$binary_path" ]; then
+        print_message $RED "❌ Binary file not found: $binary_path"
+        return 1
+    fi
+
+    # Check if binary is executable
+    if [ ! -x "$binary_path" ]; then
+        print_message $RED "❌ Binary is not executable: $binary_path"
+        return 1
+    fi
+
+    # Check basic functionality - try to run help command
+    print_message $YELLOW "   Testing --help command..."
+    if ! "$binary_path" --help >/dev/null 2>&1; then
+        print_message $RED "❌ Binary failed to run --help command"
+        return 1
+    fi
+
+    # Check version command
+    print_message $YELLOW "   Testing --version command..."
+    if ! "$binary_path" --version >/dev/null 2>&1; then
+        print_message $YELLOW "⚠️  Binary does not support --version command (this is optional)"
+    fi
+
+    # Try to get some basic info about the binary
+    local file_info=$(file "$binary_path" 2>/dev/null || echo "unknown")
+    print_message $YELLOW "   Binary info: $file_info"
+
+    # Check if it's a valid ELF/Mach-O binary
+    if command -v readelf >/dev/null 2>&1; then
+        if readelf -h "$binary_path" >/dev/null 2>&1; then
+            print_message $YELLOW "   ELF binary structure: valid"
+        fi
+    elif command -v otool >/dev/null 2>&1; then
+        if otool -h "$binary_path" >/dev/null 2>&1; then
+            print_message $YELLOW "   Mach-O binary structure: valid"
+        fi
+    fi
+
+    return 0
+}
+
+# Build binary for current platform
+build_binary() {
+    local version=$(get_version)
+    local output_file="${OUTPUT_DIR}/${PLATFORM}/${BINARY_NAME}"
+
+    print_message $BLUE "🏗️  Building for platform: $PLATFORM"
+    print_message $YELLOW "   Version: $version"
+    print_message $YELLOW "   Output: $output_file"
+
+    # Create output directory
+    mkdir -p "${OUTPUT_DIR}/${PLATFORM}"
+
+    # Simple build logic matching the working version (4fb4b353)
+    # Force rebuild by touching build.rs
+    touch rustfs/build.rs
+
+    # Determine build command based on platform and cross-compilation needs
+    local build_cmd=""
+    local current_platform=$(detect_platform)
+
+    print_message $BLUE "📦 Using working version build logic..."
+
+    # Check if we need cross-compilation
+    if [ "$PLATFORM" != "$current_platform" ]; then
+        # Cross-compilation needed
+        if [[ "$PLATFORM" == *"apple-darwin"* ]]; then
+            print_message $RED "❌ macOS cross-compilation not supported"
+            print_message $YELLOW "💡 macOS targets must be built natively on macOS runners"
+            return 1
+        elif [[ "$PLATFORM" == *"windows"* ]]; then
+            # Use cross for Windows ARM64
+            if ! command -v cross &> /dev/null; then
+                print_message $YELLOW "📦 Installing cross tool..."
+                cargo install cross --git https://github.com/cross-rs/cross
+            fi
+            build_cmd="cross build"
+        else
+            # Use zigbuild for Linux ARM64 (matches working version)
+            if ! command -v cargo-zigbuild &> /dev/null; then
+                print_message $RED "❌ cargo-zigbuild not found. Please install it first."
+                return 1
+            fi
+            build_cmd="cargo zigbuild"
+        fi
+    else
+        # Native compilation
+        build_cmd="RUSTFLAGS=-Clink-arg=-lm cargo build"
+    fi
+
+    if [ "$BUILD_TYPE" = "release" ]; then
+        build_cmd+=" --release"
+    fi
+
+    build_cmd+=" --target $PLATFORM"
+    build_cmd+=" -p rustfs --bins"
+
+    print_message $BLUE "📦 Executing: $build_cmd"
+
+    # Execute build (this matches exactly what the working version does)
+    if eval $build_cmd; then
+        print_message $GREEN "✅ Successfully built for $PLATFORM"
+
+        # Copy binary to output directory
+        cp "target/${PLATFORM}/${BUILD_TYPE}/${BINARY_NAME}" "$output_file"
+
+        # Generate checksums
+        print_message $BLUE "🔐 Generating checksums..."
+        (cd "${OUTPUT_DIR}/${PLATFORM}" && generate_sha256 "${BINARY_NAME}" "${BINARY_NAME}.sha256sum")
+
+        # Verify binary functionality (if not skipped)
+        if [ "$SKIP_VERIFICATION" = false ]; then
+            print_message $BLUE "🔍 Verifying binary functionality..."
+            if verify_binary "$output_file"; then
+                print_message $GREEN "✅ Binary verification passed"
+            else
+                print_message $RED "❌ Binary verification failed"
+                return 1
+            fi
+        else
+            print_message $YELLOW "⚠️  Binary verification skipped by user request"
+        fi
+
+        # Sign binary if requested
+        if [ "$SIGN" = true ]; then
+            print_message $BLUE "✍️  Signing binary..."
+            (cd "${OUTPUT_DIR}/${PLATFORM}" && minisign -S -m "${BINARY_NAME}" -s ~/.minisign/minisign.key)
+        fi
+
+        print_message $GREEN "✅ Build completed successfully"
+    else
+        print_message $RED "❌ Failed to build for $PLATFORM"
+        return 1
+    fi
+}
+
+
+
+# Main build function
+build_rustfs() {
+    local version=$(get_version)
+
+    print_message $BLUE "🚀 Starting RustFS binary build process..."
+    print_message $YELLOW "   Version: $version"
+    print_message $YELLOW "   Platform: $PLATFORM"
+    print_message $YELLOW "   Output Directory: $OUTPUT_DIR"
+    print_message $YELLOW "   Build Type: $BUILD_TYPE"
+    print_message $YELLOW "   Sign: $SIGN"
+    print_message $YELLOW "   With Console: $WITH_CONSOLE"
+    if [ "$WITH_CONSOLE" = true ]; then
+        print_message $YELLOW "   Console Version: $CONSOLE_VERSION"
+        print_message $YELLOW "   Force Console Update: $FORCE_CONSOLE_UPDATE"
+    fi
+    print_message $YELLOW "   Skip Verification: $SKIP_VERIFICATION"
+    echo ""
+
+    # Setup environment
+    setup_rust_environment
+    echo ""
+
+    # Download console assets if requested
+    download_console_assets
+    echo ""
+
+    # Build binary
+    build_binary
+    echo ""
+
+    print_message $GREEN "🎉 Build process completed successfully!"
+
+    # Show built binary
+    local binary_file="${OUTPUT_DIR}/${PLATFORM}/${BINARY_NAME}"
+    if [ -f "$binary_file" ]; then
+        local size=$(ls -lh "$binary_file" | awk '{print $5}')
+        print_message $BLUE "📋 Built binary: $binary_file ($size)"
+    fi
+}
+
+# Parse command line arguments
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        -o|--output-dir)
+            OUTPUT_DIR="$2"
+            shift 2
+            ;;
+        -b|--binary-name)
+            BINARY_NAME="$2"
+            shift 2
+            ;;
+        -p|--platform)
+            CUSTOM_PLATFORM="$2"
+            shift 2
+            ;;
+        --dev)
+            BUILD_TYPE="debug"
+            shift
+            ;;
+        --sign)
+            SIGN=true
+            shift
+            ;;
+        --with-console)
+            WITH_CONSOLE=true
+            shift
+            ;;
+        --no-console)
+            WITH_CONSOLE=false
+            shift
+            ;;
+        --force-console-update)
+            FORCE_CONSOLE_UPDATE=true
+            WITH_CONSOLE=true  # Auto-enable download when forcing update
+            shift
+            ;;
+        --console-version)
+            CONSOLE_VERSION="$2"
+            shift 2
+            ;;
+        --skip-verification)
+            SKIP_VERIFICATION=true
+            shift
+            ;;
+        -h|--help)
+            usage
+            exit 0
+            ;;
+        *)
+            print_message $RED "❌ Unknown option: $1"
+            usage
+            exit 1
+            ;;
+    esac
+done
+
+# Main execution
+main() {
+    print_message $BLUE "🦀 RustFS Binary Build Script"
+    echo ""
+
+    # Check if we're in a Rust project
+    if [ ! -f "Cargo.toml" ]; then
+        print_message $RED "❌ No Cargo.toml found. Are you in a Rust project directory?"
+        exit 1
+    fi
+
+    # Override platform if specified
+    if [ -n "$CUSTOM_PLATFORM" ]; then
+        PLATFORM="$CUSTOM_PLATFORM"
+        print_message $YELLOW "🎯 Using specified platform: $PLATFORM"
+
+        # Auto-enable skip verification for cross-compilation
+        if [ "$PLATFORM" != "$(detect_platform)" ]; then
+            SKIP_VERIFICATION=true
+            print_message $YELLOW "⚠️  Cross-compilation detected, enabling --skip-verification"
+        fi
+    fi
+
+    ensure_file_descriptor_limit
+
+    # Start build process
+    build_rustfs
+}
+
+# Run main function
+main

cli/rustfs-gui/Dioxus.toml

@@ -1,52 +0,0 @@
-[application]
-
-# App (Project) Name
-name = "rustfs-gui"
-
-# The static resource path
-asset_dir = "public"
-
-[web.app]
-
-# HTML title tag content
-title = "rustfs-gui"
-
-# include `assets` in web platform
-[web.resource]
-
-# Additional CSS style files
-style = []
-
-# Additional JavaScript files
-script = []
-
-[web.resource.dev]
-
-# Javascript code file
-# serve: [dev-server] only
-script = []
-
-[bundle]
-identifier = "com.rustfs.cli.gui"
-
-publisher = "RustFsGUI"
-
-category = "Utility"
-
-copyright = "Copyright 2025 rustfs.com"
-
-icon = [
-    "assets/icons/icon.icns",
-    "assets/icons/icon.ico",
-    "assets/icons/icon.png",
-    "assets/icons/rustfs-icon.png",
-]
-#[bundle.macos]
-#provider_short_name = "RustFs"
-[bundle.windows]
-tsp = true
-icon_path = "assets/icons/icon.ico"
-allow_downgrades = true
-[bundle.windows.webview_install_mode]
-[bundle.windows.webview_install_mode.EmbedBootstrapper]
-silent = true

cli/rustfs-gui/README.md

@@ -1,34 +0,0 @@
-## Rustfs GUI
-
-### Tailwind
-
-1. Install npm: https://docs.npmjs.com/downloading-and-installing-node-js-and-npm
-2. Install the Tailwind CSS CLI: https://tailwindcss.com/docs/installation
-3. Run the following command in the root of the project to start the Tailwind CSS compiler:
-
-```bash
-npx tailwindcss -i ./input.css -o ./assets/tailwind.css --watch
-```
-
-### Dioxus CLI
-
-#### Install the stable version (recommended)
-
-```shell
-cargo install dioxus-cli
-```
-
-### Serving Your App
-
-Run the following command in the root of your project to start developing with the default platform:
-
-```bash
-dx serve
-```
-
-To run for a different platform, use the `--platform platform` flag. E.g.
-
-```bash
-dx serve --platform desktop
-```
-