mirror of
https://github.com/rustfs/rustfs.git
synced 2026-01-17 01:30:33 +00:00
29c004d935
* Initial plan * feat: implement console service separation from endpoint Co-authored-by: houseme <4829346+houseme@users.noreply.github.com> * feat: add console separation documentation and tests Co-authored-by: houseme <4829346+houseme@users.noreply.github.com> * feat: enhance console separation with configurable CORS and improved Docker support Co-authored-by: houseme <4829346+houseme@users.noreply.github.com> * feat: implement enhanced console separation with security hardening and monitoring Co-authored-by: houseme <4829346+houseme@users.noreply.github.com> * refactor: implement console TLS following endpoint logic and improve configuration Co-authored-by: houseme <4829346+houseme@users.noreply.github.com> * add tower-http feature "timeout|limit" * add dependencies crates `axum-server` * refactor: reconstruct console server with enhanced tower-http features and environment variables Co-authored-by: houseme <4829346+houseme@users.noreply.github.com> * upgrade dep * improve code for dns and console port `:9001` * improve code * fix * docs: comprehensive improvement of console separation documentation and Docker deployment standards Co-authored-by: houseme <4829346+houseme@users.noreply.github.com> * fmt * add logs * improve code for Config handler * remove logs * fix --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: houseme <4829346+houseme@users.noreply.github.com> Co-authored-by: houseme <housemecn@gmail.com>
207 lines
5.7 KiB
Bash
Executable File
207 lines
5.7 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# RustFS Enhanced Security Deployment Script
|
|
# This script demonstrates production-ready deployment with enhanced security features
|
|
|
|
set -e
|
|
|
|
# Configuration
|
|
RUSTFS_IMAGE="${RUSTFS_IMAGE:-rustfs/rustfs:latest}"
|
|
CONTAINER_NAME="${CONTAINER_NAME:-rustfs-secure}"
|
|
DATA_DIR="${DATA_DIR:-./data}"
|
|
CERTS_DIR="${CERTS_DIR:-./certs}"
|
|
CONSOLE_PORT="${CONSOLE_PORT:-9443}"
|
|
API_PORT="${API_PORT:-9000}"
|
|
|
|
# Colors for output
|
|
RED='\033[0;31m'
|
|
GREEN='\033[0;32m'
|
|
YELLOW='\033[1;33m'
|
|
BLUE='\033[0;34m'
|
|
NC='\033[0m' # No Color
|
|
|
|
log() {
|
|
echo -e "${BLUE}[INFO]${NC} $1"
|
|
}
|
|
|
|
warn() {
|
|
echo -e "${YELLOW}[WARN]${NC} $1"
|
|
}
|
|
|
|
error() {
|
|
echo -e "${RED}[ERROR]${NC} $1"
|
|
exit 1
|
|
}
|
|
|
|
success() {
|
|
echo -e "${GREEN}[SUCCESS]${NC} $1"
|
|
}
|
|
|
|
# Check if Docker is available
|
|
check_docker() {
|
|
if ! command -v docker &> /dev/null; then
|
|
error "Docker is not installed or not in PATH"
|
|
fi
|
|
log "Docker is available"
|
|
}
|
|
|
|
# Generate TLS certificates for console
|
|
generate_certs() {
|
|
if [[ ! -d "$CERTS_DIR" ]]; then
|
|
mkdir -p "$CERTS_DIR"
|
|
log "Created certificates directory: $CERTS_DIR"
|
|
fi
|
|
|
|
if [[ ! -f "$CERTS_DIR/console.crt" ]] || [[ ! -f "$CERTS_DIR/console.key" ]]; then
|
|
log "Generating TLS certificates for console..."
|
|
openssl req -x509 -newkey rsa:4096 \
|
|
-keyout "$CERTS_DIR/console.key" \
|
|
-out "$CERTS_DIR/console.crt" \
|
|
-days 365 -nodes \
|
|
-subj "/C=US/ST=CA/L=SF/O=RustFS/CN=localhost"
|
|
|
|
chmod 600 "$CERTS_DIR/console.key"
|
|
chmod 644 "$CERTS_DIR/console.crt"
|
|
success "TLS certificates generated"
|
|
else
|
|
log "TLS certificates already exist"
|
|
fi
|
|
}
|
|
|
|
# Create data directory
|
|
create_data_dir() {
|
|
if [[ ! -d "$DATA_DIR" ]]; then
|
|
mkdir -p "$DATA_DIR"
|
|
log "Created data directory: $DATA_DIR"
|
|
fi
|
|
}
|
|
|
|
# Generate secure credentials
|
|
generate_credentials() {
|
|
if [[ -z "$RUSTFS_ACCESS_KEY" ]]; then
|
|
export RUSTFS_ACCESS_KEY="admin-$(openssl rand -hex 8)"
|
|
log "Generated access key: $RUSTFS_ACCESS_KEY"
|
|
fi
|
|
|
|
if [[ -z "$RUSTFS_SECRET_KEY" ]]; then
|
|
export RUSTFS_SECRET_KEY="$(openssl rand -hex 32)"
|
|
log "Generated secret key: [HIDDEN]"
|
|
fi
|
|
|
|
# Save credentials to .env file
|
|
cat > .env << EOF
|
|
RUSTFS_ACCESS_KEY=$RUSTFS_ACCESS_KEY
|
|
RUSTFS_SECRET_KEY=$RUSTFS_SECRET_KEY
|
|
EOF
|
|
chmod 600 .env
|
|
success "Credentials saved to .env file"
|
|
}
|
|
|
|
# Stop existing container
|
|
stop_existing() {
|
|
if docker ps -a --format "table {{.Names}}" | grep -q "^$CONTAINER_NAME\$"; then
|
|
log "Stopping existing container: $CONTAINER_NAME"
|
|
docker stop "$CONTAINER_NAME" 2>/dev/null || true
|
|
docker rm "$CONTAINER_NAME" 2>/dev/null || true
|
|
fi
|
|
}
|
|
|
|
# Deploy RustFS with enhanced security
|
|
deploy_rustfs() {
|
|
log "Deploying RustFS with enhanced security..."
|
|
|
|
docker run -d \
|
|
--name "$CONTAINER_NAME" \
|
|
--restart unless-stopped \
|
|
-p "$CONSOLE_PORT:9001" \
|
|
-p "$API_PORT:9000" \
|
|
-v "$(pwd)/$DATA_DIR:/data" \
|
|
-v "$(pwd)/$CERTS_DIR:/certs:ro" \
|
|
-e RUSTFS_CONSOLE_TLS_ENABLE=true \
|
|
-e RUSTFS_CONSOLE_TLS_CERT=/certs/console.crt \
|
|
-e RUSTFS_CONSOLE_TLS_KEY=/certs/console.key \
|
|
-e RUSTFS_CONSOLE_RATE_LIMIT_ENABLE=true \
|
|
-e RUSTFS_CONSOLE_RATE_LIMIT_RPM=60 \
|
|
-e RUSTFS_CONSOLE_AUTH_TIMEOUT=1800 \
|
|
-e RUSTFS_CONSOLE_CORS_ALLOWED_ORIGINS="https://localhost:$CONSOLE_PORT" \
|
|
-e RUSTFS_CORS_ALLOWED_ORIGINS="http://localhost:$API_PORT" \
|
|
-e RUSTFS_ACCESS_KEY="$RUSTFS_ACCESS_KEY" \
|
|
-e RUSTFS_SECRET_KEY="$RUSTFS_SECRET_KEY" \
|
|
-e RUSTFS_EXTERNAL_ADDRESS=":$API_PORT" \
|
|
"$RUSTFS_IMAGE" /data
|
|
|
|
# Wait for container to start
|
|
sleep 5
|
|
|
|
if docker ps --format "table {{.Names}}" | grep -q "^$CONTAINER_NAME\$"; then
|
|
success "RustFS deployed successfully"
|
|
else
|
|
error "Failed to deploy RustFS"
|
|
fi
|
|
}
|
|
|
|
# Check service health
|
|
check_health() {
|
|
log "Checking service health..."
|
|
|
|
# Check console health
|
|
if curl -k -s "https://localhost:$CONSOLE_PORT/health" | jq -e '.status == "ok"' > /dev/null 2>&1; then
|
|
success "Console service is healthy"
|
|
else
|
|
warn "Console service health check failed"
|
|
fi
|
|
|
|
# Check API health
|
|
if curl -s "http://localhost:$API_PORT/health" | jq -e '.status == "ok"' > /dev/null 2>&1; then
|
|
success "API service is healthy"
|
|
else
|
|
warn "API service health check failed"
|
|
fi
|
|
}
|
|
|
|
# Display access information
|
|
show_access_info() {
|
|
echo
|
|
echo "=========================================="
|
|
echo " RustFS Access Information"
|
|
echo "=========================================="
|
|
echo
|
|
echo "🌐 Console (HTTPS): https://localhost:$CONSOLE_PORT/rustfs/console/"
|
|
echo "🔧 API Endpoint: http://localhost:$API_PORT"
|
|
echo "🏥 Console Health: https://localhost:$CONSOLE_PORT/health"
|
|
echo "🏥 API Health: http://localhost:$API_PORT/health"
|
|
echo
|
|
echo "🔐 Credentials:"
|
|
echo " Access Key: $RUSTFS_ACCESS_KEY"
|
|
echo " Secret Key: [Check .env file]"
|
|
echo
|
|
echo "📝 Logs: docker logs $CONTAINER_NAME"
|
|
echo "🛑 Stop: docker stop $CONTAINER_NAME"
|
|
echo
|
|
echo "⚠️ Note: Console uses self-signed certificate"
|
|
echo " Accept the certificate warning in your browser"
|
|
echo
|
|
}
|
|
|
|
# Main deployment flow
|
|
main() {
|
|
log "Starting RustFS Enhanced Security Deployment"
|
|
|
|
check_docker
|
|
create_data_dir
|
|
generate_certs
|
|
generate_credentials
|
|
stop_existing
|
|
deploy_rustfs
|
|
|
|
# Wait a bit for services to start
|
|
sleep 10
|
|
|
|
check_health
|
|
show_access_info
|
|
|
|
success "Deployment completed successfully!"
|
|
}
|
|
|
|
# Run main function
|
|
main "$@" |