|
|
|
/*
|
|
|
|
* MinIO Cloud Storage, (C) 2015, 2016, 2017, 2018 MinIO, Inc.
|
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
package cmd
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/x509"
|
|
|
|
"net/http"
|
|
|
|
"os"
|
|
|
|
"sync"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/minio/minio-go/v7/pkg/set"
|
|
|
|
"github.com/minio/minio/pkg/bucket/bandwidth"
|
|
|
|
|
|
|
|
humanize "github.com/dustin/go-humanize"
|
|
|
|
"github.com/minio/minio/cmd/config/cache"
|
|
|
|
"github.com/minio/minio/cmd/config/compress"
|
|
|
|
"github.com/minio/minio/cmd/config/dns"
|
|
|
|
xldap "github.com/minio/minio/cmd/config/identity/ldap"
|
|
|
|
"github.com/minio/minio/cmd/config/identity/openid"
|
|
|
|
"github.com/minio/minio/cmd/config/policy/opa"
|
|
|
|
"github.com/minio/minio/cmd/config/storageclass"
|
|
|
|
"github.com/minio/minio/cmd/crypto"
|
|
|
|
xhttp "github.com/minio/minio/cmd/http"
|
|
|
|
"github.com/minio/minio/pkg/auth"
|
|
|
|
etcd "go.etcd.io/etcd/clientv3"
|
|
|
|
|
|
|
|
"github.com/minio/minio/pkg/certs"
|
|
|
|
"github.com/minio/minio/pkg/event"
|
|
|
|
"github.com/minio/minio/pkg/pubsub"
|
|
|
|
)
|
config/main: Re-write config files - add to new config v3
- New config format.
```
{
"version": "3",
"address": ":9000",
"backend": {
"type": "fs",
"disk": "/path"
},
"credential": {
"accessKey": "WLGDGYAQYIGI833EV05A",
"secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF"
},
"region": "us-east-1",
"logger": {
"file": {
"enable": false,
"fileName": "",
"level": "error"
},
"syslog": {
"enable": false,
"address": "",
"level": "debug"
},
"console": {
"enable": true,
"level": "fatal"
}
}
}
```
New command lines in lieu of supporting XL.
Minio initialize filesystem backend.
~~~
$ minio init fs <path>
~~~
Minio initialize XL backend.
~~~
$ minio init xl <url1>...<url16>
~~~
For 'fs' backend it starts the server.
~~~
$ minio server
~~~
For 'xl' backend it waits for servers to join.
~~~
$ minio server
... [PROGRESS BAR] of servers connecting
~~~
Now on other servers execute 'join' and they connect.
~~~
....
minio join <url1> -- from <url2> && minio server
minio join <url1> -- from <url3> && minio server
...
...
minio join <url1> -- from <url16> && minio server
~~~
9 years ago
|
|
|
|
|
|
|
// minio configuration related constants.
|
|
|
|
const (
|
|
|
|
GlobalMinioDefaultPort = "9000"
|
|
|
|
|
|
|
|
globalMinioDefaultRegion = ""
|
|
|
|
// This is a sha256 output of ``arn:aws:iam::minio:user/admin``,
|
|
|
|
// this is kept in present form to be compatible with S3 owner ID
|
|
|
|
// requirements -
|
|
|
|
//
|
|
|
|
// ```
|
|
|
|
// The canonical user ID is the Amazon S3–only concept.
|
|
|
|
// It is 64-character obfuscated version of the account ID.
|
|
|
|
// ```
|
|
|
|
// http://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example4.html
|
|
|
|
globalMinioDefaultOwnerID = "02d6176db174dc93cb1b899f7c6078f08654445fe8cf1b6ce98d8855f66bdbf4"
|
|
|
|
globalMinioDefaultStorageClass = "STANDARD"
|
|
|
|
globalWindowsOSName = "windows"
|
|
|
|
globalMacOSName = "darwin"
|
|
|
|
globalMinioModeFS = "mode-server-fs"
|
|
|
|
globalMinioModeErasure = "mode-server-xl"
|
|
|
|
globalMinioModeDistErasure = "mode-server-distributed-xl"
|
|
|
|
globalMinioModeGatewayPrefix = "mode-gateway-"
|
|
|
|
globalDirSuffix = "__XLDIR__"
|
|
|
|
globalDirSuffixWithSlash = globalDirSuffix + slashSeparator
|
|
|
|
|
|
|
|
// Add new global values here.
|
config/main: Re-write config files - add to new config v3
- New config format.
```
{
"version": "3",
"address": ":9000",
"backend": {
"type": "fs",
"disk": "/path"
},
"credential": {
"accessKey": "WLGDGYAQYIGI833EV05A",
"secretKey": "BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF"
},
"region": "us-east-1",
"logger": {
"file": {
"enable": false,
"fileName": "",
"level": "error"
},
"syslog": {
"enable": false,
"address": "",
"level": "debug"
},
"console": {
"enable": true,
"level": "fatal"
}
}
}
```
New command lines in lieu of supporting XL.
Minio initialize filesystem backend.
~~~
$ minio init fs <path>
~~~
Minio initialize XL backend.
~~~
$ minio init xl <url1>...<url16>
~~~
For 'fs' backend it starts the server.
~~~
$ minio server
~~~
For 'xl' backend it waits for servers to join.
~~~
$ minio server
... [PROGRESS BAR] of servers connecting
~~~
Now on other servers execute 'join' and they connect.
~~~
....
minio join <url1> -- from <url2> && minio server
minio join <url1> -- from <url3> && minio server
...
...
minio join <url1> -- from <url16> && minio server
~~~
9 years ago
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
// Limit fields size (except file) to 1Mib since Policy document
|
|
|
|
// can reach that size according to https://aws.amazon.com/articles/1434
|
|
|
|
maxFormFieldSize = int64(1 * humanize.MiByte)
|
|
|
|
|
|
|
|
// Limit memory allocation to store multipart data
|
|
|
|
maxFormMemory = int64(5 * humanize.MiByte)
|
|
|
|
|
|
|
|
// The maximum allowed time difference between the incoming request
|
|
|
|
// date and server date during signature verification.
|
|
|
|
globalMaxSkewTime = 15 * time.Minute // 15 minutes skew allowed.
|
|
|
|
|
|
|
|
// GlobalStaleUploadsExpiry - Expiry duration after which the uploads in multipart, tmp directory are deemed stale.
|
|
|
|
GlobalStaleUploadsExpiry = time.Hour * 24 // 24 hrs.
|
|
|
|
// GlobalStaleUploadsCleanupInterval - Cleanup interval when the stale uploads cleanup is initiated.
|
|
|
|
GlobalStaleUploadsCleanupInterval = time.Hour * 24 // 24 hrs.
|
|
|
|
|
|
|
|
// GlobalServiceExecutionInterval - Executes the Lifecycle events.
|
|
|
|
GlobalServiceExecutionInterval = time.Hour * 24 // 24 hrs.
|
|
|
|
|
|
|
|
// Refresh interval to update in-memory iam config cache.
|
|
|
|
globalRefreshIAMInterval = 5 * time.Minute
|
|
|
|
|
|
|
|
// Limit of location constraint XML for unauthenticted PUT bucket operations.
|
|
|
|
maxLocationConstraintSize = 3 * humanize.MiByte
|
|
|
|
|
|
|
|
// Maximum size of default bucket encryption configuration allowed
|
|
|
|
maxBucketSSEConfigSize = 1 * humanize.MiByte
|
|
|
|
|
|
|
|
// diskFillFraction is the fraction of a disk we allow to be filled.
|
|
|
|
diskFillFraction = 0.95
|
|
|
|
)
|
|
|
|
|
|
|
|
var globalCLIContext = struct {
|
|
|
|
JSON, Quiet bool
|
|
|
|
Anonymous bool
|
|
|
|
Addr string
|
|
|
|
StrictS3Compat bool
|
|
|
|
}{}
|
|
|
|
|
|
|
|
var (
|
|
|
|
// Indicates if the running minio server is distributed setup.
|
|
|
|
globalIsDistErasure = false
|
|
|
|
|
|
|
|
// Indicates if the running minio server is an erasure-code backend.
|
|
|
|
globalIsErasure = false
|
|
|
|
|
|
|
|
// Indicates if the running minio is in gateway mode.
|
|
|
|
globalIsGateway = false
|
|
|
|
|
|
|
|
// Name of gateway server, e.g S3, GCS, Azure, etc
|
|
|
|
globalGatewayName = ""
|
|
|
|
|
|
|
|
// This flag is set to 'true' by default
|
|
|
|
globalBrowserEnabled = true
|
|
|
|
|
|
|
|
// This flag is set to 'true' when MINIO_UPDATE env is set to 'off'. Default is false.
|
|
|
|
globalInplaceUpdateDisabled = false
|
|
|
|
|
|
|
|
// This flag is set to 'us-east-1' by default
|
|
|
|
globalServerRegion = globalMinioDefaultRegion
|
|
|
|
|
|
|
|
// MinIO local server address (in `host:port` format)
|
|
|
|
globalMinioAddr = ""
|
|
|
|
// MinIO default port, can be changed through command line.
|
|
|
|
globalMinioPort = GlobalMinioDefaultPort
|
|
|
|
// Holds the host that was passed using --address
|
|
|
|
globalMinioHost = ""
|
|
|
|
// Holds the possible host endpoint.
|
|
|
|
globalMinioEndpoint = ""
|
|
|
|
|
|
|
|
// globalConfigSys server config system.
|
|
|
|
globalConfigSys *ConfigSys
|
|
|
|
|
|
|
|
globalNotificationSys *NotificationSys
|
|
|
|
globalConfigTargetList *event.TargetList
|
|
|
|
// globalEnvTargetList has list of targets configured via env.
|
|
|
|
globalEnvTargetList *event.TargetList
|
|
|
|
|
|
|
|
globalBucketMetadataSys *BucketMetadataSys
|
|
|
|
globalBucketMonitor *bandwidth.Monitor
|
|
|
|
globalPolicySys *PolicySys
|
|
|
|
globalIAMSys *IAMSys
|
|
|
|
|
|
|
|
globalLifecycleSys *LifecycleSys
|
|
|
|
globalBucketSSEConfigSys *BucketSSEConfigSys
|
|
|
|
globalBucketTargetSys *BucketTargetSys
|
|
|
|
// globalAPIConfig controls S3 API requests throttling,
|
|
|
|
// healthcheck readiness deadlines and cors settings.
|
|
|
|
globalAPIConfig = apiConfig{listQuorum: 3}
|
|
|
|
|
|
|
|
globalStorageClass storageclass.Config
|
|
|
|
globalLDAPConfig xldap.Config
|
|
|
|
globalOpenIDConfig openid.Config
|
|
|
|
|
|
|
|
// CA root certificates, a nil value means system certs pool will be used
|
|
|
|
globalRootCAs *x509.CertPool
|
|
|
|
|
|
|
|
// IsSSL indicates if the server is configured with SSL.
|
|
|
|
globalIsSSL bool
|
|
|
|
|
certs: refactor cert manager to support multiple certificates (#10207)
This commit refactors the certificate management implementation
in the `certs` package such that multiple certificates can be
specified at the same time. Therefore, the following layout of
the `certs/` directory is expected:
```
certs/
│
├─ public.crt
├─ private.key
├─ CAs/ // CAs directory is ignored
│ │
│ ...
│
├─ example.com/
│ │
│ ├─ public.crt
│ └─ private.key
└─ foobar.org/
│
├─ public.crt
└─ private.key
...
```
However, directory names like `example.com` are just for human
readability/organization and don't have any meaning w.r.t whether
a particular certificate is served or not. This decision is made based
on the SNI sent by the client and the SAN of the certificate.
***
The `Manager` will pick a certificate based on the client trying
to establish a TLS connection. In particular, it looks at the client
hello (i.e. SNI) to determine which host the client tries to access.
If the manager can find a certificate that matches the SNI it
returns this certificate to the client.
However, the client may choose to not send an SNI or tries to access
a server directly via IP (`https://<ip>:<port>`). In this case, we
cannot use the SNI to determine which certificate to serve. However,
we also should not pick "the first" certificate that would be accepted
by the client (based on crypto. parameters - like a signature algorithm)
because it may be an internal certificate that contains internal hostnames.
We would disclose internal infrastructure details doing so.
Therefore, the `Manager` returns the "default" certificate when the
client does not specify an SNI. The default certificate the top-level
`public.crt` - i.e. `certs/public.crt`.
This approach has some consequences:
- It's the operator's responsibility to ensure that the top-level
`public.crt` does not disclose any information (i.e. hostnames)
that are not publicly visible. However, this was the case in the
past already.
- Any other `public.crt` - except for the top-level one - must not
contain any IP SAN. The reason for this restriction is that the
Manager cannot match a SNI to an IP b/c the SNI is the server host
name. The entire purpose of SNI is to indicate which host the client
tries to connect to when multiple hosts run on the same IP. So, a
client will not set the SNI to an IP.
If we would allow IP SANs in a lower-level `public.crt` a user would
expect that it is possible to connect to MinIO directly via IP address
and that the MinIO server would pick "the right" certificate. However,
the MinIO server cannot determine which certificate to serve, and
therefore always picks the "default" one. This may lead to all sorts
of confusing errors like:
"It works if I use `https:instance.minio.local` but not when I use
`https://10.0.2.1`.
These consequences/limitations should be pointed out / explained in our
docs in an appropriate way. However, the support for multiple
certificates should not have any impact on how deployment with a single
certificate function today.
Co-authored-by: Harshavardhana <harsha@minio.io>
4 years ago
|
|
|
globalTLSCerts *certs.Manager
|
|
|
|
|
|
|
|
globalHTTPServer *xhttp.Server
|
|
|
|
globalHTTPServerErrorCh = make(chan error)
|
|
|
|
globalOSSignalCh = make(chan os.Signal, 1)
|
|
|
|
|
|
|
|
// global Trace system to send HTTP request/response logs to
|
|
|
|
// registered listeners
|
|
|
|
globalHTTPTrace = pubsub.New()
|
|
|
|
|
|
|
|
// global Listen system to send S3 API events to registered listeners
|
|
|
|
globalHTTPListen = pubsub.New()
|
|
|
|
|
|
|
|
// global console system to send console logs to
|
|
|
|
// registered listeners
|
|
|
|
globalConsoleSys *HTTPConsoleLoggerSys
|
|
|
|
|
|
|
|
globalEndpoints EndpointServerPools
|
|
|
|
|
|
|
|
// Global server's network statistics
|
|
|
|
globalConnStats = newConnStats()
|
|
|
|
|
|
|
|
// Global HTTP request statisitics
|
|
|
|
globalHTTPStats = newHTTPStats()
|
|
|
|
|
|
|
|
// Time when the server is started
|
|
|
|
globalBootTime = UTCNow()
|
|
|
|
|
|
|
|
globalActiveCred auth.Credentials
|
|
|
|
|
|
|
|
// Hold the old server credentials passed by the environment
|
|
|
|
globalOldCred auth.Credentials
|
|
|
|
|
|
|
|
// Indicates if config is to be encrypted
|
|
|
|
globalConfigEncrypted bool
|
|
|
|
|
|
|
|
globalPublicCerts []*x509.Certificate
|
|
|
|
|
|
|
|
globalDomainNames []string // Root domains for virtual host style requests
|
|
|
|
globalDomainIPs set.StringSet // Root domain IP address(s) for a distributed MinIO deployment
|
|
|
|
|
|
|
|
globalOperationTimeout = newDynamicTimeout(10*time.Minute, 5*time.Minute) // default timeout for general ops
|
|
|
|
globalDeleteOperationTimeout = newDynamicTimeout(5*time.Minute, 1*time.Minute) // default time for delete ops
|
|
|
|
|
|
|
|
globalBucketObjectLockSys *BucketObjectLockSys
|
|
|
|
globalBucketQuotaSys *BucketQuotaSys
|
|
|
|
globalBucketVersioningSys *BucketVersioningSys
|
|
|
|
|
|
|
|
// Disk cache drives
|
|
|
|
globalCacheConfig cache.Config
|
|
|
|
|
|
|
|
// Initialized KMS configuration for disk cache
|
|
|
|
globalCacheKMS crypto.KMS
|
|
|
|
|
|
|
|
// Allocated etcd endpoint for config and bucket DNS.
|
|
|
|
globalEtcdClient *etcd.Client
|
|
|
|
|
|
|
|
// Is set to true when Bucket federation is requested
|
|
|
|
// and is 'true' when etcdConfig.PathPrefix is empty
|
|
|
|
globalBucketFederation bool
|
|
|
|
|
|
|
|
// Allocated DNS config wrapper over etcd client.
|
|
|
|
globalDNSConfig dns.Store
|
|
|
|
|
|
|
|
// GlobalKMS initialized KMS configuration
|
|
|
|
GlobalKMS crypto.KMS
|
|
|
|
|
|
|
|
// Auto-Encryption, if enabled, turns any non-SSE-C request
|
|
|
|
// into an SSE-S3 request. If enabled a valid, non-empty KMS
|
|
|
|
// configuration must be present.
|
|
|
|
globalAutoEncryption bool
|
|
|
|
|
|
|
|
// Is compression enabled?
|
|
|
|
globalCompressConfigMu sync.Mutex
|
|
|
|
globalCompressConfig compress.Config
|
|
|
|
|
|
|
|
// Some standard object extensions which we strictly dis-allow for compression.
|
|
|
|
standardExcludeCompressExtensions = []string{".gz", ".bz2", ".rar", ".zip", ".7z", ".xz", ".mp4", ".mkv", ".mov"}
|
|
|
|
|
|
|
|
// Some standard content-types which we strictly dis-allow for compression.
|
|
|
|
standardExcludeCompressContentTypes = []string{"video/*", "audio/*", "application/zip", "application/x-gzip", "application/x-zip-compressed", " application/x-compress", "application/x-spoon"}
|
|
|
|
|
|
|
|
// Authorization validators list.
|
|
|
|
globalOpenIDValidators *openid.Validators
|
|
|
|
|
|
|
|
// OPA policy system.
|
|
|
|
globalPolicyOPA *opa.Opa
|
|
|
|
|
|
|
|
// Deployment ID - unique per deployment
|
|
|
|
globalDeploymentID string
|
|
|
|
|
|
|
|
// GlobalGatewaySSE sse options
|
|
|
|
GlobalGatewaySSE gatewaySSE
|
|
|
|
|
|
|
|
globalAllHealState *allHealState
|
|
|
|
|
|
|
|
// The always present healing routine ready to heal objects
|
|
|
|
globalBackgroundHealRoutine *healRoutine
|
|
|
|
globalBackgroundHealState *allHealState
|
|
|
|
|
|
|
|
// If writes to FS backend should be O_SYNC.
|
|
|
|
globalFSOSync bool
|
|
|
|
|
|
|
|
globalProxyEndpoints []ProxyEndpoint
|
|
|
|
|
|
|
|
globalInternodeTransport http.RoundTripper
|
|
|
|
|
|
|
|
globalDNSCache *xhttp.DNSCache
|
|
|
|
// Add new variable global values here.
|
|
|
|
)
|
|
|
|
|
|
|
|
// Returns minio global information, as a key value map.
|
|
|
|
// returned list of global values is not an exhaustive
|
|
|
|
// list. Feel free to add new relevant fields.
|
|
|
|
func getGlobalInfo() (globalInfo map[string]interface{}) {
|
|
|
|
globalInfo = map[string]interface{}{
|
|
|
|
"serverRegion": globalServerRegion,
|
|
|
|
"domains": globalDomainNames,
|
|
|
|
// Add more relevant global settings here.
|
|
|
|
}
|
|
|
|
|
|
|
|
return globalInfo
|
|
|
|
}
|