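# Copyright 2024 RustFS Team
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Compose stack: one RustFS server container backed by four named data volumes
# and a log volume, plus a one-shot helper that chowns those volumes.
#
# Values written as ${NAME:-default} are resolved by Compose from the host
# environment or an .env file; the default after `:-` applies when unset.

services:
  # RustFS main service
  rustfs:
    # `latest` is a floating tag: what runs changes whenever the tag moves.
    # Pin a release tag or an image digest for reproducible deployments.
    image: rustfs/rustfs:latest
    container_name: rustfs-server
    security_opt:
      # Blocks privilege gain through setuid/setgid binaries in the container.
      - "no-new-privileges:true"
    ports:
      # With no host IP given, both ports are published on every host
      # interface. Prefix with an address (e.g. "127.0.0.1:9000:9000") to
      # keep them local, or front them with a TLS-terminating proxy.
      - "9000:9000"  # S3 API port
      - "9001:9001"  # Console port
    environment:
      - RUSTFS_VOLUMES=/data/rustfs{0...3}
      - RUSTFS_ADDRESS=0.0.0.0:9000
      - RUSTFS_CONSOLE_ADDRESS=0.0.0.0:9001
      - RUSTFS_CONSOLE_ENABLE=true
      # `*` accepts console requests from any origin. Set
      # RUSTFS_CONSOLE_CORS_ALLOWED_ORIGINS to the real console origin(s)
      # outside local testing.
      - RUSTFS_CONSOLE_CORS_ALLOWED_ORIGINS=${RUSTFS_CONSOLE_CORS_ALLOWED_ORIGINS:-*}
      # The fallback credentials below are published in this file, so anyone
      # who can reach port 9000/9001 can use them. Supply RUSTFS_ACCESS_KEY and
      # RUSTFS_SECRET_KEY from the environment or an untracked .env file
      # instead of editing this file.
      - RUSTFS_ACCESS_KEY=${RUSTFS_ACCESS_KEY:-rustfsadmin}  # CHANGEME
      - RUSTFS_SECRET_KEY=${RUSTFS_SECRET_KEY:-rustfsadmin}  # CHANGEME
      - RUSTFS_OBS_LOGGER_LEVEL=info
      # Optional TLS:
      # - mount your cert directory to /opt/tls
      # - set RUSTFS_TLS_PATH=/opt/tls
      # - when TLS is enabled, health checks automatically switch to HTTPS
      # Without RUSTFS_TLS_PATH the health check below uses plain HTTP, which
      # indicates the S3 API and console are served unencrypted by default.

      # Keep strict disk topology checks enabled by default.
      # For local testing only, set `RUSTFS_UNSAFE_BYPASS_DISK_CHECK=true` explicitly.
      - RUSTFS_UNSAFE_BYPASS_DISK_CHECK=${RUSTFS_UNSAFE_BYPASS_DISK_CHECK:-false}
    volumes:
      - rustfs_data_0:/data/rustfs0
      - rustfs_data_1:/data/rustfs1
      - rustfs_data_2:/data/rustfs2
      - rustfs_data_3:/data/rustfs3
      - logs:/app/logs
    networks:
      - rustfs-network
    restart: unless-stopped
    healthcheck:
      # Default behavior:
      # - HTTP when RUSTFS_TLS_PATH is unset
      # - HTTPS when RUSTFS_TLS_PATH is set
      # - loopback TLS uses `-k` unless strict host+CA values are provided
      #
      # Strict TLS example:
      # - set RUSTFS_HEALTHCHECK_HOST to a SAN-covered hostname
      # - optionally set RUSTFS_HEALTHCHECK_CA (defaults to /opt/tls/ca.crt when present)
      #
      # Verification detail:
      # - `--cacert` and the `--resolve` pins to 127.0.0.1 are added only when
      #   the host is not 127.0.0.1/localhost AND a CA path is set (or
      #   /opt/tls/ca.crt exists).
      # - Every other TLS case runs curl with `-k`, so the certificate is not
      #   validated. That includes a custom host with no CA available; in that
      #   case no `--resolve` pin is added either, so the probe goes wherever
      #   that name resolves inside the container.
      # - `$$` is Compose's escape for a literal `$`: these variables are
      #   expanded by the shell in the container, not by Compose.
      test:
        [
          "CMD",
          "sh",
          "-ec",
          "host=\"$${RUSTFS_HEALTHCHECK_HOST:-127.0.0.1}\"; scheme=\"http\"; set -- -fsS; \
          if [ -n \"$${RUSTFS_TLS_PATH:-}\" ]; then \
          scheme=\"https\"; \
          ca_path=\"$${RUSTFS_HEALTHCHECK_CA:-}\"; \
          if [ -z \"$${ca_path}\" ] && [ -f /opt/tls/ca.crt ]; then ca_path=/opt/tls/ca.crt; fi; \
          case \"$${host}\" in 127.0.0.1|localhost) strict_host=false ;; *) strict_host=true ;; esac; \
          if [ \"$${strict_host}\" = true ] && [ -n \"$${ca_path}\" ]; then \
          set -- \"$${@}\" --cacert \"$${ca_path}\" --resolve \"$${host}:9000:127.0.0.1\" --resolve \"$${host}:9001:127.0.0.1\"; \
          else \
          set -- \"$${@}\" -k; \
          fi; \
          fi; \
          curl \"$${@}\" \"$${scheme}://$${host}:9000/health\" && \
          curl \"$${@}\" \"$${scheme}://$${host}:9001/rustfs/console/health\""
        ]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

  # RustFS volume permissions fixer service
  # One-shot container: chowns the shared volumes to 10001:10001 and exits.
  # NOTE(review): the rustfs service declares no `depends_on` for this helper,
  # so this file does not enforce that the chown finishes before rustfs starts.
  volume-permission-helper:
    # Untagged image reference resolves to the floating `latest` tag; pin a
    # tag or digest, since this container needs write access to every volume.
    image: alpine
    volumes:
      - rustfs_data_0:/data0
      - rustfs_data_1:/data1
      - rustfs_data_2:/data2
      - rustfs_data_3:/data3
      - logs:/logs
    command: >
      sh -c "
      chown -R 10001:10001 /data0 /data1 /data2 /data3 /logs &&
      echo 'Volume Permissions fixed' &&
      exit 0
      "
    # Permission baseline:
    # - default RustFS runtime user is 10001:10001
    # - alternatively, run rustfs service with host-matched `user: "<uid>:<gid>"`
    # Quoted so YAML keeps the string "no" rather than reading a boolean.
    restart: "no"

networks:
  rustfs-network:

volumes:
  rustfs_data_0:
  rustfs_data_1:
  rustfs_data_2:
  rustfs_data_3:
  logs: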