rustfs/docker-compose-simple.yml
cxymds 316540aaf8 fix(docker): align TLS compose healthchecks (#3246)
* fix(docker): align TLS compose healthchecks

* fix(docker): keep simple compose TLS opt-in
2026-06-07 01:27:03 +00:00


# Copyright 2024 RustFS Team
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
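services:
  # RustFS main service: S3 API on 9000, web console on 9001.
  rustfs:
    # `latest` is a moving tag. Pin a release tag or an image digest for
    # reproducible, reviewable deployments.
    image: rustfs/rustfs:latest
    container_name: rustfs-server
    security_opt:
      - "no-new-privileges:true"
    # Both ports are published on every host interface. For local-only use,
    # bind them to loopback instead, e.g. "127.0.0.1:9000:9000".
    ports:
      - "9000:9000"  # S3 API port
      - "9001:9001"  # Console port
    environment:
      - RUSTFS_VOLUMES=/data/rustfs{0...3}
      - RUSTFS_ADDRESS=0.0.0.0:9000
      - RUSTFS_CONSOLE_ADDRESS=0.0.0.0:9001
      - RUSTFS_CONSOLE_ENABLE=true
      # Wildcard CORS lets any web origin call the console API. The default is
      # unchanged, but it can now be narrowed from the host environment or .env
      # (value format per the RustFS documentation).
      - RUSTFS_CONSOLE_CORS_ALLOWED_ORIGINS=${RUSTFS_CONSOLE_CORS_ALLOWED_ORIGINS:-*}
      # The fallback credentials below are publicly known sample values.
      # Override both from the host environment or .env before the ports are
      # reachable by anyone else.
      - RUSTFS_ACCESS_KEY=${RUSTFS_ACCESS_KEY:-rustfsadmin}  # CHANGEME
      - RUSTFS_SECRET_KEY=${RUSTFS_SECRET_KEY:-rustfsadmin}  # CHANGEME
      - RUSTFS_OBS_LOGGER_LEVEL=info
      # Optional TLS:
      # - mount your cert directory to /opt/tls
      # - set RUSTFS_TLS_PATH=/opt/tls
      # - when TLS is enabled, health checks automatically switch to HTTPS
      # Keep strict disk topology checks enabled by default.
      # For local testing only, set `RUSTFS_UNSAFE_BYPASS_DISK_CHECK=true` explicitly.
      - RUSTFS_UNSAFE_BYPASS_DISK_CHECK=${RUSTFS_UNSAFE_BYPASS_DISK_CHECK:-false}
    volumes:
      - rustfs_data_0:/data/rustfs0
      - rustfs_data_1:/data/rustfs1
      - rustfs_data_2:/data/rustfs2
      - rustfs_data_3:/data/rustfs3
      - logs:/app/logs
    networks:
      - rustfs-network
    # NOTE(review): nothing orders this service after volume-permission-helper.
    # If the chown must finish first, consider `depends_on` with
    # `condition: service_completed_successfully`.
    restart: unless-stopped
    healthcheck:
      # Default behavior:
      # - HTTP when RUSTFS_TLS_PATH is unset
      # - HTTPS when RUSTFS_TLS_PATH is set
      # - loopback TLS uses `-k` unless strict host+CA values are provided
      #
      # Strict TLS example:
      # - set RUSTFS_HEALTHCHECK_HOST to a SAN-covered hostname
      # - optionally set RUSTFS_HEALTHCHECK_CA (defaults to /opt/tls/ca.crt when present)
      #
      # Caveat: certificate verification (--cacert plus --resolve pinning to
      # 127.0.0.1) is used only when the host is non-loopback AND a CA path is
      # found. A non-loopback host with no CA falls back to `-k` with no
      # --resolve, so the probe goes to whatever that name resolves to,
      # unverified. Set both values together.
      #
      # `$$` escapes Compose interpolation so the container shell expands the
      # variables. Each trailing backslash joins the script into one line.
      test:
        [
          "CMD",
          "sh", "-ec",
          "host=\"$${RUSTFS_HEALTHCHECK_HOST:-127.0.0.1}\"; scheme=\"http\"; set -- -fsS; \
          if [ -n \"$${RUSTFS_TLS_PATH:-}\" ]; then \
            scheme=\"https\"; \
            ca_path=\"$${RUSTFS_HEALTHCHECK_CA:-}\"; \
            if [ -z \"$${ca_path}\" ] && [ -f /opt/tls/ca.crt ]; then ca_path=/opt/tls/ca.crt; fi; \
            case \"$${host}\" in 127.0.0.1|localhost) strict_host=false ;; *) strict_host=true ;; esac; \
            if [ \"$${strict_host}\" = true ] && [ -n \"$${ca_path}\" ]; then \
              set -- \"$${@}\" --cacert \"$${ca_path}\" --resolve \"$${host}:9000:127.0.0.1\" --resolve \"$${host}:9001:127.0.0.1\"; \
            else \
              set -- \"$${@}\" -k; \
            fi; \
          fi; \
          curl \"$${@}\" \"$${scheme}://$${host}:9000/health\" && \
          curl \"$${@}\" \"$${scheme}://$${host}:9001/rustfs/console/health\""
        ]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s
  # RustFS volume permissions fixer service: a one-shot container that chowns
  # the shared volumes to 10001:10001 and exits.
  volume-permission-helper:
    # Untagged image resolves to `alpine:latest`. Pin a tag or digest, since
    # this container runs chown over every data volume.
    image: alpine
    # Matches the main service. chown here needs no privilege escalation.
    security_opt:
      - "no-new-privileges:true"
    volumes:
      - rustfs_data_0:/data0
      - rustfs_data_1:/data1
      - rustfs_data_2:/data2
      - rustfs_data_3:/data3
      - logs:/logs
    command: >
      sh -c "
        chown -R 10001:10001 /data0 /data1 /data2 /data3 /logs &&
        echo 'Volume Permissions fixed' &&
        exit 0
      "
    # Permission baseline:
    # - default RustFS runtime user is 10001:10001
    # - alternatively, run rustfs service with host-matched `user: "<uid>:<gid>"`
    restart: "no"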
# Network the rustfs service attaches to. No options are set, so Compose
# creates it with its defaults.
networks:
  rustfs-network: {}

# Named volumes with default settings. rustfs_data_0..3 back /data/rustfs0..3
# in the rustfs service, and `logs` backs /app/logs. The permission helper
# mounts the same volumes to chown them.
volumes:
  rustfs_data_0: {}
  rustfs_data_1: {}
  rustfs_data_2: {}
  rustfs_data_3: {}
  logs: {}