maxmustermann/minio
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
minio/cmd/common-main.go

714 lines
23 KiB
Go
Raw Normal View History

update license change for MinIO Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-18 21:41:13 +02:00
// Copyright (c) 2015-2021 MinIO, Inc.
//
// This file is part of MinIO Object Storage stack
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
package cmd
import (
avoid double CORS headers in federation (#11334) CORS proxying adds double headers one by the receiving server, one by proxied server. Remove them before proxying when 'Origin' header is found.
2021-01-24 03:27:23 +01:00
"context"
kms: encrypt IAM/config data with the KMS (#12041) This commit changes the config/IAM encryption process. Instead of encrypting config data (users, policies etc.) with the root credentials MinIO now encrypts this data with a KMS - if configured. Therefore, this PR moves the MinIO-KMS configuration (via env. variables) to a "top-level" configuration. The KMS configuration cannot be stored in the config file since it is used to decrypt the config file in the first place. As a consequence, this commit also removes support for Hashicorp Vault - which has been deprecated anyway. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-04-22 17:45:30 +02:00
"crypto/tls"
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
"crypto/x509"
Fix an issue where MinIO was logging every error twice (#8953) The logging subsystem was initialized under init() method in both gateway-main.go and server-main.go which are part of same package. This created two logging targets and hence errors were logged twice. This PR moves the init() method to common-main.go
2020-02-07 09:18:07 +01:00
"encoding/gob"
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
"errors"
certs: refactor cert manager to support multiple certificates (#10207) This commit refactors the certificate management implementation in the `certs` package such that multiple certificates can be specified at the same time. Therefore, the following layout of the `certs/` directory is expected: ``` certs/ │ ├─ public.crt ├─ private.key ├─ CAs/ // CAs directory is ignored │ │ │ ... │ ├─ example.com/ │ │ │ ├─ public.crt │ └─ private.key └─ foobar.org/ │ ├─ public.crt └─ private.key ... ``` However, directory names like `example.com` are just for human readability/organization and don't have any meaning w.r.t whether a particular certificate is served or not. This decision is made based on the SNI sent by the client and the SAN of the certificate. *** The `Manager` will pick a certificate based on the client trying to establish a TLS connection. In particular, it looks at the client hello (i.e. SNI) to determine which host the client tries to access. If the manager can find a certificate that matches the SNI it returns this certificate to the client. However, the client may choose to not send an SNI or tries to access a server directly via IP (`https://<ip>:<port>`). In this case, we cannot use the SNI to determine which certificate to serve. However, we also should not pick "the first" certificate that would be accepted by the client (based on crypto. parameters - like a signature algorithm) because it may be an internal certificate that contains internal hostnames. We would disclose internal infrastructure details doing so. Therefore, the `Manager` returns the "default" certificate when the client does not specify an SNI. The default certificate the top-level `public.crt` - i.e. `certs/public.crt`. This approach has some consequences: - It's the operator's responsibility to ensure that the top-level `public.crt` does not disclose any information (i.e. hostnames) that are not publicly visible. However, this was the case in the past already. - Any other `public.crt` - except for the top-level one - must not contain any IP SAN. The reason for this restriction is that the Manager cannot match a SNI to an IP b/c the SNI is the server host name. The entire purpose of SNI is to indicate which host the client tries to connect to when multiple hosts run on the same IP. So, a client will not set the SNI to an IP. If we would allow IP SANs in a lower-level `public.crt` a user would expect that it is possible to connect to MinIO directly via IP address and that the MinIO server would pick "the right" certificate. However, the MinIO server cannot determine which certificate to serve, and therefore always picks the "default" one. This may lead to all sorts of confusing errors like: "It works if I use `https:instance.minio.local` but not when I use `https://10.0.2.1`. These consequences/limitations should be pointed out / explained in our docs in an appropriate way. However, the support for multiple certificates should not have any impact on how deployment with a single certificate function today. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
"fmt"
fix: s3 gateway DNS cache initialization (#10706) fixes #10705
2020-10-19 10:34:23 +02:00
"math/rand"
Bring etcd support for bucket DNS federation - Supports centralized `config.json` - Supports centralized `bucket` service records for client lookups - implement a new proxy forwarder
2018-02-03 03:18:52 +01:00
"net"
tiering: add aws role support for s3 (#12424) Signed-off-by: Poorna Krishnamoorthy <poorna@minio.io>
2021-06-04 21:47:00 +02:00
"net/http"
refactor server update behavior (#10107)
2020-07-23 17:03:31 +02:00
"net/url"
Add service account type in IAM (#9029)
2020-03-17 18:36:13 +01:00
"os"
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
"path/filepath"
refactor server update behavior (#10107)
2020-07-23 17:03:31 +02:00
"runtime"
fix: allow updated domain names in federation (#11365) additionally also disallow overlapping domain names
2021-01-28 20:44:48 +01:00
"sort"
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
"strconv"
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
"strings"
"time"
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
fcolor "github.com/fatih/color"
"github.com/go-openapi/loads"
Deprecate domain, browser as config entries (#6498)
2018-09-20 23:56:32 +02:00
dns2 "github.com/miekg/dns"
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
"github.com/minio/cli"
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
consoleCerts "github.com/minio/console/pkg/certs"
"github.com/minio/console/restapi"
"github.com/minio/console/restapi/operations"
check that we can reach KES server and that the default key exists (#12291) This commit adds a check to the MinIO server setup that verifies that MinIO can reach KES, if configured, and that the default key exists. If the default key does not exist it will create it automatically. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-13 20:13:31 +02:00
"github.com/minio/kes"
allow multipart uploads for single part multipart (#12821) its possible that some multipart uploads would have uploaded only single parts so relying on `len(o.Parts)` alone is not sufficient, we need to look for ETag pattern to be absolutely sure.
2021-07-29 07:11:55 +02:00
"github.com/minio/minio-go/v7"
tiering: add aws role support for s3 (#12424) Signed-off-by: Poorna Krishnamoorthy <poorna@minio.io>
2021-06-04 21:47:00 +02:00
"github.com/minio/minio-go/v7/pkg/credentials"
Move dependency from minio-go v6 to v7 (#10042)
2020-07-14 18:38:05 +02:00
"github.com/minio/minio-go/v7/pkg/set"
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
2021-06-01 23:59:40 +02:00
"github.com/minio/minio/internal/auth"
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
"github.com/minio/minio/internal/color"
rename all remaining packages to internal/ (#12418) This is to ensure that there are no projects that try to import `minio/minio/pkg` into their own repo. Any such common packages should go to `https://github.com/minio/pkg`
2021-06-01 23:59:40 +02:00
"github.com/minio/minio/internal/config"
"github.com/minio/minio/internal/handlers"
"github.com/minio/minio/internal/kms"
"github.com/minio/minio/internal/logger"
move the dependency to minio/pkg for common libraries (#12397)
2021-05-29 00:17:01 +02:00
"github.com/minio/pkg/certs"
"github.com/minio/pkg/console"
"github.com/minio/pkg/ellipses"
"github.com/minio/pkg/env"
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
xnet "github.com/minio/pkg/net"
update and use rs/dnscache implementation instead of custom (#13348) additionally optimize for IP only setups, avoid doing unnecessary lookups if the Dial addr is an IP. allow support for multiple listeners on same socket, this is mainly meant for future purposes.
2021-10-05 19:13:04 +02:00
"github.com/rs/dnscache"
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
)
add _MINIO_SERVER_DEBUG env for enabling debug messages (#11128)
2020-12-18 01:52:47 +01:00
// serverDebugLog will enable debug printing
var serverDebugLog = env.Get("_MINIO_SERVER_DEBUG", config.EnableOff) == config.EnableOn
tiering: add aws role support for s3 (#12424) Signed-off-by: Poorna Krishnamoorthy <poorna@minio.io>
2021-06-04 21:47:00 +02:00
var defaultAWSCredProvider []credentials.Provider
add _MINIO_SERVER_DEBUG env for enabling debug messages (#11128)
2020-12-18 01:52:47 +01:00
Fix an issue where MinIO was logging every error twice (#8953) The logging subsystem was initialized under init() method in both gateway-main.go and server-main.go which are part of same package. This created two logging targets and hence errors were logged twice. This PR moves the init() method to common-main.go
2020-02-07 09:18:07 +01:00
func init() {
fix: rename crawler as scanner in config (#11549)
2021-02-17 21:04:11 +01:00
rand.Seed(time.Now().UTC().UnixNano())
Fix an issue where MinIO was logging every error twice (#8953) The logging subsystem was initialized under init() method in both gateway-main.go and server-main.go which are part of same package. This created two logging targets and hence errors were logged twice. This PR moves the init() method to common-main.go
2020-02-07 09:18:07 +01:00
logger.Init(GOPATH, GOROOT)
logger.RegisterError(config.FmtError)
fix: heal bucket metadata right before healing bucket (#11097) optimization mainly to avoid listing the entire `.minio.sys/buckets/.minio.sys` directory, this can get really huge and comes in the way of startup routines, contents inside `.minio.sys/buckets/.minio.sys` are rather transient and not necessary to be healed.
2020-12-13 20:57:08 +01:00
initGlobalContext()
update and use rs/dnscache implementation instead of custom (#13348) additionally optimize for IP only setups, avoid doing unnecessary lookups if the Dial addr is an IP. allow support for multiple listeners on same socket, this is mainly meant for future purposes.
2021-10-05 19:13:04 +02:00
options := dnscache.ResolverRefreshOptions{
ClearUnused: true,
PersistOnFailure: false,
}
// Call to refresh will refresh names in cache. If you pass true, it will also
// remove cached names not looked up since the last call to Refresh. It is a good idea
// to call this method on a regular interval.
go func() {
var t *time.Ticker
if IsKubernetes() || IsDocker() || IsBOSH() || IsDCOS() || IsPCFTile() {
t = time.NewTicker(1 * time.Minute)
} else {
t = time.NewTicker(10 * time.Minute)
}
defer t.Stop()
for {
select {
case <-t.C:
globalDNSCache.RefreshWithOptions(options)
case <-GlobalContext.Done():
return
}
}
}()
initialize forwarder after init() to avoid crashes (#11330) DNSCache dialer is a global value initialized in init(), whereas `go` keeps `var =` before `init()` , also we don't need to keep proxy routers as global entities - register the forwarder as necessary to avoid crashes.
2021-01-23 00:37:41 +01:00
globalForwarder = handlers.NewForwarder(&handlers.Forwarder{
PassHost: true,
RoundTripper: newGatewayHTTPTransport(1 * time.Hour),
Logger: func(err error) {
avoid double CORS headers in federation (#11334) CORS proxying adds double headers one by the receiving server, one by proxied server. Remove them before proxying when 'Origin' header is found.
2021-01-24 03:27:23 +01:00
if err != nil && !errors.Is(err, context.Canceled) {
logger.LogIf(GlobalContext, err)
}
initialize forwarder after init() to avoid crashes (#11330) DNSCache dialer is a global value initialized in init(), whereas `go` keeps `var =` before `init()` , also we don't need to keep proxy routers as global entities - register the forwarder as necessary to avoid crashes.
2021-01-23 00:37:41 +01:00
},
})
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
console.SetColor("Debug", fcolor.New())
add _MINIO_SERVER_DEBUG env for enabling debug messages (#11128)
2020-12-18 01:52:47 +01:00
Fix an issue where MinIO was logging every error twice (#8953) The logging subsystem was initialized under init() method in both gateway-main.go and server-main.go which are part of same package. This created two logging targets and hence errors were logged twice. This PR moves the init() method to common-main.go
2020-02-07 09:18:07 +01:00
gob.Register(StorageErr(""))
tiering: add aws role support for s3 (#12424) Signed-off-by: Poorna Krishnamoorthy <poorna@minio.io>
2021-06-04 21:47:00 +02:00
defaultAWSCredProvider = []credentials.Provider{
&credentials.IAM{
Client: &http.Client{
Transport: NewGatewayHTTPTransport(),
},
},
}
Increase context timeout for bandwidth throttled reader (#12820) increase default timeout up to one hour for toy setups. fixes #12812
2021-07-29 00:20:01 +02:00
allow multipart uploads for single part multipart (#12821) its possible that some multipart uploads would have uploaded only single parts so relying on `len(o.Parts)` alone is not sufficient, we need to look for ETag pattern to be absolutely sure.
2021-07-29 07:11:55 +02:00
// All minio-go API operations shall be performed only once,
// another way to look at this is we are turning off retries.
minio.MaxRetry = 1
Fix an issue where MinIO was logging every error twice (#8953) The logging subsystem was initialized under init() method in both gateway-main.go and server-main.go which are part of same package. This created two logging targets and hence errors were logged twice. This PR moves the init() method to common-main.go
2020-02-07 09:18:07 +01:00
}
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
const consolePrefix = "CONSOLE_"
func minioConfigToConsoleFeatures() {
add support for customizing redirect_uri for IDP (#12607)
2021-07-01 01:08:20 +02:00
os.Setenv("CONSOLE_PBKDF_SALT", globalDeploymentID)
fix: set the correct IDP salt/passphrase
2021-07-01 01:45:52 +02:00
os.Setenv("CONSOLE_PBKDF_PASSPHRASE", globalDeploymentID)
fix: simplify APIEndpoints() usage (#12893) improvements include - skip IPv6 correctly - do not set default value for MINIO_SERVER_URL, let it be configured if not use local IPs Bonus: - In healing return error from listPathRaw() - update console to v0.8.3
2021-08-06 00:01:19 +02:00
if globalMinioEndpoint != "" {
os.Setenv("CONSOLE_MINIO_SERVER", globalMinioEndpoint)
} else {
os.Setenv("CONSOLE_MINIO_SERVER", getAPIEndpoints()[0])
use expected MinIO URLs for console (#12770) when TLS is configured using IPs directly might interfere and not work properly when the server is configured with TLS certs but the certs only have domain certs. Also additionally allow users to specify a public accessible URL for console to talk to MinIO i.e `MINIO_SERVER_URL` this would allow them to use an external ingress domain to talk to MinIO. This internally fixes few problems such as presigned URL generation on the console UI etc. This needs to be done additionally for any MinIO deployments that might have a much more stricter requirement when running in standalone mode such as FS or standalone erasure code.
2021-07-21 23:51:16 +02:00
}
add support for customizing redirect_uri for IDP (#12607)
2021-07-01 01:08:20 +02:00
if value := env.Get("MINIO_LOG_QUERY_URL", ""); value != "" {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
os.Setenv("CONSOLE_LOG_QUERY_URL", value)
fix: handle redirects for specific resources (#12629)
2021-07-07 21:04:16 +02:00
if value := env.Get("MINIO_LOG_QUERY_AUTH_TOKEN", ""); value != "" {
os.Setenv("CONSOLE_LOG_QUERY_AUTH_TOKEN", value)
}
fix: --console-address when specified endpoints missing (#12534) Additionally upgrade console dependency for reading environment variables properly.
2021-06-21 08:04:47 +02:00
}
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
// Enable if prometheus URL is set.
add support for customizing redirect_uri for IDP (#12607)
2021-07-01 01:08:20 +02:00
if value := env.Get("MINIO_PROMETHEUS_URL", ""); value != "" {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
os.Setenv("CONSOLE_PROMETHEUS_URL", value)
fix: handle redirects for specific resources (#12629)
2021-07-07 21:04:16 +02:00
if value := env.Get("MINIO_PROMETHEUS_JOB_ID", "minio-job"); value != "" {
os.Setenv("CONSOLE_PROMETHEUS_JOB_ID", value)
}
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
}
// Enable if LDAP is enabled.
if globalLDAPConfig.Enabled {
os.Setenv("CONSOLE_LDAP_ENABLED", config.EnableOn)
}
// if IDP is enabled, set IDP environment variables
if globalOpenIDConfig.URL != nil {
fix: OpenID URL changed in console, adapt to new URL
2021-09-28 04:51:24 +02:00
os.Setenv("CONSOLE_IDP_URL", globalOpenIDConfig.URL.String())
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
os.Setenv("CONSOLE_IDP_CLIENT_ID", globalOpenIDConfig.ClientID)
os.Setenv("CONSOLE_IDP_SECRET", globalOpenIDConfig.ClientSecret)
fix: set the correct IDP salt/passphrase
2021-07-01 01:45:52 +02:00
os.Setenv("CONSOLE_IDP_HMAC_SALT", globalDeploymentID)
os.Setenv("CONSOLE_IDP_HMAC_PASSPHRASE", globalOpenIDConfig.ClientID)
os.Setenv("CONSOLE_IDP_SCOPES", strings.Join(globalOpenIDConfig.DiscoveryDoc.ScopesSupported, ","))
support Console UI with userInfo claims for OpenID
2021-09-15 02:09:12 +02:00
if globalOpenIDConfig.ClaimUserinfo {
os.Setenv("CONSOLE_IDP_USERINFO", "on")
}
fix: set the correct IDP salt/passphrase
2021-07-01 01:45:52 +02:00
if globalOpenIDConfig.RedirectURI != "" {
os.Setenv("CONSOLE_IDP_CALLBACK", globalOpenIDConfig.RedirectURI)
} else {
os.Setenv("CONSOLE_IDP_CALLBACK", getConsoleEndpoints()[0]+"/oauth_callback")
}
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
}
os.Setenv("CONSOLE_MINIO_REGION", globalServerRegion)
add support for customizing redirect_uri for IDP (#12607)
2021-07-01 01:08:20 +02:00
os.Setenv("CONSOLE_CERT_PASSWD", env.Get("MINIO_CERT_PASSWD", ""))
Add config to store subnet license (#13194) Command to set subnet license: `mc admin config set {alias} subnet license={token}` Signed-off-by: Shireesh Anjal <shireesh@minio.io> Co-authored-by: Harshavardhana <harsha@minio.io>
2021-09-15 06:54:25 +02:00
if globalSubnetConfig.License != "" {
os.Setenv("CONSOLE_SUBNET_LICENSE", globalSubnetConfig.License)
add support to set subnet license for embedded console (#12993)
2021-08-17 20:56:01 +02:00
}
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
}
func initConsoleServer() (*restapi.Server, error) {
// unset all console_ environment variables.
for _, cenv := range env.List(consolePrefix) {
os.Unsetenv(cenv)
}
// enable all console environment variables
minioConfigToConsoleFeatures()
// set certs dir to minio directory
consoleCerts.GlobalCertsDir = &consoleCerts.ConfigDir{
Path: globalCertsDir.Get(),
}
consoleCerts.GlobalCertsCADir = &consoleCerts.ConfigDir{
Path: globalCertsCADir.Get(),
}
swaggerSpec, err := loads.Embedded(restapi.SwaggerJSON, restapi.FlatSwaggerJSON)
if err != nil {
return nil, err
}
Enable console logging when server debug is enabled (#13259) _MINIO_SERVER_DEBUG will enable console logging.
2021-09-21 18:01:29 +02:00
api := operations.NewConsoleAPI(swaggerSpec)
stop all console logging
2021-07-30 08:05:57 +02:00
Enable console logging when server debug is enabled (#13259) _MINIO_SERVER_DEBUG will enable console logging.
2021-09-21 18:01:29 +02:00
if !serverDebugLog {
// Disable console logging if server debug log is not enabled
noLog := func(string, ...interface{}) {}
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
Enable console logging when server debug is enabled (#13259) _MINIO_SERVER_DEBUG will enable console logging.
2021-09-21 18:01:29 +02:00
restapi.LogInfo = noLog
restapi.LogError = noLog
api.Logger = noLog
}
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
server := restapi.NewServer(api)
// register all APIs
server.ConfigureAPI()
restapi.GlobalRootCAs, restapi.GlobalPublicCerts, restapi.GlobalTLSCertsManager = globalRootCAs, globalPublicCerts, globalTLSCerts
consolePort, _ := strconv.Atoi(globalMinioConsolePort)
server.Host = globalMinioConsoleHost
server.Port = consolePort
restapi.Port = globalMinioConsolePort
restapi.Hostname = globalMinioConsoleHost
if globalIsTLS {
// If TLS certificates are provided enforce the HTTPS.
server.EnabledListeners = []string{"https"}
server.TLSPort = consolePort
// Need to store tls-port, tls-host un config variables so secure.middleware can read from there
restapi.TLSPort = globalMinioConsolePort
restapi.Hostname = globalMinioConsoleHost
}
return server, nil
}
Add common validation for compression and encryption (#7978)
2019-07-26 11:41:16 +02:00
func verifyObjectLayerFeatures(name string, objAPI ObjectLayer) {
if strings.HasPrefix(name, "gateway") {
if GlobalGatewaySSE.IsSet() && GlobalKMS == nil {
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 19:35:33 +02:00
uiErr := config.ErrInvalidGWSSEEnvValue(nil).Msg("MINIO_GATEWAY_SSE set but KMS is not configured")
Add common validation for compression and encryption (#7978)
2019-07-26 11:41:16 +02:00
logger.Fatal(uiErr, "Unable to start gateway with SSE")
}
}
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
globalCompressConfigMu.Lock()
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
if globalCompressConfig.Enabled && !objAPI.IsCompressionSupported() {
Add common validation for compression and encryption (#7978)
2019-07-26 11:41:16 +02:00
logger.Fatal(errInvalidArgument,
"Compression support is requested but '%s' does not support compression", name)
}
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
globalCompressConfigMu.Unlock()
Add common validation for compression and encryption (#7978)
2019-07-26 11:41:16 +02:00
}
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
// Check for updates and print a notification message
func checkUpdate(mode string) {
refactor server update behavior (#10107)
2020-07-23 17:03:31 +02:00
updateURL := minioReleaseInfoURL
if runtime.GOOS == globalWindowsOSName {
updateURL = minioReleaseWindowsInfoURL
}
u, err := url.Parse(updateURL)
if err != nil {
return
}
Support in-place upgrades of new minio binary and releases. (#4961) This PR allows 'minio update' to not only shows update banner but also allows for in-place upgrades. Updates are done safely by validating the downloaded sha256 of the binary. Fixes #4781
2017-12-15 21:33:42 +01:00
// Its OK to ignore any errors during doUpdate() here.
refactor server update behavior (#10107)
2020-07-23 17:03:31 +02:00
crTime, err := GetCurrentReleaseTime()
if err != nil {
return
}
_, lrTime, err := getLatestReleaseTime(u, 2*time.Second, mode)
if err != nil {
return
}
var older time.Duration
var downloadURL string
if lrTime.After(crTime) {
older = lrTime.Sub(crTime)
downloadURL = getDownloadURL(releaseTimeToReleaseTag(lrTime))
}
updateMsg := prepareUpdateMessage(downloadURL, older)
if updateMsg == "" {
return
}
turn-off checking for updates completely if MINIO_UPDATE=off (#10752)
2020-10-25 06:39:44 +01:00
logStartupMessage(prepareUpdateMessage("Run `mc admin update`", lrTime.Sub(crTime)))
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
}
Inherit certsDir from configDir if latter is set (#7098) This is to ensure backward compatibility for all existing deployments which use custom config dir to point to their certs directory.
2019-01-16 21:04:32 +01:00
func newConfigDirFromCtx(ctx *cli.Context, option string, getDefaultDir func() string) (*ConfigDir, bool) {
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
var dir string
Inherit certsDir from configDir if latter is set (#7098) This is to ensure backward compatibility for all existing deployments which use custom config dir to point to their certs directory.
2019-01-16 21:04:32 +01:00
var dirSet bool
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
switch {
case ctx.IsSet(option):
dir = ctx.String(option)
Inherit certsDir from configDir if latter is set (#7098) This is to ensure backward compatibility for all existing deployments which use custom config dir to point to their certs directory.
2019-01-16 21:04:32 +01:00
dirSet = true
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
case ctx.GlobalIsSet(option):
dir = ctx.GlobalString(option)
Inherit certsDir from configDir if latter is set (#7098) This is to ensure backward compatibility for all existing deployments which use custom config dir to point to their certs directory.
2019-01-16 21:04:32 +01:00
dirSet = true
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
// cli package does not expose parent's option option. Below code is workaround.
if dir == "" || dir == getDefaultDir() {
Inherit certsDir from configDir if latter is set (#7098) This is to ensure backward compatibility for all existing deployments which use custom config dir to point to their certs directory.
2019-01-16 21:04:32 +01:00
dirSet = false // Unset to false since GlobalIsSet() true is a false positive.
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
if ctx.Parent().GlobalIsSet(option) {
dir = ctx.Parent().GlobalString(option)
Inherit certsDir from configDir if latter is set (#7098) This is to ensure backward compatibility for all existing deployments which use custom config dir to point to their certs directory.
2019-01-16 21:04:32 +01:00
dirSet = true
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
}
}
default:
// Neither local nor global option is provided. In this case, try to use
// default directory.
dir = getDefaultDir()
if dir == "" {
logger.FatalIf(errInvalidArgument, "%s option must be provided", option)
}
}
if dir == "" {
logger.FatalIf(errors.New("empty directory"), "%s directory cannot be empty", option)
}
// Disallow relative paths, figure out absolute paths.
dirAbs, err := filepath.Abs(dir)
logger.FatalIf(err, "Unable to fetch absolute path for %s=%s", option, dir)
logger.FatalIf(mkdirAllIgnorePerm(dirAbs), "Unable to create directory specified %s=%s", option, dir)
Inherit certsDir from configDir if latter is set (#7098) This is to ensure backward compatibility for all existing deployments which use custom config dir to point to their certs directory.
2019-01-16 21:04:32 +01:00
return &ConfigDir{path: dirAbs}, dirSet
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
}
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
func handleCommonCmdArgs(ctx *cli.Context) {
Honor global flags irrespective of the position. (#5486) Flags like `json, config-dir, quiet` are now honored even if they are between minio and gateway in the cli, like, `minio --json gateway s3`. Fixes #5403
2018-03-01 05:13:33 +01:00
Add anonymous flag to prevent logging sensitive information (#6899)
2018-12-19 01:08:11 +01:00
// Get "json" flag from command line argument and
Comment Typo: Changed 'jason' to 'json` (#7216)
2019-02-10 14:49:00 +01:00
// enable json and quite modes if json flag is turned on.
Add anonymous flag to prevent logging sensitive information (#6899)
2018-12-19 01:08:11 +01:00
globalCLIContext.JSON = ctx.IsSet("json") || ctx.GlobalIsSet("json")
if globalCLIContext.JSON {
logger.EnableJSON()
}
// Get quiet flag from command line argument.
globalCLIContext.Quiet = ctx.IsSet("quiet") || ctx.GlobalIsSet("quiet")
if globalCLIContext.Quiet {
logger.EnableQuiet()
}
// Get anonymous flag from command line argument.
globalCLIContext.Anonymous = ctx.IsSet("anonymous") || ctx.GlobalIsSet("anonymous")
if globalCLIContext.Anonymous {
logger.EnableAnonymous()
}
// Fetch address option
fix: --console-address when specified endpoints missing (#12534) Additionally upgrade console dependency for reading environment variables properly.
2021-06-21 08:04:47 +02:00
addr := ctx.GlobalString("address")
if addr == "" || addr == ":"+GlobalMinioDefaultPort {
addr = ctx.String("address")
Add anonymous flag to prevent logging sensitive information (#6899)
2018-12-19 01:08:11 +01:00
}
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
// Fetch console address option
fix: --console-address when specified endpoints missing (#12534) Additionally upgrade console dependency for reading environment variables properly.
2021-06-21 08:04:47 +02:00
consoleAddr := ctx.GlobalString("console-address")
if consoleAddr == "" {
consoleAddr = ctx.String("console-address")
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
}
fix: --console-address when specified endpoints missing (#12534) Additionally upgrade console dependency for reading environment variables properly.
2021-06-21 08:04:47 +02:00
if consoleAddr == "" {
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
p, err := xnet.GetFreePort()
if err != nil {
logger.FatalIf(err, "Unable to get free port for console on the host")
}
globalMinioConsolePortAuto = true
fix: --console-address when specified endpoints missing (#12534) Additionally upgrade console dependency for reading environment variables properly.
2021-06-21 08:04:47 +02:00
consoleAddr = net.JoinHostPort("", p.String())
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
}
fix: --console-address when specified endpoints missing (#12534) Additionally upgrade console dependency for reading environment variables properly.
2021-06-21 08:04:47 +02:00
if _, _, err := net.SplitHostPort(consoleAddr); err != nil {
logger.FatalIf(err, "Unable to start listening on console port")
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
}
fix: --console-address when specified endpoints missing (#12534) Additionally upgrade console dependency for reading environment variables properly.
2021-06-21 08:04:47 +02:00
if consoleAddr == addr {
logger.FatalIf(errors.New("--console-address cannot be same as --address"), "Unable to start the server")
}
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
fix: --console-address when specified endpoints missing (#12534) Additionally upgrade console dependency for reading environment variables properly.
2021-06-21 08:04:47 +02:00
globalMinioHost, globalMinioPort = mustSplitHostPort(addr)
globalMinioConsoleHost, globalMinioConsolePort = mustSplitHostPort(consoleAddr)
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
if globalMinioPort == globalMinioConsolePort {
logger.FatalIf(errors.New("--console-address port cannot be same as --address port"), "Unable to start the server")
}
fix: --console-address when specified endpoints missing (#12534) Additionally upgrade console dependency for reading environment variables properly.
2021-06-21 08:04:47 +02:00
globalMinioAddr = addr
enable --compat flag by default (#9326) if needed use --no-compat to disable md5sum while verifying any performance numbers. bring back --compat behavior as default to avoid additional documentation and confusing behavior, as we are working towards improving md5sum to be faster on AVX instructions, enabling this should be hardly a problem in future versions of MinIO. fixes #8012 fixes #7859 fixes #7642
2020-04-13 03:08:27 +02:00
// Check "no-compat" flag from command line argument.
globalCLIContext.StrictS3Compat = true
if ctx.IsSet("no-compat") || ctx.GlobalIsSet("no-compat") {
globalCLIContext.StrictS3Compat = false
}
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
// Set all config, certs and CAs directories.
Inherit certsDir from configDir if latter is set (#7098) This is to ensure backward compatibility for all existing deployments which use custom config dir to point to their certs directory.
2019-01-16 21:04:32 +01:00
var configSet, certsSet bool
globalConfigDir, configSet = newConfigDirFromCtx(ctx, "config-dir", defaultConfigDir.Get)
globalCertsDir, certsSet = newConfigDirFromCtx(ctx, "certs-dir", defaultCertsDir.Get)
// Remove this code when we deprecate and remove config-dir.
// This code is to make sure we inherit from the config-dir
// option if certs-dir is not provided.
if !certsSet && configSet {
globalCertsDir = &ConfigDir{path: filepath.Join(globalConfigDir.Get(), certsDir)}
}
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
globalCertsCADir = &ConfigDir{path: filepath.Join(globalCertsDir.Get(), certsCADir)}
Honor global flags irrespective of the position. (#5486) Flags like `json, config-dir, quiet` are now honored even if they are between minio and gateway in the cli, like, `minio --json gateway s3`. Fixes #5403
2018-03-01 05:13:33 +01:00
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
logger.FatalIf(mkdirAllIgnorePerm(globalCertsCADir.Get()), "Unable to create certs CA directory at %s", globalCertsCADir.Get())
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
}
func handleCommonEnvVars() {
feat: distributed setup can start now with default credentials (#12303) In lieu of new changes coming for server command line, this change is to deprecate strict requirement for distributed setups to provide root credentials. Bonus: remove MINIO_WORM warning from April 2020, it is time to remove this warning.
2021-05-17 17:45:22 +02:00
var err error
Revert "deprecate embedded browser (#12163)" This reverts commit 736d8cbac483d8bf56c3422ca9a9c4c3e043c6cf. Bring contrib files for older contributions
2021-04-30 04:01:43 +02:00
globalBrowserEnabled, err = config.ParseBool(env.Get(config.EnvBrowser, config.EnableOn))
if err != nil {
logger.Fatal(config.ErrInvalidBrowserValue(err), "Invalid MINIO_BROWSER value in environment variable")
}
fix: allow customizing console redirection (#12665) MinIO might be running inside proxies, and console while being on another port might not be reachable on a specific port behind such proxies. For such scenarios customize the redirect URL such that console can be redirected to correct proxy endpoint instead. fixes #12661
2021-07-09 23:27:09 +02:00
if globalBrowserEnabled {
if redirectURL := env.Get(config.EnvMinIOBrowserRedirectURL, ""); redirectURL != "" {
u, err := xnet.ParseHTTPURL(redirectURL)
if err != nil {
fix: rename error message for MINIO_BROWSER_REDIRECT_URL (#12700) rename the error message for MINIO_BROWSER_REDIRECT_URL to match the field name
2021-07-14 21:38:25 +02:00
logger.Fatal(err, "Invalid MINIO_BROWSER_REDIRECT_URL value in environment variable")
fix: allow customizing console redirection (#12665) MinIO might be running inside proxies, and console while being on another port might not be reachable on a specific port behind such proxies. For such scenarios customize the redirect URL such that console can be redirected to correct proxy endpoint instead. fixes #12661
2021-07-09 23:27:09 +02:00
}
// Look for if URL has invalid values and return error.
if !((u.Scheme == "http" || u.Scheme == "https") &&
(u.Path == "/" || u.Path == "") && u.Opaque == "" &&
!u.ForceQuery && u.RawQuery == "" && u.Fragment == "") {
err := fmt.Errorf("URL contains unexpected resources, expected URL to be of http(s)://minio.example.com format: %v", u)
fix: rename error message for MINIO_BROWSER_REDIRECT_URL (#12700) rename the error message for MINIO_BROWSER_REDIRECT_URL to match the field name
2021-07-14 21:38:25 +02:00
logger.Fatal(err, "Invalid MINIO_BROWSER_REDIRECT_URL value is environment variable")
fix: allow customizing console redirection (#12665) MinIO might be running inside proxies, and console while being on another port might not be reachable on a specific port behind such proxies. For such scenarios customize the redirect URL such that console can be redirected to correct proxy endpoint instead. fixes #12661
2021-07-09 23:27:09 +02:00
}
fix: use browser redirect URL for IDP callback (#12689) if browser_redirect_url is set use that for IDP callback automatically, if we do not have to set REDIRECT_URI for OpenID callback URL.
2021-07-13 00:21:07 +02:00
u.Path = "" // remove any path component such as `/`
fix: allow customizing console redirection (#12665) MinIO might be running inside proxies, and console while being on another port might not be reachable on a specific port behind such proxies. For such scenarios customize the redirect URL such that console can be redirected to correct proxy endpoint instead. fixes #12661
2021-07-09 23:27:09 +02:00
globalBrowserRedirectURL = u
}
}
Revert "deprecate embedded browser (#12163)" This reverts commit 736d8cbac483d8bf56c3422ca9a9c4c3e043c6cf. Bring contrib files for older contributions
2021-04-30 04:01:43 +02:00
fix: simplify APIEndpoints() usage (#12893) improvements include - skip IPv6 correctly - do not set default value for MINIO_SERVER_URL, let it be configured if not use local IPs Bonus: - In healing return error from listPathRaw() - update console to v0.8.3
2021-08-06 00:01:19 +02:00
if serverURL := env.Get(config.EnvMinIOServerURL, ""); serverURL != "" {
use expected MinIO URLs for console (#12770) when TLS is configured using IPs directly might interfere and not work properly when the server is configured with TLS certs but the certs only have domain certs. Also additionally allow users to specify a public accessible URL for console to talk to MinIO i.e `MINIO_SERVER_URL` this would allow them to use an external ingress domain to talk to MinIO. This internally fixes few problems such as presigned URL generation on the console UI etc. This needs to be done additionally for any MinIO deployments that might have a much more stricter requirement when running in standalone mode such as FS or standalone erasure code.
2021-07-21 23:51:16 +02:00
u, err := xnet.ParseHTTPURL(serverURL)
if err != nil {
logger.Fatal(err, "Invalid MINIO_SERVER_URL value in environment variable")
}
// Look for if URL has invalid values and return error.
if !((u.Scheme == "http" || u.Scheme == "https") &&
(u.Path == "/" || u.Path == "") && u.Opaque == "" &&
!u.ForceQuery && u.RawQuery == "" && u.Fragment == "") {
err := fmt.Errorf("URL contains unexpected resources, expected URL to be of http(s)://minio.example.com format: %v", u)
logger.Fatal(err, "Invalid MINIO_SERVER_URL value is environment variable")
}
u.Path = "" // remove any path component such as `/`
globalMinioEndpoint = u.String()
}
add option for O_SYNC writes for standalone FS backend (#9581)
2020-05-13 04:24:59 +02:00
globalFSOSync, err = config.ParseBool(env.Get(config.EnvFSOSync, config.EnableOff))
if err != nil {
logger.Fatal(config.ErrInvalidFSOSyncValue(err), "Invalid MINIO_FS_OSYNC value in environment variable")
}
Extend further validation of config values (#8469) - This PR allows config KVS to be validated properly without being affected by ENV overrides, rejects invalid values during set operation - Expands unit tests and refactors the error handling for notification targets, returns error instead of ignoring targets for invalid KVS - Does all the prep-work for implementing safe-mode style operation for MinIO server, introduces a new global variable to toggle safe mode based operations NOTE: this PR itself doesn't provide safe mode operations
2019-10-31 07:39:09 +01:00
domains := env.Get(config.EnvDomain, "")
if len(domains) != 0 {
for _, domainName := range strings.Split(domains, config.ValueSeparator) {
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
if _, ok := dns2.IsDomainName(domainName); !ok {
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 19:35:33 +02:00
logger.Fatal(config.ErrInvalidDomainValue(nil).Msg("Unknown value `%s`", domainName),
Support multiple-domains in MINIO_DOMAIN (#7274) Fixes #7173
2019-02-23 04:18:01 +01:00
"Invalid MINIO_DOMAIN value in environment variable")
}
globalDomainNames = append(globalDomainNames, domainName)
Deprecate domain, browser as config entries (#6498)
2018-09-20 23:56:32 +02:00
}
fix: allow updated domain names in federation (#11365) additionally also disallow overlapping domain names
2021-01-28 20:44:48 +01:00
sort.Strings(globalDomainNames)
lcpSuf := lcpSuffix(globalDomainNames)
for _, domainName := range globalDomainNames {
fix: verify overlapping domains when > 1
2021-01-28 22:08:48 +01:00
if domainName == lcpSuf && len(globalDomainNames) > 1 {
fix: allow updated domain names in federation (#11365) additionally also disallow overlapping domain names
2021-01-28 20:44:48 +01:00
logger.Fatal(config.ErrOverlappingDomainValue(nil).Msg("Overlapping domains `%s` not allowed", globalDomainNames),
"Invalid MINIO_DOMAIN value in environment variable")
}
}
Deprecate domain, browser as config entries (#6498)
2018-09-20 23:56:32 +02:00
}
Use random host from among multiple hosts to create requests Also use hosts passed to Minio startup command to populate IP addresses if MINIO_PUBLIC_IPS is not set.
2018-05-16 03:20:22 +02:00
Extend further validation of config values (#8469) - This PR allows config KVS to be validated properly without being affected by ENV overrides, rejects invalid values during set operation - Expands unit tests and refactors the error handling for notification targets, returns error instead of ignoring targets for invalid KVS - Does all the prep-work for implementing safe-mode style operation for MinIO server, introduces a new global variable to toggle safe mode based operations NOTE: this PR itself doesn't provide safe mode operations
2019-10-31 07:39:09 +01:00
publicIPs := env.Get(config.EnvPublicIPs, "")
if len(publicIPs) != 0 {
minioEndpoints := strings.Split(publicIPs, config.ValueSeparator)
Add support for hostname lookups instead of IPs in MINIO_PUBLIC_IPS (#7018) DNS names will be resolved to their respective IPs if specified in MINIO_PUBLIC_IPS. Fixes #6862
2018-12-23 12:08:21 +01:00
var domainIPs = set.NewStringSet()
for _, endpoint := range minioEndpoints {
if net.ParseIP(endpoint) == nil {
// Checking if the IP is a DNS entry.
addrs, err := net.LookupHost(endpoint)
if err != nil {
Replace Minio refs in docs with MinIO and links (#7494)
2019-04-09 20:39:42 +02:00
logger.FatalIf(err, "Unable to initialize MinIO server with [%s] invalid entry found in MINIO_PUBLIC_IPS", endpoint)
Add support for hostname lookups instead of IPs in MINIO_PUBLIC_IPS (#7018) DNS names will be resolved to their respective IPs if specified in MINIO_PUBLIC_IPS. Fixes #6862
2018-12-23 12:08:21 +01:00
}
for _, addr := range addrs {
domainIPs.Add(addr)
}
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 21:02:30 +02:00
}
Add support for hostname lookups instead of IPs in MINIO_PUBLIC_IPS (#7018) DNS names will be resolved to their respective IPs if specified in MINIO_PUBLIC_IPS. Fixes #6862
2018-12-23 12:08:21 +01:00
domainIPs.Add(endpoint)
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 21:02:30 +02:00
}
Add support for hostname lookups instead of IPs in MINIO_PUBLIC_IPS (#7018) DNS names will be resolved to their respective IPs if specified in MINIO_PUBLIC_IPS. Fixes #6862
2018-12-23 12:08:21 +01:00
updateDomainIPs(domainIPs)
Fallback to non-loopback IF addresses for Domain IPs (#6918) When MINIO_PUBLIC_IPS is not specified and no endpoints are passed as arguments, fallback to the address of non loop-back interfaces. This is useful so users can avoid setting MINIO_PUBLIC_IPS in docker or orchestration scripts, ince users naturally setup an internal network that connects all instances.
2018-12-05 02:35:22 +01:00
} else {
// Add found interfaces IP address to global domain IPS,
// loopback addresses will be naturally dropped.
add dnsStore interface for upcoming operator webhook (#10077)
2020-07-20 21:28:48 +02:00
domainIPs := mustGetLocalIP4()
for _, host := range globalEndpoints.Hostnames() {
domainIPs.Add(host)
}
updateDomainIPs(domainIPs)
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 21:02:30 +02:00
}
Fallback to non-loopback IF addresses for Domain IPs (#6918) When MINIO_PUBLIC_IPS is not specified and no endpoints are passed as arguments, fallback to the address of non loop-back interfaces. This is useful so users can avoid setting MINIO_PUBLIC_IPS in docker or orchestration scripts, ince users naturally setup an internal network that connects all instances.
2018-12-05 02:35:22 +01:00
Support in-place upgrades of new minio binary and releases. (#4961) This PR allows 'minio update' to not only shows update banner but also allows for in-place upgrades. Updates are done safely by validating the downloaded sha256 of the binary. Fixes #4781
2017-12-15 21:33:42 +01:00
// In place update is true by default if the MINIO_UPDATE is not set
// or is not set to 'off', if MINIO_UPDATE is set to 'off' then
// in-place update is off.
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
globalInplaceUpdateDisabled = strings.EqualFold(env.Get(config.EnvUpdate, config.EnableOn), config.EnableOff)
Migrate all backend at .minio.sys/config to encrypted backend (#8474) - Supports migrating only when the credential ENVs are set, so any FS mode deployments which do not have ENVs set will continue to remain as is. - Credential ENVs can be rotated using MINIO_ACCESS_KEY_OLD and MINIO_SECRET_KEY_OLD envs, in such scenarios it allowed to rotate the encrypted content to a new admin key.
2019-11-01 23:53:16 +01:00
fix: partially defined cred env vars cause "minio gateway s3" to fail (#12228) Both credential env vars not needed to start s3 gateway
2021-06-11 07:28:09 +02:00
// Check if the supported credential env vars, "MINIO_ROOT_USER" and
// "MINIO_ROOT_PASSWORD" are provided
// Warn user if deprecated environment variables,
// "MINIO_ACCESS_KEY" and "MINIO_SECRET_KEY", are defined
// Check all error conditions first
if !env.IsSet(config.EnvRootUser) && env.IsSet(config.EnvRootPassword) {
logger.Fatal(config.ErrMissingEnvCredentialRootUser(nil), "Unable to start MinIO")
} else if env.IsSet(config.EnvRootUser) && !env.IsSet(config.EnvRootPassword) {
logger.Fatal(config.ErrMissingEnvCredentialRootPassword(nil), "Unable to start MinIO")
} else if !env.IsSet(config.EnvRootUser) && !env.IsSet(config.EnvRootPassword) {
if !env.IsSet(config.EnvAccessKey) && env.IsSet(config.EnvSecretKey) {
logger.Fatal(config.ErrMissingEnvCredentialAccessKey(nil), "Unable to start MinIO")
} else if env.IsSet(config.EnvAccessKey) && !env.IsSet(config.EnvSecretKey) {
logger.Fatal(config.ErrMissingEnvCredentialSecretKey(nil), "Unable to start MinIO")
Revert "fix: remove deprecated MINIO_ACCESS_KEY, MINIO_SECRET_KEY envs (#12173)" This reverts commit b0baaeaa3ddee9573d3b1ac698e1182d2cc883fe.
2021-04-29 19:55:05 +02:00
}
}
fix: partially defined cred env vars cause "minio gateway s3" to fail (#12228) Both credential env vars not needed to start s3 gateway
2021-06-11 07:28:09 +02:00
// At this point, either both environment variables
// are defined or both are not defined.
// Check both cases and authenticate them if correctly defined
var user, password string
haveRootCredentials := false
haveAccessCredentials := false
if env.IsSet(config.EnvRootUser) && env.IsSet(config.EnvRootPassword) {
user = env.Get(config.EnvRootUser, "")
password = env.Get(config.EnvRootPassword, "")
haveRootCredentials = true
} else if env.IsSet(config.EnvAccessKey) && env.IsSet(config.EnvSecretKey) {
user = env.Get(config.EnvAccessKey, "")
password = env.Get(config.EnvSecretKey, "")
haveAccessCredentials = true
}
if haveRootCredentials || haveAccessCredentials {
cred, err := auth.CreateCredentials(user, password)
feat: migrate to ROOT_USER/PASSWORD from ACCESS/SECRET_KEY (#11185)
2021-01-05 19:22:57 +01:00
if err != nil {
logger.Fatal(config.ErrInvalidCredentials(err),
"Unable to validate credentials inherited from the shell environment")
}
fix: partially defined cred env vars cause "minio gateway s3" to fail (#12228) Both credential env vars not needed to start s3 gateway
2021-06-11 07:28:09 +02:00
if haveAccessCredentials {
msg := fmt.Sprintf("WARNING: %s and %s are deprecated.\n"+
" Please use %s and %s",
config.EnvAccessKey, config.EnvSecretKey,
config.EnvRootUser, config.EnvRootPassword)
feat: Deprecate embedded browser and import console (#12460) This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with ``` --console-address ":9001" ```
2021-06-18 05:27:04 +02:00
logStartupMessage(color.RedBold(msg))
fix: partially defined cred env vars cause "minio gateway s3" to fail (#12228) Both credential env vars not needed to start s3 gateway
2021-06-11 07:28:09 +02:00
}
feat: migrate to ROOT_USER/PASSWORD from ACCESS/SECRET_KEY (#11185)
2021-01-05 19:22:57 +01:00
globalActiveCred = cred
}
kms: encrypt IAM/config data with the KMS (#12041) This commit changes the config/IAM encryption process. Instead of encrypting config data (users, policies etc.) with the root credentials MinIO now encrypts this data with a KMS - if configured. Therefore, this PR moves the MinIO-KMS configuration (via env. variables) to a "top-level" configuration. The KMS configuration cannot be stored in the config file since it is used to decrypt the config file in the first place. As a consequence, this commit also removes support for Hashicorp Vault - which has been deprecated anyway. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-04-22 17:45:30 +02:00
switch {
case env.IsSet(config.EnvKMSSecretKey) && env.IsSet(config.EnvKESEndpoint):
logger.Fatal(errors.New("ambigious KMS configuration"), fmt.Sprintf("The environment contains %q as well as %q", config.EnvKMSSecretKey, config.EnvKESEndpoint))
}
fix: allow parsing keys in both new and old format (#12144) Bonus fix fallback to decrypt previously encrypted content as well using older master key ciphertext format. Signed-off-by: Harshavardhana <harsha@minio.io>
2021-04-25 04:05:25 +02:00
avoid parsing MINIO_KMS_MASTER_KEY as base64 (#12149) This commit reverts a change that added support for parsing base64-encoded keys set via `MINIO_KMS_MASTER_KEY`. The env. variable `MINIO_KMS_MASTER_KEY` is deprecated and should ONLY support parsing existing keys - not the new format. Any new deployment should use `MINIO_KMS_SECRET_KEY`. The legacy env. variable `MINIO_KMS_MASTER_KEY` will be removed at some point in time. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-04-25 20:04:31 +02:00
if env.IsSet(config.EnvKMSSecretKey) {
fix MINIO_KMS_SECRET_KEY env. variable parsing (#12200) This commit fixes a bug when parsing the env. variable `MINIO_KMS_SECRET_KEY`. Before, the env. variable name - instead of its value - was parsed. This (obviously) did not work properly. This commit fixes this. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-01 03:47:30 +02:00
GlobalKMS, err = kms.Parse(env.Get(config.EnvKMSSecretKey, ""))
Add service account type in IAM (#9029)
2020-03-17 18:36:13 +01:00
if err != nil {
avoid parsing MINIO_KMS_MASTER_KEY as base64 (#12149) This commit reverts a change that added support for parsing base64-encoded keys set via `MINIO_KMS_MASTER_KEY`. The env. variable `MINIO_KMS_MASTER_KEY` is deprecated and should ONLY support parsing existing keys - not the new format. Any new deployment should use `MINIO_KMS_SECRET_KEY`. The legacy env. variable `MINIO_KMS_MASTER_KEY` will be removed at some point in time. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-04-25 20:04:31 +02:00
logger.Fatal(err, "Unable to parse the KMS secret key inherited from the shell environment")
Add service account type in IAM (#9029)
2020-03-17 18:36:13 +01:00
}
kms: encrypt IAM/config data with the KMS (#12041) This commit changes the config/IAM encryption process. Instead of encrypting config data (users, policies etc.) with the root credentials MinIO now encrypts this data with a KMS - if configured. Therefore, this PR moves the MinIO-KMS configuration (via env. variables) to a "top-level" configuration. The KMS configuration cannot be stored in the config file since it is used to decrypt the config file in the first place. As a consequence, this commit also removes support for Hashicorp Vault - which has been deprecated anyway. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-04-22 17:45:30 +02:00
}
if env.IsSet(config.EnvKESEndpoint) {
kms: replace KES client implementation with minio/kes (#12207) This commit replaces the custom KES client implementation with the KES SDK from https://github.com/minio/kes The SDK supports multi-server client load-balancing and requests retry out of the box. Therefore, this change reduces the overall complexity within the MinIO server and there is no need to maintain two separate client implementations. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-11 03:15:11 +02:00
var endpoints []string
for _, endpoint := range strings.Split(env.Get(config.EnvKESEndpoint, ""), ",") {
if strings.TrimSpace(endpoint) == "" {
continue
}
if !ellipses.HasEllipses(endpoint) {
endpoints = append(endpoints, endpoint)
continue
}
patterns, err := ellipses.FindEllipsesPatterns(endpoint)
if err != nil {
logger.Fatal(err, fmt.Sprintf("Invalid KES endpoint %q", endpoint))
}
for _, lbls := range patterns.Expand() {
endpoints = append(endpoints, strings.Join(lbls, ""))
}
}
certificate, err := tls.LoadX509KeyPair(env.Get(config.EnvKESClientCert, ""), env.Get(config.EnvKESClientKey, ""))
if err != nil {
logger.Fatal(err, "Unable to load KES client certificate as specified by the shell environment")
}
rootCAs, err := certs.GetRootCAs(env.Get(config.EnvKESServerCA, globalCertsCADir.Get()))
kms: encrypt IAM/config data with the KMS (#12041) This commit changes the config/IAM encryption process. Instead of encrypting config data (users, policies etc.) with the root credentials MinIO now encrypts this data with a KMS - if configured. Therefore, this PR moves the MinIO-KMS configuration (via env. variables) to a "top-level" configuration. The KMS configuration cannot be stored in the config file since it is used to decrypt the config file in the first place. As a consequence, this commit also removes support for Hashicorp Vault - which has been deprecated anyway. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-04-22 17:45:30 +02:00
if err != nil {
kms: replace KES client implementation with minio/kes (#12207) This commit replaces the custom KES client implementation with the KES SDK from https://github.com/minio/kes The SDK supports multi-server client load-balancing and requests retry out of the box. Therefore, this change reduces the overall complexity within the MinIO server and there is no need to maintain two separate client implementations. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-11 03:15:11 +02:00
logger.Fatal(err, fmt.Sprintf("Unable to load X.509 root CAs for KES from %q", env.Get(config.EnvKESServerCA, globalCertsCADir.Get())))
kms: encrypt IAM/config data with the KMS (#12041) This commit changes the config/IAM encryption process. Instead of encrypting config data (users, policies etc.) with the root credentials MinIO now encrypts this data with a KMS - if configured. Therefore, this PR moves the MinIO-KMS configuration (via env. variables) to a "top-level" configuration. The KMS configuration cannot be stored in the config file since it is used to decrypt the config file in the first place. As a consequence, this commit also removes support for Hashicorp Vault - which has been deprecated anyway. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-04-22 17:45:30 +02:00
}
kms: replace KES client implementation with minio/kes (#12207) This commit replaces the custom KES client implementation with the KES SDK from https://github.com/minio/kes The SDK supports multi-server client load-balancing and requests retry out of the box. Therefore, this change reduces the overall complexity within the MinIO server and there is no need to maintain two separate client implementations. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-11 03:15:11 +02:00
check that we can reach KES server and that the default key exists (#12291) This commit adds a check to the MinIO server setup that verifies that MinIO can reach KES, if configured, and that the default key exists. If the default key does not exist it will create it automatically. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-13 20:13:31 +02:00
var defaultKeyID = env.Get(config.EnvKESKeyName, "")
kms: replace KES client implementation with minio/kes (#12207) This commit replaces the custom KES client implementation with the KES SDK from https://github.com/minio/kes The SDK supports multi-server client load-balancing and requests retry out of the box. Therefore, this change reduces the overall complexity within the MinIO server and there is no need to maintain two separate client implementations. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-11 03:15:11 +02:00
KMS, err := kms.NewWithConfig(kms.Config{
Endpoints: endpoints,
check that we can reach KES server and that the default key exists (#12291) This commit adds a check to the MinIO server setup that verifies that MinIO can reach KES, if configured, and that the default key exists. If the default key does not exist it will create it automatically. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-13 20:13:31 +02:00
DefaultKeyID: defaultKeyID,
kms: replace KES client implementation with minio/kes (#12207) This commit replaces the custom KES client implementation with the KES SDK from https://github.com/minio/kes The SDK supports multi-server client load-balancing and requests retry out of the box. Therefore, this change reduces the overall complexity within the MinIO server and there is no need to maintain two separate client implementations. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-11 03:15:11 +02:00
Certificate: certificate,
RootCAs: rootCAs,
kms: encrypt IAM/config data with the KMS (#12041) This commit changes the config/IAM encryption process. Instead of encrypting config data (users, policies etc.) with the root credentials MinIO now encrypts this data with a KMS - if configured. Therefore, this PR moves the MinIO-KMS configuration (via env. variables) to a "top-level" configuration. The KMS configuration cannot be stored in the config file since it is used to decrypt the config file in the first place. As a consequence, this commit also removes support for Hashicorp Vault - which has been deprecated anyway. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-04-22 17:45:30 +02:00
})
if err != nil {
logger.Fatal(err, "Unable to initialize a connection to KES as specified by the shell environment")
feat: migrate to ROOT_USER/PASSWORD from ACCESS/SECRET_KEY (#11185)
2021-01-05 19:22:57 +01:00
}
check that we can reach KES server and that the default key exists (#12291) This commit adds a check to the MinIO server setup that verifies that MinIO can reach KES, if configured, and that the default key exists. If the default key does not exist it will create it automatically. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-05-13 20:13:31 +02:00
// We check that the default key ID exists or try to create it otherwise.
// This implicitly checks that we can communicate to KES. We don't treat
// a policy error as failure condition since MinIO may not have the permission
// to create keys - just to generate/decrypt data encryption keys.
if err = KMS.CreateKey(defaultKeyID); err != nil && !errors.Is(err, kes.ErrKeyExists) && !errors.Is(err, kes.ErrNotAllowed) {
logger.Fatal(err, "Unable to initialize a connection to KES as specified by the shell environment")
}
kms: encrypt IAM/config data with the KMS (#12041) This commit changes the config/IAM encryption process. Instead of encrypting config data (users, policies etc.) with the root credentials MinIO now encrypts this data with a KMS - if configured. Therefore, this PR moves the MinIO-KMS configuration (via env. variables) to a "top-level" configuration. The KMS configuration cannot be stored in the config file since it is used to decrypt the config file in the first place. As a consequence, this commit also removes support for Hashicorp Vault - which has been deprecated anyway. Signed-off-by: Andreas Auernhammer <aead@mail.de>
2021-04-22 17:45:30 +02:00
GlobalKMS = KMS
feat: migrate to ROOT_USER/PASSWORD from ACCESS/SECRET_KEY (#11185)
2021-01-05 19:22:57 +01:00
}
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
}
log server startup messages to admin console api (#8264)
2019-09-22 10:24:32 +02:00
Remove unusued params and functions (#8399)
2019-10-16 03:35:41 +02:00
func logStartupMessage(msg string) {
Fix all failing tests with -race
2019-09-22 19:45:33 +02:00
if globalConsoleSys != nil {
Allow logging targets to be configured to receive `minio` (#8347) specific errors, `application` errors or `all` by default. console logging on server by default lists all logs - enhance admin console API to accept `type` as query parameter to subscribe to application/minio logs.
2019-10-12 03:50:54 +02:00
globalConsoleSys.Send(msg, string(logger.All))
Fix all failing tests with -race
2019-09-22 19:45:33 +02:00
}
Remove unusued params and functions (#8399)
2019-10-16 03:35:41 +02:00
logger.StartupMessage(msg)
log server startup messages to admin console api (#8264)
2019-09-22 10:24:32 +02:00
}
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
certs: refactor cert manager to support multiple certificates (#10207) This commit refactors the certificate management implementation in the `certs` package such that multiple certificates can be specified at the same time. Therefore, the following layout of the `certs/` directory is expected: ``` certs/ │ ├─ public.crt ├─ private.key ├─ CAs/ // CAs directory is ignored │ │ │ ... │ ├─ example.com/ │ │ │ ├─ public.crt │ └─ private.key └─ foobar.org/ │ ├─ public.crt └─ private.key ... ``` However, directory names like `example.com` are just for human readability/organization and don't have any meaning w.r.t whether a particular certificate is served or not. This decision is made based on the SNI sent by the client and the SAN of the certificate. *** The `Manager` will pick a certificate based on the client trying to establish a TLS connection. In particular, it looks at the client hello (i.e. SNI) to determine which host the client tries to access. If the manager can find a certificate that matches the SNI it returns this certificate to the client. However, the client may choose to not send an SNI or tries to access a server directly via IP (`https://<ip>:<port>`). In this case, we cannot use the SNI to determine which certificate to serve. However, we also should not pick "the first" certificate that would be accepted by the client (based on crypto. parameters - like a signature algorithm) because it may be an internal certificate that contains internal hostnames. We would disclose internal infrastructure details doing so. Therefore, the `Manager` returns the "default" certificate when the client does not specify an SNI. The default certificate the top-level `public.crt` - i.e. `certs/public.crt`. This approach has some consequences: - It's the operator's responsibility to ensure that the top-level `public.crt` does not disclose any information (i.e. hostnames) that are not publicly visible. However, this was the case in the past already. - Any other `public.crt` - except for the top-level one - must not contain any IP SAN. The reason for this restriction is that the Manager cannot match a SNI to an IP b/c the SNI is the server host name. The entire purpose of SNI is to indicate which host the client tries to connect to when multiple hosts run on the same IP. So, a client will not set the SNI to an IP. If we would allow IP SANs in a lower-level `public.crt` a user would expect that it is possible to connect to MinIO directly via IP address and that the MinIO server would pick "the right" certificate. However, the MinIO server cannot determine which certificate to serve, and therefore always picks the "default" one. This may lead to all sorts of confusing errors like: "It works if I use `https:instance.minio.local` but not when I use `https://10.0.2.1`. These consequences/limitations should be pointed out / explained in our docs in an appropriate way. However, the support for multiple certificates should not have any impact on how deployment with a single certificate function today. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
func getTLSConfig() (x509Certs []*x509.Certificate, manager *certs.Manager, secureConn bool, err error) {
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
if !(isFile(getPublicCertFile()) && isFile(getPrivateKeyFile())) {
return nil, nil, false, nil
}
if x509Certs, err = config.ParsePublicCertFile(getPublicCertFile()); err != nil {
return nil, nil, false, err
}
certs: refactor cert manager to support multiple certificates (#10207) This commit refactors the certificate management implementation in the `certs` package such that multiple certificates can be specified at the same time. Therefore, the following layout of the `certs/` directory is expected: ``` certs/ │ ├─ public.crt ├─ private.key ├─ CAs/ // CAs directory is ignored │ │ │ ... │ ├─ example.com/ │ │ │ ├─ public.crt │ └─ private.key └─ foobar.org/ │ ├─ public.crt └─ private.key ... ``` However, directory names like `example.com` are just for human readability/organization and don't have any meaning w.r.t whether a particular certificate is served or not. This decision is made based on the SNI sent by the client and the SAN of the certificate. *** The `Manager` will pick a certificate based on the client trying to establish a TLS connection. In particular, it looks at the client hello (i.e. SNI) to determine which host the client tries to access. If the manager can find a certificate that matches the SNI it returns this certificate to the client. However, the client may choose to not send an SNI or tries to access a server directly via IP (`https://<ip>:<port>`). In this case, we cannot use the SNI to determine which certificate to serve. However, we also should not pick "the first" certificate that would be accepted by the client (based on crypto. parameters - like a signature algorithm) because it may be an internal certificate that contains internal hostnames. We would disclose internal infrastructure details doing so. Therefore, the `Manager` returns the "default" certificate when the client does not specify an SNI. The default certificate the top-level `public.crt` - i.e. `certs/public.crt`. This approach has some consequences: - It's the operator's responsibility to ensure that the top-level `public.crt` does not disclose any information (i.e. hostnames) that are not publicly visible. However, this was the case in the past already. - Any other `public.crt` - except for the top-level one - must not contain any IP SAN. The reason for this restriction is that the Manager cannot match a SNI to an IP b/c the SNI is the server host name. The entire purpose of SNI is to indicate which host the client tries to connect to when multiple hosts run on the same IP. So, a client will not set the SNI to an IP. If we would allow IP SANs in a lower-level `public.crt` a user would expect that it is possible to connect to MinIO directly via IP address and that the MinIO server would pick "the right" certificate. However, the MinIO server cannot determine which certificate to serve, and therefore always picks the "default" one. This may lead to all sorts of confusing errors like: "It works if I use `https:instance.minio.local` but not when I use `https://10.0.2.1`. These consequences/limitations should be pointed out / explained in our docs in an appropriate way. However, the support for multiple certificates should not have any impact on how deployment with a single certificate function today. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
manager, err = certs.NewManager(GlobalContext, getPublicCertFile(), getPrivateKeyFile(), config.LoadX509KeyPair)
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
if err != nil {
return nil, nil, false, err
}
certs: refactor cert manager to support multiple certificates (#10207) This commit refactors the certificate management implementation in the `certs` package such that multiple certificates can be specified at the same time. Therefore, the following layout of the `certs/` directory is expected: ``` certs/ │ ├─ public.crt ├─ private.key ├─ CAs/ // CAs directory is ignored │ │ │ ... │ ├─ example.com/ │ │ │ ├─ public.crt │ └─ private.key └─ foobar.org/ │ ├─ public.crt └─ private.key ... ``` However, directory names like `example.com` are just for human readability/organization and don't have any meaning w.r.t whether a particular certificate is served or not. This decision is made based on the SNI sent by the client and the SAN of the certificate. *** The `Manager` will pick a certificate based on the client trying to establish a TLS connection. In particular, it looks at the client hello (i.e. SNI) to determine which host the client tries to access. If the manager can find a certificate that matches the SNI it returns this certificate to the client. However, the client may choose to not send an SNI or tries to access a server directly via IP (`https://<ip>:<port>`). In this case, we cannot use the SNI to determine which certificate to serve. However, we also should not pick "the first" certificate that would be accepted by the client (based on crypto. parameters - like a signature algorithm) because it may be an internal certificate that contains internal hostnames. We would disclose internal infrastructure details doing so. Therefore, the `Manager` returns the "default" certificate when the client does not specify an SNI. The default certificate the top-level `public.crt` - i.e. `certs/public.crt`. This approach has some consequences: - It's the operator's responsibility to ensure that the top-level `public.crt` does not disclose any information (i.e. hostnames) that are not publicly visible. However, this was the case in the past already. - Any other `public.crt` - except for the top-level one - must not contain any IP SAN. The reason for this restriction is that the Manager cannot match a SNI to an IP b/c the SNI is the server host name. The entire purpose of SNI is to indicate which host the client tries to connect to when multiple hosts run on the same IP. So, a client will not set the SNI to an IP. If we would allow IP SANs in a lower-level `public.crt` a user would expect that it is possible to connect to MinIO directly via IP address and that the MinIO server would pick "the right" certificate. However, the MinIO server cannot determine which certificate to serve, and therefore always picks the "default" one. This may lead to all sorts of confusing errors like: "It works if I use `https:instance.minio.local` but not when I use `https://10.0.2.1`. These consequences/limitations should be pointed out / explained in our docs in an appropriate way. However, the support for multiple certificates should not have any impact on how deployment with a single certificate function today. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
// MinIO has support for multiple certificates. It expects the following structure:
// certs/
// │
// ├─ public.crt
// ├─ private.key
// │
// ├─ example.com/
// │ │
// │ ├─ public.crt
// │ └─ private.key
// └─ foobar.org/
// │
// ├─ public.crt
// └─ private.key
// ...
//
// Therefore, we read all filenames in the cert directory and check
// for each directory whether it contains a public.crt and private.key.
// If so, we try to add it to certificate manager.
root, err := os.Open(globalCertsDir.Get())
if err != nil {
return nil, nil, false, err
}
defer root.Close()
files, err := root.Readdir(-1)
if err != nil {
return nil, nil, false, err
}
for _, file := range files {
fix: reading multiple TLS certificates when deployed in K8S (#10601) Ignore all regular files, CAs directory and any directory that starts with `..` inside the `.minio/certs` folder
2020-09-30 17:21:30 +02:00
// Ignore all
// - regular files
// - "CAs" directory
// - any directory which starts with ".."
if file.Mode().IsRegular() || file.Name() == "CAs" || strings.HasPrefix(file.Name(), "..") {
certs: refactor cert manager to support multiple certificates (#10207) This commit refactors the certificate management implementation in the `certs` package such that multiple certificates can be specified at the same time. Therefore, the following layout of the `certs/` directory is expected: ``` certs/ │ ├─ public.crt ├─ private.key ├─ CAs/ // CAs directory is ignored │ │ │ ... │ ├─ example.com/ │ │ │ ├─ public.crt │ └─ private.key └─ foobar.org/ │ ├─ public.crt └─ private.key ... ``` However, directory names like `example.com` are just for human readability/organization and don't have any meaning w.r.t whether a particular certificate is served or not. This decision is made based on the SNI sent by the client and the SAN of the certificate. *** The `Manager` will pick a certificate based on the client trying to establish a TLS connection. In particular, it looks at the client hello (i.e. SNI) to determine which host the client tries to access. If the manager can find a certificate that matches the SNI it returns this certificate to the client. However, the client may choose to not send an SNI or tries to access a server directly via IP (`https://<ip>:<port>`). In this case, we cannot use the SNI to determine which certificate to serve. However, we also should not pick "the first" certificate that would be accepted by the client (based on crypto. parameters - like a signature algorithm) because it may be an internal certificate that contains internal hostnames. We would disclose internal infrastructure details doing so. Therefore, the `Manager` returns the "default" certificate when the client does not specify an SNI. The default certificate the top-level `public.crt` - i.e. `certs/public.crt`. This approach has some consequences: - It's the operator's responsibility to ensure that the top-level `public.crt` does not disclose any information (i.e. hostnames) that are not publicly visible. However, this was the case in the past already. - Any other `public.crt` - except for the top-level one - must not contain any IP SAN. The reason for this restriction is that the Manager cannot match a SNI to an IP b/c the SNI is the server host name. The entire purpose of SNI is to indicate which host the client tries to connect to when multiple hosts run on the same IP. So, a client will not set the SNI to an IP. If we would allow IP SANs in a lower-level `public.crt` a user would expect that it is possible to connect to MinIO directly via IP address and that the MinIO server would pick "the right" certificate. However, the MinIO server cannot determine which certificate to serve, and therefore always picks the "default" one. This may lead to all sorts of confusing errors like: "It works if I use `https:instance.minio.local` but not when I use `https://10.0.2.1`. These consequences/limitations should be pointed out / explained in our docs in an appropriate way. However, the support for multiple certificates should not have any impact on how deployment with a single certificate function today. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
continue
}
fix: reading multiple TLS certificates when deployed in K8S (#10601) Ignore all regular files, CAs directory and any directory that starts with `..` inside the `.minio/certs` folder
2020-09-30 17:21:30 +02:00
if file.Mode()&os.ModeSymlink == os.ModeSymlink {
file, err = os.Stat(filepath.Join(root.Name(), file.Name()))
if err != nil {
// not accessible ignore
continue
}
if !file.IsDir() {
continue
}
}
certs: refactor cert manager to support multiple certificates (#10207) This commit refactors the certificate management implementation in the `certs` package such that multiple certificates can be specified at the same time. Therefore, the following layout of the `certs/` directory is expected: ``` certs/ │ ├─ public.crt ├─ private.key ├─ CAs/ // CAs directory is ignored │ │ │ ... │ ├─ example.com/ │ │ │ ├─ public.crt │ └─ private.key └─ foobar.org/ │ ├─ public.crt └─ private.key ... ``` However, directory names like `example.com` are just for human readability/organization and don't have any meaning w.r.t whether a particular certificate is served or not. This decision is made based on the SNI sent by the client and the SAN of the certificate. *** The `Manager` will pick a certificate based on the client trying to establish a TLS connection. In particular, it looks at the client hello (i.e. SNI) to determine which host the client tries to access. If the manager can find a certificate that matches the SNI it returns this certificate to the client. However, the client may choose to not send an SNI or tries to access a server directly via IP (`https://<ip>:<port>`). In this case, we cannot use the SNI to determine which certificate to serve. However, we also should not pick "the first" certificate that would be accepted by the client (based on crypto. parameters - like a signature algorithm) because it may be an internal certificate that contains internal hostnames. We would disclose internal infrastructure details doing so. Therefore, the `Manager` returns the "default" certificate when the client does not specify an SNI. The default certificate the top-level `public.crt` - i.e. `certs/public.crt`. This approach has some consequences: - It's the operator's responsibility to ensure that the top-level `public.crt` does not disclose any information (i.e. hostnames) that are not publicly visible. However, this was the case in the past already. - Any other `public.crt` - except for the top-level one - must not contain any IP SAN. The reason for this restriction is that the Manager cannot match a SNI to an IP b/c the SNI is the server host name. The entire purpose of SNI is to indicate which host the client tries to connect to when multiple hosts run on the same IP. So, a client will not set the SNI to an IP. If we would allow IP SANs in a lower-level `public.crt` a user would expect that it is possible to connect to MinIO directly via IP address and that the MinIO server would pick "the right" certificate. However, the MinIO server cannot determine which certificate to serve, and therefore always picks the "default" one. This may lead to all sorts of confusing errors like: "It works if I use `https:instance.minio.local` but not when I use `https://10.0.2.1`. These consequences/limitations should be pointed out / explained in our docs in an appropriate way. However, the support for multiple certificates should not have any impact on how deployment with a single certificate function today. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
var (
certFile = filepath.Join(root.Name(), file.Name(), publicCertFile)
keyFile = filepath.Join(root.Name(), file.Name(), privateKeyFile)
)
if !isFile(certFile) || !isFile(keyFile) {
continue
}
fix: reading multiple TLS certificates when deployed in K8S (#10601) Ignore all regular files, CAs directory and any directory that starts with `..` inside the `.minio/certs` folder
2020-09-30 17:21:30 +02:00
if err = manager.AddCertificate(certFile, keyFile); err != nil {
err = fmt.Errorf("Unable to load TLS certificate '%s,%s': %w", certFile, keyFile, err)
certs: refactor cert manager to support multiple certificates (#10207) This commit refactors the certificate management implementation in the `certs` package such that multiple certificates can be specified at the same time. Therefore, the following layout of the `certs/` directory is expected: ``` certs/ │ ├─ public.crt ├─ private.key ├─ CAs/ // CAs directory is ignored │ │ │ ... │ ├─ example.com/ │ │ │ ├─ public.crt │ └─ private.key └─ foobar.org/ │ ├─ public.crt └─ private.key ... ``` However, directory names like `example.com` are just for human readability/organization and don't have any meaning w.r.t whether a particular certificate is served or not. This decision is made based on the SNI sent by the client and the SAN of the certificate. *** The `Manager` will pick a certificate based on the client trying to establish a TLS connection. In particular, it looks at the client hello (i.e. SNI) to determine which host the client tries to access. If the manager can find a certificate that matches the SNI it returns this certificate to the client. However, the client may choose to not send an SNI or tries to access a server directly via IP (`https://<ip>:<port>`). In this case, we cannot use the SNI to determine which certificate to serve. However, we also should not pick "the first" certificate that would be accepted by the client (based on crypto. parameters - like a signature algorithm) because it may be an internal certificate that contains internal hostnames. We would disclose internal infrastructure details doing so. Therefore, the `Manager` returns the "default" certificate when the client does not specify an SNI. The default certificate the top-level `public.crt` - i.e. `certs/public.crt`. This approach has some consequences: - It's the operator's responsibility to ensure that the top-level `public.crt` does not disclose any information (i.e. hostnames) that are not publicly visible. However, this was the case in the past already. - Any other `public.crt` - except for the top-level one - must not contain any IP SAN. The reason for this restriction is that the Manager cannot match a SNI to an IP b/c the SNI is the server host name. The entire purpose of SNI is to indicate which host the client tries to connect to when multiple hosts run on the same IP. So, a client will not set the SNI to an IP. If we would allow IP SANs in a lower-level `public.crt` a user would expect that it is possible to connect to MinIO directly via IP address and that the MinIO server would pick "the right" certificate. However, the MinIO server cannot determine which certificate to serve, and therefore always picks the "default" one. This may lead to all sorts of confusing errors like: "It works if I use `https:instance.minio.local` but not when I use `https://10.0.2.1`. These consequences/limitations should be pointed out / explained in our docs in an appropriate way. However, the support for multiple certificates should not have any impact on how deployment with a single certificate function today. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
logger.LogIf(GlobalContext, err, logger.Minio)
}
}
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
secureConn = true
certs: refactor cert manager to support multiple certificates (#10207) This commit refactors the certificate management implementation in the `certs` package such that multiple certificates can be specified at the same time. Therefore, the following layout of the `certs/` directory is expected: ``` certs/ │ ├─ public.crt ├─ private.key ├─ CAs/ // CAs directory is ignored │ │ │ ... │ ├─ example.com/ │ │ │ ├─ public.crt │ └─ private.key └─ foobar.org/ │ ├─ public.crt └─ private.key ... ``` However, directory names like `example.com` are just for human readability/organization and don't have any meaning w.r.t whether a particular certificate is served or not. This decision is made based on the SNI sent by the client and the SAN of the certificate. *** The `Manager` will pick a certificate based on the client trying to establish a TLS connection. In particular, it looks at the client hello (i.e. SNI) to determine which host the client tries to access. If the manager can find a certificate that matches the SNI it returns this certificate to the client. However, the client may choose to not send an SNI or tries to access a server directly via IP (`https://<ip>:<port>`). In this case, we cannot use the SNI to determine which certificate to serve. However, we also should not pick "the first" certificate that would be accepted by the client (based on crypto. parameters - like a signature algorithm) because it may be an internal certificate that contains internal hostnames. We would disclose internal infrastructure details doing so. Therefore, the `Manager` returns the "default" certificate when the client does not specify an SNI. The default certificate the top-level `public.crt` - i.e. `certs/public.crt`. This approach has some consequences: - It's the operator's responsibility to ensure that the top-level `public.crt` does not disclose any information (i.e. hostnames) that are not publicly visible. However, this was the case in the past already. - Any other `public.crt` - except for the top-level one - must not contain any IP SAN. The reason for this restriction is that the Manager cannot match a SNI to an IP b/c the SNI is the server host name. The entire purpose of SNI is to indicate which host the client tries to connect to when multiple hosts run on the same IP. So, a client will not set the SNI to an IP. If we would allow IP SANs in a lower-level `public.crt` a user would expect that it is possible to connect to MinIO directly via IP address and that the MinIO server would pick "the right" certificate. However, the MinIO server cannot determine which certificate to serve, and therefore always picks the "default" one. This may lead to all sorts of confusing errors like: "It works if I use `https:instance.minio.local` but not when I use `https://10.0.2.1`. These consequences/limitations should be pointed out / explained in our docs in an appropriate way. However, the support for multiple certificates should not have any impact on how deployment with a single certificate function today. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
return x509Certs, manager, secureConn, nil
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
}
Fix listPathRaw/WalkDir cancelation (#11905) In #11888 we observe a lot of running, WalkDir calls. There doesn't appear to be any listerners for these calls, so they should be aborted. Ensure that WalkDir aborts when upstream cancels the request. Fixes #11888
2021-03-26 19:18:30 +01:00
// contextCanceled returns whether a context is canceled.
func contextCanceled(ctx context.Context) bool {
select {
case <-ctx.Done():
return true
default:
return false
}
}
Reference in a new issue Copy permalink