maxmustermann/minio
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
minio/cmd/common-main.go

442 lines
14 KiB
Go
Raw Normal View History

Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
/*
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
* MinIO Cloud Storage, (C) 2017-2019 MinIO, Inc.
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package cmd
import (
avoid double CORS headers in federation (#11334) CORS proxying adds double headers one by the receiving server, one by proxied server. Remove them before proxying when 'Origin' header is found.
2021-01-24 03:27:23 +01:00
"context"
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
"crypto/x509"
Fix an issue where MinIO was logging every error twice (#8953) The logging subsystem was initialized under init() method in both gateway-main.go and server-main.go which are part of same package. This created two logging targets and hence errors were logged twice. This PR moves the init() method to common-main.go
2020-02-07 09:18:07 +01:00
"encoding/gob"
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
"errors"
certs: refactor cert manager to support multiple certificates (#10207) This commit refactors the certificate management implementation in the `certs` package such that multiple certificates can be specified at the same time. Therefore, the following layout of the `certs/` directory is expected: ``` certs/ │ ├─ public.crt ├─ private.key ├─ CAs/ // CAs directory is ignored │ │ │ ... │ ├─ example.com/ │ │ │ ├─ public.crt │ └─ private.key └─ foobar.org/ │ ├─ public.crt └─ private.key ... ``` However, directory names like `example.com` are just for human readability/organization and don't have any meaning w.r.t whether a particular certificate is served or not. This decision is made based on the SNI sent by the client and the SAN of the certificate. *** The `Manager` will pick a certificate based on the client trying to establish a TLS connection. In particular, it looks at the client hello (i.e. SNI) to determine which host the client tries to access. If the manager can find a certificate that matches the SNI it returns this certificate to the client. However, the client may choose to not send an SNI or tries to access a server directly via IP (`https://<ip>:<port>`). In this case, we cannot use the SNI to determine which certificate to serve. However, we also should not pick "the first" certificate that would be accepted by the client (based on crypto. parameters - like a signature algorithm) because it may be an internal certificate that contains internal hostnames. We would disclose internal infrastructure details doing so. Therefore, the `Manager` returns the "default" certificate when the client does not specify an SNI. The default certificate the top-level `public.crt` - i.e. `certs/public.crt`. This approach has some consequences: - It's the operator's responsibility to ensure that the top-level `public.crt` does not disclose any information (i.e. hostnames) that are not publicly visible. However, this was the case in the past already. - Any other `public.crt` - except for the top-level one - must not contain any IP SAN. The reason for this restriction is that the Manager cannot match a SNI to an IP b/c the SNI is the server host name. The entire purpose of SNI is to indicate which host the client tries to connect to when multiple hosts run on the same IP. So, a client will not set the SNI to an IP. If we would allow IP SANs in a lower-level `public.crt` a user would expect that it is possible to connect to MinIO directly via IP address and that the MinIO server would pick "the right" certificate. However, the MinIO server cannot determine which certificate to serve, and therefore always picks the "default" one. This may lead to all sorts of confusing errors like: "It works if I use `https:instance.minio.local` but not when I use `https://10.0.2.1`. These consequences/limitations should be pointed out / explained in our docs in an appropriate way. However, the support for multiple certificates should not have any impact on how deployment with a single certificate function today. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
"fmt"
fix: s3 gateway DNS cache initialization (#10706) fixes #10705
2020-10-19 10:34:23 +02:00
"math/rand"
Bring etcd support for bucket DNS federation - Supports centralized `config.json` - Supports centralized `bucket` service records for client lookups - implement a new proxy forwarder
2018-02-03 03:18:52 +01:00
"net"
refactor server update behavior (#10107)
2020-07-23 17:03:31 +02:00
"net/url"
Add service account type in IAM (#9029)
2020-03-17 18:36:13 +01:00
"os"
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
"path/filepath"
refactor server update behavior (#10107)
2020-07-23 17:03:31 +02:00
"runtime"
fix: allow updated domain names in federation (#11365) additionally also disallow overlapping domain names
2021-01-28 20:44:48 +01:00
"sort"
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
"strings"
"time"
add _MINIO_SERVER_DEBUG env for enabling debug messages (#11128)
2020-12-18 01:52:47 +01:00
"github.com/fatih/color"
Deprecate domain, browser as config entries (#6498)
2018-09-20 23:56:32 +02:00
dns2 "github.com/miekg/dns"
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
"github.com/minio/cli"
Move dependency from minio-go v6 to v7 (#10042)
2020-07-14 18:38:05 +02:00
"github.com/minio/minio-go/v7/pkg/set"
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 19:35:33 +02:00
"github.com/minio/minio/cmd/config"
fix: s3 gateway DNS cache initialization (#10706) fixes #10705
2020-10-19 10:34:23 +02:00
xhttp "github.com/minio/minio/cmd/http"
Create logger package and rename errorIf to LogIf (#5678) Removing message from error logging Replace errors.Trace with LogIf
2018-04-06 00:04:40 +02:00
"github.com/minio/minio/cmd/logger"
Migrate all backend at .minio.sys/config to encrypted backend (#8474) - Supports migrating only when the credential ENVs are set, so any FS mode deployments which do not have ENVs set will continue to remain as is. - Credential ENVs can be rotated using MINIO_ACCESS_KEY_OLD and MINIO_SECRET_KEY_OLD envs, in such scenarios it allowed to rotate the encrypted content to a new admin key.
2019-11-01 23:53:16 +01:00
"github.com/minio/minio/pkg/auth"
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
"github.com/minio/minio/pkg/certs"
add _MINIO_SERVER_DEBUG env for enabling debug messages (#11128)
2020-12-18 01:52:47 +01:00
"github.com/minio/minio/pkg/console"
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 19:35:33 +02:00
"github.com/minio/minio/pkg/env"
initialize forwarder after init() to avoid crashes (#11330) DNSCache dialer is a global value initialized in init(), whereas `go` keeps `var =` before `init()` , also we don't need to keep proxy routers as global entities - register the forwarder as necessary to avoid crashes.
2021-01-23 00:37:41 +01:00
"github.com/minio/minio/pkg/handlers"
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
)
add _MINIO_SERVER_DEBUG env for enabling debug messages (#11128)
2020-12-18 01:52:47 +01:00
// serverDebugLog will enable debug printing
var serverDebugLog = env.Get("_MINIO_SERVER_DEBUG", config.EnableOff) == config.EnableOn
Fix an issue where MinIO was logging every error twice (#8953) The logging subsystem was initialized under init() method in both gateway-main.go and server-main.go which are part of same package. This created two logging targets and hence errors were logged twice. This PR moves the init() method to common-main.go
2020-02-07 09:18:07 +01:00
func init() {
fix: rename crawler as scanner in config (#11549)
2021-02-17 21:04:11 +01:00
rand.Seed(time.Now().UTC().UnixNano())
Fix an issue where MinIO was logging every error twice (#8953) The logging subsystem was initialized under init() method in both gateway-main.go and server-main.go which are part of same package. This created two logging targets and hence errors were logged twice. This PR moves the init() method to common-main.go
2020-02-07 09:18:07 +01:00
logger.Init(GOPATH, GOROOT)
logger.RegisterError(config.FmtError)
fix: rename crawler as scanner in config (#11549)
2021-02-17 21:04:11 +01:00
// Inject into config package.
config.Logger.Info = logger.Info
config.Logger.LogIf = logger.LogIf
initialize forwarder after init() to avoid crashes (#11330) DNSCache dialer is a global value initialized in init(), whereas `go` keeps `var =` before `init()` , also we don't need to keep proxy routers as global entities - register the forwarder as necessary to avoid crashes.
2021-01-23 00:37:41 +01:00
fix: use common logging implementation for DNSCache (#11284)
2021-01-15 23:04:56 +01:00
globalDNSCache = xhttp.NewDNSCache(10*time.Second, 10*time.Second, logger.LogOnceIf)
fix: s3 gateway DNS cache initialization (#10706) fixes #10705
2020-10-19 10:34:23 +02:00
fix: heal bucket metadata right before healing bucket (#11097) optimization mainly to avoid listing the entire `.minio.sys/buckets/.minio.sys` directory, this can get really huge and comes in the way of startup routines, contents inside `.minio.sys/buckets/.minio.sys` are rather transient and not necessary to be healed.
2020-12-13 20:57:08 +01:00
initGlobalContext()
initialize forwarder after init() to avoid crashes (#11330) DNSCache dialer is a global value initialized in init(), whereas `go` keeps `var =` before `init()` , also we don't need to keep proxy routers as global entities - register the forwarder as necessary to avoid crashes.
2021-01-23 00:37:41 +01:00
globalForwarder = handlers.NewForwarder(&handlers.Forwarder{
PassHost: true,
RoundTripper: newGatewayHTTPTransport(1 * time.Hour),
Logger: func(err error) {
avoid double CORS headers in federation (#11334) CORS proxying adds double headers one by the receiving server, one by proxied server. Remove them before proxying when 'Origin' header is found.
2021-01-24 03:27:23 +01:00
if err != nil && !errors.Is(err, context.Canceled) {
logger.LogIf(GlobalContext, err)
}
initialize forwarder after init() to avoid crashes (#11330) DNSCache dialer is a global value initialized in init(), whereas `go` keeps `var =` before `init()` , also we don't need to keep proxy routers as global entities - register the forwarder as necessary to avoid crashes.
2021-01-23 00:37:41 +01:00
},
})
fix: heal bucket metadata right before healing bucket (#11097) optimization mainly to avoid listing the entire `.minio.sys/buckets/.minio.sys` directory, this can get really huge and comes in the way of startup routines, contents inside `.minio.sys/buckets/.minio.sys` are rather transient and not necessary to be healed.
2020-12-13 20:57:08 +01:00
globalReplicationState = newReplicationState()
globalTransitionState = newTransitionState()
add _MINIO_SERVER_DEBUG env for enabling debug messages (#11128)
2020-12-18 01:52:47 +01:00
console.SetColor("Debug", color.New())
Fix an issue where MinIO was logging every error twice (#8953) The logging subsystem was initialized under init() method in both gateway-main.go and server-main.go which are part of same package. This created two logging targets and hence errors were logged twice. This PR moves the init() method to common-main.go
2020-02-07 09:18:07 +01:00
gob.Register(StorageErr(""))
}
Add common validation for compression and encryption (#7978)
2019-07-26 11:41:16 +02:00
func verifyObjectLayerFeatures(name string, objAPI ObjectLayer) {
update KES docs to talk about 'mc encrypt' command (#10400) add a deprecation notice for KMS_AUTO_ENCRYPTION
2020-09-03 21:43:45 +02:00
if (GlobalKMS != nil) && !objAPI.IsEncryptionSupported() {
Add common validation for compression and encryption (#7978)
2019-07-26 11:41:16 +02:00
logger.Fatal(errInvalidArgument,
"Encryption support is requested but '%s' does not support encryption", name)
}
if strings.HasPrefix(name, "gateway") {
if GlobalGatewaySSE.IsSet() && GlobalKMS == nil {
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 19:35:33 +02:00
uiErr := config.ErrInvalidGWSSEEnvValue(nil).Msg("MINIO_GATEWAY_SSE set but KMS is not configured")
Add common validation for compression and encryption (#7978)
2019-07-26 11:41:16 +02:00
logger.Fatal(uiErr, "Unable to start gateway with SSE")
}
}
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
globalCompressConfigMu.Lock()
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
if globalCompressConfig.Enabled && !objAPI.IsCompressionSupported() {
Add common validation for compression and encryption (#7978)
2019-07-26 11:41:16 +02:00
logger.Fatal(errInvalidArgument,
"Compression support is requested but '%s' does not support compression", name)
}
Add crawler delay config + dynamic config values (#11018)
2020-12-04 18:32:35 +01:00
globalCompressConfigMu.Unlock()
Add common validation for compression and encryption (#7978)
2019-07-26 11:41:16 +02:00
}
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
// Check for updates and print a notification message
func checkUpdate(mode string) {
refactor server update behavior (#10107)
2020-07-23 17:03:31 +02:00
updateURL := minioReleaseInfoURL
if runtime.GOOS == globalWindowsOSName {
updateURL = minioReleaseWindowsInfoURL
}
u, err := url.Parse(updateURL)
if err != nil {
return
}
Support in-place upgrades of new minio binary and releases. (#4961) This PR allows 'minio update' to not only shows update banner but also allows for in-place upgrades. Updates are done safely by validating the downloaded sha256 of the binary. Fixes #4781
2017-12-15 21:33:42 +01:00
// Its OK to ignore any errors during doUpdate() here.
refactor server update behavior (#10107)
2020-07-23 17:03:31 +02:00
crTime, err := GetCurrentReleaseTime()
if err != nil {
return
}
_, lrTime, err := getLatestReleaseTime(u, 2*time.Second, mode)
if err != nil {
return
}
var older time.Duration
var downloadURL string
if lrTime.After(crTime) {
older = lrTime.Sub(crTime)
downloadURL = getDownloadURL(releaseTimeToReleaseTag(lrTime))
}
updateMsg := prepareUpdateMessage(downloadURL, older)
if updateMsg == "" {
return
}
turn-off checking for updates completely if MINIO_UPDATE=off (#10752)
2020-10-25 06:39:44 +01:00
logStartupMessage(prepareUpdateMessage("Run `mc admin update`", lrTime.Sub(crTime)))
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
}
Inherit certsDir from configDir if latter is set (#7098) This is to ensure backward compatibility for all existing deployments which use custom config dir to point to their certs directory.
2019-01-16 21:04:32 +01:00
func newConfigDirFromCtx(ctx *cli.Context, option string, getDefaultDir func() string) (*ConfigDir, bool) {
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
var dir string
Inherit certsDir from configDir if latter is set (#7098) This is to ensure backward compatibility for all existing deployments which use custom config dir to point to their certs directory.
2019-01-16 21:04:32 +01:00
var dirSet bool
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
switch {
case ctx.IsSet(option):
dir = ctx.String(option)
Inherit certsDir from configDir if latter is set (#7098) This is to ensure backward compatibility for all existing deployments which use custom config dir to point to their certs directory.
2019-01-16 21:04:32 +01:00
dirSet = true
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
case ctx.GlobalIsSet(option):
dir = ctx.GlobalString(option)
Inherit certsDir from configDir if latter is set (#7098) This is to ensure backward compatibility for all existing deployments which use custom config dir to point to their certs directory.
2019-01-16 21:04:32 +01:00
dirSet = true
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
// cli package does not expose parent's option option. Below code is workaround.
if dir == "" || dir == getDefaultDir() {
Inherit certsDir from configDir if latter is set (#7098) This is to ensure backward compatibility for all existing deployments which use custom config dir to point to their certs directory.
2019-01-16 21:04:32 +01:00
dirSet = false // Unset to false since GlobalIsSet() true is a false positive.
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
if ctx.Parent().GlobalIsSet(option) {
dir = ctx.Parent().GlobalString(option)
Inherit certsDir from configDir if latter is set (#7098) This is to ensure backward compatibility for all existing deployments which use custom config dir to point to their certs directory.
2019-01-16 21:04:32 +01:00
dirSet = true
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
}
}
default:
// Neither local nor global option is provided. In this case, try to use
// default directory.
dir = getDefaultDir()
if dir == "" {
logger.FatalIf(errInvalidArgument, "%s option must be provided", option)
}
}
if dir == "" {
logger.FatalIf(errors.New("empty directory"), "%s directory cannot be empty", option)
}
// Disallow relative paths, figure out absolute paths.
dirAbs, err := filepath.Abs(dir)
logger.FatalIf(err, "Unable to fetch absolute path for %s=%s", option, dir)
logger.FatalIf(mkdirAllIgnorePerm(dirAbs), "Unable to create directory specified %s=%s", option, dir)
Inherit certsDir from configDir if latter is set (#7098) This is to ensure backward compatibility for all existing deployments which use custom config dir to point to their certs directory.
2019-01-16 21:04:32 +01:00
return &ConfigDir{path: dirAbs}, dirSet
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
}
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
func handleCommonCmdArgs(ctx *cli.Context) {
Honor global flags irrespective of the position. (#5486) Flags like `json, config-dir, quiet` are now honored even if they are between minio and gateway in the cli, like, `minio --json gateway s3`. Fixes #5403
2018-03-01 05:13:33 +01:00
Add anonymous flag to prevent logging sensitive information (#6899)
2018-12-19 01:08:11 +01:00
// Get "json" flag from command line argument and
Comment Typo: Changed 'jason' to 'json` (#7216)
2019-02-10 14:49:00 +01:00
// enable json and quite modes if json flag is turned on.
Add anonymous flag to prevent logging sensitive information (#6899)
2018-12-19 01:08:11 +01:00
globalCLIContext.JSON = ctx.IsSet("json") || ctx.GlobalIsSet("json")
if globalCLIContext.JSON {
logger.EnableJSON()
}
// Get quiet flag from command line argument.
globalCLIContext.Quiet = ctx.IsSet("quiet") || ctx.GlobalIsSet("quiet")
if globalCLIContext.Quiet {
logger.EnableQuiet()
}
// Get anonymous flag from command line argument.
globalCLIContext.Anonymous = ctx.IsSet("anonymous") || ctx.GlobalIsSet("anonymous")
if globalCLIContext.Anonymous {
logger.EnableAnonymous()
}
// Fetch address option
globalCLIContext.Addr = ctx.GlobalString("address")
Check for address flags in all positions (#9615) Fixes #9599
2020-05-17 17:46:23 +02:00
if globalCLIContext.Addr == "" || globalCLIContext.Addr == ":"+GlobalMinioDefaultPort {
Add anonymous flag to prevent logging sensitive information (#6899)
2018-12-19 01:08:11 +01:00
globalCLIContext.Addr = ctx.String("address")
}
enable --compat flag by default (#9326) if needed use --no-compat to disable md5sum while verifying any performance numbers. bring back --compat behavior as default to avoid additional documentation and confusing behavior, as we are working towards improving md5sum to be faster on AVX instructions, enabling this should be hardly a problem in future versions of MinIO. fixes #8012 fixes #7859 fixes #7642
2020-04-13 03:08:27 +02:00
// Check "no-compat" flag from command line argument.
globalCLIContext.StrictS3Compat = true
if ctx.IsSet("no-compat") || ctx.GlobalIsSet("no-compat") {
globalCLIContext.StrictS3Compat = false
}
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
// Set all config, certs and CAs directories.
Inherit certsDir from configDir if latter is set (#7098) This is to ensure backward compatibility for all existing deployments which use custom config dir to point to their certs directory.
2019-01-16 21:04:32 +01:00
var configSet, certsSet bool
globalConfigDir, configSet = newConfigDirFromCtx(ctx, "config-dir", defaultConfigDir.Get)
globalCertsDir, certsSet = newConfigDirFromCtx(ctx, "certs-dir", defaultCertsDir.Get)
// Remove this code when we deprecate and remove config-dir.
// This code is to make sure we inherit from the config-dir
// option if certs-dir is not provided.
if !certsSet && configSet {
globalCertsDir = &ConfigDir{path: filepath.Join(globalConfigDir.Get(), certsDir)}
}
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
globalCertsCADir = &ConfigDir{path: filepath.Join(globalCertsDir.Get(), certsCADir)}
Honor global flags irrespective of the position. (#5486) Flags like `json, config-dir, quiet` are now honored even if they are between minio and gateway in the cli, like, `minio --json gateway s3`. Fixes #5403
2018-03-01 05:13:33 +01:00
Deprecate config-dir bring in certs-dir for TLS configuration (#7033) This PR is to provide indication that config-dir will be removed in future and all users should migrate to new --certs-dir option Fixes #7016 Fixes #7032
2019-01-02 19:05:16 +01:00
logger.FatalIf(mkdirAllIgnorePerm(globalCertsCADir.Get()), "Unable to create certs CA directory at %s", globalCertsCADir.Get())
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
}
func handleCommonEnvVars() {
deprecate/remove global WORM mode (#9436) global WORM mode is a complex piece for which the time has passed, with the advent of S3 compatible object locking and retention implementation global WORM is sort of deprecated, this has been mentioned in our documentation for some time, now the time has come for this to go.
2020-04-25 01:37:05 +02:00
wormEnabled, err := config.LookupWorm()
if err != nil {
logger.Fatal(config.ErrInvalidWormValue(err), "Invalid worm configuration")
}
if wormEnabled {
logger.Fatal(errors.New("WORM is deprecated"), "global MINIO_WORM support is removed, please downgrade your server or migrate to https://github.com/minio/minio/tree/master/docs/retention")
}
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
globalBrowserEnabled, err = config.ParseBool(env.Get(config.EnvBrowser, config.EnableOn))
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing.
2019-10-23 07:59:13 +02:00
if err != nil {
logger.Fatal(config.ErrInvalidBrowserValue(err), "Invalid MINIO_BROWSER value in environment variable")
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
}
log: Store http request/responses in a log file (#4804) When MINIO_TRACE_DIR is provided, create a new log file and store all HTTP requests + responses data, body are excluded to reduce memory consumption. MINIO_HTTP_TRACE=1 enables logging. Use non mem consuming http req/resp recorders, the maximum is about 32k per request. This logs to STDOUT, body logging is disabled for PutObject PutObjectPart GetObject.
2017-10-25 04:04:51 +02:00
add option for O_SYNC writes for standalone FS backend (#9581)
2020-05-13 04:24:59 +02:00
globalFSOSync, err = config.ParseBool(env.Get(config.EnvFSOSync, config.EnableOff))
if err != nil {
logger.Fatal(config.ErrInvalidFSOSyncValue(err), "Invalid MINIO_FS_OSYNC value in environment variable")
}
Extend further validation of config values (#8469) - This PR allows config KVS to be validated properly without being affected by ENV overrides, rejects invalid values during set operation - Expands unit tests and refactors the error handling for notification targets, returns error instead of ignoring targets for invalid KVS - Does all the prep-work for implementing safe-mode style operation for MinIO server, introduces a new global variable to toggle safe mode based operations NOTE: this PR itself doesn't provide safe mode operations
2019-10-31 07:39:09 +01:00
domains := env.Get(config.EnvDomain, "")
if len(domains) != 0 {
for _, domainName := range strings.Split(domains, config.ValueSeparator) {
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
if _, ok := dns2.IsDomainName(domainName); !ok {
Refactor config and split them in packages (#8351) This change is related to larger config migration PR change, this is a first stage change to move our configs to `cmd/config/` - divided into its subsystems
2019-10-04 19:35:33 +02:00
logger.Fatal(config.ErrInvalidDomainValue(nil).Msg("Unknown value `%s`", domainName),
Support multiple-domains in MINIO_DOMAIN (#7274) Fixes #7173
2019-02-23 04:18:01 +01:00
"Invalid MINIO_DOMAIN value in environment variable")
}
globalDomainNames = append(globalDomainNames, domainName)
Deprecate domain, browser as config entries (#6498)
2018-09-20 23:56:32 +02:00
}
fix: allow updated domain names in federation (#11365) additionally also disallow overlapping domain names
2021-01-28 20:44:48 +01:00
sort.Strings(globalDomainNames)
lcpSuf := lcpSuffix(globalDomainNames)
for _, domainName := range globalDomainNames {
fix: verify overlapping domains when > 1
2021-01-28 22:08:48 +01:00
if domainName == lcpSuf && len(globalDomainNames) > 1 {
fix: allow updated domain names in federation (#11365) additionally also disallow overlapping domain names
2021-01-28 20:44:48 +01:00
logger.Fatal(config.ErrOverlappingDomainValue(nil).Msg("Overlapping domains `%s` not allowed", globalDomainNames),
"Invalid MINIO_DOMAIN value in environment variable")
}
}
Deprecate domain, browser as config entries (#6498)
2018-09-20 23:56:32 +02:00
}
Use random host from among multiple hosts to create requests Also use hosts passed to Minio startup command to populate IP addresses if MINIO_PUBLIC_IPS is not set.
2018-05-16 03:20:22 +02:00
Extend further validation of config values (#8469) - This PR allows config KVS to be validated properly without being affected by ENV overrides, rejects invalid values during set operation - Expands unit tests and refactors the error handling for notification targets, returns error instead of ignoring targets for invalid KVS - Does all the prep-work for implementing safe-mode style operation for MinIO server, introduces a new global variable to toggle safe mode based operations NOTE: this PR itself doesn't provide safe mode operations
2019-10-31 07:39:09 +01:00
publicIPs := env.Get(config.EnvPublicIPs, "")
if len(publicIPs) != 0 {
minioEndpoints := strings.Split(publicIPs, config.ValueSeparator)
Add support for hostname lookups instead of IPs in MINIO_PUBLIC_IPS (#7018) DNS names will be resolved to their respective IPs if specified in MINIO_PUBLIC_IPS. Fixes #6862
2018-12-23 12:08:21 +01:00
var domainIPs = set.NewStringSet()
for _, endpoint := range minioEndpoints {
if net.ParseIP(endpoint) == nil {
// Checking if the IP is a DNS entry.
addrs, err := net.LookupHost(endpoint)
if err != nil {
Replace Minio refs in docs with MinIO and links (#7494)
2019-04-09 20:39:42 +02:00
logger.FatalIf(err, "Unable to initialize MinIO server with [%s] invalid entry found in MINIO_PUBLIC_IPS", endpoint)
Add support for hostname lookups instead of IPs in MINIO_PUBLIC_IPS (#7018) DNS names will be resolved to their respective IPs if specified in MINIO_PUBLIC_IPS. Fixes #6862
2018-12-23 12:08:21 +01:00
}
for _, addr := range addrs {
domainIPs.Add(addr)
}
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 21:02:30 +02:00
}
Add support for hostname lookups instead of IPs in MINIO_PUBLIC_IPS (#7018) DNS names will be resolved to their respective IPs if specified in MINIO_PUBLIC_IPS. Fixes #6862
2018-12-23 12:08:21 +01:00
domainIPs.Add(endpoint)
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 21:02:30 +02:00
}
Add support for hostname lookups instead of IPs in MINIO_PUBLIC_IPS (#7018) DNS names will be resolved to their respective IPs if specified in MINIO_PUBLIC_IPS. Fixes #6862
2018-12-23 12:08:21 +01:00
updateDomainIPs(domainIPs)
Fallback to non-loopback IF addresses for Domain IPs (#6918) When MINIO_PUBLIC_IPS is not specified and no endpoints are passed as arguments, fallback to the address of non loop-back interfaces. This is useful so users can avoid setting MINIO_PUBLIC_IPS in docker or orchestration scripts, ince users naturally setup an internal network that connects all instances.
2018-12-05 02:35:22 +01:00
} else {
// Add found interfaces IP address to global domain IPS,
// loopback addresses will be naturally dropped.
add dnsStore interface for upcoming operator webhook (#10077)
2020-07-20 21:28:48 +02:00
domainIPs := mustGetLocalIP4()
for _, host := range globalEndpoints.Hostnames() {
domainIPs.Add(host)
}
updateDomainIPs(domainIPs)
Add support for CopyObject across regions and multiple Minio IPs This PR adds CopyObject support for objects residing in buckets in different Minio instances (where Minio instances are part of a federated setup). Also, added support for multiple Minio domain IPs. This is required for distributed deployments, where one deployment may have multiple nodes, each with a different public IP.
2018-05-11 21:02:30 +02:00
}
Fallback to non-loopback IF addresses for Domain IPs (#6918) When MINIO_PUBLIC_IPS is not specified and no endpoints are passed as arguments, fallback to the address of non loop-back interfaces. This is useful so users can avoid setting MINIO_PUBLIC_IPS in docker or orchestration scripts, ince users naturally setup an internal network that connects all instances.
2018-12-05 02:35:22 +01:00
Support in-place upgrades of new minio binary and releases. (#4961) This PR allows 'minio update' to not only shows update banner but also allows for in-place upgrades. Updates are done safely by validating the downloaded sha256 of the binary. Fixes #4781
2017-12-15 21:33:42 +01:00
// In place update is true by default if the MINIO_UPDATE is not set
// or is not set to 'off', if MINIO_UPDATE is set to 'off' then
// in-place update is off.
Final changes to config sub-system (#8600) - Introduces changes such as certain types of errors that can be ignored or which need to go into safe mode. - Update help text as per the review
2019-12-05 00:32:37 +01:00
globalInplaceUpdateDisabled = strings.EqualFold(env.Get(config.EnvUpdate, config.EnableOn), config.EnableOff)
Migrate all backend at .minio.sys/config to encrypted backend (#8474) - Supports migrating only when the credential ENVs are set, so any FS mode deployments which do not have ENVs set will continue to remain as is. - Credential ENVs can be rotated using MINIO_ACCESS_KEY_OLD and MINIO_SECRET_KEY_OLD envs, in such scenarios it allowed to rotate the encrypted content to a new admin key.
2019-11-01 23:53:16 +01:00
Fix review comments and new changes in config (#8515) - Migrate and save only settings which are enabled - Rename logger_http to logger_webhook and logger_http_audit to audit_webhook - No more pretty printing comments, comment is a key=value pair now. - Avoid quotes on values which do not have space in them - `state="on"` is implicit for all SetConfigKV unless specified explicitly as `state="off"` - Disabled IAM users should be disabled always
2019-11-14 02:38:05 +01:00
if env.IsSet(config.EnvAccessKey) || env.IsSet(config.EnvSecretKey) {
cred, err := auth.CreateCredentials(env.Get(config.EnvAccessKey, ""), env.Get(config.EnvSecretKey, ""))
Migrate all backend at .minio.sys/config to encrypted backend (#8474) - Supports migrating only when the credential ENVs are set, so any FS mode deployments which do not have ENVs set will continue to remain as is. - Credential ENVs can be rotated using MINIO_ACCESS_KEY_OLD and MINIO_SECRET_KEY_OLD envs, in such scenarios it allowed to rotate the encrypted content to a new admin key.
2019-11-01 23:53:16 +01:00
if err != nil {
logger.Fatal(config.ErrInvalidCredentials(err),
"Unable to validate credentials inherited from the shell environment")
}
globalActiveCred = cred
globalConfigEncrypted = true
}
Remove safe mode for invalid entries in config (#8650) The approach is that now safe mode is only invoked when we cannot read the config or under some catastrophic situations, but not under situations when config entries are invalid or unreachable. This allows for maximum availability for MinIO and not fail on our users unlike most of our historical releases.
2019-12-15 02:27:57 +01:00
feat: migrate to ROOT_USER/PASSWORD from ACCESS/SECRET_KEY (#11185)
2021-01-05 19:22:57 +01:00
if env.IsSet(config.EnvRootUser) || env.IsSet(config.EnvRootPassword) {
cred, err := auth.CreateCredentials(env.Get(config.EnvRootUser, ""), env.Get(config.EnvRootPassword, ""))
if err != nil {
logger.Fatal(config.ErrInvalidCredentials(err),
"Unable to validate credentials inherited from the shell environment")
}
globalActiveCred = cred
globalConfigEncrypted = true
}
Add service account type in IAM (#9029)
2020-03-17 18:36:13 +01:00
if env.IsSet(config.EnvAccessKeyOld) && env.IsSet(config.EnvSecretKeyOld) {
oldCred, err := auth.CreateCredentials(env.Get(config.EnvAccessKeyOld, ""), env.Get(config.EnvSecretKeyOld, ""))
if err != nil {
logger.Fatal(config.ErrInvalidCredentials(err),
"Unable to validate the old credentials inherited from the shell environment")
}
globalOldCred = oldCred
os.Unsetenv(config.EnvAccessKeyOld)
os.Unsetenv(config.EnvSecretKeyOld)
}
feat: migrate to ROOT_USER/PASSWORD from ACCESS/SECRET_KEY (#11185)
2021-01-05 19:22:57 +01:00
if env.IsSet(config.EnvRootUserOld) && env.IsSet(config.EnvRootPasswordOld) {
oldCred, err := auth.CreateCredentials(env.Get(config.EnvRootUserOld, ""), env.Get(config.EnvRootPasswordOld, ""))
if err != nil {
logger.Fatal(config.ErrInvalidCredentials(err),
"Unable to validate the old credentials inherited from the shell environment")
}
globalOldCred = oldCred
os.Unsetenv(config.EnvRootUserOld)
os.Unsetenv(config.EnvRootPasswordOld)
}
Add support for reading and saving config on Gateway. (#4463) This is also a first step towards supporting bucket notification for gateway.
2017-06-10 04:50:51 +02:00
}
log server startup messages to admin console api (#8264)
2019-09-22 10:24:32 +02:00
Remove unusued params and functions (#8399)
2019-10-16 03:35:41 +02:00
func logStartupMessage(msg string) {
Fix all failing tests with -race
2019-09-22 19:45:33 +02:00
if globalConsoleSys != nil {
Allow logging targets to be configured to receive `minio` (#8347) specific errors, `application` errors or `all` by default. console logging on server by default lists all logs - enhance admin console API to accept `type` as query parameter to subscribe to application/minio logs.
2019-10-12 03:50:54 +02:00
globalConsoleSys.Send(msg, string(logger.All))
Fix all failing tests with -race
2019-09-22 19:45:33 +02:00
}
Remove unusued params and functions (#8399)
2019-10-16 03:35:41 +02:00
logger.StartupMessage(msg)
log server startup messages to admin console api (#8264)
2019-09-22 10:24:32 +02:00
}
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
certs: refactor cert manager to support multiple certificates (#10207) This commit refactors the certificate management implementation in the `certs` package such that multiple certificates can be specified at the same time. Therefore, the following layout of the `certs/` directory is expected: ``` certs/ │ ├─ public.crt ├─ private.key ├─ CAs/ // CAs directory is ignored │ │ │ ... │ ├─ example.com/ │ │ │ ├─ public.crt │ └─ private.key └─ foobar.org/ │ ├─ public.crt └─ private.key ... ``` However, directory names like `example.com` are just for human readability/organization and don't have any meaning w.r.t whether a particular certificate is served or not. This decision is made based on the SNI sent by the client and the SAN of the certificate. *** The `Manager` will pick a certificate based on the client trying to establish a TLS connection. In particular, it looks at the client hello (i.e. SNI) to determine which host the client tries to access. If the manager can find a certificate that matches the SNI it returns this certificate to the client. However, the client may choose to not send an SNI or tries to access a server directly via IP (`https://<ip>:<port>`). In this case, we cannot use the SNI to determine which certificate to serve. However, we also should not pick "the first" certificate that would be accepted by the client (based on crypto. parameters - like a signature algorithm) because it may be an internal certificate that contains internal hostnames. We would disclose internal infrastructure details doing so. Therefore, the `Manager` returns the "default" certificate when the client does not specify an SNI. The default certificate the top-level `public.crt` - i.e. `certs/public.crt`. This approach has some consequences: - It's the operator's responsibility to ensure that the top-level `public.crt` does not disclose any information (i.e. hostnames) that are not publicly visible. However, this was the case in the past already. - Any other `public.crt` - except for the top-level one - must not contain any IP SAN. The reason for this restriction is that the Manager cannot match a SNI to an IP b/c the SNI is the server host name. The entire purpose of SNI is to indicate which host the client tries to connect to when multiple hosts run on the same IP. So, a client will not set the SNI to an IP. If we would allow IP SANs in a lower-level `public.crt` a user would expect that it is possible to connect to MinIO directly via IP address and that the MinIO server would pick "the right" certificate. However, the MinIO server cannot determine which certificate to serve, and therefore always picks the "default" one. This may lead to all sorts of confusing errors like: "It works if I use `https:instance.minio.local` but not when I use `https://10.0.2.1`. These consequences/limitations should be pointed out / explained in our docs in an appropriate way. However, the support for multiple certificates should not have any impact on how deployment with a single certificate function today. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
func getTLSConfig() (x509Certs []*x509.Certificate, manager *certs.Manager, secureConn bool, err error) {
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
if !(isFile(getPublicCertFile()) && isFile(getPrivateKeyFile())) {
return nil, nil, false, nil
}
if x509Certs, err = config.ParsePublicCertFile(getPublicCertFile()); err != nil {
return nil, nil, false, err
}
certs: refactor cert manager to support multiple certificates (#10207) This commit refactors the certificate management implementation in the `certs` package such that multiple certificates can be specified at the same time. Therefore, the following layout of the `certs/` directory is expected: ``` certs/ │ ├─ public.crt ├─ private.key ├─ CAs/ // CAs directory is ignored │ │ │ ... │ ├─ example.com/ │ │ │ ├─ public.crt │ └─ private.key └─ foobar.org/ │ ├─ public.crt └─ private.key ... ``` However, directory names like `example.com` are just for human readability/organization and don't have any meaning w.r.t whether a particular certificate is served or not. This decision is made based on the SNI sent by the client and the SAN of the certificate. *** The `Manager` will pick a certificate based on the client trying to establish a TLS connection. In particular, it looks at the client hello (i.e. SNI) to determine which host the client tries to access. If the manager can find a certificate that matches the SNI it returns this certificate to the client. However, the client may choose to not send an SNI or tries to access a server directly via IP (`https://<ip>:<port>`). In this case, we cannot use the SNI to determine which certificate to serve. However, we also should not pick "the first" certificate that would be accepted by the client (based on crypto. parameters - like a signature algorithm) because it may be an internal certificate that contains internal hostnames. We would disclose internal infrastructure details doing so. Therefore, the `Manager` returns the "default" certificate when the client does not specify an SNI. The default certificate the top-level `public.crt` - i.e. `certs/public.crt`. This approach has some consequences: - It's the operator's responsibility to ensure that the top-level `public.crt` does not disclose any information (i.e. hostnames) that are not publicly visible. However, this was the case in the past already. - Any other `public.crt` - except for the top-level one - must not contain any IP SAN. The reason for this restriction is that the Manager cannot match a SNI to an IP b/c the SNI is the server host name. The entire purpose of SNI is to indicate which host the client tries to connect to when multiple hosts run on the same IP. So, a client will not set the SNI to an IP. If we would allow IP SANs in a lower-level `public.crt` a user would expect that it is possible to connect to MinIO directly via IP address and that the MinIO server would pick "the right" certificate. However, the MinIO server cannot determine which certificate to serve, and therefore always picks the "default" one. This may lead to all sorts of confusing errors like: "It works if I use `https:instance.minio.local` but not when I use `https://10.0.2.1`. These consequences/limitations should be pointed out / explained in our docs in an appropriate way. However, the support for multiple certificates should not have any impact on how deployment with a single certificate function today. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
manager, err = certs.NewManager(GlobalContext, getPublicCertFile(), getPrivateKeyFile(), config.LoadX509KeyPair)
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
if err != nil {
return nil, nil, false, err
}
certs: refactor cert manager to support multiple certificates (#10207) This commit refactors the certificate management implementation in the `certs` package such that multiple certificates can be specified at the same time. Therefore, the following layout of the `certs/` directory is expected: ``` certs/ │ ├─ public.crt ├─ private.key ├─ CAs/ // CAs directory is ignored │ │ │ ... │ ├─ example.com/ │ │ │ ├─ public.crt │ └─ private.key └─ foobar.org/ │ ├─ public.crt └─ private.key ... ``` However, directory names like `example.com` are just for human readability/organization and don't have any meaning w.r.t whether a particular certificate is served or not. This decision is made based on the SNI sent by the client and the SAN of the certificate. *** The `Manager` will pick a certificate based on the client trying to establish a TLS connection. In particular, it looks at the client hello (i.e. SNI) to determine which host the client tries to access. If the manager can find a certificate that matches the SNI it returns this certificate to the client. However, the client may choose to not send an SNI or tries to access a server directly via IP (`https://<ip>:<port>`). In this case, we cannot use the SNI to determine which certificate to serve. However, we also should not pick "the first" certificate that would be accepted by the client (based on crypto. parameters - like a signature algorithm) because it may be an internal certificate that contains internal hostnames. We would disclose internal infrastructure details doing so. Therefore, the `Manager` returns the "default" certificate when the client does not specify an SNI. The default certificate the top-level `public.crt` - i.e. `certs/public.crt`. This approach has some consequences: - It's the operator's responsibility to ensure that the top-level `public.crt` does not disclose any information (i.e. hostnames) that are not publicly visible. However, this was the case in the past already. - Any other `public.crt` - except for the top-level one - must not contain any IP SAN. The reason for this restriction is that the Manager cannot match a SNI to an IP b/c the SNI is the server host name. The entire purpose of SNI is to indicate which host the client tries to connect to when multiple hosts run on the same IP. So, a client will not set the SNI to an IP. If we would allow IP SANs in a lower-level `public.crt` a user would expect that it is possible to connect to MinIO directly via IP address and that the MinIO server would pick "the right" certificate. However, the MinIO server cannot determine which certificate to serve, and therefore always picks the "default" one. This may lead to all sorts of confusing errors like: "It works if I use `https:instance.minio.local` but not when I use `https://10.0.2.1`. These consequences/limitations should be pointed out / explained in our docs in an appropriate way. However, the support for multiple certificates should not have any impact on how deployment with a single certificate function today. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
// MinIO has support for multiple certificates. It expects the following structure:
// certs/
// │
// ├─ public.crt
// ├─ private.key
// │
// ├─ example.com/
// │ │
// │ ├─ public.crt
// │ └─ private.key
// └─ foobar.org/
// │
// ├─ public.crt
// └─ private.key
// ...
//
// Therefore, we read all filenames in the cert directory and check
// for each directory whether it contains a public.crt and private.key.
// If so, we try to add it to certificate manager.
root, err := os.Open(globalCertsDir.Get())
if err != nil {
return nil, nil, false, err
}
defer root.Close()
files, err := root.Readdir(-1)
if err != nil {
return nil, nil, false, err
}
for _, file := range files {
fix: reading multiple TLS certificates when deployed in K8S (#10601) Ignore all regular files, CAs directory and any directory that starts with `..` inside the `.minio/certs` folder
2020-09-30 17:21:30 +02:00
// Ignore all
// - regular files
// - "CAs" directory
// - any directory which starts with ".."
if file.Mode().IsRegular() || file.Name() == "CAs" || strings.HasPrefix(file.Name(), "..") {
certs: refactor cert manager to support multiple certificates (#10207) This commit refactors the certificate management implementation in the `certs` package such that multiple certificates can be specified at the same time. Therefore, the following layout of the `certs/` directory is expected: ``` certs/ │ ├─ public.crt ├─ private.key ├─ CAs/ // CAs directory is ignored │ │ │ ... │ ├─ example.com/ │ │ │ ├─ public.crt │ └─ private.key └─ foobar.org/ │ ├─ public.crt └─ private.key ... ``` However, directory names like `example.com` are just for human readability/organization and don't have any meaning w.r.t whether a particular certificate is served or not. This decision is made based on the SNI sent by the client and the SAN of the certificate. *** The `Manager` will pick a certificate based on the client trying to establish a TLS connection. In particular, it looks at the client hello (i.e. SNI) to determine which host the client tries to access. If the manager can find a certificate that matches the SNI it returns this certificate to the client. However, the client may choose to not send an SNI or tries to access a server directly via IP (`https://<ip>:<port>`). In this case, we cannot use the SNI to determine which certificate to serve. However, we also should not pick "the first" certificate that would be accepted by the client (based on crypto. parameters - like a signature algorithm) because it may be an internal certificate that contains internal hostnames. We would disclose internal infrastructure details doing so. Therefore, the `Manager` returns the "default" certificate when the client does not specify an SNI. The default certificate the top-level `public.crt` - i.e. `certs/public.crt`. This approach has some consequences: - It's the operator's responsibility to ensure that the top-level `public.crt` does not disclose any information (i.e. hostnames) that are not publicly visible. However, this was the case in the past already. - Any other `public.crt` - except for the top-level one - must not contain any IP SAN. The reason for this restriction is that the Manager cannot match a SNI to an IP b/c the SNI is the server host name. The entire purpose of SNI is to indicate which host the client tries to connect to when multiple hosts run on the same IP. So, a client will not set the SNI to an IP. If we would allow IP SANs in a lower-level `public.crt` a user would expect that it is possible to connect to MinIO directly via IP address and that the MinIO server would pick "the right" certificate. However, the MinIO server cannot determine which certificate to serve, and therefore always picks the "default" one. This may lead to all sorts of confusing errors like: "It works if I use `https:instance.minio.local` but not when I use `https://10.0.2.1`. These consequences/limitations should be pointed out / explained in our docs in an appropriate way. However, the support for multiple certificates should not have any impact on how deployment with a single certificate function today. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
continue
}
fix: reading multiple TLS certificates when deployed in K8S (#10601) Ignore all regular files, CAs directory and any directory that starts with `..` inside the `.minio/certs` folder
2020-09-30 17:21:30 +02:00
if file.Mode()&os.ModeSymlink == os.ModeSymlink {
file, err = os.Stat(filepath.Join(root.Name(), file.Name()))
if err != nil {
// not accessible ignore
continue
}
if !file.IsDir() {
continue
}
}
certs: refactor cert manager to support multiple certificates (#10207) This commit refactors the certificate management implementation in the `certs` package such that multiple certificates can be specified at the same time. Therefore, the following layout of the `certs/` directory is expected: ``` certs/ │ ├─ public.crt ├─ private.key ├─ CAs/ // CAs directory is ignored │ │ │ ... │ ├─ example.com/ │ │ │ ├─ public.crt │ └─ private.key └─ foobar.org/ │ ├─ public.crt └─ private.key ... ``` However, directory names like `example.com` are just for human readability/organization and don't have any meaning w.r.t whether a particular certificate is served or not. This decision is made based on the SNI sent by the client and the SAN of the certificate. *** The `Manager` will pick a certificate based on the client trying to establish a TLS connection. In particular, it looks at the client hello (i.e. SNI) to determine which host the client tries to access. If the manager can find a certificate that matches the SNI it returns this certificate to the client. However, the client may choose to not send an SNI or tries to access a server directly via IP (`https://<ip>:<port>`). In this case, we cannot use the SNI to determine which certificate to serve. However, we also should not pick "the first" certificate that would be accepted by the client (based on crypto. parameters - like a signature algorithm) because it may be an internal certificate that contains internal hostnames. We would disclose internal infrastructure details doing so. Therefore, the `Manager` returns the "default" certificate when the client does not specify an SNI. The default certificate the top-level `public.crt` - i.e. `certs/public.crt`. This approach has some consequences: - It's the operator's responsibility to ensure that the top-level `public.crt` does not disclose any information (i.e. hostnames) that are not publicly visible. However, this was the case in the past already. - Any other `public.crt` - except for the top-level one - must not contain any IP SAN. The reason for this restriction is that the Manager cannot match a SNI to an IP b/c the SNI is the server host name. The entire purpose of SNI is to indicate which host the client tries to connect to when multiple hosts run on the same IP. So, a client will not set the SNI to an IP. If we would allow IP SANs in a lower-level `public.crt` a user would expect that it is possible to connect to MinIO directly via IP address and that the MinIO server would pick "the right" certificate. However, the MinIO server cannot determine which certificate to serve, and therefore always picks the "default" one. This may lead to all sorts of confusing errors like: "It works if I use `https:instance.minio.local` but not when I use `https://10.0.2.1`. These consequences/limitations should be pointed out / explained in our docs in an appropriate way. However, the support for multiple certificates should not have any impact on how deployment with a single certificate function today. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
var (
certFile = filepath.Join(root.Name(), file.Name(), publicCertFile)
keyFile = filepath.Join(root.Name(), file.Name(), privateKeyFile)
)
if !isFile(certFile) || !isFile(keyFile) {
continue
}
fix: reading multiple TLS certificates when deployed in K8S (#10601) Ignore all regular files, CAs directory and any directory that starts with `..` inside the `.minio/certs` folder
2020-09-30 17:21:30 +02:00
if err = manager.AddCertificate(certFile, keyFile); err != nil {
err = fmt.Errorf("Unable to load TLS certificate '%s,%s': %w", certFile, keyFile, err)
certs: refactor cert manager to support multiple certificates (#10207) This commit refactors the certificate management implementation in the `certs` package such that multiple certificates can be specified at the same time. Therefore, the following layout of the `certs/` directory is expected: ``` certs/ │ ├─ public.crt ├─ private.key ├─ CAs/ // CAs directory is ignored │ │ │ ... │ ├─ example.com/ │ │ │ ├─ public.crt │ └─ private.key └─ foobar.org/ │ ├─ public.crt └─ private.key ... ``` However, directory names like `example.com` are just for human readability/organization and don't have any meaning w.r.t whether a particular certificate is served or not. This decision is made based on the SNI sent by the client and the SAN of the certificate. *** The `Manager` will pick a certificate based on the client trying to establish a TLS connection. In particular, it looks at the client hello (i.e. SNI) to determine which host the client tries to access. If the manager can find a certificate that matches the SNI it returns this certificate to the client. However, the client may choose to not send an SNI or tries to access a server directly via IP (`https://<ip>:<port>`). In this case, we cannot use the SNI to determine which certificate to serve. However, we also should not pick "the first" certificate that would be accepted by the client (based on crypto. parameters - like a signature algorithm) because it may be an internal certificate that contains internal hostnames. We would disclose internal infrastructure details doing so. Therefore, the `Manager` returns the "default" certificate when the client does not specify an SNI. The default certificate the top-level `public.crt` - i.e. `certs/public.crt`. This approach has some consequences: - It's the operator's responsibility to ensure that the top-level `public.crt` does not disclose any information (i.e. hostnames) that are not publicly visible. However, this was the case in the past already. - Any other `public.crt` - except for the top-level one - must not contain any IP SAN. The reason for this restriction is that the Manager cannot match a SNI to an IP b/c the SNI is the server host name. The entire purpose of SNI is to indicate which host the client tries to connect to when multiple hosts run on the same IP. So, a client will not set the SNI to an IP. If we would allow IP SANs in a lower-level `public.crt` a user would expect that it is possible to connect to MinIO directly via IP address and that the MinIO server would pick "the right" certificate. However, the MinIO server cannot determine which certificate to serve, and therefore always picks the "default" one. This may lead to all sorts of confusing errors like: "It works if I use `https:instance.minio.local` but not when I use `https://10.0.2.1`. These consequences/limitations should be pointed out / explained in our docs in an appropriate way. However, the support for multiple certificates should not have any impact on how deployment with a single certificate function today. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
logger.LogIf(GlobalContext, err, logger.Minio)
}
}
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
secureConn = true
certs: refactor cert manager to support multiple certificates (#10207) This commit refactors the certificate management implementation in the `certs` package such that multiple certificates can be specified at the same time. Therefore, the following layout of the `certs/` directory is expected: ``` certs/ │ ├─ public.crt ├─ private.key ├─ CAs/ // CAs directory is ignored │ │ │ ... │ ├─ example.com/ │ │ │ ├─ public.crt │ └─ private.key └─ foobar.org/ │ ├─ public.crt └─ private.key ... ``` However, directory names like `example.com` are just for human readability/organization and don't have any meaning w.r.t whether a particular certificate is served or not. This decision is made based on the SNI sent by the client and the SAN of the certificate. *** The `Manager` will pick a certificate based on the client trying to establish a TLS connection. In particular, it looks at the client hello (i.e. SNI) to determine which host the client tries to access. If the manager can find a certificate that matches the SNI it returns this certificate to the client. However, the client may choose to not send an SNI or tries to access a server directly via IP (`https://<ip>:<port>`). In this case, we cannot use the SNI to determine which certificate to serve. However, we also should not pick "the first" certificate that would be accepted by the client (based on crypto. parameters - like a signature algorithm) because it may be an internal certificate that contains internal hostnames. We would disclose internal infrastructure details doing so. Therefore, the `Manager` returns the "default" certificate when the client does not specify an SNI. The default certificate the top-level `public.crt` - i.e. `certs/public.crt`. This approach has some consequences: - It's the operator's responsibility to ensure that the top-level `public.crt` does not disclose any information (i.e. hostnames) that are not publicly visible. However, this was the case in the past already. - Any other `public.crt` - except for the top-level one - must not contain any IP SAN. The reason for this restriction is that the Manager cannot match a SNI to an IP b/c the SNI is the server host name. The entire purpose of SNI is to indicate which host the client tries to connect to when multiple hosts run on the same IP. So, a client will not set the SNI to an IP. If we would allow IP SANs in a lower-level `public.crt` a user would expect that it is possible to connect to MinIO directly via IP address and that the MinIO server would pick "the right" certificate. However, the MinIO server cannot determine which certificate to serve, and therefore always picks the "default" one. This may lead to all sorts of confusing errors like: "It works if I use `https:instance.minio.local` but not when I use `https://10.0.2.1`. These consequences/limitations should be pointed out / explained in our docs in an appropriate way. However, the support for multiple certificates should not have any impact on how deployment with a single certificate function today. Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-04 08:33:37 +02:00
return x509Certs, manager, secureConn, nil
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/
2019-10-08 07:47:56 +02:00
}
Fix listPathRaw/WalkDir cancelation (#11905) In #11888 we observe a lot of running, WalkDir calls. There doesn't appear to be any listerners for these calls, so they should be aborted. Ensure that WalkDir aborts when upstream cancels the request. Fixes #11888
2021-03-26 19:18:30 +01:00
// contextCanceled returns whether a context is canceled.
func contextCanceled(ctx context.Context) bool {
select {
case <-ctx.Done():
return true
default:
return false
}
}
Reference in a new issue Copy permalink