mirror/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2024-11-23 18:49:17 +08:00
Code Issues Packages Projects Releases Wiki Activity
Page: Run Blob Storage on Public Internet
Pages
AWS CLI with SeaweedFS AWS IAM CLI Actual Users Amazon IAM API Amazon S3 API Applications Async Backup Async Filer Metadata Backup Async Replication to Cloud Async Replication to another Filer Benchmark SeaweedFS as a GlusterFS replacement Benchmarks from jinleileiking Benchmarks Cache Remote Storage Choosing a Filer Store Client Libraries Cloud Drive Architecture Cloud Drive Benefits Cloud Drive Quick Setup Cloud Monitoring Cloud Tier Components Configure Remote Storage Customize Filer Store Data Backup Data Structure for Large Files Deployment to Kubernetes and Minikube Directories and Files Docker Compose for S3 Docker Image Registry with SeaweedFS Environment Variables Erasure Coding for warm storage Error reporting to sentry FAQ FIO benchmark FUSE Mount Failover Master Server Filer Active Active cross cluster continuous synchronization Filer Cassandra Setup Filer Change Data Capture Filer Commands and Operations Filer Data Encryption Filer JWT Use Filer Metadata Events Filer Redis Setup Filer Server API Filer Setup Filer Store Replication Filer Stores Filer as a Key Large Value Store Gateway to Remote Object Storage Getting Started HDFS via S3 connector Hadoop Benchmark Hadoop Compatible File System Hardware Hobbyest Tinkerer scale on premises tutorial Home Independent Benchmarks Kubernetes Backups and Recovery with K8up Large File Handling Load Command Line Options from a file Master Server API Migrate to Filer Store Mount Remote Storage Optimization Path Specific Configuration Path Specific Filer Store Production Setup Replication Run Blob Storage on Public Internet Run Presto on SeaweedFS S3 API Audit log S3 API Benchmark S3 API FAQ S3 Bucket Quota S3 Nginx Proxy SRV Service Discovery SeaweedFS Java Client SeaweedFS in Docker Swarm Security Configuration Security Overview Server Startup Setup Store file with a Time To Live Super Large Directories System Metrics TensorFlow with SeaweedFS Tiered Storage UrBackup with SeaweedFS Use Cases Volume Files Structure Volume Management Volume Server API WebDAV Words from SeaweedFS Users fstab nodejs with Seaweed S3 rclone with SeaweedFS restic with SeaweedFS run HBase on SeaweedFS run Spark on SeaweedFS s3cmd with SeaweedFS weed shell
31 Run Blob Storage on Public Internet
chrislu edited this page 2024-11-18 22:47:15 -08:00
Table of Contents

How to setup SeaweedFS on servers that face the public internet

This guide is for setting up master and volume servers only, we will not setup filer or S3. All services will run in Docker, which also acts as a firewall to block direct access to the HTTP API of the master server (single master, no HA). gRPC communication between volume and master server is encrypted with mutual TLS, all gRPC ports are exposed to the public internet. Master server HTTP API port (9333) is exposed via reverse proxy Caddy, which handles SSL termination and checks for an Authorization header (this header is completely separate from SeaweedFS JWT mechanism). Other reverse proxy can also be used instead of Caddy.

Step by step setup

We will use 2 servers. Server 1 will host master, 2x volumes (2 disks, one volume server each), caddy reverse proxy. Server 2 will host 2 volume servers.

  1. Install docker and docker-compose
  2. Start master server. Using my own Dockerfile here to run the large_disk version Dockerfile
# todo: set version as ARG
# todo: use 2 step build process, copy over weed binary to fresh container (do not need curl and tar at runtime)
FROM alpine
RUN apk update && apk add wget tar
RUN wget https://github.com/seaweedfs/seaweedfs/releases/download/3.80/linux_amd64_large_disk.tar.gz
RUN tar -xf linux_amd64_large_disk.tar.gz
RUN chmod +x weed
RUN mv weed /usr/bin/

docker-compose.yml

version: '3.7'
services:
  master:
    build: .
    volumes:
      - /data/seaweedfs/master:/data/seaweedfs/master
    ports:
      - 19333:19333
    entrypoint: weed master -mdir='/data/seaweedfs/master' -ip=<public ip of server> -volumeSizeLimitMB=100000 -defaultReplication=010
  1. docker-compose up and see if it looks ok
  2. Run volume server on server 2 (to test connection between physical servers)
  • same dockerfile
  • docker-compose.yml
version: '3.7'
services:
  volume-sda:
    build: .
    volumes:
      - /data/seaweedfs/volume:/data/seaweedfs/volume
    ports:
      - 8080:8080
      - 18080:18080
    command: weed volume -mserver=<public IP of server 1>:9333 -dir=/data/seaweedfs/volume -ip=<public ip of this server (server2)>
  1. docker-compose up on both servers and check that the master sees the volume
  2. Follow security guide to add secrets and certs. Scaffold security.toml file and generate certs, in this example, all certs are in certs/ folder. Update docker-compose.yml of master server:
version: '3.7'
services:
  master:
    build: .
    volumes:
      - /data/seaweedfs/master:/data/seaweedfs/master
      - ./security.toml:/etc/seaweedfs/security.toml
      - ./certs:/etc/seaweedfs/certs
    ports:
      - 19333:19333
    entrypoint: weed master -mdir='/data/seaweedfs/master' -ip=<public ip of server> -volumeSizeLimitMB=100000 -defaultReplication=010
  1. docker-compose up the master and volume. Because the volume server doesn't have the security config, the heartbeat should fail.
  2. Copy security.toml and certs/ folder to server2 and add mounts in docker-compose.yml file of volume server.
  3. docker-compose up, now heartbeat should work and master should see volume server again
  4. Test that JWT auth works as you expect. For that, edit docker-compose.yml of master server to temporarily expose port 9333 to the host machine. All testing will be done from command line of server 1:
  • curl -i http://localhost:9333/dir/assign should include bearer token
  • uploading with bearer token should work (for hand testing, might want to update the 10 second JWT timeout to something longer)
  • uploading without bearer token fails (3 test cases: not provided, incorrect provided, or token expired)
  • downloading with bearer token works
  • downloading without bearer token fails
  • delete with bearer token works, doesn't work without token
  1. Great, JWT auth works as expected. docker-compose down, remove port 9333 from master server docker-compose.yml, clean data directory rm -rf /data/seaweedfs/master/* and rm -rf /data/seaweedfs/volume/*
  2. Add caddyserver to master server docker-compose.yml. Caddy will automatically and without config issue a SSL cert from Lets Encrypt, redirect traffic from HTTP to HTTPS (on HTTP the header value can be sniffed, please remember to use HTTPS), and we will add config to check for Authorization header. A domain is needed for SSL. On master servers docker-compose.yml, add a new service:
  caddy:
    image: caddy:2.3.0-alpine
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
    ports:
      - 80:80
      - 443:443

Add Caddyfile

seaweedfs.yourdomain.com

@bearertoken header Authorization "Bearer <your token>"
@notBearertoken not header Authorization "Bearer <your token>"

reverse_proxy @bearertoken master:9333

respond @notBearertoken 401
  1. docker-compose up, wait for Caddy to get certs from LetsEncrypt, test it via curl:
  • curl -i http://seaweedfs.yourdomain.com redirects to HTTPS
  • curl -i https://seaweedfs.yourdomain.com responds with 401
  • curl -H "Authorization: Bearer <your token>" https://seaweedfs.yourdomain.com/dir/assign works
  • curl -iH "Authorization: Bearer someOtherToken" https://seaweedfs.yourdomain.com/dir/assign 401
  1. Add more volume servers, take notice of port bindings. In my case, server 1 docker-compose.yml has master, volume-sda, volume-sdb, caddy, server 2 has volume-sda, volume-sdb.

docker-compose.yml server 2:

version: '3.7'
services:
  volume-sda:
    build: .
    volumes:
      # /dev/sda4 mounts to /data
      - /data/seaweedfs/volume:/data/seaweedfs/volume
      - ./security.toml:/etc/seaweedfs/security.toml
      - ./certs:/etc/seaweedfs/certs
    ports:
      - 8080:8080
      - 18080:18080
    command: weed volume -mserver=<master server ip>:9333 -dir=/data/seaweedfs/volume -ip=<publicIp>

  volume-sdb:
    build: .
    volumes:
      # /dev/sdb1 mounts to /data2
      - /data2/seaweedfs/volume:/data/seaweedfs/volume
      - ./security.toml:/etc/seaweedfs/security.toml
      - ./certs:/etc/seaweedfs/certs
    ports:
      - 8081:8081
      - 18081:18081
    command: weed volume -mserver=<master server ip>:9333 -dir=/data/seaweedfs/volume -ip=<publicIp>  -port=8081

High availability

I haven't tested this, but this is how I would go about making it HA:

  • Run master server on 3 or 5 physical servers
  • Run caddy as a sidecar on every server that runs a master
  • Install caddy from own Dockerfile, adding redis plugin for distributed SSL cert storage and distributed locks for SSL cert issuing.
  • Run redis in high-availability mode, for example by following this docker swarm guide. Caddy redis plugin probably doesn't allow multiple IP addresses, so might have to add haproxy sidecar to every caddy sidecar as well to load balance to redis cluster.
  • Update command of volume servers docker-compose file to add all master server IPs

Alternatively:

  • Use another caddy plugin for distributed SSL certs, not redis
  • Use a loadbalancer-as-a-service that does SSL termination from some cloud provider (i.e. Cloudflare - easier to setup but less secure as traffic between cloudflare and nodes is not encrypted)
  • Disable HTTP API on master server (-disableHttp flag) and use clients that can speak gRPC protocol

Introduction

API

Configuration

Filer

Filer Stores

Advanced Filer Configurations

FUSE Mount

WebDAV

Cloud Drive

AWS S3 API

AWS IAM

Machine Learning

HDFS

Replication and Backup

Messaging

Use Cases

Operations

Advanced

Security

Misc Use Case Examples