Compare commits
15 commits
main
...
storage-op
Author | SHA1 | Date | |
---|---|---|---|
e44bec738c | |||
f6f0c6f515 | |||
7ba1364c08 | |||
cb02ce3eb2 | |||
5a52c4c7f3 | |||
64818d3720 | |||
852388134b | |||
96c7040a8a | |||
05dd441e9c | |||
cffa9821c1 | |||
d08778dea4 | |||
24d605fb05 | |||
ae4982c309 | |||
9c9471c64f | |||
71a13f366e |
|
@ -1,3 +0,0 @@
|
|||
[target.x86_64-unknown-linux-gnu]
|
||||
linker = "clang"
|
||||
rustflags = ["-C", "link-arg=-fuse-ld=mold"]
|
134
.drone.yml
Normal file
|
@ -0,0 +1,134 @@
|
|||
---
|
||||
kind: pipeline
|
||||
name: default
|
||||
|
||||
workspace:
|
||||
base: /drone/garage
|
||||
|
||||
volumes:
|
||||
- name: cargo_home
|
||||
temp: {}
|
||||
|
||||
steps:
|
||||
- name: restore-cache
|
||||
image: meltwater/drone-cache:dev
|
||||
volumes:
|
||||
- name: cargo_home
|
||||
path: /drone/cargo
|
||||
environment:
|
||||
AWS_ACCESS_KEY_ID:
|
||||
from_secret: cache_aws_access_key_id
|
||||
AWS_SECRET_ACCESS_KEY:
|
||||
from_secret: cache_aws_secret_access_key
|
||||
pull: true
|
||||
settings:
|
||||
restore: true
|
||||
archive_format: "gzip"
|
||||
bucket: drone-cache
|
||||
cache_key: '{{ .Repo.Name }}_{{ checksum "Cargo.lock" }}_{{ arch }}_{{ os }}_gzip'
|
||||
region: garage
|
||||
mount:
|
||||
- '/drone/cargo'
|
||||
- 'target'
|
||||
path_style: true
|
||||
endpoint: https://garage.deuxfleurs.fr
|
||||
when:
|
||||
branch:
|
||||
- nonexistent_skip_this_step
|
||||
|
||||
- name: build
|
||||
image: lxpz/garage_builder_amd64:1
|
||||
volumes:
|
||||
- name: cargo_home
|
||||
path: /drone/cargo
|
||||
environment:
|
||||
CARGO_HOME: /drone/cargo
|
||||
commands:
|
||||
- pwd
|
||||
- cargo fmt -- --check
|
||||
- cargo build
|
||||
|
||||
- name: cargo-test
|
||||
image: lxpz/garage_builder_amd64:1
|
||||
volumes:
|
||||
- name: cargo_home
|
||||
path: /drone/cargo
|
||||
environment:
|
||||
CARGO_HOME: /drone/cargo
|
||||
commands:
|
||||
- cargo test
|
||||
|
||||
- name: rebuild-cache
|
||||
image: meltwater/drone-cache:dev
|
||||
volumes:
|
||||
- name: cargo_home
|
||||
path: /drone/cargo
|
||||
environment:
|
||||
AWS_ACCESS_KEY_ID:
|
||||
from_secret: cache_aws_access_key_id
|
||||
AWS_SECRET_ACCESS_KEY:
|
||||
from_secret: cache_aws_secret_access_key
|
||||
pull: true
|
||||
settings:
|
||||
rebuild: true
|
||||
archive_format: "gzip"
|
||||
bucket: drone-cache
|
||||
cache_key: '{{ .Repo.Name }}_{{ checksum "Cargo.lock" }}_{{ arch }}_{{ os }}_gzip'
|
||||
region: garage
|
||||
mount:
|
||||
- '/drone/cargo'
|
||||
- 'target'
|
||||
path_style: true
|
||||
endpoint: https://garage.deuxfleurs.fr
|
||||
when:
|
||||
branch:
|
||||
- nonexistent_skip_this_step
|
||||
|
||||
- name: smoke-test
|
||||
image: lxpz/garage_builder_amd64:1
|
||||
volumes:
|
||||
- name: cargo_home
|
||||
path: /drone/cargo
|
||||
environment:
|
||||
CARGO_HOME: /drone/cargo
|
||||
commands:
|
||||
- ./script/test-smoke.sh || (cat /tmp/garage.log; false)
|
||||
|
||||
---
|
||||
kind: pipeline
|
||||
name: website
|
||||
|
||||
steps:
|
||||
- name: build
|
||||
image: hrektts/mdbook
|
||||
commands:
|
||||
- cd doc/book
|
||||
- mdbook build
|
||||
|
||||
- name: upload
|
||||
image: plugins/s3
|
||||
settings:
|
||||
bucket: garagehq.deuxfleurs.fr
|
||||
access_key:
|
||||
from_secret: garagehq_aws_access_key_id
|
||||
secret_key:
|
||||
from_secret: garagehq_aws_secret_access_key
|
||||
source: doc/book/book/**/*
|
||||
strip_prefix: doc/book/book/
|
||||
target: /
|
||||
path_style: true
|
||||
endpoint: https://garage.deuxfleurs.fr
|
||||
region: garage
|
||||
when:
|
||||
event:
|
||||
- push
|
||||
branch:
|
||||
- main
|
||||
repo:
|
||||
- Deuxfleurs/garage
|
||||
|
||||
---
|
||||
kind: signature
|
||||
hmac: de82026387bd09e547dbc9cc5d232fd865204b4f393d32508c50b58f8e60611d
|
||||
|
||||
...
|
1
.envrc
|
@ -1 +0,0 @@
|
|||
use flake
|
1
.gitignore
vendored
|
@ -3,4 +3,3 @@
|
|||
/pki
|
||||
**/*.rs.bk
|
||||
*.swp
|
||||
/.direnv
|
|
@ -1,47 +0,0 @@
|
|||
when:
|
||||
event:
|
||||
- push
|
||||
- tag
|
||||
- pull_request
|
||||
- deployment
|
||||
- cron
|
||||
- manual
|
||||
|
||||
steps:
|
||||
- name: check formatting
|
||||
image: nixpkgs/nix:nixos-22.05
|
||||
commands:
|
||||
- nix-shell --attr devShell --run "cargo fmt -- --check"
|
||||
|
||||
- name: build
|
||||
image: nixpkgs/nix:nixos-22.05
|
||||
commands:
|
||||
- nix-build --no-build-output --attr clippy.amd64 --argstr git_version ${CI_COMMIT_TAG:-$CI_COMMIT_SHA}
|
||||
|
||||
- name: unit + func tests
|
||||
image: nixpkgs/nix:nixos-22.05
|
||||
environment:
|
||||
GARAGE_TEST_INTEGRATION_EXE: result-bin/bin/garage
|
||||
GARAGE_TEST_INTEGRATION_PATH: tmp-garage-integration
|
||||
commands:
|
||||
- nix-build --no-build-output --attr clippy.amd64 --argstr git_version ${CI_COMMIT_TAG:-$CI_COMMIT_SHA}
|
||||
- nix-build --no-build-output --attr test.amd64
|
||||
- ./result/bin/garage_db-*
|
||||
- ./result/bin/garage_api-*
|
||||
- ./result/bin/garage_model-*
|
||||
- ./result/bin/garage_rpc-*
|
||||
- ./result/bin/garage_table-*
|
||||
- ./result/bin/garage_util-*
|
||||
- ./result/bin/garage_web-*
|
||||
- ./result/bin/garage-*
|
||||
- GARAGE_TEST_INTEGRATION_DB_ENGINE=lmdb ./result/bin/integration-* || (cat tmp-garage-integration/stderr.log; false)
|
||||
- nix-shell --attr ci --run "killall -9 garage" || true
|
||||
- GARAGE_TEST_INTEGRATION_DB_ENGINE=sqlite ./result/bin/integration-* || (cat tmp-garage-integration/stderr.log; false)
|
||||
- rm result
|
||||
- rm -rv tmp-garage-integration
|
||||
|
||||
- name: integration tests
|
||||
image: nixpkgs/nix:nixos-22.05
|
||||
commands:
|
||||
- nix-build --no-build-output --attr clippy.amd64 --argstr git_version ${CI_COMMIT_TAG:-$CI_COMMIT_SHA}
|
||||
- nix-shell --attr ci --run ./script/test-smoke.sh || (cat /tmp/garage.log; false)
|
|
@ -1,29 +0,0 @@
|
|||
when:
|
||||
event:
|
||||
- deployment
|
||||
- cron
|
||||
|
||||
depends_on:
|
||||
- release
|
||||
|
||||
steps:
|
||||
- name: refresh-index
|
||||
image: nixpkgs/nix:nixos-22.05
|
||||
secrets:
|
||||
- source: garagehq_aws_access_key_id
|
||||
target: AWS_ACCESS_KEY_ID
|
||||
- source: garagehq_aws_secret_access_key
|
||||
target: AWS_SECRET_ACCESS_KEY
|
||||
commands:
|
||||
- mkdir -p /etc/nix && cp nix/nix.conf /etc/nix/nix.conf
|
||||
- nix-shell --attr ci --run "refresh_index"
|
||||
|
||||
- name: multiarch-docker
|
||||
image: nixpkgs/nix:nixos-22.05
|
||||
secrets:
|
||||
- docker_auth
|
||||
commands:
|
||||
- mkdir -p /root/.docker
|
||||
- echo $DOCKER_AUTH > /root/.docker/config.json
|
||||
- export CONTAINER_TAG=${CI_COMMIT_TAG:-$CI_COMMIT_SHA}
|
||||
- nix-shell --attr ci --run "multiarch_docker"
|
|
@ -1,70 +0,0 @@
|
|||
when:
|
||||
event:
|
||||
- deployment
|
||||
- cron
|
||||
|
||||
matrix:
|
||||
include:
|
||||
- ARCH: amd64
|
||||
TARGET: x86_64-unknown-linux-musl
|
||||
- ARCH: i386
|
||||
TARGET: i686-unknown-linux-musl
|
||||
- ARCH: arm64
|
||||
TARGET: aarch64-unknown-linux-musl
|
||||
- ARCH: arm
|
||||
TARGET: armv6l-unknown-linux-musleabihf
|
||||
|
||||
steps:
|
||||
- name: build
|
||||
image: nixpkgs/nix:nixos-22.05
|
||||
commands:
|
||||
- nix-build --no-build-output --attr pkgs.${ARCH}.release --argstr git_version ${CI_COMMIT_TAG:-$CI_COMMIT_SHA}
|
||||
|
||||
- name: check is static binary
|
||||
image: nixpkgs/nix:nixos-22.05
|
||||
commands:
|
||||
- nix-build --no-build-output --attr pkgs.${ARCH}.release --argstr git_version ${CI_COMMIT_TAG:-$CI_COMMIT_SHA}
|
||||
- nix-shell --attr ci --run "./script/not-dynamic.sh result-bin/bin/garage"
|
||||
|
||||
- name: integration tests
|
||||
image: nixpkgs/nix:nixos-22.05
|
||||
commands:
|
||||
- nix-shell --attr ci --run ./script/test-smoke.sh || (cat /tmp/garage.log; false)
|
||||
when:
|
||||
- matrix:
|
||||
ARCH: amd64
|
||||
- matrix:
|
||||
ARCH: i386
|
||||
|
||||
- name: upgrade tests
|
||||
image: nixpkgs/nix:nixos-22.05
|
||||
commands:
|
||||
- nix-shell --attr ci --run "./script/test-upgrade.sh v0.8.4 x86_64-unknown-linux-musl" || (cat /tmp/garage.log; false)
|
||||
when:
|
||||
- matrix:
|
||||
ARCH: amd64
|
||||
|
||||
- name: push static binary
|
||||
image: nixpkgs/nix:nixos-22.05
|
||||
environment:
|
||||
TARGET: "${TARGET}"
|
||||
secrets:
|
||||
- source: garagehq_aws_access_key_id
|
||||
target: AWS_ACCESS_KEY_ID
|
||||
- source: garagehq_aws_secret_access_key
|
||||
target: AWS_SECRET_ACCESS_KEY
|
||||
commands:
|
||||
- nix-shell --attr ci --run "to_s3"
|
||||
|
||||
- name: docker build and publish
|
||||
image: nixpkgs/nix:nixos-22.05
|
||||
environment:
|
||||
DOCKER_PLATFORM: "linux/${ARCH}"
|
||||
CONTAINER_NAME: "dxflrs/${ARCH}_garage"
|
||||
secrets:
|
||||
- docker_auth
|
||||
commands:
|
||||
- mkdir -p /root/.docker
|
||||
- echo $DOCKER_AUTH > /root/.docker/config.json
|
||||
- export CONTAINER_TAG=${CI_COMMIT_TAG:-$CI_COMMIT_SHA}
|
||||
- nix-shell --attr ci --run "to_docker"
|
4327
Cargo.lock
generated
137
Cargo.toml
|
@ -1,151 +1,16 @@
|
|||
[workspace]
|
||||
resolver = "2"
|
||||
members = [
|
||||
"src/db",
|
||||
"src/util",
|
||||
"src/net",
|
||||
"src/rpc",
|
||||
"src/table",
|
||||
"src/block",
|
||||
"src/model",
|
||||
"src/api",
|
||||
"src/web",
|
||||
"src/garage",
|
||||
"src/k2v-client",
|
||||
"src/format-table",
|
||||
]
|
||||
|
||||
default-members = ["src/garage"]
|
||||
|
||||
[workspace.dependencies]
|
||||
|
||||
# Internal Garage crates
|
||||
format_table = { version = "0.1.1", path = "src/format-table" }
|
||||
garage_api = { version = "1.0.0", path = "src/api" }
|
||||
garage_block = { version = "1.0.0", path = "src/block" }
|
||||
garage_db = { version = "1.0.0", path = "src/db", default-features = false }
|
||||
garage_model = { version = "1.0.0", path = "src/model", default-features = false }
|
||||
garage_net = { version = "1.0.0", path = "src/net" }
|
||||
garage_rpc = { version = "1.0.0", path = "src/rpc" }
|
||||
garage_table = { version = "1.0.0", path = "src/table" }
|
||||
garage_util = { version = "1.0.0", path = "src/util" }
|
||||
garage_web = { version = "1.0.0", path = "src/web" }
|
||||
k2v-client = { version = "0.0.4", path = "src/k2v-client" }
|
||||
|
||||
# External crates from crates.io
|
||||
arc-swap = "1.0"
|
||||
argon2 = "0.5"
|
||||
async-trait = "0.1.7"
|
||||
backtrace = "0.3"
|
||||
base64 = "0.21"
|
||||
blake2 = "0.10"
|
||||
bytes = "1.0"
|
||||
bytesize = "1.1"
|
||||
cfg-if = "1.0"
|
||||
chrono = "0.4"
|
||||
crc32fast = "1.4"
|
||||
crc32c = "0.6"
|
||||
crypto-common = "0.1"
|
||||
digest = "0.10"
|
||||
err-derive = "0.3"
|
||||
gethostname = "0.4"
|
||||
git-version = "0.3.4"
|
||||
hex = "0.4"
|
||||
hexdump = "0.1"
|
||||
hmac = "0.12"
|
||||
idna = "0.5"
|
||||
itertools = "0.12"
|
||||
lazy_static = "1.4"
|
||||
md-5 = "0.10"
|
||||
mktemp = "0.5"
|
||||
nix = { version = "0.27", default-features = false, features = ["fs"] }
|
||||
nom = "7.1"
|
||||
parse_duration = "2.1"
|
||||
pin-project = "1.0.12"
|
||||
pnet_datalink = "0.34"
|
||||
rand = "0.8"
|
||||
sha1 = "0.10"
|
||||
sha2 = "0.10"
|
||||
timeago = { version = "0.4", default-features = false }
|
||||
xxhash-rust = { version = "0.8", default-features = false, features = ["xxh3"] }
|
||||
|
||||
aes-gcm = { version = "0.10", features = ["aes", "stream"] }
|
||||
sodiumoxide = { version = "0.2.5-0", package = "kuska-sodiumoxide" }
|
||||
kuska-handshake = { version = "0.2.0", features = ["default", "async_std"] }
|
||||
|
||||
clap = { version = "4.1", features = ["derive", "env"] }
|
||||
pretty_env_logger = "0.5"
|
||||
structopt = { version = "0.3", default-features = false }
|
||||
syslog-tracing = "0.3"
|
||||
tracing = "0.1"
|
||||
tracing-subscriber = { version = "0.3", features = ["env-filter"] }
|
||||
|
||||
heed = { version = "0.11", default-features = false, features = ["lmdb"] }
|
||||
rusqlite = "0.31.0"
|
||||
r2d2 = "0.8"
|
||||
r2d2_sqlite = "0.24"
|
||||
|
||||
async-compression = { version = "0.4", features = ["tokio", "zstd"] }
|
||||
zstd = { version = "0.13", default-features = false }
|
||||
|
||||
quick-xml = { version = "0.26", features = [ "serialize" ] }
|
||||
rmp-serde = "1.1.2"
|
||||
serde = { version = "1.0", default-features = false, features = ["derive", "rc"] }
|
||||
serde_bytes = "0.11"
|
||||
serde_json = "1.0"
|
||||
toml = { version = "0.8", default-features = false, features = ["parse"] }
|
||||
|
||||
# newer version requires rust edition 2021
|
||||
k8s-openapi = { version = "0.21", features = ["v1_24"] }
|
||||
kube = { version = "0.88", default-features = false, features = ["runtime", "derive", "client", "rustls-tls"] }
|
||||
schemars = "0.8"
|
||||
reqwest = { version = "0.11", default-features = false, features = ["rustls-tls-manual-roots", "json"] }
|
||||
|
||||
form_urlencoded = "1.0.0"
|
||||
http = "1.0"
|
||||
httpdate = "1.0"
|
||||
http-range = "0.1"
|
||||
http-body-util = "0.1"
|
||||
hyper = { version = "1.0", default-features = false }
|
||||
hyper-util = { version = "0.1", features = [ "full" ] }
|
||||
multer = "3.0"
|
||||
percent-encoding = "2.2"
|
||||
roxmltree = "0.19"
|
||||
url = "2.3"
|
||||
|
||||
futures = "0.3"
|
||||
futures-util = "0.3"
|
||||
tokio = { version = "1.0", default-features = false, features = ["net", "rt", "rt-multi-thread", "io-util", "net", "time", "macros", "sync", "signal", "fs"] }
|
||||
tokio-util = { version = "0.7", features = ["compat", "io"] }
|
||||
tokio-stream = { version = "0.1", features = ["net"] }
|
||||
|
||||
opentelemetry = { version = "0.17", features = [ "rt-tokio", "metrics", "trace" ] }
|
||||
opentelemetry-prometheus = "0.10"
|
||||
opentelemetry-otlp = "0.10"
|
||||
opentelemetry-contrib = "0.9"
|
||||
prometheus = "0.13"
|
||||
|
||||
# used by the k2v-client crate only
|
||||
aws-sigv4 = { version = "1.1" }
|
||||
hyper-rustls = { version = "0.26", features = ["http2"] }
|
||||
log = "0.4"
|
||||
thiserror = "1.0"
|
||||
|
||||
# ---- used only as build / dev dependencies ----
|
||||
assert-json-diff = "2.0"
|
||||
rustc_version = "0.4.0"
|
||||
static_init = "1.0"
|
||||
|
||||
aws-config = "1.1.4"
|
||||
aws-sdk-config = "1.13"
|
||||
aws-sdk-s3 = "1.14"
|
||||
|
||||
[profile.dev]
|
||||
#lto = "thin" # disabled for now, adds 2-4 min to each CI build
|
||||
lto = "off"
|
||||
|
||||
[profile.release]
|
||||
lto = true
|
||||
codegen-units = 1
|
||||
opt-level = "s"
|
||||
strip = true
|
||||
debug = true
|
||||
|
|
|
@ -1,7 +1,10 @@
|
|||
FROM scratch
|
||||
FROM archlinux:latest
|
||||
|
||||
RUN mkdir -p /garage/meta
|
||||
RUN mkdir -p /garage/data
|
||||
ENV RUST_BACKTRACE=1
|
||||
ENV RUST_LOG=garage=info
|
||||
|
||||
COPY result-bin/bin/garage /
|
||||
CMD [ "/garage", "server"]
|
||||
COPY target/release/garage.stripped /garage/garage
|
||||
|
||||
CMD /garage/garage server -c /garage/config.toml
|
||||
|
|
35
Makefile
|
@ -1,27 +1,20 @@
|
|||
.PHONY: doc all release shell run1 run2 run3
|
||||
BIN=target/release/garage
|
||||
DOCKER=lxpz/garage_amd64
|
||||
|
||||
all:
|
||||
clear; cargo build
|
||||
|
||||
release:
|
||||
nix-build --attr pkgs.amd64.release --no-build-output
|
||||
$(BIN):
|
||||
RUSTFLAGS="-C link-arg=-fuse-ld=lld -C target-cpu=x86-64 -C target-feature=+sse2" cargo build --release --no-default-features
|
||||
|
||||
shell:
|
||||
nix-shell
|
||||
$(BIN).stripped: $(BIN)
|
||||
cp $^ $@
|
||||
strip $@
|
||||
|
||||
# ----
|
||||
|
||||
run1:
|
||||
RUST_LOG=garage=debug ./target/debug/garage -c tmp/config1.toml server
|
||||
run1rel:
|
||||
RUST_LOG=garage=debug ./target/release/garage -c tmp/config1.toml server
|
||||
|
||||
run2:
|
||||
RUST_LOG=garage=debug ./target/debug/garage -c tmp/config2.toml server
|
||||
run2rel:
|
||||
RUST_LOG=garage=debug ./target/release/garage -c tmp/config2.toml server
|
||||
|
||||
run3:
|
||||
RUST_LOG=garage=debug ./target/debug/garage -c tmp/config3.toml server
|
||||
run3rel:
|
||||
RUST_LOG=garage=debug ./target/release/garage -c tmp/config3.toml server
|
||||
docker: $(BIN).stripped
|
||||
docker pull archlinux:latest
|
||||
docker build -t $(DOCKER):$(TAG) .
|
||||
docker push $(DOCKER):$(TAG)
|
||||
docker tag $(DOCKER):$(TAG) $(DOCKER):latest
|
||||
docker push $(DOCKER):latest
|
||||
|
||||
|
|
40
README.md
|
@ -1,38 +1,26 @@
|
|||
Garage [![status-badge](https://woodpecker.deuxfleurs.fr/api/badges/1/status.svg)](https://woodpecker.deuxfleurs.fr/repos/1)
|
||||
Garage [![Build Status](https://drone.deuxfleurs.fr/api/badges/Deuxfleurs/garage/status.svg?ref=refs/heads/main)](https://drone.deuxfleurs.fr/Deuxfleurs/garage)
|
||||
===
|
||||
|
||||
<p align="center" style="text-align:center;">
|
||||
<a href="https://garagehq.deuxfleurs.fr">
|
||||
<img alt="Garage logo" src="https://garagehq.deuxfleurs.fr/img/logo.svg" height="200" />
|
||||
<img alt="Garage logo" src="doc/logo/garage.png" height="200" />
|
||||
</a>
|
||||
</p>
|
||||
|
||||
<p align="center" style="text-align:center;">
|
||||
[ <strong><a href="https://garagehq.deuxfleurs.fr/">Website and documentation</a></strong>
|
||||
| <a href="https://garagehq.deuxfleurs.fr/_releases.html">Binary releases</a>
|
||||
| <a href="https://git.deuxfleurs.fr/Deuxfleurs/garage">Git repository</a>
|
||||
| <a href="https://matrix.to/#/%23garage:deuxfleurs.fr">Matrix channel</a>
|
||||
]
|
||||
</p>
|
||||
Garage is a lightweight S3-compatible distributed object store, with the following goals:
|
||||
|
||||
Garage is an S3-compatible distributed object storage service
|
||||
designed for self-hosting at a small-to-medium scale.
|
||||
- As self-contained as possible
|
||||
- Easy to set up
|
||||
- Highly resilient to network failures, network latency, disk failures, sysadmin failures
|
||||
- Relatively simple
|
||||
- Made for multi-datacenter deployments
|
||||
|
||||
Garage is designed for storage clusters composed of nodes running
|
||||
at different physical locations,
|
||||
in order to easily provide a storage service that replicates data at these different
|
||||
locations and stays available even when some servers are unreachable.
|
||||
Garage also focuses on being lightweight, easy to operate, and highly resilient to
|
||||
machine failures.
|
||||
Non-goals include:
|
||||
|
||||
Garage is built by [Deuxfleurs](https://deuxfleurs.fr),
|
||||
an experimental small-scale self hosted service provider,
|
||||
which has been using it in production since its first release in 2020.
|
||||
- Extremely high performance
|
||||
- Complete implementation of the S3 API
|
||||
- Erasure coding (our replication model is simply to copy the data as is on several nodes, in different datacenters if possible)
|
||||
|
||||
Learn more on our dedicated documentation pages:
|
||||
Our main use case is to provide a distributed storage layer for small-scale self hosted services such as [Deuxfleurs](https://deuxfleurs.fr).
|
||||
|
||||
- [Goals and use cases](https://garagehq.deuxfleurs.fr/documentation/design/goals/)
|
||||
- [Features](https://garagehq.deuxfleurs.fr/documentation/reference-manual/features/)
|
||||
- [Quick start](https://garagehq.deuxfleurs.fr/documentation/quick-start/)
|
||||
|
||||
Garage is entirely free software released under the terms of the AGPLv3.
|
||||
**[Go to the documentation](https://garagehq.deuxfleurs.fr)**
|
||||
|
|
27
TODO
Normal file
|
@ -0,0 +1,27 @@
|
|||
Testing
|
||||
-------
|
||||
|
||||
How are we going to test that our replication method works correctly?
|
||||
We will have to introduce lots of dummy data and then add/remove nodes many times.
|
||||
|
||||
|
||||
Attaining S3 compatibility
|
||||
--------------------------
|
||||
|
||||
- test multipart uploads
|
||||
- get ranges
|
||||
|
||||
- fix sync not working in some cases ? (when starting from empty?)
|
||||
|
||||
- api_server following the S3 semantics for head/get/put/list/delete: verify more that it works as intended
|
||||
- PUT requests: verify content-md5 if provided
|
||||
- possibly other necessary endpoints ?
|
||||
|
||||
|
||||
Lower priority
|
||||
--------------
|
||||
|
||||
- less a priority: hinted handoff
|
||||
- repair: re-propagate block ref table to rc
|
||||
- FIXME in rpc_server when garage shuts down and futures can be interrupted
|
||||
(tokio::spawn should be replaced by a new function background::spawn_joinable)
|
22
config.dev.toml
Normal file
|
@ -0,0 +1,22 @@
|
|||
block_size = 1048576 # objects are split in blocks of maximum this number of bytes
|
||||
|
||||
metadata_dir = "/tmp/garage-meta"
|
||||
data_dir = "/tmp/garage-data"
|
||||
|
||||
rpc_bind_addr = "[::]:3901" # the port other Garage nodes will use to talk to this node
|
||||
|
||||
bootstrap_peers = []
|
||||
|
||||
max_concurrent_rpc_requests = 12
|
||||
data_replication_factor = 3
|
||||
meta_replication_factor = 3
|
||||
meta_epidemic_fanout = 3
|
||||
|
||||
[s3_api]
|
||||
api_bind_addr = "[::1]:3900" # the S3 API port, HTTP without TLS. Add a reverse proxy for the TLS part.
|
||||
s3_region = "garage" # set this to anything. S3 API calls will fail if they are not made against the region set here.
|
||||
|
||||
[s3_web]
|
||||
bind_addr = "[::1]:3902"
|
||||
root_domain = ".garage.tld"
|
||||
index = "index.html"
|
55
default.nix
|
@ -1,55 +0,0 @@
|
|||
{ system ? builtins.currentSystem, git_version ? null, }:
|
||||
|
||||
with import ./nix/common.nix;
|
||||
|
||||
let
|
||||
pkgs = import pkgsSrc { };
|
||||
compile = import ./nix/compile.nix;
|
||||
|
||||
build_debug_and_release = (target: {
|
||||
debug = (compile {
|
||||
inherit system target git_version pkgsSrc cargo2nixOverlay;
|
||||
release = false;
|
||||
}).workspace.garage { compileMode = "build"; };
|
||||
|
||||
release = (compile {
|
||||
inherit system target git_version pkgsSrc cargo2nixOverlay;
|
||||
release = true;
|
||||
}).workspace.garage { compileMode = "build"; };
|
||||
});
|
||||
|
||||
test = (rustPkgs:
|
||||
pkgs.symlinkJoin {
|
||||
name = "garage-tests";
|
||||
paths =
|
||||
builtins.map (key: rustPkgs.workspace.${key} { compileMode = "test"; })
|
||||
(builtins.attrNames rustPkgs.workspace);
|
||||
});
|
||||
|
||||
in {
|
||||
pkgs = {
|
||||
amd64 = build_debug_and_release "x86_64-unknown-linux-musl";
|
||||
i386 = build_debug_and_release "i686-unknown-linux-musl";
|
||||
arm64 = build_debug_and_release "aarch64-unknown-linux-musl";
|
||||
arm = build_debug_and_release "armv6l-unknown-linux-musleabihf";
|
||||
};
|
||||
test = {
|
||||
amd64 = test (compile {
|
||||
inherit system git_version pkgsSrc cargo2nixOverlay;
|
||||
target = "x86_64-unknown-linux-musl";
|
||||
features = [
|
||||
"garage/bundled-libs"
|
||||
"garage/k2v"
|
||||
"garage/lmdb"
|
||||
"garage/sqlite"
|
||||
];
|
||||
});
|
||||
};
|
||||
clippy = {
|
||||
amd64 = (compile {
|
||||
inherit system git_version pkgsSrc cargo2nixOverlay;
|
||||
target = "x86_64-unknown-linux-musl";
|
||||
compiler = "clippy";
|
||||
}).workspace.garage { compileMode = "build"; };
|
||||
};
|
||||
}
|
Before Width: | Height: | Size: 44 KiB After Width: | Height: | Size: 44 KiB |
Before Width: | Height: | Size: 19 KiB After Width: | Height: | Size: 19 KiB |
Before Width: | Height: | Size: 53 KiB After Width: | Height: | Size: 53 KiB |
Before Width: | Height: | Size: 54 KiB After Width: | Height: | Size: 54 KiB |
Before Width: | Height: | Size: 56 KiB After Width: | Height: | Size: 56 KiB |
Before Width: | Height: | Size: 57 KiB After Width: | Height: | Size: 57 KiB |
Before Width: | Height: | Size: 360 KiB After Width: | Height: | Size: 360 KiB |
Before Width: | Height: | Size: 39 KiB After Width: | Height: | Size: 39 KiB |
Before Width: | Height: | Size: 19 KiB After Width: | Height: | Size: 19 KiB |
Before Width: | Height: | Size: 27 KiB After Width: | Height: | Size: 27 KiB |
Before Width: | Height: | Size: 32 KiB After Width: | Height: | Size: 32 KiB |
Before Width: | Height: | Size: 86 KiB After Width: | Height: | Size: 86 KiB |
Before Width: | Height: | Size: 6.1 KiB After Width: | Height: | Size: 6.1 KiB |
BIN
doc/20201202_talk/talk.pdf
Normal file
|
@ -1,17 +0,0 @@
|
|||
# Browse doc
|
||||
|
||||
Run in this directory:
|
||||
|
||||
```
|
||||
python3 -m http.server
|
||||
```
|
||||
|
||||
And open in your browser:
|
||||
- http://localhost:8000/garage-admin-v0.html
|
||||
|
||||
# Validate doc
|
||||
|
||||
```
|
||||
wget https://repo1.maven.org/maven2/org/openapitools/openapi-generator-cli/6.1.0/openapi-generator-cli-6.1.0.jar -O openapi-generator-cli.jar
|
||||
java -jar openapi-generator-cli.jar validate -i garage-admin-v0.yml
|
||||
```
|
|
@ -1,59 +0,0 @@
|
|||
/* montserrat-300 - latin */
|
||||
@font-face {
|
||||
font-family: 'Montserrat';
|
||||
font-style: normal;
|
||||
font-weight: 300;
|
||||
src: local(''),
|
||||
url('../fonts/montserrat-v25-latin-300.woff2') format('woff2'), /* Chrome 26+, Opera 23+, Firefox 39+ */
|
||||
url('../fonts/montserrat-v25-latin-300.woff') format('woff'); /* Chrome 6+, Firefox 3.6+, IE 9+, Safari 5.1+ */
|
||||
}
|
||||
|
||||
/* montserrat-regular - latin */
|
||||
@font-face {
|
||||
font-family: 'Montserrat';
|
||||
font-style: normal;
|
||||
font-weight: 400;
|
||||
src: local(''),
|
||||
url('../fonts/montserrat-v25-latin-regular.woff2') format('woff2'), /* Chrome 26+, Opera 23+, Firefox 39+ */
|
||||
url('../fonts/montserrat-v25-latin-regular.woff') format('woff'); /* Chrome 6+, Firefox 3.6+, IE 9+, Safari 5.1+ */
|
||||
}
|
||||
|
||||
/* montserrat-700 - latin */
|
||||
@font-face {
|
||||
font-family: 'Montserrat';
|
||||
font-style: normal;
|
||||
font-weight: 700;
|
||||
src: local(''),
|
||||
url('../fonts/montserrat-v25-latin-700.woff2') format('woff2'), /* Chrome 26+, Opera 23+, Firefox 39+ */
|
||||
url('../fonts/montserrat-v25-latin-700.woff') format('woff'); /* Chrome 6+, Firefox 3.6+, IE 9+, Safari 5.1+ */
|
||||
}
|
||||
/* roboto-300 - latin */
|
||||
@font-face {
|
||||
font-family: 'Roboto';
|
||||
font-style: normal;
|
||||
font-weight: 300;
|
||||
src: local(''),
|
||||
url('../fonts/roboto-v30-latin-300.woff2') format('woff2'), /* Chrome 26+, Opera 23+, Firefox 39+ */
|
||||
url('../fonts/roboto-v30-latin-300.woff') format('woff'); /* Chrome 6+, Firefox 3.6+, IE 9+, Safari 5.1+ */
|
||||
}
|
||||
|
||||
/* roboto-regular - latin */
|
||||
@font-face {
|
||||
font-family: 'Roboto';
|
||||
font-style: normal;
|
||||
font-weight: 400;
|
||||
src: local(''),
|
||||
url('../fonts/roboto-v30-latin-regular.woff2') format('woff2'), /* Chrome 26+, Opera 23+, Firefox 39+ */
|
||||
url('../fonts/roboto-v30-latin-regular.woff') format('woff'); /* Chrome 6+, Firefox 3.6+, IE 9+, Safari 5.1+ */
|
||||
}
|
||||
|
||||
/* roboto-700 - latin */
|
||||
@font-face {
|
||||
font-family: 'Roboto';
|
||||
font-style: normal;
|
||||
font-weight: 700;
|
||||
src: local(''),
|
||||
url('../fonts/roboto-v30-latin-700.woff2') format('woff2'), /* Chrome 26+, Opera 23+, Firefox 39+ */
|
||||
url('../fonts/roboto-v30-latin-700.woff') format('woff'); /* Chrome 6+, Firefox 3.6+, IE 9+, Safari 5.1+ */
|
||||
}
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>Garage Adminstration API v0</title>
|
||||
<!-- needed for adaptive design -->
|
||||
<meta charset="utf-8"/>
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||||
<link href="./css/redoc.css" rel="stylesheet">
|
||||
|
||||
<!--
|
||||
Redoc doesn't change outer page styles
|
||||
-->
|
||||
<style>
|
||||
body {
|
||||
margin: 0;
|
||||
padding: 0;
|
||||
}
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<redoc spec-url='./garage-admin-v0.yml'></redoc>
|
||||
<script src="./redoc.standalone.js"> </script>
|
||||
</body>
|
||||
</html>
|
|
@ -1,24 +0,0 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>Garage Adminstration API v0</title>
|
||||
<!-- needed for adaptive design -->
|
||||
<meta charset="utf-8"/>
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||||
<link href="./css/redoc.css" rel="stylesheet">
|
||||
|
||||
<!--
|
||||
Redoc doesn't change outer page styles
|
||||
-->
|
||||
<style>
|
||||
body {
|
||||
margin: 0;
|
||||
padding: 0;
|
||||
}
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<redoc spec-url='./garage-admin-v1.yml'></redoc>
|
||||
<script src="./redoc.standalone.js"> </script>
|
||||
</body>
|
||||
</html>
|
|
@ -1,3 +0,0 @@
|
|||
These are the sources for the documentation but not the whole website.
|
||||
The website templates and other things are in garage_website, which
|
||||
uses this as a submodule.
|
|
@ -1,5 +0,0 @@
|
|||
+++
|
||||
template = "documentation.html"
|
||||
page_template = "documentation.html"
|
||||
redirect_to = "documentation/quick-start/"
|
||||
+++
|
6
doc/book/book.toml
Normal file
|
@ -0,0 +1,6 @@
|
|||
[book]
|
||||
authors = ["Quentin Dufour"]
|
||||
language = "en"
|
||||
multilingual = false
|
||||
src = "src"
|
||||
title = "Garage Documentation"
|
|
@ -1,54 +0,0 @@
|
|||
+++
|
||||
title = "Build your own app"
|
||||
weight = 40
|
||||
sort_by = "weight"
|
||||
template = "documentation.html"
|
||||
+++
|
||||
|
||||
Garage has many API that you can rely on to build complex applications.
|
||||
In this section, we reference the existing SDKs and give some code examples.
|
||||
|
||||
|
||||
## ⚠️ DISCLAIMER
|
||||
|
||||
**K2V AND ADMIN SDK ARE TECHNICAL PREVIEWS**. The following limitations apply:
|
||||
- The API is not complete, some actions are possible only through the `garage` binary
|
||||
- The underlying admin API is not yet stable nor complete, it can breaks at any time
|
||||
- The generator configuration is currently tweaked, the library might break at any time due to a generator change
|
||||
- Because the API and the library are not stable, none of them are published in a package manager (npm, pypi, etc.)
|
||||
- This code has not been extensively tested, some things might not work (please report!)
|
||||
|
||||
To have the best experience possible, please consider:
|
||||
- Make sure that the version of the library you are using is pinned (`go.sum`, `package-lock.json`, `requirements.txt`).
|
||||
- Before upgrading your Garage cluster, make sure that you can find a version of this SDK that works with your targeted version and that you are able to update your own code to work with this new version of the library.
|
||||
- Join our Matrix channel at `#garage:deuxfleurs.fr`, say that you are interested by this SDK, and report any friction.
|
||||
- If stability is critical, mirror this repository on your own infrastructure, regenerate the SDKs and upgrade them at your own pace.
|
||||
|
||||
|
||||
## About the APIs
|
||||
|
||||
Code can interact with Garage through 3 different APIs: S3, K2V, and Admin.
|
||||
Each of them has a specific scope.
|
||||
|
||||
### S3
|
||||
|
||||
De-facto standard, introduced by Amazon, designed to store blobs of data.
|
||||
|
||||
### K2V
|
||||
|
||||
A simple database API similar to RiakKV or DynamoDB.
|
||||
Think a key value store with some additional operations.
|
||||
Its design is inspired by Distributed Hash Tables (DHT).
|
||||
|
||||
More information:
|
||||
- [In the reference manual](@/documentation/reference-manual/k2v.md)
|
||||
|
||||
|
||||
### Administration
|
||||
|
||||
Garage operations can also be automated through a REST API.
|
||||
We are currently building this SDK for [Python](@/documentation/build/python.md#admin-api), [Javascript](@/documentation/build/javascript.md#administration) and [Golang](@/documentation/build/golang.md#administration).
|
||||
|
||||
More information:
|
||||
- [In the reference manual](@/documentation/reference-manual/admin-api.md)
|
||||
- [Full specifiction](https://garagehq.deuxfleurs.fr/api/garage-admin-v0.html)
|
|
@ -1,123 +0,0 @@
|
|||
+++
|
||||
title = "Golang"
|
||||
weight = 30
|
||||
+++
|
||||
|
||||
## S3
|
||||
|
||||
*Coming soon*
|
||||
|
||||
Some refs:
|
||||
- Minio minio-go-sdk
|
||||
- [Reference](https://docs.min.io/docs/golang-client-api-reference.html)
|
||||
|
||||
- Amazon aws-sdk-go-v2
|
||||
- [Installation](https://aws.github.io/aws-sdk-go-v2/docs/getting-started/)
|
||||
- [Reference](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/s3)
|
||||
- [Example](https://aws.github.io/aws-sdk-go-v2/docs/code-examples/s3/putobject/)
|
||||
|
||||
## K2V
|
||||
|
||||
*Coming soon*
|
||||
|
||||
## Administration
|
||||
|
||||
Install the SDK with:
|
||||
|
||||
```bash
|
||||
go get git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang
|
||||
```
|
||||
|
||||
A short example:
|
||||
|
||||
```go
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"os"
|
||||
"strings"
|
||||
garage "git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang"
|
||||
)
|
||||
|
||||
func main() {
|
||||
// Initialization
|
||||
configuration := garage.NewConfiguration()
|
||||
configuration.Host = "127.0.0.1:3903"
|
||||
client := garage.NewAPIClient(configuration)
|
||||
ctx := context.WithValue(context.Background(), garage.ContextAccessToken, "s3cr3t")
|
||||
|
||||
// Nodes
|
||||
fmt.Println("--- nodes ---")
|
||||
nodes, _, _ := client.NodesApi.GetNodes(ctx).Execute()
|
||||
fmt.Fprintf(os.Stdout, "First hostname: %v\n", nodes.KnownNodes[0].Hostname)
|
||||
capa := int64(1000000000)
|
||||
change := []garage.NodeRoleChange{
|
||||
garage.NodeRoleChange{NodeRoleUpdate: &garage.NodeRoleUpdate {
|
||||
Id: *nodes.KnownNodes[0].Id,
|
||||
Zone: "dc1",
|
||||
Capacity: *garage.NewNullableInt64(&capa),
|
||||
Tags: []string{ "fast", "amd64" },
|
||||
}},
|
||||
}
|
||||
staged, _, _ := client.LayoutApi.AddLayout(ctx).NodeRoleChange(change).Execute()
|
||||
msg, _, _ := client.LayoutApi.ApplyLayout(ctx).LayoutVersion(*garage.NewLayoutVersion(staged.Version + 1)).Execute()
|
||||
fmt.Printf(strings.Join(msg.Message, "\n")) // Layout configured
|
||||
|
||||
health, _, _ := client.NodesApi.GetHealth(ctx).Execute()
|
||||
fmt.Printf("Status: %s, nodes: %v/%v, storage: %v/%v, partitions: %v/%v\n", health.Status, health.ConnectedNodes, health.KnownNodes, health.StorageNodesOk, health.StorageNodes, health.PartitionsAllOk, health.Partitions)
|
||||
|
||||
// Key
|
||||
fmt.Println("\n--- key ---")
|
||||
key := "openapi-key"
|
||||
keyInfo, _, _ := client.KeyApi.AddKey(ctx).AddKeyRequest(garage.AddKeyRequest{Name: *garage.NewNullableString(&key) }).Execute()
|
||||
defer client.KeyApi.DeleteKey(ctx).Id(*keyInfo.AccessKeyId).Execute()
|
||||
fmt.Printf("AWS_ACCESS_KEY_ID=%s\nAWS_SECRET_ACCESS_KEY=%s\n", *keyInfo.AccessKeyId, *keyInfo.SecretAccessKey.Get())
|
||||
|
||||
id := *keyInfo.AccessKeyId
|
||||
canCreateBucket := true
|
||||
updateKeyRequest := *garage.NewUpdateKeyRequest()
|
||||
updateKeyRequest.SetName("openapi-key-updated")
|
||||
updateKeyRequest.SetAllow(garage.UpdateKeyRequestAllow { CreateBucket: &canCreateBucket })
|
||||
update, _, _ := client.KeyApi.UpdateKey(ctx).Id(id).UpdateKeyRequest(updateKeyRequest).Execute()
|
||||
fmt.Printf("Updated %v with key name %v\n", *update.AccessKeyId, *update.Name)
|
||||
|
||||
keyList, _, _ := client.KeyApi.ListKeys(ctx).Execute()
|
||||
fmt.Printf("Keys count: %v\n", len(keyList))
|
||||
|
||||
// Bucket
|
||||
fmt.Println("\n--- bucket ---")
|
||||
global_name := "global-ns-openapi-bucket"
|
||||
local_name := "local-ns-openapi-bucket"
|
||||
bucketInfo, _, _ := client.BucketApi.CreateBucket(ctx).CreateBucketRequest(garage.CreateBucketRequest{
|
||||
GlobalAlias: &global_name,
|
||||
LocalAlias: &garage.CreateBucketRequestLocalAlias {
|
||||
AccessKeyId: keyInfo.AccessKeyId,
|
||||
Alias: &local_name,
|
||||
},
|
||||
}).Execute()
|
||||
defer client.BucketApi.DeleteBucket(ctx).Id(*bucketInfo.Id).Execute()
|
||||
fmt.Printf("Bucket id: %s\n", *bucketInfo.Id)
|
||||
|
||||
updateBucketRequest := *garage.NewUpdateBucketRequest()
|
||||
website := garage.NewUpdateBucketRequestWebsiteAccess()
|
||||
website.SetEnabled(true)
|
||||
website.SetIndexDocument("index.html")
|
||||
website.SetErrorDocument("errors/4xx.html")
|
||||
updateBucketRequest.SetWebsiteAccess(*website)
|
||||
quotas := garage.NewUpdateBucketRequestQuotas()
|
||||
quotas.SetMaxSize(1000000000)
|
||||
quotas.SetMaxObjects(999999999)
|
||||
updateBucketRequest.SetQuotas(*quotas)
|
||||
updatedBucket, _, _ := client.BucketApi.UpdateBucket(ctx).Id(*bucketInfo.Id).UpdateBucketRequest(updateBucketRequest).Execute()
|
||||
fmt.Printf("Bucket %v website activation: %v\n", *updatedBucket.Id, *updatedBucket.WebsiteAccess)
|
||||
|
||||
bucketList, _, _ := client.BucketApi.ListBuckets(ctx).Execute()
|
||||
fmt.Printf("Bucket count: %v\n", len(bucketList))
|
||||
}
|
||||
```
|
||||
|
||||
See also:
|
||||
- [generated doc](https://git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang)
|
||||
- [examples](https://git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-generator/src/branch/main/example/golang)
|
|
@ -1,55 +0,0 @@
|
|||
+++
|
||||
title = "Javascript"
|
||||
weight = 10
|
||||
+++
|
||||
|
||||
## S3
|
||||
|
||||
*Coming soon*.
|
||||
|
||||
Some refs:
|
||||
- Minio SDK
|
||||
- [Reference](https://docs.min.io/docs/javascript-client-api-reference.html)
|
||||
|
||||
- Amazon aws-sdk-js
|
||||
- [Installation](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/getting-started.html)
|
||||
- [Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html)
|
||||
- [Example](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/s3-example-creating-buckets.html)
|
||||
|
||||
## K2V
|
||||
|
||||
*Coming soon*
|
||||
|
||||
## Administration
|
||||
|
||||
Install the SDK with:
|
||||
|
||||
```bash
|
||||
npm install --save git+https://git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-js.git
|
||||
```
|
||||
|
||||
A short example:
|
||||
|
||||
```javascript
|
||||
const garage = require('garage_administration_api_v1garage_v0_9_0');
|
||||
|
||||
const api = new garage.ApiClient("http://127.0.0.1:3903/v1");
|
||||
api.authentications['bearerAuth'].accessToken = "s3cr3t";
|
||||
|
||||
const [node, layout, key, bucket] = [
|
||||
new garage.NodesApi(api),
|
||||
new garage.LayoutApi(api),
|
||||
new garage.KeyApi(api),
|
||||
new garage.BucketApi(api),
|
||||
];
|
||||
|
||||
node.getNodes().then((data) => {
|
||||
console.log(`nodes: ${Object.values(data.knownNodes).map(n => n.hostname)}`)
|
||||
}, (error) => {
|
||||
console.error(error);
|
||||
});
|
||||
```
|
||||
|
||||
See also:
|
||||
- [sdk repository](https://git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-js)
|
||||
- [examples](https://git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-generator/src/branch/main/example/javascript)
|
|
@ -1,49 +0,0 @@
|
|||
+++
|
||||
title = "Others"
|
||||
weight = 99
|
||||
+++
|
||||
|
||||
## S3
|
||||
|
||||
If you are developping a new application, you may want to use Garage to store your user's media.
|
||||
|
||||
The S3 API that Garage uses is a standard REST API, so as long as you can make HTTP requests,
|
||||
you can query it. You can check the [S3 REST API Reference](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations_Amazon_Simple_Storage_Service.html) from Amazon to learn more.
|
||||
|
||||
Developping your own wrapper around the REST API is time consuming and complicated.
|
||||
Instead, there are some libraries already avalaible.
|
||||
|
||||
Some of them are maintained by Amazon, some by Minio, others by the community.
|
||||
|
||||
### PHP
|
||||
|
||||
- Amazon aws-sdk-php
|
||||
- [Installation](https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/getting-started_installation.html)
|
||||
- [Reference](https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-s3-2006-03-01.html)
|
||||
- [Example](https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/s3-examples-creating-buckets.html)
|
||||
|
||||
### Java
|
||||
|
||||
- Minio SDK
|
||||
- [Reference](https://docs.min.io/docs/java-client-api-reference.html)
|
||||
|
||||
- Amazon aws-sdk-java
|
||||
- [Installation](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html)
|
||||
- [Reference](https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/s3/S3Client.html)
|
||||
- [Example](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/examples-s3-objects.html)
|
||||
|
||||
### .NET
|
||||
|
||||
- Minio SDK
|
||||
- [Reference](https://docs.min.io/docs/dotnet-client-api-reference.html)
|
||||
|
||||
- Amazon aws-dotnet-sdk
|
||||
|
||||
### C++
|
||||
|
||||
- Amazon aws-cpp-sdk
|
||||
|
||||
### Haskell
|
||||
|
||||
- Minio SDK
|
||||
- [Reference](https://docs.min.io/docs/haskell-client-api-reference.html)
|
|
@ -1,139 +0,0 @@
|
|||
+++
|
||||
title = "Python"
|
||||
weight = 20
|
||||
+++
|
||||
|
||||
## S3
|
||||
|
||||
### Using Minio SDK
|
||||
|
||||
First install the SDK:
|
||||
|
||||
```bash
|
||||
pip3 install minio
|
||||
```
|
||||
|
||||
Then instantiate a client object using garage root domain, api key and secret:
|
||||
|
||||
```python
|
||||
import minio
|
||||
|
||||
client = minio.Minio(
|
||||
"your.domain.tld",
|
||||
"GKyourapikey",
|
||||
"abcd[...]1234",
|
||||
# Force the region, this is specific to garage
|
||||
region="region",
|
||||
)
|
||||
```
|
||||
|
||||
Then use all the standard S3 endpoints as implemented by the Minio SDK:
|
||||
|
||||
```
|
||||
# List buckets
|
||||
print(client.list_buckets())
|
||||
|
||||
# Put an object containing 'content' to /path in bucket named 'bucket':
|
||||
content = b"content"
|
||||
client.put_object(
|
||||
"bucket",
|
||||
"path",
|
||||
io.BytesIO(content),
|
||||
len(content),
|
||||
)
|
||||
|
||||
# Read the object back and check contents
|
||||
data = client.get_object("bucket", "path").read()
|
||||
assert data == content
|
||||
```
|
||||
|
||||
For further documentation, see the Minio SDK
|
||||
[Reference](https://docs.min.io/docs/python-client-api-reference.html)
|
||||
|
||||
### Using Amazon boto3
|
||||
|
||||
*Coming soon*
|
||||
|
||||
See the official documentation:
|
||||
- [Installation](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html)
|
||||
- [Reference](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html)
|
||||
- [Example](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/s3-uploading-files.html)
|
||||
|
||||
## K2V
|
||||
|
||||
*Coming soon*
|
||||
|
||||
## Admin API
|
||||
|
||||
You need at least Python 3.6, pip, and setuptools.
|
||||
Because the python package is in a subfolder, the command is a bit more complicated than usual:
|
||||
|
||||
```bash
|
||||
pip3 install --user 'git+https://git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-python'
|
||||
```
|
||||
|
||||
Now, let imagine you have a fresh Garage instance running on localhost, with the admin API configured on port 3903 with the bearer `s3cr3t`:
|
||||
|
||||
```python
|
||||
import garage_admin_sdk
|
||||
from garage_admin_sdk.apis import *
|
||||
from garage_admin_sdk.models import *
|
||||
|
||||
configuration = garage_admin_sdk.Configuration(
|
||||
host = "http://localhost:3903/v1",
|
||||
access_token = "s3cr3t"
|
||||
)
|
||||
|
||||
# Init APIs
|
||||
api = garage_admin_sdk.ApiClient(configuration)
|
||||
nodes, layout, keys, buckets = NodesApi(api), LayoutApi(api), KeyApi(api), BucketApi(api)
|
||||
|
||||
# Display some info on the node
|
||||
status = nodes.get_nodes()
|
||||
print(f"running garage {status.garage_version}, node_id {status.node}")
|
||||
|
||||
# Change layout of this node
|
||||
current = layout.get_layout()
|
||||
layout.add_layout([
|
||||
NodeRoleChange(
|
||||
id = status.node,
|
||||
zone = "dc1",
|
||||
capacity = 1000000000,
|
||||
tags = [ "dev" ],
|
||||
)
|
||||
])
|
||||
layout.apply_layout(LayoutVersion(
|
||||
version = current.version + 1
|
||||
))
|
||||
|
||||
# Create key, allow it to create buckets
|
||||
kinfo = keys.add_key(AddKeyRequest(name="openapi"))
|
||||
|
||||
allow_create = UpdateKeyRequestAllow(create_bucket=True)
|
||||
keys.update_key(kinfo.access_key_id, UpdateKeyRequest(allow=allow_create))
|
||||
|
||||
# Create a bucket, allow key, set quotas
|
||||
binfo = buckets.create_bucket(CreateBucketRequest(global_alias="documentation"))
|
||||
binfo = buckets.allow_bucket_key(AllowBucketKeyRequest(
|
||||
bucket_id=binfo.id,
|
||||
access_key_id=kinfo.access_key_id,
|
||||
permissions=AllowBucketKeyRequestPermissions(read=True, write=True, owner=True),
|
||||
))
|
||||
binfo = buckets.update_bucket(binfo.id, UpdateBucketRequest(
|
||||
quotas=UpdateBucketRequestQuotas(max_size=19029801,max_objects=1500)))
|
||||
|
||||
# Display key
|
||||
print(f"""
|
||||
cluster ready
|
||||
key id is {kinfo.access_key_id}
|
||||
secret key is {kinfo.secret_access_key}
|
||||
bucket {binfo.global_aliases[0]} contains {binfo.objects}/{binfo.quotas.max_objects} objects
|
||||
""")
|
||||
```
|
||||
|
||||
*This example is named `short.py` in the example folder. Other python examples are also available.*
|
||||
|
||||
See also:
|
||||
- [sdk repo](https://git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-python)
|
||||
- [examples](https://git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-generator/src/branch/main/example/python)
|
||||
|
|
@ -1,47 +0,0 @@
|
|||
+++
|
||||
title = "Rust"
|
||||
weight = 40
|
||||
+++
|
||||
|
||||
## S3
|
||||
|
||||
*Coming soon*
|
||||
|
||||
Some refs:
|
||||
- Amazon aws-rust-sdk
|
||||
- [Github](https://github.com/awslabs/aws-sdk-rust)
|
||||
|
||||
## K2V
|
||||
|
||||
*Coming soon*
|
||||
|
||||
Some refs: https://git.deuxfleurs.fr/Deuxfleurs/garage/src/branch/main/src/k2v-client
|
||||
|
||||
```bash
|
||||
# all these values can be provided on the cli instead
|
||||
export AWS_ACCESS_KEY_ID=GK123456
|
||||
export AWS_SECRET_ACCESS_KEY=0123..789
|
||||
export AWS_REGION=garage
|
||||
export K2V_ENDPOINT=http://172.30.2.1:3903
|
||||
export K2V_BUCKET=my-bucket
|
||||
|
||||
cargo run --features=cli -- read-range my-partition-key --all
|
||||
|
||||
cargo run --features=cli -- insert my-partition-key my-sort-key --text "my string1"
|
||||
cargo run --features=cli -- insert my-partition-key my-sort-key --text "my string2"
|
||||
cargo run --features=cli -- insert my-partition-key my-sort-key2 --text "my string"
|
||||
|
||||
cargo run --features=cli -- read-range my-partition-key --all
|
||||
|
||||
causality=$(cargo run --features=cli -- read my-partition-key my-sort-key2 -b | head -n1)
|
||||
cargo run --features=cli -- delete my-partition-key my-sort-key2 -c $causality
|
||||
|
||||
causality=$(cargo run --features=cli -- read my-partition-key my-sort-key -b | head -n1)
|
||||
cargo run --features=cli -- insert my-partition-key my-sort-key --text "my string3" -c $causality
|
||||
|
||||
cargo run --features=cli -- read-range my-partition-key --all
|
||||
```
|
||||
|
||||
## Admin API
|
||||
|
||||
*Coming soon*
|
|
@ -1,48 +0,0 @@
|
|||
+++
|
||||
title = "Existing integrations"
|
||||
weight = 30
|
||||
sort_by = "weight"
|
||||
template = "documentation.html"
|
||||
+++
|
||||
|
||||
|
||||
Garage implements the Amazon S3 protocol, which makes it compatible with many existing software programs.
|
||||
|
||||
In particular, you will find here instructions to connect it with:
|
||||
|
||||
- [Applications](@/documentation/connect/apps/index.md)
|
||||
- [Browsing tools](@/documentation/connect/cli.md)
|
||||
- [FUSE](@/documentation/connect/fs.md)
|
||||
- [Observability](@/documentation/connect/observability.md)
|
||||
- [Software repositories](@/documentation/connect/repositories.md)
|
||||
- [Website hosting](@/documentation/connect/websites.md)
|
||||
|
||||
### Generic instructions
|
||||
|
||||
To configure S3-compatible software to interact with Garage,
|
||||
you will need the following parameters:
|
||||
|
||||
- An **API endpoint**: this corresponds to the HTTP or HTTPS address
|
||||
used to contact the Garage server. When runing Garage locally this will usually
|
||||
be `http://127.0.0.1:3900`. In a real-world setting, you would usually have a reverse-proxy
|
||||
that adds TLS support and makes your Garage server available under a public hostname
|
||||
such as `https://garage.example.com`.
|
||||
|
||||
- An **API access key** and its associated **secret key**. These usually look something
|
||||
like this: `GK3515373e4c851ebaad366558` (access key),
|
||||
`7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34` (secret key).
|
||||
These keys are created and managed using the `garage` CLI, as explained in the
|
||||
[quick start](@/documentation/quick-start/_index.md) guide.
|
||||
|
||||
Most S3 clients can be configured easily with these parameters,
|
||||
provided that you follow the following guidelines:
|
||||
|
||||
- **Be careful to DNS-style/path-style access:** Garage supports both DNS-style buckets, which are now by default
|
||||
on Amazon S3, and legacy path-style buckets. If you use a reverse proxy in front of Garage,
|
||||
make sure that you configured it to support the access-style required by the software you want to use.
|
||||
|
||||
- **Configuring the S3 region:** Garage requires your client to talk to the correct "S3 region",
|
||||
which is set in the configuration file. This is often set just to `garage`.
|
||||
If this is not configured explicitly, clients usually try to talk to region `us-east-1`.
|
||||
Garage should normally redirect your client to the correct region,
|
||||
but in case your client does not support this you might have to configure it manually.
|
Before Width: | Height: | Size: 197 KiB |
|
@ -1,666 +0,0 @@
|
|||
+++
|
||||
title = "Apps (Nextcloud, Peertube...)"
|
||||
weight = 5
|
||||
+++
|
||||
|
||||
In this section, we cover the following web applications:
|
||||
|
||||
| Name | Status | Note |
|
||||
|------|--------|------|
|
||||
| [Nextcloud](#nextcloud) | ✅ | Both Primary Storage and External Storage are supported |
|
||||
| [Peertube](#peertube) | ✅ | Supported with the website endpoint, proxifying private videos unsupported |
|
||||
| [Mastodon](#mastodon) | ✅ | Natively supported |
|
||||
| [Matrix](#matrix) | ✅ | Tested with `synapse-s3-storage-provider` |
|
||||
| [ejabberd](#ejabberd) | ✅ | `mod_s3_upload` |
|
||||
| [Pixelfed](#pixelfed) | ❓ | Not yet tested |
|
||||
| [Pleroma](#pleroma) | ❓ | Not yet tested |
|
||||
| [Lemmy](#lemmy) | ✅ | Supported with pict-rs |
|
||||
| [Funkwhale](#funkwhale) | ❓ | Not yet tested |
|
||||
| [Misskey](#misskey) | ❓ | Not yet tested |
|
||||
| [Prismo](#prismo) | ❓ | Not yet tested |
|
||||
| [Owncloud OCIS](#owncloud-infinite-scale-ocis) | ❓| Not yet tested |
|
||||
|
||||
## Nextcloud
|
||||
|
||||
Nextcloud is a popular file synchronisation and backup service.
|
||||
By default, Nextcloud stores its data on the local filesystem.
|
||||
If you want to expand your storage to aggregate multiple servers, Garage is the way to go.
|
||||
|
||||
A S3 backend can be configured in two ways on Nextcloud, either as Primary Storage or as an External Storage.
|
||||
Primary storage will store all your data on S3, in an opaque manner, and will provide the best performances.
|
||||
External storage enable you to select which data will be stored on S3, your file hierarchy will be preserved in S3, but it might be slower.
|
||||
|
||||
In the following, we cover both methods but before reading our guide, we suppose you have done some preliminary steps.
|
||||
First, we expect you have an already installed and configured Nextcloud instance.
|
||||
Second, we suppose you have created a key and a bucket.
|
||||
|
||||
As a reminder, you can create a key for your nextcloud instance as follow:
|
||||
|
||||
```bash
|
||||
garage key create nextcloud-key
|
||||
```
|
||||
|
||||
Keep the Key ID and the Secret key in a pad, they will be needed later.
|
||||
Then you can create a bucket and give read/write rights to your key on this bucket with:
|
||||
|
||||
```bash
|
||||
garage bucket create nextcloud
|
||||
garage bucket allow nextcloud --read --write --key nextcloud-key
|
||||
```
|
||||
|
||||
|
||||
### Primary Storage
|
||||
|
||||
Now edit your Nextcloud configuration file to enable object storage.
|
||||
On my installation, the config. file is located at the following path: `/var/www/nextcloud/config/config.php`.
|
||||
We will add a new root key to the `$CONFIG` dictionnary named `objectstore`:
|
||||
|
||||
```php
|
||||
<?php
|
||||
$CONFIG = array(
|
||||
/* your existing configuration */
|
||||
'objectstore' => [
|
||||
'class' => '\\OC\\Files\\ObjectStore\\S3',
|
||||
'arguments' => [
|
||||
'bucket' => 'nextcloud', // Your bucket name, must be created before
|
||||
'autocreate' => false, // Garage does not support autocreate
|
||||
'key' => 'xxxxxxxxx', // The Key ID generated previously
|
||||
'secret' => 'xxxxxxxxx', // The Secret key generated previously
|
||||
'hostname' => '127.0.0.1', // Can also be a domain name, eg. garage.example.com
|
||||
'port' => 3900, // Put your reverse proxy port or your S3 API port
|
||||
'use_ssl' => false, // Set it to true if you have a TLS enabled reverse proxy
|
||||
'region' => 'garage', // Garage has only one region named "garage"
|
||||
'use_path_style' => true // Garage supports only path style, must be set to true
|
||||
],
|
||||
],
|
||||
```
|
||||
|
||||
That's all, your Nextcloud will store all your data to S3.
|
||||
To test your new configuration, just reload your Nextcloud webpage and start sending data.
|
||||
|
||||
*External link:* [Nextcloud Documentation > Primary Storage](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/primary_storage.html)
|
||||
|
||||
#### SSE-C encryption (since Garage v1.0)
|
||||
|
||||
Since version 1.0, Garage supports server-side encryption with customer keys
|
||||
(SSE-C). In this mode, Garage is responsible for encrypting and decrypting
|
||||
objects, but it does not store the encryption key itself. The encryption key
|
||||
should be provided by Nextcloud upon each request. This mode of operation is
|
||||
supported by Nextcloud and it has successfully been tested together with
|
||||
Garage.
|
||||
|
||||
To enable SSE-C encryption:
|
||||
|
||||
1. Make sure your Garage server is accessible via SSL through a reverse proxy
|
||||
such as Nginx, and that it is using a valid public certificate (Nextcloud
|
||||
might be able to connect to an S3 server that is using a self-signed
|
||||
certificate, but you will lose many hours while trying, so don't).
|
||||
Configure values for `use_ssl` and `port` accordingly in your `config.php`
|
||||
file.
|
||||
|
||||
2. Generate an encryption key using the following command:
|
||||
|
||||
```
|
||||
openssl rand -base64 32
|
||||
```
|
||||
|
||||
Make sure to keep this key **secret**!
|
||||
|
||||
3. Add the encryption key in your `config.php` file as follows:
|
||||
|
||||
|
||||
```php
|
||||
<?php
|
||||
$CONFIG = array(
|
||||
'objectstore' => [
|
||||
'class' => '\\OC\\Files\\ObjectStore\\S3',
|
||||
'arguments' => [
|
||||
...
|
||||
'sse_c_key' => 'exampleencryptionkeyLbU+5fKYQcVoqnn+RaIOXgo=',
|
||||
...
|
||||
],
|
||||
],
|
||||
```
|
||||
|
||||
Nextcloud will now make Garage encrypt files at rest in the storage bucket.
|
||||
These files will not be readable by an S3 client that has credentials to the
|
||||
bucket but doesn't also know the secret encryption key.
|
||||
|
||||
|
||||
### External Storage
|
||||
|
||||
**From the GUI.** Activate the "External storage support" app from the "Applications" page (click on your account icon on the top right corner of your screen to display the menu). Go to your parameters page (also located below your account icon). Click on external storage (or the corresponding translation in your language).
|
||||
|
||||
[![Screenshot of the External Storage form](cli-nextcloud-gui.png)](cli-nextcloud-gui.png)
|
||||
*Click on the picture to zoom*
|
||||
|
||||
Add a new external storage. Put what you want in "folder name" (eg. "shared"). Select "Amazon S3". Keep "Access Key" for the Authentication field.
|
||||
In Configuration, put your bucket name (eg. nextcloud), the host (eg. 127.0.0.1), the port (eg. 3900 or 443), the region (garage). Tick the SSL box if you have put an HTTPS proxy in front of garage. You must tick the "Path access" box and you must leave the "Legacy authentication (v2)" box empty. Put your Key ID (eg. GK...) and your Secret Key in the last two input boxes. Finally click on the tick symbol on the right of your screen.
|
||||
|
||||
Now go to your "Files" app and a new "linked folder" has appeared with the name you chose earlier (eg. "shared").
|
||||
|
||||
*External link:* [Nextcloud Documentation > External Storage Configuration GUI](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/external_storage_configuration_gui.html)
|
||||
|
||||
**From the CLI.** First install the external storage application:
|
||||
|
||||
```bash
|
||||
php occ app:install files_external
|
||||
```
|
||||
|
||||
Then add a new mount point with:
|
||||
|
||||
```bash
|
||||
php occ files_external:create \
|
||||
-c bucket=nextcloud \
|
||||
-c hostname=127.0.0.1 \
|
||||
-c port=3900 \
|
||||
-c region=garage \
|
||||
-c use_ssl=false \
|
||||
-c use_path_style=true \
|
||||
-c legacy_auth=false \
|
||||
-c key=GKxxxx \
|
||||
-c secret=xxxx \
|
||||
shared amazons3 amazons3::accesskey
|
||||
```
|
||||
|
||||
Adapt the `hostname`, `port`, `use_ssl`, `key`, and `secret` entries to your configuration.
|
||||
Do not change the `use_path_style` and `legacy_auth` entries, other configurations are not supported.
|
||||
|
||||
*External link:* [Nextcloud Documentation > occ command > files external](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#files-external-label)
|
||||
|
||||
|
||||
## Peertube
|
||||
|
||||
Peertube proposes a clever integration of S3 by directly exposing its endpoint instead of proxifying requests through the application.
|
||||
In other words, Peertube is only responsible of the "control plane" and offload the "data plane" to Garage.
|
||||
In return, this system is a bit harder to configure.
|
||||
We show how it is still possible to configure Garage with Peertube, allowing you to spread the load and the bandwidth usage on the Garage cluster.
|
||||
|
||||
Starting from version 5.0, Peertube also supports improving the security for private videos by not exposing them directly
|
||||
but relying on a single control point in the Peertube instance. This is based on S3 per-object and prefix ACL, which are not currently supported
|
||||
in Garage, so this feature is unsupported. While this technically impedes security for private videos, it is not a blocking issue and could be
|
||||
a reasonable trade-off for some instances.
|
||||
|
||||
### Create resources in Garage
|
||||
|
||||
Create a key for Peertube:
|
||||
|
||||
```bash
|
||||
garage key create peertube-key
|
||||
```
|
||||
|
||||
Keep the Key ID and the Secret key in a pad, they will be needed later.
|
||||
|
||||
We need two buckets, one for normal videos (named peertube-video) and one for webtorrent videos (named peertube-playlist).
|
||||
```bash
|
||||
garage bucket create peertube-videos
|
||||
garage bucket create peertube-playlist
|
||||
```
|
||||
|
||||
Now we allow our key to read and write on these buckets:
|
||||
|
||||
```
|
||||
garage bucket allow peertube-playlists --read --write --owner --key peertube-key
|
||||
garage bucket allow peertube-videos --read --write --owner --key peertube-key
|
||||
```
|
||||
|
||||
We also need to expose these buckets publicly to serve their content to users:
|
||||
|
||||
```bash
|
||||
garage bucket website --allow peertube-playlists
|
||||
garage bucket website --allow peertube-videos
|
||||
```
|
||||
|
||||
Finally, we must allow Cross-Origin Resource Sharing (CORS).
|
||||
CORS are required by your browser to allow requests triggered from the peertube website (eg. peertube.tld) to your bucket's domain (eg. peertube-videos.web.garage.tld)
|
||||
|
||||
```bash
|
||||
export CORS='{"CORSRules":[{"AllowedHeaders":["*"],"AllowedMethods":["GET"],"AllowedOrigins":["*"]}]}'
|
||||
aws --endpoint http://s3.garage.localhost s3api put-bucket-cors --bucket peertube-playlists --cors-configuration $CORS
|
||||
aws --endpoint http://s3.garage.localhost s3api put-bucket-cors --bucket peertube-videos --cors-configuration $CORS
|
||||
```
|
||||
|
||||
These buckets are now accessible on the web port (by default 3902) with the following URL: `http://<bucket><root_domain>:<web_port>` where the root domain is defined in your configuration file (by default `.web.garage`). So we have currently the following URLs:
|
||||
* http://peertube-playlists.web.garage:3902
|
||||
* http://peertube-videos.web.garage:3902
|
||||
|
||||
Make sure you (will) have a corresponding DNS entry for them.
|
||||
|
||||
|
||||
### Configure Peertube
|
||||
|
||||
You must edit the file named `config/production.yaml`, we are only modifying the root key named `object_storage`:
|
||||
|
||||
```yaml
|
||||
object_storage:
|
||||
enabled: true
|
||||
|
||||
# Put localhost only if you have a garage instance running on that node
|
||||
endpoint: 'http://localhost:3900' # or "garage.example.com" if you have TLS on port 443
|
||||
|
||||
# Garage supports only one region for now, named garage
|
||||
region: 'garage'
|
||||
|
||||
credentials:
|
||||
access_key_id: 'GKxxxx'
|
||||
secret_access_key: 'xxxx'
|
||||
|
||||
max_upload_part: 2GB
|
||||
|
||||
proxy:
|
||||
# You may enable this feature, yet it will not provide any security benefit, so
|
||||
# you should rather benefit from Garage public endpoint for all videos
|
||||
proxify_private_files: false
|
||||
|
||||
streaming_playlists:
|
||||
bucket_name: 'peertube-playlist'
|
||||
|
||||
# Keep it empty for our example
|
||||
prefix: ''
|
||||
|
||||
# You must fill this field to make Peertube use our reverse proxy/website logic
|
||||
base_url: 'http://peertube-playlists.web.garage.localhost' # Example: 'https://mirror.example.com'
|
||||
|
||||
# Same settings but for webtorrent videos
|
||||
videos:
|
||||
bucket_name: 'peertube-videos'
|
||||
prefix: ''
|
||||
# You must fill this field to make Peertube use our reverse proxy/website logic
|
||||
base_url: 'http://peertube-videos.web.garage.localhost'
|
||||
```
|
||||
|
||||
### That's all
|
||||
|
||||
Everything must be configured now, simply restart Peertube and try to upload a video.
|
||||
|
||||
Peertube will start by serving the video from its own domain while it is encoding.
|
||||
Once the encoding is done, the video is uploaded to Garage.
|
||||
You can now reload the page and see in your browser console that data are fetched directly from your bucket.
|
||||
|
||||
*External link:* [Peertube Documentation > Remote Storage](https://docs.joinpeertube.org/admin-remote-storage)
|
||||
|
||||
## Mastodon
|
||||
|
||||
Mastodon natively supports the S3 protocol to store media files, and it works out-of-the-box with Garage.
|
||||
You will need to expose your Garage bucket as a website: that way, media files will be served directly from Garage.
|
||||
|
||||
### Performance considerations
|
||||
|
||||
Mastodon tends to store many small objects over time: expect hundreds of thousands of objects,
|
||||
with average object size ranging from 50 KB to 150 KB.
|
||||
|
||||
As such, your Garage cluster should be configured appropriately for good performance:
|
||||
|
||||
- use Garage v0.8.0 or higher with the [LMDB database engine](@documentation/reference-manual/configuration.md#db-engine-since-v0-8-0).
|
||||
Older versions of Garage used the Sled database engine which had issues, such as databases quickly ending up taking tens of GB of disk space.
|
||||
- the Garage database should be stored on a SSD
|
||||
|
||||
### Creating your bucket
|
||||
|
||||
This is the usual Garage setup:
|
||||
|
||||
```bash
|
||||
garage key create mastodon-key
|
||||
garage bucket create mastodon-data
|
||||
garage bucket allow mastodon-data --read --write --key mastodon-key
|
||||
```
|
||||
|
||||
Note the Key ID and Secret Key.
|
||||
|
||||
### Exposing your bucket as a website
|
||||
|
||||
Create a DNS name to serve your media files, such as `my-social-media.mydomain.tld`.
|
||||
This name will be publicly exposed to the users of your Mastodon instance: they
|
||||
will load images directly from this DNS name.
|
||||
|
||||
As [documented here](@/documentation/cookbook/exposing-websites.md),
|
||||
add this DNS name as alias to your bucket, and expose it as a website:
|
||||
|
||||
```bash
|
||||
garage bucket alias mastodon-data my-social-media.mydomain.tld
|
||||
garage bucket website --allow mastodon-data
|
||||
```
|
||||
|
||||
Then you will likely need to [setup a reverse proxy](@/documentation/cookbook/reverse-proxy.md)
|
||||
in front of it to serve your media files over HTTPS.
|
||||
|
||||
### Cleaning up old media files before migration
|
||||
|
||||
Mastodon instance quickly accumulate a lot of media files from the federation.
|
||||
Most of them are not strictly necessary because they can be fetched again from
|
||||
other servers. As such, it is highly recommended to clean them up before
|
||||
migration, this will greatly reduce the migration time.
|
||||
|
||||
From the [official Mastodon documentation](https://docs.joinmastodon.org/admin/tootctl/#media):
|
||||
|
||||
```bash
|
||||
$ RAILS_ENV=production bin/tootctl media remove --days 3
|
||||
$ RAILS_ENV=production bin/tootctl media remove-orphans
|
||||
$ RAILS_ENV=production bin/tootctl preview_cards remove --days 15
|
||||
```
|
||||
|
||||
Here is a typical disk usage for a small but multi-year instance after cleanup:
|
||||
|
||||
```bash
|
||||
$ RAILS_ENV=production bin/tootctl media usage
|
||||
Attachments: 5.67 GB (1.14 GB local)
|
||||
Custom emoji: 295 MB (0 Bytes local)
|
||||
Preview cards: 154 MB
|
||||
Avatars: 3.77 GB (127 KB local)
|
||||
Headers: 8.72 GB (242 KB local)
|
||||
Backups: 0 Bytes
|
||||
Imports: 1.7 KB
|
||||
Settings: 0 Bytes
|
||||
```
|
||||
|
||||
Unfortunately, [old avatars and headers cannot currently be cleaned up](https://github.com/mastodon/mastodon/issues/9567).
|
||||
|
||||
### Migrating your data
|
||||
|
||||
Data migration should be done with an efficient S3 client.
|
||||
The [minio client](@documentation/connect/cli.md#minio-client) is a good choice
|
||||
thanks to its mirror mode:
|
||||
|
||||
```bash
|
||||
mc mirror ./public/system/ garage/mastodon-data
|
||||
```
|
||||
|
||||
Here is a typical bucket usage after all data has been migrated:
|
||||
|
||||
```bash
|
||||
$ garage bucket info mastodon-data
|
||||
|
||||
Size: 20.3 GiB (21.8 GB)
|
||||
Objects: 175968
|
||||
```
|
||||
|
||||
### Configuring Mastodon
|
||||
|
||||
In your `.env.production` configuration file:
|
||||
|
||||
```bash
|
||||
S3_ENABLED=true
|
||||
# Internal access to Garage
|
||||
S3_ENDPOINT=http://my-garage-instance.mydomain.tld:3900
|
||||
S3_REGION=garage
|
||||
S3_BUCKET=mastodon-data
|
||||
# Change this (Key ID and Secret Key of your Garage key)
|
||||
AWS_ACCESS_KEY_ID=GKe88df__CHANGETHIS__c5145
|
||||
AWS_SECRET_ACCESS_KEY=a2f7__CHANGETHIS__77fcfcf7a58f47a4aa4431f2e675c56da37821a1070000
|
||||
# What name gets exposed to users (HTTPS is implicit)
|
||||
S3_ALIAS_HOST=my-social-media.mydomain.tld
|
||||
```
|
||||
|
||||
For more details, see the [reference Mastodon documentation](https://docs.joinmastodon.org/admin/config/#cdn).
|
||||
|
||||
Restart all Mastodon services and everything should now be using Garage!
|
||||
You can check the URLs of images in the Mastodon web client, they should start
|
||||
with `https://my-social-media.mydomain.tld`.
|
||||
|
||||
### Last migration sync
|
||||
|
||||
After Mastodon is successfully using Garage, you can run a last sync from the local filesystem to Garage:
|
||||
|
||||
```bash
|
||||
mc mirror --newer-than "3h" ./public/system/ garage/mastodon-data
|
||||
```
|
||||
|
||||
### References
|
||||
|
||||
[cybrespace's guide to migrate to S3](https://github.com/cybrespace/cybrespace-meta/blob/master/s3.md)
|
||||
(the guide is for Amazon S3, so the configuration is a bit different, but the rest is similar)
|
||||
|
||||
|
||||
## Matrix
|
||||
|
||||
Matrix is a chat communication protocol. Its main stable server implementation, [Synapse](https://matrix-org.github.io/synapse/latest/), provides a module to store media on a S3 backend. Additionally, a server independent media store supporting S3 has been developped by the community, it has been made possible thanks to how the matrix API has been designed and will work with implementations like Conduit, Dendrite, etc.
|
||||
|
||||
### synapse-s3-storage-provider (synapse only)
|
||||
|
||||
Supposing you have a working synapse installation, you can add the module with pip:
|
||||
|
||||
```bash
|
||||
pip3 install --user git+https://github.com/matrix-org/synapse-s3-storage-provider.git
|
||||
```
|
||||
|
||||
Now create a bucket and a key for your matrix instance (note your Key ID and Secret Key somewhere, they will be needed later):
|
||||
|
||||
```bash
|
||||
garage key create matrix-key
|
||||
garage bucket create matrix
|
||||
garage bucket allow matrix --read --write --key matrix-key
|
||||
```
|
||||
|
||||
Then you must edit your server configuration (eg. `/etc/matrix-synapse/homeserver.yaml`) and add the `media_storage_providers` root key:
|
||||
|
||||
```yaml
|
||||
media_storage_providers:
|
||||
- module: s3_storage_provider.S3StorageProviderBackend
|
||||
store_local: True # do we want to store on S3 media created by our users?
|
||||
store_remote: True # do we want to store on S3 media created
|
||||
# by users of others servers federated to ours?
|
||||
store_synchronous: True # do we want to wait that the file has been written before returning?
|
||||
config:
|
||||
bucket: matrix # the name of our bucket, we chose matrix earlier
|
||||
region_name: garage # only "garage" is supported for the region field
|
||||
endpoint_url: http://localhost:3900 # the path to the S3 endpoint
|
||||
access_key_id: "GKxxx" # your Key ID
|
||||
secret_access_key: "xxxx" # your Secret Key
|
||||
```
|
||||
|
||||
Note that uploaded media will also be stored locally and this behavior can not be deactivated, it is even required for
|
||||
some operations like resizing images.
|
||||
In fact, your local filesysem is considered as a cache but without any automated way to garbage collect it.
|
||||
|
||||
We can build our garbage collector with `s3_media_upload`, a tool provided with the module.
|
||||
If you installed the module with the command provided before, you should be able to bring it in your path:
|
||||
|
||||
```
|
||||
PATH=$HOME/.local/bin/:$PATH
|
||||
command -v s3_media_upload
|
||||
```
|
||||
|
||||
Now we can write a simple script (eg `~/.local/bin/matrix-cache-gc`):
|
||||
|
||||
```bash
|
||||
#!/bin/bash
|
||||
|
||||
## CONFIGURATION ##
|
||||
AWS_ACCESS_KEY_ID=GKxxx
|
||||
AWS_SECRET_ACCESS_KEY=xxxx
|
||||
AWS_ENDPOINT_URL=http://localhost:3900
|
||||
S3_BUCKET=matrix
|
||||
MEDIA_STORE=/var/lib/matrix-synapse/media
|
||||
PG_USER=matrix
|
||||
PG_PASS=xxxx
|
||||
PG_DB=synapse
|
||||
PG_HOST=localhost
|
||||
PG_PORT=5432
|
||||
|
||||
## CODE ##
|
||||
PATH=$HOME/.local/bin/:$PATH
|
||||
cat > database.yaml <<EOF
|
||||
user: $PG_USER
|
||||
password: $PG_PASS
|
||||
database: $PG_DB
|
||||
host: $PG_HOST
|
||||
port: $PG_PORT
|
||||
EOF
|
||||
|
||||
s3_media_upload update-db 1d
|
||||
s3_media_upload --no-progress check-deleted $MEDIA_STORE
|
||||
s3_media_upload --no-progress upload $MEDIA_STORE $S3_BUCKET --delete --endpoint-url $AWS_ENDPOINT_URL
|
||||
```
|
||||
|
||||
This script will list all the medias that were not accessed in the 24 hours according to your database.
|
||||
It will check if, in this list, the file still exists in the local media store.
|
||||
For files that are still in the cache, it will upload them to S3 if they are not already present (in case of a crash or an initial synchronisation).
|
||||
Finally, the script will delete these files from the cache.
|
||||
|
||||
Make this script executable and check that it works:
|
||||
|
||||
```bash
|
||||
chmod +x $HOME/.local/bin/matrix-cache-gc
|
||||
matrix-cache-gc
|
||||
```
|
||||
|
||||
Add it to your crontab. Open the editor with:
|
||||
|
||||
```bash
|
||||
crontab -e
|
||||
```
|
||||
|
||||
And add a new line. For example, to run it every 10 minutes:
|
||||
|
||||
```cron
|
||||
*/10 * * * * $HOME/.local/bin/matrix-cache-gc
|
||||
```
|
||||
|
||||
*External link:* [Github > matrix-org/synapse-s3-storage-provider](https://github.com/matrix-org/synapse-s3-storage-provider)
|
||||
|
||||
### matrix-media-repo (server independent)
|
||||
|
||||
*External link:* [matrix-media-repo Documentation > S3](https://docs.t2bot.io/matrix-media-repo/configuration/s3-datastore.html)
|
||||
|
||||
## ejabberd
|
||||
|
||||
ejabberd is an XMPP server implementation which, with the `mod_s3_upload`
|
||||
module in the [ejabberd-contrib](https://github.com/processone/ejabberd-contrib)
|
||||
repository, can be integrated to store chat media files in Garage.
|
||||
|
||||
For uploads, this module leverages presigned URLs - this allows XMPP clients to
|
||||
directly send media to Garage. Receiving clients then retrieve this media
|
||||
through the [static website](@/documentation/cookbook/exposing-websites.md)
|
||||
functionality.
|
||||
|
||||
As the data itself is publicly accessible to someone with knowledge of the
|
||||
object URL - users are recommended to use
|
||||
[E2EE](@/documentation/cookbook/encryption.md) to protect this data-at-rest
|
||||
from unauthorized access.
|
||||
|
||||
Install the module with:
|
||||
|
||||
```bash
|
||||
ejabberdctl module_install mod_s3_upload
|
||||
```
|
||||
|
||||
Create the required key and bucket with:
|
||||
|
||||
```bash
|
||||
garage key new --name ejabberd
|
||||
garage bucket create objects.xmpp-server.fr
|
||||
garage bucket allow objects.xmpp-server.fr --read --write --key ejabberd
|
||||
garage bucket website --allow objects.xmpp-server.fr
|
||||
```
|
||||
|
||||
The module can then be configured with:
|
||||
|
||||
```
|
||||
mod_s3_upload:
|
||||
#bucket_url: https://objects.xmpp-server.fr.my-garage-instance.mydomain.tld
|
||||
bucket_url: https://my-garage-instance.mydomain.tld/objects.xmpp-server.fr
|
||||
access_key_id: GK...
|
||||
access_key_secret: ...
|
||||
region: garage
|
||||
download_url: https://objects.xmpp-server.fr
|
||||
```
|
||||
|
||||
Other configuration options can be found in the
|
||||
[configuration YAML file](https://github.com/processone/ejabberd-contrib/blob/master/mod_s3_upload/conf/mod_s3_upload.yml).
|
||||
|
||||
## Pixelfed
|
||||
|
||||
[Pixelfed Technical Documentation > Configuration](https://docs.pixelfed.org/technical-documentation/env.html#filesystem)
|
||||
|
||||
## Pleroma
|
||||
|
||||
[Pleroma Documentation > Pleroma.Uploaders.S3](https://docs-develop.pleroma.social/backend/configuration/cheatsheet/#pleromauploaderss3)
|
||||
|
||||
## Lemmy
|
||||
|
||||
Lemmy uses pict-rs that [supports S3 backends](https://git.asonix.dog/asonix/pict-rs/commit/f9f4fc63d670f357c93f24147c2ee3e1278e2d97).
|
||||
This feature requires `pict-rs >= 4.0.0`.
|
||||
|
||||
### Creating your bucket
|
||||
|
||||
This is the usual Garage setup:
|
||||
|
||||
```bash
|
||||
garage key new --name pictrs-key
|
||||
garage bucket create pictrs-data
|
||||
garage bucket allow pictrs-data --read --write --key pictrs-key
|
||||
```
|
||||
|
||||
Note the Key ID and Secret Key.
|
||||
|
||||
### Migrating your data
|
||||
|
||||
If your pict-rs instance holds existing data, you first need to migrate to the S3 bucket.
|
||||
|
||||
Stop pict-rs, then run the migration utility from local filesystem to the bucket:
|
||||
|
||||
```
|
||||
pict-rs \
|
||||
filesystem -p /path/to/existing/files \
|
||||
object-store \
|
||||
-e my-garage-instance.mydomain.tld:3900 \
|
||||
-b pictrs-data \
|
||||
-r garage \
|
||||
-a GK... \
|
||||
-s abcdef0123456789...
|
||||
```
|
||||
|
||||
This is pretty slow, so hold on while migrating.
|
||||
|
||||
### Running pict-rs with an S3 backend
|
||||
|
||||
Pict-rs supports both a configuration file and environment variables.
|
||||
|
||||
Either set the following section in your `pict-rs.toml`:
|
||||
|
||||
```
|
||||
[store]
|
||||
type = 'object_storage'
|
||||
endpoint = 'http://my-garage-instance.mydomain.tld:3900'
|
||||
bucket_name = 'pictrs-data'
|
||||
region = 'garage'
|
||||
access_key = 'GK...'
|
||||
secret_key = 'abcdef0123456789...'
|
||||
```
|
||||
|
||||
... or set these environment variables:
|
||||
|
||||
|
||||
```
|
||||
PICTRS__STORE__TYPE=object_storage
|
||||
PICTRS__STORE__ENDPOINT=http://my-garage-instance.mydomain.tld:3900
|
||||
PICTRS__STORE__BUCKET_NAME=pictrs-data
|
||||
PICTRS__STORE__REGION=garage
|
||||
PICTRS__STORE__ACCESS_KEY=GK...
|
||||
PICTRS__STORE__SECRET_KEY=abcdef0123456789...
|
||||
```
|
||||
|
||||
|
||||
## Funkwhale
|
||||
|
||||
[Funkwhale Documentation > S3 Storage](https://docs.funkwhale.audio/admin/configuration.html#s3-storage)
|
||||
|
||||
## Misskey
|
||||
|
||||
[Misskey Github > commit 9d94424](https://github.com/misskey-dev/misskey/commit/9d944243a3a59e8880a360cbfe30fd5a3ec8d52d)
|
||||
|
||||
## Prismo
|
||||
|
||||
[Prismo Gitlab > .env.production.sample](https://gitlab.com/prismosuite/prismo/-/blob/dev/.env.production.sample#L26-33)
|
||||
|
||||
## Owncloud Infinite Scale (ocis)
|
||||
|
||||
OCIS could be compatible with S3:
|
||||
- [Deploying OCIS with S3](https://owncloud.dev/ocis/deployment/ocis_s3/)
|
||||
- [OCIS 1.7 release note](https://central.owncloud.org/t/owncloud-infinite-scale-tech-preview-1-7-enables-s3-storage/32514/3)
|
||||
|
||||
## Unsupported
|
||||
|
||||
- Mobilizon: No S3 integration
|
||||
- WriteFreely: No S3 integration
|
||||
- Plume: No S3 integration
|
|
@ -1,163 +0,0 @@
|
|||
+++
|
||||
title = "Backups (restic, duplicity...)"
|
||||
weight = 25
|
||||
+++
|
||||
|
||||
|
||||
Backups are essential for disaster recovery but they are not trivial to manage.
|
||||
Using Garage as your backup target will enable you to scale your storage as needed while ensuring high availability.
|
||||
|
||||
## Borg Backup
|
||||
|
||||
Borg Backup is very popular among the backup tools but it is not yet compatible with the S3 API.
|
||||
We recommend using any other tool listed in this guide because they are all compatible with the S3 API.
|
||||
If you still want to use Borg, you can use it with `rclone mount`.
|
||||
|
||||
## git-annex
|
||||
|
||||
[git-annex](https://git-annex.branchable.com/) supports synchronizing files
|
||||
with its [S3 special remote](https://git-annex.branchable.com/special_remotes/S3/).
|
||||
|
||||
Note that `git-annex` requires to be compiled with Haskell package version
|
||||
`aws-0.24` to work with Garage.
|
||||
|
||||
```bash
|
||||
garage key new --name my-key
|
||||
garage bucket create my-git-annex
|
||||
garage bucket allow my-git-annex --read --write --key my-key
|
||||
```
|
||||
|
||||
Register your Key ID and Secret key in your environment:
|
||||
|
||||
```bash
|
||||
export AWS_ACCESS_KEY_ID=GKxxx
|
||||
export AWS_SECRET_ACCESS_KEY=xxxx
|
||||
```
|
||||
|
||||
Within a git-annex enabled repository, configure your Garage S3 endpoint with
|
||||
the following command:
|
||||
|
||||
```bash
|
||||
git annex initremote garage type=S3 encryption=none host=my-garage-instance.mydomain.tld protocol=https bucket=my-git-annex requeststyle=path region=garage signature=v4
|
||||
```
|
||||
|
||||
Files can now be synchronized using the usual `git-annex` `copy` or `get`
|
||||
commands.
|
||||
|
||||
Note that for simplicity - this example does not enable encryption for the files
|
||||
sent to Garage - please refer to the
|
||||
[git-annex encryption page](https://git-annex.branchable.com/encryption/) for
|
||||
how to configure this.
|
||||
|
||||
## Restic
|
||||
|
||||
Create your key and bucket:
|
||||
|
||||
```bash
|
||||
garage key create my-key
|
||||
garage bucket create backups
|
||||
garage bucket allow backups --read --write --key my-key
|
||||
```
|
||||
|
||||
Then register your Key ID and Secret key in your environment:
|
||||
|
||||
```bash
|
||||
export AWS_ACCESS_KEY_ID=GKxxx
|
||||
export AWS_SECRET_ACCESS_KEY=xxxx
|
||||
```
|
||||
|
||||
Configure restic from environment too:
|
||||
|
||||
```bash
|
||||
export RESTIC_REPOSITORY="s3:http://localhost:3900/backups"
|
||||
|
||||
echo "Generated password (save it safely): $(openssl rand -base64 32)"
|
||||
export RESTIC_PASSWORD=xxx # copy paste your generated password here
|
||||
```
|
||||
|
||||
Do not forget to save your password safely (in your password manager or print it). It will be needed to decrypt your backups.
|
||||
|
||||
Now you can use restic:
|
||||
|
||||
```bash
|
||||
# Initialize the bucket, must be run once
|
||||
restic init
|
||||
|
||||
# Backup your PostgreSQL database
|
||||
# (We suppose your PostgreSQL daemon is stopped for all commands)
|
||||
restic backup /var/lib/postgresql
|
||||
|
||||
# Show backup history
|
||||
restic snapshots
|
||||
|
||||
# Backup again your PostgreSQL database, it will be faster as only changes will be uploaded
|
||||
restic backup /var/lib/postgresql
|
||||
|
||||
# Show backup history (again)
|
||||
restic snapshots
|
||||
|
||||
# Restore a backup
|
||||
# (79766175 is the ID of the snapshot you want to restore)
|
||||
mv /var/lib/postgresql /var/lib/postgresql.broken
|
||||
restic restore 79766175 --target /var/lib/postgresql
|
||||
```
|
||||
|
||||
Restic has way more features than the ones presented here.
|
||||
You can discover all of them by accessing its documentation from the link below.
|
||||
|
||||
Files on Android devices can also be backed up with [restic-android](https://github.com/lhns/restic-android).
|
||||
|
||||
*External links:* [Restic Documentation > Amazon S3](https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html#amazon-s3)
|
||||
|
||||
## Duplicity
|
||||
|
||||
*External links:* [Duplicity > man](https://duplicity.gitlab.io/duplicity-web/vers8/duplicity.1.html) (scroll to "URL Format" and "A note on Amazon S3")
|
||||
|
||||
## Duplicati
|
||||
|
||||
*External links:* [Duplicati Documentation > Storage Providers](https://duplicati.readthedocs.io/en/latest/05-storage-providers/#s3-compatible)
|
||||
|
||||
The following fields need to be specified:
|
||||
```
|
||||
Storage Type: S3 Compatible
|
||||
Use SSL: [ ] # Only if you have SSL
|
||||
Server: Custom server url (s3.garage.localhost:3900)
|
||||
Bucket name: bucket-name
|
||||
Bucket create region: Custom region value (garage) # Or as you've specified in garage.toml
|
||||
AWS Access ID: Key ID from "garage key info key-name"
|
||||
AWS Access Key: Secret key from "garage key info key-name"
|
||||
Client Library to use: Minio SDK
|
||||
```
|
||||
|
||||
Click `Test connection` and then no when asked `The bucket name should start with your username, prepend automatically?`. Then it should say `Connection worked!`.
|
||||
|
||||
|
||||
## knoxite
|
||||
|
||||
*External links:* [Knoxite Documentation > Storage Backends](https://knoxite.com/docs/storage-backends/#amazon-s3)
|
||||
|
||||
## kopia
|
||||
|
||||
*External links:* [Kopia Documentation > Repositories](https://kopia.io/docs/repositories/#amazon-s3)
|
||||
|
||||
To create the Kopia repository, you need to specify the region, the HTTP(S) endpoint, the bucket name and the access keys.
|
||||
For instance, if you have an instance of garage running on `https://garage.example.com`:
|
||||
|
||||
```
|
||||
kopia repository create s3 --region=garage --bucket=mybackups --access-key=KEY_ID --secret-access-key=SECRET_KEY --endpoint=garage.example.com
|
||||
```
|
||||
|
||||
Or if you have an instance running on localhost, without TLS:
|
||||
|
||||
```
|
||||
kopia repository create s3 --region=garage --bucket=mybackups --access-key=KEY_ID --secret-access-key=SECRET_KEY --endpoint=localhost:3900 --disable-tls
|
||||
```
|
||||
|
||||
After the repository has been created, check that everything works as expected:
|
||||
|
||||
```
|
||||
kopia repository validate-provider
|
||||
```
|
||||
|
||||
You can then run all the standard kopia commands: `kopia snapshot create`, `kopia mount`...
|
||||
Everything should work out-of-the-box.
|
|
@ -1,317 +0,0 @@
|
|||
+++
|
||||
title = "Browsing tools"
|
||||
weight = 20
|
||||
+++
|
||||
|
||||
Browsing tools allow you to query the S3 API without too many abstractions.
|
||||
These tools are particularly suitable for debug, backups, website deployments or any scripted task that need to handle data.
|
||||
|
||||
| Name | Status | Note |
|
||||
|------|--------|------|
|
||||
| [Minio client](#minio-client) | ✅ | Recommended |
|
||||
| [AWS CLI](#aws-cli) | ✅ | Recommended |
|
||||
| [rclone](#rclone) | ✅ | |
|
||||
| [s3cmd](#s3cmd) | ✅ | |
|
||||
| [s5cmd](#s5cmd) | ✅ | |
|
||||
| [(Cyber)duck](#cyberduck) | ✅ | |
|
||||
| [WinSCP (libs3)](#winscp) | ✅ | CLI instructions only |
|
||||
| [sftpgo](#sftpgo) | ✅ | |
|
||||
|
||||
|
||||
## Minio client
|
||||
|
||||
Use the following command to set an "alias", i.e. define a new S3 server to be
|
||||
used by the Minio client:
|
||||
|
||||
```bash
|
||||
mc alias set \
|
||||
garage \
|
||||
<endpoint> \
|
||||
<access key> \
|
||||
<secret key> \
|
||||
--api S3v4
|
||||
```
|
||||
|
||||
Remember that `mc` is sometimes called `mcli` (such as on Arch Linux), to avoid conflicts
|
||||
with Midnight Commander.
|
||||
|
||||
Some commands:
|
||||
|
||||
```bash
|
||||
# list buckets
|
||||
mc ls garage/
|
||||
|
||||
# list objets in a bucket
|
||||
mc ls garage/my_files
|
||||
|
||||
# copy from your filesystem to garage
|
||||
mc cp /proc/cpuinfo garage/my_files/cpuinfo.txt
|
||||
|
||||
# copy from garage to your filesystem
|
||||
mc cp garage/my_files/cpuinfo.txt /tmp/cpuinfo.txt
|
||||
|
||||
# mirror a folder from your filesystem to garage
|
||||
mc mirror --overwrite ./book garage/garagehq.deuxfleurs.fr
|
||||
```
|
||||
|
||||
|
||||
## AWS CLI
|
||||
|
||||
Create a file named `~/.aws/credentials` and put:
|
||||
|
||||
```toml
|
||||
[default]
|
||||
aws_access_key_id=xxxx
|
||||
aws_secret_access_key=xxxx
|
||||
```
|
||||
|
||||
Then a file named `~/.aws/config` and put:
|
||||
|
||||
```toml
|
||||
[default]
|
||||
region=garage
|
||||
endpoint_url=http://127.0.0.1:3900
|
||||
```
|
||||
|
||||
Now, supposing Garage is listening on `http://127.0.0.1:3900`, you can list your buckets with:
|
||||
|
||||
```bash
|
||||
aws s3 ls
|
||||
```
|
||||
|
||||
If you're using awscli `<1.29.0` or `<2.13.0`, you need to pass `--endpoint-url` to each CLI invocation explicitly.
|
||||
As a workaround, you can redefine the aws command by editing the file `~/.bashrc` in this case:
|
||||
|
||||
```
|
||||
function aws { command aws --endpoint-url http://127.0.0.1:3900 $@ ; }
|
||||
```
|
||||
|
||||
*Do not forget to run `source ~/.bashrc` or to start a new terminal before running the next commands.*
|
||||
|
||||
Now you can simply run:
|
||||
|
||||
```bash
|
||||
# list buckets
|
||||
aws s3 ls
|
||||
|
||||
# list objects of a bucket
|
||||
aws s3 ls s3://my_files
|
||||
|
||||
# copy from your filesystem to garage
|
||||
aws s3 cp /proc/cpuinfo s3://my_files/cpuinfo.txt
|
||||
|
||||
# copy from garage to your filesystem
|
||||
aws s3 cp s3/my_files/cpuinfo.txt /tmp/cpuinfo.txt
|
||||
```
|
||||
|
||||
## `rclone`
|
||||
|
||||
`rclone` can be configured using the interactive assistant invoked using `rclone config`.
|
||||
|
||||
You can also configure `rclone` by writing directly its configuration file.
|
||||
Here is a template `rclone.ini` configuration file (mine is located at `~/.config/rclone/rclone.conf`):
|
||||
|
||||
```ini
|
||||
[garage]
|
||||
type = s3
|
||||
provider = Other
|
||||
env_auth = false
|
||||
access_key_id = <access key>
|
||||
secret_access_key = <secret key>
|
||||
region = <region>
|
||||
endpoint = <endpoint>
|
||||
force_path_style = true
|
||||
acl = private
|
||||
bucket_acl = private
|
||||
```
|
||||
|
||||
Now you can run:
|
||||
|
||||
```bash
|
||||
# list buckets
|
||||
rclone lsd garage:
|
||||
|
||||
# list objects of a bucket aggregated in directories
|
||||
rclone lsd garage:my-bucket
|
||||
|
||||
# copy from your filesystem to garage
|
||||
echo hello world > /tmp/hello.txt
|
||||
rclone copy /tmp/hello.txt garage:my-bucket/
|
||||
|
||||
# copy from garage to your filesystem
|
||||
rclone copy garage:quentin.divers/hello.txt .
|
||||
|
||||
# see all available subcommands
|
||||
rclone help
|
||||
```
|
||||
|
||||
**Advice with rclone:** use the `--fast-list` option when accessing buckets with large amounts of objects.
|
||||
This will tremendously accelerate operations such as `rclone sync` or `rclone ncdu` by reducing the number
|
||||
of ListObjects calls that are made.
|
||||
|
||||
|
||||
## `s3cmd`
|
||||
|
||||
Here is a template for the `s3cmd.cfg` file to talk with Garage:
|
||||
|
||||
```ini
|
||||
[default]
|
||||
access_key = <access key>
|
||||
secret_key = <secret key>
|
||||
host_base = <endpoint without http(s)://>
|
||||
host_bucket = <same as host_base>
|
||||
use_https = <False or True>
|
||||
```
|
||||
|
||||
And use it as follow:
|
||||
|
||||
```bash
|
||||
# List buckets
|
||||
s3cmd ls
|
||||
|
||||
# s3cmd objects inside a bucket
|
||||
s3cmd ls s3://my-bucket
|
||||
|
||||
# copy from your filesystem to garage
|
||||
echo hello world > /tmp/hello.txt
|
||||
s3cmd put /tmp/hello.txt s3://my-bucket/
|
||||
|
||||
# copy from garage to your filesystem
|
||||
s3cmd get s3://my-bucket/hello.txt hello.txt
|
||||
```
|
||||
|
||||
## `s5cmd`
|
||||
|
||||
Configure a credentials file as follows:
|
||||
|
||||
```bash
|
||||
export AWS_ACCESS_KEY_ID=GK...
|
||||
export AWS_SECRET_ACCESS_KEY=
|
||||
export AWS_DEFAULT_REGION='garage'
|
||||
export AWS_ENDPOINT='http://localhost:3900'
|
||||
```
|
||||
|
||||
After adding these environment variables in your shell, `s5cmd` can be used
|
||||
with:
|
||||
|
||||
```bash
|
||||
s5cmd --endpoint-url=$AWS_ENDPOINT ls
|
||||
```
|
||||
|
||||
See its usage output for other commands available.
|
||||
|
||||
## Cyberduck & duck {#cyberduck}
|
||||
|
||||
Both Cyberduck (the GUI) and duck (the CLI) have a concept of "Connection Profiles" that contain some presets for a specific provider.
|
||||
|
||||
Within Cyberduck, a
|
||||
[Garage connection profile](https://docs.cyberduck.io/protocols/s3/garage/) is
|
||||
available within the `Preferences -> Profiles` section. This can enabled and
|
||||
then connections to Garage may be configured.
|
||||
|
||||
### Instuctions for the CLI
|
||||
|
||||
To configure duck (Cyberduck's CLI tool), start by creating its folder hierarchy:
|
||||
|
||||
```
|
||||
mkdir -p ~/.duck/profiles/
|
||||
```
|
||||
|
||||
Then, save the connection profile for Garage in `~/.duck/profiles/garage.cyberduckprofile`.
|
||||
To set your credentials in `~/.duck/credentials`, use the following commands to generate the appropriate string:
|
||||
|
||||
```bash
|
||||
export AWS_ACCESS_KEY_ID="GK..."
|
||||
export AWS_SECRET_ACCESS_KEY="..."
|
||||
export HOST="s3.garage.localhost"
|
||||
export PORT="4443"
|
||||
export PROTOCOL="https"
|
||||
|
||||
cat > ~/.duck/credentials <<EOF
|
||||
$PROTOCOL\://$AWS_ACCESS_KEY_ID@$HOST\:$PORT=$AWS_SECRET_ACCESS_KEY
|
||||
EOF
|
||||
```
|
||||
|
||||
And finally, I recommend appending a small wrapper to your `~/.bashrc` to avoid setting the username on each command (do not forget to replace `GK...` by your access key):
|
||||
|
||||
```bash
|
||||
function duck { command duck --username GK... $@ ; }
|
||||
```
|
||||
|
||||
Finally, you can then use `duck` as follow:
|
||||
|
||||
```bash
|
||||
# List buckets
|
||||
duck --list garage:/
|
||||
|
||||
# List objects in a bucket
|
||||
duck --list garage:/my-files/
|
||||
|
||||
# Download an object
|
||||
duck --download garage:/my-files/an-object.txt /tmp/object.txt
|
||||
|
||||
# Upload an object
|
||||
duck --upload /tmp/object.txt garage:/my-files/another-object.txt
|
||||
|
||||
# Delete an object
|
||||
duck --delete garage:/my-files/an-object.txt
|
||||
```
|
||||
|
||||
## WinSCP (libs3) {#winscp}
|
||||
|
||||
*You can find instructions on how to use the GUI in french [in our wiki](https://guide.deuxfleurs.fr/prise_en_main/winscp/).*
|
||||
|
||||
How to use `winscp.com`, the CLI interface of WinSCP:
|
||||
|
||||
```
|
||||
open s3://GKxxxxx:yyyyyyy@127.0.0.1:4443 -certificate=* -rawsettings S3DefaultRegion=garage S3UrlStyle=1
|
||||
ls
|
||||
ls my-files/
|
||||
get my-files/an-object.txt Z:\tmp\object.txt
|
||||
put Z:\tmp\object.txt my-files/another-object.txt
|
||||
rm my-files/an-object
|
||||
exit
|
||||
```
|
||||
|
||||
Notes:
|
||||
- It seems WinSCP supports only TLS connections for S3
|
||||
- `-certificate=*` allows self-signed certificates, remove it if you have valid certificates
|
||||
|
||||
|
||||
## sftpgo {#sftpgo}
|
||||
|
||||
sftpgo needs a database to work, by default it uses sqlite and does not require additional configuration.
|
||||
You can then directly init it:
|
||||
|
||||
```
|
||||
sftpgo initprovider
|
||||
```
|
||||
|
||||
Then you can directly launch the daemon that will listen by default on `:8080 (http)` and `:2022 (ssh)`:
|
||||
|
||||
```
|
||||
sftpgo serve
|
||||
```
|
||||
|
||||
Go to the admin web interface (http://[::1]:8080/web/admin/), create the required admin account, then create a user account.
|
||||
Choose a username (eg: `ada`) and a password.
|
||||
|
||||
In the filesystem section, choose:
|
||||
- Storage: AWS S3 (Compatible)
|
||||
- Bucket: *your bucket name*
|
||||
- Region: `garage` (or the one you defined in `config.toml`)
|
||||
- Access key: *your access key*
|
||||
- Access secret: *your secret key*
|
||||
- Endpoint: *your endpoint*, eg. `https://garage.example.tld`, note that the protocol (`https` here) must be specified. Non standard ports and `http` have not been tested yet.
|
||||
- Keep the default values for other fields
|
||||
- Tick "Use path-style addressing". It should work without ticking it if you have correctly configured your instance to use URL vhost-style.
|
||||
|
||||
Now you can access your bucket through SFTP:
|
||||
|
||||
```
|
||||
sftp -P2022 ada@[::1]
|
||||
ls
|
||||
```
|
||||
|
||||
And through the web interface at http://[::1]:8080/web/client
|
||||
|
|
@ -1,71 +0,0 @@
|
|||
+++
|
||||
title = "FUSE (s3fs, goofys, s3backer...)"
|
||||
weight = 25
|
||||
+++
|
||||
|
||||
**WARNING! Garage is not POSIX compatible.
|
||||
Mounting S3 buckets as filesystems will not provide POSIX compatibility.
|
||||
If you are not careful, you will lose or corrupt your data.**
|
||||
|
||||
Do not use these FUSE filesystems to store any database files (eg. MySQL, Postgresql, Mongo or sqlite),
|
||||
any daemon cache (dovecot, openldap, gitea, etc.),
|
||||
and more generally any software that use locking, advanced filesystems features or make any synchronisation assumption.
|
||||
Ideally, avoid these solutions at all for any serious or production use.
|
||||
|
||||
## rclone mount
|
||||
|
||||
rclone uses the same configuration when used [in CLI](@/documentation/connect/cli.md) and mount mode.
|
||||
We suppose you have the following entry in your `rclone.ini` (mine is located in `~/.config/rclone/rclone.conf`):
|
||||
|
||||
```toml
|
||||
[garage]
|
||||
type = s3
|
||||
provider = Other
|
||||
env_auth = false
|
||||
access_key_id = <access key>
|
||||
secret_access_key = <secret key>
|
||||
region = <region>
|
||||
endpoint = <endpoint>
|
||||
force_path_style = true
|
||||
acl = private
|
||||
bucket_acl = private
|
||||
```
|
||||
|
||||
Then you can mount and access any bucket as follow:
|
||||
|
||||
```bash
|
||||
# mount the bucket
|
||||
mkdir /tmp/my-bucket
|
||||
rclone mount --daemon garage:my-bucket /tmp/my-bucket
|
||||
|
||||
# set your working directory to the bucket
|
||||
cd /tmp/my-bucket
|
||||
|
||||
# create a file
|
||||
echo hello world > hello.txt
|
||||
|
||||
# access the file
|
||||
cat hello.txt
|
||||
|
||||
# unmount the bucket
|
||||
cd
|
||||
fusermount -u /tmp/my-bucket
|
||||
```
|
||||
|
||||
*External link:* [rclone documentation > rclone mount](https://rclone.org/commands/rclone_mount/)
|
||||
|
||||
## s3fs
|
||||
|
||||
*External link:* [s3fs github > README.md](https://github.com/s3fs-fuse/s3fs-fuse#user-content-examples)
|
||||
|
||||
## goofys
|
||||
|
||||
*External link:* [goofys github > README.md](https://github.com/kahing/goofys#user-content-usage)
|
||||
|
||||
## s3backer
|
||||
|
||||
*External link:* [s3backer github > manpage](https://github.com/archiecobbs/s3backer/wiki/ManPage)
|
||||
|
||||
## csi-s3
|
||||
|
||||
*External link:* [csi-s3 Github > README.md](https://github.com/ctrox/csi-s3)
|
|
@ -1,57 +0,0 @@
|
|||
+++
|
||||
title = "Observability"
|
||||
weight = 25
|
||||
+++
|
||||
|
||||
An object store can be used as data storage location for metrics, and logs which
|
||||
can then be leveraged for systems observability.
|
||||
|
||||
## Metrics
|
||||
|
||||
### Prometheus
|
||||
|
||||
Prometheus itself has no object store capabilities, however two projects exist
|
||||
which support storing metrics in an object store:
|
||||
|
||||
- [Cortex](https://cortexmetrics.io/)
|
||||
- [Thanos](https://thanos.io/)
|
||||
|
||||
## System logs
|
||||
|
||||
### Vector
|
||||
|
||||
[Vector](https://vector.dev/) natively supports S3 as a
|
||||
[data sink](https://vector.dev/docs/reference/configuration/sinks/aws_s3/)
|
||||
(and [source](https://vector.dev/docs/reference/configuration/sources/aws_s3/)).
|
||||
|
||||
This can be configured with Garage with the following:
|
||||
|
||||
```bash
|
||||
garage key new --name vector-system-logs
|
||||
garage bucket create system-logs
|
||||
garage bucket allow system-logs --read --write --key vector-system-logs
|
||||
```
|
||||
|
||||
The `vector.toml` can then be configured as follows:
|
||||
|
||||
```toml
|
||||
[sources.journald]
|
||||
type = "journald"
|
||||
current_boot_only = true
|
||||
|
||||
[sinks.out]
|
||||
encoding.codec = "json"
|
||||
type = "aws_s3"
|
||||
inputs = [ "journald" ]
|
||||
bucket = "system-logs"
|
||||
key_prefix = "%F/"
|
||||
compression = "none"
|
||||
region = "garage"
|
||||
endpoint = "https://my-garage-instance.mydomain.tld"
|
||||
auth.access_key_id = ""
|
||||
auth.secret_access_key = ""
|
||||
```
|
||||
|
||||
This is an example configuration - please refer to the Vector documentation for
|
||||
all configuration and transformation possibilities. Also note that Garage
|
||||
performs its own compression, so this should be disabled in Vector.
|
|
@ -1,211 +0,0 @@
|
|||
+++
|
||||
title = "Repositories (Docker, Nix, Git...)"
|
||||
weight = 15
|
||||
+++
|
||||
|
||||
Whether you need to store and serve binary packages or source code, you may want to deploy a tool referred as a repository or registry.
|
||||
Garage can also help you serve this content.
|
||||
|
||||
| Name | Status | Note |
|
||||
|------|--------|------|
|
||||
| [Gitea](#gitea) | ✅ | |
|
||||
| [Docker](#docker) | ✅ | Requires garage >= v0.6.0 |
|
||||
| [Nix](#nix) | ✅ | |
|
||||
| [Gitlab](#gitlab) | ❓ | Not yet tested |
|
||||
|
||||
|
||||
|
||||
## Gitea
|
||||
|
||||
You can use Garage with Gitea to store your [git LFS](https://git-lfs.github.com/) data, your users' avatar, and their attachements.
|
||||
You can configure a different target for each data type (check `[lfs]` and `[attachment]` sections of the Gitea documentation) and you can provide a default one through the `[storage]` section.
|
||||
|
||||
Let's start by creating a key and a bucket (your key id and secret will be needed later, keep them somewhere):
|
||||
|
||||
```bash
|
||||
garage key create gitea-key
|
||||
garage bucket create gitea
|
||||
garage bucket allow gitea --read --write --key gitea-key
|
||||
```
|
||||
|
||||
Then you can edit your configuration (by default `/etc/gitea/conf/app.ini`):
|
||||
|
||||
```ini
|
||||
[storage]
|
||||
STORAGE_TYPE=minio
|
||||
MINIO_ENDPOINT=localhost:3900
|
||||
MINIO_ACCESS_KEY_ID=GKxxx
|
||||
MINIO_SECRET_ACCESS_KEY=xxxx
|
||||
MINIO_BUCKET=gitea
|
||||
MINIO_LOCATION=garage
|
||||
MINIO_USE_SSL=false
|
||||
```
|
||||
|
||||
You can also pass this configuration through environment variables:
|
||||
|
||||
```bash
|
||||
GITEA__storage__STORAGE_TYPE=minio
|
||||
GITEA__storage__MINIO_ENDPOINT=localhost:3900
|
||||
GITEA__storage__MINIO_ACCESS_KEY_ID=GKxxx
|
||||
GITEA__storage__MINIO_SECRET_ACCESS_KEY=xxxx
|
||||
GITEA__storage__MINIO_BUCKET=gitea
|
||||
GITEA__storage__MINIO_LOCATION=garage
|
||||
GITEA__storage__MINIO_USE_SSL=false
|
||||
```
|
||||
|
||||
Then restart your gitea instance and try to upload a custom avatar.
|
||||
If it worked, you should see some content in your gitea bucket (you must configure your `aws` command before):
|
||||
|
||||
```
|
||||
$ aws s3 ls s3://gitea/avatars/
|
||||
2021-11-10 12:35:47 190034 616ba79ae2b84f565c33d72c2ec50861
|
||||
```
|
||||
|
||||
|
||||
*External link:* [Gitea Documentation > Configuration Cheat Sheet](https://docs.gitea.io/en-us/config-cheat-sheet/)
|
||||
|
||||
## Docker
|
||||
|
||||
Create a bucket and a key for your docker registry, then create `config.yml` with the following content:
|
||||
|
||||
```yml
|
||||
version: 0.1
|
||||
http:
|
||||
addr: 0.0.0.0:5000
|
||||
secret: asecretforlocaldevelopment
|
||||
debug:
|
||||
addr: localhost:5001
|
||||
storage:
|
||||
s3:
|
||||
accesskey: GKxxxx
|
||||
secretkey: yyyyy
|
||||
region: garage
|
||||
regionendpoint: http://localhost:3900
|
||||
bucket: docker
|
||||
secure: false
|
||||
v4auth: true
|
||||
rootdirectory: /
|
||||
```
|
||||
|
||||
Replace the `accesskey`, `secretkey`, `bucket`, `regionendpoint` and `secure` values by the one fitting your deployment.
|
||||
|
||||
Then simply run the docker registry:
|
||||
|
||||
```bash
|
||||
docker run \
|
||||
--net=host \
|
||||
-v `pwd`/config.yml:/etc/docker/registry/config.yml \
|
||||
registry:2
|
||||
```
|
||||
|
||||
*We started a plain text registry but docker clients require encrypted registries. You must either [setup TLS](https://docs.docker.com/registry/deploying/#run-an-externally-accessible-registry) on your registry or add `--insecure-registry=localhost:5000` to your docker daemon parameters.*
|
||||
|
||||
|
||||
*External link:* [Docker Documentation > Registry storage drivers > S3 storage driver](https://docs.docker.com/registry/storage-drivers/s3/)
|
||||
|
||||
## Nix
|
||||
|
||||
Nix has no repository in its terminology: instead, it breaks down this concept in 2 parts: binary cache and channel.
|
||||
|
||||
**A channel** is a set of `.nix` definitions that generate definitions for all the software you want to serve.
|
||||
|
||||
Because we do not want all our clients to compile all these derivations by themselves,
|
||||
we can compile them once and then serve them as part of our **binary cache**.
|
||||
|
||||
It is possible to use a **binary cache** without a channel, you only need to serve your nix definitions
|
||||
through another support, like a git repository.
|
||||
|
||||
As a first step, we will need to create a bucket on Garage and enabling website access on it:
|
||||
|
||||
```bash
|
||||
garage key create nix-key
|
||||
garage bucket create nix.example.com
|
||||
garage bucket allow nix.example.com --read --write --key nix-key
|
||||
garage bucket website nix.example.com --allow
|
||||
```
|
||||
|
||||
If you need more information about exposing buckets as websites on Garage,
|
||||
check [Exposing buckets as websites](@/documentation/cookbook/exposing-websites.md)
|
||||
and [Configuring a reverse proxy](@/documentation/cookbook/reverse-proxy.md).
|
||||
|
||||
Next, we want to check that our bucket works:
|
||||
|
||||
```bash
|
||||
echo nix repo > /tmp/index.html
|
||||
mc cp /tmp/index.html garage/nix/
|
||||
rm /tmp/index.html
|
||||
|
||||
curl https://nix.example.com
|
||||
# output: nix repo
|
||||
```
|
||||
|
||||
### Binary cache
|
||||
|
||||
To serve binaries as part of your cache, you need to sign them with a key specific to nix.
|
||||
You can generate the keypair as follow:
|
||||
|
||||
```bash
|
||||
nix-store --generate-binary-cache-key <name> cache-priv-key.pem cache-pub-key.pem
|
||||
```
|
||||
|
||||
You can then manually sign the packages of your store with the following command:
|
||||
|
||||
```bash
|
||||
nix sign-paths --all -k cache-priv-key.pem
|
||||
```
|
||||
|
||||
Setting a key in `nix.conf` will do the signature at build time automatically without additional commands.
|
||||
Edit the `nix.conf` of your builder:
|
||||
|
||||
```toml
|
||||
secret-key-files = /etc/nix/cache-priv-key.pem
|
||||
```
|
||||
|
||||
Now that your content is signed, you can copy a derivation to your cache.
|
||||
For example, if you want to copy a specific derivation of your store:
|
||||
|
||||
```bash
|
||||
nix copy /nix/store/wadmyilr414n7bimxysbny876i2vlm5r-bash-5.1-p8 --to 's3://nix?endpoint=garage.example.com®ion=garage'
|
||||
```
|
||||
|
||||
*Note that if you have not signed your packages, you can append to the end of your S3 URL `&secret-key=/etc/nix/cache-priv-key.pem`.*
|
||||
|
||||
Sometimes you don't want to hardcode this store path in your script.
|
||||
Let suppose that you are working on a codebase that you build with `nix-build`, you can then run:
|
||||
|
||||
```bash
|
||||
nix copy $(nix-build) --to 's3://nix?endpoint=garage.example.com®ion=garage'
|
||||
```
|
||||
|
||||
*This command works because the only thing that `nix-build` outputs on stdout is the paths of the built derivations in your nix store.*
|
||||
|
||||
You can include your derivation dependencies:
|
||||
|
||||
```bash
|
||||
nix copy $(nix-store -qR $(nix-build)) --to 's3://nix?endpoint=garage.example.com®ion=garage'
|
||||
```
|
||||
|
||||
Now, your binary cache stores your derivation and all its dependencies.
|
||||
Just inform your users that they must update their `nix.conf` file with the following lines:
|
||||
|
||||
```toml
|
||||
substituters = https://cache.nixos.org https://nix.example.com
|
||||
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix.example.com:eTGL6kvaQn6cDR/F9lDYUIP9nCVR/kkshYfLDJf1yKs=
|
||||
```
|
||||
|
||||
*You must re-add cache.nixorg.org because redeclaring these keys override the previous configuration instead of extending it.*
|
||||
|
||||
Now, when your clients will run `nix-build` or any command that generates a derivation for which a hash is already present
|
||||
on the binary cache, the client will download the result from the cache instead of compiling it, saving lot of time and CPU!
|
||||
|
||||
|
||||
### Channels
|
||||
|
||||
Channels additionnaly serve Nix definitions, ie. a `.nix` file referencing
|
||||
all the derivations you want to serve.
|
||||
|
||||
## Gitlab
|
||||
|
||||
*External link:* [Gitlab Documentation > Object storage](https://docs.gitlab.com/ee/administration/object_storage.html)
|
||||
|
||||
|
|
@ -1,86 +0,0 @@
|
|||
+++
|
||||
title = "Websites (Hugo, Jekyll, Publii...)"
|
||||
weight = 10
|
||||
+++
|
||||
|
||||
Garage is also suitable [to host static websites](@/documentation/cookbook/exposing-websites.md).
|
||||
While they can be deployed with traditional CLI tools, some static website generators have integrated options to ease your workflow.
|
||||
|
||||
| Name | Status | Note |
|
||||
|------|--------|------|
|
||||
| [Hugo](#hugo) | ✅ | Publishing logic is integrated in the tool |
|
||||
| [Publii](#publii) | ✅ | Require a correctly configured s3 vhost endpoint |
|
||||
| [Generic Static Site Generator](#generic-static-site-generator) | ✅ | Works for Jekyll, Zola, Gatsby, Pelican, etc. |
|
||||
|
||||
## Hugo
|
||||
|
||||
Add to your `config.toml` the following section:
|
||||
|
||||
```toml
|
||||
[[deployment.targets]]
|
||||
URL = "s3://<bucket>?endpoint=<endpoint>&disableSSL=<bool>&s3ForcePathStyle=true®ion=garage"
|
||||
```
|
||||
|
||||
For example:
|
||||
|
||||
```toml
|
||||
[[deployment.targets]]
|
||||
URL = "s3://my-blog?endpoint=localhost:9000&disableSSL=true&s3ForcePathStyle=true®ion=garage"
|
||||
```
|
||||
|
||||
Then inform hugo of your credentials:
|
||||
|
||||
```bash
|
||||
export AWS_ACCESS_KEY_ID=GKxxx
|
||||
export AWS_SECRET_ACCESS_KEY=xxx
|
||||
```
|
||||
|
||||
And finally build and deploy your website:
|
||||
|
||||
```bsh
|
||||
hugo
|
||||
hugo deploy
|
||||
```
|
||||
|
||||
*External links:*
|
||||
- [gocloud.dev > aws > Supported URL parameters](https://pkg.go.dev/gocloud.dev/aws?utm_source=godoc#ConfigFromURLParams)
|
||||
- [Hugo Documentation > hugo deploy](https://gohugo.io/hosting-and-deployment/hugo-deploy/)
|
||||
|
||||
## Publii
|
||||
|
||||
[![A screenshot of Publii's GUI](./publii.png)](./publii.png)
|
||||
|
||||
Deploying a website to Garage from Publii is natively supported.
|
||||
First, make sure that your Garage administrator allowed and configured Garage to support vhost access style.
|
||||
We also suppose that your bucket ("my-bucket") and key is already created and configured.
|
||||
|
||||
Then, from the left menu, click on server. Choose "S3" as the protocol.
|
||||
In the configuration window, enter:
|
||||
- Your finale website URL (eg. "http://my-bucket.web.garage.localhost:3902")
|
||||
- Tick "Use a custom S3 provider"
|
||||
- Set the S3 endpoint, (eg. "http://s3.garage.localhost:3900")
|
||||
- Then put your access key (eg. "GK..."), your secret key, and your bucket (eg. "my-bucket")
|
||||
- And hit the button "Save settings"
|
||||
|
||||
Now, each time you want to publish your website from Publii, just hit the bottom left button "Sync your website"!
|
||||
|
||||
|
||||
|
||||
## Generic Static Site Generator
|
||||
|
||||
Some tools do not support sending to a S3 backend but output a compiled folder on your system.
|
||||
We can then use any CLI tool to upload this content to our S3 target.
|
||||
|
||||
First, start by [configuring minio client](@/documentation/connect/cli.md#minio-client).
|
||||
|
||||
Then build your website (example for jekyll):
|
||||
|
||||
```bash
|
||||
jekyll build
|
||||
```
|
||||
|
||||
And copy its output folder (`_site` for Jekyll) on S3:
|
||||
|
||||
```bash
|
||||
mc mirror --overwrite _site garage/my-site
|
||||
```
|
|
@ -1,39 +0,0 @@
|
|||
+++
|
||||
title="Cookbook"
|
||||
template = "documentation.html"
|
||||
weight = 20
|
||||
sort_by = "weight"
|
||||
+++
|
||||
|
||||
A cookbook, when you cook, is a collection of recipes.
|
||||
Similarly, Garage's cookbook contains a collection of recipes that are known to work well!
|
||||
This chapter could also be referred as "Tutorials" or "Best practices".
|
||||
|
||||
- **[Multi-node deployment](@/documentation/cookbook/real-world.md):** This page will walk you through all of the necessary
|
||||
steps to deploy Garage in a real-world setting.
|
||||
|
||||
- **[Building from source](@/documentation/cookbook/from-source.md):** This page explains how to build Garage from
|
||||
source in case a binary is not provided for your architecture, or if you want to
|
||||
hack with us!
|
||||
|
||||
- **[Binary packages](@/documentation/cookbook/binary-packages.md):** This page
|
||||
lists the different platforms that provide ready-built software packages for
|
||||
Garage.
|
||||
|
||||
- **[Integration with Systemd](@/documentation/cookbook/systemd.md):** This page explains how to run Garage
|
||||
as a Systemd service (instead of as a Docker container).
|
||||
|
||||
- **[Configuring a gateway node](@/documentation/cookbook/gateways.md):** This page explains how to run a gateway node in a Garage cluster, i.e. a Garage node that doesn't store data but accelerates access to data present on the other nodes.
|
||||
|
||||
- **[Hosting a website](@/documentation/cookbook/exposing-websites.md):** This page explains how to use Garage
|
||||
to host a static website.
|
||||
|
||||
- **[Configuring a reverse-proxy](@/documentation/cookbook/reverse-proxy.md):** This page explains how to configure a reverse-proxy to add TLS support to your S3 api endpoint.
|
||||
|
||||
- **[Deploying on Kubernetes](@/documentation/cookbook/kubernetes.md):** This page explains how to deploy Garage on Kubernetes using our Helm chart.
|
||||
|
||||
- **[Deploying with Ansible](@/documentation/cookbook/ansible.md):** This page lists available Ansible roles developed by the community to deploy Garage.
|
||||
|
||||
- **[Monitoring Garage](@/documentation/cookbook/monitoring.md)** This page
|
||||
explains the Prometheus metrics available for monitoring the Garage
|
||||
cluster/nodes.
|
|
@ -1,51 +0,0 @@
|
|||
+++
|
||||
title = "Deploying with Ansible"
|
||||
weight = 35
|
||||
+++
|
||||
|
||||
While Ansible is not officially supported to deploy Garage, several community members
|
||||
have published Ansible roles. We list them and compare them below.
|
||||
|
||||
## Comparison of Ansible roles
|
||||
|
||||
| Feature | [ansible-role-garage](#zorun-ansible-role-garage) | [garage-docker-ansible-deploy](#moan0s-garage-docker-ansible-deploy) |
|
||||
|------------------------------------|---------------------------------------------|---------------------------------------------------------------|
|
||||
| **Runtime** | Systemd | Docker |
|
||||
| **Target OS** | Any Linux | Any Linux |
|
||||
| **Architecture** | amd64, arm64, i686 | amd64, arm64 |
|
||||
| **Additional software** | None | Traefik |
|
||||
| **Automatic node connection** | ❌ | ✅ |
|
||||
| **Layout management** | ❌ | ✅ |
|
||||
| **Manage buckets & keys** | ❌ | ✅ (basic) |
|
||||
| **Allow custom Garage config** | ✅ | ❌ |
|
||||
| **Facilitate Garage upgrades** | ✅ | ❌ |
|
||||
| **Multiple instances on one host** | ✅ | ✅ |
|
||||
|
||||
|
||||
## zorun/ansible-role-garage
|
||||
|
||||
[Source code](https://github.com/zorun/ansible-role-garage), [Ansible galaxy](https://galaxy.ansible.com/zorun/garage)
|
||||
|
||||
This role is voluntarily simple: it relies on the official Garage static
|
||||
binaries and only requires Systemd. As such, it should work on any
|
||||
Linux-based OS.
|
||||
|
||||
To make things more flexible, the user has to provide a Garage
|
||||
configuration template. This allows to customize Garage configuration in
|
||||
any way.
|
||||
|
||||
Some more features might be added, such as a way to automatically connect
|
||||
nodes to each other or to define a layout.
|
||||
|
||||
## moan0s/garage-docker-ansible-deploy
|
||||
|
||||
[Source code](https://github.com/moan0s/garage-docker-ansible-deploy), [Blog post](https://hyteck.de/post/garage/)
|
||||
|
||||
This role is based on the Docker image for Garage, and comes with
|
||||
"batteries included": it will additionally install Docker and Traefik. In
|
||||
addition, it is "opinionated" in the sense that it expects a particular
|
||||
deployment structure (one instance per disk, one gateway per host,
|
||||
structured DNS names, etc).
|
||||
|
||||
As a result, this role makes it easier to start with Garage on Ansible,
|
||||
but is less flexible.
|
|
@ -1,41 +0,0 @@
|
|||
+++
|
||||
title = "Binary packages"
|
||||
weight = 11
|
||||
+++
|
||||
|
||||
Garage is also available in binary packages on:
|
||||
|
||||
## Alpine Linux
|
||||
|
||||
If you use Alpine Linux, you can simply install the
|
||||
[garage](https://pkgs.alpinelinux.org/packages?name=garage) package from the
|
||||
Alpine Linux repositories (available since v3.17):
|
||||
|
||||
```bash
|
||||
apk add garage
|
||||
```
|
||||
|
||||
The default configuration file is installed to `/etc/garage.toml`. You can run
|
||||
Garage using: `rc-service garage start`. If you don't specify `rpc_secret`, it
|
||||
will be automatically replaced with a random string on the first start.
|
||||
|
||||
Please note that this package is built without Consul discovery, Kubernetes
|
||||
discovery, OpenTelemetry exporter, and K2V features (K2V will be enabled once
|
||||
it's stable).
|
||||
|
||||
|
||||
## Arch Linux
|
||||
|
||||
Garage is available in the [AUR](https://aur.archlinux.org/packages/garage).
|
||||
|
||||
## FreeBSD
|
||||
|
||||
```bash
|
||||
pkg install garage
|
||||
```
|
||||
|
||||
## NixOS
|
||||
|
||||
```bash
|
||||
nix-shell -p garage
|
||||
```
|
|
@ -1,139 +0,0 @@
|
|||
+++
|
||||
title = "Encryption"
|
||||
weight = 50
|
||||
+++
|
||||
|
||||
Encryption is a recurring subject when discussing Garage.
|
||||
Garage does not handle data encryption by itself, but many things can
|
||||
already be done with Garage's current feature set and the existing ecosystem.
|
||||
|
||||
This page takes a high level approach to security in general and data encryption
|
||||
in particular.
|
||||
|
||||
|
||||
# Examining your need for encryption
|
||||
|
||||
- Why do you want encryption in Garage?
|
||||
|
||||
- What is your threat model? What are you fearing?
|
||||
- A stolen HDD?
|
||||
- A curious administrator?
|
||||
- A malicious administrator?
|
||||
- A remote attacker?
|
||||
- etc.
|
||||
|
||||
- What services do you want to protect with encryption?
|
||||
- An existing application? Which one? (eg. Nextcloud)
|
||||
- An application that you are writing
|
||||
|
||||
- Any expertise you may have on the subject
|
||||
|
||||
This page explains what Garage provides, and how you can improve the situation by yourself
|
||||
by adding encryption at different levels.
|
||||
|
||||
We would be very curious to know your needs and thougs about ideas such as
|
||||
encryption practices and things like key management, as we want Garage to be a
|
||||
serious base platform for the developpment of secure, encrypted applications.
|
||||
Do not hesitate to come talk to us if you have any thoughts or questions on the
|
||||
subject.
|
||||
|
||||
|
||||
# Capabilities provided by Garage
|
||||
|
||||
## Traffic is encrypted between Garage nodes
|
||||
|
||||
RPCs between Garage nodes are encrypted. More specifically, contrary to many
|
||||
distributed software, it is impossible in Garage to have clear-text RPC. We
|
||||
use the [kuska handshake](https://github.com/Kuska-ssb/handshake) library which
|
||||
implements a protocol that has been clearly reviewed, Secure ScuttleButt's
|
||||
Secret Handshake protocol. This is why setting a `rpc_secret` is mandatory,
|
||||
and that's also why your nodes have super long identifiers.
|
||||
|
||||
## HTTP API endpoints provided by Garage are in clear text
|
||||
|
||||
Adding TLS support built into Garage is not currently planned.
|
||||
|
||||
## Garage stores data in plain text on the filesystem or encrypted using customer keys (SSE-C)
|
||||
|
||||
For standard S3 API requests, Garage does not encrypt data at rest by itself.
|
||||
For the most generic at rest encryption of data, we recommend setting up your
|
||||
storage partitions on encrypted LUKS devices.
|
||||
|
||||
If you are developping your own client software that makes use of S3 storage,
|
||||
we recommend implementing data encryption directly on the client side and never
|
||||
transmitting plaintext data to Garage. This makes it easy to use an external
|
||||
untrusted storage provider if necessary.
|
||||
|
||||
Garage does support [SSE-C
|
||||
encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html),
|
||||
an encryption mode of Amazon S3 where data is encrypted at rest using
|
||||
encryption keys given by the client. The encryption keys are passed to the
|
||||
server in a header in each request, to encrypt or decrypt data at the moment of
|
||||
reading or writing. The server discards the key as soon as it has finished
|
||||
using it for the request. This mode allows the data to be encrypted at rest by
|
||||
Garage itself, but it requires support in the client software. It is also not
|
||||
adapted to a model where the server is not trusted or assumed to be
|
||||
compromised, as the server can easily know the encryption keys. Note however
|
||||
that when using SSE-C encryption, the only Garage node that knows the
|
||||
encryption key passed in a given request is the node to which the request is
|
||||
directed (which can be a gateway node), so it is easy to have untrusted nodes
|
||||
in the cluster as long as S3 API requests containing SSE-C encryption keys are
|
||||
not directed to them.
|
||||
|
||||
Implementing automatic data encryption directly in Garage without client-side
|
||||
management of keys (something like
|
||||
[SSE-S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html))
|
||||
could make things simpler for end users that don't want to setup LUKS, but also
|
||||
raises many more questions, especially around key management: for encryption of
|
||||
data, where could Garage get the encryption keys from? If we encrypt data but
|
||||
keep the keys in a plaintext file next to them, it's useless. We probably don't
|
||||
want to have to manage secrets in Garage as it would be very hard to do in a
|
||||
secure way. At the time of speaking, there are no plans to implement this in
|
||||
Garage.
|
||||
|
||||
|
||||
# Adding data encryption using external tools
|
||||
|
||||
## Encrypting traffic between a Garage node and your client
|
||||
|
||||
You have multiple options to have encryption between your client and a node:
|
||||
|
||||
- Setup a reverse proxy with TLS / ACME / Let's encrypt
|
||||
- Setup a Garage gateway locally, and only contact the garage daemon on `localhost`
|
||||
- Only contact your Garage daemon over a secure, encrypted overlay network such as Wireguard
|
||||
|
||||
## Encrypting data at rest
|
||||
|
||||
Protects against the following threats:
|
||||
|
||||
- Stolen HDD
|
||||
|
||||
Crucially, does not protect againt malicious sysadmins or remote attackers that
|
||||
might gain access to your servers.
|
||||
|
||||
Methods include full-disk encryption with tools such as LUKS.
|
||||
|
||||
## Encrypting data on the client side
|
||||
|
||||
Protects againt the following threats:
|
||||
|
||||
- A honest-but-curious administrator
|
||||
- A malicious administrator that tries to corrupt your data
|
||||
- A remote attacker that can read your server's data
|
||||
|
||||
Implementations are very specific to the various applications. Examples:
|
||||
|
||||
- Matrix: uses the OLM protocol for E2EE of user messages. Media files stored
|
||||
in Matrix are probably encrypted using symmetric encryption, with a key that is
|
||||
distributed in the end-to-end encrypted message that contains the link to the object.
|
||||
|
||||
- XMPP: clients normally support either OMEMO / OpenPGP for the E2EE of user
|
||||
messages. Media files are encrypted per
|
||||
[XEP-0454](https://xmpp.org/extensions/xep-0454.html).
|
||||
|
||||
- Aerogramme: use the user's password as a key to decrypt data in the user's bucket
|
||||
|
||||
- Cyberduck: comes with support for
|
||||
[Cryptomator](https://docs.cyberduck.io/cryptomator/) which allows users to
|
||||
create client-side vaults to encrypt files in before they are uploaded to a
|
||||
cloud storage endpoint.
|
|
@ -1,71 +0,0 @@
|
|||
+++
|
||||
title = "Exposing buckets as websites"
|
||||
weight = 25
|
||||
+++
|
||||
|
||||
## Configuring a bucket for website access
|
||||
|
||||
There are three methods to expose buckets as website:
|
||||
|
||||
1. using the PutBucketWebsite S3 API call, which is allowed for access keys that have the owner permission bit set
|
||||
|
||||
2. from the Garage CLI, by an adminstrator of the cluster
|
||||
|
||||
3. using the Garage administration API
|
||||
|
||||
The `PutBucketWebsite` API endpoint [is documented](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html) in the official AWS docs.
|
||||
This endpoint can also be called [using `aws s3api`](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-website.html) on the command line.
|
||||
The website configuration supported by Garage is only a subset of the possibilities on Amazon S3: redirections are not supported, only the index document and error document can be specified.
|
||||
|
||||
If you want to expose your bucket as a website from the CLI, use this simple command:
|
||||
|
||||
```bash
|
||||
garage bucket website --allow my-website
|
||||
```
|
||||
|
||||
Now it will be **publicly** exposed on the web endpoint (by default listening on port 3902).
|
||||
|
||||
## How exposed websites work
|
||||
|
||||
Our website serving logic is as follow:
|
||||
|
||||
- Supports only static websites (no support for PHP or other languages)
|
||||
- Does not support directory listing
|
||||
- The index file is defined per-bucket and can be specified in the `PutBucketWebsite` call
|
||||
or on the CLI using the `--index-document` parameter (default: `index.html`)
|
||||
- A custom error document for 404 errors can be specified in the `PutBucketWebsite` call
|
||||
or on the CLI using the `--error-document` parameter
|
||||
|
||||
Now we need to infer the URL of your website through your bucket name.
|
||||
Let assume:
|
||||
- we set `root_domain = ".web.example.com"` in `garage.toml` ([ref](@/documentation/reference-manual/configuration.md#web_root_domain))
|
||||
- our bucket name is `garagehq.deuxfleurs.fr`.
|
||||
|
||||
Our bucket will be served if the Host field matches one of these 2 values (the port is ignored):
|
||||
|
||||
- `garagehq.deuxfleurs.fr.web.example.com`: you can dedicate a subdomain to your users (here `web.example.com`).
|
||||
|
||||
- `garagehq.deuxfleurs.fr`: your users can bring their own domain name, they just need to point them to your Garage cluster.
|
||||
|
||||
You can try this logic locally, without configuring any DNS, thanks to `curl`:
|
||||
|
||||
```bash
|
||||
# prepare your test
|
||||
echo hello world > /tmp/index.html
|
||||
mc cp /tmp/index.html garage/garagehq.deuxfleurs.fr
|
||||
|
||||
curl -H 'Host: garagehq.deuxfleurs.fr' http://localhost:3902
|
||||
# should print "hello world"
|
||||
|
||||
curl -H 'Host: garagehq.deuxfleurs.fr.web.example.com' http://localhost:3902
|
||||
# should also print "hello world"
|
||||
```
|
||||
|
||||
Now that you understand how website logic works on Garage, you can:
|
||||
|
||||
- make the website endpoint listens on port 80 (instead of 3902)
|
||||
- use iptables to redirect the port 80 to the port 3902:
|
||||
`iptables -t nat -A PREROUTING -p tcp -dport 80 -j REDIRECT -to-port 3902`
|
||||
- or configure a [reverse proxy](@/documentation/cookbook/reverse-proxy.md) in front of Garage to add TLS (HTTPS), CORS support, etc.
|
||||
|
||||
You can also take a look at [Website Integration](@/documentation/connect/websites.md) to see how you can add Garage to your workflow.
|
|
@ -1,95 +0,0 @@
|
|||
+++
|
||||
title = "Compiling Garage from source"
|
||||
weight = 10
|
||||
+++
|
||||
|
||||
|
||||
Garage is a standard Rust project. First, you need `rust` and `cargo`. For instance on Debian:
|
||||
|
||||
```bash
|
||||
sudo apt-get update
|
||||
sudo apt-get install -y rustc cargo
|
||||
```
|
||||
|
||||
You can also use [Rustup](https://rustup.rs/) to setup a Rust toolchain easily.
|
||||
|
||||
In addition, you will need a full C toolchain. On Debian-based distributions, it can be installed as follows:
|
||||
|
||||
```bash
|
||||
sudo apt-get update
|
||||
sudo apt-get install build-essential
|
||||
```
|
||||
|
||||
## Building from source from the Gitea repository
|
||||
|
||||
The primary location for Garage's source code is the
|
||||
[Gitea repository](https://git.deuxfleurs.fr/Deuxfleurs/garage),
|
||||
which contains all of the released versions as well as the code
|
||||
for the developpement of the next version.
|
||||
|
||||
Clone the repository and enter it as follows:
|
||||
|
||||
```bash
|
||||
git clone https://git.deuxfleurs.fr/Deuxfleurs/garage.git
|
||||
cd garage
|
||||
```
|
||||
|
||||
If you wish to build a specific version of Garage, check out the corresponding tag. For instance:
|
||||
|
||||
```bash
|
||||
git tag # List available tags
|
||||
git checkout v0.8.0 # Change v0.8.0 with the version you wish to build
|
||||
```
|
||||
|
||||
Otherwise you will be building a developpement build from the `main` branch
|
||||
that includes all of the changes to be released in the next version.
|
||||
Be careful that such a build might be unstable or contain bugs,
|
||||
and could be incompatible with nodes that run stable versions of Garage.
|
||||
|
||||
Finally, build Garage with the following command:
|
||||
|
||||
```bash
|
||||
cargo build --release
|
||||
```
|
||||
|
||||
The binary built this way can now be found in `target/release/garage`.
|
||||
You may simply copy this binary to somewhere in your `$PATH` in order to
|
||||
have the `garage` command available in your shell, for instance:
|
||||
|
||||
```bash
|
||||
sudo cp target/release/garage /usr/local/bin/garage
|
||||
```
|
||||
|
||||
If you are planning to develop Garage,
|
||||
you might be interested in producing debug builds, which compile faster but run slower:
|
||||
this can be done by removing the `--release` flag, and the resulting build can then
|
||||
be found in `target/debug/garage`.
|
||||
|
||||
## List of available Cargo feature flags
|
||||
|
||||
Garage supports a number of compilation options in the form of Cargo feature flags,
|
||||
which can be used to provide builds adapted to your system and your use case.
|
||||
To produce a build with a given set of features, invoke the `cargo build` command
|
||||
as follows:
|
||||
|
||||
```bash
|
||||
# This will build the default feature set plus feature1, feature2 and feature3
|
||||
cargo build --release --features feature1,feature2,feature3
|
||||
# This will build ONLY feature1, feature2 and feature3
|
||||
cargo build --release --no-default-features \
|
||||
--features feature1,feature2,feature3
|
||||
```
|
||||
|
||||
The following feature flags are available in v0.8.0:
|
||||
|
||||
| Feature flag | Enabled | Description |
|
||||
| ------------ | ------- | ----------- |
|
||||
| `bundled-libs` | *by default* | Use bundled version of sqlite3, zstd, lmdb and libsodium |
|
||||
| `system-libs` | optional | Use system version of sqlite3, zstd, lmdb and libsodium<br>if available (exclusive with `bundled-libs`, build using<br>`cargo build --no-default-features --features system-libs`) |
|
||||
| `k2v` | optional | Enable the experimental K2V API (if used, all nodes on your<br>Garage cluster must have it enabled as well) |
|
||||
| `kubernetes-discovery` | optional | Enable automatic registration and discovery<br>of cluster nodes through the Kubernetes API |
|
||||
| `metrics` | *by default* | Enable collection of metrics in Prometheus format on the admin API |
|
||||
| `telemetry-otlp` | optional | Enable collection of execution traces using OpenTelemetry |
|
||||
| `syslog` | optional | Enable logging to Syslog |
|
||||
| `lmdb` | *by default* | Enable using LMDB to store Garage's metadata |
|
||||
| `sqlite` | *by default* | Enable using Sqlite3 to store Garage's metadata |
|
|
@ -1,39 +0,0 @@
|
|||
+++
|
||||
title = "Configuring a gateway node"
|
||||
weight = 20
|
||||
+++
|
||||
|
||||
Gateways allow you to expose Garage endpoints (S3 API and websites) without storing data on the node.
|
||||
|
||||
## Benefits
|
||||
|
||||
You can configure Garage as a gateway on all nodes that will consume your S3 API, it will provide you the following benefits:
|
||||
|
||||
- **It removes 1 or 2 network RTT.** Instead of (querying your reverse proxy then) querying a random node of the cluster that will forward your request to the nodes effectively storing the data, your local gateway will directly knows which node to query.
|
||||
|
||||
- **It eases server management.** Instead of tracking in your reverse proxy and DNS what are the current Garage nodes, your gateway being part of the cluster keeps this information for you. In your software, you will always specify `http://localhost:3900`.
|
||||
|
||||
- **It simplifies security.** Instead of having to maintain and renew a TLS certificate, you leverage the Secret Handshake protocol we use for our cluster. The S3 API protocol will be in plain text but limited to your local machine.
|
||||
|
||||
|
||||
## Spawn a Gateway
|
||||
|
||||
The instructions are similar to a regular node, the only option that is different is while configuring the node, you must set the `--gateway` parameter:
|
||||
|
||||
```bash
|
||||
garage layout assign --gateway --tag gw1 -z dc1 <node_id>
|
||||
garage layout show # review the changes you are making
|
||||
garage layout apply # once satisfied, apply the changes
|
||||
```
|
||||
|
||||
Then use `http://localhost:3900` when a S3 endpoint is required:
|
||||
|
||||
```bash
|
||||
aws --endpoint-url http://127.0.0.1:3900 s3 ls
|
||||
```
|
||||
|
||||
If a newly added gateway node seems to not be working, do a full table resync to ensure that bucket and key list are correctly propagated:
|
||||
|
||||
```bash
|
||||
garage repair -a --yes tables
|
||||
```
|
|
@ -1,88 +0,0 @@
|
|||
+++
|
||||
title = "Deploying on Kubernetes"
|
||||
weight = 32
|
||||
+++
|
||||
|
||||
Garage can also be deployed on a kubernetes cluster via helm chart.
|
||||
|
||||
## Deploying
|
||||
|
||||
Firstly clone the repository:
|
||||
|
||||
```bash
|
||||
git clone https://git.deuxfleurs.fr/Deuxfleurs/garage
|
||||
cd garage/scripts/helm
|
||||
```
|
||||
|
||||
Deploy with default options:
|
||||
|
||||
```bash
|
||||
helm install --create-namespace --namespace garage garage ./garage
|
||||
```
|
||||
|
||||
Or deploy with custom values:
|
||||
|
||||
```bash
|
||||
helm install --create-namespace --namespace garage garage ./garage -f values.override.yaml
|
||||
```
|
||||
|
||||
After deploying, cluster layout must be configured manually as described in [Creating a cluster layout](@/documentation/quick-start/_index.md#creating-a-cluster-layout). Use the following command to access garage CLI:
|
||||
|
||||
```bash
|
||||
kubectl exec --stdin --tty -n garage garage-0 -- ./garage status
|
||||
```
|
||||
|
||||
## Overriding default values
|
||||
|
||||
All possible configuration values can be found with:
|
||||
|
||||
```bash
|
||||
helm show values ./garage
|
||||
```
|
||||
|
||||
This is an example `values.overrride.yaml` for deploying in a microk8s cluster with a https s3 api ingress route:
|
||||
|
||||
```yaml
|
||||
garage:
|
||||
# Use only 2 replicas per object
|
||||
replicationMode: "2"
|
||||
|
||||
# Start 4 instances (StatefulSets) of garage
|
||||
deployment:
|
||||
replicaCount: 4
|
||||
|
||||
# Override default storage class and size
|
||||
persistence:
|
||||
meta:
|
||||
storageClass: "openebs-hostpath"
|
||||
size: 100Mi
|
||||
data:
|
||||
storageClass: "openebs-hostpath"
|
||||
size: 1Gi
|
||||
|
||||
ingress:
|
||||
s3:
|
||||
api:
|
||||
enabled: true
|
||||
className: "public"
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: "letsencrypt-prod"
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: 500m
|
||||
hosts:
|
||||
- host: s3-api.my-domain.com
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- secretName: garage-ingress-cert
|
||||
hosts:
|
||||
- s3-api.my-domain.com
|
||||
```
|
||||
|
||||
## Removing
|
||||
|
||||
```bash
|
||||
helm delete --namespace garage garage
|
||||
```
|
||||
|
||||
Note that this will leave behind custom CRD `garagenodes.deuxfleurs.fr`, which must be removed manually if desired.
|
|
@ -1,53 +0,0 @@
|
|||
+++
|
||||
title = "Monitoring Garage"
|
||||
weight = 40
|
||||
+++
|
||||
|
||||
Garage exposes some internal metrics in the Prometheus data format.
|
||||
This page explains how to exploit these metrics.
|
||||
|
||||
## Setting up monitoring
|
||||
|
||||
### Enabling the Admin API endpoint
|
||||
|
||||
If you have not already enabled the [administration API endpoint](@/documentation/reference-manual/admin-api.md), do so by adding the following lines to your configuration file:
|
||||
|
||||
```toml
|
||||
[admin]
|
||||
api_bind_addr = "0.0.0.0:3903"
|
||||
```
|
||||
|
||||
This will allow anyone to scrape Prometheus metrics by fetching
|
||||
`http://localhost:3903/metrics`. If you want to restrict access
|
||||
to the exported metrics, set the `metrics_token` configuration value
|
||||
to a bearer token to be used when fetching the metrics endpoint.
|
||||
|
||||
### Setting up Prometheus and Grafana
|
||||
|
||||
Add a scrape config to your Prometheus daemon to scrape metrics from
|
||||
all of your nodes:
|
||||
|
||||
```yaml
|
||||
scrape_configs:
|
||||
- job_name: 'garage'
|
||||
static_configs:
|
||||
- targets:
|
||||
- 'node1.mycluster:3903'
|
||||
- 'node2.mycluster:3903'
|
||||
- 'node3.mycluster:3903'
|
||||
```
|
||||
|
||||
If you have set a metrics token in your Garage configuration file,
|
||||
add the following lines in your Prometheus scrape config:
|
||||
|
||||
```yaml
|
||||
authorization:
|
||||
type: Bearer
|
||||
credentials: 'your metrics token'
|
||||
```
|
||||
|
||||
To visualize the scraped data in Grafana,
|
||||
you can either import our [Grafana dashboard for Garage](https://git.deuxfleurs.fr/Deuxfleurs/garage/raw/branch/main/script/telemetry/grafana-garage-dashboard-prometheus.json)
|
||||
or make your own.
|
||||
|
||||
The list of exported metrics is available on our [dedicated page](@/documentation/reference-manual/monitoring.md) in the Reference manual section.
|
|
@ -1,373 +0,0 @@
|
|||
+++
|
||||
title = "Deployment on a cluster"
|
||||
weight = 5
|
||||
+++
|
||||
|
||||
To run Garage in cluster mode, we recommend having at least 3 nodes.
|
||||
This will allow you to setup Garage for three-way replication of your data,
|
||||
the safest and most available mode proposed by Garage.
|
||||
|
||||
We recommend first following the [quick start guide](@/documentation/quick-start/_index.md) in order
|
||||
to get familiar with Garage's command line and usage patterns.
|
||||
|
||||
|
||||
## Preparing your environment
|
||||
|
||||
### Prerequisites
|
||||
|
||||
To run a real-world deployment, make sure the following conditions are met:
|
||||
|
||||
- You have at least three machines with sufficient storage space available.
|
||||
|
||||
- Each machine has an IP address which makes it directly reachable by all other machines.
|
||||
In many cases, nodes will be behind a NAT and will not each have a public
|
||||
IPv4 addresses. In this case, is recommended that you use IPv6 for this
|
||||
end-to-end connectivity if it is available. Otherwise, using a mesh VPN such as
|
||||
[Nebula](https://github.com/slackhq/nebula) or
|
||||
[Yggdrasil](https://yggdrasil-network.github.io/) are approaches to consider
|
||||
in addition to building out your own VPN tunneling.
|
||||
|
||||
- This guide will assume you are using Docker containers to deploy Garage on each node.
|
||||
Garage can also be run independently, for instance as a [Systemd service](@/documentation/cookbook/systemd.md).
|
||||
You can also use an orchestrator such as Nomad or Kubernetes to automatically manage
|
||||
Docker containers on a fleet of nodes.
|
||||
|
||||
Before deploying Garage on your infrastructure, you must inventory your machines.
|
||||
For our example, we will suppose the following infrastructure with IPv6 connectivity:
|
||||
|
||||
| Location | Name | IP Address | Disk Space |
|
||||
|----------|---------|------------|------------|
|
||||
| Paris | Mercury | fc00:1::1 | 1 TB |
|
||||
| Paris | Venus | fc00:1::2 | 2 TB |
|
||||
| London | Earth | fc00:B::1 | 2 TB |
|
||||
| Brussels | Mars | fc00:F::1 | 1.5 TB |
|
||||
|
||||
Note that Garage will **always** store the three copies of your data on nodes at different
|
||||
locations. This means that in the case of this small example, the usable capacity
|
||||
of the cluster is in fact only 1.5 TB, because nodes in Brussels can't store more than that.
|
||||
This also means that nodes in Paris and London will be under-utilized.
|
||||
To make better use of the available hardware, you should ensure that the capacity
|
||||
available in the different locations of your cluster is roughly the same.
|
||||
For instance, here, the Mercury node could be moved to Brussels; this would allow the cluster
|
||||
to store 2 TB of data in total.
|
||||
|
||||
### Best practices
|
||||
|
||||
- If you have reasonably fast networking between all your nodes, and are planing to store
|
||||
mostly large files, bump the `block_size` configuration parameter to 10 MB
|
||||
(`block_size = "10M"`).
|
||||
|
||||
- Garage stores its files in two locations: it uses a metadata directory to store frequently-accessed
|
||||
small metadata items, and a data directory to store data blocks of uploaded objects.
|
||||
Ideally, the metadata directory would be stored on an SSD (smaller but faster),
|
||||
and the data directory would be stored on an HDD (larger but slower).
|
||||
|
||||
- For the data directory, Garage already does checksumming and integrity verification,
|
||||
so there is no need to use a filesystem such as BTRFS or ZFS that does it.
|
||||
We recommend using XFS for the data partition, as it has the best performance.
|
||||
EXT4 is not recommended as it has more strict limitations on the number of inodes,
|
||||
which might cause issues with Garage when large numbers of objects are stored.
|
||||
|
||||
- Servers with multiple HDDs are supported natively by Garage without resorting
|
||||
to RAID, see [our dedicated documentation page](@/documentation/operations/multi-hdd.md).
|
||||
|
||||
- For the metadata storage, Garage does not do checksumming and integrity
|
||||
verification on its own, so it is better to use a robust filesystem such as
|
||||
BTRFS or ZFS. Users have reported that when using the LMDB database engine
|
||||
(the default), database files have a tendency of becoming corrupted after an
|
||||
unclean shutdown (e.g. a power outage), so you should take regular snapshots
|
||||
to be able to recover from such a situation. This can be done using Garage's
|
||||
built-in automatic snapshotting (since v0.9.4), or by using filesystem level
|
||||
snapshots. If you cannot do so, you might want to switch to Sqlite which is
|
||||
more robust.
|
||||
|
||||
- LMDB is the fastest and most tested database engine, but it has the following
|
||||
weaknesses: 1/ data files are not architecture-independent, you cannot simply
|
||||
move a Garage metadata directory between nodes running different architectures,
|
||||
and 2/ LMDB is not suited for 32-bit platforms. Sqlite is a viable alternative
|
||||
if any of these are of concern.
|
||||
|
||||
- If you only have an HDD and no SSD, it's fine to put your metadata alongside
|
||||
the data on the same drive, but then consider your filesystem choice wisely
|
||||
(see above). Having lots of RAM for your kernel to cache the metadata will
|
||||
help a lot with performance. The default LMDB database engine is the most
|
||||
tested and has good performance.
|
||||
|
||||
## Get a Docker image
|
||||
|
||||
Our docker image is currently named `dxflrs/garage` and is stored on the [Docker Hub](https://hub.docker.com/r/dxflrs/garage/tags?page=1&ordering=last_updated).
|
||||
We encourage you to use a fixed tag (eg. `v1.0.0`) and not the `latest` tag.
|
||||
For this example, we will use the latest published version at the time of the writing which is `v1.0.0` but it's up to you
|
||||
to check [the most recent versions on the Docker Hub](https://hub.docker.com/r/dxflrs/garage/tags?page=1&ordering=last_updated).
|
||||
|
||||
For example:
|
||||
|
||||
```
|
||||
sudo docker pull dxflrs/garage:v1.0.0
|
||||
```
|
||||
|
||||
## Deploying and configuring Garage
|
||||
|
||||
On each machine, we will have a similar setup,
|
||||
especially you must consider the following folders/files:
|
||||
|
||||
- `/etc/garage.toml`: Garage daemon's configuration (see below)
|
||||
|
||||
- `/var/lib/garage/meta/`: Folder containing Garage's metadata,
|
||||
put this folder on a SSD if possible
|
||||
|
||||
- `/var/lib/garage/data/`: Folder containing Garage's data,
|
||||
this folder will be your main data storage and must be on a large storage (e.g. large HDD)
|
||||
|
||||
|
||||
A valid `/etc/garage.toml` for our cluster would look as follows:
|
||||
|
||||
```toml
|
||||
metadata_dir = "/var/lib/garage/meta"
|
||||
data_dir = "/var/lib/garage/data"
|
||||
db_engine = "lmdb"
|
||||
metadata_auto_snapshot_interval = "6h"
|
||||
|
||||
replication_factor = 3
|
||||
|
||||
compression_level = 2
|
||||
|
||||
rpc_bind_addr = "[::]:3901"
|
||||
rpc_public_addr = "<this node's public IP>:3901"
|
||||
rpc_secret = "<RPC secret>"
|
||||
|
||||
[s3_api]
|
||||
s3_region = "garage"
|
||||
api_bind_addr = "[::]:3900"
|
||||
root_domain = ".s3.garage"
|
||||
|
||||
[s3_web]
|
||||
bind_addr = "[::]:3902"
|
||||
root_domain = ".web.garage"
|
||||
index = "index.html"
|
||||
```
|
||||
|
||||
Check the following for your configuration files:
|
||||
|
||||
- Make sure `rpc_public_addr` contains the public IP address of the node you are configuring.
|
||||
This parameter is optional but recommended: if your nodes have trouble communicating with
|
||||
one another, consider adding it.
|
||||
|
||||
- Make sure `rpc_secret` is the same value on all nodes. It should be a 32-bytes hex-encoded secret key.
|
||||
You can generate such a key with `openssl rand -hex 32`.
|
||||
|
||||
## Starting Garage using Docker
|
||||
|
||||
On each machine, you can run the daemon with:
|
||||
|
||||
```bash
|
||||
docker run \
|
||||
-d \
|
||||
--name garaged \
|
||||
--restart always \
|
||||
--network host \
|
||||
-v /etc/garage.toml:/etc/garage.toml \
|
||||
-v /var/lib/garage/meta:/var/lib/garage/meta \
|
||||
-v /var/lib/garage/data:/var/lib/garage/data \
|
||||
dxflrs/garage:v1.0.0
|
||||
```
|
||||
|
||||
With this command line, Garage should be started automatically at each boot.
|
||||
Please note that we use host networking as otherwise the network indirection
|
||||
added by Docker would prevent Garage nodes from communicating with one another
|
||||
(especially if using IPv6).
|
||||
|
||||
If you want to use `docker-compose`, you may use the following `docker-compose.yml` file as a reference:
|
||||
|
||||
```yaml
|
||||
version: "3"
|
||||
services:
|
||||
garage:
|
||||
image: dxflrs/garage:v1.0.0
|
||||
network_mode: "host"
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- /etc/garage.toml:/etc/garage.toml
|
||||
- /var/lib/garage/meta:/var/lib/garage/meta
|
||||
- /var/lib/garage/data:/var/lib/garage/data
|
||||
```
|
||||
|
||||
If you wish to upgrade your cluster, make sure to read the corresponding
|
||||
[documentation page](@/documentation/operations/upgrading.md) first, as well as
|
||||
the documentation relevant to your version of Garage in the case of major
|
||||
upgrades. With the containerized setup proposed here, the upgrade process
|
||||
will require stopping and removing the existing container, and re-creating it
|
||||
with the upgraded version.
|
||||
|
||||
## Controlling the daemon
|
||||
|
||||
The `garage` binary has two purposes:
|
||||
- it acts as a daemon when launched with `garage server`
|
||||
- it acts as a control tool for the daemon when launched with any other command
|
||||
|
||||
Ensure an appropriate `garage` binary (the same version as your Docker image) is available in your path.
|
||||
If your configuration file is at `/etc/garage.toml`, the `garage` binary should work with no further change.
|
||||
|
||||
You can also use an alias as follows to use the Garage binary inside your docker container:
|
||||
|
||||
```bash
|
||||
alias garage="docker exec -ti <container name> /garage"
|
||||
```
|
||||
|
||||
You can test your `garage` CLI utility by running a simple command such as:
|
||||
|
||||
```bash
|
||||
garage status
|
||||
```
|
||||
|
||||
At this point, nodes are not yet talking to one another.
|
||||
Your output should therefore look like follows:
|
||||
|
||||
```
|
||||
Mercury$ garage status
|
||||
==== HEALTHY NODES ====
|
||||
ID Hostname Address Tag Zone Capacity
|
||||
563e1ac825ee3323… Mercury [fc00:1::1]:3901 NO ROLE ASSIGNED
|
||||
```
|
||||
|
||||
|
||||
## Connecting nodes together
|
||||
|
||||
When your Garage nodes first start, they will generate a local node identifier
|
||||
(based on a public/private key pair).
|
||||
|
||||
To obtain the node identifier of a node, once it is generated,
|
||||
run `garage node id`.
|
||||
This will print keys as follows:
|
||||
|
||||
```bash
|
||||
Mercury$ garage node id
|
||||
563e1ac825ee3323aa441e72c26d1030d6d4414aeb3dd25287c531e7fc2bc95d@[fc00:1::1]:3901
|
||||
|
||||
Venus$ garage node id
|
||||
86f0f26ae4afbd59aaf9cfb059eefac844951efd5b8caeec0d53f4ed6c85f332@[fc00:1::2]:3901
|
||||
|
||||
etc.
|
||||
```
|
||||
|
||||
You can then instruct nodes to connect to one another as follows:
|
||||
|
||||
```bash
|
||||
# Instruct Venus to connect to Mercury (this will establish communication both ways)
|
||||
Venus$ garage node connect 563e1ac825ee3323aa441e72c26d1030d6d4414aeb3dd25287c531e7fc2bc95d@[fc00:1::1]:3901
|
||||
```
|
||||
|
||||
You don't need to instruct all node to connect to all other nodes:
|
||||
nodes will discover one another transitively.
|
||||
|
||||
Now if your run `garage status` on any node, you should have an output that looks as follows:
|
||||
|
||||
```
|
||||
==== HEALTHY NODES ====
|
||||
ID Hostname Address Tag Zone Capacity
|
||||
563e1ac825ee3323… Mercury [fc00:1::1]:3901 NO ROLE ASSIGNED
|
||||
86f0f26ae4afbd59… Venus [fc00:1::2]:3901 NO ROLE ASSIGNED
|
||||
68143d720f20c89d… Earth [fc00:B::1]:3901 NO ROLE ASSIGNED
|
||||
212f7572f0c89da9… Mars [fc00:F::1]:3901 NO ROLE ASSIGNED
|
||||
```
|
||||
|
||||
## Creating a cluster layout
|
||||
|
||||
We will now inform Garage of the disk space available on each node of the cluster
|
||||
as well as the zone (e.g. datacenter) in which each machine is located.
|
||||
This information is called the **cluster layout** and consists
|
||||
of a role that is assigned to each active cluster node.
|
||||
|
||||
For our example, we will suppose we have the following infrastructure
|
||||
(Capacity, Identifier and Zone are specific values to Garage described in the following):
|
||||
|
||||
| Location | Name | Disk Space | Identifier | Zone (`-z`) | Capacity (`-c`) |
|
||||
|----------|---------|------------|------------|-------------|-----------------|
|
||||
| Paris | Mercury | 1 TB | `563e` | `par1` | `1T` |
|
||||
| Paris | Venus | 2 TB | `86f0` | `par1` | `2T` |
|
||||
| London | Earth | 2 TB | `6814` | `lon1` | `2T` |
|
||||
| Brussels | Mars | 1.5 TB | `212f` | `bru1` | `1.5T` |
|
||||
|
||||
#### Node identifiers
|
||||
|
||||
After its first launch, Garage generates a random and unique identifier for each nodes, such as:
|
||||
|
||||
```
|
||||
563e1ac825ee3323aa441e72c26d1030d6d4414aeb3dd25287c531e7fc2bc95d
|
||||
```
|
||||
|
||||
Often a shorter form can be used, containing only the beginning of the identifier, like `563e`,
|
||||
which identifies the server "Mercury" located in "Paris" according to our previous table.
|
||||
|
||||
The most simple way to match an identifier to a node is to run:
|
||||
|
||||
```
|
||||
garage status
|
||||
```
|
||||
|
||||
It will display the IP address associated with each node;
|
||||
from the IP address you will be able to recognize the node.
|
||||
|
||||
We will now use the `garage layout assign` command to configure the correct parameters for each node.
|
||||
|
||||
#### Zones
|
||||
|
||||
Zones are simply a user-chosen identifier that identify a group of server that are grouped together logically.
|
||||
It is up to the system administrator deploying Garage to identify what does "grouped together" means.
|
||||
|
||||
In most cases, a zone will correspond to a geographical location (i.e. a datacenter).
|
||||
Behind the scene, Garage will use zone definition to try to store the same data on different zones,
|
||||
in order to provide high availability despite failure of a zone.
|
||||
|
||||
Zones are passed to Garage using the `-z` flag of `garage layout assign` (see below).
|
||||
|
||||
#### Capacity
|
||||
|
||||
Garage needs to know the storage capacity (disk space) it can/should use on
|
||||
each node, to be able to correctly balance data.
|
||||
|
||||
Capacity values are expressed in bytes and are passed to Garage using the `-c` flag of `garage layout assign` (see below).
|
||||
|
||||
#### Tags
|
||||
|
||||
You can add additional tags to nodes using the `-t` flag of `garage layout assign` (see below).
|
||||
Tags have no specific meaning for Garage and can be used at your convenience.
|
||||
|
||||
#### Injecting the topology
|
||||
|
||||
Given the information above, we will configure our cluster as follow:
|
||||
|
||||
```bash
|
||||
garage layout assign 563e -z par1 -c 1T -t mercury
|
||||
garage layout assign 86f0 -z par1 -c 2T -t venus
|
||||
garage layout assign 6814 -z lon1 -c 2T -t earth
|
||||
garage layout assign 212f -z bru1 -c 1.5T -t mars
|
||||
```
|
||||
|
||||
At this point, the changes in the cluster layout have not yet been applied.
|
||||
To show the new layout that will be applied, call:
|
||||
|
||||
```bash
|
||||
garage layout show
|
||||
```
|
||||
|
||||
Make sure to read carefully the output of `garage layout show`.
|
||||
Once you are satisfied with your new layout, apply it with:
|
||||
|
||||
```bash
|
||||
garage layout apply
|
||||
```
|
||||
|
||||
**WARNING:** if you want to use the layout modification commands in a script,
|
||||
make sure to read [this page](@/documentation/operations/layout.md) first.
|
||||
|
||||
|
||||
## Using your Garage cluster
|
||||
|
||||
Creating buckets and managing keys is done using the `garage` CLI,
|
||||
and is covered in the [quick start guide](@/documentation/quick-start/_index.md).
|
||||
Remember also that the CLI is self-documented thanks to the `--help` flag and
|
||||
the `help` subcommand (e.g. `garage help`, `garage key --help`).
|
||||
|
||||
Configuring S3-compatible applications to interact with Garage
|
||||
is covered in the [Integrations](@/documentation/connect/_index.md) section.
|
|
@ -1,503 +0,0 @@
|
|||
+++
|
||||
title = "Configuring a reverse proxy"
|
||||
weight = 30
|
||||
+++
|
||||
|
||||
The main reason to add a reverse proxy in front of Garage is to provide TLS to your users and serve multiple web services on port 443.
|
||||
|
||||
In production you will likely need your certificates signed by a certificate authority.
|
||||
The most automated way is to use a provider supporting the [ACME protocol](https://datatracker.ietf.org/doc/html/rfc8555)
|
||||
such as [Let's Encrypt](https://letsencrypt.org/), [ZeroSSL](https://zerossl.com/) or [Buypass Go SSL](https://www.buypass.com/ssl/products/acme).
|
||||
|
||||
If you are only testing Garage, you can generate a self-signed certificate to follow the documentation:
|
||||
|
||||
```bash
|
||||
openssl req \
|
||||
-new \
|
||||
-x509 \
|
||||
-keyout /tmp/garage.key \
|
||||
-out /tmp/garage.crt \
|
||||
-nodes \
|
||||
-subj "/C=XX/ST=XX/L=XX/O=XX/OU=XX/CN=localhost/emailAddress=X@X.XX" \
|
||||
-addext "subjectAltName = DNS:localhost, IP:127.0.0.1"
|
||||
|
||||
cat /tmp/garage.key /tmp/garage.crt > /tmp/garage.pem
|
||||
```
|
||||
|
||||
Be careful as you will need to allow self signed certificates in your client.
|
||||
For example, with minio, you must add the `--insecure` flag.
|
||||
An example:
|
||||
|
||||
```bash
|
||||
mc ls --insecure garage/
|
||||
```
|
||||
|
||||
## socat (only for testing purposes)
|
||||
|
||||
If you want to test Garage with a TLS frontend, socat can do it for you in a single command:
|
||||
|
||||
```bash
|
||||
socat \
|
||||
"openssl-listen:443,\
|
||||
reuseaddr,\
|
||||
fork,\
|
||||
verify=0,\
|
||||
cert=/tmp/garage.pem" \
|
||||
tcp4-connect:localhost:3900
|
||||
```
|
||||
|
||||
## Nginx
|
||||
|
||||
Nginx is a well-known reverse proxy suitable for production.
|
||||
We do the configuration in 3 steps: first we define the upstream blocks ("the backends")
|
||||
then we define the server blocks ("the frontends") for the S3 endpoint and finally for the web endpoint.
|
||||
|
||||
The following configuration blocks can be all put in the same `/etc/nginx/sites-available/garage.conf`.
|
||||
To make your configuration active, run `ln -s /etc/nginx/sites-available/garage.conf /etc/nginx/sites-enabled/`.
|
||||
If you directly put the instructions in the root `nginx.conf`, keep in mind that these configurations must be enclosed inside a `http { }` block.
|
||||
|
||||
And do not forget to reload nginx with `systemctl reload nginx` or `nginx -s reload`.
|
||||
|
||||
### Exposing the S3 endpoints
|
||||
|
||||
First, we need to tell to nginx how to access our Garage cluster.
|
||||
Because we have multiple nodes, we want to leverage all of them by spreading the load.
|
||||
In nginx, we can do that with the `upstream` directive.
|
||||
|
||||
Then in a `server` directive, we define the vhosts, the TLS certificates and the proxy rule.
|
||||
|
||||
A possible configuration:
|
||||
|
||||
```nginx
|
||||
upstream s3_backend {
|
||||
# If you have a garage instance locally.
|
||||
server 127.0.0.1:3900;
|
||||
# You can also put your other instances.
|
||||
server 192.168.1.3:3900;
|
||||
# Domain names also work.
|
||||
server garage1.example.com:3900;
|
||||
# A "backup" server is only used if all others have failed.
|
||||
server garage-remote.example.com:3900 backup;
|
||||
# You can assign weights if you have some servers
|
||||
# that can serve more requests than others.
|
||||
server garage2.example.com:3900 weight=2;
|
||||
}
|
||||
|
||||
server {
|
||||
listen [::]:443 http2 ssl;
|
||||
|
||||
ssl_certificate /tmp/garage.crt;
|
||||
ssl_certificate_key /tmp/garage.key;
|
||||
|
||||
# You need multiple server names here:
|
||||
# - s3.garage.tld is used for path-based s3 requests
|
||||
# - *.s3.garage.tld is used for vhost-based s3 requests
|
||||
server_name s3.garage.tld *.s3.garage.tld;
|
||||
|
||||
location / {
|
||||
proxy_pass http://s3_backend;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $host;
|
||||
# Disable buffering to a temporary file.
|
||||
proxy_max_temp_file_size 0;
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Exposing the web endpoint
|
||||
|
||||
To better understand the logic involved, you can refer to the [Exposing buckets as websites](/cookbook/exposing_websites.html) section.
|
||||
Otherwise, the configuration is very similar to the S3 endpoint.
|
||||
You must only adapt `upstream` with the web port instead of the s3 port and change the `server_name` and `proxy_pass` entry
|
||||
|
||||
A possible configuration:
|
||||
|
||||
|
||||
```nginx
|
||||
upstream web_backend {
|
||||
server 127.0.0.1:3902;
|
||||
server 192.168.1.3:3902;
|
||||
server garage1.example.com:3902;
|
||||
server garage2.example.com:3902 weight=2;
|
||||
}
|
||||
|
||||
server {
|
||||
listen [::]:443 http2 ssl;
|
||||
|
||||
ssl_certificate /tmp/garage.crt;
|
||||
ssl_certificate_key /tmp/garage.key;
|
||||
|
||||
# You need multiple server names here:
|
||||
# - *.web.garage.tld is used for your users wanting a website without reserving a domain name
|
||||
# - example.com, my-site.tld, etc. are reserved domain name by your users that chose to host their website as a garage's bucket
|
||||
server_name *.web.garage.tld example.com my-site.tld;
|
||||
|
||||
location / {
|
||||
proxy_pass http://web_backend;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
## Apache httpd
|
||||
|
||||
@TODO
|
||||
|
||||
## Traefik v2
|
||||
|
||||
We will see in this part how to set up a reverse proxy with [Traefik](https://docs.traefik.io/).
|
||||
|
||||
Here is [a basic configuration file](https://doc.traefik.io/traefik/https/acme/#configuration-examples):
|
||||
|
||||
```toml
|
||||
[entryPoints]
|
||||
[entryPoints.web]
|
||||
address = ":80"
|
||||
|
||||
[entryPoints.websecure]
|
||||
address = ":443"
|
||||
|
||||
[certificatesResolvers.myresolver.acme]
|
||||
email = "your-email@example.com"
|
||||
storage = "acme.json"
|
||||
[certificatesResolvers.myresolver.acme.httpChallenge]
|
||||
# used during the challenge
|
||||
entryPoint = "web"
|
||||
```
|
||||
|
||||
### Add Garage service
|
||||
|
||||
To add Garage on Traefik you should declare two new services using its IP
|
||||
address (or hostname) and port, these are used for the S3, and web components
|
||||
of Garage:
|
||||
|
||||
```toml
|
||||
[http.services]
|
||||
[http.services.garage-s3-service.loadBalancer]
|
||||
[[http.services.garage-s3-service.loadBalancer.servers]]
|
||||
url = "http://xxx.xxx.xxx.xxx"
|
||||
port = 3900
|
||||
|
||||
[http.services.garage-web-service.loadBalancer]
|
||||
[[http.services.garage-web-service.loadBalancer.servers]]
|
||||
url = "http://xxx.xxx.xxx.xxx"
|
||||
port = 3902
|
||||
```
|
||||
|
||||
It's possible to declare multiple Garage servers as back-ends:
|
||||
|
||||
```toml
|
||||
[http.services]
|
||||
[[http.services.garage-s3-service.loadBalancer.servers]]
|
||||
url = "http://xxx.xxx.xxx.xxx"
|
||||
port = 3900
|
||||
[[http.services.garage-s3-service.loadBalancer.servers]]
|
||||
url = "http://yyy.yyy.yyy.yyy"
|
||||
port = 3900
|
||||
[[http.services.garage-s3-service.loadBalancer.servers]]
|
||||
url = "http://zzz.zzz.zzz.zzz"
|
||||
port = 3900
|
||||
|
||||
[[http.services.garage-web-service.loadBalancer.servers]]
|
||||
url = "http://xxx.xxx.xxx.xxx"
|
||||
port = 3902
|
||||
[[http.services.garage-web-service.loadBalancer.servers]]
|
||||
url = "http://yyy.yyy.yyy.yyy"
|
||||
port = 3902
|
||||
[[http.services.garage-web-service.loadBalancer.servers]]
|
||||
url = "http://zzz.zzz.zzz.zzz"
|
||||
port = 3902
|
||||
```
|
||||
|
||||
Traefik can remove unhealthy servers automatically with [a health check configuration](https://doc.traefik.io/traefik/routing/services/#health-check):
|
||||
|
||||
```
|
||||
[http.services]
|
||||
[http.services.garage-s3-service.loadBalancer]
|
||||
[http.services.garage-s3-service.loadBalancer.healthCheck]
|
||||
path = "/health"
|
||||
port = "3903"
|
||||
#interval = "15s"
|
||||
#timeout = "2s"
|
||||
|
||||
[http.services.garage-web-service.loadBalancer]
|
||||
[http.services.garage-web-service.loadBalancer.healthCheck]
|
||||
path = "/health"
|
||||
port = "3903"
|
||||
#interval = "15s"
|
||||
#timeout = "2s"
|
||||
```
|
||||
|
||||
### Adding a website
|
||||
|
||||
To add a new website, add the following declaration to your Traefik configuration file:
|
||||
|
||||
```toml
|
||||
[http.routers]
|
||||
[http.routers.garage-s3]
|
||||
rule = "Host(`s3.example.org`)"
|
||||
service = "garage-s3-service"
|
||||
entryPoints = ["websecure"]
|
||||
|
||||
[http.routers.my_website]
|
||||
rule = "Host(`yoururl.example.org`)"
|
||||
service = "garage-web-service"
|
||||
entryPoints = ["websecure"]
|
||||
```
|
||||
|
||||
Enable HTTPS access to your website with the following configuration section ([documentation](https://doc.traefik.io/traefik/https/overview/)):
|
||||
|
||||
```toml
|
||||
...
|
||||
entryPoints = ["websecure"]
|
||||
[http.routers.my_website.tls]
|
||||
certResolver = "myresolver"
|
||||
...
|
||||
```
|
||||
|
||||
### Adding compression
|
||||
|
||||
Add the following configuration section [to compress response](https://doc.traefik.io/traefik/middlewares/http/compress/) using [gzip](https://developer.mozilla.org/en-US/docs/Glossary/GZip_compression) before sending them to the client:
|
||||
|
||||
```toml
|
||||
[http.routers]
|
||||
[http.routers.my_website]
|
||||
...
|
||||
middlewares = ["compression"]
|
||||
...
|
||||
[http.middlewares]
|
||||
[http.middlewares.compression.compress]
|
||||
```
|
||||
|
||||
### Add caching response
|
||||
|
||||
Traefik's caching middleware is only available on [entreprise version](https://doc.traefik.io/traefik-enterprise/middlewares/http-cache/), however the freely-available [Souin plugin](https://github.com/darkweak/souin#tr%C3%A6fik-container) can also do the job. (section to be completed)
|
||||
|
||||
### Complete example
|
||||
|
||||
```toml
|
||||
[entryPoints]
|
||||
[entryPoints.web]
|
||||
address = ":80"
|
||||
|
||||
[entryPoints.websecure]
|
||||
address = ":443"
|
||||
|
||||
[certificatesResolvers.myresolver.acme]
|
||||
email = "your-email@example.com"
|
||||
storage = "acme.json"
|
||||
[certificatesResolvers.myresolver.acme.httpChallenge]
|
||||
# used during the challenge
|
||||
entryPoint = "web"
|
||||
|
||||
[http.routers]
|
||||
[http.routers.garage-s3]
|
||||
rule = "Host(`s3.example.org`)"
|
||||
service = "garage-s3-service"
|
||||
entryPoints = ["websecure"]
|
||||
|
||||
[http.routers.my_website]
|
||||
rule = "Host(`yoururl.example.org`)"
|
||||
service = "garage-web-service"
|
||||
middlewares = ["compression"]
|
||||
entryPoints = ["websecure"]
|
||||
|
||||
[http.services]
|
||||
[http.services.garage-s3-service.loadBalancer]
|
||||
[http.services.garage-s3-service.loadBalancer.healthCheck]
|
||||
path = "/health"
|
||||
port = "3903"
|
||||
#interval = "15s"
|
||||
#timeout = "2s"
|
||||
|
||||
[http.services.garage-web-service.loadBalancer]
|
||||
[http.services.garage-web-service.loadBalancer.healthCheck]
|
||||
path = "/health"
|
||||
port = "3903"
|
||||
#interval = "15s"
|
||||
#timeout = "2s"
|
||||
|
||||
[[http.services.garage-s3-service.loadBalancer.servers]]
|
||||
url = "http://xxx.xxx.xxx.xxx"
|
||||
port = 3900
|
||||
[[http.services.garage-s3-service.loadBalancer.servers]]
|
||||
url = "http://yyy.yyy.yyy.yyy"
|
||||
port = 3900
|
||||
[[http.services.garage-s3-service.loadBalancer.servers]]
|
||||
url = "http://zzz.zzz.zzz.zzz"
|
||||
port = 3900
|
||||
|
||||
[[http.services.garage-web-service.loadBalancer.servers]]
|
||||
url = "http://xxx.xxx.xxx.xxx"
|
||||
port = 3902
|
||||
[[http.services.garage-web-service.loadBalancer.servers]]
|
||||
url = "http://yyy.yyy.yyy.yyy"
|
||||
port = 3902
|
||||
[[http.services.garage-web-service.loadBalancer.servers]]
|
||||
url = "http://zzz.zzz.zzz.zzz"
|
||||
port = 3902
|
||||
|
||||
[http.middlewares]
|
||||
[http.middlewares.compression.compress]
|
||||
```
|
||||
|
||||
## Caddy
|
||||
|
||||
Your Caddy configuration can be as simple as:
|
||||
|
||||
```caddy
|
||||
s3.garage.tld, *.s3.garage.tld {
|
||||
reverse_proxy localhost:3900 192.168.1.2:3900 example.tld:3900 {
|
||||
health_uri /health
|
||||
health_port 3903
|
||||
#health_interval 15s
|
||||
#health_timeout 5s
|
||||
}
|
||||
}
|
||||
|
||||
*.web.garage.tld {
|
||||
reverse_proxy localhost:3902 192.168.1.2:3902 example.tld:3902 {
|
||||
health_uri /health
|
||||
health_port 3903
|
||||
#health_interval 15s
|
||||
#health_timeout 5s
|
||||
}
|
||||
}
|
||||
|
||||
admin.garage.tld {
|
||||
reverse_proxy localhost:3903 {
|
||||
health_uri /health
|
||||
health_port 3903
|
||||
#health_interval 15s
|
||||
#health_timeout 5s
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
But at the same time, the `reverse_proxy` is very flexible.
|
||||
For a production deployment, you should [read its documentation](https://caddyserver.com/docs/caddyfile/directives/reverse_proxy) as it supports features like DNS discovery of upstreams, load balancing with checks, streaming parameters, etc.
|
||||
|
||||
### Caching
|
||||
|
||||
Caddy can compiled with a
|
||||
[cache plugin](https://github.com/caddyserver/cache-handler) which can be used
|
||||
to provide a hot-cache at the webserver-level for static websites hosted by
|
||||
Garage.
|
||||
|
||||
This can be configured as follows:
|
||||
|
||||
```caddy
|
||||
# Caddy global configuration section
|
||||
{
|
||||
# Bare minimum configuration to enable cache.
|
||||
order cache before rewrite
|
||||
|
||||
cache
|
||||
|
||||
#cache
|
||||
# allowed_http_verbs GET
|
||||
# default_cache_control public
|
||||
# ttl 8h
|
||||
#}
|
||||
}
|
||||
|
||||
# Site specific section
|
||||
https:// {
|
||||
cache
|
||||
|
||||
#cache {
|
||||
# timeout {
|
||||
# backend 30s
|
||||
# }
|
||||
#}
|
||||
|
||||
reverse_proxy ...
|
||||
}
|
||||
```
|
||||
|
||||
Caching is a complicated subject, and the reader is encouraged to study the
|
||||
available options provided by the plugin.
|
||||
|
||||
### On-demand TLS
|
||||
|
||||
Caddy supports a technique called
|
||||
[on-demand TLS](https://caddyserver.com/docs/automatic-https#on-demand-tls), by
|
||||
which one can configure the webserver to provision TLS certificates when a
|
||||
client first connects to it.
|
||||
|
||||
In order to prevent an attack vector whereby domains are simply pointed at your
|
||||
webserver and certificates are requested for them - Caddy can be configured to
|
||||
ask Garage if a domain is authorized for web hosting, before it then requests
|
||||
a TLS certificate.
|
||||
|
||||
This 'check' endpoint, which is on the admin port (3903 by default), can be
|
||||
configured in Caddy's global section as follows:
|
||||
|
||||
```caddy
|
||||
{
|
||||
...
|
||||
on_demand_tls {
|
||||
ask http://localhost:3903/check
|
||||
interval 2m
|
||||
burst 5
|
||||
}
|
||||
...
|
||||
}
|
||||
```
|
||||
|
||||
The host section can then be configured with (note that this uses the web
|
||||
endpoint instead):
|
||||
|
||||
```caddy
|
||||
# For a specific set of subdomains
|
||||
*.web.garage.tld {
|
||||
tls {
|
||||
on_demand
|
||||
}
|
||||
|
||||
reverse_proxy localhost:3902 192.168.1.2:3902 example.tld:3902
|
||||
}
|
||||
|
||||
# Accept all domains on HTTPS
|
||||
# Never configure this without global section above
|
||||
https:// {
|
||||
tls {
|
||||
on_demand
|
||||
}
|
||||
|
||||
reverse_proxy localhost:3902 192.168.1.2:3902 example.tld:3902
|
||||
}
|
||||
```
|
||||
|
||||
More information on how this endpoint is implemented in Garage is available
|
||||
in the [Admin API Reference](@/documentation/reference-manual/admin-api.md) page.
|
||||
|
||||
### Fileserver browser
|
||||
|
||||
Caddy's built-in
|
||||
[file_server](https://caddyserver.com/docs/caddyfile/directives/file_server)
|
||||
browser functionality can be extended with the
|
||||
[caddy-fs-s3](https://github.com/sagikazarmark/caddy-fs-s3) module.
|
||||
|
||||
This can be configured to use Garage as a backend with the following
|
||||
configuration:
|
||||
|
||||
```caddy
|
||||
browse.garage.tld {
|
||||
file_server {
|
||||
fs s3 {
|
||||
bucket test-bucket
|
||||
region garage
|
||||
|
||||
endpoint https://s3.garage.tld
|
||||
use_path_style
|
||||
}
|
||||
|
||||
browse
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
Caddy must also be configured with the required `AWS_ACCESS_KEY_ID` and
|
||||
`AWS_SECRET_ACCESS_KEY` environment variables to access the bucket.
|
|
@ -1,66 +0,0 @@
|
|||
+++
|
||||
title = "Starting Garage with systemd"
|
||||
weight = 15
|
||||
+++
|
||||
|
||||
We make some assumptions for this systemd deployment.
|
||||
|
||||
- Your garage binary is located at `/usr/local/bin/garage`.
|
||||
|
||||
- Your configuration file is located at `/etc/garage.toml`.
|
||||
|
||||
- Your `garage.toml` must be set with `metadata_dir=/var/lib/garage/meta` and `data_dir=/var/lib/garage/data`. This is mandatory to use `systemd` hardening feature [Dynamic User](https://0pointer.net/blog/dynamic-users-with-systemd.html). Note that in your host filesystem, Garage data will be held in `/var/lib/private/garage`.
|
||||
|
||||
|
||||
|
||||
Create a file named `/etc/systemd/system/garage.service`:
|
||||
|
||||
```toml
|
||||
[Unit]
|
||||
Description=Garage Data Store
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Environment='RUST_LOG=garage=info' 'RUST_BACKTRACE=1'
|
||||
ExecStart=/usr/local/bin/garage server
|
||||
StateDirectory=garage
|
||||
DynamicUser=true
|
||||
ProtectHome=true
|
||||
NoNewPrivileges=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
```
|
||||
|
||||
**A note on hardening:** Garage will be run as a non privileged user, its user
|
||||
id is dynamically allocated by systemd (set with `DynamicUser=true`). It cannot
|
||||
access (read or write) home folders (`/home`, `/root` and `/run/user`), the
|
||||
rest of the filesystem can only be read but not written, only the path seen as
|
||||
`/var/lib/garage` is writable as seen by the service. Additionnaly, the process
|
||||
can not gain new privileges over time.
|
||||
|
||||
For this to work correctly, your `garage.toml` must be set with
|
||||
`metadata_dir=/var/lib/garage/meta` and `data_dir=/var/lib/garage/data`. This
|
||||
is mandatory to use the DynamicUser hardening feature of systemd, which
|
||||
autocreates these directories as virtual mapping. If the directory
|
||||
`/var/lib/garage` already exists before starting the server for the first time,
|
||||
the systemd service might not start correctly. Note that in your host
|
||||
filesystem, Garage data will be held in `/var/lib/private/garage`.
|
||||
|
||||
To start the service then automatically enable it at boot:
|
||||
|
||||
```bash
|
||||
sudo systemctl start garage
|
||||
sudo systemctl enable garage
|
||||
```
|
||||
|
||||
To see if the service is running and to browse its logs:
|
||||
|
||||
```bash
|
||||
sudo systemctl status garage
|
||||
sudo journalctl -u garage
|
||||
```
|
||||
|
||||
If you want to modify the service file, do not forget to run `systemctl daemon-reload`
|
||||
to inform `systemd` of your modifications.
|
|
@ -1,35 +0,0 @@
|
|||
+++
|
||||
title = "Design"
|
||||
weight = 70
|
||||
sort_by = "weight"
|
||||
template = "documentation.html"
|
||||
+++
|
||||
|
||||
The design section helps you to see Garage from a "big picture"
|
||||
perspective. It will allow you to understand if Garage is a good fit for
|
||||
you, how to better use it, how to contribute to it, what can Garage could
|
||||
and could not do, etc.
|
||||
|
||||
- **[Goals and use cases](@/documentation/design/goals.md):** This page explains why Garage was concieved and what practical use cases it targets.
|
||||
|
||||
- **[Related work](@/documentation/design/related-work.md):** This pages presents the theoretical background on which Garage is built, and describes other software storage solutions and why they didn't work for us.
|
||||
|
||||
- **[Internals](@/documentation/design/internals.md):** This page enters into more details on how Garage manages data internally.
|
||||
|
||||
## Talks
|
||||
|
||||
We love to talk and hear about Garage, that's why we keep a log here:
|
||||
|
||||
- [(en, 2023-01-18) Presentation of Garage with some details on CRDTs and data partitioning among nodes](https://git.deuxfleurs.fr/Deuxfleurs/garage/src/commit/4cff37397f626ef063dad29e5b5e97ab1206015d/doc/talks/2023-01-18-tocatta/talk.pdf)
|
||||
|
||||
- [(fr, 2022-11-19) De l'auto-hébergement à l'entre-hébergement : Garage, pour conserver ses données ensemble](https://git.deuxfleurs.fr/Deuxfleurs/garage/src/commit/4cff37397f626ef063dad29e5b5e97ab1206015d/doc/talks/2022-11-19-Capitole-du-Libre/pr%C3%A9sentation.pdf)
|
||||
|
||||
- [(en, 2022-06-23) General presentation of Garage](https://git.deuxfleurs.fr/Deuxfleurs/garage/src/commit/4cff37397f626ef063dad29e5b5e97ab1206015d/doc/talks/2022-06-23-stack/talk.pdf)
|
||||
|
||||
- [(fr, 2021-11-13, video) Garage : Mille et une façons de stocker vos données](https://video.tedomum.net/w/moYKcv198dyMrT8hCS5jz9) and [slides (html)](https://rfid.deuxfleurs.fr/presentations/2021-11-13/garage/) - during [RFID#1](https://rfid.deuxfleurs.fr/programme/2021-11-13/) event
|
||||
|
||||
- [(en, 2021-04-28) Distributed object storage is centralised](https://git.deuxfleurs.fr/Deuxfleurs/garage/src/commit/b1f60579a13d3c5eba7f74b1775c84639ea9b51a/doc/talks/2021-04-28_spirals-team/talk.pdf)
|
||||
|
||||
- [(fr, 2020-12-02) Garage : jouer dans la cour des grands quand on est un hébergeur associatif](https://git.deuxfleurs.fr/Deuxfleurs/garage/src/commit/b1f60579a13d3c5eba7f74b1775c84639ea9b51a/doc/talks/2020-12-02_wide-team/talk.pdf)
|
||||
|
||||
|
Before Width: | Height: | Size: 129 KiB |
Before Width: | Height: | Size: 124 KiB |
|
@ -1,84 +0,0 @@
|
|||
+++
|
||||
title = "Benchmarks"
|
||||
weight = 40
|
||||
+++
|
||||
|
||||
With Garage, we wanted to build a software defined storage service that follow the [KISS principle](https://en.wikipedia.org/wiki/KISS_principle),
|
||||
that is suitable for geo-distributed deployments and more generally that would work well for community hosting (like a Mastodon instance).
|
||||
|
||||
In our benchmarks, we aim to quantify how Garage performs on these goals compared to the other available solutions.
|
||||
|
||||
## Geo-distribution
|
||||
|
||||
The main challenge in a geo-distributed setup is latency between nodes of the cluster.
|
||||
The more a user request will require intra-cluster requests to complete, the more its latency will increase.
|
||||
This is especially true for sequential requests: requests that must wait the result of another request to be sent.
|
||||
We designed Garage without consensus algorithms (eg. Paxos or Raft) to minimize the number of sequential and parallel requests.
|
||||
|
||||
This serie of benchmarks quantifies the impact of this design choice.
|
||||
|
||||
### On a simple simulated network
|
||||
|
||||
We start with a controlled environment, all the instances are running on the same (powerful enough) machine.
|
||||
|
||||
To control the network latency, we simulate the network with [mknet](https://git.deuxfleurs.fr/trinity-1686a/mknet) (a tool we developped, based on `tc` and the linux network stack).
|
||||
To mesure S3 endpoints latency, we use our own tool [s3lat](https://git.deuxfleurs.fr/quentin/s3lat/) to observe only the intra-cluster latency and not some contention on the nodes (CPU, RAM, disk I/O, network bandwidth, etc.).
|
||||
Compared to other benchmark tools, S3Lat sends only one (small) request at the same time and measures its latency.
|
||||
We selected 5 standard endpoints that are often in the critical path: ListBuckets, ListObjects, GetObject, PutObject and RemoveObject.
|
||||
|
||||
In this first benchmark, we consider 5 instances that are located in a different place each. To simulate the distance, we configure mknet with a RTT between each node of 100 ms +/- 20 ms of jitter. We get the following graph, where the colored bars represent the mean latency while the error bars the minimum and maximum one:
|
||||
|
||||
![Comparison of endpoints latency for minio and garage](./endpoint-latency.png)
|
||||
|
||||
Compared to garage, minio latency drastically increases on 3 endpoints: GetObject, PutObject, RemoveObject.
|
||||
|
||||
We suppose that these requests on minio make transactions over Raft, involving 4 sequential requests: 1) sending the message to the leader, 2) having the leader dispatch it to the other nodes, 3) waiting for the confirmation of followers and finally 4) commiting it. With our current configuration, one Raft transaction will take around 400 ms. GetObject seems to correlate to 1 transaction while PutObject and RemoveObject seems to correlate to 2 or 3. Reviewing minio code would be required to confirm this hypothesis.
|
||||
|
||||
Conversely, garage uses an architecture similar to DynamoDB and never require global cluster coordination to answer a request.
|
||||
Instead, garage can always contact the right node in charge of the requested data, and can answer in as low as one request in the case of GetObject and PutObject. We also observed that Garage latency, while often lower to minio, is more dispersed: garage is still in beta and has not received any performance optimization yet.
|
||||
|
||||
As a conclusion, Garage performs well in such setup while minio will be hard to use, especially for interactive use cases.
|
||||
|
||||
### On a complex simulated network
|
||||
|
||||
This time we consider a more heterogeneous network with 6 servers spread in 3 datacenter, giving us 2 servers per datacenters.
|
||||
We consider that intra-DC communications are now very cheap with a latency of 0.5ms and without any jitter.
|
||||
The inter-DC remains costly with the same value as before (100ms +/- 20ms of jitter).
|
||||
We plot a similar graph as before:
|
||||
|
||||
![Comparison of endpoints latency for minio and garage with 6 nodes in 3 DC](./endpoint-latency-dc.png)
|
||||
|
||||
This new graph is very similar to the one before, neither minio or garage seems to benefit from this new topology, but they also do not suffer from it.
|
||||
|
||||
Considering garage, this is expected: nodes in the same DC are put in the same zone, and then data are spread on different zones for data resiliency and availaibility.
|
||||
Then, in the default mode, requesting data requires to query at least 2 zones to be sure that we have the most up to date information.
|
||||
These requests will involve at least one inter-DC communication.
|
||||
In other words, we prioritize data availability and synchronization over raw performances.
|
||||
|
||||
Minio's case is a bit different as by default a minio cluster is not location aware, so we can't explain its performances through location awareness.
|
||||
*We know that minio has a multi site mode but it is definitely not a first class citizen: data are asynchronously replicated from one minio cluster to another.*
|
||||
We suppose that, due to the consensus, for many of its requests minio will wait for a response of the majority of the server, also involving inter-DC communications.
|
||||
|
||||
As a conclusion, our new topology did not influence garage or minio performances, confirming that in presence of latency, garage is the best fit.
|
||||
|
||||
### On a real world deployment
|
||||
|
||||
*TODO*
|
||||
|
||||
|
||||
## Performance stability
|
||||
|
||||
A storage cluster will encounter different scenario over its life, many of them will not be predictable.
|
||||
In this context, we argue that, more than peak performances, we should seek predictable and stable performances to ensure data availability.
|
||||
|
||||
### Reference
|
||||
|
||||
*TODO*
|
||||
|
||||
### On a degraded cluster
|
||||
|
||||
*TODO*
|
||||
|
||||
### At scale
|
||||
|
||||
*TODO*
|
|
@ -1,52 +0,0 @@
|
|||
+++
|
||||
title = "Goals and use cases"
|
||||
weight = 10
|
||||
+++
|
||||
|
||||
## Goals and non-goals
|
||||
|
||||
Garage is a lightweight geo-distributed data store that implements the
|
||||
[Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/API/Welcome.html)
|
||||
object storage protocol. It enables applications to store large blobs such
|
||||
as pictures, video, images, documents, etc., in a redundant multi-node
|
||||
setting. S3 is versatile enough to also be used to publish a static
|
||||
website.
|
||||
|
||||
Garage is an opinionated object storage solution, we focus on the following **desirable properties**:
|
||||
|
||||
- **Internet enabled**: made for multi-sites (eg. datacenters, offices, households, etc.) interconnected through regular Internet connections.
|
||||
- **Self-contained & lightweight**: works everywhere and integrates well in existing environments to target [hyperconverged infrastructures](https://en.wikipedia.org/wiki/Hyper-converged_infrastructure).
|
||||
- **Highly resilient**: highly resilient to network failures, network latency, disk failures, sysadmin failures.
|
||||
- **Simple**: simple to understand, simple to operate, simple to debug.
|
||||
|
||||
We also noted that the pursuit of some other goals are detrimental to our initial goals.
|
||||
The following has been identified as **non-goals** (if these points matter to you, you should not use Garage):
|
||||
|
||||
- **Extreme performances**: high performances constrain a lot the design and the infrastructure; we seek performances through minimalism only.
|
||||
- **Feature extensiveness**: we do not plan to add additional features compared to the ones provided by the S3 API.
|
||||
- **Storage optimizations**: erasure coding or any other coding technique both increase the difficulty of placing data and synchronizing; we limit ourselves to duplication.
|
||||
- **POSIX/Filesystem compatibility**: we do not aim at being POSIX compatible or to emulate any kind of filesystem. Indeed, in a distributed environment, such synchronizations are translated in network messages that impose severe constraints on the deployment.
|
||||
|
||||
## Use-cases
|
||||
|
||||
*Are you also using Garage in your organization? [Open a PR](https://git.deuxfleurs.fr/Deuxfleurs/garage) to add your use case here!*
|
||||
|
||||
### Deuxfleurs
|
||||
|
||||
[Deuxfleurs](https://deuxfleurs.fr) is an experimental non-profit hosting
|
||||
organization that develops Garage. Deuxfleurs is focused on building highly
|
||||
available infrastructure through redundancy in multiple geographical
|
||||
locations. They use Garage themselves for the following tasks:
|
||||
|
||||
- Hosting of [main website](https://deuxfleurs.fr), [this website](https://garagehq.deuxfleurs.fr), as well as the personal website of many of the members of the organization
|
||||
|
||||
- As a [Matrix media backend](https://github.com/matrix-org/synapse-s3-storage-provider)
|
||||
|
||||
- As a Nix binary cache
|
||||
|
||||
- To store personal data and shared documents through [Bagage](https://git.deuxfleurs.fr/Deuxfleurs/bagage), a homegrown WebDav-to-S3 and SFTP-to-S3 proxy
|
||||
|
||||
- As a backup target using `rclone` and `restic`
|
||||
|
||||
The Deuxfleurs Garage cluster is a multi-site cluster currently composed of
|
||||
9 nodes in 3 physical locations.
|
|
@ -1,144 +0,0 @@
|
|||
+++
|
||||
title = "Internals"
|
||||
weight = 20
|
||||
+++
|
||||
|
||||
## Overview
|
||||
|
||||
TODO: write this section
|
||||
|
||||
- The Dynamo ring (see [this paper](https://dl.acm.org/doi/abs/10.1145/1323293.1294281) and [that paper](https://www.usenix.org/conference/nsdi16/technical-sessions/presentation/eisenbud))
|
||||
|
||||
- CRDTs (see [this paper](https://link.springer.com/chapter/10.1007/978-3-642-24550-3_29))
|
||||
|
||||
- Consistency model of Garage tables
|
||||
|
||||
In the meantime, you can find some information at the following links:
|
||||
|
||||
- [this presentation (in French)](https://git.deuxfleurs.fr/Deuxfleurs/garage/src/branch/main/doc/talks/2020-12-02_wide-team/talk.pdf)
|
||||
|
||||
- [an old design draft](@/documentation/working-documents/design-draft.md)
|
||||
|
||||
|
||||
## Request routing logic
|
||||
|
||||
Data retrieval requests to Garage endpoints (S3 API and websites) are resolved
|
||||
to an individual object in a bucket. Since objects are replicated to multiple nodes
|
||||
Garage must ensure consistency before answering the request.
|
||||
|
||||
### Using quorum to ensure consistency
|
||||
|
||||
Garage ensures consistency by attempting to establish a quorum with the
|
||||
data nodes responsible for the object. When a majority of the data nodes
|
||||
have provided metadata on a object Garage can then answer the request.
|
||||
|
||||
When a request arrives Garage will, assuming the recommended 3 replicas, perform the following actions:
|
||||
|
||||
- Make a request to the two preferred nodes for object metadata
|
||||
- Try the third node if one of the two initial requests fail
|
||||
- Check that the metadata from at least 2 nodes match
|
||||
- Check that the object hasn't been marked deleted
|
||||
- Answer the request with inline data from metadata if object is small enough
|
||||
- Or get data blocks from the preferred nodes and answer using the assembled object
|
||||
|
||||
Garage dynamically determines which nodes to query based on health, preference, and
|
||||
which nodes actually host a given data. Garage has no concept of "primary" so any
|
||||
healthy node with the data can be used as long as a quorum is reached for the metadata.
|
||||
|
||||
### Node health
|
||||
|
||||
Garage keeps a TCP session open to each node in the cluster and periodically pings them. If a connection
|
||||
cannot be established, or a node fails to answer a number of pings, the target node is marked as failed.
|
||||
Failed nodes are not used for quorum or other internal requests.
|
||||
|
||||
### Node preference
|
||||
|
||||
Garage prioritizes which nodes to query according to a few criteria:
|
||||
|
||||
- A node always prefers itself if it can answer the request
|
||||
- Then the node prioritizes nodes in the same zone
|
||||
- Finally the nodes with the lowest latency are prioritized
|
||||
|
||||
|
||||
For further reading on the cluster structure look at the [gateway](@/documentation/cookbook/gateways.md)
|
||||
and [cluster layout management](@/documentation/operations/layout.md) pages.
|
||||
|
||||
## Garbage collection
|
||||
|
||||
A faulty garbage collection procedure has been the cause of
|
||||
[critical bug #39](https://git.deuxfleurs.fr/Deuxfleurs/garage/issues/39).
|
||||
This precise bug was fixed in the code, however there are potentially more
|
||||
general issues with the garbage collector being too eager and deleting things
|
||||
too early. This has been the subject of
|
||||
[PR #135](https://git.deuxfleurs.fr/Deuxfleurs/garage/pulls/135).
|
||||
This section summarizes the discussions on this topic.
|
||||
|
||||
Rationale: we want to ensure Garage's safety by making sure things don't get
|
||||
deleted from disk if they are still needed. Two aspects are involved in this.
|
||||
|
||||
### 1. Garbage collection of table entries (in `meta/` directory)
|
||||
|
||||
The `Entry` trait used for table entries (defined in `tables/schema.rs`)
|
||||
defines a function `is_tombstone()` that returns `true` if that entry
|
||||
represents an entry that is deleted in the table. CRDT semantics by default
|
||||
keep all tombstones, because they are necessary for reconciliation: if node A
|
||||
has a tombstone that supersedes a value `x`, and node B has value `x`, A has to
|
||||
keep the tombstone in memory so that the value `x` can be properly deleted at
|
||||
node `B`. Otherwise, due to the CRDT reconciliation rule, the value `x` from B
|
||||
would flow back to A and a deleted item would reappear in the system.
|
||||
|
||||
Here, we have some control on the nodes involved in storing Garage data.
|
||||
Therefore we have a garbage collector that is able to delete tombstones UNDER
|
||||
CERTAIN CONDITIONS. This garbage collector is implemented in `table/gc.rs`. To
|
||||
delete a tombstone, the following condition has to be met:
|
||||
|
||||
- All nodes responsible for storing this entry are aware of the existence of
|
||||
the tombstone, i.e. they cannot hold another version of the entry that is
|
||||
superseeded by the tombstone. This ensures that deleting the tombstone is
|
||||
safe and that no deleted value will come back in the system.
|
||||
|
||||
Garage uses atomic database operations (such as compare-and-swap and
|
||||
transactions) to ensure that only tombstones that have been correctly
|
||||
propagated to other nodes are ever deleted from the local entry tree.
|
||||
|
||||
This GC is safe in the following sense: no non-tombstone data is ever deleted
|
||||
from Garage tables.
|
||||
|
||||
**However**, there is an issue with the way this interacts with data
|
||||
rebalancing in the case when a partition is moving between nodes. If a node has
|
||||
some data of a partition for which it is not responsible, it has to offload it.
|
||||
However that offload process takes some time. In that interval, the GC does not
|
||||
check with that node if it has the tombstone before deleting the tombstone, so
|
||||
perhaps it doesn't have it and when the offload finally happens, old data comes
|
||||
back in the system.
|
||||
|
||||
**PR 135 mostly fixes this** by implementing a 24-hour delay before anything is
|
||||
garbage collected in a table. This works under the assumption that rebalances
|
||||
that follow data shuffling terminate in less than 24 hours.
|
||||
|
||||
**However**, in distributed systems, it is generally considered a bad practice
|
||||
to make assumptions that information propagates in a certain time interval:
|
||||
this consists in making a synchrony assumption, meaning that we are basically
|
||||
assuming a computing model that has much stronger properties than otherwise. To
|
||||
maximize the applicability of Garage, we would like to remove this assumption,
|
||||
and implement a system where time does not play a role. To do this, we would
|
||||
need to find a way to safely disable the GC when data is being shuffled around,
|
||||
and safely detect that the shuffling has terminated and thus the GC can be
|
||||
resumed. This introduces some complexity to the protocol and hasn't been
|
||||
tackled yet.
|
||||
|
||||
### 2. Garbage collection of data blocks (in `data/` directory)
|
||||
|
||||
Blocks in the data directory are reference-counted. In Garage versions before
|
||||
PR #135, blocks could get deleted from local disk as soon as their reference
|
||||
counter reached zero. We had a mechanism to not trigger this immediately at the
|
||||
rc-reaches-zero event, but the cleanup could be triggered by other means (for
|
||||
example by a block repair operation...). PR #135 added a safety measure so that
|
||||
blocks never get deleted in a 10 minute interval following the time when the RC
|
||||
reaches zero. This is a measure to make impossible race conditions such as #39.
|
||||
We would have liked to use a larger delay (e.g. 24 hours), but in the case of a
|
||||
rebalance of data, this would have led to the disk utilization to explode
|
||||
during the rebalancing, only to shrink again after 24 hours. The 10-minute
|
||||
delay is a compromise that gives good security while not having this problem of
|
||||
disk space explosion on rebalance.
|
||||
|
|
@ -1,19 +0,0 @@
|
|||
+++
|
||||
title = "Development"
|
||||
weight = 80
|
||||
sort_by = "weight"
|
||||
template = "documentation.html"
|
||||
+++
|
||||
|
||||
Now that you are a Garage expert, you want to enhance it, you are in the right place!
|
||||
We discuss here how to hack on Garage, how we manage its development, etc.
|
||||
|
||||
## Rust API (docs.rs)
|
||||
If you encounter a specific bug in Garage or plan to patch it, you may jump directly to the source code's documentation!
|
||||
|
||||
- [garage\_api](https://docs.rs/garage_api/latest/garage_api/) - contains the S3 standard API endpoint
|
||||
- [garage\_model](https://docs.rs/garage_model/latest/garage_model/) - contains Garage's model built on the table abstraction
|
||||
- [garage\_rpc](https://docs.rs/garage_rpc/latest/garage_rpc/) - contains Garage's federation protocol
|
||||
- [garage\_table](https://docs.rs/garage_table/latest/garage_table/) - contains core Garage's CRDT datatypes
|
||||
- [garage\_util](https://docs.rs/garage_util/latest/garage_util/) - contains garage helpers
|
||||
- [garage\_web](https://docs.rs/garage_web/latest/garage_web/) - contains the S3 website endpoint
|
|
@ -1,148 +0,0 @@
|
|||
+++
|
||||
title = "Setup your environment"
|
||||
weight = 5
|
||||
+++
|
||||
|
||||
Depending on your tastes, you can bootstrap your development environment in a traditional Rust way or through Nix.
|
||||
|
||||
## The Nix way
|
||||
|
||||
Nix is a generic package manager we use to precisely define our development environment.
|
||||
Instructions on how to install it are given on their [Download page](https://nixos.org/download.html).
|
||||
|
||||
Check that your installation is working by running the following commands:
|
||||
|
||||
```
|
||||
nix-shell --version
|
||||
nix-build --version
|
||||
nix-env --version
|
||||
```
|
||||
|
||||
Now, you can clone our git repository (run `nix-env -iA git` if you do not have git yet):
|
||||
|
||||
```bash
|
||||
git clone https://git.deuxfleurs.fr/Deuxfleurs/garage
|
||||
cd garage
|
||||
```
|
||||
|
||||
*Optionally, you can use our nix.conf file to speed up compilations:*
|
||||
|
||||
```bash
|
||||
sudo mkdir -p /etc/nix
|
||||
sudo cp nix/nix.conf /etc/nix/nix.conf
|
||||
sudo killall nix-daemon
|
||||
```
|
||||
|
||||
Now you can enter our nix-shell, all the required packages will be downloaded but they will not pollute your environment outside of the shell:
|
||||
|
||||
```bash
|
||||
nix-shell
|
||||
```
|
||||
|
||||
You can use the traditional Rust development workflow:
|
||||
|
||||
```bash
|
||||
cargo build # compile the project
|
||||
cargo run # execute the project
|
||||
cargo test # run the tests
|
||||
cargo fmt # format the project, run it before any commit!
|
||||
cargo clippy # run the linter, run it before any commit!
|
||||
```
|
||||
|
||||
You can build the project with Nix by running:
|
||||
|
||||
```bash
|
||||
nix-build
|
||||
```
|
||||
|
||||
You can parallelize the build (if you use our nix.conf file, it is already automatically done).
|
||||
To use all your cores when building a derivation use `-j`, and to build multiple derivations at once use `--max-jobs`.
|
||||
The special value `auto` will be replaced by the number of cores of your computer.
|
||||
An example:
|
||||
|
||||
```bash
|
||||
nix-build -j $(nproc) --max-jobs auto
|
||||
```
|
||||
|
||||
Our build has multiple parameters you might want to set:
|
||||
- `release` build with release optimisations instead of debug
|
||||
- `target allows` for cross compilation
|
||||
- `compileMode` can be set to test or bench to build a unit test runner
|
||||
- `git_version` to inject the hash to display when running `garage stats`
|
||||
|
||||
An example:
|
||||
|
||||
```bash
|
||||
nix-build \
|
||||
--arg release true \
|
||||
--argstr target x86_64-unknown-linux-musl \
|
||||
--argstr compileMode build \
|
||||
--git_version $(git rev-parse HEAD)
|
||||
```
|
||||
|
||||
*The result is located in `result/bin`. You can pass arguments to cross compile: check `.woodpecker/release.yml` for examples.*
|
||||
|
||||
If you modify a `Cargo.toml` or regenerate any `Cargo.lock`, you must run `cargo2nix`:
|
||||
|
||||
```
|
||||
cargo2nix -f
|
||||
```
|
||||
|
||||
Many tools like rclone, `mc` (minio-client), or `aws` (awscliv2) will be available in your environment and will be useful to test Garage.
|
||||
|
||||
**This is the recommended method.**
|
||||
|
||||
## The Rust way
|
||||
|
||||
You need a Rust distribution installed on your computer.
|
||||
The most simple way is to install it from [rustup](https://rustup.rs).
|
||||
Please avoid using your package manager to install Rust as some tools might be outdated or missing.
|
||||
|
||||
Now, check your Rust distribution works by running the following commands:
|
||||
|
||||
```bash
|
||||
rustc --version
|
||||
cargo --version
|
||||
rustfmt --version
|
||||
clippy-driver --version
|
||||
```
|
||||
|
||||
Now, you need to clone our git repository ([how to install git](https://git-scm.com/downloads)):
|
||||
|
||||
```bash
|
||||
git clone https://git.deuxfleurs.fr/Deuxfleurs/garage
|
||||
cd garage
|
||||
```
|
||||
|
||||
You can now use the following commands:
|
||||
|
||||
```bash
|
||||
cargo build # compile the project
|
||||
cargo run # execute the project
|
||||
cargo test # run the tests
|
||||
cargo fmt # format the project, run it before any commit!
|
||||
cargo clippy # run the linter, run it before any commit!
|
||||
```
|
||||
|
||||
This is specific to our project, but you will need one last tool, `cargo2nix`.
|
||||
To install it, run:
|
||||
|
||||
```bash
|
||||
cargo install --git https://github.com/superboum/cargo2nix --branch main cargo2nix
|
||||
```
|
||||
|
||||
You must use it every time you modify a `Cargo.toml` or regenerate a `Cargo.lock` file as follow:
|
||||
|
||||
```bash
|
||||
cargo build # Rebuild Cargo.lock if needed
|
||||
cargo2nix -f
|
||||
```
|
||||
|
||||
It will output a `Cargo.nix` file which is a specific `Cargo.lock` file dedicated to Nix that is required by our CI
|
||||
which means you must include it in your commits.
|
||||
|
||||
Later, to use our scripts and integration tests, you might need additional tools.
|
||||
These tools are listed at the end of the `shell.nix` package in the `nativeBuildInputs` part.
|
||||
It is up to you to find a way to install the ones you need on your computer.
|
||||
|
||||
**A global drawback of this method is that it is up to you to adapt your environment to the one defined in the Nix files.**
|
|
@ -1,99 +0,0 @@
|
|||
+++
|
||||
title = "Miscellaneous notes"
|
||||
weight = 20
|
||||
+++
|
||||
|
||||
## Quirks about cargo2nix/rust in Nix
|
||||
|
||||
If you use submodules in your crate (like `crdt` and `replication` in `garage_table`), you must list them in `default.nix`
|
||||
|
||||
The Windows target does not work. it might be solvable through [overrides](https://github.com/cargo2nix/cargo2nix/blob/master/overlay/overrides.nix). Indeed, we pass `x86_64-pc-windows-gnu` but mingw need `x86_64-w64-mingw32`
|
||||
|
||||
We have a simple [PR on cargo2nix](https://github.com/cargo2nix/cargo2nix/pull/201) that fixes critical bugs but the project does not seem very active currently. We must use [my patched version of cargo2nix](https://github.com/superboum/cargo2nix) to enable i686 and armv6l compilation. We might need to contribute to cargo2nix in the future.
|
||||
|
||||
|
||||
## Nix
|
||||
|
||||
Nix has no armv7 + musl toolchains but armv7l is backward compatible with armv6l.
|
||||
|
||||
```bash
|
||||
cat > $HOME/.awsrc <<EOF
|
||||
export AWS_ACCESS_KEY_ID="xxx"
|
||||
export AWS_SECRET_ACCESS_KEY="xxx"
|
||||
EOF
|
||||
|
||||
# source each time you want to send on the cache
|
||||
source ~/.awsrc
|
||||
|
||||
# copy garage build dependencies (and not only the output)
|
||||
nix-build
|
||||
nix-store -qR --include-outputs $(nix-instantiate default.nix)
|
||||
| xargs nix copy --to 's3://nix?endpoint=garage.deuxfleurs.fr®ion=garage'
|
||||
|
||||
# copy shell dependencies
|
||||
nix-build shell.nix -A inputDerivation
|
||||
nix copy $(nix-store -qR result/) --to 's3://nix?endpoint=garage.deuxfleurs.fr®ion=garage'
|
||||
```
|
||||
|
||||
More example of nix-copy
|
||||
|
||||
```
|
||||
# nix-build produces a result/ symlink
|
||||
nix copy result/ --to 's3://nix?endpoint=garage.deuxfleurs.fr®ion=garage'
|
||||
|
||||
# alternative ways to use nix copy
|
||||
nix copy nixpkgs.garage --to ...
|
||||
nix copy /nix/store/3rbb9qsc2w6xl5xccz5ncfhy33nzv3dp-crate-garage-0.3.0 --to ...
|
||||
```
|
||||
|
||||
|
||||
Clear the cache:
|
||||
|
||||
```bash
|
||||
mc rm --recursive --force garage/nix/
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
A desirable `nix.conf` for a consumer:
|
||||
|
||||
```toml
|
||||
substituters = https://cache.nixos.org https://nix.web.deuxfleurs.fr
|
||||
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix.web.deuxfleurs.fr:eTGL6kvaQn6cDR/F9lDYUIP9nCVR/kkshYfLDJf1yKs=
|
||||
```
|
||||
|
||||
And now, whenever you run a command like:
|
||||
|
||||
```
|
||||
nix-shell
|
||||
nix-build
|
||||
```
|
||||
|
||||
Our cache will be checked.
|
||||
|
||||
### Some references about Nix
|
||||
|
||||
|
||||
- https://doc.rust-lang.org/nightly/rustc/platform-support.html
|
||||
- https://nix.dev/tutorials/cross-compilation
|
||||
- https://nixos.org/manual/nix/unstable/package-management/s3-substituter.html
|
||||
- https://fzakaria.com/2020/09/28/nix-copy-closure-your-nix-shell.html
|
||||
- http://www.lpenz.org/articles/nixchannel/index.html
|
||||
|
||||
|
||||
## Woodpecker
|
||||
|
||||
Woodpecker can do parallelism both at the step and the pipeline level. At the step level, parallelism is restricted to the same runner.
|
||||
|
||||
## Building Docker containers
|
||||
|
||||
We were:
|
||||
- Unable to use the official Docker plugin because
|
||||
- it requires to mount docker socket in the container but it is not recommended
|
||||
- you cant set the platform when building
|
||||
- Unable to use buildah because it needs `CLONE_USERNS` capability
|
||||
- Unable to use the kaniko plugin for Drone as we can't set the target platform
|
||||
- Unable to use the kaniko container provided by Google as we can't run arbitrary logic: we need to put our secret in .docker/config.json.
|
||||
|
||||
Finally we chose to build kaniko through nix and use it in a `nix-shell`.
|
||||
We then switched to using kaniko from nixpkgs when it was packaged.
|
|
@ -1,178 +0,0 @@
|
|||
+++
|
||||
title = "Release process"
|
||||
weight = 15
|
||||
+++
|
||||
|
||||
Before releasing a new version of Garage, our code pass through a succession of checks and transformations.
|
||||
We define them as our release process.
|
||||
|
||||
## Trigger and classify a release
|
||||
|
||||
While we run some tests on every commits, we do not make a release for all of them.
|
||||
|
||||
A release can be triggered manually by "promoting" a successful build.
|
||||
Otherwise, every night, a release build is triggered on the `main` branch.
|
||||
|
||||
If the build is from a tag following the regex: `v[0-9]+\.[0-9]+\.[0-9]+`, it will be listed as stable.
|
||||
If it is a tag but with a different format, it will be listed as Extra.
|
||||
Otherwise, if it is a commit, it will be listed as development.
|
||||
This logic is defined in `nix/build_index.nix`.
|
||||
|
||||
## Testing
|
||||
|
||||
For each commit, we first pass the code to a formatter (rustfmt) and a linter (clippy).
|
||||
Then we try to build it in debug mode and run both unit tests and our integration tests.
|
||||
|
||||
Additionnaly, when releasing, our integration tests are run on the release build for amd64 and i686.
|
||||
|
||||
## Generated Artifacts
|
||||
|
||||
We generate the following binary artifacts for now:
|
||||
- **architecture**: amd64, i686, aarch64, armv6
|
||||
- **os**: linux
|
||||
- **format**: static binary, docker container
|
||||
|
||||
Additionnaly we also build two web pages and one JSON document:
|
||||
- the documentation (this website)
|
||||
- [the release page](https://garagehq.deuxfleurs.fr/_releases.html)
|
||||
- [the release list in JSON format](https://garagehq.deuxfleurs.fr/_releases.json)
|
||||
|
||||
We publish the static binaries on our own garage cluster (you can access them through the releases page)
|
||||
and the docker containers on Docker Hub.
|
||||
|
||||
## Automation
|
||||
|
||||
We automated our release process with Nix and Woodpecker to make it more reliable.
|
||||
Here we describe how we have done in case you want to debug or improve it.
|
||||
|
||||
### Caching build steps
|
||||
|
||||
To speed up the CI, we use the caching feature provided by Nix.
|
||||
|
||||
You can benefit from it by using our provided `nix.conf` as recommended or by simply adding the following lines to your file:
|
||||
|
||||
```toml
|
||||
substituters = https://cache.nixos.org https://nix.web.deuxfleurs.fr
|
||||
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix.web.deuxfleurs.fr:eTGL6kvaQn6cDR/F9lDYUIP9nCVR/kkshYfLDJf1yKs=
|
||||
```
|
||||
|
||||
Sending to the cache is done through `nix copy`, for example:
|
||||
|
||||
```bash
|
||||
nix copy --to 's3://nix?endpoint=garage.deuxfleurs.fr®ion=garage&secret-key=/etc/nix/signing-key.sec' result
|
||||
```
|
||||
|
||||
*The signing key possessed by the Garage maintainers is required to update the Nix cache.*
|
||||
|
||||
The previous command will only send the built package and not its dependencies.
|
||||
In the case of our CI pipeline, we want to cache all intermediate build steps
|
||||
as well. This can be done using this quite involved command (here as an example
|
||||
for the `pkgs.amd64.relase` package):
|
||||
|
||||
```bash
|
||||
nix copy -j8 \
|
||||
--to 's3://nix?endpoint=garage.deuxfleurs.fr®ion=garage&secret-key=/etc/nix/nix-signing-key.sec' \
|
||||
$(nix path-info pkgs.amd64.release --file default.nix --derivation --recursive | sed 's/\.drv$/.drv^*/')
|
||||
```
|
||||
|
||||
This command will simultaneously build all of the required Nix paths (using at
|
||||
most 8 parallel Nix builder jobs) and send the resulting objects to the cache.
|
||||
|
||||
This can be run for all the Garage packages we build using the following command:
|
||||
|
||||
```
|
||||
source ~/.awsrc
|
||||
nix-shell --attr cache --run 'refresh_cache'
|
||||
```
|
||||
|
||||
We don't automate this step at each CI build, as *there is currently no automatic garbage collection of the cache.*
|
||||
This means we should also monitor the cache's size; if it ever becomes too big we can erase it with:
|
||||
|
||||
```
|
||||
mc rm --recursive --force 'garage/nix/'
|
||||
```
|
||||
|
||||
### Publishing Garage
|
||||
|
||||
We defined our publishing logic in Nix, mostly as shell hooks.
|
||||
You can inspect them in `shell.nix` to see exactly how.
|
||||
Here, we will give a quick explanation on how to use them to manually publish a release.
|
||||
|
||||
Supposing you just have built garage as follow:
|
||||
|
||||
```bash
|
||||
nix-build --arg release true
|
||||
```
|
||||
|
||||
To publish a static binary in `result/bin` on garagehq, run:
|
||||
|
||||
```bash
|
||||
export AWS_ACCESS_KEY_ID=xxx
|
||||
export AWS_SECRET_ACCESS_KEY=xxx
|
||||
export DRONE_TAG=handcrafted-1.0.0 # or DRONE_COMMIT
|
||||
export TARGET=x86_64-unknown-linux-musl
|
||||
|
||||
nix-shell --run to_s3
|
||||
```
|
||||
|
||||
To create and publish a docker container, run:
|
||||
|
||||
```bash
|
||||
export DOCKER_AUTH='{ "auths": { "https://index.docker.io/v1/": { "auth": "xxxx" }}}'
|
||||
export DOCKER_PLATFORM='linux/amd64' # check GOARCH and GOOS from golang.org
|
||||
export CONTAINER_NAME='me/amd64_garage'
|
||||
export CONTAINER_TAG='handcrafted-1.0.0'
|
||||
|
||||
nix-shell --run to_docker
|
||||
```
|
||||
|
||||
To rebuild the release page, run:
|
||||
```bash
|
||||
export AWS_ACCESS_KEY_ID=xxx
|
||||
export AWS_SECRET_ACCESS_KEY=xxx
|
||||
|
||||
nix-shell --run refresh_index
|
||||
```
|
||||
|
||||
If you want to compile for different architectures, you will need to repeat all these commands for each architecture.
|
||||
|
||||
**In practice, and except for debugging, you will never directly run these commands. Release is handled by Woodpecker.**
|
||||
|
||||
### Drone (obsolete)
|
||||
|
||||
Our instance is available at [https://drone.deuxfleurs.fr](https://drone.deuxfleurs.fr).
|
||||
You need an account on [https://git.deuxfleurs.fr](https://git.deuxfleurs.fr) to use it.
|
||||
|
||||
**Drone CLI** - Drone has a CLI tool to interact with.
|
||||
It can be downloaded from its Github [release page](https://github.com/drone/drone-cli/releases).
|
||||
|
||||
To communicate with our instance, you must setup some environment variables.
|
||||
You can get them from your [Account Settings](https://drone.deuxfleurs.fr/account).
|
||||
|
||||
To make drone easier to use, you could create a `~/.dronerc` that you could source each time you want to use it.
|
||||
|
||||
```
|
||||
export DRONE_SERVER=https://drone.deuxfleurs.fr
|
||||
export DRONE_TOKEN=xxx
|
||||
drone info
|
||||
```
|
||||
|
||||
The CLI tool is very self-discoverable, just append `--help` to each subcommands.
|
||||
Start with:
|
||||
|
||||
```bash
|
||||
drone --help
|
||||
```
|
||||
|
||||
**.drone.yml** - The builds steps are defined in `.drone.yml`.
|
||||
You can not edit this file without resigning it.
|
||||
|
||||
To sign it, you must be a maintainer and then run:
|
||||
|
||||
```bash
|
||||
drone sign --save Deuxfleurs/garage
|
||||
```
|
||||
|
||||
Looking at the file, you will see that most of the commands are `nix-shell` and `nix-build` commands with various parameters.
|
||||
|
||||
|
|
@ -1,116 +0,0 @@
|
|||
+++
|
||||
title = "Development scripts"
|
||||
weight = 10
|
||||
+++
|
||||
|
||||
We maintain a `script/` folder that contains some useful script to ease testing on Garage.
|
||||
|
||||
A fully integrated script, `test-smoke.sh`, runs some basic tests on various tools such as minio client, awscli and rclone.
|
||||
To run it, enter a `nix-shell` (or install all required tools) and simply run:
|
||||
|
||||
```bash
|
||||
nix-build # or cargo build
|
||||
./script/test-smoke.sh
|
||||
```
|
||||
|
||||
If something fails, you can find useful logs in `/tmp/garage.log`.
|
||||
You can inspect the generated configuration and local data created by inspecting your `/tmp` directory:
|
||||
the script creates files and folder prefixed with the name "garage".
|
||||
|
||||
## Bootstrapping a test cluster
|
||||
|
||||
Under the hood `test-smoke.sh` uses multiple helpers scripts you can also run in case you want to manually test Garage.
|
||||
In this section, we introduce 3 scripts to quickly bootstrap a full test cluster with 3 instances.
|
||||
|
||||
### 1. Start each daemon
|
||||
|
||||
```bash
|
||||
./script/dev-cluster.sh
|
||||
```
|
||||
|
||||
This script spawns 3 Garage instances with 3 configuration files.
|
||||
You can inspect the detailed configuration, including ports, by inspecting `/tmp/config.1` (change 1 by the instance number you want).
|
||||
|
||||
This script also spawns a simple HTTPS reverse proxy through `socat` for the S3 endpoint that listens on port `4443`.
|
||||
Some libraries might require a TLS endpoint to work, refer to our issue [#64](https://git.deuxfleurs.fr/Deuxfleurs/garage/issues/64) for more detailed information on this subject.
|
||||
|
||||
This script covers the [Launching the garage server](@/documentation/quick-start/_index.md#launching-the-garage-server) section of our Quick start page.
|
||||
|
||||
### 2. Make them join the cluster
|
||||
|
||||
```bash
|
||||
./script/dev-configure.sh
|
||||
```
|
||||
|
||||
This script will configure each instance by assigning them a zone (`dc1`) and a weight (`1`).
|
||||
|
||||
This script covers the [Creating a cluster layout](@/documentation/quick-start/_index.md#creating-a-cluster-layout) section of our Quick start page.
|
||||
|
||||
### 3. Create a key and a bucket
|
||||
|
||||
```bash
|
||||
./script/dev-bucket.sh
|
||||
```
|
||||
|
||||
This script will create a bucket named `eprouvette` with a key having read and write rights on this bucket.
|
||||
The key is stored in a filed named `/tmp/garage.s3` and can be used by the following tools to pre-configure them.
|
||||
|
||||
This script covers the [Creating buckets and keys](@/documentation/quick-start/_index.md#creating-buckets-and-keys) section of our Quick start page.
|
||||
|
||||
## Handlers for generic tools
|
||||
|
||||
We provide wrappers for some CLI tools that configure themselves for your development cluster.
|
||||
They are meant to save you some configuration time as to use them, you are only required to source the right file.
|
||||
|
||||
### awscli
|
||||
|
||||
```bash
|
||||
source ./script/dev-env-aws.sh
|
||||
|
||||
# some examples
|
||||
aws s3 ls s3://eprouvette
|
||||
aws s3 cp /proc/cpuinfo s3://eprouvette/cpuinfo.txt
|
||||
```
|
||||
|
||||
### minio-client
|
||||
|
||||
|
||||
```bash
|
||||
source ./script/dev-env-mc.sh
|
||||
|
||||
# some examples
|
||||
mc ls garage/
|
||||
mc cp /proc/cpuinfo garage/eprouvette/cpuinfo.txt
|
||||
```
|
||||
|
||||
### rclone
|
||||
|
||||
```bash
|
||||
source ./script/dev-env-rclone.sh
|
||||
|
||||
# some examples
|
||||
rclone lsd garage:
|
||||
rclone copy /proc/cpuinfo garage:eprouvette/cpuinfo.txt
|
||||
```
|
||||
|
||||
### s3cmd
|
||||
|
||||
```bash
|
||||
source ./script/dev-env-s3cmd.sh
|
||||
|
||||
# some examples
|
||||
s3cmd ls
|
||||
s3cmd put /proc/cpuinfo s3://eprouvette/cpuinfo.txt
|
||||
```
|
||||
|
||||
### duck
|
||||
|
||||
*Warning! Duck is not yet provided by nix-shell.*
|
||||
|
||||
```bash
|
||||
source ./script/dev-env-duck.sh
|
||||
|
||||
# some examples
|
||||
duck --list garage:/
|
||||
duck --upload garage:/eprouvette/ /proc/cpuinfo
|
||||
```
|
|
@ -1,23 +0,0 @@
|
|||
+++
|
||||
title = "Operations & Maintenance"
|
||||
weight = 50
|
||||
sort_by = "weight"
|
||||
template = "documentation.html"
|
||||
+++
|
||||
|
||||
This section contains a number of important information on how to best operate a Garage cluster,
|
||||
to ensure integrity and availability of your data:
|
||||
|
||||
- **[Upgrading Garage](@/documentation/operations/upgrading.md):** General instructions on how to
|
||||
upgrade your cluster from one version to the next. Instructions specific for each version upgrade
|
||||
can bef ound in the [working documents](@/documentation/working-documents/_index.md) section.
|
||||
|
||||
- **[Layout management](@/documentation/operations/layout.md):** Best practices for using the `garage layout`
|
||||
commands when adding or removing nodes from your cluster.
|
||||
|
||||
- **[Durability and repairs](@/documentation/operations/durability-repairs.md):** How to check for small things
|
||||
that might be going wrong, and how to recover from such failures.
|
||||
|
||||
- **[Recovering from failures](@/documentation/operations/recovering.md):** Garage's first selling point is resilience
|
||||
to hardware failures. This section explains how to recover from such a failure in the
|
||||
best possible way.
|
|
@ -1,147 +0,0 @@
|
|||
+++
|
||||
title = "Durability & Repairs"
|
||||
weight = 30
|
||||
+++
|
||||
|
||||
To ensure the best durability of your data and to fix any inconsistencies that may
|
||||
pop up in a distributed system, Garage provides a series of repair operations.
|
||||
This guide will explain the meaning of each of them and when they should be applied.
|
||||
|
||||
|
||||
# General syntax of repair operations
|
||||
|
||||
Repair operations described below are of the form `garage repair <repair_name>`.
|
||||
These repairs will not launch without the `--yes` flag, which should
|
||||
be added as follows: `garage repair --yes <repair_name>`.
|
||||
By default these repair procedures will only run on the Garage node your CLI is
|
||||
connecting to. To run on all nodes, add the `-a` flag as follows:
|
||||
`garage repair -a --yes <repair_name>`.
|
||||
|
||||
# Data block operations
|
||||
|
||||
## Data store scrub {#scrub}
|
||||
|
||||
Scrubbing the data store means examining each individual data block to check that
|
||||
their content is correct, by verifying their hash. Any block found to be corrupted
|
||||
(e.g. by bitrot or by an accidental manipulation of the datastore) will be
|
||||
restored from another node that holds a valid copy.
|
||||
|
||||
Scrubs are automatically scheduled by Garage to run every 25-35 days (the
|
||||
actual time is randomized to spread load across nodes). The next scheduled run
|
||||
can be viewed with `garage worker get`.
|
||||
|
||||
A scrub can also be launched manually using `garage repair scrub start`.
|
||||
|
||||
To view the status of an ongoing scrub, first find the task ID of the scrub worker
|
||||
using `garage worker list`. Then, run `garage worker info <scrub_task_id>` to
|
||||
view detailed runtime statistics of the scrub. To gather cluster-wide information,
|
||||
this command has to be run on each individual node.
|
||||
|
||||
A scrub is a very disk-intensive operation that might slow down your cluster.
|
||||
You may pause an ongoing scrub using `garage repair scrub pause`, but note that
|
||||
the scrub will resume automatically 24 hours later as Garage will not let your
|
||||
cluster run without a regular scrub. If the scrub procedure is too intensive
|
||||
for your servers and is slowing down your workload, the recommended solution
|
||||
is to increase the "scrub tranquility" using `garage repair scrub set-tranquility`.
|
||||
A higher tranquility value will make Garage take longer pauses between two block
|
||||
verifications. Of course, scrubbing the entire data store will also take longer.
|
||||
|
||||
## Block check and resync
|
||||
|
||||
In some cases, nodes hold a reference to a block but do not actually have the block
|
||||
stored on disk. Conversely, they may also have on-disk blocks that are not referenced
|
||||
any more. To fix both cases, a block repair may be run with `garage repair blocks`.
|
||||
This will scan the entire block reference counter table to check that the blocks
|
||||
exist on disk, and will scan the entire disk store to check that stored blocks
|
||||
are referenced.
|
||||
|
||||
It is recommended to run this procedure when changing your cluster layout,
|
||||
after the metadata tables have finished synchronizing between nodes
|
||||
(usually a few hours after `garage layout apply`).
|
||||
|
||||
## Inspecting lost blocks
|
||||
|
||||
In extremely rare situations, data blocks may be unavailable from the entire cluster.
|
||||
This means that even using `garage repair blocks`, some nodes may be unable
|
||||
to fetch data blocks for which they hold a reference.
|
||||
|
||||
These errors are stored on each node in a list of "block resync errors", i.e.
|
||||
blocks for which the last resync operation failed.
|
||||
This list can be inspected using `garage block list-errors`.
|
||||
These errors usually fall into one of the following categories:
|
||||
|
||||
1. a block is still referenced but the object was deleted, this is a case
|
||||
of metadata reference inconsistency (see below for the fix)
|
||||
2. a block is referenced by a non-deleted object, but could not be fetched due
|
||||
to a transient error such as a network failure
|
||||
3. a block is referenced by a non-deleted object, but could not be fetched due
|
||||
to a permanent error such as there not being any valid copy of the block on the
|
||||
entire cluster
|
||||
|
||||
To help make the difference between cases 1 and cases 2 and 3, you may use the
|
||||
`garage block info` command to see which objects hold a reference to each block.
|
||||
|
||||
In the second case (transient errors), Garage will try to fetch the block again
|
||||
after a certain time, so the error should disappear naturally. You can also
|
||||
request Garage to try to fetch the block immediately using `garage block retry-now`
|
||||
if you have fixed the transient issue.
|
||||
|
||||
If you are confident that you are in the third scenario and that your data block
|
||||
is definitely lost, then there is no other choice than to declare your S3 objects
|
||||
as unrecoverable, and to delete them properly from the data store. This can be done
|
||||
using the `garage block purge` command.
|
||||
|
||||
## Rebalancing data directories
|
||||
|
||||
In [multi-HDD setups](@/documentation/operations/multi-hdd.md), to ensure that
|
||||
data blocks are well balanced between storage locations, you may run a
|
||||
rebalance operation using `garage repair rebalance`. This is useful when
|
||||
adding storage locations or when capacities of the storage locations have been
|
||||
changed. Once this is finished, Garage will know for each block of a single
|
||||
possible location where it can be, which can increase access speed. This
|
||||
operation will also move out all data from locations marked as read-only.
|
||||
|
||||
|
||||
# Metadata operations
|
||||
|
||||
## Metadata snapshotting
|
||||
|
||||
It is good practice to setup automatic snapshotting of your metadata database
|
||||
file, to recover from situations where it becomes corrupted on disk. This can
|
||||
be done at the filesystem level if you are using ZFS or BTRFS.
|
||||
|
||||
Since Garage v0.9.4, Garage is able to take snapshots of the metadata database
|
||||
itself. This basically amounts to copying the database file, except that it can
|
||||
be run live while Garage is running without the risk of corruption or
|
||||
inconsistencies. This can be setup to run automatically on a schedule using
|
||||
[`metadata_auto_snapshot_interval`](@/documentation/reference-manual/configuration.md#metadata_auto_snapshot_interval).
|
||||
A snapshot can also be triggered manually using the `garage meta snapshot`
|
||||
command. Note that taking a snapshot using this method is very intensive as it
|
||||
requires making a full copy of the database file, so you might prefer using
|
||||
filesystem-level snapshots if possible. To recover a corrupted node from such a
|
||||
snapshot, read the instructions
|
||||
[here](@/documentation/operations/recovering.md#corrupted_meta).
|
||||
|
||||
## Metadata table resync
|
||||
|
||||
Garage automatically resyncs all entries stored in the metadata tables every hour,
|
||||
to ensure that all nodes have the most up-to-date version of all the information
|
||||
they should be holding.
|
||||
The resync procedure is based on a Merkle tree that allows to efficiently find
|
||||
differences between nodes.
|
||||
|
||||
In some special cases, e.g. before an upgrade, you might want to run a table
|
||||
resync manually. This can be done using `garage repair tables`.
|
||||
|
||||
## Metadata table reference fixes
|
||||
|
||||
In some very rare cases where nodes are unavailable, some references between objects
|
||||
are broken. For instance, if an object is deleted, the underlying versions or data
|
||||
blocks may still be held by Garage. If you suspect that such corruption has occurred
|
||||
in your cluster, you can run one of the following repair procedures:
|
||||
|
||||
- `garage repair versions`: checks that all versions belong to a non-deleted object, and purges any orphan version
|
||||
|
||||
- `garage repair block-refs`: checks that all block references belong to a non-deleted object version, and purges any orphan block reference (this will then allow the blocks to be garbage-collected)
|
||||
|
||||
- `garage repair block-rc`: checks that the reference counters for blocks are in sync with the actual number of non-deleted entries in the block reference table
|
|
@ -1,274 +0,0 @@
|
|||
+++
|
||||
title = "Cluster layout management"
|
||||
weight = 20
|
||||
+++
|
||||
|
||||
The cluster layout in Garage is a table that assigns to each node a role in
|
||||
the cluster. The role of a node in Garage can either be a storage node with
|
||||
a certain capacity, or a gateway node that does not store data and is only
|
||||
used as an API entry point for faster cluster access.
|
||||
An introduction to building cluster layouts can be found in the [production deployment](@/documentation/cookbook/real-world.md) page.
|
||||
|
||||
In Garage, all of the data that can be stored in a given cluster is divided
|
||||
into slices which we call *partitions*. Each partition is stored by
|
||||
one or several nodes in the cluster
|
||||
(see [`replication_factor`](@/documentation/reference-manual/configuration.md#replication_factor)).
|
||||
The layout determines the correspondence between these partitions,
|
||||
which exist on a logical level, and actual storage nodes.
|
||||
|
||||
## How cluster layouts work in Garage
|
||||
|
||||
A cluster layout is composed of the following components:
|
||||
|
||||
- a table of roles assigned to nodes, defined by the user
|
||||
- an optimal assignation of partitions to nodes, computed by an algorithm that is ran once when calling `garage layout apply` or the ApplyClusterLayout API endpoint
|
||||
- a version number
|
||||
|
||||
Garage nodes will always use the cluster layout with the highest version number.
|
||||
|
||||
Garage nodes also maintain and synchronize between them a set of proposed role
|
||||
changes that haven't yet been applied. These changes will be applied (or
|
||||
canceled) in the next version of the layout.
|
||||
|
||||
All operations on the layout can be realized using the `garage` CLI or using the
|
||||
[administration API endpoint](@/documentation/reference-manual/admin-api.md).
|
||||
We give here a description of CLI commands, the admin API semantics are very similar.
|
||||
|
||||
The following commands insert modifications to the set of proposed role changes
|
||||
for the next layout version (but they do not create the new layout immediately):
|
||||
|
||||
```bash
|
||||
garage layout assign [...]
|
||||
garage layout remove [...]
|
||||
```
|
||||
|
||||
The following command can be used to inspect the layout that is currently set in the cluster
|
||||
and the changes proposed for the next layout version, if any:
|
||||
|
||||
```bash
|
||||
garage layout show
|
||||
```
|
||||
|
||||
The following commands create a new layout with the specified version number,
|
||||
that either takes into account the proposed changes or cancels them:
|
||||
|
||||
```bash
|
||||
garage layout apply --version <new_version_number>
|
||||
garage layout revert --version <new_version_number>
|
||||
```
|
||||
|
||||
The version number of the new layout to create must be 1 + the version number
|
||||
of the previous layout that existed in the cluster. The `apply` and `revert`
|
||||
commands will fail otherwise.
|
||||
|
||||
## Warnings about Garage cluster layout management
|
||||
|
||||
**⚠️ Never make several calls to `garage layout apply` or `garage layout
|
||||
revert` with the same value of the `--version` flag. Doing so can lead to the
|
||||
creation of several different layouts with the same version number, in which
|
||||
case your Garage cluster will become inconsistent until fixed.** If a call to
|
||||
`garage layout apply` or `garage layout revert` has failed and `garage layout
|
||||
show` indicates that a new layout with the given version number has not been
|
||||
set in the cluster, then it is fine to call the command again with the same
|
||||
version number.
|
||||
|
||||
If you are using the `garage` CLI by typing individual commands in your
|
||||
shell, you shouldn't have much issues as long as you run commands one after
|
||||
the other and take care of checking the output of `garage layout show`
|
||||
before applying any changes.
|
||||
|
||||
If you are using the `garage` CLI or the admin API to script layout changes,
|
||||
follow the following recommendations:
|
||||
|
||||
- If using the CLI, make all of your `garage` CLI calls to the same RPC host.
|
||||
If using the admin API, make all of your API calls to the same Garage node. Do
|
||||
not connect to individual nodes to send them each a piece of the layout changes
|
||||
you are making, as the changes propagate asynchronously between nodes and might
|
||||
not all be taken into account at the time when the new layout is applied.
|
||||
|
||||
- **Only call `garage layout apply`/ApplyClusterLayout once**, and call it
|
||||
**strictly after** all of the `layout assign` and `layout remove`
|
||||
commands/UpdateClusterLayout API calls have returned.
|
||||
|
||||
|
||||
## Understanding unexpected layout calculations
|
||||
|
||||
When adding, removing or modifying nodes in a cluster layout, sometimes
|
||||
unexpected assignations of partitions to node can occur. These assignations
|
||||
are in fact normal and logical, given the objectives of the algorithm. Indeed,
|
||||
**the layout algorithm prioritizes moving less data between nodes over
|
||||
achieving equal distribution of load. It also tries to use all links between
|
||||
pairs of nodes in equal proportions when moving data.** This section presents
|
||||
two examples and illustrates how one can control Garage's behavior to obtain
|
||||
the desired results.
|
||||
|
||||
### Example 1
|
||||
|
||||
In this example, a cluster is originally composed of 3 nodes in 3 different
|
||||
zones (data centers). The three nodes are of equal capacity, therefore they
|
||||
are all fully exploited and all store a copy of all of the data in the cluster.
|
||||
|
||||
Then, a fourth node of the same size is added in the datacenter `dc1`.
|
||||
As illustrated by the following, **Garage will by default not store any data on the new node**:
|
||||
|
||||
```
|
||||
$ garage layout show
|
||||
==== CURRENT CLUSTER LAYOUT ====
|
||||
ID Tags Zone Capacity Usable capacity
|
||||
b10c110e4e854e5a node1 dc1 1000.0 MB 1000.0 MB (100.0%)
|
||||
a235ac7695e0c54d node2 dc2 1000.0 MB 1000.0 MB (100.0%)
|
||||
62b218d848e86a64 node3 dc3 1000.0 MB 1000.0 MB (100.0%)
|
||||
|
||||
Zone redundancy: maximum
|
||||
|
||||
Current cluster layout version: 6
|
||||
|
||||
==== STAGED ROLE CHANGES ====
|
||||
ID Tags Zone Capacity
|
||||
a11c7cf18af29737 node4 dc1 1000.0 MB
|
||||
|
||||
|
||||
==== NEW CLUSTER LAYOUT AFTER APPLYING CHANGES ====
|
||||
ID Tags Zone Capacity Usable capacity
|
||||
b10c110e4e854e5a node1 dc1 1000.0 MB 1000.0 MB (100.0%)
|
||||
a11c7cf18af29737 node4 dc1 1000.0 MB 0 B (0.0%)
|
||||
a235ac7695e0c54d node2 dc2 1000.0 MB 1000.0 MB (100.0%)
|
||||
62b218d848e86a64 node3 dc3 1000.0 MB 1000.0 MB (100.0%)
|
||||
|
||||
Zone redundancy: maximum
|
||||
|
||||
==== COMPUTATION OF A NEW PARTITION ASSIGNATION ====
|
||||
|
||||
Partitions are replicated 3 times on at least 3 distinct zones.
|
||||
|
||||
Optimal partition size: 3.9 MB (3.9 MB in previous layout)
|
||||
Usable capacity / total cluster capacity: 3.0 GB / 4.0 GB (75.0 %)
|
||||
Effective capacity (replication factor 3): 1000.0 MB
|
||||
|
||||
A total of 0 new copies of partitions need to be transferred.
|
||||
|
||||
dc1 Tags Partitions Capacity Usable capacity
|
||||
b10c110e4e854e5a node1 256 (0 new) 1000.0 MB 1000.0 MB (100.0%)
|
||||
a11c7cf18af29737 node4 0 (0 new) 1000.0 MB 0 B (0.0%)
|
||||
TOTAL 256 (256 unique) 2.0 GB 1000.0 MB (50.0%)
|
||||
|
||||
dc2 Tags Partitions Capacity Usable capacity
|
||||
a235ac7695e0c54d node2 256 (0 new) 1000.0 MB 1000.0 MB (100.0%)
|
||||
TOTAL 256 (256 unique) 1000.0 MB 1000.0 MB (100.0%)
|
||||
|
||||
dc3 Tags Partitions Capacity Usable capacity
|
||||
62b218d848e86a64 node3 256 (0 new) 1000.0 MB 1000.0 MB (100.0%)
|
||||
TOTAL 256 (256 unique) 1000.0 MB 1000.0 MB (100.0%)
|
||||
```
|
||||
|
||||
While unexpected, this is logical because of the following facts:
|
||||
|
||||
- storing some data on the new node does not help increase the total quantity
|
||||
of data that can be stored on the cluster, as the two other zones (`dc2` and
|
||||
`dc3`) still need to store a full copy of everything, and their capacity is
|
||||
still the same;
|
||||
|
||||
- there is therefore no need to move any data on the new node as this would be pointless;
|
||||
|
||||
- moving data to the new node has a cost which the algorithm decides to not pay if not necessary.
|
||||
|
||||
This distribution of data can however not be what the administrator wanted: if
|
||||
they added a new node to `dc1`, it might be because the existing node is too
|
||||
slow, and they wish to divide its load by half. In that case, what they need to
|
||||
do to force Garage to distribute the data between the two nodes is to attribute
|
||||
only half of the capacity to each node in `dc1` (in our example, 500M instead of 1G).
|
||||
In that case, Garage would determine that to be able to store 1G in total, it
|
||||
would need to store 500M on the old node and 500M on the added one.
|
||||
|
||||
|
||||
### Example 2
|
||||
|
||||
The following example is a slightly different scenario, where `dc1` had two
|
||||
nodes that were used at 50%, and `dc2` and `dc3` each have one node that is
|
||||
100% used. All node capacities are the same.
|
||||
|
||||
Then, a node from `dc1` is moved into `dc3`. One could expect that the roles of
|
||||
`dc1` and `dc3` would simply be swapped: the remaining node in `dc1` would be
|
||||
used at 100%, and the two nodes now in `dc3` would be used at 50%. Instead,
|
||||
this happens:
|
||||
|
||||
```
|
||||
==== CURRENT CLUSTER LAYOUT ====
|
||||
ID Tags Zone Capacity Usable capacity
|
||||
b10c110e4e854e5a node1 dc1 1000.0 MB 500.0 MB (50.0%)
|
||||
a11c7cf18af29737 node4 dc1 1000.0 MB 500.0 MB (50.0%)
|
||||
a235ac7695e0c54d node2 dc2 1000.0 MB 1000.0 MB (100.0%)
|
||||
62b218d848e86a64 node3 dc3 1000.0 MB 1000.0 MB (100.0%)
|
||||
|
||||
Zone redundancy: maximum
|
||||
|
||||
Current cluster layout version: 8
|
||||
|
||||
==== STAGED ROLE CHANGES ====
|
||||
ID Tags Zone Capacity
|
||||
a11c7cf18af29737 node4 dc3 1000.0 MB
|
||||
|
||||
|
||||
==== NEW CLUSTER LAYOUT AFTER APPLYING CHANGES ====
|
||||
ID Tags Zone Capacity Usable capacity
|
||||
b10c110e4e854e5a node1 dc1 1000.0 MB 1000.0 MB (100.0%)
|
||||
a235ac7695e0c54d node2 dc2 1000.0 MB 1000.0 MB (100.0%)
|
||||
62b218d848e86a64 node3 dc3 1000.0 MB 753.9 MB (75.4%)
|
||||
a11c7cf18af29737 node4 dc3 1000.0 MB 246.1 MB (24.6%)
|
||||
|
||||
Zone redundancy: maximum
|
||||
|
||||
==== COMPUTATION OF A NEW PARTITION ASSIGNATION ====
|
||||
|
||||
Partitions are replicated 3 times on at least 3 distinct zones.
|
||||
|
||||
Optimal partition size: 3.9 MB (3.9 MB in previous layout)
|
||||
Usable capacity / total cluster capacity: 3.0 GB / 4.0 GB (75.0 %)
|
||||
Effective capacity (replication factor 3): 1000.0 MB
|
||||
|
||||
A total of 128 new copies of partitions need to be transferred.
|
||||
|
||||
dc1 Tags Partitions Capacity Usable capacity
|
||||
b10c110e4e854e5a node1 256 (128 new) 1000.0 MB 1000.0 MB (100.0%)
|
||||
TOTAL 256 (256 unique) 1000.0 MB 1000.0 MB (100.0%)
|
||||
|
||||
dc2 Tags Partitions Capacity Usable capacity
|
||||
a235ac7695e0c54d node2 256 (0 new) 1000.0 MB 1000.0 MB (100.0%)
|
||||
TOTAL 256 (256 unique) 1000.0 MB 1000.0 MB (100.0%)
|
||||
|
||||
dc3 Tags Partitions Capacity Usable capacity
|
||||
62b218d848e86a64 node3 193 (0 new) 1000.0 MB 753.9 MB (75.4%)
|
||||
a11c7cf18af29737 node4 63 (0 new) 1000.0 MB 246.1 MB (24.6%)
|
||||
TOTAL 256 (256 unique) 2.0 GB 1000.0 MB (50.0%)
|
||||
```
|
||||
|
||||
As we can see, the node that was moved to `dc3` (node4) is only used at 25% (approximatively),
|
||||
whereas the node that was already in `dc3` (node3) is used at 75%.
|
||||
|
||||
This can be explained by the following:
|
||||
|
||||
- node1 will now be the only node remaining in `dc1`, thus it has to store all
|
||||
of the data in the cluster. Since it was storing only half of it before, it has
|
||||
to retrieve the other half from other nodes in the cluster.
|
||||
|
||||
- The data which it does not have is entirely stored by the other node that was
|
||||
in `dc1` and that is now in `dc3` (node4). There is also a copy of it on node2
|
||||
and node3 since both these nodes have a copy of everything.
|
||||
|
||||
- node3 and node4 are the two nodes that will now be in a datacenter that is
|
||||
under-utilized (`dc3`), this means that those are the two candidates from which
|
||||
data can be removed to be moved to node1.
|
||||
|
||||
- Garage will move data in equal proportions from all possible sources, in this
|
||||
case it means that it will tranfer 25% of the entire data set from node3 to
|
||||
node1 and another 25% from node4 to node1.
|
||||
|
||||
This explains why node3 ends with 75% utilization (100% from before minus 25%
|
||||
that is moved to node1), and node4 ends with 25% (50% from before minus 25%
|
||||
that is moved to node1).
|
||||
|
||||
This illustrates the second principle of the layout computation: **if there is
|
||||
a choice in moving data out of some nodes, then all links between pairs of
|
||||
nodes are used in equal proportions** (this is approximately true, there is
|
||||
randomness in the algorithm to achieve this so there might be some small
|
||||
fluctuations, as we see above).
|
|
@ -1,101 +0,0 @@
|
|||
+++
|
||||
title = "Multi-HDD support"
|
||||
weight = 15
|
||||
+++
|
||||
|
||||
|
||||
Since v0.9, Garage natively supports nodes that have several storage drives
|
||||
for storing data blocks (not for metadata storage).
|
||||
|
||||
## Initial setup
|
||||
|
||||
To set up a new Garage storage node with multiple HDDs,
|
||||
format and mount all your drives in different directories,
|
||||
and use a Garage configuration as follows:
|
||||
|
||||
```toml
|
||||
data_dir = [
|
||||
{ path = "/path/to/hdd1", capacity = "2T" },
|
||||
{ path = "/path/to/hdd2", capacity = "4T" },
|
||||
]
|
||||
```
|
||||
|
||||
Garage will automatically balance all blocks stored by the node
|
||||
among the different specified directories, proportionnally to the
|
||||
specified capacities.
|
||||
|
||||
## Updating the list of storage locations
|
||||
|
||||
If you add new storage locations to your `data_dir`,
|
||||
Garage will not rebalance existing data between storage locations.
|
||||
Newly written blocks will be balanced proportionnally to the specified capacities,
|
||||
and existing data may be moved between drives to improve balancing,
|
||||
but only opportunistically when a data block is re-written (e.g. an object
|
||||
is re-uploaded, or an object with a duplicate block is uploaded).
|
||||
|
||||
To understand precisely what is happening, we need to dive in to how Garage
|
||||
splits data among the different storage locations.
|
||||
|
||||
First of all, Garage divides the set of all possible block hashes
|
||||
in a fixed number of slices (currently 1024), and assigns
|
||||
to each slice a primary storage location among the specified data directories.
|
||||
The number of slices having their primary location in each data directory
|
||||
is proportionnal to the capacity specified in the config file.
|
||||
|
||||
When Garage receives a block to write, it will always write it in the primary
|
||||
directory of the slice that contains its hash.
|
||||
|
||||
Now, to be able to not lose existing data blocks when storage locations
|
||||
are added, Garage also keeps a list of secondary data directories
|
||||
for all of the hash slices. Secondary data directories for a slice indicates
|
||||
storage locations that once were primary directories for that slice, i.e. where
|
||||
Garage knows that data blocks of that slice might be stored.
|
||||
When Garage is requested to read a certain data block,
|
||||
it will first look in the primary storage directory of its slice,
|
||||
and if it doesn't find it there it goes through all of the secondary storage
|
||||
locations until it finds it. This allows Garage to continue operating
|
||||
normally when storage locations are added, without having to shuffle
|
||||
files between drives to place them in the correct location.
|
||||
|
||||
This relatively simple strategy works well but does not ensure that data
|
||||
is correctly balanced among drives according to their capacity.
|
||||
To rebalance data, two strategies can be used:
|
||||
|
||||
- Lazy rebalancing: when a block is re-written (e.g. the object is re-uploaded),
|
||||
Garage checks whether the existing copy is in the primary directory of the slice
|
||||
or in a secondary directory. If the current copy is in a secondary directory,
|
||||
Garage re-writes a copy in the primary directory and deletes the one from the
|
||||
secondary directory. This might never end up rebalancing everything if there
|
||||
are data blocks that are only read and never written.
|
||||
|
||||
- Active rebalancing: an operator of a Garage node can explicitly launch a repair
|
||||
procedure that rebalances the data directories, moving all blocks to their
|
||||
primary location. Once done, all secondary locations for all hash slices are
|
||||
removed so that they won't be checked anymore when looking for a data block.
|
||||
|
||||
## Read-only storage locations
|
||||
|
||||
If you would like to move all data blocks from an existing data directory to one
|
||||
or several new data directories, mark the old directory as read-only:
|
||||
|
||||
```toml
|
||||
data_dir = [
|
||||
{ path = "/path/to/old_data", read_only = true },
|
||||
{ path = "/path/to/new_hdd1", capacity = "2T" },
|
||||
{ path = "/path/to/new_hdd2", capacity = "4T" },
|
||||
]
|
||||
```
|
||||
|
||||
Garage will be able to read requested blocks from the read-only directory.
|
||||
Garage will also move data out of the read-only directory either progressively
|
||||
(lazy rebalancing) or if requested explicitly (active rebalancing).
|
||||
|
||||
Once an active rebalancing has finished, your read-only directory should be empty:
|
||||
it might still contain subdirectories, but no data files. You can check that
|
||||
it contains no files using:
|
||||
|
||||
```bash
|
||||
find -type f /path/to/old_data # should not print anything
|
||||
```
|
||||
|
||||
at which point it can be removed from the `data_dir` list in your config file.
|
|
@ -1,97 +0,0 @@
|
|||
+++
|
||||
title = "Upgrading Garage"
|
||||
weight = 10
|
||||
+++
|
||||
|
||||
Garage is a stateful clustered application, where all nodes are communicating together and share data structures.
|
||||
It makes upgrade more difficult than stateless applications so you must be more careful when upgrading.
|
||||
On a new version release, there is 2 possibilities:
|
||||
- protocols and data structures remained the same ➡️ this is a **minor upgrade**
|
||||
- protocols or data structures changed ➡️ this is a **major upgrade**
|
||||
|
||||
You can quickly know what type of update you will have to operate by looking at the version identifier:
|
||||
when we require our users to do a major upgrade, we will always bump the first nonzero component of the version identifier
|
||||
(e.g. from v0.7.2 to v0.8.0).
|
||||
Conversely, for versions that only require a minor upgrade, the first nonzero component will always stay the same (e.g. from v0.8.0 to v0.8.1).
|
||||
|
||||
Major upgrades are designed to be run only between contiguous versions.
|
||||
Example: migrations from v0.7.1 to v0.8.0 and from v0.7.0 to v0.8.2 are supported but migrations from v0.6.0 to v0.8.0 are not supported.
|
||||
|
||||
The `garage_build_info`
|
||||
[Prometheus metric](@/documentation/reference-manual/monitoring.md) provides
|
||||
an overview for which Garage versions are currently in use within a cluster.
|
||||
|
||||
## Minor upgrades
|
||||
|
||||
Minor upgrades do not imply cluster downtime.
|
||||
Before upgrading, you should still read [the changelog](https://git.deuxfleurs.fr/Deuxfleurs/garage/releases) and ideally test your deployment on a staging cluster before.
|
||||
|
||||
When you are ready, start by checking the health of your cluster.
|
||||
You can force some checks with `garage repair`, we recommend at least running `garage repair --all-nodes --yes tables` which is very quick to run (less than a minute).
|
||||
You will see that the command correctly terminated in the logs of your daemon, or using `garage worker list` (the repair workers should be in the `Done` state).
|
||||
|
||||
Finally, you can simply upgrade nodes one by one.
|
||||
For each node: stop it, install the new binary, edit the configuration if needed, restart it.
|
||||
|
||||
## Major upgrades
|
||||
|
||||
Major upgrades can be done with minimal downtime with a bit of preparation, but the simplest way is usually to put the cluster offline for the duration of the migration.
|
||||
Before upgrading, you must read [the changelog](https://git.deuxfleurs.fr/Deuxfleurs/garage/releases) and you must test your deployment on a staging cluster before.
|
||||
|
||||
We write guides for each major upgrade, they are stored under the "Working Documents" section of this documentation.
|
||||
|
||||
### Major upgrades with full downtime
|
||||
|
||||
From a high level perspective, a major upgrade looks like this:
|
||||
|
||||
1. Disable API access (for instance in your reverse proxy, or by commenting the corresponding section in your Garage configuration file and restarting Garage)
|
||||
2. Check that your cluster is idle
|
||||
3. Make sure the health of your cluster is good (see `garage repair`)
|
||||
4. Stop the whole cluster
|
||||
5. Back up the metadata folder of all your nodes, so that you will be able to restore it if the upgrade fails (data blocks being immutable, they should not be impacted)
|
||||
6. Install the new binary, update the configuration
|
||||
7. Start the whole cluster
|
||||
8. If needed, run the corresponding migration from `garage migrate`
|
||||
9. Make sure the health of your cluster is good
|
||||
10. Enable API access (reverse step 1)
|
||||
11. Monitor your cluster while load comes back, check that all your applications are happy with this new version
|
||||
|
||||
### Major upgarades with minimal downtime
|
||||
|
||||
There is only one operation that has to be coordinated cluster-wide: the switch of one version of the internal RPC protocol to the next.
|
||||
This means that an upgrade with very limited downtime can simply be performed from one major version to the next by restarting all nodes
|
||||
simultaneously in the new version.
|
||||
The downtime will simply be the time required for all nodes to stop and start again, which should be less than a minute.
|
||||
If all nodes fail to stop and restart simultaneously, some nodes might be temporarily shut out from the cluster as nodes using different RPC protocol
|
||||
versions are prevented to talk to one another.
|
||||
|
||||
The entire procedure would look something like this:
|
||||
|
||||
1. Make sure the health of your cluster is good (see `garage repair`)
|
||||
|
||||
2. Take each node offline individually to back up its metadata folder, bring them back online once the backup is done.
|
||||
You can do all of the nodes in a single zone at once as that won't impact global cluster availability.
|
||||
Do not try to make a backup of the metadata folder of a running node.
|
||||
|
||||
**Since Garage v0.9.4,** you can use the `garage meta snapshot --all` command
|
||||
to take a simultaneous snapshot of the metadata database files of all your
|
||||
nodes. This avoids the tedious process of having to take them down one by
|
||||
one before upgrading. Be careful that if automatic snapshotting is enabled,
|
||||
Garage only keeps the last two snapshots and deletes older ones, so you might
|
||||
want to disable automatic snapshotting in your upgraded configuration file
|
||||
until you have confirmed that the upgrade ran successfully. In addition to
|
||||
snapshotting the metadata databases of your nodes, you should back-up at
|
||||
least the `cluster_layout` file of one of your Garage instances (this file
|
||||
should be the same on all nodes and you can copy it safely while Garage is
|
||||
running).
|
||||
|
||||
3. Prepare your binaries and configuration files for the new Garage version
|
||||
|
||||
4. Restart all nodes simultaneously in the new version
|
||||
|
||||
5. If any specific migration procedure is required, it is usually in one of the two cases:
|
||||
|
||||
- It can be run on online nodes after the new version has started, during regular cluster operation.
|
||||
- it has to be run offline, in which case you will have to again take all nodes offline one after the other to run the repair
|
||||
|
||||
For this last step, please refer to the specific documentation pertaining to the version upgrade you are doing.
|
|
@ -1,327 +0,0 @@
|
|||
+++
|
||||
title = "Quick Start"
|
||||
weight = 10
|
||||
sort_by = "weight"
|
||||
template = "documentation.html"
|
||||
+++
|
||||
|
||||
Let's start your Garage journey!
|
||||
In this chapter, we explain how to deploy Garage as a single-node server
|
||||
and how to interact with it.
|
||||
|
||||
## What is Garage?
|
||||
|
||||
Before jumping in, you might be interested in reading the following pages:
|
||||
|
||||
- [Goals and use cases](@/documentation/design/goals.md)
|
||||
- [List of features](@/documentation/reference-manual/features.md)
|
||||
|
||||
## Scope of this tutorial
|
||||
|
||||
Our goal is to introduce you to Garage's workflows.
|
||||
Following this guide is recommended before moving on to
|
||||
[configuring a multi-node cluster](@/documentation/cookbook/real-world.md).
|
||||
|
||||
Note that this kind of deployment should not be used in production,
|
||||
as it provides no redundancy for your data!
|
||||
|
||||
## Get a binary
|
||||
|
||||
Download the latest Garage binary from the release pages on our repository:
|
||||
|
||||
<https://garagehq.deuxfleurs.fr/download/>
|
||||
|
||||
Place this binary somewhere in your `$PATH` so that you can invoke the `garage`
|
||||
command directly (for instance you can copy the binary in `/usr/local/bin`
|
||||
or in `~/.local/bin`).
|
||||
|
||||
You may also check whether your distribution already includes a
|
||||
[binary package for Garage](@/documentation/cookbook/binary-packages.md).
|
||||
|
||||
If a binary of the last version is not available for your architecture,
|
||||
or if you want a build customized for your system,
|
||||
you can [build Garage from source](@/documentation/cookbook/from-source.md).
|
||||
|
||||
|
||||
## Configuring and starting Garage
|
||||
|
||||
### Generating a first configuration file
|
||||
|
||||
This first configuration file should allow you to get started easily with the simplest
|
||||
possible Garage deployment.
|
||||
|
||||
We will create it with the following command line
|
||||
to generate unique and private secrets for security reasons:
|
||||
|
||||
```bash
|
||||
cat > garage.toml <<EOF
|
||||
metadata_dir = "/tmp/meta"
|
||||
data_dir = "/tmp/data"
|
||||
db_engine = "sqlite"
|
||||
|
||||
replication_factor = 1
|
||||
|
||||
rpc_bind_addr = "[::]:3901"
|
||||
rpc_public_addr = "127.0.0.1:3901"
|
||||
rpc_secret = "$(openssl rand -hex 32)"
|
||||
|
||||
[s3_api]
|
||||
s3_region = "garage"
|
||||
api_bind_addr = "[::]:3900"
|
||||
root_domain = ".s3.garage.localhost"
|
||||
|
||||
[s3_web]
|
||||
bind_addr = "[::]:3902"
|
||||
root_domain = ".web.garage.localhost"
|
||||
index = "index.html"
|
||||
|
||||
[k2v_api]
|
||||
api_bind_addr = "[::]:3904"
|
||||
|
||||
[admin]
|
||||
api_bind_addr = "[::]:3903"
|
||||
admin_token = "$(openssl rand -base64 32)"
|
||||
metrics_token = "$(openssl rand -base64 32)"
|
||||
EOF
|
||||
```
|
||||
|
||||
Now that your configuration file has been created, you may save it to the directory of your choice.
|
||||
By default, Garage looks for **`/etc/garage.toml`.**
|
||||
You can also store it somewhere else, but you will have to specify `-c path/to/garage.toml`
|
||||
at each invocation of the `garage` binary (for example: `garage -c ./garage.toml server`, `garage -c ./garage.toml status`).
|
||||
|
||||
As you can see, the `rpc_secret` is a 32 bytes hexadecimal string.
|
||||
You can regenerate it with `openssl rand -hex 32`.
|
||||
If you target a cluster deployment with multiple nodes, make sure that
|
||||
you use the same value for all nodes.
|
||||
|
||||
As you can see in the `metadata_dir` and `data_dir` parameters, we are saving Garage's data
|
||||
in `/tmp` which gets erased when your system reboots. This means that data stored on this
|
||||
Garage server will not be persistent. Change these to locations on your local disk if you want
|
||||
your data to be persisted properly.
|
||||
|
||||
|
||||
### Launching the Garage server
|
||||
|
||||
Use the following command to launch the Garage server:
|
||||
|
||||
```
|
||||
garage -c path/to/garage.toml server
|
||||
```
|
||||
|
||||
If you have placed the `garage.toml` file in `/etc` (its default location), you can simply run `garage server`.
|
||||
|
||||
You can tune Garage's verbosity by setting the `RUST_LOG=` environment variable. \
|
||||
Available log levels are (from less verbose to more verbose): `error`, `warn`, `info` *(default)*, `debug` and `trace`.
|
||||
|
||||
```bash
|
||||
RUST_LOG=garage=info garage server # default
|
||||
RUST_LOG=garage=debug garage server
|
||||
RUST_LOG=garage=trace garage server
|
||||
```
|
||||
|
||||
Log level `info` is the default value and is recommended for most use cases.
|
||||
Log level `debug` can help you check why your S3 API calls are not working.
|
||||
|
||||
|
||||
### Checking that Garage runs correctly
|
||||
|
||||
The `garage` utility is also used as a CLI tool to configure your Garage deployment.
|
||||
It uses values from the TOML configuration file to find the Garage daemon running on the
|
||||
local node, therefore if your configuration file is not at `/etc/garage.toml` you will
|
||||
again have to specify `-c path/to/garage.toml` at each invocation.
|
||||
|
||||
If the `garage` CLI is able to correctly detect the parameters of your local Garage node,
|
||||
the following command should be enough to show the status of your cluster:
|
||||
|
||||
```
|
||||
garage status
|
||||
```
|
||||
|
||||
This should show something like this:
|
||||
|
||||
```
|
||||
==== HEALTHY NODES ====
|
||||
ID Hostname Address Tag Zone Capacity
|
||||
563e1ac825ee3323 linuxbox 127.0.0.1:3901 NO ROLE ASSIGNED
|
||||
```
|
||||
|
||||
## Creating a cluster layout
|
||||
|
||||
Creating a cluster layout for a Garage deployment means informing Garage
|
||||
of the disk space available on each node of the cluster
|
||||
as well as the zone (e.g. datacenter) each machine is located in.
|
||||
|
||||
For our test deployment, we are using only one node. The way in which we configure
|
||||
it does not matter, you can simply write:
|
||||
|
||||
```bash
|
||||
garage layout assign -z dc1 -c 1G <node_id>
|
||||
```
|
||||
|
||||
where `<node_id>` corresponds to the identifier of the node shown by `garage status` (first column).
|
||||
You can enter simply a prefix of that identifier.
|
||||
For instance here you could write just `garage layout assign -z dc1 -c 1G 563e`.
|
||||
|
||||
The layout then has to be applied to the cluster, using:
|
||||
|
||||
```bash
|
||||
garage layout apply
|
||||
```
|
||||
|
||||
|
||||
## Creating buckets and keys
|
||||
|
||||
In this section, we will suppose that we want to create a bucket named `nextcloud-bucket`
|
||||
that will be accessed through a key named `nextcloud-app-key`.
|
||||
|
||||
Don't forget that `help` command and `--help` subcommands can help you anywhere,
|
||||
the CLI tool is self-documented! Two examples:
|
||||
|
||||
```
|
||||
garage help
|
||||
garage bucket allow --help
|
||||
```
|
||||
|
||||
### Create a bucket
|
||||
|
||||
Let's take an example where we want to deploy NextCloud using Garage as the
|
||||
main data storage.
|
||||
|
||||
First, create a bucket with the following command:
|
||||
|
||||
```
|
||||
garage bucket create nextcloud-bucket
|
||||
```
|
||||
|
||||
Check that everything went well:
|
||||
|
||||
```
|
||||
garage bucket list
|
||||
garage bucket info nextcloud-bucket
|
||||
```
|
||||
|
||||
### Create an API key
|
||||
|
||||
The `nextcloud-bucket` bucket now exists on the Garage server,
|
||||
however it cannot be accessed until we add an API key with the proper access rights.
|
||||
|
||||
Note that API keys are independent of buckets:
|
||||
one key can access multiple buckets, multiple keys can access one bucket.
|
||||
|
||||
Create an API key using the following command:
|
||||
|
||||
```
|
||||
garage key create nextcloud-app-key
|
||||
```
|
||||
|
||||
The output should look as follows:
|
||||
|
||||
```
|
||||
Key name: nextcloud-app-key
|
||||
Key ID: GK3515373e4c851ebaad366558
|
||||
Secret key: 7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34
|
||||
Authorized buckets:
|
||||
```
|
||||
|
||||
Check that everything works as intended:
|
||||
|
||||
```
|
||||
garage key list
|
||||
garage key info nextcloud-app-key
|
||||
```
|
||||
|
||||
### Allow a key to access a bucket
|
||||
|
||||
Now that we have a bucket and a key, we need to give permissions to the key on the bucket:
|
||||
|
||||
```
|
||||
garage bucket allow \
|
||||
--read \
|
||||
--write \
|
||||
--owner \
|
||||
nextcloud-bucket \
|
||||
--key nextcloud-app-key
|
||||
```
|
||||
|
||||
You can check at any time the allowed keys on your bucket with:
|
||||
|
||||
```
|
||||
garage bucket info nextcloud-bucket
|
||||
```
|
||||
|
||||
|
||||
## Uploading and downloading from Garage
|
||||
|
||||
To download and upload files on garage, we can use a third-party tool named `awscli`.
|
||||
|
||||
|
||||
### Install and configure `awscli`
|
||||
|
||||
If you have python on your system, you can install it with:
|
||||
|
||||
```bash
|
||||
python -m pip install --user awscli
|
||||
```
|
||||
|
||||
Now that `awscli` is installed, you must configure it to talk to your Garage instance,
|
||||
with your key. There are multiple ways to do that, the simplest one is to create a file
|
||||
named `~/.awsrc` with this content:
|
||||
|
||||
```bash
|
||||
export AWS_ACCESS_KEY_ID=xxxx # put your Key ID here
|
||||
export AWS_SECRET_ACCESS_KEY=xxxx # put your Secret key here
|
||||
export AWS_DEFAULT_REGION='garage'
|
||||
export AWS_ENDPOINT_URL='http://localhost:3900'
|
||||
|
||||
aws --version
|
||||
```
|
||||
|
||||
Note you need to have at least `awscli` `>=1.29.0` or `>=2.13.0`, otherwise you
|
||||
need to specify `--endpoint-url` explicitly on each `awscli` invocation.
|
||||
|
||||
Now, each time you want to use `awscli` on this target, run:
|
||||
|
||||
```bash
|
||||
source ~/.awsrc
|
||||
```
|
||||
|
||||
*You can create multiple files with different names if you
|
||||
have multiple Garage clusters or different keys.
|
||||
Switching from one cluster to another is as simple as
|
||||
sourcing the right file.*
|
||||
|
||||
### Example usage of `awscli`
|
||||
|
||||
```bash
|
||||
# list buckets
|
||||
aws s3 ls
|
||||
|
||||
# list objects of a bucket
|
||||
aws s3 ls s3://nextcloud-bucket
|
||||
|
||||
# copy from your filesystem to garage
|
||||
aws s3 cp /proc/cpuinfo s3://nextcloud-bucket/cpuinfo.txt
|
||||
|
||||
# copy from garage to your filesystem
|
||||
aws s3 cp s3://nextcloud-bucket/cpuinfo.txt /tmp/cpuinfo.txt
|
||||
```
|
||||
|
||||
Note that you can use `awscli` for more advanced operations like
|
||||
creating a bucket, pre-signing a request or managing your website.
|
||||
[Read the full documentation to know more](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3/index.html).
|
||||
|
||||
Some features are however not implemented like ACL or policy.
|
||||
Check [our s3 compatibility list](@/documentation/reference-manual/s3-compatibility.md).
|
||||
|
||||
### Other tools for interacting with Garage
|
||||
|
||||
The following tools can also be used to send and recieve files from/to Garage:
|
||||
|
||||
- [minio-client](@/documentation/connect/cli.md#minio-client)
|
||||
- [s3cmd](@/documentation/connect/cli.md#s3cmd)
|
||||
- [rclone](@/documentation/connect/cli.md#rclone)
|
||||
- [Cyberduck](@/documentation/connect/cli.md#cyberduck)
|
||||
- [WinSCP](@/documentation/connect/cli.md#winscp)
|
||||
|
||||
An exhaustive list is maintained in the ["Integrations" > "Browsing tools" section](@/documentation/connect/_index.md).
|
|
@ -1,148 +0,0 @@
|
|||
+++
|
||||
title = "Administration API"
|
||||
weight = 40
|
||||
+++
|
||||
|
||||
The Garage administration API is accessible through a dedicated server whose
|
||||
listen address is specified in the `[admin]` section of the configuration
|
||||
file (see [configuration file
|
||||
reference](@/documentation/reference-manual/configuration.md))
|
||||
|
||||
**WARNING.** At this point, there is no commitment to the stability of the APIs described in this document.
|
||||
We will bump the version numbers prefixed to each API endpoint each time the syntax
|
||||
or semantics change, meaning that code that relies on these endpoint will break
|
||||
when changes are introduced.
|
||||
|
||||
Versions:
|
||||
- Before Garage 0.7.2 - no admin API
|
||||
- Garage 0.7.2 - admin APIv0
|
||||
- Garage 0.9.0 - admin APIv1, deprecate admin APIv0
|
||||
|
||||
|
||||
|
||||
## Access control
|
||||
|
||||
The admin API uses two different tokens for access control, that are specified in the config file's `[admin]` section:
|
||||
|
||||
- `metrics_token`: the token for accessing the Metrics endpoint (if this token
|
||||
is not set in the config file, the Metrics endpoint can be accessed without
|
||||
access control);
|
||||
|
||||
- `admin_token`: the token for accessing all of the other administration
|
||||
endpoints (if this token is not set in the config file, access to these
|
||||
endpoints is disabled entirely).
|
||||
|
||||
These tokens are used as simple HTTP bearer tokens. In other words, to
|
||||
authenticate access to an admin API endpoint, add the following HTTP header
|
||||
to your request:
|
||||
|
||||
```
|
||||
Authorization: Bearer <token>
|
||||
```
|
||||
|
||||
## Administration API endpoints
|
||||
|
||||
### Metrics `GET /metrics`
|
||||
|
||||
Returns internal Garage metrics in Prometheus format.
|
||||
The metrics are directly documented when returned by the API.
|
||||
|
||||
**Example:**
|
||||
|
||||
```
|
||||
$ curl -i http://localhost:3903/metrics
|
||||
HTTP/1.1 200 OK
|
||||
content-type: text/plain; version=0.0.4
|
||||
content-length: 12145
|
||||
date: Tue, 08 Aug 2023 07:25:05 GMT
|
||||
|
||||
# HELP api_admin_error_counter Number of API calls to the various Admin API endpoints that resulted in errors
|
||||
# TYPE api_admin_error_counter counter
|
||||
api_admin_error_counter{api_endpoint="CheckWebsiteEnabled",status_code="400"} 1
|
||||
api_admin_error_counter{api_endpoint="CheckWebsiteEnabled",status_code="404"} 3
|
||||
# HELP api_admin_request_counter Number of API calls to the various Admin API endpoints
|
||||
# TYPE api_admin_request_counter counter
|
||||
api_admin_request_counter{api_endpoint="CheckWebsiteEnabled"} 7
|
||||
api_admin_request_counter{api_endpoint="Health"} 3
|
||||
# HELP api_admin_request_duration Duration of API calls to the various Admin API endpoints
|
||||
...
|
||||
```
|
||||
|
||||
### Health `GET /health`
|
||||
|
||||
Returns `200 OK` if enough nodes are up to have a quorum (ie. serve requests),
|
||||
otherwise returns `503 Service Unavailable`.
|
||||
|
||||
**Example:**
|
||||
|
||||
```
|
||||
$ curl -i http://localhost:3903/health
|
||||
HTTP/1.1 200 OK
|
||||
content-type: text/plain
|
||||
content-length: 102
|
||||
date: Tue, 08 Aug 2023 07:22:38 GMT
|
||||
|
||||
Garage is fully operational
|
||||
Consult the full health check API endpoint at /v0/health for more details
|
||||
```
|
||||
|
||||
### On-demand TLS `GET /check`
|
||||
|
||||
To prevent abuse for on-demand TLS, Caddy developers have specified an endpoint that can be queried by the reverse proxy
|
||||
to know if a given domain is allowed to get a certificate. Garage implements these endpoints to tell if a given domain is handled by Garage or is garbage.
|
||||
|
||||
Garage responds with the following logic:
|
||||
- If the domain matches the pattern `<bucket-name>.<s3_api.root_domain>`, returns 200 OK
|
||||
- If the domain matches the pattern `<bucket-name>.<s3_web.root_domain>` and website is configured for `<bucket>`, returns 200 OK
|
||||
- If the domain matches the pattern `<bucket-name>` and website is configured for `<bucket>`, returns 200 OK
|
||||
- Otherwise, returns 404 Not Found, 400 Bad Request or 5xx requests.
|
||||
|
||||
*Note 1: because in the path-style URL mode, there is only one domain that is not known by Garage, hence it is not supported by this API endpoint.
|
||||
You must manually declare the domain in your reverse-proxy. Idem for K2V.*
|
||||
|
||||
*Note 2: buckets in a user's namespace are not supported yet by this endpoint. This is a limitation of this endpoint currently.*
|
||||
|
||||
**Example:** Suppose a Garage instance is configured with `s3_api.root_domain = .s3.garage.localhost` and `s3_web.root_domain = .web.garage.localhost`.
|
||||
|
||||
With a private `media` bucket (name in the global namespace, website is disabled), the endpoint will feature the following behavior:
|
||||
|
||||
```
|
||||
$ curl -so /dev/null -w "%{http_code}" http://localhost:3903/check?domain=media.s3.garage.localhost
|
||||
200
|
||||
$ curl -so /dev/null -w "%{http_code}" http://localhost:3903/check?domain=media
|
||||
400
|
||||
$ curl -so /dev/null -w "%{http_code}" http://localhost:3903/check?domain=media.web.garage.localhost
|
||||
400
|
||||
```
|
||||
|
||||
With a public `example.com` bucket (name in the global namespace, website is activated), the endpoint will feature the following behavior:
|
||||
|
||||
```
|
||||
$ curl -so /dev/null -w "%{http_code}" http://localhost:3903/check?domain=example.com.s3.garage.localhost
|
||||
200
|
||||
$ curl -so /dev/null -w "%{http_code}" http://localhost:3903/check?domain=example.com
|
||||
200
|
||||
$ curl -so /dev/null -w "%{http_code}" http://localhost:3903/check?domain=example.com.web.garage.localhost
|
||||
200
|
||||
```
|
||||
|
||||
|
||||
**References:**
|
||||
- [Using On-Demand TLS](https://caddyserver.com/docs/automatic-https#using-on-demand-tls)
|
||||
- [Add option for a backend check to approve use of on-demand TLS](https://github.com/caddyserver/caddy/pull/1939)
|
||||
- [Serving tens of thousands of domains over HTTPS with Caddy](https://caddy.community/t/serving-tens-of-thousands-of-domains-over-https-with-caddy/11179)
|
||||
|
||||
### Cluster operations
|
||||
|
||||
These endpoints have a dedicated OpenAPI spec.
|
||||
- APIv1 - [HTML spec](https://garagehq.deuxfleurs.fr/api/garage-admin-v1.html) - [OpenAPI YAML](https://garagehq.deuxfleurs.fr/api/garage-admin-v1.yml)
|
||||
- APIv0 (deprecated) - [HTML spec](https://garagehq.deuxfleurs.fr/api/garage-admin-v0.html) - [OpenAPI YAML](https://garagehq.deuxfleurs.fr/api/garage-admin-v0.yml)
|
||||
|
||||
Requesting the API from the command line can be as simple as running:
|
||||
|
||||
```bash
|
||||
curl -H 'Authorization: Bearer s3cr3t' http://localhost:3903/v0/status | jq
|
||||
```
|
||||
|
||||
For more advanced use cases, we recommend using a SDK.
|
||||
[Go to the "Build your own app" section to know how to use our SDKs](@/documentation/build/_index.md)
|