Spaces:
Running
Running
Upload 7 files
Browse files- Dockerfile +31 -0
- README.md +232 -4
- docs/GITHUB_LOGIN_AND_PRIVATE_DEPLOYMENT.md +170 -0
- docs/HF_DEPLOYMENT_OPTIONS.md +152 -0
- docs/SECURITY.md +36 -0
- scripts/mirror-cos-minio.md +82 -0
- scripts/start-minio.sh +76 -0
Dockerfile
ADDED
|
@@ -0,0 +1,31 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
FROM debian:bookworm-slim
|
| 2 |
+
|
| 3 |
+
ENV DEBIAN_FRONTEND=noninteractive
|
| 4 |
+
ENV MINIO_DATA_DIR=/data/minio
|
| 5 |
+
ENV MINIO_BUCKET=great-editor-backup
|
| 6 |
+
ENV MINIO_REGION=us-east-1
|
| 7 |
+
ENV MINIO_BROWSER=off
|
| 8 |
+
ENV PUBLIC_BUCKET=1
|
| 9 |
+
ENV PORT=7860
|
| 10 |
+
|
| 11 |
+
RUN apt-get update \
|
| 12 |
+
&& apt-get install -y --no-install-recommends ca-certificates curl tini \
|
| 13 |
+
&& rm -rf /var/lib/apt/lists/*
|
| 14 |
+
|
| 15 |
+
RUN curl -fsSL https://dl.min.io/server/minio/release/linux-amd64/minio -o /usr/local/bin/minio \
|
| 16 |
+
&& chmod +x /usr/local/bin/minio \
|
| 17 |
+
&& curl -fsSL https://dl.min.io/client/mc/release/linux-amd64/mc -o /usr/local/bin/mc \
|
| 18 |
+
&& chmod +x /usr/local/bin/mc
|
| 19 |
+
|
| 20 |
+
WORKDIR /app
|
| 21 |
+
COPY scripts/start-minio.sh /app/start-minio.sh
|
| 22 |
+
RUN chmod +x /app/start-minio.sh \
|
| 23 |
+
&& mkdir -p /data/minio
|
| 24 |
+
|
| 25 |
+
EXPOSE 7860
|
| 26 |
+
|
| 27 |
+
HEALTHCHECK --interval=60s --timeout=10s --start-period=30s --retries=3 \
|
| 28 |
+
CMD curl -fsS http://127.0.0.1:7860/minio/health/live || exit 1
|
| 29 |
+
|
| 30 |
+
ENTRYPOINT ["/usr/bin/tini", "--"]
|
| 31 |
+
CMD ["/app/start-minio.sh"]
|
README.md
CHANGED
|
@@ -1,10 +1,238 @@
|
|
| 1 |
---
|
| 2 |
-
title: COS HF
|
| 3 |
-
emoji:
|
| 4 |
colorFrom: blue
|
| 5 |
-
colorTo:
|
| 6 |
sdk: docker
|
| 7 |
pinned: false
|
|
|
|
| 8 |
---
|
| 9 |
|
| 10 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
---
|
| 2 |
+
title: COS HF MinIO
|
| 3 |
+
emoji: 🗄️
|
| 4 |
colorFrom: blue
|
| 5 |
+
colorTo: green
|
| 6 |
sdk: docker
|
| 7 |
pinned: false
|
| 8 |
+
license: mit
|
| 9 |
---
|
| 10 |
|
| 11 |
+
# COS_HF
|
| 12 |
+
|
| 13 |
+
在 Hugging Face Docker Space 上部署一个 **S3/COS 兼容的 MinIO 对象存储服务**,作为腾讯云 COS 的长期备份、应急溢出存储,以及其他 MVP 项目的共享对象存储。
|
| 14 |
+
|
| 15 |
+
## 重要说明:GitHub 登录 vs MinIO 凭证
|
| 16 |
+
|
| 17 |
+
本项目的核心服务是 MinIO,也就是 S3/COS 兼容对象存储。对象存储协议本身使用的是:
|
| 18 |
+
|
| 19 |
+
```text
|
| 20 |
+
Access Key / Secret Key 签名认证
|
| 21 |
+
```
|
| 22 |
+
|
| 23 |
+
因此,下面两个环境变量是 **MinIO 服务启动和 S3 API 写入所必需的内部凭证**,不是普通用户网页登录方式:
|
| 24 |
+
|
| 25 |
+
```bash
|
| 26 |
+
MINIO_ROOT_USER=内部 S3 Access Key
|
| 27 |
+
MINIO_ROOT_PASSWORD=内部 S3 Secret Key
|
| 28 |
+
```
|
| 29 |
+
|
| 30 |
+
如果设置:
|
| 31 |
+
|
| 32 |
+
```bash
|
| 33 |
+
MINIO_BROWSER=off
|
| 34 |
+
```
|
| 35 |
+
|
| 36 |
+
则 MinIO Web Console 默认关闭,浏览器里不会出现“管理员 + 密码”的管理后台登录页。GreatEditor、mc、AWS SDK 等客户端仍然需要使用这组 S3 凭证完成上传、同步和备份。
|
| 37 |
+
|
| 38 |
+
如果要“使用 GitHub 账号登录”,推荐放在外层访问控制完成,而不是替代 MinIO S3 凭证:
|
| 39 |
+
|
| 40 |
+
```text
|
| 41 |
+
方案 1:Hugging Face Space 设为 Private,浏览器访问由 Hugging Face 登录保护
|
| 42 |
+
方案 2:使用 Cloudflare Access + GitHub 登录保护自定义域名
|
| 43 |
+
方案 3:后续单独开发 /admin 管理页使用 GitHub OAuth,S3 API 仍用 Access Key / Secret Key
|
| 44 |
+
```
|
| 45 |
+
|
| 46 |
+
不建议把 GitHub OAuth 强行加到所有 S3 API 路径前面,否则 GreatEditor、MinIO Client、AWS SDK 等对象存储客户端会无法正常工作。
|
| 47 |
+
|
| 48 |
+
## 适用定位
|
| 49 |
+
|
| 50 |
+
推荐定位:
|
| 51 |
+
|
| 52 |
+
```text
|
| 53 |
+
主存储:腾讯云 COS / Cloudflare R2 / 正式对象存储
|
| 54 |
+
备份与应急:Hugging Face MinIO
|
| 55 |
+
MVP 临时存储:Hugging Face MinIO
|
| 56 |
+
业务数据库:PostgreSQL
|
| 57 |
+
缓存 / Session / 配置:KV
|
| 58 |
+
```
|
| 59 |
+
|
| 60 |
+
不建议把 Hugging Face MinIO 作为高并发生产主存储。它更适合作为:
|
| 61 |
+
|
| 62 |
+
```text
|
| 63 |
+
1. 腾讯云 COS 爆满时的临时写入目标
|
| 64 |
+
2. 腾讯云 COS 的周期性备份目标
|
| 65 |
+
3. GreatEditor / 其他 MVP 项目的低成本对象存储
|
| 66 |
+
4. 后续 COS 扩容后迁移回 COS 的中转仓库
|
| 67 |
+
```
|
| 68 |
+
|
| 69 |
+
## 项目结构
|
| 70 |
+
|
| 71 |
+
```text
|
| 72 |
+
.
|
| 73 |
+
├── Dockerfile # Hugging Face Docker Space 入口
|
| 74 |
+
├── scripts/start-minio.sh # 启动 MinIO,并自动初始化 bucket
|
| 75 |
+
├── scripts/mirror-cos-minio.md # 腾讯 COS ↔ MinIO 迁移/同步命令
|
| 76 |
+
├── worker/keepalive.js # Cloudflare Worker 保活模板
|
| 77 |
+
├── docs/ # 部署、安全、GitHub 登录说明
|
| 78 |
+
└── README.md
|
| 79 |
+
```
|
| 80 |
+
|
| 81 |
+
## Hugging Face 部署步骤
|
| 82 |
+
|
| 83 |
+
### 1. 创建 Hugging Face Space
|
| 84 |
+
|
| 85 |
+
创建 Docker Space,连接本仓库或直接上传本仓库文件。
|
| 86 |
+
|
| 87 |
+
建议启用 Persistent Storage,并确保数据目录挂载到:
|
| 88 |
+
|
| 89 |
+
```text
|
| 90 |
+
/data
|
| 91 |
+
```
|
| 92 |
+
|
| 93 |
+
本项目默认 MinIO 数据目录为:
|
| 94 |
+
|
| 95 |
+
```text
|
| 96 |
+
/data/minio
|
| 97 |
+
```
|
| 98 |
+
|
| 99 |
+
### 2. 配置 Space Secrets
|
| 100 |
+
|
| 101 |
+
在 Hugging Face Space 的 `Settings → Variables and secrets` 中配置:
|
| 102 |
+
|
| 103 |
+
```bash
|
| 104 |
+
MINIO_ROOT_USER=内部 S3 Access Key,例如 coshf_admin
|
| 105 |
+
MINIO_ROOT_PASSWORD=内部 S3 Secret Key,请使用强密码
|
| 106 |
+
MINIO_BUCKET=great-editor-backup
|
| 107 |
+
MINIO_REGION=us-east-1
|
| 108 |
+
MINIO_BROWSER=off
|
| 109 |
+
PUBLIC_BUCKET=1
|
| 110 |
+
```
|
| 111 |
+
|
| 112 |
+
可选:
|
| 113 |
+
|
| 114 |
+
```bash
|
| 115 |
+
MINIO_SERVER_URL=https://your-space-name.hf.space
|
| 116 |
+
MINIO_API_CORS_ALLOW_ORIGIN=*
|
| 117 |
+
```
|
| 118 |
+
|
| 119 |
+
说明:
|
| 120 |
+
|
| 121 |
+
```text
|
| 122 |
+
MINIO_ROOT_USER / MINIO_ROOT_PASSWORD:S3 Access Key / Secret Key,用于程序上传和同步,不是 GitHub 登录
|
| 123 |
+
MINIO_BUCKET:默认自动创建的 bucket
|
| 124 |
+
PUBLIC_BUCKET=1:设置 bucket 为匿名可读,适合图片 URL 直接访问
|
| 125 |
+
PUBLIC_BUCKET=0:bucket 私有,适合冷备份
|
| 126 |
+
MINIO_BROWSER=off:关闭 Web Console,HF 默认只暴露一个端口,优先暴露 S3 API
|
| 127 |
+
```
|
| 128 |
+
|
| 129 |
+
### 3. 访问健康检查
|
| 130 |
+
|
| 131 |
+
部署成功后,可以访问:
|
| 132 |
+
|
| 133 |
+
```text
|
| 134 |
+
https://your-space-name.hf.space/minio/health/live
|
| 135 |
+
https://your-space-name.hf.space/minio/health/ready
|
| 136 |
+
```
|
| 137 |
+
|
| 138 |
+
Cloudflare Worker 保活建议定时访问:
|
| 139 |
+
|
| 140 |
+
```text
|
| 141 |
+
/minio/health/live
|
| 142 |
+
```
|
| 143 |
+
|
| 144 |
+
## Private 部署建议
|
| 145 |
+
|
| 146 |
+
如果这个 Space 主要作为冷备份:
|
| 147 |
+
|
| 148 |
+
```text
|
| 149 |
+
HF Space Visibility:Private
|
| 150 |
+
PUBLIC_BUCKET=0
|
| 151 |
+
MINIO_BROWSER=off
|
| 152 |
+
```
|
| 153 |
+
|
| 154 |
+
这样浏览器访问由 Hugging Face 自己的登录体系保护。你可以使用 Hugging Face 账号登录;如果你的 Hugging Face 账号绑定了 GitHub,也可以通过 GitHub 方式进入 Hugging Face。
|
| 155 |
+
|
| 156 |
+
如果这个 Space 要临时承接 GreatEditor 图片访问:
|
| 157 |
+
|
| 158 |
+
```text
|
| 159 |
+
HF Space Visibility:Public
|
| 160 |
+
PUBLIC_BUCKET=1
|
| 161 |
+
MINIO_BROWSER=off
|
| 162 |
+
```
|
| 163 |
+
|
| 164 |
+
这样图片 URL 可以被浏览器直接读取,写入仍然需要 MinIO S3 凭证。
|
| 165 |
+
|
| 166 |
+
## S3 / COS 兼容连接参数
|
| 167 |
+
|
| 168 |
+
给 GreatEditor 或其他 MVP 应用使用时,可以配置为:
|
| 169 |
+
|
| 170 |
+
```bash
|
| 171 |
+
S3_ENDPOINT=https://your-space-name.hf.space
|
| 172 |
+
S3_ACCESS_KEY_ID=MINIO_ROOT_USER 的值
|
| 173 |
+
S3_SECRET_ACCESS_KEY=MINIO_ROOT_PASSWORD 的值
|
| 174 |
+
S3_BUCKET=great-editor-backup
|
| 175 |
+
S3_REGION=us-east-1
|
| 176 |
+
S3_FORCE_PATH_STYLE=true
|
| 177 |
+
```
|
| 178 |
+
|
| 179 |
+
MinIO 的 URL 通常是 path-style:
|
| 180 |
+
|
| 181 |
+
```text
|
| 182 |
+
https://your-space-name.hf.space/great-editor-backup/path/to/file.jpg
|
| 183 |
+
```
|
| 184 |
+
|
| 185 |
+
## 腾讯 COS 与 MinIO 同步
|
| 186 |
+
|
| 187 |
+
推荐使用 MinIO Client `mc` 做同步。详见:
|
| 188 |
+
|
| 189 |
+
```text
|
| 190 |
+
scripts/mirror-cos-minio.md
|
| 191 |
+
```
|
| 192 |
+
|
| 193 |
+
典型命令:
|
| 194 |
+
|
| 195 |
+
```bash
|
| 196 |
+
mc alias set cos https://cos.ap-guangzhou.myqcloud.com "$COS_SECRET_ID" "$COS_SECRET_KEY"
|
| 197 |
+
mc alias set hfminio https://your-space-name.hf.space "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD"
|
| 198 |
+
|
| 199 |
+
# COS -> HF MinIO 备份
|
| 200 |
+
mc mirror --overwrite cos/your-cos-bucket hfminio/great-editor-backup
|
| 201 |
+
|
| 202 |
+
# HF MinIO -> COS 恢复
|
| 203 |
+
mc mirror --overwrite hfminio/great-editor-backup cos/your-cos-bucket
|
| 204 |
+
```
|
| 205 |
+
|
| 206 |
+
## 与 GreatEditor 的集成建议
|
| 207 |
+
|
| 208 |
+
建议后续在 GreatEditor 中增加统一存储抽象:
|
| 209 |
+
|
| 210 |
+
```text
|
| 211 |
+
STORAGE_PROVIDER=cos | s3 | r2 | hf_minio
|
| 212 |
+
```
|
| 213 |
+
|
| 214 |
+
当腾讯 COS 空间不足时,临时切换:
|
| 215 |
+
|
| 216 |
+
```text
|
| 217 |
+
STORAGE_PROVIDER=hf_minio
|
| 218 |
+
```
|
| 219 |
+
|
| 220 |
+
当腾讯 COS 扩容完成后,执行 MinIO → COS 同步,再切回:
|
| 221 |
+
|
| 222 |
+
```text
|
| 223 |
+
STORAGE_PROVIDER=cos
|
| 224 |
+
```
|
| 225 |
+
|
| 226 |
+
## 重要风险
|
| 227 |
+
|
| 228 |
+
Hugging Face Space + MinIO 不等于正式云对象存储,存在以下风险:
|
| 229 |
+
|
| 230 |
+
```text
|
| 231 |
+
1. Space 可能重启、冷启动或被限流
|
| 232 |
+
2. 单节点 MinIO 不具备高可用
|
| 233 |
+
3. 大量公网图片访问可能不适合 HF 流量模型
|
| 234 |
+
4. 需要自行负责备份、迁移和访问控制
|
| 235 |
+
5. MinIO 许可证为 AGPLv3,商业闭源集成需注意合规
|
| 236 |
+
```
|
| 237 |
+
|
| 238 |
+
因此,本项目推荐作为备份、应急、MVP 低成本存储,不建议一开始替代正式 COS/R2。
|
docs/GITHUB_LOGIN_AND_PRIVATE_DEPLOYMENT.md
ADDED
|
@@ -0,0 +1,170 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
# GitHub 登录与 Private 部署说明
|
| 2 |
+
|
| 3 |
+
本项目是 MinIO / S3 兼容对象存储服务,不是普通 Web 应用。登录方式需要区分两类访问:
|
| 4 |
+
|
| 5 |
+
```text
|
| 6 |
+
1. 浏览器访问:人打开网页、查看控制台、健康检查
|
| 7 |
+
2. S3 API 访问:GreatEditor / mc / SDK 上传、下载、同步文件
|
| 8 |
+
```
|
| 9 |
+
|
| 10 |
+
## 结论
|
| 11 |
+
|
| 12 |
+
不建议把 GitHub OAuth 登录直接加在 MinIO S3 API 前面。
|
| 13 |
+
|
| 14 |
+
原因是 S3 客户端使用的是 Access Key / Secret Key 签名认证,而 GitHub OAuth 是浏览器交互登录。两者认证机制不同。如果在 S3 API 前强行加 GitHub 登录,会导致 GreatEditor、MinIO Client `mc`、AWS SDK 等无法正常请求。
|
| 15 |
+
|
| 16 |
+
因此推荐以下部署策略:
|
| 17 |
+
|
| 18 |
+
```text
|
| 19 |
+
生产主存储:腾讯 COS / Cloudflare R2
|
| 20 |
+
HF MinIO:备份、应急、MVP 临时对象存储
|
| 21 |
+
HF MinIO 写入权限:MinIO Access Key / Secret Key
|
| 22 |
+
HF MinIO 访问范围:由 Space 可见性、bucket policy、S3 key 权限控制
|
| 23 |
+
```
|
| 24 |
+
|
| 25 |
+
## 什么是 Private 部署
|
| 26 |
+
|
| 27 |
+
这里的 Private 部署有两层含义:
|
| 28 |
+
|
| 29 |
+
### 1. GitHub 仓库 Private
|
| 30 |
+
|
| 31 |
+
`CaPaCaptain/COS_HF` 可以保持 GitHub Private。这样源码和部署配置不公开。
|
| 32 |
+
|
| 33 |
+
如果 Hugging Face 不能直接关联 GitHub Private 仓库,可以选择:
|
| 34 |
+
|
| 35 |
+
```text
|
| 36 |
+
1. 临时设为 Public,部署成功后再转回 Private
|
| 37 |
+
2. 手动把文件上传到 Hugging Face Space 仓库
|
| 38 |
+
3. 使用 Hugging Face 自己的 Space Git 仓库作为部署仓库
|
| 39 |
+
```
|
| 40 |
+
|
| 41 |
+
### 2. Hugging Face Space Private
|
| 42 |
+
|
| 43 |
+
如果 Hugging Face Space 设置为 Private,则普通浏览器访问需要 Hugging Face 账号权限。
|
| 44 |
+
|
| 45 |
+
这适合:
|
| 46 |
+
|
| 47 |
+
```text
|
| 48 |
+
1. 冷备份
|
| 49 |
+
2. 内部应急存储
|
| 50 |
+
3. 不需要公开图片 URL 的场景
|
| 51 |
+
```
|
| 52 |
+
|
| 53 |
+
但不适合:
|
| 54 |
+
|
| 55 |
+
```text
|
| 56 |
+
1. GreatEditor 直接把图片 URL 展示给公网用户
|
| 57 |
+
2. 需要浏览器匿名加载图片缩略图
|
| 58 |
+
3. 需要第三方 S3 客户端无 HF 登录访问
|
| 59 |
+
```
|
| 60 |
+
|
| 61 |
+
原因是 Private Space 的访问会被 Hugging Face 登录层拦截,普通图片 URL 和 S3 SDK 请求可能无法像公开对象存储一样直接工作。
|
| 62 |
+
|
| 63 |
+
## 推荐部署模式
|
| 64 |
+
|
| 65 |
+
### 模式 A:Public Space + MinIO 私有写权限(推荐给 MVP / 应急)
|
| 66 |
+
|
| 67 |
+
```text
|
| 68 |
+
Hugging Face Space:Public
|
| 69 |
+
MINIO_ROOT_USER / MINIO_ROOT_PASSWORD:保密
|
| 70 |
+
PUBLIC_BUCKET=1 或 0 按需求选择
|
| 71 |
+
```
|
| 72 |
+
|
| 73 |
+
特点:
|
| 74 |
+
|
| 75 |
+
```text
|
| 76 |
+
1. GreatEditor / mc / SDK 可以正常使用 S3 API
|
| 77 |
+
2. 写入仍然需要 MinIO key
|
| 78 |
+
3. 如果 PUBLIC_BUCKET=1,图片 URL 可直接访问
|
| 79 |
+
4. 最适合作为 COS 爆满时的临时对象存储
|
| 80 |
+
```
|
| 81 |
+
|
| 82 |
+
适合 GreatEditor 的应急存储。
|
| 83 |
+
|
| 84 |
+
### 模式 B:Private Space + MinIO 私有写权限(推荐给冷备份)
|
| 85 |
+
|
| 86 |
+
```text
|
| 87 |
+
Hugging Face Space:Private
|
| 88 |
+
MINIO_ROOT_USER / MINIO_ROOT_PASSWORD:保密
|
| 89 |
+
PUBLIC_BUCKET=0
|
| 90 |
+
```
|
| 91 |
+
|
| 92 |
+
特点:
|
| 93 |
+
|
| 94 |
+
```text
|
| 95 |
+
1. 更私密
|
| 96 |
+
2. 适合备份
|
| 97 |
+
3. 不适合直接作为公开图片 CDN
|
| 98 |
+
4. GreatEditor 前端不应直接依赖这种 URL
|
| 99 |
+
```
|
| 100 |
+
|
| 101 |
+
适合作为腾讯 COS 的长期备份仓库。
|
| 102 |
+
|
| 103 |
+
### 模式 C:GitHub 登录保护管理页,不保护 S3 API(后续增强)
|
| 104 |
+
|
| 105 |
+
如果后续确实需要“使用 GitHub 账号登录管理界面”,建议单独开发一个轻量管理面板:
|
| 106 |
+
|
| 107 |
+
```text
|
| 108 |
+
/admin -> GitHub OAuth 登录
|
| 109 |
+
/s3 API -> 仍然保持 MinIO S3 Access Key / Secret Key
|
| 110 |
+
/health -> 可公开或用简单 token
|
| 111 |
+
```
|
| 112 |
+
|
| 113 |
+
这种方式不会破坏 S3 API。
|
| 114 |
+
|
| 115 |
+
不建议做成:
|
| 116 |
+
|
| 117 |
+
```text
|
| 118 |
+
所有路径都强制 GitHub OAuth
|
| 119 |
+
```
|
| 120 |
+
|
| 121 |
+
因为这会破坏 S3 API 的签名认证流程。
|
| 122 |
+
|
| 123 |
+
## 当前项目默认策略
|
| 124 |
+
|
| 125 |
+
当前项目默认采用:
|
| 126 |
+
|
| 127 |
+
```text
|
| 128 |
+
Public Space + MinIO S3 Key 认证 + 可选公开 bucket
|
| 129 |
+
```
|
| 130 |
+
|
| 131 |
+
也就是:
|
| 132 |
+
|
| 133 |
+
```text
|
| 134 |
+
MINIO_ROOT_USER / MINIO_ROOT_PASSWORD 控制写入和管理权限
|
| 135 |
+
PUBLIC_BUCKET=1 控制图片是否可匿名读取
|
| 136 |
+
MINIO_BROWSER=off 优先暴露 S3 API
|
| 137 |
+
```
|
| 138 |
+
|
| 139 |
+
## 如果必须要 GitHub 登录
|
| 140 |
+
|
| 141 |
+
建议不是改 MinIO 本身,而是在 Cloudflare 侧做访问控制:
|
| 142 |
+
|
| 143 |
+
```text
|
| 144 |
+
1. 给 HF Space 绑定自定义域名,例如 cos.example.com
|
| 145 |
+
2. 用 Cloudflare Access 配置 GitHub / GitHub Organization 登录
|
| 146 |
+
3. 只保护管理面板或内部路径
|
| 147 |
+
4. 不要保护 S3 API 上传下载路径
|
| 148 |
+
```
|
| 149 |
+
|
| 150 |
+
如果一定要保护全部路径,则该服务只能作为“人类浏览器访问”的后台,不适合 GreatEditor / S3 SDK 直接使用。
|
| 151 |
+
|
| 152 |
+
## 实用建议
|
| 153 |
+
|
| 154 |
+
对当前目标,建议这样配置:
|
| 155 |
+
|
| 156 |
+
```text
|
| 157 |
+
COS_HF GitHub 仓库:Private
|
| 158 |
+
HF Space:Public 或 Private 分场景
|
| 159 |
+
备份 Space:Private
|
| 160 |
+
应急 Space:Public
|
| 161 |
+
MinIO bucket:备份 private,应急 public-read
|
| 162 |
+
写入权限:MinIO Access Key / Secret Key
|
| 163 |
+
```
|
| 164 |
+
|
| 165 |
+
可以创建两个 Space:
|
| 166 |
+
|
| 167 |
+
```text
|
| 168 |
+
cos-hf-backup-private # Private,冷备份
|
| 169 |
+
cos-hf-overflow-public # Public,COS 爆满时应急承接图片访问
|
| 170 |
+
```
|
docs/HF_DEPLOYMENT_OPTIONS.md
ADDED
|
@@ -0,0 +1,152 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
# Hugging Face 部署方式:完整迁移 vs 单 Dockerfile 拉取
|
| 2 |
+
|
| 3 |
+
## 结论
|
| 4 |
+
|
| 5 |
+
推荐方式:把本仓库内容同步到 Hugging Face Space 仓库,或直接用 Hugging Face 的 GitHub 仓库关联/同步能力。
|
| 6 |
+
|
| 7 |
+
不推荐方式:只在 Hugging Face Space 放一个 Dockerfile,然后在 Dockerfile 里从 GitHub Private 仓库拉取整个项目。
|
| 8 |
+
|
| 9 |
+
原因:Private GitHub 仓库需要 token,Docker build 阶段使用 token 容易泄露到镜像层、构建日志或缓存中;并且 Hugging Face Space 本身就是一个 Git 仓库,每次提交会自动 rebuild,没必要绕一层 git clone。
|
| 10 |
+
|
| 11 |
+
## 方式 A:Hugging Face Space 直接保存完整项目文件(推荐)
|
| 12 |
+
|
| 13 |
+
Hugging Face Space 本身就是 Git 仓库。把本项目这些文件同步到 Space 仓库即可:
|
| 14 |
+
|
| 15 |
+
```text
|
| 16 |
+
README.md
|
| 17 |
+
Dockerfile
|
| 18 |
+
scripts/start-minio.sh
|
| 19 |
+
scripts/mirror-cos-minio.md
|
| 20 |
+
worker/keepalive.js
|
| 21 |
+
docs/*
|
| 22 |
+
```
|
| 23 |
+
|
| 24 |
+
优点:
|
| 25 |
+
|
| 26 |
+
```text
|
| 27 |
+
1. 最符合 Hugging Face Space 的工作方式
|
| 28 |
+
2. 每次 push 自动构建和重启
|
| 29 |
+
3. 不需要 GitHub token 参与 Docker build
|
| 30 |
+
4. Secret 只保存在 Hugging Face Space Secrets
|
| 31 |
+
5. 出错时日志更清晰
|
| 32 |
+
```
|
| 33 |
+
|
| 34 |
+
适合:
|
| 35 |
+
|
| 36 |
+
```text
|
| 37 |
+
正式部署
|
| 38 |
+
长期维护
|
| 39 |
+
Private Space
|
| 40 |
+
备份或应急对象存储
|
| 41 |
+
```
|
| 42 |
+
|
| 43 |
+
## 方式 B:GitHub Actions 同步到 Hugging Face Space(推荐)
|
| 44 |
+
|
| 45 |
+
如果你希望继续以 GitHub 仓库 `CaPaCaptain/COS_HF` 为主仓库,可以使用 GitHub Actions 自动把 main 分支推送到 Hugging Face Space 仓库。
|
| 46 |
+
|
| 47 |
+
流程:
|
| 48 |
+
|
| 49 |
+
```text
|
| 50 |
+
GitHub COS_HF main push
|
| 51 |
+
↓
|
| 52 |
+
GitHub Actions
|
| 53 |
+
↓
|
| 54 |
+
Push 到 Hugging Face Space Git 仓库
|
| 55 |
+
↓
|
| 56 |
+
Hugging Face 自动 rebuild
|
| 57 |
+
```
|
| 58 |
+
|
| 59 |
+
这种方式适合 GitHub Private 仓库。
|
| 60 |
+
|
| 61 |
+
需要在 GitHub Secrets 中配置:
|
| 62 |
+
|
| 63 |
+
```text
|
| 64 |
+
HF_TOKEN
|
| 65 |
+
HF_SPACE_REPO,例如 username/cos-hf
|
| 66 |
+
```
|
| 67 |
+
|
| 68 |
+
示例 workflow 可后续添加到:
|
| 69 |
+
|
| 70 |
+
```text
|
| 71 |
+
.github/workflows/sync-to-hf.yml
|
| 72 |
+
```
|
| 73 |
+
|
| 74 |
+
## 方式 C:HF Space 关联 GitHub 仓库
|
| 75 |
+
|
| 76 |
+
如果 Hugging Face 当前界面允许直接关联 GitHub 仓库,也可以直接关联 `CaPaCaptain/COS_HF`。
|
| 77 |
+
|
| 78 |
+
但注意:
|
| 79 |
+
|
| 80 |
+
```text
|
| 81 |
+
1. GitHub Private 仓库可能需要授权 Hugging Face 访问
|
| 82 |
+
2. 关联失败时,改用方式 B 更稳
|
| 83 |
+
3. Space 仍建议设置 Secrets,而不要把密钥写进仓库
|
| 84 |
+
```
|
| 85 |
+
|
| 86 |
+
## 方式 D:只放一个 Dockerfile,Dockerfile 自动 git clone(不推荐)
|
| 87 |
+
|
| 88 |
+
技术上可以:
|
| 89 |
+
|
| 90 |
+
```Dockerfile
|
| 91 |
+
FROM debian:bookworm-slim
|
| 92 |
+
RUN apt-get update && apt-get install -y git
|
| 93 |
+
RUN git clone https://github.com/CaPaCaptain/COS_HF.git /app
|
| 94 |
+
WORKDIR /app
|
| 95 |
+
RUN chmod +x scripts/start-minio.sh
|
| 96 |
+
CMD ["scripts/start-minio.sh"]
|
| 97 |
+
```
|
| 98 |
+
|
| 99 |
+
但这只适合 Public GitHub 仓库。
|
| 100 |
+
|
| 101 |
+
如果是 Private GitHub 仓库,需要 token,例如:
|
| 102 |
+
|
| 103 |
+
```Dockerfile
|
| 104 |
+
ARG GITHUB_TOKEN
|
| 105 |
+
RUN git clone https://$GITHUB_TOKEN@github.com/CaPaCaptain/COS_HF.git /app
|
| 106 |
+
```
|
| 107 |
+
|
| 108 |
+
不推荐原因:
|
| 109 |
+
|
| 110 |
+
```text
|
| 111 |
+
1. token 可能进入 Docker 镜像层
|
| 112 |
+
2. token 可能出现在构建日志或缓存里
|
| 113 |
+
3. Dockerfile 变成部署入口,但真实代码不在 Space 仓库,排查困难
|
| 114 |
+
4. Hugging Face Secrets 更适合运行时,不适合作为 Docker build clone 私有仓库的认证来源
|
| 115 |
+
5. 与 Hugging Face Space 自动 rebuild 的 Git 工作流重复
|
| 116 |
+
```
|
| 117 |
+
|
| 118 |
+
## 推荐选择
|
| 119 |
+
|
| 120 |
+
### 当前 COS_HF 推荐部署方式
|
| 121 |
+
|
| 122 |
+
```text
|
| 123 |
+
GitHub 仓库:Private,作为源码主仓库
|
| 124 |
+
Hugging Face Space:Docker Space
|
| 125 |
+
同步方式:GitHub Actions 推送完整文件到 HF Space 仓库
|
| 126 |
+
运行密钥:Hugging Face Space Secrets
|
| 127 |
+
持久目录:/data/minio
|
| 128 |
+
```
|
| 129 |
+
|
| 130 |
+
### 备用快速方式
|
| 131 |
+
|
| 132 |
+
如果只是先跑通:
|
| 133 |
+
|
| 134 |
+
```text
|
| 135 |
+
手动把 GitHub 仓库所有文件上传到 HF Space 仓库
|
| 136 |
+
配置 Space Secrets
|
| 137 |
+
启动 Docker Space
|
| 138 |
+
```
|
| 139 |
+
|
| 140 |
+
## 为什么不是“只迁移 Dockerfile”
|
| 141 |
+
|
| 142 |
+
本项目 Dockerfile 依赖:
|
| 143 |
+
|
| 144 |
+
```text
|
| 145 |
+
scripts/start-minio.sh
|
| 146 |
+
README.md metadata
|
| 147 |
+
可选 docs 与 worker 模板
|
| 148 |
+
```
|
| 149 |
+
|
| 150 |
+
如果只迁移 Dockerfile,至少还要在 Dockerfile 中内嵌启动脚本或远程下载脚本。这样可维护性更差。
|
| 151 |
+
|
| 152 |
+
所以更建议迁移完整项目文件,而不是只迁移 Dockerfile。
|
docs/SECURITY.md
ADDED
|
@@ -0,0 +1,36 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
# Security Notes
|
| 2 |
+
|
| 3 |
+
## Access keys
|
| 4 |
+
|
| 5 |
+
`MINIO_ROOT_USER` and `MINIO_ROOT_PASSWORD` are equivalent to S3 Access Key and Secret Key.
|
| 6 |
+
|
| 7 |
+
Do not commit real keys into GitHub.
|
| 8 |
+
|
| 9 |
+
Configure them as Hugging Face Space Secrets.
|
| 10 |
+
|
| 11 |
+
## Public bucket
|
| 12 |
+
|
| 13 |
+
`PUBLIC_BUCKET=1` makes the default bucket anonymously readable. This is convenient for image hosting, but anyone with the object URL can read the file.
|
| 14 |
+
|
| 15 |
+
For private user files, set:
|
| 16 |
+
|
| 17 |
+
```bash
|
| 18 |
+
PUBLIC_BUCKET=0
|
| 19 |
+
```
|
| 20 |
+
|
| 21 |
+
Then proxy downloads through your application backend, or generate temporary signed URLs.
|
| 22 |
+
|
| 23 |
+
## Recommended usage
|
| 24 |
+
|
| 25 |
+
This repository is designed for backup, emergency overflow, and MVP object storage. It is not a substitute for a highly available production object storage service.
|
| 26 |
+
|
| 27 |
+
## Backup strategy
|
| 28 |
+
|
| 29 |
+
Keep at least one additional backup outside the Hugging Face Space persistent volume.
|
| 30 |
+
|
| 31 |
+
Suggested minimum:
|
| 32 |
+
|
| 33 |
+
```text
|
| 34 |
+
Tencent COS -> HF MinIO
|
| 35 |
+
HF MinIO -> local archive or another object storage
|
| 36 |
+
```
|
scripts/mirror-cos-minio.md
ADDED
|
@@ -0,0 +1,82 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
# 腾讯 COS ↔ Hugging Face MinIO 同步指南
|
| 2 |
+
|
| 3 |
+
本文件用于在腾讯云 COS 与 Hugging Face MinIO 之间做备份、恢复和临时迁移。
|
| 4 |
+
|
| 5 |
+
推荐工具:MinIO Client `mc`。
|
| 6 |
+
|
| 7 |
+
## 1. 安装 mc
|
| 8 |
+
|
| 9 |
+
macOS:
|
| 10 |
+
|
| 11 |
+
```bash
|
| 12 |
+
brew install minio/stable/mc
|
| 13 |
+
```
|
| 14 |
+
|
| 15 |
+
Linux:
|
| 16 |
+
|
| 17 |
+
```bash
|
| 18 |
+
curl -fsSL https://dl.min.io/client/mc/release/linux-amd64/mc -o mc
|
| 19 |
+
chmod +x mc
|
| 20 |
+
sudo mv mc /usr/local/bin/mc
|
| 21 |
+
```
|
| 22 |
+
|
| 23 |
+
## 2. 配置别名
|
| 24 |
+
|
| 25 |
+
把下面变量替换成你自己的值。
|
| 26 |
+
|
| 27 |
+
腾讯 COS endpoint 示例:
|
| 28 |
+
|
| 29 |
+
```text
|
| 30 |
+
https://cos.ap-guangzhou.myqcloud.com
|
| 31 |
+
```
|
| 32 |
+
|
| 33 |
+
Hugging Face MinIO endpoint 示例:
|
| 34 |
+
|
| 35 |
+
```text
|
| 36 |
+
https://your-space-name.hf.space
|
| 37 |
+
```
|
| 38 |
+
|
| 39 |
+
```bash
|
| 40 |
+
mc alias set cos https://cos.ap-guangzhou.myqcloud.com "$COS_ID" "$COS_KEY"
|
| 41 |
+
mc alias set hfminio https://your-space-name.hf.space "$MINIO_USER" "$MINIO_PASS"
|
| 42 |
+
```
|
| 43 |
+
|
| 44 |
+
## 3. COS 备份到 HF MinIO
|
| 45 |
+
|
| 46 |
+
```bash
|
| 47 |
+
mc mirror --overwrite cos/your-cos-bucket hfminio/great-editor-backup
|
| 48 |
+
```
|
| 49 |
+
|
| 50 |
+
只同步新增和变化文件:
|
| 51 |
+
|
| 52 |
+
```bash
|
| 53 |
+
mc mirror cos/your-cos-bucket hfminio/great-editor-backup
|
| 54 |
+
```
|
| 55 |
+
|
| 56 |
+
## 4. HF MinIO 恢复回 COS
|
| 57 |
+
|
| 58 |
+
```bash
|
| 59 |
+
mc mirror --overwrite hfminio/great-editor-backup cos/your-cos-bucket
|
| 60 |
+
```
|
| 61 |
+
|
| 62 |
+
## 5. 定时备份建议
|
| 63 |
+
|
| 64 |
+
可以用 GitHub Actions、Cloudflare Worker 调度外部任务、VPS cron 或本地定时任务执行。
|
| 65 |
+
|
| 66 |
+
建议策略:
|
| 67 |
+
|
| 68 |
+
```text
|
| 69 |
+
每日:COS -> HF MinIO 增量备份
|
| 70 |
+
COS 爆满:GreatEditor 临时切换到 HF MinIO
|
| 71 |
+
COS 扩容:HF MinIO -> COS 恢复
|
| 72 |
+
恢复完成:GreatEditor 切回 COS
|
| 73 |
+
```
|
| 74 |
+
|
| 75 |
+
## 6. 注意事项
|
| 76 |
+
|
| 77 |
+
```text
|
| 78 |
+
1. mc mirror 默认会保持对象路径结构。
|
| 79 |
+
2. 如果你希望删除目标端多余文件,可以使用 --remove,但备份场景不建议轻易使用。
|
| 80 |
+
3. 首次全量同步可能耗时较长。
|
| 81 |
+
4. HF Space 适合备份和应急,不建议作为高并发主存储。
|
| 82 |
+
```
|
scripts/start-minio.sh
ADDED
|
@@ -0,0 +1,76 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
#!/usr/bin/env bash
|
| 2 |
+
set -euo pipefail
|
| 3 |
+
|
| 4 |
+
PORT="${PORT:-7860}"
|
| 5 |
+
MINIO_DATA_DIR="${MINIO_DATA_DIR:-/data/minio}"
|
| 6 |
+
MINIO_BUCKET="${MINIO_BUCKET:-great-editor-backup}"
|
| 7 |
+
MINIO_REGION="${MINIO_REGION:-us-east-1}"
|
| 8 |
+
PUBLIC_BUCKET="${PUBLIC_BUCKET:-1}"
|
| 9 |
+
MINIO_BROWSER="${MINIO_BROWSER:-off}"
|
| 10 |
+
|
| 11 |
+
if [[ -z "${MINIO_ROOT_USER:-}" || -z "${MINIO_ROOT_PASSWORD:-}" ]]; then
|
| 12 |
+
echo "[COS_HF] ERROR: MINIO_ROOT_USER and MINIO_ROOT_PASSWORD are required." >&2
|
| 13 |
+
exit 1
|
| 14 |
+
fi
|
| 15 |
+
|
| 16 |
+
mkdir -p "$MINIO_DATA_DIR"
|
| 17 |
+
|
| 18 |
+
export MINIO_BROWSER
|
| 19 |
+
export MINIO_REGION_NAME="$MINIO_REGION"
|
| 20 |
+
|
| 21 |
+
# Hugging Face Space usually exposes one HTTP port. We expose S3 API on PORT.
|
| 22 |
+
# The MinIO Console is disabled by default because it needs a second port.
|
| 23 |
+
echo "[COS_HF] Starting MinIO on :$PORT"
|
| 24 |
+
echo "[COS_HF] Data dir: $MINIO_DATA_DIR"
|
| 25 |
+
echo "[COS_HF] Default bucket: $MINIO_BUCKET"
|
| 26 |
+
|
| 27 |
+
minio server "$MINIO_DATA_DIR" --address ":${PORT}" &
|
| 28 |
+
MINIO_PID=$!
|
| 29 |
+
|
| 30 |
+
cleanup() {
|
| 31 |
+
echo "[COS_HF] Stopping MinIO..."
|
| 32 |
+
kill "$MINIO_PID" 2>/dev/null || true
|
| 33 |
+
wait "$MINIO_PID" 2>/dev/null || true
|
| 34 |
+
}
|
| 35 |
+
trap cleanup SIGTERM SIGINT
|
| 36 |
+
|
| 37 |
+
# Wait until MinIO is ready.
|
| 38 |
+
for i in $(seq 1 60); do
|
| 39 |
+
if curl -fsS "http://127.0.0.1:${PORT}/minio/health/ready" >/dev/null 2>&1; then
|
| 40 |
+
break
|
| 41 |
+
fi
|
| 42 |
+
echo "[COS_HF] Waiting for MinIO readiness... ($i/60)"
|
| 43 |
+
sleep 2
|
| 44 |
+
if ! kill -0 "$MINIO_PID" 2>/dev/null; then
|
| 45 |
+
echo "[COS_HF] MinIO exited before readiness." >&2
|
| 46 |
+
wait "$MINIO_PID"
|
| 47 |
+
exit 1
|
| 48 |
+
fi
|
| 49 |
+
done
|
| 50 |
+
|
| 51 |
+
mc alias set local "http://127.0.0.1:${PORT}" "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD" >/dev/null
|
| 52 |
+
|
| 53 |
+
if ! mc ls "local/${MINIO_BUCKET}" >/dev/null 2>&1; then
|
| 54 |
+
echo "[COS_HF] Creating bucket: ${MINIO_BUCKET}"
|
| 55 |
+
mc mb "local/${MINIO_BUCKET}" >/dev/null
|
| 56 |
+
else
|
| 57 |
+
echo "[COS_HF] Bucket exists: ${MINIO_BUCKET}"
|
| 58 |
+
fi
|
| 59 |
+
|
| 60 |
+
if [[ "$PUBLIC_BUCKET" == "1" || "$PUBLIC_BUCKET" == "true" ]]; then
|
| 61 |
+
echo "[COS_HF] Setting bucket anonymous download policy: ${MINIO_BUCKET}"
|
| 62 |
+
mc anonymous set download "local/${MINIO_BUCKET}" >/dev/null || true
|
| 63 |
+
else
|
| 64 |
+
echo "[COS_HF] Bucket remains private: ${MINIO_BUCKET}"
|
| 65 |
+
fi
|
| 66 |
+
|
| 67 |
+
cat <<EOF
|
| 68 |
+
[COS_HF] Ready.
|
| 69 |
+
Health live: /minio/health/live
|
| 70 |
+
Health ready: /minio/health/ready
|
| 71 |
+
Bucket: ${MINIO_BUCKET}
|
| 72 |
+
S3 Endpoint: https://<your-space>.hf.space
|
| 73 |
+
Path URL: https://<your-space>.hf.space/${MINIO_BUCKET}/path/to/file
|
| 74 |
+
EOF
|
| 75 |
+
|
| 76 |
+
wait "$MINIO_PID"
|