diff --git a/README.md b/README.md
index 378c387..e1e3cff 100644
--- a/README.md
+++ b/README.md
@@ -56,8 +56,8 @@ Compose Anything helps users quickly deploy various services by providing a set
 | [Milvus Standalone Embed](./src/milvus-standalone-embed) | 2.6.2 |
 | [Milvus Standalone](./src/milvus-standalone) | 2.6.2 |
 | [Minecraft Bedrock Server](./src/minecraft-bedrock-server) | latest |
-| [MinerU SGALNG](./src/mineru-sgalng) | 2.2.2 |
-| [MinerU vLLM](./builds/mineru-vllm) | 2.5.4 |
+| [MinerU SGLang](./src/mineru-sglang) | 2.2.2 |
+| [MinerU vLLM](./builds/mineru-vllm) | 2.6.4 |
 | [MinIO](./src/minio) | RELEASE.2025-09-07T16-13-09Z |
 | [MLflow](./src/mlflow) | v2.20.2 |
 | [MongoDB ReplicaSet Single](./src/mongodb-replicaset-single) | 8.0.13 |
@@ -74,6 +74,7 @@ Compose Anything helps users quickly deploy various services by providing a set
 | [Odoo](./src/odoo) | 19.0 |
 | [Ollama](./src/ollama) | 0.12.0 |
 | [Open WebUI](./src/open-webui) | main |
+| [Open WebUI Rust](./src/open-webui-rust) | latest |
 | [OpenCoze](./src/opencoze) | See Docs |
 | [OpenCut](./src/opencut) | latest |
 | [OpenList](./src/openlist) | latest |
diff --git a/README.zh.md b/README.zh.md
index db80849..fa3f283 100644
--- a/README.zh.md
+++ b/README.zh.md
@@ -56,8 +56,8 @@ Compose Anything 通过提供一组高质量的 Docker Compose 配置文件,
 | [Milvus Standalone Embed](./src/milvus-standalone-embed) | 2.6.2 |
 | [Milvus Standalone](./src/milvus-standalone) | 2.6.2 |
 | [Minecraft Bedrock Server](./src/minecraft-bedrock-server) | latest |
-| [MinerU SGALNG](./src/mineru-sgalng) | 2.2.2 |
-| [MinerU vLLM](./builds/mineru-vllm) | 2.5.4 |
+| [MinerU SGLang](./src/mineru-sglang) | 2.2.2 |
+| [MinerU vLLM](./builds/mineru-vllm) | 2.6.4 |
 | [MinIO](./src/minio) | RELEASE.2025-09-07T16-13-09Z |
 | [MLflow](./src/mlflow) | v2.20.2 |
 | [MongoDB ReplicaSet Single](./src/mongodb-replicaset-single) | 8.0.13 |
@@ -74,6 +74,7 @@ Compose Anything 通过提供一组高质量的 Docker Compose 配置文件, | [Odoo](./src/odoo) | 19.0 | | [Ollama](./src/ollama) | 0.12.0 | | [Open WebUI](./src/open-webui) | main | +| [Open WebUI Rust](./src/open-webui-rust) | latest | | [OpenCoze](./src/opencoze) | See Docs | | [OpenCut](./src/opencut) | latest | | [OpenList](./src/openlist) | latest | diff --git a/builds/io-paint/docker-compose.yaml b/builds/io-paint/docker-compose.yaml index 6682b84..c06a8a3 100644 --- a/builds/io-paint/docker-compose.yaml +++ b/builds/io-paint/docker-compose.yaml @@ -7,9 +7,9 @@ x-defaults: &defaults max-file: "3" services: - lama-cleaner: + io-paint: <<: *defaults - image: ${DOCKER_REGISTRY:-docker.io}/local/lama-cleaner:${BUILD_VERSION:-1.6.0} + image: ${DOCKER_REGISTRY:-docker.io}/alexsuntop/io-paint:${BUILD_VERSION:-1.6.0} ports: - 8080:8080 build: diff --git a/builds/mineru-vllm/README.md b/builds/mineru-vllm/README.md index 052b944..50ef73a 100644 --- a/builds/mineru-vllm/README.md +++ b/builds/mineru-vllm/README.md @@ -39,7 +39,7 @@ mineru -p demo.pdf -o ./output -b vlm-http-client -u http://localhost:30000 ## Configuration -- `MINERU_DOCKER_IMAGE`: The Docker image for MinerU, default is `alexsuntop/mineru:2.5.4`. +- `MINERU_DOCKER_IMAGE`: The Docker image for MinerU, default is `alexsuntop/mineru:2.6.4`. - `MINERU_PORT_OVERRIDE_VLLM`: The host port for the VLLM server, default is `30000`. - `MINERU_PORT_OVERRIDE_API`: The host port for the API service, default is `8000`. - `MINERU_PORT_OVERRIDE_GRADIO`: The host port for the Gradio WebUI, default is `7860`. diff --git a/builds/mineru-vllm/README.zh.md b/builds/mineru-vllm/README.zh.md index 0f2ad82..dbd593c 100644 --- a/builds/mineru-vllm/README.zh.md +++ b/builds/mineru-vllm/README.zh.md 
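Review bot: The new default image `${DOCKER_REGISTRY:-docker.io}/alexsuntop/io-paint:${BUILD_VERSION:-1.6.0}` names a repository that may exist on a public registry, and the service still carries a `build:` section, so without an explicit pull policy Compose may pull that tag instead of building from the local Dockerfile. If a local build is intended, add `pull_policy: build` under `io-paint:`; if the published image is intended, consider pinning it by digest rather than by a mutable tag. The service definition continues past the end of the hunk, so an existing `pull_policy` outside the visible lines cannot be ruled out.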
@@ -39,7 +39,7 @@ mineru -p demo.pdf -o ./output -b vlm-http-client -u http://localhost:30000 ## 配置 -- `MINERU_DOCKER_IMAGE`: MinerU 的 Docker 镜像,默认为 `alexsuntop/mineru:2.5.4`。 +- `MINERU_DOCKER_IMAGE`: MinerU 的 Docker 镜像,默认为 `alexsuntop/mineru:2.6.4`。 - `MINERU_PORT_OVERRIDE_VLLM`: VLLM 服务器的主机端口,默认为 `30000`。 - `MINERU_PORT_OVERRIDE_API`: API 服务的主机端口,默认为 `8000`。 - `MINERU_PORT_OVERRIDE_GRADIO`: Gradio WebUI 的主机端口,默认为 `7860`。 diff --git a/builds/mineru-vllm/docker-compose.yaml b/builds/mineru-vllm/docker-compose.yaml index d29d9e4..8b45518 100644 --- a/builds/mineru-vllm/docker-compose.yaml +++ b/builds/mineru-vllm/docker-compose.yaml @@ -8,7 +8,7 @@ x-defaults: &defaults x-mineru-vllm: &mineru-vllm <<: *defaults - image: ${MINERU_DOCKER_IMAGE:-alexsuntop/mineru:2.6.2} + image: ${MINERU_DOCKER_IMAGE:-alexsuntop/mineru:2.6.4} build: context: . dockerfile: Dockerfile diff --git a/src/mineru-sgalng/.env.example b/src/mineru-sglang/.env.example similarity index 100% rename from src/mineru-sgalng/.env.example rename to src/mineru-sglang/.env.example diff --git a/src/mineru-sgalng/README.md b/src/mineru-sglang/README.md similarity index 100% rename from src/mineru-sgalng/README.md rename to src/mineru-sglang/README.md diff --git a/src/mineru-sgalng/README.zh.md b/src/mineru-sglang/README.zh.md similarity index 100% rename from src/mineru-sgalng/README.zh.md rename to src/mineru-sglang/README.zh.md diff --git a/src/mineru-sgalng/docker-compose.yaml b/src/mineru-sglang/docker-compose.yaml similarity index 100% rename from src/mineru-sgalng/docker-compose.yaml rename to src/mineru-sglang/docker-compose.yaml diff --git a/src/open-webui-rust/.env.example b/src/open-webui-rust/.env.example new file mode 100644 index 0000000..e3e6e9c --- /dev/null +++ b/src/open-webui-rust/.env.example 
@@ -0,0 +1,133 @@
+# Global Settings
+GLOBAL_REGISTRY=
+TZ=UTC
+
+# Version Tags
+POSTGRES_VERSION=16-alpine
+REDIS_VERSION=7-alpine
+RUST_BACKEND_VERSION=latest
+SANDBOX_RUNTIME_VERSION=latest
+SANDBOX_EXECUTOR_VERSION=latest
+FRONTEND_VERSION=latest
+
+# Port Overrides
+POSTGRES_PORT_OVERRIDE=5432
+REDIS_PORT_OVERRIDE=6379
+RUST_BACKEND_PORT_OVERRIDE=8080
+SANDBOX_EXECUTOR_PORT_OVERRIDE=8090
+FRONTEND_PORT_OVERRIDE=3000
+
+# PostgreSQL Configuration
+POSTGRES_DB=open_webui
+POSTGRES_USER=open_webui
+POSTGRES_PASSWORD=open_webui_password
+
+# PostgreSQL Resource Limits
+POSTGRES_CPU_LIMIT=1
+POSTGRES_MEMORY_LIMIT=1G
+POSTGRES_CPU_RESERVATION=0.25
+POSTGRES_MEMORY_RESERVATION=256M
+
+# Redis Resource Limits
+REDIS_CPU_LIMIT=0.5
+REDIS_MEMORY_LIMIT=512M
+REDIS_CPU_RESERVATION=0.1
+REDIS_MEMORY_RESERVATION=128M
+
+# Rust Backend Configuration
+ENV=prod
+WEBUI_SECRET_KEY=your-secret-key-min-32-chars-generate-with-uuidgen
+
+# Database Connection Pool
+DATABASE_POOL_SIZE=20
+DATABASE_POOL_MAX_OVERFLOW=10
+DATABASE_POOL_TIMEOUT=30
+DATABASE_POOL_RECYCLE=1800
+
+# Redis
+ENABLE_REDIS=true
+
+# Authentication
+JWT_EXPIRES_IN=30d
+ENABLE_SIGNUP=true
+ENABLE_LOGIN_FORM=true
+ENABLE_API_KEY=true
+DEFAULT_USER_ROLE=user
+SHOW_ADMIN_DETAILS=true
+WEBUI_URL=http://localhost:3000
+
+# CORS
+CORS_ALLOW_ORIGIN=*
+
+# WebSocket/Socket.IO
+ENABLE_SOCKETIO=true
+ENABLE_WEBSOCKET_SUPPORT=true
+WEBSOCKET_MANAGER=redis
+
+# Features
+ENABLE_OPENAI_API=true
+ENABLE_CHANNELS=true
+ENABLE_IMAGE_GENERATION=false
+ENABLE_CODE_EXECUTION=true
+ENABLE_CODE_INTERPRETER=true
+ENABLE_WEB_SEARCH=false
+ENABLE_ADMIN_CHAT_ACCESS=true
+ENABLE_ADMIN_EXPORT=true
+ENABLE_NOTES=true
+ENABLE_COMMUNITY_SHARING=true
+ENABLE_MESSAGE_RATING=true
+
+# Logging
+GLOBAL_LOG_LEVEL=info
+RUST_LOG=info
+
+# OpenAI (Optional)
+OPENAI_API_BASE_URL=
+OPENAI_API_KEY=
+
+# Rust Backend Resource Limits
+RUST_BACKEND_CPU_LIMIT=2
+RUST_BACKEND_MEMORY_LIMIT=2G
+RUST_BACKEND_CPU_RESERVATION=0.5
+RUST_BACKEND_MEMORY_RESERVATION=512M
+
+# Sandbox Executor Configuration
+SANDBOX_MAX_EXECUTION_TIME=60
+SANDBOX_MAX_MEMORY_MB=512
+SANDBOX_MAX_CPU_QUOTA=100000
+SANDBOX_MAX_DISK_MB=100
+SANDBOX_MAX_CONCURRENT_EXECUTIONS=10
+SANDBOX_RATE_LIMIT_PER_MINUTE=30
+SANDBOX_RATE_LIMIT_BURST=10
+SANDBOX_NETWORK_MODE=none
+SANDBOX_READ_ONLY_ROOT=false
+SANDBOX_DROP_ALL_CAPABILITIES=true
+SANDBOX_ENABLE_STREAMING=true
+SANDBOX_KEEP_CONTAINERS=false
+SANDBOX_ENABLE_PYTHON=true
+SANDBOX_ENABLE_JAVASCRIPT=true
+SANDBOX_ENABLE_SHELL=true
+SANDBOX_ENABLE_RUST=true
+SANDBOX_ENABLE_AUDIT_LOG=true
+
+# Sandbox Executor Resource Limits
+SANDBOX_EXECUTOR_CPU_LIMIT=2
+SANDBOX_EXECUTOR_MEMORY_LIMIT=2G
+SANDBOX_EXECUTOR_CPU_RESERVATION=0.25
+SANDBOX_EXECUTOR_MEMORY_RESERVATION=256M
+
+# Frontend Configuration
+RAG_EMBEDDING_MODEL=sentence-transformers/all-MiniLM-L6-v2
+RAG_RERANKING_MODEL=
+RAG_EMBEDDING_MODEL_AUTO_UPDATE=false
+WHISPER_MODEL=base
+ENABLE_RAG_WEB_SEARCH=false
+ENABLE_RAG_HYBRID_SEARCH=false
+SCARF_NO_ANALYTICS=true
+DO_NOT_TRACK=true
+
+# Frontend Resource Limits
+FRONTEND_CPU_LIMIT=1
+FRONTEND_MEMORY_LIMIT=1G
+FRONTEND_CPU_RESERVATION=0.25
+FRONTEND_MEMORY_RESERVATION=256M
diff --git a/src/open-webui-rust/README.md b/src/open-webui-rust/README.md
new file mode 100644
index 0000000..938a6d9
--- /dev/null
+++ b/src/open-webui-rust/README.md
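Review bot: `WEBUI_SECRET_KEY=your-secret-key-min-32-chars-generate-with-uuidgen` is a placeholder that already satisfies the documented 32-character minimum, so a plain `cp .env.example .env` yields a deployment whose JWT signing key is public, and `POSTGRES_PASSWORD=open_webui_password` has the same problem. Ship both empty (`WEBUI_SECRET_KEY=` and `POSTGRES_PASSWORD=`) with a comment such as `# required: paste the output of "openssl rand -base64 48"`, so an unconfigured deployment fails instead of starting with known secrets. The compose file added in this commit repeats the defect: `WEBUI_SECRET_KEY: ${WEBUI_SECRET_KEY}` accepts an unset value and `${POSTGRES_PASSWORD:-open_webui_password}` falls back to the known password, whereas `${WEBUI_SECRET_KEY:?set WEBUI_SECRET_KEY in .env}` would make the requirement explicit. The README added here tells users to write `WEBUI_SECRET_KEY=$(uuidgen | …)` into `.env`, but Compose does not run command substitution in that file, so the comment should say to paste the generated value. `CORS_ALLOW_ORIGIN=*` and `ENABLE_SIGNUP=true` are also permissive defaults that deserve a one-line comment marking them as settings to tighten before exposure.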
@@ -0,0 +1,345 @@
+# Open WebUI Rust
+
+High-performance Rust implementation of Open WebUI with native async runtime and improved resource efficiency.
+
+## Overview
+
+Open WebUI Rust is a complete rewrite of the Open WebUI backend in Rust, offering:
+
+- **10-50x faster response times** for API endpoints
+- **70% lower memory usage** under load
+- **Native concurrency** with Tokio's async runtime
+- **Type safety** preventing entire classes of runtime errors
+- **Zero-copy streaming** for chat completions
+- **Production-ready** with comprehensive error handling
+
+This deployment includes:
+
+- **Rust Backend**: High-performance API server with WebSocket support
+- **PostgreSQL**: Primary database for data persistence
+- **Redis**: Caching and WebSocket session management
+- **Sandbox Executor**: Secure code execution environment with Docker isolation
+- **Frontend**: SvelteKit-based user interface with Nginx reverse proxy
+
+## Features
+
+- ✅ **Full API Compatibility** with Open WebUI Python backend
+- ✅ **Native WebSocket/Socket.IO** implementation in Rust
+- ✅ **Secure Code Execution** via isolated Docker containers
+- ✅ **Multi-language Support** (Python, JavaScript, Shell, Rust)
+- ✅ **RAG & Embeddings** with vector database integration
+- ✅ **Authentication & Authorization** with JWT tokens
+- ✅ **Rate Limiting & Security** built-in protection
+- ✅ **Comprehensive Logging** for debugging and monitoring
+
+## Prerequisites
+
+- Docker 20.10+
+- Docker Compose 2.0+
+- 4GB+ available memory
+- Access to Docker socket (for sandbox execution)
+
+## Quick Start
+
+### 1. Create `.env` file
+
+```bash
+cp .env.example .env
+```
+
+Edit `.env` and set required variables:
+
+```bash
+# IMPORTANT: Generate a secure secret key (min 32 characters)
+WEBUI_SECRET_KEY=$(uuidgen | tr '[:upper:]' '[:lower:]' | tr -d '-')
+
+# Optional: Configure OpenAI API
+OPENAI_API_KEY=sk-your-api-key
+OPENAI_API_BASE_URL=https://api.openai.com/v1
+```
+
+### 2. Start services
+
+```bash
+docker compose up -d
+```
+
+### 3. Access the application
+
+- **Frontend UI**:
+- **Rust Backend API**:
+- **Sandbox Executor**:
+
+### 4. Initial setup
+
+1. Open
+2. Create an admin account (first user becomes admin)
+3. Configure your AI models in Settings
+
+## Architecture
+
+```text
+┌─────────────┐
+│ Frontend │ :3000
+│ (SvelteKit) │
+└──────┬──────┘
+ │
+ ↓
+┌─────────────┐ ┌──────────────┐
+│Rust Backend │────→│ PostgreSQL │ :5432
+│ (API) │ │ (Database) │
+└──────┬──────┘ └──────────────┘
+ │
+ ├───────────→┌──────────────┐
+ │ │ Redis │ :6379
+ │ │ (Cache) │
+ │ └──────────────┘
+ │
+ └───────────→┌──────────────┐
+ │ Sandbox │ :8090
+ │ Executor │
+ └──────────────┘
+```
+
+## Configuration
+
+### Core Environment Variables
+
+| Variable | Default | Description |
+| ---------------------------- | --------------------- | ---------------------------------------- |
+| `WEBUI_SECRET_KEY` | (required) | Secret key for JWT tokens (min 32 chars) |
+| `POSTGRES_PASSWORD` | `open_webui_password` | PostgreSQL password |
+| `FRONTEND_PORT_OVERRIDE` | `3000` | Frontend access port |
+| `RUST_BACKEND_PORT_OVERRIDE` | `8080` | Backend API port |
+| `TZ` | `UTC` | Timezone setting |
+
+### Feature Flags
+
+| Variable | Default | Description |
+| ------------------------- | ------- | ---------------------------- |
+| `ENABLE_CODE_EXECUTION` | `true` | Enable secure code execution |
+| `ENABLE_CODE_INTERPRETER` | `true` | Enable code interpreter |
+| `ENABLE_IMAGE_GENERATION` | `false` | Enable image generation |
+| `ENABLE_WEB_SEARCH` | `false` | Enable web search |
+| `ENABLE_SIGNUP` | `true` | Allow new user registration |
+
+### Resource Limits
+
+Each service has configurable CPU and memory limits:
+
+```bash
+# Rust Backend
+RUST_BACKEND_CPU_LIMIT=2
+RUST_BACKEND_MEMORY_LIMIT=2G
+
+# PostgreSQL
+POSTGRES_CPU_LIMIT=1
+POSTGRES_MEMORY_LIMIT=1G
+
+# Sandbox Executor
+SANDBOX_EXECUTOR_CPU_LIMIT=2
+SANDBOX_EXECUTOR_MEMORY_LIMIT=2G
+```
+
+### Sandbox Security
+
+Configure sandbox execution limits:
+
+```bash
+SANDBOX_MAX_EXECUTION_TIME=60 # Max execution time in seconds
+SANDBOX_MAX_MEMORY_MB=512 # Max memory per execution
+SANDBOX_MAX_CONCURRENT_EXECUTIONS=10 # Max parallel executions
+SANDBOX_NETWORK_MODE=none # Disable network access
+```
+
+## Usage Examples
+
+### Basic Chat
+
+```bash
+curl -X POST http://localhost:8080/api/chat/completions \
+ -H "Authorization: Bearer YOUR_API_KEY" \
+ -H "Content-Type: application/json" \
+ -d '{
+ "model": "gpt-3.5-turbo",
+ "messages": [{"role": "user", "content": "Hello!"}]
+ }'
+```
+
+### Code Execution
+
+```bash
+curl -X POST http://localhost:8090/api/v1/execute \
+ -H "Content-Type: application/json" \
+ -d '{
+ "language": "python",
+ "code": "print(\"Hello from sandbox!\")"
+ }'
+```
+
+## Monitoring
+
+### View Logs
+
+```bash
+# All services
+docker compose logs -f
+
+# Specific service
+docker compose logs -f rust-backend
+docker compose logs -f sandbox-executor
+```
+
+### Check Service Health
+
+```bash
+# Rust Backend
+curl http://localhost:8080/health
+
+# Sandbox Executor
+curl http://localhost:8090/api/v1/health
+
+# PostgreSQL
+docker compose exec postgres pg_isready
+```
+
+### Resource Usage
+
+```bash
+docker stats
+```
+
+## Maintenance
+
+### Backup Database
+
+```bash
+docker compose exec postgres pg_dump -U open_webui open_webui > backup.sql
+```
+
+### Restore Database
+
+```bash
+cat backup.sql | docker compose exec -T postgres psql -U open_webui open_webui
+```
+
+### Update Services
+
+```bash
+docker compose pull
+docker compose up -d
+```
+
+### Clean Reset
+
+```bash
+# Stop and remove all data
+docker compose down -v
+
+# Start fresh
+docker compose up -d
+```
+
+## Troubleshooting
+
+### Cannot connect to services
+
+Check if all containers are healthy:
+
+```bash
+docker compose ps
+```
+
+### JWT token errors
+
+Ensure `WEBUI_SECRET_KEY` is set and consistent across restarts.
+
+### Code execution fails
+
+1. Verify Docker socket is accessible
+2. Check sandbox executor logs: `docker compose logs sandbox-executor`
+3. Ensure runtime image is available: `docker images | grep sandbox-runtime`
+
+### High memory usage
+
+Adjust resource limits in `.env`:
+
+```bash
+RUST_BACKEND_MEMORY_LIMIT=1G
+SANDBOX_EXECUTOR_MEMORY_LIMIT=1G
+```
+
+## Security Considerations
+
+### Production Deployment
+
+1. **Change default passwords**
+
+ ```bash
+ POSTGRES_PASSWORD=$(openssl rand -base64 32)
+ WEBUI_SECRET_KEY=$(openssl rand -base64 48)
+ ```
+
+2. **Restrict network access**
+
+ ```bash
+ CORS_ALLOW_ORIGIN=https://yourdomain.com
+ ```
+
+3. **Disable signup after initial setup**
+
+ ```bash
+ ENABLE_SIGNUP=false
+ ```
+
+4. **Enable HTTPS** using a reverse proxy (nginx, Traefik, Caddy)
+
+5. **Limit sandbox resources**
+
+ ```bash
+ SANDBOX_MAX_EXECUTION_TIME=30
+ SANDBOX_MAX_MEMORY_MB=256
+ SANDBOX_NETWORK_MODE=none
+ ```
+
+### Docker Socket Access
+
+The sandbox executor requires access to the Docker socket (`/var/run/docker.sock`) for container isolation. This is a privileged operation and should be:
+
+- Used only in trusted environments
+- Protected with proper network isolation
+- Monitored for suspicious activity
+
+Consider using alternatives like:
+
+- Docker-in-Docker (DinD) for better isolation
+- Kubernetes with pod security policies
+- Dedicated sandbox service on separate nodes
+
+## Performance
+
+Typical resource usage:
+
+| Service | CPU (idle) | Memory (idle) | CPU (load) | Memory (load) |
+| ---------------- | ---------- | ------------- | ---------- | ------------- |
+| Rust Backend | ~1% | 50MB | 10-30% | 200MB |
+| PostgreSQL | ~1% | 50MB | 5-15% | 300MB |
+| Redis | <1% | 10MB | 2-5% | 50MB |
+| Sandbox Executor | <1% | 30MB | varies | 512MB |
+| Frontend | <1% | 50MB | 5-10% | 200MB |
+
+## License
+
+This project follows the original Open WebUI license.
+
+## Related Projects
+
+- [Open WebUI](https://github.com/open-webui/open-webui) - Original Python implementation
+- [Open WebUI Rust](https://github.com/knoxchat/open-webui-rust) - Official Rust backend repository
+
+## Support
+
+For issues and questions:
+
+- [Open WebUI Rust Issues](https://github.com/knoxchat/open-webui-rust/issues)
+- [Open WebUI Documentation](https://docs.openwebui.com/)
diff --git a/src/open-webui-rust/README.zh.md b/src/open-webui-rust/README.zh.md
new file mode 100644
index 0000000..2111bfe
--- /dev/null
+++ b/src/open-webui-rust/README.zh.md
@@ -0,0 +1,345 @@
+# Open WebUI Rust
+
+基于 Rust 的高性能 Open WebUI 实现,具有原生异步运行时和优化的资源效率。
+
+## 概述
+
+Open WebUI Rust 是 Open WebUI 后端的完整 Rust 重写版本,提供:
+
+- **10-50 倍更快的响应时间**:API 端点性能显著提升
+- **70% 更低的内存使用**:负载下内存占用大幅降低
+- **原生并发**:基于 Tokio 的异步运行时
+- **类型安全**:防止整类运行时错误
+- **零拷贝流式传输**:聊天补全高效传输
+- **生产就绪**:全面的错误处理机制
+
+此部署包含:
+
+- **Rust 后端**:高性能 API 服务器,支持 WebSocket
+- **PostgreSQL**:数据持久化的主数据库
+- **Redis**:缓存和 WebSocket 会话管理
+- **Sandbox Executor**:安全的代码执行环境,具有 Docker 隔离
+- **Frontend**:基于 SvelteKit 的用户界面,配备 Nginx 反向代理
+
+## 特性
+
+- ✅ **完全兼容** Open WebUI Python 后端的 API
+- ✅ **原生 WebSocket/Socket.IO** 使用 Rust 实现
+- ✅ **安全的代码执行**:通过隔离的 Docker 容器
+- ✅ **多语言支持**:Python、JavaScript、Shell、Rust
+- ✅ **RAG 和嵌入**:集成向量数据库
+- ✅ **身份验证和授权**:JWT 令牌
+- ✅ **速率限制和安全**:内置保护机制
+- ✅ **全面的日志记录**:用于调试和监控
+
+## 前置要求
+
+- Docker 20.10+
+- Docker Compose 2.0+
+- 4GB+ 可用内存
+- 访问 Docker 套接字(用于沙箱执行)
+
+## 快速开始
+
+### 1. 创建 `.env` 文件
+
+```bash
+cp .env.example .env
+```
+
+编辑 `.env` 并设置必需的变量:
+
+```bash
+# 重要:生成一个安全的密钥(至少 32 个字符)
+WEBUI_SECRET_KEY=$(uuidgen | tr '[:upper:]' '[:lower:]' | tr -d '-')
+
+# 可选:配置 OpenAI API
+OPENAI_API_KEY=sk-your-api-key
+OPENAI_API_BASE_URL=https://api.openai.com/v1
+```
+
+### 2. 启动服务
+
+```bash
+docker compose up -d
+```
+
+### 3. 访问应用程序
+
+- **前端界面**:
+- **Rust 后端 API**:
+- **Sandbox Executor**:
+
+### 4. 初始设置
+
+1. 打开
+2. 创建管理员账户(第一个用户成为管理员)
+3. 在设置中配置您的 AI 模型
+
+## 架构
+
+```text
+┌─────────────┐
+│ Frontend │ :3000
+│ (SvelteKit) │
+└──────┬──────┘
+ │
+ ↓
+┌─────────────┐ ┌──────────────┐
+│Rust Backend │────→│ PostgreSQL │ :5432
+│ (API) │ │ (Database) │
+└──────┬──────┘ └──────────────┘
+ │
+ ├───────────→┌──────────────┐
+ │ │ Redis │ :6379
+ │ │ (Cache) │
+ │ └──────────────┘
+ │
+ └───────────→┌──────────────┐
+ │ Sandbox │ :8090
+ │ Executor │
+ └──────────────┘
+```
+
+## 配置
+
+### 核心环境变量
+
+| 变量 | 默认值 | 描述 |
+| ---------------------------- | --------------------- | -------------------------------- |
+| `WEBUI_SECRET_KEY` | (必需) | JWT 令牌的密钥(至少 32 个字符) |
+| `POSTGRES_PASSWORD` | `open_webui_password` | PostgreSQL 密码 |
+| `FRONTEND_PORT_OVERRIDE` | `3000` | 前端访问端口 |
+| `RUST_BACKEND_PORT_OVERRIDE` | `8080` | 后端 API 端口 |
+| `TZ` | `UTC` | 时区设置 |
+
+### 功能开关
+
+| 变量 | 默认值 | 描述 |
+| ------------------------- | ------- | ---------------- |
+| `ENABLE_CODE_EXECUTION` | `true` | 启用安全代码执行 |
+| `ENABLE_CODE_INTERPRETER` | `true` | 启用代码解释器 |
+| `ENABLE_IMAGE_GENERATION` | `false` | 启用图像生成 |
+| `ENABLE_WEB_SEARCH` | `false` | 启用网络搜索 |
+| `ENABLE_SIGNUP` | `true` | 允许新用户注册 |
+
+### 资源限制
+
+每个服务都有可配置的 CPU 和内存限制:
+
+```bash
+# Rust 后端
+RUST_BACKEND_CPU_LIMIT=2
+RUST_BACKEND_MEMORY_LIMIT=2G
+
+# PostgreSQL
+POSTGRES_CPU_LIMIT=1
+POSTGRES_MEMORY_LIMIT=1G
+
+# Sandbox Executor
+SANDBOX_EXECUTOR_CPU_LIMIT=2
+SANDBOX_EXECUTOR_MEMORY_LIMIT=2G
+```
+
+### 沙箱安全
+
+配置沙箱执行限制:
+
+```bash
+SANDBOX_MAX_EXECUTION_TIME=60 # 最大执行时间(秒)
+SANDBOX_MAX_MEMORY_MB=512 # 每次执行的最大内存
+SANDBOX_MAX_CONCURRENT_EXECUTIONS=10 # 最大并行执行数
+SANDBOX_NETWORK_MODE=none # 禁用网络访问
+```
+
+## 使用示例
+
+### 基础聊天
+
+```bash
+curl -X POST http://localhost:8080/api/chat/completions \
+ -H "Authorization: Bearer YOUR_API_KEY" \
+ -H "Content-Type: application/json" \
+ -d '{
+ "model": "gpt-3.5-turbo",
+ "messages": [{"role": "user", "content": "你好!"}]
+ }'
+```
+
+### 代码执行
+
+```bash
+curl -X POST http://localhost:8090/api/v1/execute \
+ -H "Content-Type: application/json" \
+ -d '{
+ "language": "python",
+ "code": "print(\"Hello from sandbox!\")"
+ }'
+```
+
+## 监控
+
+### 查看日志
+
+```bash
+# 所有服务
+docker compose logs -f
+
+# 特定服务
+docker compose logs -f rust-backend
+docker compose logs -f sandbox-executor
+```
+
+### 检查服务健康状态
+
+```bash
+# Rust 后端
+curl http://localhost:8080/health
+
+# Sandbox Executor
+curl http://localhost:8090/api/v1/health
+
+# PostgreSQL
+docker compose exec postgres pg_isready
+```
+
+### 资源使用情况
+
+```bash
+docker stats
+```
+
+## 维护
+
+### 备份数据库
+
+```bash
+docker compose exec postgres pg_dump -U open_webui open_webui > backup.sql
+```
+
+### 恢复数据库
+
+```bash
+cat backup.sql | docker compose exec -T postgres psql -U open_webui open_webui
+```
+
+### 更新服务
+
+```bash
+docker compose pull
+docker compose up -d
+```
+
+### 清理重置
+
+```bash
+# 停止并删除所有数据
+docker compose down -v
+
+# 全新启动
+docker compose up -d
+```
+
+## 故障排除
+
+### 无法连接到服务
+
+检查所有容器是否健康:
+
+```bash
+docker compose ps
+```
+
+### JWT 令牌错误
+
+确保 `WEBUI_SECRET_KEY` 已设置并在重启后保持一致。
+
+### 代码执行失败
+
+1. 验证 Docker 套接字是否可访问
+2. 检查 sandbox executor 日志:`docker compose logs sandbox-executor`
+3. 确保运行时镜像可用:`docker images | grep sandbox-runtime`
+
+### 内存使用过高
+
+在 `.env` 中调整资源限制:
+
+```bash
+RUST_BACKEND_MEMORY_LIMIT=1G
+SANDBOX_EXECUTOR_MEMORY_LIMIT=1G
+```
+
+## 安全注意事项
+
+### 生产部署
+
+1. **更改默认密码**
+
+ ```bash
+ POSTGRES_PASSWORD=$(openssl rand -base64 32)
+ WEBUI_SECRET_KEY=$(openssl rand -base64 48)
+ ```
+
+2. **限制网络访问**
+
+ ```bash
+ CORS_ALLOW_ORIGIN=https://yourdomain.com
+ ```
+
+3. **初始设置后禁用注册**
+
+ ```bash
+ ENABLE_SIGNUP=false
+ ```
+
+4. **使用反向代理启用 HTTPS**(nginx、Traefik、Caddy)
+
+5. **限制沙箱资源**
+
+ ```bash
+ SANDBOX_MAX_EXECUTION_TIME=30
+ SANDBOX_MAX_MEMORY_MB=256
+ SANDBOX_NETWORK_MODE=none
+ ```
+
+### Docker 套接字访问
+
+Sandbox Executor 需要访问 Docker 套接字(`/var/run/docker.sock`)以实现容器隔离。这是一个特权操作,应该:
+
+- 仅在受信任的环境中使用
+- 通过适当的网络隔离进行保护
+- 监控可疑活动
+
+考虑使用以下替代方案:
+
+- Docker-in-Docker(DinD)以获得更好的隔离
+- 带有 Pod 安全策略的 Kubernetes
+- 在单独节点上的专用沙箱服务
+
+## 性能
+
+典型资源使用情况:
+
+| 服务 | CPU(空闲) | 内存(空闲) | CPU(负载) | 内存(负载) |
+| ---------------- | ----------- | ------------ | ----------- | ------------ |
+| Rust Backend | ~1% | 50MB | 10-30% | 200MB |
+| PostgreSQL | ~1% | 50MB | 5-15% | 300MB |
+| Redis | <1% | 10MB | 2-5% | 50MB |
+| Sandbox Executor | <1% | 30MB | 变化 | 512MB |
+| Frontend | <1% | 50MB | 5-10% | 200MB |
+
+## 许可证
+
+本项目遵循原 Open WebUI 的许可证。
+
+## 相关项目
+
+- [Open WebUI](https://github.com/open-webui/open-webui) - 原始 Python 实现
+- [Open WebUI Rust](https://github.com/knoxchat/open-webui-rust) - 官方 Rust 后端仓库
+
+## 支持
+
+问题和疑问:
+
+- [Open WebUI Rust Issues](https://github.com/knoxchat/open-webui-rust/issues)
+- [Open WebUI 文档](https://docs.openwebui.com/)
diff --git a/src/open-webui-rust/docker-compose.yaml b/src/open-webui-rust/docker-compose.yaml
new file mode 100644
index 0000000..80d892a
--- /dev/null
+++ b/src/open-webui-rust/docker-compose.yaml
@@ -0,0 +1,310 @@
+x-defaults: &defaults
+ restart: unless-stopped
+ logging:
+ driver: json-file
+ options:
+ max-size: 100m
+ max-file: "3"
+
+services:
+ # PostgreSQL Database
+ postgres:
+ <<: *defaults
+ image: ${GLOBAL_REGISTRY:-}postgres:${POSTGRES_VERSION:-16-alpine}
+ environment:
+ POSTGRES_DB: ${POSTGRES_DB:-open_webui}
+ POSTGRES_USER: ${POSTGRES_USER:-open_webui}
+ POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-open_webui_password}
+ POSTGRES_INITDB_ARGS: "-E UTF8"
+ TZ: ${TZ:-UTC}
+ volumes:
+ - postgres_data:/var/lib/postgresql/data
+ ports:
+ - "${POSTGRES_PORT_OVERRIDE:-5432}:5432"
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-open_webui}"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
+ start_period: 10s
+ deploy:
+ resources:
+ limits:
+ cpus: ${POSTGRES_CPU_LIMIT:-1}
+ memory: ${POSTGRES_MEMORY_LIMIT:-1G}
+ reservations:
+ cpus: ${POSTGRES_CPU_RESERVATION:-0.25}
+ memory: ${POSTGRES_MEMORY_RESERVATION:-256M}
+ networks:
+ - open-webui-network
+
+ # Redis for caching and WebSocket management
+ redis:
+ <<: *defaults
+ image: ${GLOBAL_REGISTRY:-}redis:${REDIS_VERSION:-7-alpine}
+ command: redis-server --appendonly yes
+ environment:
+ TZ: ${TZ:-UTC}
+ volumes:
+ - redis_data:/data
+ ports:
+ - "${REDIS_PORT_OVERRIDE:-6379}:6379"
+ healthcheck:
+ test: ["CMD", "redis-cli", "ping"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
+ start_period: 10s
+ deploy:
+ resources:
+ limits:
+ cpus: ${REDIS_CPU_LIMIT:-0.5}
+ memory: ${REDIS_MEMORY_LIMIT:-512M}
+ reservations:
+ cpus: ${REDIS_CPU_RESERVATION:-0.1}
+ memory: ${REDIS_MEMORY_RESERVATION:-128M}
+ networks:
+ - open-webui-network
+
+ # Rust Backend
+ rust-backend:
+ <<: *defaults
+ image: ${GLOBAL_REGISTRY:-}public.ecr.aws/o3p7x2f5/knoxchat/open-webui-rust-backend:${RUST_BACKEND_VERSION:-latest}
+ environment:
+ # Server
+ HOST: 0.0.0.0
+ PORT: 8080
+ ENV: ${ENV:-prod}
+ WEBUI_SECRET_KEY: ${WEBUI_SECRET_KEY}
+ TZ: ${TZ:-UTC}
+
+ # Database
+ DATABASE_URL: postgresql://${POSTGRES_USER:-open_webui}:${POSTGRES_PASSWORD:-open_webui_password}@postgres:5432/${POSTGRES_DB:-open_webui}
+ DATABASE_POOL_SIZE: ${DATABASE_POOL_SIZE:-20}
+ DATABASE_POOL_MAX_OVERFLOW: ${DATABASE_POOL_MAX_OVERFLOW:-10}
+ DATABASE_POOL_TIMEOUT: ${DATABASE_POOL_TIMEOUT:-30}
+ DATABASE_POOL_RECYCLE: ${DATABASE_POOL_RECYCLE:-1800}
+
+ # Redis
+ ENABLE_REDIS: ${ENABLE_REDIS:-true}
+ REDIS_URL: redis://redis:6379
+
+ # Authentication
+ JWT_EXPIRES_IN: ${JWT_EXPIRES_IN:-30d}
+ ENABLE_SIGNUP: ${ENABLE_SIGNUP:-true}
+ ENABLE_LOGIN_FORM: ${ENABLE_LOGIN_FORM:-true}
+ ENABLE_API_KEY: ${ENABLE_API_KEY:-true}
+ DEFAULT_USER_ROLE: ${DEFAULT_USER_ROLE:-user}
+ SHOW_ADMIN_DETAILS: ${SHOW_ADMIN_DETAILS:-true}
+ WEBUI_URL: ${WEBUI_URL:-http://localhost:3000}
+
+ # CORS
+ CORS_ALLOW_ORIGIN: ${CORS_ALLOW_ORIGIN:-*}
+
+ # WebSocket/Socket.IO (Native Rust Implementation)
+ ENABLE_SOCKETIO: ${ENABLE_SOCKETIO:-true}
+ ENABLE_WEBSOCKET_SUPPORT: ${ENABLE_WEBSOCKET_SUPPORT:-true}
+ WEBSOCKET_MANAGER: ${WEBSOCKET_MANAGER:-redis}
+ WEBSOCKET_REDIS_URL: redis://redis:6379
+
+ # Features
+ ENABLE_OPENAI_API: ${ENABLE_OPENAI_API:-true}
+ ENABLE_CHANNELS: ${ENABLE_CHANNELS:-true}
+ ENABLE_IMAGE_GENERATION: ${ENABLE_IMAGE_GENERATION:-false}
+ ENABLE_CODE_EXECUTION: ${ENABLE_CODE_EXECUTION:-true}
+ CODE_EXECUTION_SANDBOX_URL: http://sandbox-executor:8090
+ ENABLE_CODE_INTERPRETER: ${ENABLE_CODE_INTERPRETER:-true}
+ CODE_INTERPRETER_SANDBOX_URL: http://sandbox-executor:8090
+ ENABLE_WEB_SEARCH: ${ENABLE_WEB_SEARCH:-false}
+ ENABLE_ADMIN_CHAT_ACCESS: ${ENABLE_ADMIN_CHAT_ACCESS:-true}
+ ENABLE_ADMIN_EXPORT: ${ENABLE_ADMIN_EXPORT:-true}
+ ENABLE_NOTES: ${ENABLE_NOTES:-true}
+ ENABLE_COMMUNITY_SHARING: ${ENABLE_COMMUNITY_SHARING:-true}
+ ENABLE_MESSAGE_RATING: ${ENABLE_MESSAGE_RATING:-true}
+
+ # Storage
+ UPLOAD_DIR: /app/data/uploads
+ CACHE_DIR: /app/data/cache
+ STATIC_DIR: /app/static
+
+ # Logging
+ GLOBAL_LOG_LEVEL: ${GLOBAL_LOG_LEVEL:-info}
+ RUST_LOG: ${RUST_LOG:-info}
+
+ # OpenAI
+ OPENAI_API_BASE_URL: ${OPENAI_API_BASE_URL:-}
+ OPENAI_API_KEY: ${OPENAI_API_KEY:-}
+
+ volumes:
+ - rust_backend_data:/app/data
+ ports:
+ - "${RUST_BACKEND_PORT_OVERRIDE:-8080}:8080"
+ depends_on:
+ postgres:
+ condition: service_healthy
+ redis:
+ condition: service_healthy
+ sandbox-executor:
+ condition: service_healthy
+ healthcheck:
+ test: ["CMD-SHELL", "curl -f http://localhost:8080/health || exit 1"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+ start_period: 40s
+ deploy:
+ resources:
+ limits:
+ cpus: ${RUST_BACKEND_CPU_LIMIT:-2}
+ memory: ${RUST_BACKEND_MEMORY_LIMIT:-2G}
+ reservations:
+ cpus: ${RUST_BACKEND_CPU_RESERVATION:-0.5}
+ memory: ${RUST_BACKEND_MEMORY_RESERVATION:-512M}
+ networks:
+ - open-webui-network
+
+ # Sandbox Runtime
+ sandbox-runtime:
+ <<: *defaults
+ image: ${GLOBAL_REGISTRY:-}public.ecr.aws/o3p7x2f5/knoxchat/sandbox-runtime:${SANDBOX_RUNTIME_VERSION:-latest}
+ command: /bin/true
+ environment:
+ TZ: ${TZ:-UTC}
+ networks:
+ - open-webui-network
+
+ # Sandbox Executor Service
+ sandbox-executor:
+ <<: *defaults
+ image: ${GLOBAL_REGISTRY:-}public.ecr.aws/o3p7x2f5/knoxchat/sandbox-executor:${SANDBOX_EXECUTOR_VERSION:-latest}
+ user: root
+ ports:
+ - "${SANDBOX_EXECUTOR_PORT_OVERRIDE:-8090}:8090"
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - sandbox_logs:/var/log/sandbox-executor
+ environment:
+ SANDBOX_HOST: 0.0.0.0
+ SANDBOX_PORT: 8090
+ DOCKER_HOST: unix:///var/run/docker.sock
+ MAX_EXECUTION_TIME: ${SANDBOX_MAX_EXECUTION_TIME:-60}
+ MAX_MEMORY_MB: ${SANDBOX_MAX_MEMORY_MB:-512}
+ MAX_CPU_QUOTA: ${SANDBOX_MAX_CPU_QUOTA:-100000}
+ MAX_DISK_MB: ${SANDBOX_MAX_DISK_MB:-100}
+ MAX_CONCURRENT_EXECUTIONS: ${SANDBOX_MAX_CONCURRENT_EXECUTIONS:-10}
+ RATE_LIMIT_PER_MINUTE: ${SANDBOX_RATE_LIMIT_PER_MINUTE:-30}
+ RATE_LIMIT_BURST: ${SANDBOX_RATE_LIMIT_BURST:-10}
+ CONTAINER_IMAGE: public.ecr.aws/o3p7x2f5/knoxchat/sandbox-runtime:latest
+ NETWORK_MODE: ${SANDBOX_NETWORK_MODE:-none}
+ READ_ONLY_ROOT: ${SANDBOX_READ_ONLY_ROOT:-false}
+ DROP_ALL_CAPABILITIES: ${SANDBOX_DROP_ALL_CAPABILITIES:-true}
+ ENABLE_STREAMING: ${SANDBOX_ENABLE_STREAMING:-true}
+ KEEP_CONTAINERS: ${SANDBOX_KEEP_CONTAINERS:-false}
+ ENABLE_PYTHON: ${SANDBOX_ENABLE_PYTHON:-true}
+ ENABLE_JAVASCRIPT: ${SANDBOX_ENABLE_JAVASCRIPT:-true}
+ ENABLE_SHELL: ${SANDBOX_ENABLE_SHELL:-true}
+ ENABLE_RUST: ${SANDBOX_ENABLE_RUST:-true}
+ ENABLE_AUDIT_LOG: ${SANDBOX_ENABLE_AUDIT_LOG:-true}
+ AUDIT_LOG_PATH: /var/log/sandbox-executor/audit.log
+ TZ: ${TZ:-UTC}
+ depends_on:
+ - sandbox-runtime
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:8090/api/v1/health"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+ start_period: 10s
+ deploy:
+ resources:
+ limits:
+ cpus: ${SANDBOX_EXECUTOR_CPU_LIMIT:-2}
+ memory: ${SANDBOX_EXECUTOR_MEMORY_LIMIT:-2G}
+ reservations:
+ cpus: ${SANDBOX_EXECUTOR_CPU_RESERVATION:-0.25}
+ memory: ${SANDBOX_EXECUTOR_MEMORY_RESERVATION:-256M}
+ networks:
+ - open-webui-network
+
+ # Frontend (SvelteKit)
+ frontend:
+ <<: *defaults
+ image: ${GLOBAL_REGISTRY:-}public.ecr.aws/o3p7x2f5/knoxchat/open-webui-frontend:${FRONTEND_VERSION:-latest}
+ environment:
+ # Backend URLs (Socket.IO now served by Rust backend)
+ BACKEND_URL: http://rust-backend:8080
+ SANDBOX_EXECUTOR_URL: http://sandbox-executor:8090
+
+ # Server
+ ENV: ${ENV:-prod}
+ PORT: 8080
+ WEBUI_SECRET_KEY: ${WEBUI_SECRET_KEY}
+ TZ: ${TZ:-UTC}
+
+ # Database
+ DATABASE_URL: postgresql://${POSTGRES_USER:-open_webui}:${POSTGRES_PASSWORD:-open_webui_password}@postgres:5432/${POSTGRES_DB:-open_webui}
+
+ # OpenAI
+ OPENAI_API_BASE_URL: ${OPENAI_API_BASE_URL:-}
+ OPENAI_API_KEY: ${OPENAI_API_KEY:-}
+
+ # RAG & Embeddings
+ RAG_EMBEDDING_MODEL: ${RAG_EMBEDDING_MODEL:-sentence-transformers/all-MiniLM-L6-v2}
+ RAG_RERANKING_MODEL: ${RAG_RERANKING_MODEL:-}
+ RAG_EMBEDDING_MODEL_AUTO_UPDATE: ${RAG_EMBEDDING_MODEL_AUTO_UPDATE:-false}
+
+ # Whisper
+ WHISPER_MODEL: ${WHISPER_MODEL:-base}
+
+ # Redis
+ REDIS_URL: redis://redis:6379
+
+ # Features
+ ENABLE_RAG_WEB_SEARCH: ${ENABLE_RAG_WEB_SEARCH:-false}
+ ENABLE_RAG_HYBRID_SEARCH: ${ENABLE_RAG_HYBRID_SEARCH:-false}
+ ENABLE_IMAGE_GENERATION: ${ENABLE_IMAGE_GENERATION:-false}
+
+ # Analytics
+ SCARF_NO_ANALYTICS: ${SCARF_NO_ANALYTICS:-true}
+ DO_NOT_TRACK: ${DO_NOT_TRACK:-true}
+
+ volumes:
+ - frontend_data:/app/backend/data
+ ports:
+ - "${FRONTEND_PORT_OVERRIDE:-3000}:8080"
+ depends_on:
+ rust-backend:
+ condition: service_healthy
+ postgres:
+ condition: service_healthy
+ redis:
+ condition: service_healthy
+ sandbox-executor:
+ condition: service_healthy
+ healthcheck:
+ test: ["CMD-SHELL", "curl -f http://localhost:8080/health || exit 1"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+ start_period: 60s
+ deploy:
+ resources:
+ limits:
+ cpus: ${FRONTEND_CPU_LIMIT:-1}
+ memory: ${FRONTEND_MEMORY_LIMIT:-1G}
+ reservations:
+ cpus: ${FRONTEND_CPU_RESERVATION:-0.25}
+ memory: ${FRONTEND_MEMORY_RESERVATION:-256M}
+ networks:
+ - open-webui-network
+
+volumes:
+ postgres_data:
+ redis_data:
+ rust_backend_data:
+ sandbox_logs:
+ frontend_data:
+
+networks:
+ open-webui-network:
+ driver: bridge
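Review bot: `sandbox-executor` runs as `user: root` with `/var/run/docker.sock` mounted and is published on the host through `"${SANDBOX_EXECUTOR_PORT_OVERRIDE:-8090}:8090"`, while no credential for its API is configured anywhere in this file, so anything that can reach the host port can likely drive a service that controls the Docker daemon. `rust-backend` and `frontend` already reach it over `open-webui-network` at `http://sandbox-executor:8090`, so the `ports:` entry can be dropped, or bound to loopback as `"127.0.0.1:${SANDBOX_EXECUTOR_PORT_OVERRIDE:-8090}:8090"`. The `postgres` and `redis` port mappings have the same shape (a default password, and a `redis-server` command without `--requirepass`) and would benefit from the same treatment. `CONTAINER_IMAGE: public.ecr.aws/o3p7x2f5/knoxchat/sandbox-runtime:latest` is hard-coded, so it ignores the `GLOBAL_REGISTRY` and `SANDBOX_RUNTIME_VERSION` values that the `sandbox-runtime` service honours, and every knoxchat image defaults to the mutable `latest` tag; pinning versions or digests would make the deployment reproducible and auditable.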