rs3gw 0.1.0 Released — A Pure Rust, Drop-in S3-Compatible Object Storage Gateway

Object storage you can read end to end — no daemon zoo, no GC pauses, no opaque blob to trust.

Today we released rs3gw 0.1.0 — a Pure Rust, S3-compatible object storage gateway built for AI/ML workloads, scientific computing, and large-scale data management, powered by scirs2-io.

No C. No C++. No Go. No Fortran. No garbage collector. MinIO is Go and pauses when you least want it to; Ceph RGW is a C++ stack you operate rather than run. rs3gw is neither. It compiles to a single static binary, runs in a 50MB container, and gives you predictable, low-latency S3 access without a runtime babysitter. It is a sovereign, auditable storage layer: every byte of the data path, the SigV4 authenticator, the dedup index, and the query engine is Rust you can read.

Why rs3gw 0.1.0 matters

If you have ever run object storage in production, you know the tax. MinIO and Ceph mean clusters to operate, GC pauses that wander into your tail latency, opaque binaries you cannot fully audit, and — if you reach for the real thing — vendor lock-in to AWS S3 itself. rs3gw was built to remove that tax while keeping the API everyone already speaks.

Concrete wins in the debut:

• Drop-in S3 compatibility. A complete S3 API with 100+ operations means existing aws-cli, boto3, and S3 SDK code points at rs3gw with one line changed: the endpoint URL.
• Storage that pays for itself. Content-addressed deduplication (SHA256) delivers 30–70% storage savings, with transparent Zstd and LZ4 compression on top.
• Latency you can plan around. HeadObject returns in 18µs (53 GiB/s); reads sustain 18 GiB/s on the local filesystem backend; bucket tagging is 40µs (put) / 17µs (get).
• Query at the source. S3 Select with predicate pushdown and column pruning cuts I/O by 50–80%, with 3–4x parallel-execution speedup — so you scan less data, not more.
• One artifact, no runtime. A single static binary in a 50MB container. No GC, no JVM, no helper daemons.

Technical Deep Dive

rs3gw is built on scirs2-io, the SciRS2 high-performance storage engine, and organized into clean layers you can navigate by reading src/.

(a) The S3 API surface and authentication. src/api/ hosts the S3 router (s3_router.rs), request handlers, multipart uploads (multipart.rs), and batch operations (batch.rs). Authentication lives in src/auth/: AWS Signature V4 with timestamp validation (v4.rs), chunked signing (chunked.rs), and presigned POST policies (presigned_post.rs). Fine-grained access control is in src/auth/abac/ — a policy evaluator with IP filtering (IPv4/IPv6 CIDR) and time-window restrictions.

(b) The storage engine and backends. src/storage/core/ is the StorageEngine itself, fronting a backend abstraction (40+ methods) in src/storage/backend/: localbackend, miniobackend, and s3backend (AWS SDK) are live, with stub backends for GCS, Azure Blob, Ceph/RADOS, and GlusterFS behind a backend factory. Around the engine sit deduplication (dedup.rs), server-side encryption (encryption.rs, AES-256-GCM and ChaCha20-Poly1305 with envelope DEK/KEK and key rotation), the ML-based smart cache (ml_cache.rs), audit logging (audit.rs), compliance reporting (compliance.rs), tiering, archival, backup, and Object Lambda.

(c) The S3 Select query engine. src/api/select/ is a real SQL engine: a parser (parser.rs), advanced SQL (advanced_sql.rs), and window functions (window_functions.rs), supporting aggregations, GROUP BY, ORDER BY, JOINs, and CTEs over CSV, JSON, Parquet, Avro, ORC, Protobuf, and MessagePack. select_optimizer.rs does predicate pushdown and column pruning; select_cache.rs is an LRU query-plan cache (1000 entries).

(d) Multi-protocol access and observability. Beyond REST, src/grpc/ exposes a gRPC API (661-line protobuf schema, bidirectional streaming, 40+ operations) and src/api/graphql.rs provides a GraphQL endpoint with WebSocket subscriptions and a Playground. src/observability/ brings anomaly detection (Z-score), predictive analytics, continuous profiling (profiling.rs), and OpenTelemetry tracing (tracing.rs). Clustering for multi-node HA lives in src/cluster/ (node.rs, replication.rs, advanced_replication.rs).

Getting Started

rs3gw is a server. Clone, build, and run:

git clone https://github.com/cool-japan/rs3gw.git
cd rs3gw
cargo build --release
./target/release/rs3gw

Configure it via environment variables:

export RS3GW_BIND_ADDR="0.0.0.0:9000"
export RS3GW_STORAGE_ROOT="./data"
export RS3GW_ACCESS_KEY="minioadmin"
export RS3GW_SECRET_KEY="minioadmin"
export RS3GW_COMPRESSION="zstd:3"

Then talk to it with the AWS CLI — just point --endpoint-url at port 9000:

aws --endpoint-url http://localhost:9000 s3 mb s3://my-bucket
aws --endpoint-url http://localhost:9000 s3 cp myfile.txt s3://my-bucket/
aws --endpoint-url http://localhost:9000 s3 ls s3://my-bucket/

Or from Python with boto3:

import boto3

s3 = boto3.client(
    "s3",
    endpoint_url="http://localhost:9000",
    aws_access_key_id="minioadmin",
    aws_secret_access_key="minioadmin",
    region_name="us-east-1",
)
s3.create_bucket(Bucket="my-bucket")
s3.upload_file("myfile.txt", "my-bucket", "myfile.txt")

What’s inside

S3 API (100+ operations)

• Bucket ops: create, delete, list, head, policy, tagging, lifecycle.
• Object ops: get, put, delete, copy, head, tagging — with streaming support.
• Multipart upload: create, upload parts, complete, abort, list parts.
• Range requests and conditional headers (If-Match, If-None-Match).
• AWS Signature V4 authentication with timestamp validation; presigned URLs (GET, PUT, POST).
• Axum web server on Tokio, TLS/HTTPS via rustls, graceful shutdown (SIGINT/SIGTERM).

Storage engine

• Local filesystem backend with async I/O and .meta sidecar files.
• Transparent Zstd and LZ4 compression with configurable levels.
• ETag generation (SHA256); checksum validation (CRC32C, CRC32, SHA256, SHA1, MD5).
• Data deduplication via SHA256 content-addressing (30–70% savings).
• Zero-copy optimizations: direct I/O, splice/sendfile on Linux, memory-mapped metadata.

Advanced features

• S3 Select: SQL over CSV/JSON/Parquet/Avro/ORC/Protobuf/MessagePack with pushdown, column pruning, parallel execution, and a query-plan LRU cache.
• ML-based smart cache (predictive prefetching, adaptive TTL); Object Lambda (PII redaction, format conversion).
• Server-side encryption (SSE-S3, SSE-C; AES-256-GCM), envelope encryption (DEK/KEK), key rotation, ChaCha20-Poly1305.
• Object versioning (UUID version IDs, delete markers), Object Lock (GOVERNANCE/COMPLIANCE), event notifications, tiered storage, backup & recovery (snapshots, incremental, point-in-time).

Multi-backend

• Backend abstraction (40+ methods): LocalBackend, MinIOBackend, S3Backend (AWS SDK); stubs for GCS, Azure Blob, Ceph/RADOS, GlusterFS; backend factory.

Protocols

• REST (S3 compat), gRPC (protobuf, bidirectional streaming, client libs in Python/Go/Rust), GraphQL (queries, WebSocket subscriptions, Playground at /graphql), WebSocket event streaming, OpenAPI/Swagger at /swagger-ui.

Security and compliance

• ABAC (time-based restrictions, IP whitelist/blacklist), immutable HMAC-SHA256 audit chain with tamper detection, compliance reports (SOC2, HIPAA, GDPR), log forwarding (webhook, syslog RFC 5424, S3, file).

Observability

• Prometheus metrics (50+), OpenTelemetry OTLP distributed tracing (W3C Trace Context, Jaeger/Tempo), continuous profiling (CPU/memory/I/O, pprof), anomaly detection (7 types), predictive analytics, /health, auto-scaling (dynamic thread pool, adaptive rate limiting, load shedding).

Cluster / HA

• Multi-node, multi-leader; sync/async/quorum replication; gossip protocol; vector-clock conflict resolution; configurable replication factor.

Tooling and deployment

• CLI tools: rs3ctl (admin), s3-migrate (migration), testdata-generator.
• Multi-stage Dockerfile (50MB images), Docker Compose (Prometheus/Grafana/Jaeger/MinIO), Kubernetes manifests (kustomize), Helm chart, ARM64 multi-arch.
• TOML + env-var config (50+ options); optional features: io_uring (Linux 5.11+), video-transcoding, wasm-plugins (pure Rust via Wasmtime).

Built over 9 months of development and ~63,000 lines of Rust, with 594 tests (527 unit + 67 integration), zero clippy warnings, every file under 2000 lines, and no unwrap() in production code.

Tips

• Tune compression for your workload. RS3GW_COMPRESSION="zstd:3" is a balanced default; use zstd:10 for a higher ratio on cold data, or lz4 when throughput matters more than size.
• Turn on dedup for large, repetitive datasets. SHA256 content-addressing reclaims 30–70% on ML checkpoints, dataset shards, and backup snapshots.
• Migrate without rewriting code. Point any boto3 / aws-cli / S3 SDK at the :9000 endpoint — it’s a drop-in replacement for AWS S3 and MinIO.
• Push queries down, not data up. Use S3 Select with column pruning to cut I/O by 50–80%; scanning a few Parquet columns hits 200–400 MB/s instead of dragging whole objects over the wire.
• On Linux, build for io_uring. cargo build --release --features io_uring on kernel 5.11+ yields roughly a 60% I/O improvement.
• Always set credentials. Auth is off by default for dev; export RS3GW_ACCESS_KEY and RS3GW_SECRET_KEY before anything leaves your laptop.
• Wire up observability early. Scrape Prometheus at /metrics and ship OTel traces to Jaeger or Tempo — the anomaly detector earns its keep once it has history.

This is the foundation

rs3gw 0.1.0 is an early, humble entry into a growing set of sovereign Rust infrastructure. It stands on scirs2-io and the broader SciRS2 scientific computing stack, alongside the other foundations that have shipped so far — NumRS2, OptiRS, PandRS, OxiBLAS, and OxiCode. It is a debut, not a finished product: a first, auditable building block for storage you actually own.

Repository: https://github.com/cool-japan/rs3gw

Star the repo if a Pure Rust storage gateway is something you’ve been waiting for. Pure Rust object storage is here — fast, safe, and sovereign.

— KitaSan at COOLJAPAN OÜ January 04, 2026