Introduction:
Minio is an open-source object storage server that is compatible with the Amazon S3 API. It is a lightweight, high-performance solution for storing large amounts of unstructured data like images, videos, log files, and backups. This guide will take you through the process of installing Minio on a Linux server and configuring it to run as a systemd service.
Prerequisites:
A Linux server with root or sudo access.
Internet access to download the Minio binary.
Step 1: Set Up Directories
The first step is to create the necessary directories for the Minio installation and backup storage.
mkdir -p /opt/minio/bin
mkdir /backup
/opt/minio/bin: holds the Minio server binary.
/backup: the data partition where Minio stores its objects.
Step 2: Create a Minio User
Next, we’ll create a dedicated user for running the Minio service. This user will have no login privileges and will be used solely to manage Minio.
useradd -s /sbin/nologin -d /opt/minio minio
This command creates a new user named minio with no shell access and sets /opt/minio as its home directory.
Step 3: Install the Minio Server Binary
We’ll now download the Minio server binary and set it to be executable.
wget https://dl.min.io/server/minio/release/linux-amd64/minio -O /opt/minio/bin/minio
chmod +x /opt/minio/bin/minio
These commands fetch the Linux x64 binary of the Minio server and make it executable.
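The download above is marked executable without any integrity check. The following is an added example, not part of the original guide, that compares the binary with a published SHA-256 file and only then runs chmod +x. The function names and the minio.sha256sum URL in the closing comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): check a downloaded binary
# against a published SHA-256 file before making it executable.

# verify_sha256 BINARY SUMFILE -> returns 0 only if the digests match
verify_sha256() {
    # Field 1 of the sum file is the digest. Field 2 is a file name that may
    # not equal the local name, so the digests are compared directly.
    expected=$(awk 'NR==1 {print tolower($1)}' "$2")
    if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "malformed digest in $2" >&2
        return 1
    fi
    actual=$(sha256sum "$1" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $1" >&2
        return 1
    fi
    return 0
}

# install_verified BINARY SUMFILE -> chmod +x on a match; on a mismatch the
# file is deleted so a tampered or truncated download can never be started.
install_verified() {
    if verify_sha256 "$1" "$2"; then
        chmod +x "$1"
    else
        rm -f "$1"
        return 1
    fi
}

# Use in place of the bare chmod in Step 3 (assumed URL, not run here):
#   wget https://dl.min.io/server/minio/release/linux-amd64/minio.sha256sum -O /tmp/minio.sha256sum
#   install_verified /opt/minio/bin/minio /tmp/minio.sha256sum
```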
Step 4: Create a Minio Configuration File
Minio requires a configuration file to define key environment variables, such as the location of the data partition. We’ll create this file under /opt/minio/.
vim /opt/minio/minio.conf
Add the following lines:
MINIO_VOLUMES="/backup"
MINIO_OPTS="--console-address :9001"
MINIO_ROOT_USER="root"
MINIO_ROOT_PASSWORD="Minio1234"
This configuration specifies:
MINIO_VOLUMES: The directory where Minio will store data.
MINIO_OPTS: Custom options, in this case, setting the console to be accessible on port 9001.
MINIO_ROOT_USER and MINIO_ROOT_PASSWORD: The root credentials for accessing the Minio server. The values shown are examples; set your own user name and a long, random password before starting the service.
Step 5: Set File Permissions
To ensure that the minio user has the necessary permissions, we’ll change the ownership of the /opt/minio and /backup directories.
chown -R minio:minio /opt/minio
chown -R minio:minio /backup
These commands recursively set the ownership of all files and directories under /opt/minio and /backup to the minio user and group.
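The environment file from Step 4 holds the root credentials in clear text, so both its contents and its mode matter. The following is an added example, not part of the original guide, that audits such a file for guessable root credentials and for read access beyond the owner. The function names, the 20-character threshold and the word lists are assumptions, and stat -c is the GNU coreutils form.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the environment file
# from Step 4. Thresholds and name lists below are assumed policy.

# conf_value FILE KEY -> value of KEY=... with surrounding quotes removed
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# audit_minio_conf FILE -> prints one finding per line, nothing if clean
audit_minio_conf() {
    conf=$1
    user=$(conf_value "$conf" MINIO_ROOT_USER)
    pass=$(conf_value "$conf" MINIO_ROOT_PASSWORD)
    mode=$(stat -c %a "$conf")

    # The file holds the root secret: only its owner should be able to read it.
    case $mode in
        *00) ;;
        *) echo "PERMS: $conf is mode $mode, expected 600" ;;
    esac

    # Account names that are commonly guessed first for an admin login.
    case $user in
        root|admin|administrator|minio|minioadmin)
            echo "USER: '$user' is a guessable root account name" ;;
    esac

    # Assumed policy: at least 20 characters and no product or dictionary word.
    if [ "${#pass}" -lt 20 ]; then
        echo "PASS: root password is ${#pass} characters, policy requires 20"
    fi
    lower=$(printf '%s' "$pass" | tr 'A-Z' 'a-z')
    case $lower in
        *minio*|*password*)
            echo "PASS: root password contains a dictionary word" ;;
    esac
}
```

Run it as `audit_minio_conf /opt/minio/minio.conf`; an empty result means none of the checks fired.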
Step 6: Configure Minio as a Systemd Service
Systemd is a system and service manager for Linux. We’ll create a systemd service file for Minio, which will allow us to start, stop, and manage Minio like any other service.
Create the service file:
vim /etc/systemd/system/minio.service
Copy the following configuration into the file:
[Unit]
Description=Minio
Documentation=https://docs.minio.io
Wants=network-online.target
After=network-online.target
AssertFileIsExecutable=/opt/minio/bin/minio
[Service]
WorkingDirectory=/opt/minio
User=minio
Group=minio
#PermissionsStartOnly=true
EnvironmentFile=-/opt/minio/minio.conf
ExecStartPre=/bin/bash -c "if [ -z \"${MINIO_VOLUMES}\" ]; then echo \"Variable MINIO_VOLUMES not set in /opt/minio/minio.conf\"; exit 1; fi"
ExecStart=/opt/minio/bin/minio server $MINIO_OPTS $MINIO_VOLUMES
StandardOutput=journal
StandardError=inherit
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop Minio
KillSignal=SIGTERM
SendSIGKILL=no
SuccessExitStatus=0
[Install]
WantedBy=multi-user.target
This configuration ensures that Minio starts with the correct environment settings and permissions, integrating smoothly with the Linux service management framework.
Step 7: Enable and Start the Minio Service
To make sure Minio starts on boot and runs immediately, enable and start the service using the following commands:
systemctl enable minio
systemctl start minio
Step 8: Verify Minio Service Status
Finally, confirm that the Minio service is running correctly by checking its status:
systemctl status minio
You should see an output indicating that the service is active and running without issues.
Step 9: Secure Minio with SSL/TLS
Additionally, to secure Minio with SSL/TLS encryption, follow these steps:
- Generate a Self-Signed SSL/TLS Certificate
Use the script below to generate a self-signed certificate:
#!/bin/bash
# Prompt the user for each part of the subject
read -p "Enter Country (e.g., US): " COUNTRY
read -p "Enter State (e.g., California): " STATE
read -p "Enter Locality (e.g., San Francisco): " LOCALITY
read -p "Enter Organization (e.g., MyCompany): " ORGANIZATION
read -p "Enter Organizational Unit (e.g., IT): " ORG_UNIT
read -p "Enter Common Name (e.g., domain.com): " COMMON_NAME
# Construct the subject string
SUBJECT="/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORGANIZATION/OU=$ORG_UNIT/CN=$COMMON_NAME"
# Prompt the user for the domain names or IPs to include in the SAN (Subject Alternative Name)
read -p "Enter the domain names or IP addresses for the SAN (comma-separated, e.g., domain.com, www.domain.com, 192.168.1.1): " DOMAINS
# Generate CA key and certificate
openssl genrsa -out CAcert.key 4096
openssl req -x509 -new -nodes -key CAcert.key -sha512 -days 3650 -out CAcert.crt -subj "$SUBJECT"
# Generate server key
openssl genrsa -out Server.key 4096
# Generate a CSR using the server key
openssl req -sha512 -new -key Server.key -out Server.csr -subj "$SUBJECT"
# Create v3.ext file with SAN entries
echo "authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]" > v3.ext
# Convert the comma-separated domains/IPs into the v3.ext format
IFS=',' read -ra ADDR <<< "$DOMAINS"
for i in "${!ADDR[@]}"; do
    # Strip whitespace left by "a, b" style input so the IP test below still matches
    ENTRY="${ADDR[$i]//[[:space:]]/}"
    # Check if the input is an IP address or domain
    if [[ "$ENTRY" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
        echo "IP.$(($i + 1))=$ENTRY" >> v3.ext
    else
        echo "DNS.$(($i + 1))=$ENTRY" >> v3.ext
    fi
done
# Generate the server certificate using the CSR and CA certificate
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA CAcert.crt -CAkey CAcert.key -CAcreateserial \
-in Server.csr \
-out Server.crt
# Clean up the serial file and CSR
rm -f Server.csr CAcert.srl
# Notify user of completion
echo "Self-signed SSL certificate and key have been generated:"
echo "CA Certificate: CAcert.crt"
echo "CA Key: CAcert.key"
echo "Server Certificate: Server.crt"
echo "Server Key: Server.key"
- Rename certificates
Rename the generated certificate files for Minio:
mv Server.crt public.crt
mv Server.key private.key
- Create Certificate Directories
Create the directories for the certificates:
mkdir -p /opt/minio/certs/CAs
mkdir -p /opt/minio/certs/internal-example.net
mkdir -p /opt/minio/certs/s3-example.net
- Copy Certificates
Copy the certificates to the newly created directories:
cp CAcert.crt /opt/minio/certs/CAs
# CAcert.key is deliberately not copied: certs/CAs holds trusted CA certificates only, so keep the CA private key off the server
cp public.crt /opt/minio/certs/internal-example.net
cp private.key /opt/minio/certs/internal-example.net
cp public.crt /opt/minio/certs/s3-example.net
cp private.key /opt/minio/certs/s3-example.net
cp public.crt /opt/minio/certs
cp private.key /opt/minio/certs
chown -R minio:minio /opt/minio/certs
- Update Minio Configuration for SSL/TLS
Edit the Minio configuration file so the server reads its certificates from the certificate directory:
vim /opt/minio/minio.conf
Add or update the following lines:
MINIO_OPTS="--console-address :9001 --certs-dir /opt/minio/certs"
- Restart Minio Service
Restart the Minio service to apply the new SSL/TLS configuration:
systemctl restart minio
- Verify SSL/TLS Configuration
Access Minio via HTTPS at your domain. You should see that the connection is secured with SSL/TLS.
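A check for the certificate directory built in Step 9, as an added example that is not part of the original guide: it reports private keys stored in certs/CAs, private.key files readable beyond their owner, and directories that hold only half of a public.crt/private.key pair. The function name and finding labels are assumptions, and stat -c is the GNU coreutils form.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a Minio --certs-dir tree.

# audit_certs_dir DIR -> prints one finding per line, nothing if clean
audit_certs_dir() {
    certs=$1

    # 1. certs/CAs is a trust store: it should hold certificates, never a key.
    #    Keys are detected by their PEM header, not by file name.
    if [ -d "$certs/CAs" ]; then
        find "$certs/CAs" -type f -exec grep -l 'PRIVATE KEY-----' {} + |
            sed 's/^/CAKEY: private key inside trust store: /'
    fi

    # 2. Every private.key must be owner-only and sit beside a public.crt.
    find "$certs" -type f -name private.key | while IFS= read -r key; do
        dir=$(dirname "$key")
        mode=$(stat -c %a "$key")
        case $mode in
            *00) ;;
            *) echo "PERMS: $key is mode $mode, expected 600" ;;
        esac
        [ -f "$dir/public.crt" ] ||
            echo "PAIR: $dir has private.key but no public.crt"
    done

    # 3. A public.crt without its key cannot be served for that name.
    find "$certs" -type f -name public.crt | while IFS= read -r crt; do
        dir=$(dirname "$crt")
        [ -f "$dir/private.key" ] ||
            echo "PAIR: $dir has public.crt but no private.key"
    done
}
```

Run it as `audit_certs_dir /opt/minio/certs` before restarting the service.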
Conclusion:
By following these steps, Minio is now configured to securely handle your object storage needs, offering a reliable and scalable solution. If you have any questions or encounter issues, feel free to comment below. Keep exploring Linux and Kubernetes!