Minio

Introduction

We are going to install a MinIO S3 server to store the backups of our persistent volumes and of the configuration of our Kubernetes environment.

Prerequisites

  • a Rocky 9 server
  • an additional disk on our VM (20G)

Server name   IP address     Role
minio1        172.31.10.13   S3 server

Installation

Disk preparation

sudo pvcreate /dev/sdb
sudo vgcreate datavg /dev/sdb
sudo lvcreate -l 100%VG -n datalv datavg
sudo mkfs.xfs /dev/mapper/datavg-datalv
sudo mkdir /mnt/data
sudo sh -c 'echo "/dev/mapper/datavg-datalv /mnt/data                   xfs     defaults        0 0" >> /etc/fstab'
sudo mount -a
df -h

Group and user

sudo groupadd -r minio-user
sudo useradd -M -r -g minio-user minio-user
sudo chown minio-user:minio-user /mnt/data

Installing MinIO

Server

wget https://dl.min.io/server/minio/release/linux-arm64/minio
sudo mv minio /usr/local/bin/
sudo chmod +x /usr/local/bin/minio

Client

sudo wget https://dl.min.io/client/mc/release/linux-arm64/mc
sudo mv mc /usr/local/bin/
sudo chmod +x /usr/local/bin/mc

Creating the systemd service file

sudo cat << EOF | sudo tee /etc/systemd/system/minio.service
[Unit]
Description=MinIO
Documentation=https://min.io/docs/minio/linux/index.html
Wants=network-online.target
After=network-online.target
AssertFileIsExecutable=/usr/local/bin/minio

[Service]
WorkingDirectory=/usr/local/bin

User=minio-user
Group=minio-user
ProtectProc=invisible

EnvironmentFile=-/etc/default/minio
ExecStartPre=/bin/bash -c "if [ -z \"\${MINIO_VOLUMES}\" ]; then echo \"Variable MINIO_VOLUMES not set in /etc/default/minio\"; exit 1; fi"
ExecStart=/usr/local/bin/minio server \$MINIO_OPTS \$MINIO_VOLUMES

# Let systemd restart this service always
Restart=always

# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536

# Specifies the maximum number of threads this process can create
TasksMax=infinity

# Disable timeout logic and wait until process is stopped
TimeoutStopSec=infinity
SendSIGKILL=no

[Install]
WantedBy=multi-user.target

# Built for \${project.name}-\${project.version} (\${project.name})
EOF

Server configuration

Note

Replace the password adminPasswordAChanger below

sudo cat << EOF | sudo tee /etc/default/minio
# MINIO_ROOT_USER and MINIO_ROOT_PASSWORD sets the root account for the MinIO server.
# This user has unrestricted permissions to perform S3 and administrative API operations on any resource in the deployment.
# Omit to use the default values 'minioadmin:minioadmin'.
# MinIO recommends setting non-default values as a best practice, regardless of environment

MINIO_ROOT_USER=minioadmin
MINIO_ROOT_PASSWORD=adminPasswordAChanger

# MINIO_VOLUMES sets the storage volume or path to use for the MinIO server.

MINIO_VOLUMES="/mnt/data"

# Use if you want to run Minio on a custom port.
MINIO_OPTS="--address :9000 --console-address :9001"

# MINIO_SERVER_URL sets the hostname of the local machine for use with the MinIO Server
# MinIO assumes your network control plane can correctly resolve this hostname to the local machine

# Uncomment the following line and replace the value with the correct hostname for the local machine.

#MINIO_SERVER_URL="http://minio.example.net"
EOF
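
Because the heredoc above goes through tee, /etc/default/minio is created with the default umask (typically mode 0644), which leaves the root password readable by every local account. The added example below (not part of the original page) writes the same settings with a generated password and mode 0600; systemd reads EnvironmentFile itself before starting the service, so minio-user needs no read access. The function names and the target-path parameter are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): write the MinIO environment
# file with a generated root password and owner-only permissions.
set -eu

# 24 random bytes from the kernel CSPRNG, hex-encoded: 48 characters.
gen_secret() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_minio_env <target-file> <volume-path>
# On the server the target would be /etc/default/minio, run as root.
write_minio_env() {
    local target volumes secret tmp
    target=$1; volumes=$2
    secret=$(gen_secret)
    # The temporary file sits beside the target and is owner-only before
    # the password is written into it.
    tmp=$(mktemp "${target}.XXXXXX")
    chmod 600 "$tmp"
    cat > "$tmp" <<EOF
MINIO_ROOT_USER=minioadmin
MINIO_ROOT_PASSWORD=${secret}
MINIO_VOLUMES="${volumes}"
MINIO_OPTS="--address :9000 --console-address :9001"
EOF
    mv -f "$tmp" "$target"   # atomic replace on the same filesystem
}

# Succeeds (0) when the file keeps the tutorial placeholder or is
# accessible to group/others.
env_file_is_weak() {
    local perms
    grep -q '^MINIO_ROOT_PASSWORD=adminPasswordAChanger$' "$1" && return 0
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" != "------" ] && return 0
    return 1
}

# Demo on a scratch directory (constructed input, nothing under /etc is touched).
demo_dir=$(mktemp -d)
write_minio_env "$demo_dir/minio" /mnt/data
env_file_is_weak "$demo_dir/minio" || echo "env file OK: $(ls -l "$demo_dir/minio" | cut -c1-10)"
rm -rf "$demo_dir"
```

The generated password then has to be read back from the file (as root) for the mc alias set step.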

Firewall

sudo firewall-cmd --permanent --add-port=9000/tcp
sudo firewall-cmd --permanent --add-port=9001/tcp
sudo firewall-cmd --reload

Start the MinIO service

sudo systemctl start minio.service
sudo systemctl enable minio.service
sudo systemctl status minio.service
sudo journalctl -f -u minio.service

The output of the journalctl command should look like the following:

-- Logs begin at Tue 2023-02-21 12:19:58 CET. --
Feb 21 13:45:28 gmoos3.ville-geneve.ch minio[7818]: MinIO Object Storage Server
Feb 21 13:45:28 gmoos3.ville-geneve.ch minio[7818]: Copyright: 2015-2023 MinIO, Inc.
Feb 21 13:45:28 gmoos3.ville-geneve.ch minio[7818]: License: GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
Feb 21 13:45:28 gmoos3.ville-geneve.ch minio[7818]: Version: RELEASE.2023-02-17T17-52-43Z (go1.19.6 linux/amd64)
Feb 21 13:45:28 gmoos3.ville-geneve.ch minio[7818]: Status:         1 Online, 0 Offline.
Feb 21 13:45:28 gmoos3.ville-geneve.ch minio[7818]: API: http://172.31.10.13:9000  http://127.0.0.1:9000
Feb 21 13:45:28 gmoos3.ville-geneve.ch minio[7818]: Console: http://172.31.10.13:9001 http://127.0.0.1:9001
Feb 21 13:45:28 gmoos3.ville-geneve.ch minio[7818]: Documentation: https://min.io/docs/minio/linux/index.html

Client configuration

mc alias set minioadmin http://localhost:9000 minioadmin adminPasswordAChanger

Note

The password adminPasswordAChanger must match the one defined in /etc/default/minio (MINIO_ROOT_PASSWORD=)

Bucket creation

We are going to create two buckets, longhorn-backups and velero-backups, each with its own user and access policy

mc mb minioadmin/longhorn-backups
mc mb minioadmin/velero-backups

User

User creation

mc admin user add minioadmin longhorn-backups-user userPasswordAChanger
mc admin user add minioadmin velero-backups-user userPasswordAChanger

Client configuration

mc alias set longhorn-backups-user http://localhost:9000 longhorn-backups-user userPasswordAChanger
mc alias set velero-backups-user http://localhost:9000 velero-backups-user userPasswordAChanger

Note

The password userPasswordAChanger must match the one defined when the users were created above.

Policy assignment

Longhorn

cat > /tmp/longhorn-backups-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutBucketPolicy",
        "s3:GetBucketPolicy",
        "s3:DeleteBucketPolicy",
        "s3:ListAllMyBuckets",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::longhorn-backups"
      ],
      "Sid": ""
    },
    {
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::longhorn-backups/*"
      ],
      "Sid": ""
    }
  ]
}
EOF
mc admin policy create minioadmin longhorn-backups-policy /tmp/longhorn-backups-policy.json
mc admin policy attach minioadmin longhorn-backups-policy --user=longhorn-backups-user

Velero

cat > /tmp/velero-backups-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutBucketPolicy",
        "s3:GetBucketPolicy",
        "s3:DeleteBucketPolicy",
        "s3:ListAllMyBuckets",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::velero-backups"
      ],
      "Sid": ""
    },
    {
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::velero-backups/*"
      ],
      "Sid": ""
    }
  ]
}
EOF
mc admin policy create minioadmin velero-backups-policy /tmp/velero-backups-policy.json
mc admin policy attach minioadmin velero-backups-policy --user=velero-backups-user
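
Before the two policies above are loaded with mc admin policy create, it is worth checking what they grant: both include s3:PutBucketPolicy and s3:DeleteBucketPolicy, which let the backup user rewrite the access policy of its own bucket. The script below is an added example, not part of the original page; it lists such actions and any resource ARN outside the expected bucket, using text matching rather than a JSON parser. The function names policy_findings and page_policy are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): pre-flight review of a policy
# file before `mc admin policy create`. Text matching, not a JSON parser.
set -eu

# policy_findings <policy-file> <bucket>
# Prints one finding per line; prints nothing when the policy passes.
policy_findings() {
    local file bucket
    file=$1; bucket=$2
    # 1. Actions that let the holder rewrite the bucket's own access policy,
    #    and wildcard grants.
    grep -o '"s3:[A-Za-z*]*"' "$file" | tr -d '"' | sort -u | while read -r action; do
        case $action in
            s3:PutBucketPolicy|s3:DeleteBucketPolicy) echo "policy-write $action" ;;
            *\**) echo "wildcard-action $action" ;;
        esac
    done
    # 2. Every resource must be the bucket itself or objects inside it.
    grep -o '"arn:aws:s3:::[^"]*"' "$file" | tr -d '"' | sort -u | while read -r arn; do
        case $arn in
            "arn:aws:s3:::$bucket"|"arn:aws:s3:::$bucket/"*) ;;
            *) echo "out-of-scope-resource $arn" ;;
        esac
    done
}

# The Longhorn policy from this page, condensed to three lines.
page_policy() {
    cat <<'EOF'
{"Version":"2012-10-17","Statement":[
{"Effect":"Allow","Action":["s3:PutBucketPolicy","s3:GetBucketPolicy","s3:DeleteBucketPolicy","s3:ListAllMyBuckets","s3:ListBucket"],"Resource":["arn:aws:s3:::longhorn-backups"]},
{"Effect":"Allow","Action":["s3:AbortMultipartUpload","s3:DeleteObject","s3:GetObject","s3:ListMultipartUploadParts","s3:PutObject"],"Resource":["arn:aws:s3:::longhorn-backups/*"]}]}
EOF
}

# Demo: review the policy for its own bucket, then against the wrong bucket.
tmp=$(mktemp)
page_policy > "$tmp"
policy_findings "$tmp" longhorn-backups
policy_findings "$tmp" velero-backups   # both ARNs are reported as out of scope
rm -f "$tmp"
```

Whether the two policy-write actions are needed depends on the backup tool; if they are not, removing them from the first statement keeps the bucket's access policy under the administrator's control only.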

Access to the web interface

http://srvminio.gmolab.net:9001

The username and password are the ones defined in /etc/default/minio

MINIO_ROOT_USER=minioadmin
MINIO_ROOT_PASSWORD=adminPasswordAChanger

Source

Deploy single node
Using MinIO as Backup Target Longhorn Download minio


Version   Date         Change     Author
1.0       28.03.2023   Creation   GMo