¶ Installation Minio sur AlmaLinux
¶ Références
¶ Configuration VM
- VCpu: 2
- Mem: 2Go
- OS: Almalinux v10 ( Installation minimum + ajout cles SH et configuration sudoers )
- Disque:
- OS 20 Go
- Data Disque 41 (4xTaille d'un LV +1 ) Go Type LVM / 4 LV de 10 Go formatées en XFS
- FQDN: minio01.dell.stef.lan
- Lan: vmnet2
La taille des disques DOIT être identique
cf: https://min.io/docs/minio/linux/operations/install-deploy-manage/deploy-minio-single-node-multi-drive.htmlUse Consistent Size of Drive
MinIO limits the size used per drive to the smallest drive in the pool.For example, deploy a pool consisting of the same number of NVMe drives with identical capacity of 7.68TiB. If you deploy one drive with 3.84TiB, MinIO treats all drives in the pool as having that smaller capacity.
¶ Topologie
¶ Preparation Disques
¶ Creation des disques de data (LVM)
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sr0 11:0 1 1024M 0 rom
nvme0n1 259:0 0 20G 0 disk
├─nvme0n1p1 259:2 0 1M 0 part
├─nvme0n1p2 259:3 0 1G 0 part /boot
└─nvme0n1p3 259:4 0 19G 0 part
├─almalinux-root 253:0 0 17G 0 lvm /
└─almalinux-swap 253:1 0 2G 0 lvm [SWAP]
nvme0n2 259:1 0 50G 0 disk
¶ Creation du PV sur nvme0n2
sudo pvcreate /dev/nvme0n2
Physical volume "/dev/nvme0n2" successfully created.
¶ Creation du VG
sudo vgcreate vgminio /dev/nvme0n2
Volume group "vgminio" successfully created
¶ Vérification
sudo vgs
VG #PV #LV #SN Attr VSize VFree
almalinux 1 2 0 wz--n- <19.00g 0
vgminio 1 0 0 wz--n- <50.00g <50.00g
¶ Création de 4 LV de 10 Go
sudo lvcreate --size 10G -n mdisk01 vgminio
sudo lvcreate --size 10G -n mdisk02 vgminio
sudo lvcreate --size 10G -n mdisk03 vgminio
sudo lvcreate --size 10G -n mdisk04 vgminio
¶ Vérification
sudo lvs
LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert
root almalinux -wi-ao---- <17.00g
swap almalinux -wi-ao---- 2.00g
mdisk01 vgminio -wi-a----- 10.00g
mdisk02 vgminio -wi-a----- 10.00g
mdisk03 vgminio -wi-a----- 10.00g
mdisk04 vgminio -wi-a----- 10.00g
¶ Création des FS (XFS)
sudo mkfs.xfs /dev/mapper/vgminio-mdisk01
sudo mkfs.xfs /dev/mapper/vgminio-mdisk02
sudo mkfs.xfs /dev/mapper/vgminio-mdisk03
sudo mkfs.xfs /dev/mapper/vgminio-mdisk04
¶ Edition fstab
Ajouts des 4 nouveaux fs
UUID=f2be201d-0756-4a1a-965a-73d029a5e34b / xfs defaults 0 0
UUID=8130e5b4-771e-4aae-afdb-79274398a35b /boot xfs defaults 0 0
UUID=b152000e-a47d-4db6-b60e-df9273ac70a3 none swap defaults 0 0
/dev/mapper/vgminio-mdisk01 /opt/minio/disk01 xfs defaults 0 2
/dev/mapper/vgminio-mdisk02 /opt/minio/disk02 xfs defaults 0 2
/dev/mapper/vgminio-mdisk03 /opt/minio/disk03 xfs defaults 0 2
/dev/mapper/vgminio-mdisk04 /opt/minio/disk04 xfs defaults 0 2
¶ Montage & check
systemctl daemon-reload
sudo mkdir -p /opt/minio/disk0{1,2,3,4}
sudo mount -a
df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/almalinux-root 17756160 1197688 16558472 7% /
devtmpfs 4096 0 4096 0% /dev
tmpfs 855952 0 855952 0% /dev/shm
tmpfs 342384 6188 336196 2% /run
tmpfs 1024 0 1024 0% /run/credentials/systemd-journald.service
/dev/nvme0n1p2 983040 252380 730660 26% /boot
tmpfs 1024 0 1024 0% /run/credentials/getty@tty1.service
tmpfs 171188 4 171184 1% /run/user/0
tmpfs 171188 4 171184 1% /run/user/1000
/dev/mapper/vgminio-mdisk01 10420224 232620 10187604 3% /opt/minio/disk01
/dev/mapper/vgminio-mdisk02 10420224 232620 10187604 3% /opt/minio/disk02
/dev/mapper/vgminio-mdisk03 10420224 232620 10187604 3% /opt/minio/disk03
/dev/mapper/vgminio-mdisk04 10420224 232620 10187604 3% /opt/minio/disk04
¶ Installation Minio
¶ Récupération du rpm
sudo su -
wget https://dl.min.io/server/minio/release/linux-amd64/archive/minio-20250524170830.0.0-1.x86_64.rpm -O minio.rpm
¶ Vérification du contenu rpm
rpm -ql ./minio.rpm
/lib/systemd/system/minio.service
/usr/local/bin/minio
¶ Installation
rpm -i minio.rpm
¶ Création du user minio
groupadd -r minio-user
useradd -M -r -g minio-user minio-user
¶ Assignation des disques de data au user technique minio
chown minio-user:minio-user /opt/minio/disk01 /opt/minio/disk02 /opt/minio/disk03 /opt/minio/disk04
¶ Edition de la configuration /etc/default/minio
# MINIO_ROOT_USER and MINIO_ROOT_PASSWORD sets the root account for the MinIO server.
# This user has unrestricted permissions to perform S3 and administrative API operations on any resource in the deployment.
# Omit to use the default values 'minioadmin:minioadmin'.
# MinIO recommends setting non-default values as a best practice, regardless of environment.
MINIO_ROOT_USER=<a modifier>
MINIO_ROOT_PASSWORD=<a modifier>
# MINIO_VOLUMES sets the storage volumes or paths to use for the MinIO server.
# The specified path uses MinIO expansion notation to denote a sequential series of drives between 1 and 4, inclusive.
# All drives or paths included in the expanded drive list must exist *and* be empty or freshly formatted for MinIO to start successfully.
MINIO_VOLUMES="/opt/minio/disk0{1...4}"
# MINIO_OPTS sets any additional commandline options to pass to the MinIO server.
# For example, `--console-address :9001` sets the MinIO Console listen port
MINIO_OPTS="--console-address :9001"
¶ Ouverture firewall
¶ Verification des zones
sudo firewall-cmd --get-active-zones
public (default)
interfaces: ens160
¶ Création du service Minio pour firewalld
sudo firewall-cmd --permanent --new-service=minio
sudo firewall-cmd --permanent --service=minio --set-description="Default Minio Gui service"
sudo firewall-cmd --permanent --service=minio --set-short="Minio"
sudo firewall-cmd --permanent --service=minio --add-port=9001/tcp
systemctl restart firewalld
firewall-cmd --zone=public --add-service=minio --permanent
¶ Vérification
firewall-cmd --zone=public --list-all
public (default, active)
target: default
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces: ens160
sources:
services: cockpit dhcpv6-client minio ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Ajouter egalement le port 9000 pour acces externe à l'API S3
¶ Installation client
Voir https://min.io/docs/minio/linux/reference/minio-mc.html
¶ Configuration SSL
¶ Certificats
Copie des certificats dans /opt/minio/certs/
Dans mon cas le zen6ca.crt est le certificat racine de ma PKI interne
[stef@minio01 certs]$ sudo tree /opt/minio/certs/
/opt/minio/certs/
├── CAs
│ └── zen6ca.crt <= Certificat Ca
├── private.key <= key du service
└── public.crt <= certificat du service
sudo chown -R minio-user: /opt/minio/certs/
Bien penser à ajouter les a+x ( ou u+x) sur l'arborescence de repertoires accédant aux certificats afin que user-minio puisse les lires, si ce n'est pas le cas les services WebUi et API ne montent pas la couche TLS. Les logs minio n'indiquent rien en ce cas ...
En cas de mauvaises ACL vous pouvez verifier si le user à acces au certificats comme suis
[root@minio01 certs]# su -c 'cat /opt/minio/certs/private.key' minio-user
cat: /opt/minio/certs/private.key: Permission denied
Si nécessaire, ajouter le certificat de l'authorité au niveau os pour cela, copier le/les certificats de CA dans /usr/share/pki/ca-trust-source/anchors/ puis lancer la commande update-ca-certificates
Vérifications de la signature du certificat par l'authorité:
[stef@minio01 certs]$ sudo openssl verify -verbose public.crt
public.crt: OK
Vérification de la cohérance certificat/ Clé
[stef@minio01 certs]$ sudo openssl x509 -noout -modulus -in ./public.crt | openssl md5
MD5(stdin)= 099b0e33534299b947997dadcd2a551e
[stef@minio01 certs]$ sudo openssl rsa -noout -modulus -in ./private.key | openssl md5
MD5(stdin)= 099b0e33534299b947997dadcd2a551e
Les MD5 doivent être identiques
Vous pouvez lire les informations du certificat afin de vous assurer que l'url du service minio que vous allez configurer et bien présent dans le cn ou dans les alt name.
Dans mon cas j'ai généré un certificat qui matchera SSL avec: minio.dell.stef.lan, minio01.dell.stef.lan, minio02.dell.stef.lan, 127.0.0.1 et 192.168.70.15.
openssl x509 -in /opt/minio/certs/public.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6563150758174778831 (0x5b14fed76c57e5cf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=zen-ca, C=FR, ST=Ile de France, L=MALAKOFF, O=Zen6, OU=Lab
Validity
Not Before: Jun 13 11:30:35 2025 GMT
Not After : Jun 11 11:30:35 2035 GMT
Subject: CN=minio.dell.stef.lan, C=FR, ST=Ile de France, L=BURES SUR YVETTE, O=Zen6, OU=Lab
Subject Public Key Info:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
...
X509v3 Subject Alternative Name:
DNS:minio.dell.stef.lan, DNS:minio01.dell.stef.lan, DNS:minio02.dell.stef.lan, IP Address:127.0.0.1, IP Address:192.168.70.15
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
...
¶ Modification /etc/default/minio
Changement de l'url d'acces API MINIO_SERVER_URL & Ajout de la localisation du répertoire de certificats ( option --certs-dir )
# MINIO_ROOT_USER and MINIO_ROOT_PASSWORD sets the root account for the MinIO server.
# This user has unrestricted permissions to perform S3 and administrative API operations on any resource in the deployment.
# Omit to use the default values 'minioadmin:minioadmin'.
# MinIO recommends setting non-default values as a best practice, regardless of environment.
MINIO_ROOT_USER=xxxxxxx
MINIO_ROOT_PASSWORD=xxxxxxx
# MINIO_VOLUMES sets the storage volumes or paths to use for the MinIO server.
# The specified path uses MinIO expansion notation to denote a sequential series of drives between 1 and 4, inclusive.
# All drives or paths included in the expanded drive list must exist *and* be empty or freshly formatted for MinIO to start successfully.
MINIO_SERVER_URL="https://minio01.dell.stef.lan:9000"
MINIO_VOLUMES="/opt/minio/disk0{1...4}"
# MINIO_OPTS sets any additional commandline options to pass to the MinIO server.
# For example, `--console-address :9001` sets the MinIO Console listen port
MINIO_OPTS="--console-address :9001 --certs-dir /opt/minio/certs"
¶ Redemarrage Minio
systemctl restart minio
systemctl status minio
● minio.service - MinIO
Loaded: loaded (/usr/lib/systemd/system/minio.service; enabled; preset: disabled)
Active: active (running) since Thu 2025-06-12 22:01:15 CEST; 6s ago
Invocation: d04ca2cc97524cd581f2a069e3fd63b0
Docs: https://docs.min.io
Main PID: 2413 (minio)
Tasks: 9
CPU: 589ms
CGroup: /system.slice/minio.service
└─2413 /usr/local/bin/minio server --console-address :9001 --certs-dir /opt/minio/certs /opt/minio/disk0{1...4}
Jun 12 22:01:14 minio01 systemd[1]: Starting minio.service - MinIO...
Jun 12 22:01:15 minio01 systemd[1]: Started minio.service - MinIO.
Jun 12 22:01:15 minio01 minio[2413]: MinIO Object Storage Server
Jun 12 22:01:15 minio01 minio[2413]: Copyright: 2015-2025 MinIO, Inc.
Jun 12 22:01:15 minio01 minio[2413]: License: GNU AGPLv3 - https://www.gnu.org/licenses/agpl-3.0.html
Jun 12 22:01:15 minio01 minio[2413]: Version: RELEASE.2025-05-24T17-08-30Z (go1.24.3 linux/amd64)
Jun 12 22:01:15 minio01 minio[2413]: API: https://minio01.dell.stef.lan:9000
Jun 12 22:01:15 minio01 minio[2413]: WebUI: https://192.168.70.15:9001 https://127.0.0.1:9001
Jun 12 22:01:15 minio01 minio[2413]: Docs: https://docs.min.io
Si tout se passe bien les urls sont maintenant présentés en https
¶ Configuration Minio client
¶ Ajout de l'acces TLS
mc alias set minio01 https://minio01.dell.stef.lan:9000 <compte> <password>
Added `minio01` successfully.
mc admin info minio01
● minio01.dell.stef.lan:9000
Uptime: 5 minutes
Version: 2025-05-24T17:08:30Z
Network: 1/1 OK
Drives: 4/4 OK
Pool: 1
┌──────┬──────────────────────┬─────────────────────┬──────────────┐
│ Pool │ Drives Usage │ Erasure stripe size │ Erasure sets │
│ 1st │ 2.2% (total: 20 GiB) │ 4 │ 1 │
└──────┴──────────────────────┴─────────────────────┴──────────────┘
0 B Used, 1 Bucket, 0 Objects
4 drives online, 0 drives offline, EC:2
¶ Tests fonctionnels
¶ Test acces bucket
mc ls minio01
[2025-06-12 14:00:40 CEST] 0B test/
¶ Copie de fichier
echo 'Fichier de test' > file01.txt
mc cp file01.txt /test minio01
mc ls -r minio01
[2025-06-12 22:11:42 CEST] 16B STANDARD test/file01.txt
¶ Vue WebUI
¶ Ajout utilisateur et creation de la configuration d'acces SSL
mc admin user add minio01 dummy01 lemotdepasse
mc alias set dummy https://minio01.dell.stef.lan:9000 dummy01 lemotdepasse
mc admin policy attach minio01 readwrite --user dummy01
Attached Policies: [readwrite]
To User: dummy01
¶ Création bucket et vérification acces nouveau user
mc mb minio01/bucket-test
Bucket created successfully `minio01/bucket-test`.
mc ls -r dummy/bucket-test
mc cp file01.txt dummy/bucket-test
mc ls -r dummy/bucket-test
[2025-06-12 22:35:28 CEST] 16B STANDARD file01.txt
¶ Modification configuration
# MINIO_ROOT_USER and MINIO_ROOT_PASSWORD sets the root account for the MinIO server.
# This user has unrestricted permissions to perform S3 and administrative API operations on any resource in the deployment.
# Omit to use the default values 'minioadmin:minioadmin'.
# MinIO recommends setting non-default values as a best practice, regardless of environment.
MINIO_ROOT_USER=minioadmin
MINIO_ROOT_PASSWORD=minioadmin
# MINIO_VOLUMES sets the storage volumes or paths to use for the MinIO server.
# The specified path uses MinIO expansion notation to denote a sequential series of drives between 1 and 4, inclusive.
# All drives or paths included in the expanded drive list must exist *and* be empty or freshly formatted for MinIO to start successfully.
MINIO_SERVER_URL="https://minio01.dell.stef.lan:9000"
MINIO_VOLUMES="/opt/minio/disk0{1...4}"
# MINIO_OPTS sets any additional commandline options to pass to the MinIO server.
# For example, `--console-address :9001` sets the MinIO Console listen port
MINIO_OPTS="--console-address :9001 --certs-dir /opt/minio/certs"
¶ Call API S3
Réference: https://min.io/docs/minio/linux/developers/python/minio-py.html
¶ Ajout des packages python
sudo dnf install python3-pip
sudo pip3 install minio urlib3
¶ Exemple de script
from minio import Minio
from minio.error import S3Error
import urllib3
httpClient = urllib3.PoolManager(
ca_certs='/home/stef/zen6ca.crt')
client = Minio("minio01.dell.stef.lan:9000",
access_key="dummy01",
secret_key="lemotdepasse",
secure=True,
http_client=httpClient,
)
def main():
# The file to upload, change this path if needed
source_file = "/tmp/test-file.txt"
# The destination bucket and filename on the MinIO server
bucket_name = "python-test-bucket"
destination_file = "my-test-file.txt"
# Make the bucket if it doesn't exist.
found = client.bucket_exists(bucket_name)
if not found:
client.make_bucket(bucket_name)
print("Created bucket", bucket_name)
else:
print("Bucket", bucket_name, "already exists")
# Upload the file, renaming it in the process
client.fput_object(
bucket_name, destination_file, source_file,
)
print(
source_file, "successfully uploaded as object",
destination_file, "to bucket", bucket_name,
)
if __name__ == "__main__":
try:
main()
except S3Error as exc:
print("error occurred.", exc)
Le script actuel m'oblige ouvrir la session TLS via une urllib3,Une correction OS doit je pense être effectuée (mauvaise installation du CA)
Non bloquant
¶ Test
[stef@minio01 ~]$ python3 test-minio.py
Bucket python-test-bucket already exists
/tmp/test-file.txt successfully uploaded as object my-test-file.txt to bucket python-test-bucket
¶ Vérification:
stef@minio01 ~]$ mc ls minio01/python-test-bucket
[2025-06-13 13:55:32 CEST] 16B STANDARD my-test-file.txt
¶ Vérifications fonctionnels & techniques
- Acces API S3
- Acces API S3 TLS
- Acces WebUi
- Accest WebUI TLS
- Gestion via client mc
- Gestion buckets via WebUi
- Gestion buckets via Api S3
- Intégration Docker ( doc à faire )
- Playbook ansible
- Integration OpenLDAP ( en cours )
¶ Reste à faire
- Ajout Noeud (si ces possible)
- Integration KMS (https://min.io/docs/minio/linux/administration/server-side-encryption/server-side-encryption-sse-kms.html)
- La nouvelle WebUI Community est restrictive en terme d'admnistration par rapport à l'ancienne => En ecrire une.
- Integration K8S à tester ( cf https://min.io/docs/minio/kubernetes/upstream/index.html )