How to Set Up Minio Object Storage on Linux with Systemd

Introduction:

Minio is an open-source object storage server that is compatible with the Amazon S3 API. It is a lightweight, high-performance solution for storing large amounts of unstructured data like images, videos, log files, and backups. This guide will take you through the process of installing Minio on a Linux server and configuring it to run as a systemd service.

Prerequisites:

• A Linux server with root or sudo access.

• Internet access to download the Minio binary.

Step 1: Set Up Directories

The first step is to create the necessary directories for the Minio installation and backup storage.

mkdir -p /opt/minio/bin
mkdir /backup

• /opt/minio/bin:- will hold the Minio server binary.

• /backup:- will be the data partition where Minio stores its objects.

Step 2: Create a Minio User

Next, we’ll create a dedicated user for running the Minio service. This user will have no login privileges and will be used solely to manage Minio.

useradd -s /sbin/nologin -d /opt/minio minio

This command creates a new user named minio with no shell access and sets /opt/minio as its home directory.

Step 3: Install the Minio Server Binary

We’ll now download the Minio server binary and set it to be executable.

wget https://dl.min.io/server/minio/release/linux-amd64/minio -O /opt/minio/bin/minio
chmod +x /opt/minio/bin/minio

This command fetches the Linux x64 binary of the Minio server and ensures that it is executable.

Step 4: Create a Minio Configuration File

Minio requires a configuration file to define key environment variables, such as the location of the data partition. We’ll create this file under /opt/minio/.

vim /opt/minio/minio.conf

Add the following lines:

MINIO_VOLUMES="/backup"
MINIO_OPTS="--console-address :9001"
MINIO_ROOT_USER="root"
MINIO_ROOT_PASSWORD="Minio1234"

This configuration specifies:

• MINIO_VOLUMES:- The directory where Minio will store data.

• MINIO_OPTS:- Custom options, in this case, setting the console to be accessible on port 9001.

• MINIO_ROOT_USER and MINIO_ROOT_PASSWORD:- Credentials for accessing the Minio server.

Step 5: Set File Permissions

To ensure that the minio user has the necessary permissions, we’ll change the ownership of the /opt/minio and /backup directories.

chown -R minio:minio /opt/minio
chown -R minio:minio /backup

This command recursively sets the ownership of all files and directories under /opt/minio and /backup to the minio user and group.

Step 6: Configure Minio as a Systemd Service

Systemd is a system and service manager for Linux. We’ll create a systemd service file for Minio, which will allow us to start, stop, and manage Minio like any other service.

Create the service file:

vim /etc/systemd/system/minio.service

Copy the following configuration into the file:

[Unit]
Description=Minio
Documentation=https://docs.minio.io
Wants=network-online.target
After=network-online.target
AssertFileIsExecutable=/opt/minio/bin/minio

[Service]
WorkingDirectory=/opt/minio

User=minio
Group=minio

#PermissionsStartOnly=true

EnvironmentFile=-/opt/minio/minio.conf
ExecStartPre=/bin/bash -c "[ -n \"${MINIO_VOLUMES}\" ] || echo \"Variable MINIO_VOLUMES not set in /opt/minio/minio.conf\""

ExecStart=/opt/minio/bin/minio server $MINIO_OPTS $MINIO_VOLUMES 
StandardOutput=journal
StandardError=inherit
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop Minio
KillSignal=SIGTERM
SendSIGKILL=no
SuccessExitStatus=0
[Install]
WantedBy=multi-user.target

This configuration ensures that Minio starts with the correct environment settings and permissions, integrating smoothly with the Linux service management framework.

Step 7: Enable and Start the Minio Service

To make sure Minio starts on boot and runs immediately, enable and start the service using the following commands:

systemctl enable minio
systemctl start minio

Step 8: Verify Minio Service Status

Finally, confirm that the Minio service is running correctly by checking its status:

systemctl status minio

You should see an output indicating that the service is active and running without issues.

Step 9: Secure Minio with SSL/TLS

Additionally, to secure Minio with SSL/TLS encryption, follow these steps:

• Generate a Self-Signed SSL/TLS Certificate

Use the script below to generate a self-signed certificate:

#!/bin/bash

# Prompt the user for each part of the subject
read -p "Enter Country (e.g., US): " COUNTRY
read -p "Enter State (e.g., California): " STATE
read -p "Enter Locality (e.g., San Francisco): " LOCALITY
read -p "Enter Organization (e.g., MyCompany): " ORGANIZATION
read -p "Enter Organizational Unit (e.g., IT): " ORG_UNIT
read -p "Enter Common Name (e.g., domain.com): " COMMON_NAME

# Construct the subject string
SUBJECT="/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORGANIZATION/OU=$ORG_UNIT/CN=$COMMON_NAME"

# Prompt the user for the domain names or IPs to include in the SAN (Subject Alternative Name)
read -p "Enter the domain names or IP addresses for the SAN (comma-separated, e.g., domain.com, www.domain.com, 192.168.1.1): " DOMAINS

# Generate CA key and certificate
openssl genrsa -out CAcert.key 4096
openssl req -x509 -new -nodes -key CAcert.key -sha512 -days 3650 -out CAcert.crt -subj "$SUBJECT"

# Generate server key
openssl genrsa -out Server.key 4096

# Generate a CSR using the server key
openssl req -sha512 -new -key Server.key -out Server.csr -subj "$SUBJECT"

# Create v3.ext file with SAN entries
echo "authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]" > v3.ext

# Convert the comma-separated domains/IPs into the v3.ext format
IFS=',' read -ra ADDR <<< "$DOMAINS"
for i in "${!ADDR[@]}"; do
    # Check if the input is an IP address or domain
    if [[ "${ADDR[$i]}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
        echo "IP.$(($i + 1))=${ADDR[$i]}" >> v3.ext
    else
        echo "DNS.$(($i + 1))=${ADDR[$i]}" >> v3.ext
    fi
done

# Generate the server certificate using the CSR and CA certificate
openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA CAcert.crt -CAkey CAcert.key -CAcreateserial \
    -in Server.csr \
    -out Server.crt

# Clean up the serial file and CSR
rm -f Server.csr CAcert.srl

# Notify user of completion
echo "Self-signed SSL certificate and key have been generated:"
echo "CA Certificate: CAcert.crt"
echo "CA Key: CAcert.key"
echo "Server Certificate: Server.crt"
echo "Server Key: Server.key"

• Rename certificates

Rename the generated certificate files for Minio:

mv Server.crt public.crt
mv Server.key private.key

• Create the necessary directories for the certificate and copy ssl certificates in these directories

Create directories for the certificates and copy them into the appropriate locations:

mkdir -p /opt/minio/certs/CAs
mkdir -p /opt/minio/certs/internal-example.net
mkdir -p /opt/minio/certs/s3-example.net

• Copy Certificates

Copy the certificates to the newly created directories:

cp CAcert.crt /opt/minio/certs/CAs
cp CAcert.key /opt/minio/certs/CAs
cp public.crt /opt/minio/certs/internal-example.net
cp private.key /opt/minio/certs/internal-example.net
cp public.crt /opt/minio/certs/s3-example.net
cp private.key /opt/minio/certs/s3-example.net
cp public.crt /opt/minio/certs
cp private.key /opt/minio/certs
chmod +x minio:minio /opt/minio/certs

• Update Minio Configuration for SSL/TLS

Edit the Minio configuration file to include the SSL certificate and key paths:

vim /opt/minio/minio.conf

Add or update the following lines:

MINIO_OPTS="--console-address :9001 --certs-dir /opt/minio/certs"

• Restart Minio Service

Restart the Minio service to apply the new SSL/TLS configuration:

systemctl restart minio

• Verify SSL/TLS Configuration

Access Minio via HTTPS at your domain. You should see that the connection is secured with SSL/TLS.

Conclusion:

By following these steps, Minio is now configured to securely handle your object storage needs, offering a reliable and scalable solution. If you have any questions or encounter issues, feel free to comment below. Keep exploring Linux and Kubernetes!