search string side menu

BRIX On-Premises > Prepare infrastructure > Databases > Prepare external databases / MinIO S3

MinIO S3

This article shows an example of how to deploy MinIO as an S3 object storage for BRIX. The article covers deploying MinIO in a single-node single-drive configuration (SNSD). SNSD deployments don’t provide better reliability or availability apart from what the underlying storage volume (RAID, LVM, ZFS, etc.) implements. Learn more in the MinIO documentation.

начало внимание

In the example in this article, the bucket name is s3elma365, the user is elma365user, and the password is SecretPassword.

When you set up MinIO for your company, follow your organization’s security policies.

конец внимание

The configuration consists of several steps:

  1. Prepare the drive.
  2. Install MinIO.
  3. Install MinIO Client.
  4. Create a user and a group named minio-user.
  5. Create the systemd service for MinIO.
  6. Create an environment file for MinIO.
  7. Run the MinIO service.
  8. Set up connection to MinIO.
  9. Create a bucket.
  10. Configure CORS.
  11. Connect BRIX to MinIO.

Step 1. Prepare the drive (optional)

  1. Create a directory to mount the drive:

sudo mkdir -p /var/lib/minio/data1

For better performance, we recommend that you use the XFS file system. In the example, we are going to use the /dev/sdb drive.

  1. Prepare the XFS file system on the drive:

sudo mkfs.xfs /dev/sdb -L DISK1

  1. Add a drive mount point in the /etc/fstab file:

LABEL=DISK1 /var/lib/minio/data1 xfs defaults,noatime 0 2

  1. Make sure the prepared drive has been mounted:

sudo mount -av

Step 2. Install MinIO

Download the latest stable MinIO binary file and install it in the system:

wget https://dl.min.io/server/minio/release/linux-amd64/minio
chmod +x minio
sudo mv minio /usr/local/bin/

Step 3. Install MinIO Client

Download the latest stable MinIO Client binary file and install it in the system:

wget https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x mс
sudo mv mc /usr/local/bin/

Step 4. Create a user and a group named minio-user

  1. Create a user and a group named minio-user:

sudo groupadd -r minio-user
sudo useradd -M -r -g minio-user minio-user
sudo chown minio-user:minio-user /var/lib/minio/data1

  1. Create directories to store TLS certificates using the following command:

sudo mkdir -p /etc/minio/certs/CAs

  1. Set permissions for directories used in MinIO:

sudo chown -R minio-user:minio-user /etc/minio
sudo chown -R minio-user:minio-user /var/lib/minio

Step 5. Create the systemd service for MinIO

  1. Download the MinIO service official file:

sudo curl -O https://raw.githubusercontent.com/minio/minio-service/master/linux-systemd/minio.service

  1. Check the content of the minio.service file before you use it by opening it in a text editor and move it to the systemd configuration directory:

sudo mv minio.service /etc/systemd/system

начало внимание

At this step, don’t run minio.service yet.

конец внимание

Step 6. Create an environment file for MinIO

Create an environment file in /etc/default/minio. The MinIO service uses this file as a source of all environment variables used by MinIO and the minio.service file.

Example of an environment file in /etc/default/minio:

# Set the hosts and volumes MinIO uses at startup
# The command uses MinIO expansion notation {x...y} to denote a
# sequential series.
 
# The following example covers four MinIO hosts
# with4 drives each at the specified hostname and drive locations.
# The command includes the port that each MinIO server listens on
# (default 9000)
 
MINIO_VOLUMES="/var/lib/minio/data1/minio"
 
# Set all MinIO server options
 
# The following explicitly sets the MinIO Console listen address to
# port 9001 on all network interfaces. The default behavior is dynamic
# port selection.
 
MINIO_OPTS="--certs-dir /etc/minio/certs --console-address :9001"
 
MINIO_REGION="eu-central-1"
 
# Set the root username. This user has unrestricted permissions to
# perform S3 and administrative API operations on any resource in the
# deployment.
 
# Defer to your organizations requirements for superadmin user name.
 
MINIO_ROOT_USER=elma365user
 
# Set the root password
 
# Use a long, random, unique string that meets your organizations
# requirements for passwords.
 
MINIO_ROOT_PASSWORD=SecretPassword
 
# Set to the URL of the load balancer for the MinIO deployment
# This value *must* match across all MinIO servers. If you do
# not have a load balancer, set this value to to any *one* of the
# MinIO hosts in the deployment as a temporary measure.
 
# MINIO_SERVER_URL="https://minio.example:9000"

Where:

  • MINIO_VOLUMES is the directory where files uploaded to S3 will be stored.
  • MINIO_ROOT_USER is the username of the MinIO administrator.
  • MINIO_ROOT_PASSWORD is the password. We recommend using a password of at least 16 characters.

How to enable TSL/SSL in MinIO

 
To make TLS/SSL available in MinIO:

  1. Place the certificate file and the private key file into the /etc/minio/certs directory.
  2. Rename the server certificate file to public.crt.
  3. Rename the private key file to private.key.
  4. If you’re using self-signed certificates, place the root CA file into /etc/minio/certs/CAs.

Read more about TLS/SSL in MinIO in the official MinIO documentation.

Step 7. Run the MinIO service

  1. Run the following commands to start the MinIO service:

sudo systemctl daemon-reload
sudo systemctl enable minio.service
sudo systemctl start minio.service

  1. Make sure that the MinIO service is running and works without errors:

sudo systemctl status minio.service
journalctl -f -u minio.service

Step 8. Set up connection to MinIO

Create an alias for MinIO:

/usr/local/bin/mc alias set minio http://minio.your_domain:9000 elma365user SecretPassword

Step 9. Create a bucket

Important: the bucket in S3 should have the following format: s3elma365*.

начало примера

Examples of bucket names

  • s3elma365
  • s3elma365-dev
  • s3elma365-prod

конец примера

For BRIX to work, create a bucket named s3elma365 by running the following command:

/usr/local/bin/mc mb -p minio/s3elma365 --region=eu-central-1

Step 10. Configure CORS

Cross-Origin Resource Sharing (CORS) is a mechanism to restrict access to web application resources from third-party domains. You can define a list of domains from which requests to the BRIX application are allowed, and specify the available HTTP headers and methods.

Configure CORS in one of the following ways:

  1. Using the CORS configuration file.
  2. Via the web interface of a data management service, e.g. Yandex Object Storage.

Set the CORS settings in the configuration file

  1. Create the cors.xml file with the CORS configuration, for example:

<?xml version=“1.0” encoding=“UTF-8” ?
<CORSConfiguration xmlns=“http://s3.amazonaws.com/doc/2006-03-01/”>
<CORSRule>
<AllowedHeader>*</AllowedHeader>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>PUT</AllowedMethod>
<AllowedMethod>HEAD</AllowedMethod>
<AllowedMethod>POST</AllowedMethod>
<AllowedMethod>DELETE</AllowedMethod>
<AllowedOrigin>https://*.brix.eu</AllowedOrigin>
<MaxAgeSeconds>3000</MaxAgeSeconds>
</CORSRule>
</CORSConfiguration>

Where:

  • AllowedHeader. The headers that are available in the requests. To allow all headers, use the * symbol.
  • AllowedMethod. Allowed HTTP methods, e.g. GET, POST, PUT, DELETE, and HEAD.
  • AllowedOrigin. The sources from which the web application resources can be accessed. To allow access from any domains, use the * symbol. To increase security, it is recommended to specify specific domains, for example https://*.brix.eu.
  • MaxAgeSeconds. To reduce the number of requests and improve performance, you can store in the browser cache the permission for requests from a certain source. It is checked in the preliminary request, which is executed before the main one. Specify the time in seconds during which the permission is stored in the cache and no new preliminary requests are sent.

You can also specify the ExposeHeader parameter in the CORS configuration. This parameter defines the headers that are displayed in responses to requests. Do not specify this parameter in the .xml file if you do not want the headers to be displayed in the responses.

  1. Apply the CORS settings to the bucket using the command:

/usr/local/bin/mc cors set minio/s3elma365 cors.xml

  1. Verify that the CORS settings are applied correctly by running the command:

/usr/local/bin/mc cors get minio/s3elma365 --json

Set the CORS configuration through a data management service

You can configure CORS through the web interface of a data management service.

Example of configuring CORS parameters in Yandex Object Storage:

configure-minio-1

Read more about how to configure CORS in the official Yandex Cloud documentation.

Step 11. Connect BRIX to MinIO

Here are the parameters used to establish a connection with MinIO:

  • address: minio.your_domain:9000
  • bucket: s3elma365
  • region: eu-central-1
  • access key ID: elma365user
  • secret access key: SecretPassword
  • upload method: PUT
  • enable SSL? No

If TLS/SSL connection is used, set the enable SSL? parameter to Yes.

rabbitmq.html configure-system.html