Installing MinIO
This page provides an overview of how to install a MinIO S3 compatible storage server on Linux. Generally you won't need to install a MinIO server yourself because an instance is pre-installed on the SIP development VM (SIPVM).
Download and Deploy MinIO
MinIO is distributed as a single binary application, and you can download and deploy it like this:
wget https://dl.min.io/server/minio/release/linux-amd64/minio -O minio
chmod +x minio
sudo mv minio /usr/local/bin/
Create a Service Account for the MinIO Server
useradd -r minio-user -s /sbin/nologin
Create Directories and Set Ownership
sudo mkdir -p /usr/local/share/minio
sudo mkdir -p /etc/minio
chown -R minio-user:minio-user /usr/local/share/minio /etc/minio
Create a Configuration file
Use your editor of choice to create a configuration script:
sudo vi /etc/default/minio
Add the following content:
# MinIO Root Credentials
MINIO_ROOT_USER=admin
MINIO_ROOT_PASSWORD=p@ssw0rd
# MinIO Server Configuration
MINIO_VOLUMES="/usr/local/share/minio"
MINIO_OPTS="--console-address :9001 --address :9000"
Create Systemd Service File
Use your editor of choice to create a new service unit file:
sudo vi /etc/systemd/system/minio.service
Add the following content:
[Unit]
Description=MinIO Object Storage
Documentation=https://min.io/docs/minio/linux/index.html
Wants=network-online.target
After=network-online.target
[Service]
User=minio-user
Group=minio-user
EnvironmentFile=/etc/default/minio
ExecStart=/usr/local/bin/minio server $MINIO_VOLUMES $MINIO_OPTS
Restart=always
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
Register and Start the Service
sudo systemctl daemon-reload
sudo systemctl enable --now minio
The MinIO server can be found at port 9000 and the browser UI at port 9001. Currently both are configured to be accessed only via HTTP. If you need to switch to HTTPS, which you will if you need SQL Server to access the server, continue with the additional steps below:
Create a User Account for Client Access
While clients can access the server using the admin user and password, it's better to create specific user accounts to be used for client access. If you're running a version of MinIO that has a UI, you can manage users through the UI:
- Go to
Identity > Usersand clickCreate User. - Enter the
usernameandpasswordand select thereadonlyorreadwritepolicy as appropriate. - Click the
savebutton.
If you have no UI, you can create users using the mc client. Here are some example commands:
mc alias set myminio https://sipvm:9000 admin p@ssw0rd
mc admin user add myminio sipagent p@ssw0rd
mc admin policy attach myminio readwrite --user sipagent
Configuring MinIO for TLS
If you want to secure the communications between client systems and the MinIO server with HTTPS, you'll need to obtain or create a TLS certificate and configure MinIO to use that certificate.
Make a Certificate Configuration File
Move to the directory that contains your certification authority (local-ca) and then use your favorite text editor to create an OpenSSL configuration file for issuing a server certificate for the MinIO server:
sudo vi minio.cnf
Add the following content:
# minio.cnf
[req]
prompt = no
distinguished_name = dn
default_md = sha256
req_extensions = v3_req
[dn]
CN = sipvm # Primary name (doesn't have to include IP)
[v3_req]
# Key usage for a TLS server cert (RSA)
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = sipvm
DNS.2 = localhost
IP.1 = 192.168.200.2
IP.2 = 127.0.0.1
Before closing the file, alter the values of CN, DNS.1, and IP.1 to be correct for the MinIO server. If the host system is referred to by other DNS names or IP addresses, you can add additional entries (e.g., DNS.3, DNS.4, IP.3, etc.).
Generate a Private Key for the Server
openssl ecparam -genkey -name prime256v1 -noout -out minio.key
Make a Certificate Signing Request
openssl req -new -key minio.key -out minio.csr -config minio.cnf
Create and Sign the Server Certificate
openssl ca -config local-ca.cnf -in minio.csr -out minio.crt -batch
Verify the Server Certificate
openssl verify -CAfile local-ca.crt minio.crt
---
### Install the Certificate into MinIO and Set Permissions
MinIO requires
- The TLS certificate and private key to be located in MINIO_CERTS_DIR
- The TLS certificate to be named public.crt
- The private key to be named private.key
```bash title="Deploy certificate"
sudo mkdir -p /etc/minio/certs
sudo chown -R minio-user:minio-user /etc/minio/certs
sudo chmod 700 /etc/minio/certs
# Copy and protect the certificate
sudo cp minio.crt /etc/minio/certs/public.crt
sudo chown minio-user:minio-user /etc/minio/certs/public.crt
sudo chmod 644 /etc/minio/certs/public.crt
# Copy and protect the private key
sudo cp minio.key /etc/minio/certs/private.key
sudo chown minio-user:minio-user /etc/minio/certs/private.key
sudo chmod 600 /etc/minio/certs/private.key
Edit the MinIO Configuration File
Use your favorite text editor to edit the MinIO configuration file:
sudo vi /etc/default/minio
Append the following to the end of the existing value of MINIO_OPTS:
--certs-dir /etc/minio/certs
Restart MinIO
sudo systemctl restart minio
Test HTTPS Access
Assuming you've already established trust of your CA on the client system, go to that system and attempt to access the MinIO admin UI using the HTTPS protocol:
https://sipvm:9001
If all is well, you should see the MinIO web admin UI, and the browser application should be reporting the connection to the site as secure.