Skip to content

Installing MinIO

This page provides an overview of how to install a MinIO S3 compatible storage server on Linux. Generally you will not need to install a MinIO server yourself because an instance is pre-installed on the SIP development VM (SIPVM).

Download and Deploy MinIO

MinIO is distributed as a single binary application, and can be downloaded and deployed like this:

wget https://dl.min.io/server/minio/release/linux-amd64/minio -O minio
chmod +x minio
sudo mv minio /usr/local/bin/

Create a Service Account for the MinIO Server

useradd -r minio-user -s /sbin/nologin

Create Directories and Set Ownership

sudo mkdir -p /usr/local/share/minio
sudo mkdir -p /etc/minio
chown -R minio-user:minio-user /usr/local/share/minio /etc/minio

Create a Configuration file

Using your editor of choice to create a configuration script:

sudo vi /etc/default/minio

Then add the following content:

# MinIO Root Credentials
MINIO_ROOT_USER=admin
MINIO_ROOT_PASSWORD=p@ssw0rd

# MinIO Server Configuration
MINIO_VOLUMES="/usr/local/share/minio"
MINIO_OPTS="--console-address :9001 --address :9000"

Create Systemd Service File

Use your editor of choice to create a new service unit file:

sudo vi /etc/systemd/system/minio.service

Then add the following content:

[Unit]
Description=MinIO Object Storage
Documentation=https://min.io/docs/minio/linux/index.html
Wants=network-online.target
After=network-online.target

[Service]
User=minio-user
Group=minio-user
EnvironmentFile=/etc/default/minio
ExecStart=/usr/local/bin/minio server $MINIO_VOLUMES $MINIO_OPTS
Restart=always
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Register and Start The Service

sudo systemctl daemon-reload
sudo systemctl enable --now minio

The MinIO server can be found at port 9000 and the browser UI at port 9001. Currently both are configured to be accessed only via HTTP. If you need to switch to HTTPS, which you will if you need SQL Server to access the server, then continue with the additional steps below:

Create a User Account for Client Access

While clients can access the server using the admin user and password, it is prefereble to create a specific user accounts to be used for client access. If you are running a version of MinIO that has a UI then you can manage users through the UI:

  • Go to Identity > Users and click Create User
  • Enter the username and password and select the readonly or reqdwrite policy as appropriate.
  • Click the save button.

If you have no UI you can create users using the mc client. Example commands:

mc alias set myminio https://sipvm:9000 admin p@ssw0rd
mc admin user add myminio sipagent p@ssw0rd
mc admin policy attach myminio readwrite --user sipagent

Configuring MinIO for TLS

If you wish to secure the communications between client systems and the MinIO server with HTTPS when you need to obtain or create a TLS certificate and configure MinIO to use that certificate

Make a Certificate Configuration File

Move to the directory that contains your certification authority (local-ca) and then Use your favorite text editor to create an OpenSSL configuration file for issuing a server certificate for the MinIO server:

sudo vi minio.cnf

Then add the following content:

# minio.cnf
[req]
prompt              = no
distinguished_name  = dn
default_md          = sha256
req_extensions      = v3_req

[dn]
CN = sipvm # Primary name (doesn't have to include IP)

[v3_req]
# Key usage for a TLS server cert (RSA)
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = sipvm
DNS.2 = localhost
IP.1  = 192.168.200.2
IP.2  = 127.0.0.1

Before closing the file, alter the values of CN, DNS.1 and IP.1 to be correct for the MinIO server. If the host system is referred to by other DNS names or IP addresses then you can add additional entries (e.g. DNS.3, DNS.4, IP.3, etc.)

Generate a Private Key for the Server

openssl ecparam -genkey -name prime256v1 -noout -out minio.key

Make a Certificate Signing Request

openssl req -new -key minio.key -out minio.csr -config minio.cnf

Create and Sign the Server Certificate

openssl ca -config local-ca.cnf -in minio.csr -out minio.crt -batch

Verify the Server Certificate

openssl verify -CAfile local-ca.crt minio.crt

Install the Certificate into MinIO and Set Permissions

MinIO requires:

  • The TLS certificate and private key to be located in MINIO_CERTS_DIR
  • The TLS certificate to be named public.crt
  • The private key to be named private.key
sudo mkdir -p /etc/minio/certs
sudo chown -R minio-user:minio-user /etc/minio/certs
sudo chmod 700 /etc/minio/certs

# Copy and protect the certificate
sudo cp minio.crt /etc/minio/certs/public.crt
sudo chown minio-user:minio-user /etc/minio/certs/public.crt
sudo chmod 644 /etc/minio/certs/public.crt

# Copy and protect the private key
sudo cp minio.key /etc/minio/certs/private.key
sudo chown minio-user:minio-user /etc/minio/certs/private.key
sudo chmod 600 /etc/minio/certs/private.key

Edit the MinIO Configuration File

Use your favorite text editor to edit the MinIO configuration file:

sudo vi /etc/default/minio

And append this to end of the existing value of MINIO_OPTS:

--certs-dir /etc/minio/certs

Restart MinIO

sudo systemctl restart minio

Test HTTPS Access

Assuming that you have already established trust of your CA on the client system, go to that system and attempt to access the MinIO admin UI using the HTTPS protocol:

https://sipvm:9001

If all is well you should see the MinIO web admin UI, and the browser application should be reporting the connection to the site as secure.