minio/docs/config
Harshavardhana d28bcb4f84 Migrate all backend at .minio.sys/config to encrypted backend (#8474)
- Supports migrating only when the credential ENVs are set,
  so any FS mode deployments which do not have ENVs set will
  continue to remain as is.
- Credential ENVs can be rotated using MINIO_ACCESS_KEY_OLD
  and MINIO_SECRET_KEY_OLD envs, in such scenarios it is allowed
  to rotate the encrypted content to a new admin key.
2019-11-01 15:53:16 -07:00
config.sample.json Migrate config to KV data format (#8392) 2019-10-22 22:59:13 -07:00
README.md Migrate all backend at .minio.sys/config to encrypted backend (#8474) 2019-11-01 15:53:16 -07:00

MinIO Server Config Guide

Configuration Directory

Up to MinIO release RELEASE.2018-08-02T23-11-36Z, the MinIO server configuration file (config.json) was stored in the configuration directory specified by --config-dir, which defaulted to ${HOME}/.minio. From releases after RELEASE.2018-08-18T03-49-57Z, the configuration file (and only the configuration file) has been migrated to the storage backend, that is, the directory passed to the MinIO server when it is started.

You can specify the location of your existing config using --config-dir; MinIO will migrate the config.json to your backend storage. Upon successful migration, your current config.json will be renamed to config.json.deprecated in your current --config-dir. All your existing configurations are honored after this migration.

Additionally, --config-dir is now a legacy option which is scheduled for removal in the future, so please update your local startup and Ansible scripts accordingly.

minio server /data

MinIO also encrypts all the config, IAM and policies content with admin credentials.

Certificate Directory

TLS certificates by default are stored under ${HOME}/.minio/certs directory. You need to place certificates here to enable HTTPS based access. Read more about How to secure access to MinIO server with TLS.

Following is the directory structure for MinIO server with TLS certificates.

$ mc tree --files ~/.minio
/home/user1/.minio
└─ certs
   ├─ CAs
   ├─ private.key
   └─ public.crt

You can provide a custom certs directory using --certs-dir command line option.

Credentials

MinIO admin (root) credentials can only be changed using the environment variables MINIO_ACCESS_KEY and MINIO_SECRET_KEY. MinIO uses the combination of these two values to encrypt the config stored at the backend.

export MINIO_ACCESS_KEY=minio
export MINIO_SECRET_KEY=minio123
minio server /data

Rotating encryption with new credentials

Additionally, if you wish to change the admin credentials, MinIO will automatically detect this and re-encrypt with the new credentials as shown below. For this one time only, the special ENVs shown below need to be set to rotate the encryption config.

Old ENVs are never remembered in memory and are destroyed right after they are used to migrate your existing content with new credentials. You are safe to remove them after the server has successfully started, by restarting the services once again.

export MINIO_ACCESS_KEY=newminio
export MINIO_SECRET_KEY=newminio123
export MINIO_ACCESS_KEY_OLD=minio
export MINIO_SECRET_KEY_OLD=minio123
minio server /data

Once the migration is complete and the server has started successfully, remove the MINIO_ACCESS_KEY_OLD and MINIO_SECRET_KEY_OLD environment variables and restart the server.
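
The rotation steps above depend on which of the four variables are present when the server starts. As an added example (not part of the MinIO README or code base), this shell function classifies an environment listing before a restart. The function names env_get and minio_cred_state and the state words are this example's own, and values are assumed to be unquoted.

```sh
#!/bin/sh
# Added example, not MinIO code. State names are this script's own labels.

# Print the last value assigned to variable $2 in env text $1.
# Accepts "NAME=value" and "export NAME=value"; values are assumed unquoted.
env_get() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}$2=//p" |
        tail -n 1
}

# Read an environment listing on stdin and print one state word.
minio_cred_state() {
    text=$(cat)
    ak=$(env_get "$text" MINIO_ACCESS_KEY)
    sk=$(env_get "$text" MINIO_SECRET_KEY)
    oak=$(env_get "$text" MINIO_ACCESS_KEY_OLD)
    osk=$(env_get "$text" MINIO_SECRET_KEY_OLD)
    if [ -z "$ak" ] || [ -z "$sk" ]; then
        echo "no-credentials"    # both credential ENVs are needed for encryption
    elif [ -z "$oak" ] && [ -z "$osk" ]; then
        echo "steady"            # normal start, nothing to rotate
    elif [ -z "$oak" ] || [ -z "$osk" ]; then
        echo "partial-old"       # the page always sets both *_OLD variables
    elif [ "$oak" = "$ak" ] && [ "$osk" = "$sk" ]; then
        echo "old-same-as-new"   # nothing changes; drop the *_OLD variables
    else
        echo "rotate"            # rotation start; remove *_OLD afterwards
    fi
}

# Constructed sample: the rotation environment shown above. Prints "rotate".
minio_cred_state <<'EOF'
export MINIO_ACCESS_KEY=newminio
export MINIO_SECRET_KEY=newminio123
export MINIO_ACCESS_KEY_OLD=minio
export MINIO_SECRET_KEY_OLD=minio123
EOF
```

A "rotate" result seen on a start after the migration has already completed means the old credentials are still sitting in the service environment and should be removed.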

Region

| Field | Type | Description |
| --- | --- | --- |
| region name=my_region | string | region describes the physical location of the server. By default it is blank. You may override this field with MINIO_REGION_NAME environment variable. If you are unsure leave it unset. |

Example:

export MINIO_REGION_NAME="my_region"
minio server /data

Worm

| Field | Type | Description |
| --- | --- | --- |
| worm state=on | string | Enable this to turn on Write-Once-Read-Many. By default it is set to off. You may override this field with MINIO_WORM environment variable. |

Example:

export MINIO_WORM_STATE=on
minio server /data

Storage Class

| Field | Type | Description |
| --- | --- | --- |
| storageclass | | Set storage class for configurable data and parity, on a per-object basis. |
| storageclass standard=EC:4 | string | Value for standard storage class. It should be in the format EC:Parity, for example to set 4 disk parity for standard storage class objects, set this field to EC:4. |
| storageclass rrs=EC:2 | string | Value for reduced redundancy storage class. It should be in the format EC:Parity, for example to set 3 disk parity for reduced redundancy storage class objects, set this field to EC:3. |

By default, parity for objects with standard storage class is set to N/2, and parity for objects with reduced redundancy storage class is set to 2. Read more about storage class support in MinIO server here.

Cache

| Field | Type | Description |
| --- | --- | --- |
| cache drives="/mnt/drive1;/mnt/drive2;/mnt/cache{1...3}" | []string | List of mounted file system drives with atime support enabled |
| cache exclude="*.pdf;mybucket/*" | []string | List of wildcard patterns for prefixes to exclude from cache |
| cache expiry=90 | int | Days to cache expiry |
| cache quota=70 | int | Percentage of disk available to cache |

Notify

| Field | Type | Description |
| --- | --- | --- |
| notify_amqp | | Configure to publish MinIO events via AMQP target. |
| notify_nats | | Configure to publish MinIO events via NATS target. |
| notify_elasticsearch | | Configure to publish MinIO events via Elasticsearch target. |
| notify_redis | | Configure to publish MinIO events via Redis target. |
| notify_postgresql | | Configure to publish MinIO events via PostgreSQL target. |
| notify_kafka | | Configure to publish MinIO events via Apache Kafka target. |
| notify_webhook | | Configure to publish MinIO events via Webhooks target. |
| notify_mysql | | Configure to publish MinIO events via MySQL target. |
| notify_mqtt | | Configure to publish MinIO events via MQTT target. |

Accessing configuration file

All configuration changes can be made using mc admin config get/set commands. The following sections provide a brief explanation of the fields and how to customize them. A complete example of config.json is available here.

Environment only settings

Browser

Enable or disable access to web UI. By default it is set to on. You may override this field with MINIO_BROWSER environment variable.

Example:

export MINIO_BROWSER=off
minio server /data

Domain

By default, MinIO supports path-style requests that are of the format http://mydomain.com/bucket/object. MINIO_DOMAIN environment variable is used to enable virtual-host-style requests. If the request Host header matches with (.+).mydomain.com then the matched pattern $1 is used as bucket and the path is used as object. More information on path-style and virtual-host-style here.

Example:

export MINIO_DOMAIN=mydomain.com
minio server /data

For advanced use cases, the MINIO_DOMAIN environment variable supports multiple domains as comma-separated values.

export MINIO_DOMAIN=sub1.mydomain.com,sub2.mydomain.com
minio server /data
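
The matching rule described above, as an added example that is not part of the MinIO README or code base: a shell function that applies the (.+).domain rule to a Host header for each domain in a comma-separated MINIO_DOMAIN value and falls back to path-style when none matches. The function name resolve_request, its output format, and the port stripping and lower-casing of the host are assumptions of this example.

```sh
#!/bin/sh
# Added example, not MinIO code: the Host-header rule from the text above.
# Usage: resolve_request HOST PATH DOMAINS
#   HOST    request Host header (an optional :port is dropped; no IPv6 literals)
#   PATH    request path, e.g. /bucket/object
#   DOMAINS value of MINIO_DOMAIN (comma separated, may be empty)
# Prints "<style> bucket=<bucket> object=<object>".
resolve_request() {
    # Host names are case-insensitive, so compare in lower case.
    host=$(printf '%s' "${1%:*}" | tr 'A-Z' 'a-z')
    path=${2#/}
    for d in $(printf '%s' "$3" | tr ',' ' '); do
        case $host in
            ?*".$d")                  # (.+).<domain>: the prefix is the bucket
                bucket=${host%".$d"}
                echo "virtual-host bucket=$bucket object=$path"
                return 0 ;;
        esac
    done
    # No configured domain matched: path-style, first path segment is the bucket.
    case $path in
        */*) echo "path bucket=${path%%/*} object=${path#*/}" ;;
        *)   echo "path bucket=$path object=" ;;
    esac
}

# Constructed requests against MINIO_DOMAIN=sub1.mydomain.com,sub2.mydomain.com
domains=sub1.mydomain.com,sub2.mydomain.com
resolve_request "photos.sub2.mydomain.com:9000" "/2019/cat.jpg" "$domains"
resolve_request "sub1.mydomain.com" "/photos/2019/cat.jpg" "$domains"
resolve_request "photos.elsewhere.example" "/photos/2019/cat.jpg" "$domains"
```

With MINIO_DOMAIN set, the bucket comes from the Host header rather than the path, so a reverse proxy in front of the server has to pass the client's Host header through unchanged for virtual-host-style requests to resolve to the intended bucket.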

Explore Further