Harshavardhana 669c9da85d Disable federated buckets when etcd is namespaced (#8709)
This is to ensure that when we have multiple tenants
deployed all sharing the same etcd for global bucket
should avoid listing each others buckets, this leads
to information leak which should be avoided unless
etcd is not namespaced for IAM assets in which case
it can be assumed that its a federated setup.

Federated setup and namespaced IAM assets on etcd
is not supported since namespacing is only useful
when you wish to separate the tenants as isolated
instances of MinIO.

This PR allows a new type of behavior, primarily
driven by the usecase of m3(mkube) multi-tenant
deployments with global bucket support.
2019-12-29 08:56:45 -08:00
2019-12-27 15:51:32 +05:30
2016-05-20 13:53:15 -07:00
2014-10-30 21:51:52 -07:00
2019-06-06 16:56:43 -07:00

MinIO Quickstart Guide

Slack Go Report Card Docker Pulls

MinIO

MinIO is High Performance Object Storage released under Apache License v2.0. It is API compatible with Amazon S3 cloud storage service. Using MinIO build high performance infrastructure for machine learning, analytics and application data workloads.

Docker Container

Stable

docker pull minio/minio
docker run -p 9000:9000 minio/minio server /data

Edge

docker pull minio/minio:edge
docker run -p 9000:9000 minio/minio:edge server /data

NOTE: Docker will not display the default keys unless you start the container with the -it(interactive TTY) argument. Generally, it is not recommended to use default keys with containers. Please visit MinIO Docker quickstart guide for more information here

macOS

Homebrew

Install minio packages using Homebrew

brew install minio/stable/minio
minio server /data

NOTE: If you previously installed minio using brew install minio then it is recommended that you reinstall minio from minio/stable/minio official repo instead.

brew uninstall minio
brew install minio/stable/minio

Binary Download

Platform Architecture URL
Apple macOS 64-bit Intel https://dl.min.io/server/minio/release/darwin-amd64/minio
chmod 755 minio
./minio server /data

GNU/Linux

Binary Download

Platform Architecture URL
GNU/Linux 64-bit Intel https://dl.min.io/server/minio/release/linux-amd64/minio
wget https://dl.min.io/server/minio/release/linux-amd64/minio
chmod +x minio
./minio server /data
Platform Architecture URL
GNU/Linux ppc64le https://dl.min.io/server/minio/release/linux-ppc64le/minio
wget https://dl.min.io/server/minio/release/linux-ppc64le/minio
chmod +x minio
./minio server /data

Microsoft Windows

Binary Download

Platform Architecture URL
Microsoft Windows 64-bit https://dl.min.io/server/minio/release/windows-amd64/minio.exe
minio.exe server D:\Photos

FreeBSD

Port

Install minio packages using pkg

pkg install minio
sysrc minio_enable=yes
sysrc minio_disks=/home/user/Photos
service minio start

Install from Source

Source installation is only intended for developers and advanced users. If you do not have a working Golang environment, please follow How to install Golang. Minimum version required is go1.13

GO111MODULE=on go get github.com/minio/minio

Allow port access for Firewalls

By default MinIO uses the port 9000 to listen for incoming connections. If your platform blocks the port by default, you may need to enable access to the port.

iptables

For hosts with iptables enabled (RHEL, CentOS, etc), you can use iptables command to enable all traffic coming to specific ports. Use below command to allow access to port 9000

iptables -A INPUT -p tcp --dport 9000 -j ACCEPT
service iptables restart

Below command enables all incoming traffic to ports ranging from 9000 to 9010.

iptables -A INPUT -p tcp --dport 9000:9010 -j ACCEPT
service iptables restart

ufw

For hosts with ufw enabled (Debian based distros), you can use ufw command to allow traffic to specific ports. Use below command to allow access to port 9000

ufw allow 9000

Below command enables all incoming traffic to ports ranging from 9000 to 9010.

ufw allow 9000:9010/tcp

firewall-cmd

For hosts with firewall-cmd enabled (CentOS), you can use firewall-cmd command to allow traffic to specific ports. Use below commands to allow access to port 9000

firewall-cmd --get-active-zones

This command gets the active zone(s). Now, apply port rules to the relevant zones returned above. For example if the zone is public, use

firewall-cmd --zone=public --add-port=9000/tcp --permanent

Note that permanent makes sure the rules are persistent across firewall start, restart or reload. Finally reload the firewall for changes to take effect.

firewall-cmd --reload

Test using MinIO Browser

MinIO Server comes with an embedded web based object browser. Point your web browser to http://127.0.0.1:9000 ensure your server has started successfully.

Screenshot

Test using MinIO Client mc

mc provides a modern alternative to UNIX commands like ls, cat, cp, mirror, diff etc. It supports filesystems and Amazon S3 compatible cloud storage services. Follow the MinIO Client Quickstart Guide for further instructions.

Pre-existing data

When deployed on a single drive, MinIO server lets clients access any pre-existing data in the data directory. For example, if MinIO is started with the command minio server /mnt/data, any pre-existing data in the /mnt/data directory would be accessible to the clients.

The above statement is also valid for all gateway backends.

Upgrading MinIO

MinIO server supports rolling upgrades, i.e. you can update one MinIO instance at a time in a distributed cluster. This allows upgrades with no downtime. Upgrades can be done manually by replacing the binary with the latest release and restarting all servers in a rolling fashion. However, we recommend all our users to use mc admin update from the client. This will update all the nodes in the cluster and restart them, as shown in the following command from the MinIO client (mc):

mc admin update <minio alias, e.g., myminio>

Important things to remember during upgrades:

  • mc admin update will only work if the user running MinIO has write access to the parent directory where the binary is located, for example if the current binary is at /usr/local/bin/minio, you would need write access to /usr/local/bin.
  • In the case of federated setups mc admin update should be run against each cluster individually. Avoid updating mc until all clusters have been updated.
  • If you are updating the server it is always recommended (unless explicitly mentioned in MinIO server release notes), to update mc once all the servers have been upgraded using mc update.
  • mc admin update is disabled in docker/container environments, container environments provide their own mechanisms for updating running containers.
  • If you are using Vault as KMS with MinIO, ensure you have followed the Vault upgrade procedure outlined here: https://www.vaultproject.io/docs/upgrading/index.html
  • If you are using etcd with MinIO for the federation, ensure you have followed the etcd upgrade procedure outlined here: https://github.com/etcd-io/etcd/blob/master/Documentation/upgrades/upgrading-etcd.md

Explore Further

Contribute to MinIO Project

Please follow MinIO Contributor's Guide

Caveats

MinIO in its default mode doesn't use MD5Sum checkums of incoming streams unless requested by the client in Content-Md5 header for validation. This may lead to incompatibility with rare S3 clients like s3ql which unfortunately do not set Content-Md5 but depend on hex MD5Sum for the stream to be calculated by the server. MinIO considers this as a bug in s3ql and should be fixed on the client side because MD5Sum is a poor way to checksum and validate the authenticity of the objects. Although MinIO provides a workaround until client applications are fixed use --compat option instead to start the server.

./minio --compat server /data

License

FOSSA Status

Languages
Go 99%
Shell 0.8%
Makefile 0.1%