minio
注意:
1. minio要求数据存储位置,是一个单独的磁盘,不能和其他数据共享,所以需要单独挂载一个磁盘
2. 推荐使用SSD磁盘
1、单机部署
1、创建文件夹:/data/minio_sso/{data,conf,logs}
2、/data/minio_sso/data 是单独挂载的磁盘
3、进入到目录 /data/minio_sso
1、下载minio
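# Fetch the server binary over HTTPS: with plain http:// anyone on the network
# path can swap the executable that will later run with access to all object data.
wget https://dl.minio.org.cn/server/minio/release/linux-amd64/minio
# Print the digest and compare it with the checksum published for this release
# before the binary is made executable.
sha256sum minio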
修改权限:
# Mark the downloaded binary as executable so it can be launched as ./minio.
chmod +x minio
2、编写启动脚本
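#!/bin/sh
# Start a single-node MinIO server in the background.
#
# Root credentials. The literals below are this tutorial's sample values and
# are used only when the variables are not already set in the environment.
# The root account controls every bucket and the console listens on all
# interfaces, so export your own MINIO_ROOT_USER / MINIO_ROOT_PASSWORD (a long
# random password) before starting, and keep this file readable by its owner
# only (chmod 700).
export MINIO_ROOT_USER="${MINIO_ROOT_USER:-admin}"
export MINIO_ROOT_PASSWORD="${MINIO_ROOT_PASSWORD:-jm123456.}"
# Embedded web console: on | off
export MINIO_BROWSER=on

MINIO_BASE=/data/minio_sso

# --address          port of the S3 API
# --console-address  port of the web console
# Output goes to the logs directory created next to data/ and conf/; the
# redirection fails, and the server never starts, if the log directory is missing.
nohup "$MINIO_BASE/minio" server \
  --config-dir "$MINIO_BASE/conf" \
  --address ":9555" \
  --console-address ":9556" \
  "$MINIO_BASE/data" \
  > "$MINIO_BASE/logs/minio.log" 2>&1 &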
停止脚本
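#!/bin/bash
# MinIO stop script.
#
# Matches only "minio server" command lines. A bare match on "minio" also hits
# unrelated processes whose arguments contain the word, including this script
# itself when it is started as /data/minio_sso/stop.sh.
pattern='minio server'

if ! pgrep -f "$pattern" > /dev/null; then
  echo "minio service is not running."
  exit 0
fi

# Ask for a clean shutdown first so in-flight writes can finish.
pkill -TERM -f "$pattern"

# Wait up to 10 seconds for the server to exit.
waited=0
while [ "$waited" -lt 10 ] && pgrep -f "$pattern" > /dev/null; do
  sleep 1
  waited=$((waited + 1))
done

# Force-kill only if the graceful stop did not work.
if pgrep -f "$pattern" > /dev/null; then
  pkill -KILL -f "$pattern"
  sleep 1
fi

if pgrep -f "$pattern" > /dev/null; then
  echo "minio service stop failed."
  exit 1
fi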
4、将minio做成服务
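# Write the systemd unit. The quoted 'EOF' keeps the unit text literal
# (no variable or command expansion inside the here-document).
cat > /etc/systemd/system/minio.service <<'EOF'
[Unit]
Description=Minio service
Documentation=https://docs.minio.io/
[Service]
# start.sh launches the server with "nohup ... &" and returns immediately, so
# the unit has to be of the forking type; with the default type systemd would
# treat the returning script as the service and stop the server with it.
Type=forking
# NOTE(review): no User= is set, so the server runs as root. A dedicated
# unprivileged account that owns /data/minio_sso limits what a compromised
# server process can reach.
WorkingDirectory=/data/minio_sso/
ExecStart=/data/minio_sso/start.sh
ExecStop=/data/minio_sso/stop.sh
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF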
修改服务权限
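# A unit file is configuration that systemd only reads, so it gets 644 rather
# than the execute bit. The scripts made executable are the ones the unit
# actually references (start.sh and stop.sh).
chmod 644 /etc/systemd/system/minio.service && chmod +x /data/minio_sso/minio && chmod +x /data/minio_sso/start.sh && chmod +x /data/minio_sso/stop.sh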
详见:服务器/centos
3、访问

2、单机多磁盘部署
1、在单机部署的基础上,挂载多个硬盘
如:
/data/minio_sso/data/storage1 ----硬盘1
/data/minio_sso/data/storage2 ----硬盘2
/data/minio_sso/data/storage3 ----硬盘3
/data/minio_sso/data/storage4 ----硬盘4
2、修改启动脚本
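#!/bin/bash
# chkconfig: 2345 85 15
# description: minio server
#
# Control script for a single-node, multi-drive MinIO server.
# Usage: pow.sh {start|stop|status|logs|restart}

# Root credentials. The literals are this tutorial's sample values and apply
# only when the variables are not already set in the environment; the root
# account controls every bucket, so export a long random password before
# starting and keep this file readable by its owner only.
export MINIO_ROOT_USER="${MINIO_ROOT_USER:-admin}"
export MINIO_ROOT_PASSWORD="${MINIO_ROOT_PASSWORD:-jm123456.}"
# Embedded web console: on | off
export MINIO_BROWSER=on
# Bind address; empty means all interfaces
IP=
# S3 API port
PORT=9555
# Web console port
CONSOLE_PORT=9556
MINIO_BASE=/data/minio_sso
# {1...4} (three dots) is MinIO's own range notation, not a bash brace
# expansion; it has to reach the server unchanged, hence the quotes.
MINIO_DATA="$MINIO_BASE/data/storage{1...4}"
MINIO_RUN_LOG=$MINIO_BASE/logs
MINIO_CONFIG=$MINIO_BASE/conf
PID=minio.pid
PID_FILE="$MINIO_BASE/$PID"

# Print the PIDs of running "$MINIO_BASE/minio server" processes, one per line.
find_server_pids() {
  pgrep -f "$MINIO_BASE/minio server"
}

case "$1" in
  start)
    # The drive set is passed as the positional argument; without it the
    # server has no storage to serve.
    nohup "$MINIO_BASE/minio" server \
      --config-dir "$MINIO_CONFIG" \
      --address "$IP:$PORT" \
      --console-address "$IP:$CONSOLE_PORT" \
      "$MINIO_DATA" \
      > "$MINIO_RUN_LOG/running.log" 2>&1 &
    server_pid=$!
    echo "$server_pid" > "$PID_FILE"
    # Give the process a moment to fail on bad arguments or a busy port
    # before reporting success.
    sleep 1
    if ! kill -0 "$server_pid" 2> /dev/null; then
      echo "=== MinIO failed to start, see $MINIO_RUN_LOG/running.log" >&2
      rm -f "$PID_FILE"
      exit 1
    fi
    echo "=== 启动 MinIO 成功"
    ;;
  stop)
    if [ -s "$PID_FILE" ]; then
      recorded_pid=$(cat "$PID_FILE")
      # Signal the recorded PID only if it still belongs to a MinIO server;
      # after a reboot the same number may be in use by another process.
      if find_server_pids | grep -qx -- "$recorded_pid"; then
        kill "$recorded_pid"
      fi
    fi
    rm -f "$PID_FILE"
    sleep 2
    P_ID=$(find_server_pids)
    if [ -z "$P_ID" ]; then
      echo "=== $MINIO_BASE/minio process not exists or stop success"
    else
      echo "=== $MINIO_BASE/minio process pid is:$P_ID"
      echo "=== begin kill $MINIO_BASE/minio server process, pid is:$P_ID"
      # Unquoted on purpose: P_ID may hold several PIDs.
      kill -9 $P_ID
    fi
    echo "=== 停止 MinIO 成功"
    ;;
  status)
    echo "=== 查看 MinIO 状态"
    # Drop the grep helper itself from the listing.
    ps -ef | grep -w "$MINIO_BASE/minio server" | grep -v "grep"
    ;;
  logs)
    tail -n 200 -f "$MINIO_RUN_LOG/running.log"
    ;;
  restart)
    "$0" stop
    sleep 3
    "$0" start || exit 1
    echo "=== 重启 MinIO 成功"
    ;;
  *)
    # Unknown or missing sub-command: show usage. The exit status stays 0,
    # as it was before this branch existed.
    echo "Usage: $0 {start|stop|status|logs|restart}" >&2
    ;;
esac
exit 0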
3、启动
# pow.sh is the control script shown above; run one sub-command at a time.
# start: launch the server in the background and record its PID in minio.pid
sh pow.sh start
# stop: signal the recorded PID, then kill -9 any server process still found
sh pow.sh stop
# status: list processes matching "$MINIO_BASE/minio server"
sh pow.sh status
# logs: follow running.log, starting from its last 200 lines
sh pow.sh logs
# restart: stop, wait 3 seconds, start
sh pow.sh restart
3、多机多磁盘部署
两台机器:
http://192.168.1.128
http://192.168.1.162
1、在单机多磁盘部署的基础上
编辑启动脚本
添加集群地址:
http://192.168.1.128$MINIO_DATA \
http://192.168.1.162$MINIO_DATA \
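#!/bin/bash
# chkconfig: 2345 85 15
# description: minio server
#
# Control script for one node of the two-node, multi-drive MinIO cluster.
# Usage: pow.sh {start|stop|status|logs|restart}

# Root credentials. Every node of the cluster must use the same pair. The
# literals are this tutorial's sample values and apply only when the variables
# are not already set in the environment; the root account controls every
# bucket, so export a long random password before starting and keep this file
# readable by its owner only.
export MINIO_ROOT_USER="${MINIO_ROOT_USER:-admin}"
export MINIO_ROOT_PASSWORD="${MINIO_ROOT_PASSWORD:-jm123456.}"
# Embedded web console: on | off
export MINIO_BROWSER=on
# Bind address; empty means all interfaces
IP=
# S3 API port
PORT=9555
# Web console port
CONSOLE_PORT=9556
MINIO_BASE=/data/minio_sso
# {1...4} (three dots) is MinIO's own range notation, not a bash brace
# expansion; it has to reach the server unchanged, hence the quotes.
MINIO_DATA="$MINIO_BASE/data/storage{1...4}"
MINIO_RUN_LOG=$MINIO_BASE/logs
MINIO_CONFIG=$MINIO_BASE/conf
PID=minio.pid
PID_FILE="$MINIO_BASE/$PID"

# Print the PIDs of running "$MINIO_BASE/minio server" processes, one per line.
find_server_pids() {
  pgrep -f "$MINIO_BASE/minio server"
}

case "$1" in
  start)
    # One endpoint per cluster node. The endpoints are plain http://, so
    # node-to-node and client traffic, including request credentials, is
    # unencrypted on the wire.
    # NOTE(review): configure TLS on the nodes before this leaves a trusted LAN.
    nohup "$MINIO_BASE/minio" server \
      --config-dir "$MINIO_CONFIG" \
      --address "$IP:$PORT" \
      --console-address "$IP:$CONSOLE_PORT" \
      "http://192.168.1.128$MINIO_DATA" \
      "http://192.168.1.162$MINIO_DATA" \
      > "$MINIO_RUN_LOG/running.log" 2>&1 &
    server_pid=$!
    echo "$server_pid" > "$PID_FILE"
    # Give the process a moment to fail on bad arguments or a busy port
    # before reporting success.
    sleep 1
    if ! kill -0 "$server_pid" 2> /dev/null; then
      echo "=== MinIO failed to start, see $MINIO_RUN_LOG/running.log" >&2
      rm -f "$PID_FILE"
      exit 1
    fi
    echo "=== 启动 MinIO 成功"
    ;;
  stop)
    if [ -s "$PID_FILE" ]; then
      recorded_pid=$(cat "$PID_FILE")
      # Signal the recorded PID only if it still belongs to a MinIO server;
      # after a reboot the same number may be in use by another process.
      if find_server_pids | grep -qx -- "$recorded_pid"; then
        kill "$recorded_pid"
      fi
    fi
    rm -f "$PID_FILE"
    sleep 2
    P_ID=$(find_server_pids)
    if [ -z "$P_ID" ]; then
      echo "=== $MINIO_BASE/minio process not exists or stop success"
    else
      echo "=== $MINIO_BASE/minio process pid is:$P_ID"
      echo "=== begin kill $MINIO_BASE/minio server process, pid is:$P_ID"
      # Unquoted on purpose: P_ID may hold several PIDs.
      kill -9 $P_ID
    fi
    echo "=== 停止 MinIO 成功"
    ;;
  status)
    echo "=== 查看 MinIO 状态"
    # Drop the grep helper itself from the listing.
    ps -ef | grep -w "$MINIO_BASE/minio server" | grep -v "grep"
    ;;
  logs)
    tail -n 200 -f "$MINIO_RUN_LOG/running.log"
    ;;
  restart)
    "$0" stop
    sleep 3
    "$0" start || exit 1
    echo "=== 重启 MinIO 成功"
    ;;
  *)
    # Unknown or missing sub-command: show usage. The exit status stays 0,
    # as it was before this branch existed.
    echo "Usage: $0 {start|stop|status|logs|restart}" >&2
    ;;
esac
exit 0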
2、在集群其他主机上做上面相同的操作,再启动集群中所有服务
# pow.sh is the cluster control script shown above; run one sub-command at a time.
# start: launch the server in the background and record its PID in minio.pid
sh pow.sh start
# stop: signal the recorded PID, then kill -9 any server process still found
sh pow.sh stop
# status: list processes matching "$MINIO_BASE/minio server"
sh pow.sh status
# logs: follow running.log, starting from its last 200 lines
sh pow.sh logs
# restart: stop, wait 3 seconds, start
sh pow.sh restart
3、nginx配置
自己测试的配置
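# Reverse proxy in front of the back-end MinIO nodes (usable for a distributed
# deployment).
# Both listeners below are plain HTTP, so console logins and S3 requests cross
# the network unencrypted.
# NOTE(review): terminate TLS here before exposing this beyond a trusted LAN.
upstream minio_server {
    # server 192.168.1.233:8848 max_fails=3 fail_timeout=5s;
    # server 192.168.1.233:18847 max_fails=3 fail_timeout=5s;
    # server 192.168.1.233:28846 max_fails=3 fail_timeout=5s;
    server 192.168.1.128:9555 weight=1;
    server 192.168.1.162:9555 weight=1;
}
upstream minio_console_server {
    # server 192.168.1.233:8848 max_fails=3 fail_timeout=5s;
    # server 192.168.1.233:18847 max_fails=3 fail_timeout=5s;
    # server 192.168.1.233:28846 max_fails=3 fail_timeout=5s;
    server 192.168.1.128:9556 weight=1;
    server 192.168.1.162:9556 weight=1;
}
# S3 API
server {
    listen 9555;
    server_name 192.168.1.233;
    # nginx rejects request bodies above 1m by default (HTTP 413); 0 disables
    # the limit so object uploads are not cut off at the proxy.
    client_max_body_size 0;
    location / {
        # No URI part after the upstream name: nginx then forwards the request
        # URI exactly as received, which S3 request signatures depend on.
        proxy_pass http://minio_server;
        #proxy_set_header Host $host;
        # $http_host keeps the port the client used, which is part of the
        # signed Host header.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Retry on the other node for these upstream failures.
        proxy_next_upstream http_500 http_502 http_503 http_504 error timeout invalid_header;
    }
}
# Web console
server {
    listen 9556;
    server_name 192.168.1.233;
    # Uploads made through the console pass through this listener too.
    client_max_body_size 0;
    location / {
        proxy_pass http://minio_console_server;
        #proxy_set_header Host $host;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The console opens WebSocket connections for some of its views; they
        # need HTTP/1.1 and the Upgrade headers passed through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_next_upstream http_500 http_502 http_503 http_504 error timeout invalid_header;
    }
}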
网上的配置
# Example found online: two name-based virtual hosts, one for the console and
# one for the S3 API, each balanced over two back-end nodes.
# Console back ends (port 9000 on both nodes).
upstream minio_console {
server 172.16.11.1:9000 max_fails=3 fail_timeout=5s;
server 172.16.11.2:9000 max_fails=3 fail_timeout=5s;
}
# S3 API back ends (port 9029 on both nodes).
upstream minio_api {
server 172.16.11.1:9029 max_fails=3 fail_timeout=5s;
server 172.16.11.2:9029 max_fails=3 fail_timeout=5s;
}
# Console virtual host.
server {
# NOTE(review): port 80 and port 443 share this server block, so the console
# (including its login form) is also served over unencrypted HTTP; there is no
# redirect to HTTPS here.
listen 80;
listen 443 ssl;
server_name cons.minio.com;
ssl_certificate keys/cons/server.crt;
ssl_certificate_key keys/cons/server.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
# NOTE(review): only the cipher list is set; there is no ssl_protocols line, so
# the accepted TLS versions are whatever this nginx build defaults to.
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
client_max_body_size 1G; # raise this value if uploads larger than 1G are needed
client_header_timeout 1m;
client_body_timeout 1m;
proxy_connect_timeout 60s;
proxy_read_timeout 1m;
proxy_send_timeout 1m;
location / {
# Retry on the other back end for these upstream failures.
proxy_next_upstream http_500 http_502 http_503 http_504 error timeout invalid_header;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://minio_console;
# Mark responses as immediately expired so clients do not cache them.
expires 0;
}
}
# S3 API virtual host.
server {
# NOTE(review): as above, port 80 is served by the same block, so S3 requests
# and their signed headers can travel unencrypted.
listen 80;
listen 443 ssl;
server_name api.minio.com;
# Same certificate and key files as the console host (keys/cons/...).
ssl_certificate keys/cons/server.crt;
ssl_certificate_key keys/cons/server.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Requests with a body larger than 1G are rejected by the proxy.
client_max_body_size 1G;
client_header_timeout 1m;
client_body_timeout 1m;
proxy_connect_timeout 60s;
proxy_read_timeout 1m;
proxy_send_timeout 1m;
location / {
proxy_next_upstream http_500 http_502 http_503 http_504 error timeout invalid_header;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://minio_api;
expires 0;
}
}
4、访问

4、minio集群,多机热备份MC
要在linux环境下,实现minio数据两台节点数据同步,达到非集群高可用,查阅一些资料,做了以下测试,记录粗略过程,与大家共同学习。
1.安装包下载
minio、mc安装包下载地址
中国镜像站
中国镜像站
https://dl.minio.org.cn/client/mc/release/linux-amd64
https://dl.minio.org.cn/client/mc/release/linux-amd64/mc
2.安装启动minio-server
准备两台服务器,比如111,112两个地址,分别安装minio-server,安装启动步骤可参考上面
3.安装启动minio-client
3.1 在128上依次执行
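# Run on 192.168.1.128.
# Set the execute bit while the file is still in the current directory, then
# move it and put its new directory on PATH so the mc calls below resolve.
chmod +x mc
mkdir -p /data/minio_sso/client
mv mc /data/minio_sso/client/
export PATH="/data/minio_sso/client:$PATH"
# Register the master and slave endpoints with their account and password.
# Credentials passed as arguments end up in the shell history and are visible
# in the process list; newer mc releases use "mc alias set", which prompts for
# the keys when they are left out.
mc config host add minio_master http://192.168.1.128:9555 admin jm123456.
mc config host add minio_slave http://192.168.1.162:9555 admin jm123456.
# Data flow: 128 -> 162
# NOTE(review): --remove deletes objects on the target that are missing on the
# source. With a mirror running in each direction, a node that comes back with
# stale data may delete newer objects on its peer before they have been copied
# over; verify this failure case before relying on the setup.
mc mirror --remove --overwrite --watch minio_master minio_slave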
3.2 162上依次执行
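# Run on 192.168.1.162.
# Set the execute bit before the move; after it there is no ./mc left to chmod.
chmod +x mc
mv mc /usr/local/bin
# Here the local node (162) is registered as master and 128 as slave.
# Credentials passed as arguments end up in the shell history and are visible
# in the process list; newer mc releases use "mc alias set", which prompts for
# the keys when they are left out.
mc config host add minio_master http://192.168.1.162:9555 admin jm123456.
mc config host add minio_slave http://192.168.1.128:9555 admin jm123456.
# Data flow: 162 -> 128
# NOTE(review): --remove deletes objects on the target that are missing on the
# source. With a mirror running in each direction, a node that comes back with
# stale data may delete newer objects on its peer before they have been copied
# over; verify this failure case before relying on the setup.
mc mirror --remove --overwrite --watch minio_master minio_slave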
4.总结
测试结果:
当两台节点正常运行工作时,两台节点数据一致
当其中某一台宕机后,另一台可继续工作使用
当宕机服务起来后,可同步另一台新增的数据
5、可以做成服务
5、配置桶的策略
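1、自用策略(注意:两条声明的 Principal 均为 "*",即任何匿名请求都可以对 java-server 桶上传、读取和删除对象;如果只需要特定用户访问,应改为给用户或用户组绑定策略,而不是设置匿名桶策略)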

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads"
],
"Resource": [
"arn:aws:s3:::java-server"
]
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Action": [
"s3:PutObject",
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:GetObject",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::java-server/*"
]
}
]
}
2、配置解释
通过json来控制S3桶的访问权限,以下示例策略用于访问存储桶。该策略允许用户仅对 MY-BUCKET 执行 s3:ListBucket、s3:PutObject 和 s3:GetObject 操作:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"s3:ListBucket"
],
"Resource":"arn:aws:s3:::MY-BUCKET"
},
{
"Effect":"Allow",
"Action":[
"s3:PutObject",
"s3:GetObject"
],
"Resource":"arn:aws:s3:::MY-BUCKET/*"
}
]
}
Version 策略版本号(一般为时间戳)
Statement 策略的声明(列表的形式,里面定义了访问策略对象)
Effect 策略的效果(权限的拒绝或者允许,Deny,Allow)
Action 操作(定义操作,可以为字符串数组,也可以是字符串,如果为"s3:*" ,那么为全部操作)
Resource 策略附加到的资源(可以为字符串数组,也可以是字符串,AWS中每个资源都有对应的arn)
其他例子
{
"Version":"2012-10-17",
"Statement": [
{
"Sid":"GrantAnonymousReadPermissions",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::awsexamplebucket1/*"]
}
]
}
Sid 策略的ID标识(一般为描述信息)
Principal 用于指定被允许或拒绝访问资源的用户、账户、服务或其他实体("Principal":"*" 表示匿名访问,即授予每个人权限)
S3的条件键Condition
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "statement1",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::awsexamplebucket1/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "public-read"
}
}
}
]
}
Condition 指定策略生效时的条件
可以指定以下这些条件,如:
指定IP访问范围
"Condition" : {
"IpAddress" : {
"aws:SourceIp": "192.0.2.0/24"
},
"NotIpAddress" : {
"aws:SourceIp": "192.0.2.188/32"
}
}
要求用户上传对象时需具有特定访问权限
"Condition": {
"StringEquals": {
"s3:x-amz-grant-full-control": "id=AccountA-CanonicalUserID"
}
}
更多条件字段请查阅官方文档:https://docs.aws.amazon.com/zh_cn/AmazonS3/latest/dev/list_amazons3.html.
将亚马逊 AWS S3 存储桶的访问权限限制到一个特定 IAM 角色
其中111111111111为账户号,ROLENAME为角色名。
//使用Principal指定111111111111账户中的ROLENAME
//拥有对MyExampleBucket桶的ListBucket权限
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:role/ROLENAME"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::MyExampleBucket"
}
//通过Condition指定角色
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::MyExampleBucket",
"arn:aws:s3:::MyExampleBucket/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AROAEXAMPLEID:*",
"111111111111"
]
}
}
}
//通过Principal给role/ROLENAME和user/USERNAME权限
{
"Effect": "Allow",
"Principal": [
{
"AWS": [
"arn:aws:iam::222222222222:role/ROLENAME",
"arn:aws:iam::222222222222:user/USERNAME"
]
}
],
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::MyExampleBucket"
}