# Podman Pod Deploy MinIO: Single-Node Single-Drive

# Preface

This article walks step by step through deploying MinIO in a Podman pod. Expand the table of contents below and click a section to jump to it.

:::spoiler Table of contents
[TOC]
:::

## Step 1: Pull the Latest Stable Image of MinIO

Run the following command to download the MinIO image:

```
sudo podman pull quay.io/minio/minio
```

> The image is also available on Docker Hub (`docker://minio/minio`).

## Step 2: Create the Environment Variable File

Run the following command to create the working directories:

```
mkdir -p ~/minio/{yaml,data,config,certs/CAs,ssl}
```

Run the following command to generate the startup environment file:

```bash
# The root credentials below are the article's placeholders; replace them with
# strong secrets before the service is reachable by anyone else.
# MINIO_SERVER_URL must point at the S3 API port (9000 in the pod spec below);
# 9090 is the console port and the console cannot reach the API through it.
echo 'MINIO_ROOT_USER="admin"
MINIO_ROOT_PASSWORD="admin123"
MINIO_VOLUMES="/data"
MINIO_SERVER_URL="https://minio.example.com:9000"' > ~/minio/config/config.env
```

- `MINIO_ROOT_USER`: the access key for the root user.
- `MINIO_ROOT_PASSWORD`: the secret key for the root user (MinIO requires at least 8 characters).
- `MINIO_VOLUMES`: the directories or drives the minio server process uses as its storage backend.
- `MINIO_SERVER_URL`: the fully qualified domain name (FQDN) the MinIO Console must use for connecting to the MinIO Server. The Console also uses this value as the root hostname when generating presigned URLs. The hostname must match a name in the certificate's subjectAltName created in the next step.

## Step 3: Create a Self-Signed Certificate

Save the script below as `~/minio/ssl/mk`, make it executable (`chmod +x ~/minio/ssl/mk`), and run it to create a self-signed CA and a server certificate signed by it.

:::spoiler Self-signed certificate script
```bash
#!/bin/bash
# Usage: ./mk create <domain> <IP> | ./mk delete | ./mk test
domain=$2
ip=$3

help() {
cat <<EOF
Usage: mk [OPTIONS]
Available options:
    create      create [domain] [IP]
    delete      delete cert
    test        test
EOF
exit
}

ssl() {
    # CA private key (passphrase-protected; the passphrase is hard-coded here) and self-signed CA certificate
    openssl genrsa -aes256 -passout pass:password -out ca.key 4096
    openssl req -new -x509 -sha256 -days 365 -subj "/C=TW/ST=Taipei/L=Taipei/O=test/OU=lab/CN=example" -passin pass:password -key ca.key -out cacerts.pem
    # Server private key and certificate signing request
    openssl genrsa -out private.key 4096
    openssl req -new -sha256 -subj "/CN=example" -key private.key -out cert.csr
    # The SAN must cover the name and IP clients will use; browsers ignore the CN
    echo -e "subjectAltName=DNS:${domain},IP:${ip}\nextendedKeyUsage = serverAuth" > extfile.cnf
    # Sign the server certificate with the CA
    openssl x509 -req -sha256 -days 365 -passin pass:password -in cert.csr -CA cacerts.pem -CAkey ca.key -out public.crt -extfile extfile.cnf -CAcreateserial
}

de() {
    rm ca.key cacerts.pem ca.srl cert.csr private.key public.crt extfile.cnf &>/dev/null
    if [ "$?" == "0" ];then
        echo "delete all cert ok!"
    else
        echo "delete cert fail,please check!"
    fi
}

ts() {
    # Verify that public.crt chains to the generated CA
    openssl verify -CAfile cacerts.pem -verbose public.crt
}

case $1 in
    create)
        if [ "$#" == "3" ];then
            ssl
        else
            help
        fi
        ;;
    delete)
        de
        ;;
    test)
        ts
        ;;
    *)
        help
        ;;
esac
```
:::

<br>

```
cd ~/minio/ssl && ./mk create minio.example.com 192.168.11.95
```

Copy the private key and certificate for MinIO into the certs directory:

```
$ cp private.key public.crt ~/minio/certs
```

Copy the CA certificate for MinIO into the CAs directory:

```
$ cp cacerts.pem ~/minio/certs/CAs/
```

Make the OS trust the certificate:

```
$ sudo cp cacerts.pem /usr/share/pki/trust/anchors/
$ sudo update-ca-certificates --fresh
```

> These paths are the openSUSE/SLE ones. On Debian/Ubuntu copy the file as `/usr/local/share/ca-certificates/cacerts.crt` and run `update-ca-certificates`; on RHEL-family systems copy it to `/etc/pki/ca-trust/source/anchors/` and run `update-ca-trust`.

## Step 4: Create and Run the Pod

Edit the YAML file:

```
nano ~/minio/yaml/minio-podman-pod.yaml
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: minio
spec:
  hostname: minio.example.com
  containers:
    - name: minio
      image: quay.io/minio/minio
      command:
        - /bin/bash
        - -c
        - |
          /usr/bin/docker-entrypoint.sh minio server /data --console-address ":9090"
      env:
        - name: MINIO_CONFIG_ENV_FILE
          value: /root/.minio/config.env
      volumeMounts:
        - mountPath: "/data"
          name: minio-data-storage
        - mountPath: "/root/.minio/"
          name: minio-config-storage
        - mountPath: "/root/.minio/certs"
          name: minio-certs-storage
      ports:
        - name: api
          containerPort: 9000
          hostPort: 9000
          protocol: TCP
        - name: web
          containerPort: 9090
          hostPort: 9090
          protocol: TCP
      securityContext:
        # privileged grants the container every host capability; MinIO only needs
        # read/write access to its volumes. On SELinux hosts, labelling the host
        # directories (chcon -Rt container_file_t ~/minio) is the narrower fix.
        privileged: true
  volumes:
    # The host paths assume the user's home directory is /home/rancher; adjust to match ~/minio
    - name: minio-data-storage
      hostPath:
        type: DirectoryOrCreate
        path: /home/rancher/minio/data
    - name: minio-config-storage
      hostPath:
        type: DirectoryOrCreate
        path: /home/rancher/minio/config
    - name: minio-certs-storage
      hostPath:
        type: DirectoryOrCreate
        path: /home/rancher/minio/certs
  restartPolicy: Always
```

### Create the Pod

```
$ sudo podman play kube ~/minio/yaml/minio-podman-pod.yaml
```

> Creating the pod rootless runs into an authentication problem; create it rootful.

Check that the pod is running as expected:

```
$ sudo podman pod ps
```

Output:

```
POD ID        NAME        STATUS      CREATED         INFRA ID      # OF CONTAINERS
86979a9842e9  minio       Running     16 seconds ago  fb62ef293d6f  2
```

## Step 5: Access MinIO Web Console

- Import `cacerts.pem` into the browser.
- Open `https://192.168.11.95:9090/login`.
- Username: `admin`
- Password: `admin123`

![](https://hackmd.io/_uploads/rJmW17Xh2.png)

## Step 6: Start MinIO on boot

Use only one of the two approaches below, `podman generate` or Podman Quadlet. `podman generate systemd` is deprecated in recent Podman releases in favour of Quadlet.

### by `podman generate`

```bash
cd ~/minio
# Writes pod-minio.service and container-minio-minio.service into the current directory
sudo podman generate systemd --name minio --files
sudo cp container-minio-minio.service pod-minio.service /usr/lib/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable --now pod-minio.service container-minio-minio.service
```

### by `podman Quadlet`

```bash
# 1. Create the directories that hold the Kubernetes YAML and the Quadlet unit files
sudo mkdir -p /etc/containers/{kube,systemd}

# 2. Copy the MinIO pod YAML written in Step 4 into that directory
sudo cp ~/minio/yaml/minio-podman-pod.yaml /etc/containers/kube/minio-podman-pod.yaml

# 3. Create the systemd Quadlet unit file with a here document.
#    This .kube file tells systemd how to manage a pod from the given YAML.
sudo tee /etc/containers/systemd/minio-pod.kube >/dev/null <<'EOF'
[Unit]
Description=Podman Quadlet: Minio Pod (minio-pod)
# This service depends on the network being online
Wants=network-online.target
After=network-online.target

[Kube]
# Path of the Kubernetes YAML file to use
Yaml=/etc/containers/kube/minio-podman-pod.yaml
# StopTimeout=120

[Service]
# Restart automatically when the service fails
Restart=always
# Wait 5 seconds between restarts
RestartSec=5s
# Allow 120 seconds for the service to stop
TimeoutStopSec=120s

[Install]
# Start the service when the system reaches multi-user mode after boot
WantedBy=multi-user.target
EOF

# 4. Reload systemd so the Quadlet generator turns the new .kube file into a service
sudo systemctl daemon-reload

# 5. Start the minio-pod service now. Quadlet-generated units are not enabled with
#    `systemctl enable`; the [Install] section above already makes it start on boot.
sudo systemctl start minio-pod.service

# 6. Check the current state of the minio-pod service
sudo systemctl status minio-pod.service
```

# References

## MinIO

- [Deploy MinIO: Single-Node Single-Drive - MinIO Docs](https://min.io/docs/minio/container/operations/install-deploy-manage/deploy-minio-single-node-single-drive.html)
- [MinIO Server - MinIO Docs](https://min.io/docs/minio/linux/reference/minio-server/minio-server.html#id6)
- [MinIO Server Config Guide](http://192.241.195.202/docs/minio-server-configuration-guide.html)
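The checks worth running before `podman play kube`, gathered into one pre-flight script. This is an added example, not code from the article or from the MinIO or Podman projects; it assumes the article's directory layout (`~/minio/config/config.env`, `~/minio/certs/{private.key,public.crt,CAs/cacerts.pem}`, `~/minio/yaml/minio-podman-pod.yaml`) and that `openssl` is installed. It reads the `KEY="value"` lines of `config.env` without sourcing the file, rejects placeholder or too-short root credentials, confirms `MINIO_SERVER_URL` is `https` and points at the S3 API port rather than the console port (9090), verifies that `public.crt` chains to the bundled CA, that `private.key` matches it and that its SAN covers the server hostname, and flags `privileged: true` in the pod spec.

```bash
#!/usr/bin/env bash
# Added pre-flight checker for the MinIO pod deployment above (not part of the
# article, MinIO or Podman). Assumes the article's layout under $1:
#   config/config.env, certs/{private.key,public.crt,CAs/cacerts.pem}, yaml/minio-podman-pod.yaml
# Usage: ./minio-preflight.sh ~/minio

# Print the value of KEY ($2) from a config.env ($1) without sourcing the file,
# so a malformed env file cannot execute anything. Returns 1 if the key is absent.
env_value() {
  file=$1; key=$2
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      "$key="*)
        value=${line#*=}
        value=${value#\"}; value=${value%\"}
        printf '%s\n' "$value"
        return 0 ;;
    esac
  done < "$file"
  return 1
}

# Hostname part of a URL such as https://minio.example.com:9000/
url_host() {
  hostport=${1#*://}; hostport=${hostport%%/*}
  printf '%s\n' "${hostport%%:*}"
}

# Check root credentials and the server URL. Prints one finding per line and
# returns 0 only when every check passes.
check_env_file() {
  file=$1; rc=0
  user=$(env_value "$file" MINIO_ROOT_USER) || { echo "MINIO_ROOT_USER missing"; rc=1; }
  pass=$(env_value "$file" MINIO_ROOT_PASSWORD) || { echo "MINIO_ROOT_PASSWORD missing"; rc=1; }
  url=$(env_value "$file" MINIO_SERVER_URL) || { echo "MINIO_SERVER_URL missing"; rc=1; }
  # MinIO itself refuses root passwords shorter than 8 characters.
  [ "${#pass}" -ge 8 ] || { echo "MINIO_ROOT_PASSWORD shorter than 8 characters"; rc=1; }
  # Placeholder credentials (minioadmin/minioadmin is MinIO's documented default).
  case "$user:$pass" in
    minioadmin:minioadmin|admin:admin123|admin:password)
      echo "placeholder root credentials in use"; rc=1 ;;
  esac
  case $url in
    https://*) ;;
    *) echo "MINIO_SERVER_URL is not https"; rc=1 ;;
  esac
  # The console must reach the S3 API (port 9000 in the pod spec), not its own port.
  hostport=${url#*://}; hostport=${hostport%%/*}
  port=${hostport##*:}
  [ "$port" = "$hostport" ] && port=443
  [ "$port" != "9090" ] || { echo "MINIO_SERVER_URL points at the console port, not the API"; rc=1; }
  return $rc
}

# Verify the TLS material MinIO loads from certs/ ($1): the certificate chains to
# CAs/cacerts.pem, the private key matches it, and its SAN includes DNS:$2.
check_certs() {
  dir=$1; host=$2; rc=0
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 1; }
  for f in private.key public.crt CAs/cacerts.pem; do
    [ -r "$dir/$f" ] || { echo "missing $dir/$f"; rc=1; }
  done
  [ "$rc" -eq 0 ] || return 1
  openssl verify -CAfile "$dir/CAs/cacerts.pem" "$dir/public.crt" >/dev/null 2>&1 \
    || { echo "public.crt does not verify against CAs/cacerts.pem"; rc=1; }
  [ "$(openssl pkey -in "$dir/private.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$dir/public.crt" -pubkey -noout 2>/dev/null)" ] \
    || { echo "private.key does not match public.crt"; rc=1; }
  openssl x509 -in "$dir/public.crt" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$host" \
    || { echo "subjectAltName of public.crt does not include DNS:$host"; rc=1; }
  return $rc
}

# Flag a privileged container in the pod spec ($1): MinIO only needs its volumes,
# not host-level capabilities.
check_pod_yaml() {
  if grep -Eq '^[[:space:]]*privileged:[[:space:]]*true' "$1"; then
    echo "pod spec sets privileged: true; drop it and label the host directories instead"
    return 1
  fi
  return 0
}

# Entry point: only runs when a MinIO home directory is given on the command line.
if [ "$#" -ge 1 ]; then
  home=$1; status=0
  check_env_file "$home/config/config.env" || status=1
  host=$(url_host "$(env_value "$home/config/config.env" MINIO_SERVER_URL)")
  check_certs "$home/certs" "$host" || status=1
  check_pod_yaml "$home/yaml/minio-podman-pod.yaml" || status=1
  [ "$status" -eq 0 ] && echo "pre-flight OK" || echo "pre-flight FAILED"
  exit $status
fi
```

Run it as `./minio-preflight.sh ~/minio`; it exits non-zero on any finding, so a deployment script can gate `podman play kube` on it. Against the article's unmodified `config.env` it reports the placeholder credentials (and, if the URL still carries port 9090, the console-port mistake), which is exactly the state that should not reach a host other than a lab.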