minio: Install and configure MinIO
[MinIO][0] is an S3-compatible object storage server. It is designed to provide storage for cloud-native applications for on-premises deployments. MinIO has not been packaged for Fedora (yet?). As such, the best way to deploy it is usining its official container image. Here, we are using `podman-systemd-generator` (Quadlet) to generate a systemd service unit to manage the container process.step-ssh
parent
f6f286ac24
commit
f54bc44a48
|
|
@ -0,0 +1,6 @@
|
|||
minio_version: latest
|
||||
minio_container_image: quay.io/minio/minio
|
||||
minio_storage_path: /var/lib/minio
|
||||
minio_console_address: '[::]:9090'
|
||||
minio_root_user: root
|
||||
minio_root_password: changeme
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
- name: reload systemd
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
|
||||
- name: restart minio
|
||||
systemd:
|
||||
name: minio
|
||||
state: restarted
|
||||
|
|
@ -0,0 +1,107 @@
|
|||
- name: load minio secrets
|
||||
include_vars: '{{ item }}'
|
||||
with_first_found:
|
||||
- files:
|
||||
- vault/minio/{{ inventory_hostname }}
|
||||
skip: true
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: ensure minio group exists
|
||||
group:
|
||||
name: minio
|
||||
gid: 224
|
||||
system: true
|
||||
state: present
|
||||
tags:
|
||||
- user
|
||||
- group
|
||||
- name: ensure minio user exists
|
||||
user:
|
||||
name: minio
|
||||
uid: 224
|
||||
group: minio
|
||||
system: true
|
||||
state: present
|
||||
tags:
|
||||
- user
|
||||
- group
|
||||
|
||||
- name: ensure minio storage path exists
|
||||
file:
|
||||
path: '{{ minio_storage_path }}'
|
||||
owner: minio
|
||||
group: minio
|
||||
mode: u=rwx,go=
|
||||
state: directory
|
||||
tags:
|
||||
- datadir
|
||||
|
||||
- name: ensure minio certs directory exists
|
||||
file:
|
||||
path: /etc/minio/certs
|
||||
owner: root
|
||||
group: minio
|
||||
mode: u=rwx,g=rx,o=
|
||||
setype: container_file_t
|
||||
state: directory
|
||||
tags:
|
||||
- cert
|
||||
- name: ensure minio server certificate is present
|
||||
copy:
|
||||
src: '{{ item }}'
|
||||
dest: /etc/minio/certs/public.crt
|
||||
owner: root
|
||||
group: minio
|
||||
mode: u=rw,g=r,o=
|
||||
setype: container_file_t
|
||||
with_fileglob: certs/minio/{{ inventory_hostname }}.cer
|
||||
tags:
|
||||
- cert
|
||||
- name: ensure minio server private key is present
|
||||
copy:
|
||||
src: '{{ item }}'
|
||||
dest: /etc/minio/certs/private.key
|
||||
owner: root
|
||||
group: minio
|
||||
mode: u=rw,g=r,o=
|
||||
setype: container_file_t
|
||||
diff: false
|
||||
with_fileglob: certs/minio/{{ inventory_hostname }}.key
|
||||
tags:
|
||||
- cert
|
||||
|
||||
- name: ensure minio environment is configured
|
||||
template:
|
||||
src: minio.env.j2
|
||||
dest: /etc/sysconfig/minio
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rw,go=
|
||||
notify:
|
||||
- restart minio
|
||||
tags:
|
||||
- config
|
||||
|
||||
- name: ensure minio.container systemd unit exists
|
||||
template:
|
||||
src: minio.container.j2
|
||||
dest: /etc/containers/systemd/minio.container
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rw,go=r
|
||||
notify:
|
||||
- reload systemd
|
||||
- restart minio
|
||||
tags:
|
||||
- systemd
|
||||
|
||||
- name: flush_handlers
|
||||
meta: flush_handlers
|
||||
|
||||
- name: ensure minio.service is running
|
||||
systemd:
|
||||
name: minio.service
|
||||
state: started
|
||||
tags:
|
||||
- service
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
- name: ensure podman is installed
|
||||
package:
|
||||
name:
|
||||
- container-selinux
|
||||
- podman
|
||||
state: present
|
||||
|
||||
- name: ensure minio container image is present
|
||||
podman_image:
|
||||
name: '{{ minio_container_image }}:{{ minio_version }}'
|
||||
state: present
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
- block:
|
||||
- import_tasks: install.yml
|
||||
tags:
|
||||
- install
|
||||
- import_tasks: deploy.yml
|
||||
tags:
|
||||
- minio
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
[Unit]
|
||||
Description=MinIO Object Storage
|
||||
Wants=network.target
|
||||
After=network.target
|
||||
|
||||
[Container]
|
||||
Image={{ minio_container_image }}:{{ minio_version }}
|
||||
Exec=server /data --certs-dir /certs
|
||||
User=224
|
||||
Group=224
|
||||
EnvironmentFile=/etc/sysconfig/minio
|
||||
Volume={{ minio_storage_path }}:/data:rw,Z
|
||||
Volume=/etc/minio/certs:/certs:ro,z
|
||||
Network=host
|
||||
NoNewPrivileges=yes
|
||||
|
||||
[Service]
|
||||
MemoryDenyWriteExecute=yes
|
||||
PrivateTmp=yes
|
||||
ProtectClock=yes
|
||||
ProtectHome=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectProc=invisible
|
||||
ProtectSystem=strict
|
||||
ReadWritePaths=/var/lib/containers/storage
|
||||
ReadWritePaths={{ minio_storage_path }}
|
||||
RestrictRealtime=yes
|
||||
RestrictSUIDSGID=yes
|
||||
UMask=0077
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
MINIO_ROOT_USER={{ minio_root_user }}
|
||||
MINIO_ROOT_PASSWORD={{ minio_root_password }}
|
||||
|
||||
MINIO_CONSOLE_ADDRESS={{ minio_console_address }}
|
||||
Loading…
Reference in New Issue