How to enable Gitlab Container Registry with Minio custom S3 Bucket? Part 1

efe136

Efkan Isazade

Posted on November 16, 2020

Depending on the setup, the Gitlab registry may or may not be enabled by default in Gitlab Omnibus. In this post you will learn how to enable it and integrate it with a Minio S3 bucket. In this Part 1 we will install and configure the Minio server.

Pre-requisites

For this setup we need:

  • Gitlab Omnibus Server (CE or EE)
  • Ubuntu 20.04 Server (minimum 4 GB RAM, 4 CPUs, and 250 GB storage)
  • Docker server to test the Gitlab container registry
  • OpenSSL or Let's Encrypt for a secure connection

Minio installation

You can install the Minio server by compiling the source code or via a binary file. To install it from the source, you need to have at least Go 1.12 installed on your system.
First, log in to your server, replacing efe with your username and your_server_ip with your Ubuntu 20.04 server’s IP address:

ssh efe@your_server_ip

Then update the package database:

sudo apt update

Next, download the Minio server’s binary file from the official website:

wget https://dl.min.io/server/minio/release/linux-amd64/minio

The output will be similar to the following:

Output
--2020-07-31 15:08:49--  https://dl.min.io/server/minio/release/linux-amd64/minio
Resolving dl.min.io (dl.min.io)... 178.128.69.202
Connecting to dl.min.io (dl.min.io)|178.128.69.202|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44511616 (42M) [application/octet-stream]
Saving to: ‘minio’

minio               100%[===================>]  42.45M  21.9MB/s    in 1.9s

2020-07-31 15:08:51 (21.9 MB/s) - ‘minio’ saved [44511616/44511616]

When the download is finished, a file named minio will be in your working directory. Run the following command to make it executable:

sudo chmod +x minio

Next, move the file into the /usr/local/bin directory, where Minio’s systemd startup script expects to find it:

sudo mv minio /usr/local/bin

For security reasons, it is best practice to avoid running the Minio server as root, so we need to create a dedicated Minio user and group:

sudo useradd -r minio-user -s /sbin/nologin

Next, change ownership of the Minio binary to minio-user:

sudo chown minio-user:minio-user /usr/local/bin/minio

Next, we need to create a directory where Minio will store files.

sudo mkdir /usr/local/share/minio

Now give minio-user ownership of this directory:

sudo chown minio-user:minio-user /usr/local/share/minio

Now create a directory inside /etc to store the Minio configuration file:

sudo mkdir /etc/minio

Then give minio-user ownership of that directory too:

sudo chown minio-user:minio-user /etc/minio

Now create and edit Minio's default configuration file. /etc/default is owned by root, so open the editor with sudo:

sudo vim /etc/default/minio

Once the file is open, add in the following lines to set some important environment variables:

MINIO_ACCESS_KEY="minio"
MINIO_VOLUMES="/usr/local/share/minio/"
MINIO_OPTS="-C /etc/minio --address your_server_ip:9000"
MINIO_SECRET_KEY="miniostorage"

Replace these values with your own.
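
A pre-start check for the environment file above, as an added example that is not part of the original post: it parses the file as text and flags the sample values shown here, MinIO's well-known minioadmin default, keys below MinIO's minimum lengths (3 and 8 characters), a file mode that lets other users in, and a leftover your_server_ip placeholder. The function names get_var and audit_minio_env are hypothetical.

```bash
#!/bin/sh
# Added example: audit a MinIO environment file (e.g. /etc/default/minio).
# The file is parsed as text, never sourced, so auditing it executes nothing.

# get_var FILE NAME: print the last value assigned to NAME, outer quotes removed.
get_var() {
    local line
    line=$(grep -E "^$2=" "$1" | tail -n 1)
    line=${line#*=}; line=${line%\"}; line=${line#\"}
    printf '%s' "$line"
}

# Guessable values: this tutorial's samples plus MinIO's well-known default.
is_weak() {
    case $1 in minio|miniostorage|minioadmin) return 0 ;; *) return 1 ;; esac
}

# audit_minio_env FILE: print one finding per line; return 1 if any were found.
audit_minio_env() {
    local file=$1 rc=0 mode access secret
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }

    # The file holds the secret key; "other" users need no access to it.
    mode=$(stat -c '%a' "$file")
    if [ $(( 0$mode & 7 )) -ne 0 ]; then
        echo "mode $mode lets other users read the secret (use 600 or 640)"; rc=1
    fi

    access=$(get_var "$file" MINIO_ACCESS_KEY)
    secret=$(get_var "$file" MINIO_SECRET_KEY)
    # MinIO enforces minimum lengths of 3 (access key) and 8 (secret key).
    [ ${#access} -ge 3 ] || { echo "MINIO_ACCESS_KEY missing or shorter than 3"; rc=1; }
    [ ${#secret} -ge 8 ] || { echo "MINIO_SECRET_KEY missing or shorter than 8"; rc=1; }
    if is_weak "$access"; then echo "MINIO_ACCESS_KEY is a sample/default value"; rc=1; fi
    if is_weak "$secret"; then echo "MINIO_SECRET_KEY is a sample/default value"; rc=1; fi
    if [ -n "$secret" ] && [ "$secret" = "$access" ]; then
        echo "MINIO_SECRET_KEY equals MINIO_ACCESS_KEY"; rc=1
    fi

    # A placeholder left in MINIO_OPTS means the listen address was never set.
    if get_var "$file" MINIO_OPTS | grep -q 'your_server_ip'; then
        echo "MINIO_OPTS still contains the your_server_ip placeholder"; rc=1
    fi
    return $rc
}
```

Run it as `audit_minio_env /etc/default/minio`; systemd reads EnvironmentFile as root, so the file can be owned by root with mode 600. A replacement secret can be generated with `openssl rand -hex 20`.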

Now it is time to install the Minio systemd startup script:

curl -O https://raw.githubusercontent.com/minio/minio-service/master/linux-systemd/minio.service

The output will be similar to the following:

Output

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   835  100   835    0     0   6139      0 --:--:-- --:--:-- --:--:--  6139

In order to audit the contents of minio.service before applying it, open it in a text editor:

vim minio.service

It will show the following:

[Unit]
Description=MinIO
Documentation=https://docs.min.io
Wants=network-online.target
After=network-online.target
AssertFileIsExecutable=/usr/local/bin/minio

[Service]
WorkingDirectory=/usr/local/

User=minio-user
Group=minio-user

EnvironmentFile=/etc/default/minio
ExecStartPre=/bin/bash -c "if [ -z \"${MINIO_VOLUMES}\" ]; then echo \"Variable MINIO_VOLUMES not set in /etc/default/minio\"; exit 1; fi"

ExecStart=/usr/local/bin/minio server $MINIO_OPTS $MINIO_VOLUMES

# Let systemd restart this service always
Restart=always

# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536

# Disable timeout logic and wait until process is stopped
TimeoutStopSec=infinity
SendSIGKILL=no

[Install]
WantedBy=multi-user.target

# Built for ${project.name}-${project.version} (${project.name})

Next, move the unit file. Systemd requires that unit files be stored in the systemd configuration directory:

sudo mv minio.service /etc/systemd/system

Then run the following commands to reload all systemd units, enable Minio to start on boot, and start Minio:

sudo systemctl daemon-reload
sudo systemctl enable minio
sudo systemctl start minio

I will use the default port 9000 on the Minio server, so we need to allow access to that port through the firewall:

sudo ufw allow 9000
sudo ufw enable

You will get the following prompt:

Output
Command may disrupt existing ssh connections. Proceed with operation (y|n)?

Press y and ENTER to confirm. The output should look like the following:

Output
Firewall is active and enabled on system startup

Our Minio server is now ready to accept traffic, but to make it secure we need one more step: configuring a Let’s Encrypt (free to use) SSL certificate for the Minio server.

First, allow HTTP and HTTPS access through firewall.

sudo ufw allow 80
sudo ufw allow 443

Once that is done, we can check the status:

sudo ufw status verbose

The output should look like this:

Output
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere
9000                       ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)
9000 (v6)                  ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)

Next we will install Certbot. Before generating free wildcard certificates, we first need to make sure certbot is installed and running. To install it, run the commands below:

sudo apt update
sudo apt-get install letsencrypt

Now we can obtain the certificate:

sudo certbot certonly --standalone -d minio-server.your_domain

The output should look like this:

Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

Add your email and press ENTER.

Certbot will then ask you to register with Let’s Encrypt:

Output
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:

Type A and press ENTER to agree.

Next you will see this output:

Output
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:

You can answer either Y or N. Your public and private keys will then be generated and saved in the /etc/letsencrypt/live/minio-server.your_domain directory.

Next, we need to copy two files (privkey.pem and fullchain.pem) into the certs directory under Minio’s server configuration folder. Start with privkey.pem, renaming it to private.key:

sudo cp /etc/letsencrypt/live/minio-server.your_domain/privkey.pem /etc/minio/certs/private.key

Then do the same for fullchain.pem, naming the copy public.crt:

sudo cp /etc/letsencrypt/live/minio-server.your_domain/fullchain.pem /etc/minio/certs/public.crt

Now change the ownership of private.key and public.crt to minio-user:

sudo chown minio-user:minio-user /etc/minio/certs/private.key
sudo chown minio-user:minio-user /etc/minio/certs/public.crt

Before connecting to the Minio server web interface, we need to restart the service:

sudo systemctl restart minio
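
The files copied above are a snapshot: Let’s Encrypt certificates expire after 90 days, and certbot renews only the originals under /etc/letsencrypt/live. The following certbot deploy hook, an added example that is not part of the original post, repeats the copy, ownership and restart steps after each renewal; the function name deploy_minio_certs, the hook file name and the match on a certificate name starting with minio-server. are assumptions.

```bash
#!/bin/sh
# Added example: certbot deploy hook that refreshes MinIO's copy of the certificate.
# Assumed location: /etc/letsencrypt/renewal-hooks/deploy/minio-certs.sh (executable).

# deploy_minio_certs LINEAGE_DIR CERTS_DIR [OWNER]
# Copies privkey.pem/fullchain.pem to private.key/public.crt.
# Returns 0 if the files were updated, 1 if nothing changed, 2 on error.
deploy_minio_certs() {
    local src=$1 dst=$2 owner=${3:-}
    [ -r "$src/privkey.pem" ] && [ -r "$src/fullchain.pem" ] || return 2
    # Skip when MinIO already has this exact certificate and key.
    if cmp -s "$src/fullchain.pem" "$dst/public.crt" &&
       cmp -s "$src/privkey.pem" "$dst/private.key"; then
        return 1
    fi
    mkdir -p "$dst" || return 2
    # install(1) sets the mode at creation, so the key is never briefly world-readable.
    install -m 600 "$src/privkey.pem" "$dst/private.key.new" || return 2
    install -m 644 "$src/fullchain.pem" "$dst/public.crt.new" || return 2
    if [ -n "$owner" ]; then
        chown "$owner:$owner" "$dst/private.key.new" "$dst/public.crt.new" || return 2
    fi
    # Renaming within one directory swaps each file in a single step.
    mv -f "$dst/private.key.new" "$dst/private.key" || return 2
    mv -f "$dst/public.crt.new" "$dst/public.crt" || return 2
    return 0
}

# certbot sets RENEWED_LINEAGE (the live/<name> directory) when it runs deploy hooks.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    case $RENEWED_LINEAGE in
        */minio-server.*)
            # Restart only when new files were actually put in place.
            if deploy_minio_certs "$RENEWED_LINEAGE" /etc/minio/certs minio-user; then
                systemctl restart minio
            fi ;;
    esac
fi
```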

Finally, we can access the web interface by pointing a browser to https://minio-server.your_domain:9000.

You will see the login screen.

Now log in to the main interface by entering your credentials (MINIO_ACCESS_KEY and MINIO_SECRET_KEY).

Then you can create a bucket through the web interface.

That is it for now. Follow for Part 2, where I will share how to connect the Gitlab container registry to the Minio bucket.
