Efkan Isazade
Posted on November 16, 2020
In Gitlab Omnibus the container registry may or may not be enabled by default. In this post you will learn how to enable it and integrate it with a Minio S3 bucket. In this Part 1 we will install and configure the Minio server.
Pre-requisites
For this setup we need:
- Gitlab Omnibus Server (ce, ee)
- Ubuntu 20.04 Server (minimum 4 GB RAM, 4 CPUs and 250 GB storage)
- Docker server to test Gitlab container registry
- OpenSSL or Let's Encrypt for a secure connection
Minio installation
You can install the Minio server by compiling the source code or via a binary file. To install it from the source, you need to have at least Go 1.12 installed on your system.
First, log in to your server, replacing efe with your username and your_server_ip with your Ubuntu 20.04 server’s IP address:
ssh efe@your_server_ip
Then update the package database:
sudo apt update
Next, download the Minio server’s binary file from the official website:
wget https://dl.min.io/server/minio/release/linux-amd64/minio
The output will be similar to the following:
Output
--2020-07-31 15:08:49-- https://dl.min.io/server/minio/release/linux-amd64/minio
Resolving dl.min.io (dl.min.io)... 178.128.69.202
Connecting to dl.min.io (dl.min.io)|178.128.69.202|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44511616 (42M) [application/octet-stream]
Saving to: ‘minio’
minio 100%[===================>] 42.45M 21.9MB/s in 1.9s
2020-07-31 15:08:51 (21.9 MB/s) - ‘minio’ saved [44511616/44511616]
When the download is finished, a file named minio will be in your working directory. Run the following command to make it executable:
sudo chmod +x minio
Next, move the file into the /usr/local/bin directory, where Minio's systemd startup script expects to find it:
sudo mv minio /usr/local/bin
For security reasons it is best practice not to run the Minio server as root, so we need to create a dedicated minio user and group:
sudo useradd -r minio-user -s /sbin/nologin
Next, change ownership of the Minio binary to minio-user:
sudo chown minio-user:minio-user /usr/local/bin/minio
Next, we need to create a directory where Minio will store files.
sudo mkdir /usr/local/share/minio
Now give minio-user ownership of this directory:
sudo chown minio-user:minio-user /usr/local/share/minio
Now create a directory inside /etc to store the Minio configuration file:
sudo mkdir /etc/minio
And then give ownership to minio-user as well:
sudo chown minio-user:minio-user /etc/minio
Now create the Minio default environment file (it lives under /etc, so open it with sudo):
sudo vim /etc/default/minio
Once the file is open, add in the following lines to set some important environment variables:
MINIO_ACCESS_KEY="minio"
MINIO_VOLUMES="/usr/local/share/minio/"
MINIO_OPTS="-C /etc/minio --address your_server_ip:9000"
MINIO_SECRET_KEY="miniostorage"
Replace these values with your own; the access key and secret key are the credentials you will log in with, so choose a strong secret rather than the example above.
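Because this file holds the secret key and the ExecStartPre in the unit file only checks that MINIO_VOLUMES is set, here is a small POSIX shell check you can run before starting the service. It is an added example, not part of the original post; it assumes the file layout above and Minio's documented minimum credential lengths (3 characters for the access key, 8 for the secret key).

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the Minio
# environment file before (re)starting the service. The unit file's
# ExecStartPre only verifies that MINIO_VOLUMES is set; this also checks
# that the volume path exists, that the credentials meet Minio's minimum
# lengths (3 for the access key, 8 for the secret key), that the example
# secret from this post was replaced, and that the file is not
# world-readable, since it holds the secret key.

# Read KEY=value or KEY="value" from the file; the last occurrence wins,
# as with systemd's EnvironmentFile, and nothing in the file is executed.
env_value() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# Usage: check_minio_env [/etc/default/minio]; returns non-zero on any problem.
check_minio_env() {
    envfile="${1:-/etc/default/minio}"
    rc=0
    if [ ! -r "$envfile" ]; then
        echo "ERROR: $envfile is not readable" >&2; return 1
    fi
    # Characters 8-10 of ls -l are the "other" permission bits.
    case "$(ls -ld "$envfile" | cut -c8-10)" in
        *r*) echo "ERROR: $envfile is world-readable; run: chmod 640 $envfile" >&2; rc=1 ;;
    esac
    volumes=$(env_value "$envfile" MINIO_VOLUMES)
    access=$(env_value "$envfile" MINIO_ACCESS_KEY)
    secret=$(env_value "$envfile" MINIO_SECRET_KEY)
    if [ -z "$volumes" ]; then
        echo "ERROR: MINIO_VOLUMES is not set" >&2; rc=1
    elif [ ! -d "$volumes" ]; then
        echo "ERROR: MINIO_VOLUMES=$volumes is not a directory" >&2; rc=1
    fi
    if [ "${#access}" -lt 3 ]; then
        echo "ERROR: MINIO_ACCESS_KEY must be at least 3 characters" >&2; rc=1
    fi
    if [ "${#secret}" -lt 8 ]; then
        echo "ERROR: MINIO_SECRET_KEY must be at least 8 characters" >&2; rc=1
    elif [ "$secret" = "miniostorage" ]; then
        echo "ERROR: MINIO_SECRET_KEY is still the example value from this post" >&2; rc=1
    fi
    return "$rc"
}
```

Run it as `check_minio_env /etc/default/minio` after editing the file; a non-zero exit means something above still needs fixing.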
Now it is time to install the Minio systemd startup script:
curl -O https://raw.githubusercontent.com/minio/minio-service/master/linux-systemd/minio.service
The output will be similar to the following:
Output
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 835 100 835 0 0 6139 0 --:--:-- --:--:-- --:--:-- 6139
In order to audit the contents of minio.service before applying it, open it in a text editor:
vim minio.service
It will show the following:
[Unit]
Description=MinIO
Documentation=https://docs.min.io
Wants=network-online.target
After=network-online.target
AssertFileIsExecutable=/usr/local/bin/minio
[Service]
WorkingDirectory=/usr/local/
User=minio-user
Group=minio-user
EnvironmentFile=/etc/default/minio
ExecStartPre=/bin/bash -c "if [ -z \"${MINIO_VOLUMES}\" ]; then echo \"Variable MINIO_VOLUMES not set in /etc/default/minio\"; exit 1; fi"
ExecStart=/usr/local/bin/minio server $MINIO_OPTS $MINIO_VOLUMES
# Let systemd restart this service always
Restart=always
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=infinity
SendSIGKILL=no
[Install]
WantedBy=multi-user.target
# Built for ${project.name}-${project.version} (${project.name})
Then we need to move the unit file into place. systemd requires that unit files be stored in its configuration directory:
sudo mv minio.service /etc/systemd/system
Then run the following commands to reload all systemd units, enable Minio to start on boot, and start it:
sudo systemctl daemon-reload
sudo systemctl enable minio
sudo systemctl start minio
I will use Minio's default port, 9000, so we need to allow access to that port through the firewall:
sudo ufw allow 9000
sudo ufw enable
You will get the following prompt:
Output
Command may disrupt existing ssh connections. Proceed with operation (y|n)?
Press y and ENTER to confirm. The output should look like the following:
Output
Firewall is active and enabled on system startup
Now our Minio server is ready to accept traffic, but to make it secure we need one more step: configuring a free Let's Encrypt TLS certificate for it.
First, allow HTTP and HTTPS access through the firewall.
sudo ufw allow 80
sudo ufw allow 443
Once that is done, check the firewall status:
sudo ufw status verbose
The output should look like this:
Output
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp (OpenSSH) ALLOW IN Anywhere
9000 ALLOW IN Anywhere
443 ALLOW IN Anywhere
80 ALLOW IN Anywhere
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
9000 (v6) ALLOW IN Anywhere (v6)
443 (v6) ALLOW IN Anywhere (v6)
80 (v6) ALLOW IN Anywhere (v6)
Next we will install Certbot. Before generating free certificates, we first need to make sure certbot is installed. To install it, run the commands below:
sudo apt update
sudo apt-get install letsencrypt
Now we can obtain the certificate (the standalone authenticator answers the validation on port 80, which we opened above):
sudo certbot certonly --standalone -d minio-server.your_domain
The output should look like this:
Output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):
Add your email and press ENTER.
It will then ask you to register with Let's Encrypt:
Output
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:
Type A and press ENTER to agree.
Next you will see this output:
Output
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
You can answer Y or N as you prefer; your certificate and private key will then be generated and saved in the /etc/letsencrypt/live/minio-server.your_domain_name directory.
Next, we need to copy two files (privkey.pem and fullchain.pem) into the certs directory under Minio's configuration folder (/etc/minio/certs; create it, owned by minio-user, if it does not exist yet, otherwise the copy will fail). First copy privkey.pem and rename it to private.key:
sudo cp /etc/letsencrypt/live/minio-server.your_domain_name/privkey.pem /etc/minio/certs/private.key
Then do the same for fullchain.pem, renaming it to public.crt:
sudo cp /etc/letsencrypt/live/minio-server.your_domain_name/fullchain.pem /etc/minio/certs/public.crt
Now we need to change ownership of private.key and public.crt to minio-user:
sudo chown minio-user:minio-user /etc/minio/certs/private.key
sudo chown minio-user:minio-user /etc/minio/certs/public.crt
Before connecting to the Minio web interface, we need to restart the service so it picks up the certificate:
sudo systemctl restart minio
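The certificate copied above expires after 90 days and has to be recopied on every renewal, so here is the copy step as a script that can also serve as a certbot deploy hook. It is an added example, not part of the original post; it assumes the /etc/minio/certs directory and minio-user from this post, and that certbot sets RENEWED_LINEAGE when it invokes deploy hooks.

```shell
#!/bin/sh
# Added example (not from the original post): copy the Let's Encrypt
# certificate into Minio's certs directory with safe permissions and
# ownership. Let's Encrypt certificates expire after 90 days, so the
# manual copy has to be repeated on every renewal; run this script as
# "certbot renew --deploy-hook /path/to/this/script" and it does the
# copy and restarts Minio automatically. The paths and minio-user are
# the ones used in this post.

# Usage: install_minio_cert <lineage-dir> [certs-dir] [owner:group]
install_minio_cert() {
    src="${1:?lineage directory required, e.g. /etc/letsencrypt/live/minio-server.your_domain}"
    dst="${2:-/etc/minio/certs}"
    owner="${3:-minio-user:minio-user}"
    if [ ! -f "$src/privkey.pem" ] || [ ! -f "$src/fullchain.pem" ]; then
        echo "ERROR: privkey.pem or fullchain.pem missing in $src" >&2; return 1
    fi
    mkdir -p "$dst" || return 1
    # Copy under umask 077 so the new key is never world-readable, even
    # briefly, then rename into place so Minio never reads a half-written file.
    ( umask 077 &&
      cp "$src/privkey.pem" "$dst/private.key.tmp" &&
      cp "$src/fullchain.pem" "$dst/public.crt.tmp" ) || return 1
    mv "$dst/private.key.tmp" "$dst/private.key" || return 1
    mv "$dst/public.crt.tmp" "$dst/public.crt" || return 1
    chmod 600 "$dst/private.key" || return 1
    chmod 644 "$dst/public.crt" || return 1
    chown "$owner" "$dst/private.key" "$dst/public.crt" || return 1
    echo "installed certificate from $src into $dst"
}

# certbot exports RENEWED_LINEAGE when it runs a deploy hook after a renewal;
# when invoked that way, install the new files and restart the service.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_minio_cert "$RENEWED_LINEAGE" && systemctl restart minio
fi
```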
Finally, we can access the web interface by pointing a browser to https://minio-server.your_domain:9000.
You will see a login screen like this:
Now log in to the main interface with the credentials you set earlier (MINIO_ACCESS_KEY and MINIO_SECRET_KEY).
Then you can create a bucket through the interface:
That is it for now. Follow along for Part 2, where I will show how to connect the Gitlab container registry to the Minio bucket.