官方对MinIO的介绍是:高性能,Kubernetes原生支持的对象存储系统。MinIO的高性能软件定义对象存储套件可以使用户能够为机器学习、分析和应用程序数据工作负载构建云原生支持的数据基础设施,有关MINIO的详细介绍我就不做详细介绍,只讲解MINIO结合KMS对对象加解密存储。
本次部署操作系统为:Centos 7
IP:192.168.1.170
官网:https://min.io/
官方文档: https://docs.min.io/cn/
一 结构图
二 部署Minio
2.1 下载minio并添加执行权限,然后移动到/usr/local/sbin,方便启动服务
# wget https://dl.min.io/server/minio/release/linux-amd64/minio
# chmod +x minio
# mv minio /usr/local/sbin/2.2 启动脚本
创建minio脚本及配置的路径
# mkdir -p /usr/local/minio/{etc,bin}编辑配置文件,里面配置环境变量,启动服务需要
# vim /usr/local/minio/etc/minio.conf
export MINIO_KMS_KES_ENDPOINT=https://192.168.1.170:7373
export MINIO_KMS_KES_KEY_FILE=/opt/miniokes/minio.key
export MINIO_KMS_KES_CERT_FILE=/opt/miniokes/minio.cert
export MINIO_KMS_KES_KEY_NAME=my-minio-key
export MINIO_KMS_KES_CA_PATH=/opt/miniokes/server.cert
export MINIO_KMS_AUTO_ENCRYPTION=on
export MINIO_ACCESS_KEY=minioadmin
export MINIO_SECRET_KEY=minioadminpwd
export MINIO_DATA_DIR=/miniodata此处配置文件路径/opt/miniokes/为kes和minio需要用到的路径,存放它们会用到的密钥、证书、私钥等
2.3 编辑启动脚本
编辑脚本
# vim /usr/local/minio/bin/run.sh
#!/bin/bash
. /usr/local/minio/etc/minio.conf
minio server $MINIO_DATA_DIR
# chmod +x /usr/local/minio/bin/run.sh
创建systemctl管理文件
# vim /usr/lib/systemd/system/minio.service
[Unit]
Description=Minio service
Documentation=https://docs.minio.io/
[Service]
WorkingDirectory=/usr/local/minio/
ExecStart=/usr/local/minio/bin/run.sh
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target2.4 添加开机启动并启动服务
# systemctl enable minio.service
# systemctl start minio.service2.5 使用nginx反向代理minio
# vim /usr/local/nginx/conf/nginx.conf ---在http下面添加server
#minio http
server {
listen 80;
server_name test-minio.xxxx.com;
ignore_invalid_headers off;
client_max_body_size 0;
proxy_buffering off;
location / {
proxy_pass http://192.168.1.170:9000/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Connection "";
chunked_transfer_encoding off;
}
}
#minio https
server{
listen 443 ssl;
server_name test-minio.xxxx.com;
ssl_certificate /opt/keys/sqianbao_cn.crt;
ssl_certificate_key /opt/keys/sqianbao_cn.key;
ssl_session_timeout 5m;
error_page 500 502 503 504 /50x.html;
client_max_body_size 0;
location / {
proxy_pass http://192.168.1.170:9000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_http_version 1.1;
proxy_set_header Connection "";
chunked_transfer_encoding off;
}
}
# nginx -t
# nginx -s reload三 部署minio客户端mc
3.1 下载客户端mc
# wget https://dl.min.io/client/mc/release/linux-amd64/mc
# chmod +x mc
# mv mc /usr/local/sbin/3.2 添加服务端相关信息并测试
# mc config host add minio http://192.168.1.170:9000 minioadmin minioadminpwd --api "s3v4" ---添加服务器信息
创建bucket
# mc mb minio/test
上传文件
# mc cp ./20200714142040.png minio/test
列出minio有哪些bucket或者bucket有哪些文件
# mc ls minio/test
设置bucket权限,目前可以设置这四种权限:none, download, upload, public
# mc policy set public minio/test 设置服务器,test bucket为public,即可用url直接下载(永久链接)
浏览public的bucket文件
# mc policy --recursive links minio/test 浏览public的bucket文件,并打印出下载链接 ,bucket不是public输出为空
http://192.168.1.170:9000/test/20200714142040.png
查看bucket权限
# mc policy list minio/test/
test/* => readwrite四 部署KES
4.1 下载kes
# wget https://github.com/minio/kes/releases/latest/download/kes-linux-amd64
# chmod +x kes-linux-amd64
# mv kes-linux-amd64 /usr/local/sbin/kes4.1 创建路径
# mkdir /opt/miniokes
# cd /opt/miniokes4.2 自建CA证书
如果kes使用权威机构颁发的证书,就不需要此操作。kes配置文件server-config.yml的tls项就配置权威机构颁发的证书存放路径。
创建私钥
# openssl ecparam -genkey -name prime256v1 | openssl ec -out server.key
用上一步的私钥使用TLS X.509创建证书(此处生产的CA证书有效期可以设置长一些,避免证书频繁更换)
# openssl req -new -x509 -days 36500 -key server.key -out server.cert -subj "/C=/ST=/L=/O=/CN=localhost" -addext "subjectAltName = IP:192.168.1.170"
注意,如果出现提示-addext参数不支持,则升级openssl为1.1及以后版本
升级方法
# wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
# tar xvf openssl-1.1.1g.tar.gz
# cd openssl-1.1.1g/
# ./config
# make && make install
# cp libcrypto.so.1.1 libssl.so.1.1 /usr/lib64/
查看版本(如果版本没更新,另外开一个窗口执行就可以了)
# openssl version
OpenSSL 1.1.1g 21 Apr 20204.3 创建minio访问kes所需私钥和证书
使用kes创建minio所需私钥和证书(此证书和私钥及密钥务必保存好)
# kes tool identity new --key=minio.key --cert=minio.cert MinIO
查看证书身份信息(kes配置文件server-config.yml的identities需要配置下面命令的输出内容)
# kes tool identity of minio.cert
Identity: 7bfa6c28975e1d8ec885da45511f1352e1dbf8fc601d9c609c9b0a7653aa61ab4.4 编辑kes配置文件
# vim server-config.yml
address: 0.0.0.0:7373
root: disabled # We disable the root identity since we don't need it in this guide
tls:
key : /opt/miniokes/server.key
cert: /opt/miniokes/server.cert
policy:
my-app:
paths:
- /v1/key/create/my-minio-key
- /v1/key/generate/my-minio-key
- /v1/key/decrypt/my-minio-key
identities:
- 7bfa6c28975e1d8ec885da45511f1352e1dbf8fc601d9c609c9b0a7653aa61ab
keys:
fs:
path: /opt/miniokes/keys # Choose a location for your secret keys
讲解:
policy:策略
may-app: 此处设置策略别名,自定义
v1是kes内置的规则库,create,generate,decrypt是权限,my-minio-key即为kes key create my-minio-key -k生成的密钥文件4.5 编写脚本
# mkdir -p /usr/local/kes/bin/
# vim /usr/local/kes/bin/run.sh
#!/bin/bash
#--auth=off,因为是用的自签证书,所有跳过验证
kes server --config=/opt/miniokes/server-config.yml --auth=off
# chmod +x /usr/local/kes/bin/run.sh
创建systemctl管理文件
# vim /usr/lib/systemd/system/kes.service
[Unit]
Description=KES service
Documentation=https://github.com/minio/kes
[Service]
WorkingDirectory=/usr/local/kes/
ExecStart=/usr/local/kes/bin/run.sh
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target4.6 添加开机启动,并启动kes
# systemctl enable kes.service
# systemctl start kes.service4.5 kes创建的私钥及证书创建密钥文件
通过kes创建的私钥及证书创建密钥文件(用于匹配加密规则后的认证)
# export KES_CLIENT_CERT=minio.cert
# export KES_CLIENT_KEY=minio.key
创建加解密所需密钥(一定要保存好,如果丢失将不能)
# kes key create my-minio-key -k
注意:此步骤必须是启动kes服务后,才可执行,否则汇报连不上kes4.7 重启minio和kes
# systemctl restart minio.service
# systemctl restart kes.service五 错误排查
测试的时候打开minio实时日志
# journalctl -u minio.service -f错误实例如下:
错误1:
Error: Post https://192.168.1.170:7373/v1/key/generate/my-minio-key: dial tcp 192.168.1.170:7373: connect: connection refused
此错误表示kes服务没有启动,请启动kes
错误2:
Error: Post https://192.168.1.170:7373/v1/key/generate/my-minio-key: x509: cannot validate certificate for 192.168.1.170 because it doesn't contain any IP SANs .'
表示openssl生成的证书server.cert没有包含IP等信息(比如生成命令:openssl req -new -x509 -days 30 -key server.key -out server.cert -subj "/C=/ST=/L=/O=/CN=localhost" 此处没有-addext "subjectAltName = IP:xxx.xxx.xxx.xxx")
错误3:
Error: Post https://192.168.1.170:7373/v1/key/generate/my-minio-key: x509: certificate signed by unknown authority
表示kes配置文件(/usr/local/minio/etc/minio.conf)没有配置变量 MINIO_KMS_KES_CA_PATH;如果用的是权威机构颁发的证书minio.conf就不需要设置此变量
错误4:
Error: Unable to setup KMS with current KMS config: crypto: '/opt/miniokes/server.key' is not a valid PEM-encoded certificate
表示kes配置文件(/usr/local/minio/etc/minio.conf)MINIO_KMS_KES_CA_PATH变量配置的是/opt/miniokes/server.key,这里需要配置为/opt/miniokes/server.cert
错误5:
Error: prohibited by policy
表示kes配置文件(server-config.yml)的加解密规则不匹配(即配置错误)
错误6:
Error: ciphertext is not authentic
表示加解密证书不匹配,不能加解密(此错误出现在加解密证书更换或者丢失)