DEV Community: RD17🧑🏽‍💻

How to Set Up Minio Object Storage on Linux with Systemd

RD17🧑🏽‍💻 — Tue, 03 Sep 2024 10:27:44 +0000

Introduction:

Minio is an open-source object storage server that is compatible with the Amazon S3 API. It is a lightweight, high-performance solution for storing large amounts of unstructured data like images, videos, log files, and backups. This guide will take you through the process of installing Minio on a Linux server and configuring it to run as a systemd service.

Prerequisites:

A Linux server with root or sudo access.
Internet access to download the Minio binary.

Step 1: Set Up Directories

The first step is to create the necessary directories for the Minio installation and backup storage.

mkdir -p /opt/minio/bin
mkdir /backup

/opt/minio/bin:- will hold the Minio server binary.
/backup:- will be the data partition where Minio stores its objects.

Step 2: Create a Minio User

Next, we’ll create a dedicated user for running the Minio service. This user will have no login privileges and will be used solely to manage Minio.

useradd -s /sbin/nologin -d /opt/minio minio

This command creates a new user named minio with no shell access and sets /opt/minio as its home directory.

Step 3: Install the Minio Server Binary

We’ll now download the Minio server binary and set it to be executable.

wget https://dl.min.io/server/minio/release/linux-amd64/minio -O /opt/minio/bin/minio
chmod +x /opt/minio/bin/minio

This command fetches the Linux x64 binary of the Minio server and ensures that it is executable.

Step 4: Create a Minio Configuration File

Minio requires a configuration file to define key environment variables, such as the location of the data partition. We’ll create this file under /opt/minio/.

vim /opt/minio/minio.conf

Add the following lines:

MINIO_VOLUMES="/backup"
MINIO_OPTS="--console-address :9001"
MINIO_ROOT_USER="root"
MINIO_ROOT_PASSWORD="Minio1234"

This configuration specifies:

MINIO_VOLUMES:- The directory where Minio will store data.
MINIO_OPTS:- Custom options, in this case, setting the console to be accessible on port 9001.
MINIO_ROOT_USER and MINIO_ROOT_PASSWORD:- Credentials for accessing the Minio server.

Step 5: Set File Permissions

To ensure that the minio user has the necessary permissions, we’ll change the ownership of the /opt/minio and /backup directories.

chown -R minio:minio /opt/minio
chown -R minio:minio /backup

This command recursively sets the ownership of all files and directories under /opt/minio and /backup to the minio user and group.

Step 6: Configure Minio as a Systemd Service

Systemd is a system and service manager for Linux. We’ll create a systemd service file for Minio, which will allow us to start, stop, and manage Minio like any other service.

Create the service file:

vim /etc/systemd/system/minio.service

Copy the following configuration into the file:

[Unit]
Description=Minio
Documentation=https://docs.minio.io
Wants=network-online.target
After=network-online.target
AssertFileIsExecutable=/opt/minio/bin/minio

[Service]
WorkingDirectory=/opt/minio

User=minio
Group=minio

#PermissionsStartOnly=true

EnvironmentFile=-/opt/minio/minio.conf
ExecStartPre=/bin/bash -c "[ -n \"${MINIO_VOLUMES}\" ] || echo \"Variable MINIO_VOLUMES not set in /opt/minio/minio.conf\""

ExecStart=/opt/minio/bin/minio server $MINIO_OPTS $MINIO_VOLUMES 
StandardOutput=journal
StandardError=inherit
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop Minio
KillSignal=SIGTERM
SendSIGKILL=no
SuccessExitStatus=0
[Install]
WantedBy=multi-user.target

This configuration ensures that Minio starts with the correct environment settings and permissions, integrating smoothly with the Linux service management framework.

Step 7: Enable and Start the Minio Service

To make sure Minio starts on boot and runs immediately, enable and start the service using the following commands:

systemctl enable minio
systemctl start minio

Step 8: Verify Minio Service Status

Finally, confirm that the Minio service is running correctly by checking its status:

systemctl status minio

You should see an output indicating that the service is active and running without issues.

Step 9: Secure Minio with SSL/TLS

Additionally, to secure Minio with SSL/TLS encryption, follow these steps:

Generate a Self-Signed SSL/TLS Certificate

Use the script below to generate a self-signed certificate:

#!/bin/bash

# Prompt the user for each part of the subject
read -p "Enter Country (e.g., US): " COUNTRY
read -p "Enter State (e.g., California): " STATE
read -p "Enter Locality (e.g., San Francisco): " LOCALITY
read -p "Enter Organization (e.g., MyCompany): " ORGANIZATION
read -p "Enter Organizational Unit (e.g., IT): " ORG_UNIT
read -p "Enter Common Name (e.g., domain.com): " COMMON_NAME

# Construct the subject string
SUBJECT="/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORGANIZATION/OU=$ORG_UNIT/CN=$COMMON_NAME"

# Prompt the user for the domain names or IPs to include in the SAN (Subject Alternative Name)
read -p "Enter the domain names or IP addresses for the SAN (comma-separated, e.g., domain.com, www.domain.com, 192.168.1.1): " DOMAINS

# Generate CA key and certificate
openssl genrsa -out CAcert.key 4096
openssl req -x509 -new -nodes -key CAcert.key -sha512 -days 3650 -out CAcert.crt -subj "$SUBJECT"

# Generate server key
openssl genrsa -out Server.key 4096

# Generate a CSR using the server key
openssl req -sha512 -new -key Server.key -out Server.csr -subj "$SUBJECT"

# Create v3.ext file with SAN entries
echo "authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]" > v3.ext

# Convert the comma-separated domains/IPs into the v3.ext format
IFS=',' read -ra ADDR <<< "$DOMAINS"
for i in "${!ADDR[@]}"; do
    # Check if the input is an IP address or domain
    if [[ "${ADDR[$i]}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
        echo "IP.$(($i + 1))=${ADDR[$i]}" >> v3.ext
    else
        echo "DNS.$(($i + 1))=${ADDR[$i]}" >> v3.ext
    fi
done

# Generate the server certificate using the CSR and CA certificate
openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA CAcert.crt -CAkey CAcert.key -CAcreateserial \
    -in Server.csr \
    -out Server.crt

# Clean up the serial file and CSR
rm -f Server.csr CAcert.srl

# Notify user of completion
echo "Self-signed SSL certificate and key have been generated:"
echo "CA Certificate: CAcert.crt"
echo "CA Key: CAcert.key"
echo "Server Certificate: Server.crt"
echo "Server Key: Server.key"

Rename certificates

Rename the generated certificate files for Minio:

mv Server.crt public.crt
mv Server.key private.key

Create the necessary directories for the certificate and copy ssl certificates in these directories

Create directories for the certificates and copy them into the appropriate locations:

mkdir -p /opt/minio/certs/CAs
mkdir -p /opt/minio/certs/internal-example.net
mkdir -p /opt/minio/certs/s3-example.net

Copy Certificates

Copy the certificates to the newly created directories:

cp CAcert.crt /opt/minio/certs/CAs
cp CAcert.key /opt/minio/certs/CAs
cp public.crt /opt/minio/certs/internal-example.net
cp private.key /opt/minio/certs/internal-example.net
cp public.crt /opt/minio/certs/s3-example.net
cp private.key /opt/minio/certs/s3-example.net
cp public.crt /opt/minio/certs
cp private.key /opt/minio/certs
chmod +x minio:minio /opt/minio/certs

Update Minio Configuration for SSL/TLS

Edit the Minio configuration file to include the SSL certificate and key paths:

vim /opt/minio/minio.conf

Add or update the following lines:

MINIO_OPTS="--console-address :9001 --certs-dir /opt/minio/certs"

Restart Minio Service

Restart the Minio service to apply the new SSL/TLS configuration:

systemctl restart minio

Verify SSL/TLS Configuration

Access Minio via HTTPS at your domain. You should see that the connection is secured with SSL/TLS.

Conclusion:

By following these steps, Minio is now configured to securely handle your object storage needs, offering a reliable and scalable solution. If you have any questions or encounter issues, feel free to comment below. Keep exploring Linux and Kubernetes!

Deploying and Managing Contour Ingress Controller on Kubernetes

RD17🧑🏽‍💻 — Mon, 02 Sep 2024 08:32:45 +0000

Introduction

In the Kubernetes ecosystem, managing external access to services within your cluster is a critical task. While NGINX is a popular choice for Ingress controllers, Contour, an Envoy-based Ingress controller, offers a powerful alternative with its high performance, scalability, and deep integration with the Envoy proxy. In this post, we’ll guide you through deploying Contour as an Ingress controller on your Kubernetes cluster.

What is Contour?

Contour is a Kubernetes-native Ingress controller that uses Envoy as its data plane. It provides advanced features such as dynamic service discovery, load balancing, and routing for your applications. With Contour, you gain fine-grained control over your traffic management, making it an excellent choice for modern microservices architectures.

Why Contour?

Contour bridges gaps found in other solutions by offering several key advantages:

Dynamic Configuration Updates: Contour dynamically updates Ingress configurations with minimal dropped connections, ensuring high availability and seamless transitions during changes.
Multi-Tenancy Support: It safely supports various types of Ingress configurations, making it ideal for multi-team Kubernetes clusters where different teams might have different requirements.
Broad Protocol Support: Contour supports multiple Ingress types, including Ingress/v1, HTTPProxy (a custom resource defined by Contour), and the emerging Gateway API, giving you flexibility in managing traffic.
Seamless Kubernetes Integration: Contour integrates cleanly with the Kubernetes object model, providing a native experience that leverages the full power of Kubernetes for traffic management.

Prerequisites

Before we begin, ensure you have the following:

A running Kubernetes cluster. (Minikube, AKS, EKS, GKE, or any other)
kubectl command-line tool configured to interact with your cluster.
Helm installed on your local machine.

Step 1: Deploy Contour with Helm

Contour can be deployed quickly using Helm. First, add the Contour Helm repository:

helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update

Now, install Contour with the following command:

helm install contour bitnami/contour --namespace contour --create-namespace

Step 2: Verify the Installation

After the installation is complete, verify that the Nginx Ingress Controller is running:

Check Pods

kubectl get pods -n contour

Check Services

kubectl get svc -n contour

You should see an output indicating that the contour Ingress Controller pods are running and that a service of type LoadBalancer is available.

Step 3: Deploy an Nginx Pod

To demonstrate the functionality of the contour Ingress Controller, we'll deploy a simple Nginx pod and expose it using a service.

Deploy an NGINX Pod
Deploying a pod is straightforward with the kubectl run command. This command creates a deployment with a single NGINX pod.

kubectl run nginx-pod --image=nginx

Expose the NGINX Pod
To access the NGINX pod, you need to expose it. Let’s create a Service of type ClusterIP:

kubectl expose pod nginx-pod --port=80 --type=ClusterIP --name=nginx-service

Step 4: Create a Secret for the SSL Certificate

If you plan to use TLS with your Ingress resource, you need to create a Kubernetes Secret to store your SSL certificate and private key.

Convert SSL Certificate to Base64

First, convert your SSL certificate (tls.crt) and private key (tls.key) to base64:

cat tls.crt | base64
cat tls.key | base64

Create the Secret File:
Create a file named contour-tls-secret.yaml with the following content, replacing and with the actual base64 encoded values:

apiVersion: v1
kind: Secret
metadata:
  name: example-tls
  namespace: default
data:
  tls.crt: <base64 encoded cert>
  tls.key: <base64 encoded key>
type: kubernetes.io/tls

Deploy the Secret:

kubectl create -f contour-tls-secret.yaml

Step 5: Expose Your Application Using Ingress

Create an Ingress resource to expose your application, including TLS configuration:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: contour
spec:
  tls:
  - hosts:
    - example.com
    secretName: example-tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80

Apply the configuration:

kubectl apply -f example-ingress.yaml

Step 6: Use HTTPProxy for Advanced Routing and TLS

For more complex scenarios, create an HTTPProxy resource with TLS:

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: simple-httpproxy
  namespace: default
spec:
  virtualhost:
    fqdn: example.com
    tls:
      secretName: example-tls-secret
  routes:
  - conditions:
    - prefix: /
    services:
    - name: example-servic
      port: 80

Apply the configuration:

kubectl apply -f example-httpproxy.yaml

Step 7: Verifying Ingress and HTTPProxy Resources

Once you've deployed the Ingress resource or HTTPProxy resource, you can verify their status using the following commands:

Check Ingress Resources:

kubectl get ingress

Check HTTPProxy Resources:

kubectl get httpproxy

Step 8: Configure DNS Entry

After deploying the Contour Ingress resource or the HTTPProxy resource, you need to map your domain name (e.g., example.com) to the external IP address of the Contour Ingress Controller's load balancer.

Get the Load Balancer IP:

Run the following command to get the external IP address

kubectl get svc contour-envoy --namespace contour

Update DNS Record:

Once you have the external IP address, update the DNS record for your domain to point to this IP address. This process will vary depending on your DNS provider, but generally, you will need to create an A record for example.com with the external IP address.

Conclusion

By following these steps, the Contour Ingress Controller is now successfully deployed in your Kubernetes cluster using Helm.

If you have any questions or encounter issues, feel free to comment below. Keep exploring Kubernetes and happy learning!

Deploying Nginx Ingress Controller Using Helm in Kubernetes.

RD17🧑🏽‍💻 — Sun, 28 Jul 2024 16:03:59 +0000

Introduction

In Kubernetes, an Ingress Controller is essential for managing external access to services within your cluster, typically HTTP and HTTPS. The Nginx Ingress Controller is one of the most popular Ingress Controllers available. This guide will walk you through deploying the Nginx Ingress Controller using Helm, a powerful package manager for Kubernetes.

Prerequisites

Before we begin, ensure you have the following:

A running Kubernetes cluster. (Minikube, AKS, EKS, GKE, or any other)
kubectl command-line tool configured to interact with your cluster.
Helm installed on your local machine.

Step 1: Install Helm

If you haven't installed Helm yet, you can do so using the following commands:

On MacOS

 brew install helm

On Linux

curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash

On Windows(From Chocolatey/Scoop/Winget)

choco install kubernetes-helm
scoop install helm
winget install Helm.Helm

Verify your Helm installation:

helm version

Step 2: Add the Nginx Ingress Helm Repository

Helm uses repositories to distribute charts. We need to add the official Nginx Ingress repository:

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

This command adds the ingress-nginx repository and updates your Helm repository list to ensure you have the latest charts.

Step 3: Install the Nginx Ingress Controller

Now, let's install the Nginx Ingress Controller using the Helm chart. We'll name our release k8s-nginx-ingress and install it into a new namespace called ingress-nginx.

helm install k8s-nginx-ingress ingress-nginx/ingress-nginx --namespace ingress-nginx --create-namespace

Breakdown of the Command:

helm install: Command to install a Helm chart.
k8s-nginx-ingress: Name of the Helm release.
ingress-nginx/ingress-nginx: Specifies the chart to install from the ingress-nginx repository.
--namespace ingress-nginx: Namespace in which to install the Ingress Controller.
--create-namespace: Creates the namespace if it doesn’t already exist.

Step 4: Verify the Installation

After the installation is complete, verify that the Nginx Ingress Controller is running:

Check Pods

kubectl get pods -n ingress-nginx

Check Services

kubectl get svc -n ingress-nginx

You should see an output indicating that the Nginx Ingress Controller pods are running and that a service of type LoadBalancer (or NodePort in some environments) is available.

Step 5: Deploy an Nginx Pod

To demonstrate the functionality of the Nginx Ingress Controller, we'll deploy a simple Nginx pod and expose it using a service.

Deploy an NGINX Pod
Deploying a pod is straightforward with the kubectl run command. This command creates a deployment with a single NGINX pod.

kubectl run nginx-pod --image=nginx

Expose the NGINX Pod
To access the NGINX pod, you need to expose it. Let’s create a Service of type ClusterIP:

kubectl expose pod nginx-pod --port=80 --type=ClusterIP --name=nginx-service

Step 6: Create a Secret for the SSL Certificate

If you plan to use TLS with your Ingress resource, you need to create a Kubernetes Secret to store your SSL certificate and private key.

Convert SSL Certificate to Base64
First, convert your SSL certificate (tls.crt) and private key (tls.key) to base64:

cat tls.crt | base64
cat tls.key | base64

Create the Secret File
Create a file named nginx-tls-secret.yaml with the following content, replacing and with the actual base64 encoded values:

apiVersion: v1
kind: Secret
metadata:
  name: example-tls
  namespace: default
data:
  tls.crt: <base64 encoded cert>
  tls.key: <base64 encoded key>
type: kubernetes.io/tls

Deploy the Secret

kubectl create -f nginx-tls-secret.yaml

Step 7: Create an Ingress Resource

With the Nginx Ingress Controller and the Nginx pod running, you can now create an Ingress resource to route traffic to the Nginx service.

Example Ingress Resource
Create a file named nginx-ingress.yaml with the following content:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-example
  namespace: default
spec:
  ingressClassName: nginx
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: 
                name: nginx-service
                port:
                  number: 80
  # This section is only required if TLS is to be enabled for the Ingress
  tls:
    - hosts:
      - example.com
      secretName: example-tls

Deploy the Ingress Resource

kubectl create -f nginx-ingress.yaml

Step 8: Configure DNS Entry

After deploying the Nginx Ingress Controller and the Ingress resource, you need to map your domain name (example.com) to the external IP address of the Nginx Ingress Controller's load balancer.

Get the Load Balancer IP
Run the following command to get the external IP address assigned to the Nginx Ingress Controller's load balancer:

kubectl get svc -n ingress-nginx

Update DNS Record
Once you have the external IP address, update the DNS record for your domain to point to this IP address. This process will vary depending on your DNS provider, but generally, you will need to create an A record for example.com with the external IP address.

Conclusion

By following these steps, the Nginx Ingress Controller is now deployed in the Kubernetes cluster using Helm.

If you have any questions or encounter issues, feel free to comment below. Keep exploring Kubernetes!

Deploying Nginx on Linux (RHEL and Ubuntu)

RD17🧑🏽‍💻 — Thu, 18 Jul 2024 09:59:34 +0000

Nginx is a popular open-source web server used for serving static content, reverse proxying, load balancing, and more. This guide will walk you through installing and configuring Nginx on both RHEL and Ubuntu Linux distributions.

Prerequisites

A running instance of either RHEL or Ubuntu.
Root or sudo privileges.

Step 1: Update the System

Before installing any new packages, it’s a good practice to update your package index.

##For RHEL:

sudo yum update -y

##For Ubuntu:

sudo apt update -y
sudo apt upgrade -y

Step 2: Install Nginx

##For RHEL:

Enable the EPEL repository:

sudo yum install epel-release -y

Install Nginx:

sudo yum install nginx -y

##For Ubuntu:

Install Nginx:

sudo apt install nginx -y

Step 3: Start and Enable Nginx

Ensure that Nginx starts on boot and is running.

##For RHEL:

sudo systemctl start nginx
sudo systemctl enable nginx

##For Ubuntu:

sudo systemctl start nginx
sudo systemctl enable nginx

Step 4: Configure Firewall

Allow HTTP and HTTPS traffic through the firewall.

##For RHEL:

sudo firewall-cmd --zone=public --permanent --add-service=http
sudo firewall-cmd --zone=public --permanent --add-service=https
sudo firewall-cmd --reload

##For Ubuntu:

sudo ufw allow 'Nginx Full'

Step 5: Verify Nginx Installation

To verify that Nginx is installed and running, open a web browser and navigate to your server's IP address. You should see the default Nginx welcome page.

Alternatively, you can use the following command to check Nginx’s status:

sudo systemctl status nginx

Step 6: Basic Nginx Configuration

Nginx configuration files are located in /etc/nginx directory.

Main Configuration File:
The main configuration file is located at /etc/nginx/nginx.conf.
Site-Specific Configuration:
For RHEL: /etc/nginx/conf.d/default.conf
For Ubuntu: /etc/nginx/sites-available/default

Editing the Configuration

You can edit the default configuration file to customize your Nginx setup. For example, to change the root directory of your web server or to set up a reverse proxy.

sudo vim /etc/nginx/nginx.conf

After making changes, you need to restart Nginx to apply the changes:

sudo systemctl restart nginx

Step 7: Creating a Simple Website

To create a simple HTML page served by Nginx, follow these steps:

Create a directory for your website:

sudo mkdir -p /var/www/html

Create an HTML file:

sudo vim /var/www/html/index.html

Add the following content:

<!DOCTYPE html>
<html>
<head>
    <title>Welcome to Nginx</title>
</head>
<body>
    <h1>Hello, World!</h1>
    <p>This is a simple web page served by Nginx on Linux.</p>
</body>
</html>

Point Nginx to your website directory:

Edit the site-specific configuration file to set the root directory.

##For RHEL:

sudo vim /etc/nginx/conf.d/default.conf

##For Ubuntu:

sudo vim /etc/nginx/sites-available/default

Change the root directive to your new directory:

server {
    listen 80;
    server_name your_domain_or_IP;

    root /var/www/html;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}

Restart Nginx:

sudo systemctl restart nginx

Now, navigate to your server's IP address in a web browser, and you should see your "Hello, World!" page.

Conclusion

You have successfully installed and configured Nginx on both RHEL and Ubuntu servers. From here, you can further customize Nginx to suit your needs, whether it's for serving static content, setting up reverse proxies, or load balancing. Happy hosting!