@masezou
Last active February 21, 2025 05:03
MinIO Setup for Ubuntu Server (Single Node)
#!/usr/bin/env bash
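#########################################################
# Installer settings.
#
# Each value may be supplied through the environment; the literals below are
# only fallbacks. They are published with this script, so treat them as
# examples and set your own values before running it on a reachable host.
#
# MCLOGINUSER / MCLOGINPASSWORD: account created for everyday console and mc use.
# MINIOPATH: home directory of the service account and parent of the data volume.
MCLOGINUSER=${MCLOGINUSER:-miniologinuser}
MCLOGINPASSWORD=${MCLOGINPASSWORD:-miniologinuser}
MINIOPATH=${MINIOPATH:-/disk/minio}
#########################################################
# Root credentials written to /etc/default/minio once the login user exists.
# The fallback password is single-quoted: inside double quotes the "$@" in it
# would be expanded to the script's arguments, so the stored password would
# silently differ from the one shown here.
MINIO_ROOT_USER=${MINIO_ROOT_USER:-minioadminuser-n0t-t0-Use}
MINIO_ROOT_PASSWORD=${MINIO_ROOT_PASSWORD:-'m!n!0Adm!nUs3r$@1192'}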
### Connectivity probe
# A HEAD request against the download host; any curl failure (DNS, TLS,
# timeout after 5 seconds) aborts the run before anything is installed.
URL="https://dl.min.io"
if curl --head --silent --connect-timeout 5 "$URL" >/dev/null; then
  echo "Connection to $URL is successful."
else
  echo -e "\e[31mError: Unable to reach $URL. Please check your internet connection or firewall settings.\e[0m" >&2
  exit 1
fi
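### Preflight checks ###
# The steps that follow install packages, create a system account and write
# under /etc and /usr/local/bin. Stop here when not root rather than failing
# part-way through and leaving a half-configured host.
if [ "$(id -u)" -ne 0 ]; then
  echo "This script must be run as root." >&2
  exit 1
fi

# Distribution: the string "Ubuntu" must appear in /etc/os-release.
if ! grep -q "Ubuntu" /etc/os-release; then
  echo "This script can only run on Ubuntu." >&2
  exit 1
fi

# Any installed package whose name contains "ubuntu-desktop" (this also
# covers ubuntu-desktop-minimal) marks a desktop installation.
if dpkg-query -W --showformat='${Package}\n' | grep -q 'ubuntu-desktop'; then
  echo "This script cannot run on Ubuntu Desktop." >&2
  exit 1
fi

# VERSION_ID="22.04" becomes 2204 so it can be compared as an integer.
UBUNTU_VERSION=$(grep '^VERSION_ID=' /etc/os-release | cut -d '"' -f2 | tr -d '.')
case "$UBUNTU_VERSION" in
'' | *[!0-9]*)
  # Without this guard the numeric test below prints an error and is skipped.
  echo "Could not read a numeric VERSION_ID from /etc/os-release." >&2
  exit 1
  ;;
esac
if [ "$UBUNTU_VERSION" -lt 2004 ]; then
  echo "This script requires Ubuntu 20.04 LTS or later." >&2
  exit 1
fi

# Memory: MemTotal is reported in kB.
MEM_TOTAL_KB=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
MEM_REQUIRED_KB=$((2 * 1024 * 1024)) # 2GB = 2 * 1024 * 1024 KB
if [ "${MEM_TOTAL_KB:-0}" -lt "$MEM_REQUIRED_KB" ]; then
  echo "At least 2GB of RAM is required." >&2
  exit 1
fi
echo "System meets all requirements. Proceeding..."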
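#### LOCALIP
# The address found here becomes the API endpoint, the certificate CN and the
# IP entry of the certificate's subjectAltName, so it is validated before use.
#
# Interface: first entry of `ip link` whose name is not exactly "lo"
# (filtering on the substring "lo" would also drop names such as wlo1).
ETHDEV=$(ip link | grep -E '^[0-9]+: [a-zA-Z0-9]+' | awk -F': ' '$2 != "lo" {print $2; exit}')
# Names like eth0@if5 carry a peer suffix that `ip addr show` does not accept.
ETHDEV=${ETHDEV%%@*}
if [ -z "$ETHDEV" ]; then
  echo "No non-loopback network interface was found." >&2
  exit 1
fi

# `ip -o` prints one record per address; keep only the first so the value
# stays a single line even when the interface has several IPv4 addresses.
LOCALIPADDR=$(ip -f inet -o addr show "$ETHDEV" | awk '{print $4; exit}' | cut -d/ -f1)
if ! [[ "$LOCALIPADDR" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  echo "Could not determine an IPv4 address for interface ${ETHDEV}." >&2
  exit 1
fi
echo "${LOCALIPADDR}"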
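#########################################################
### Application install
# NOTE(review): the package, the binary and the unit file are installed as
# root straight from the network with no checksum or signature comparison.
# Where that matters, compare the download against a digest obtained from the
# vendor before the dpkg/install step. The unit file is also taken from the
# tip of a branch, so its content can change between runs.
ARCH=$(dpkg --print-architecture)

# Options shared by every download: fail on HTTP errors instead of saving the
# error page, follow redirects, and refuse anything that is not HTTPS.
MINIO_CURL_OPTS=(-fL --proto '=https' --proto-redir '=https')

# Prints a message, removes the scratch directory and stops the script.
abort_minio_install() {
  echo "$1" >&2
  if [ -n "${MINIO_DOWNLOAD_DIR:-}" ]; then
    rm -rf -- "${MINIO_DOWNLOAD_DIR}"
  fi
  exit 1
}

if [ ! -f /usr/local/bin/minio ]; then
  # Download into a private directory instead of the caller's working
  # directory, which may be writable by other users.
  MINIO_DOWNLOAD_DIR=$(mktemp -d) || exit 1
  case "$ARCH" in
  amd64 | arm64 | ppc64le | s390x)
    curl "${MINIO_CURL_OPTS[@]}" -o "${MINIO_DOWNLOAD_DIR}/minio.deb" \
      "https://dl.min.io/server/minio/release/linux-${ARCH}/minio.deb" ||
      abort_minio_install "Failed to download minio.deb."
    dpkg -i "${MINIO_DOWNLOAD_DIR}/minio.deb" ||
      abort_minio_install "dpkg could not install minio.deb."
    ;;
  arm | mips64)
    # NOTE(review): confirm these names against what `dpkg --print-architecture`
    # reports on the intended 32-bit ARM and MIPS targets.
    curl "${MINIO_CURL_OPTS[@]}" -o "${MINIO_DOWNLOAD_DIR}/minio" \
      "https://dl.min.io/server/minio/release/linux-${ARCH}/minio" ||
      abort_minio_install "Failed to download the minio binary."
    install -m 0755 "${MINIO_DOWNLOAD_DIR}/minio" /usr/local/bin/minio
    if [ ! -f /etc/systemd/system/minio.service ]; then
      # Fetch to the scratch directory first so a failed download never
      # leaves a partial unit file in /etc/systemd/system.
      curl "${MINIO_CURL_OPTS[@]}" -o "${MINIO_DOWNLOAD_DIR}/minio.service" \
        https://raw.githubusercontent.com/minio/minio-service/master/linux-systemd/minio.service ||
        abort_minio_install "Failed to download minio.service."
      install -m 0644 "${MINIO_DOWNLOAD_DIR}/minio.service" /etc/systemd/system/minio.service
      # The downloaded unit points at /opt/bin; the binary lives in /usr/local/bin.
      sed -i -e "s@/opt/bin/@/usr/local/bin/@g" /etc/systemd/system/minio.service
    fi
    ;;
  *)
    abort_minio_install "It is unsupported archtecture."
    ;;
  esac
  rm -rf -- "${MINIO_DOWNLOAD_DIR:?}"
fi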
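### MinIO client (mc)
# NOTE(review): as with the server, the client binary is installed as root
# without comparing it against a published digest, and `mc update` replaces it
# in place with whatever release is current.
if type "mc" >/dev/null 2>&1; then
  mc update
  echo -e "\e[32mmc OK. \e[m"
else
  # Private scratch directory: avoids writing the download into a working
  # directory that other users may control.
  MC_DOWNLOAD_DIR=$(mktemp -d) || exit 1
  # -f makes an HTTP error a failure instead of saving the error page as "mc";
  # the --proto options keep the transfer, including redirects, on HTTPS.
  if ! curl -fL --proto '=https' --proto-redir '=https' \
    -o "${MC_DOWNLOAD_DIR}/mc" \
    "https://dl.min.io/client/mc/release/linux-${ARCH}/mc"; then
    echo "Failed to download mc." >&2
    rm -rf -- "${MC_DOWNLOAD_DIR}"
    exit 1
  fi
  install -m 0755 "${MC_DOWNLOAD_DIR}/mc" /usr/local/bin/mc
  rm -rf -- "${MC_DOWNLOAD_DIR:?}"
  mkdir -p /etc/bash_completion.d
  echo "complete -C /usr/local/bin/mc mc" >/etc/bash_completion.d/mc.sh
  mc update
  source /etc/bash_completion.d/mc.sh
fi
mc --version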
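### Setup MinIO directory
# Create the data volume whenever it is missing, not only when MINIOPATH
# itself is missing. Mode 750 keeps stored objects unreadable for other local
# accounts; ownership is handed to the service account below.
if [ ! -d "${MINIOPATH}/data/data1" ]; then
  mkdir -p "${MINIOPATH}/data/data1"
  chmod -R 750 "${MINIOPATH}/data/data1"
fi

# System account without a login shell; its home is MINIOPATH. Skipped when
# the account already exists so the script can be run again.
if ! id -u minio-user >/dev/null 2>&1; then
  useradd -r -s /sbin/nologin -d "${MINIOPATH}" minio-user
fi

# The group is minio-user (as in the later chown of the same tree); the
# previous "miniouser" spelling named a group this script never creates.
# NOTE(review): assumes useradd created a same-named group - confirm on hosts
# where per-user groups are disabled.
chown -R minio-user:minio-user "${MINIOPATH}"
chmod -R u+rwx "${MINIOPATH}"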
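### TLS material (generated only when no server certificate exists yet)
# A private CA signs a server certificate whose subjectAltName holds the host
# name and the detected IPv4 address. The server certificate is valid for 365
# days and, because of the guard below, is not renewed by re-running the script.
if [ ! -f "${MINIOPATH}/.minio/certs/public.crt" ]; then
  mkdir -p "${MINIOPATH}/.minio/certs/CAs"
  cd "${MINIOPATH}/.minio/certs/" || exit 1
  LOCALHOSTNAME=$(cat /etc/hostname)

  # Generate both private keys under a restrictive umask so they are never
  # readable by other accounts, not even briefly.
  (
    umask 077
    openssl genrsa -out rootCA.key 4096
    openssl genrsa -out private.key 2048
  )

  openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1825 -out rootCA.pem -subj "/C=JP/ST=Tokyo/L=Nerima/O=cloudshift.corp/OU=development/CN=exmaple CA"
  openssl req -subj "/CN=${LOCALIPADDR}" -sha256 -new -key private.key -out cert.csr
  cat <<EOF >extfile.conf
subjectAltName = DNS:${LOCALHOSTNAME}, IP:${LOCALIPADDR}
EOF
  openssl x509 -req -days 365 -sha256 -in cert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out public.crt -extfile extfile.conf
  chmod 600 ./private.key ./rootCA.key
  chmod 600 ./public.crt
  chmod 600 ./rootCA.pem
  cp ./rootCA.pem "${MINIOPATH}/.minio/certs/CAs"
  # Show the IP entry of the issued certificate as a quick sanity check.
  openssl x509 -in public.crt -text -noout | grep IP
  chown -R minio-user "${MINIOPATH}/.minio"

  # Trust the server certificate for root's mc and for the system store.
  mkdir -p ~/.mc/certs/CAs
  cp public.crt ~/.mc/certs/CAs/
  # A certificate is public data; 0644 lets non-root processes that consult
  # the system store read it (a plain cp would carry over the 0600 mode).
  install -m 0644 "${MINIOPATH}/.minio/certs/public.crt" /usr/share/ca-certificates/minio.crt
  # Register the file once only, even if this branch runs again later.
  grep -qxF "minio.crt" /etc/ca-certificates.conf || echo "minio.crt" >>/etc/ca-certificates.conf
  update-ca-certificates
  cd || exit
fi
chown -R minio-user:minio-user "${MINIOPATH}"

# The CA signing key is only needed to issue certificates. Take it back from
# the service account after the recursive chown so that the MinIO process
# cannot read it. For anything beyond a lab host, store this key off the server.
if [ -f "${MINIOPATH}/.minio/certs/rootCA.key" ]; then
  chown root:root "${MINIOPATH}/.minio/certs/rootCA.key"
  chmod 600 "${MINIOPATH}/.minio/certs/rootCA.key"
fi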
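### Service environment file
# /etc/default/minio holds the root credentials: first the bootstrap pair
# written here, later the real ones. Create it empty with mode 0600 before
# any secret is written, so it is never world-readable.
if [ ! -f /etc/default/minio ]; then
  install -m 0600 /dev/null /etc/default/minio
  cat <<EOT >/etc/default/minio
# Volume to be used for MinIO server.
MINIO_VOLUMES="${MINIOPATH}/data/data1"
# Use if you want to run MinIO on a custom port.
MINIO_OPTS="--address :9000 --console-address :9001"
# Access Key of the server.
MINIO_ROOT_USER=miniorootuser
# Secret key of the server.
MINIO_ROOT_PASSWORD=miniorootuser
MINIO_API_ROOT_ACCESS=on
MINIO_COMPRESSION_ENABLE=on
MINIO_COMPRESSION_EXTENSIONS=".txt, .log, .csv, .json, .tar, .xml, .bin"
MINIO_BROWSER=on
MINIO_BROWSER_LOGIN_ANIMATION=on
MINIO_BROWSER_SESSION_DURATION=12h
MINIO_BROWSER_CONTENT_SECURITY_POLICY="default-src 'self' 'unsafe-eval' 'unsafe-inline';"
EOT
fi
# Also tighten a file that already existed; `sed -i` keeps this mode when the
# credentials are rewritten later in the script.
chmod 600 /etc/default/minio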
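### Start MinIO, create the login user, rotate the root credentials
# The service first starts with the bootstrap pair miniorootuser/miniorootuser
# from /etc/default/minio. The firewall ports are therefore opened only at the
# end of this section, after those credentials have been replaced and root API
# access has been switched off.
# NOTE(review): if ufw is inactive, the listener is reachable during the
# bootstrap window regardless. Run the installer on an isolated network, or
# seed the file with non-default bootstrap credentials.
systemctl enable --now minio.service
systemctl status minio.service --no-pager
sleep 3 # give the server time to start listening
MINIO_ENDPOINT=https://${LOCALIPADDR}:9000
mc alias rm local
mc alias set local "${MINIO_ENDPOINT}" miniorootuser miniorootuser --api S3v4
# NOTE(review): the secrets below are passed as command-line arguments and are
# visible in the process list while each command runs.
mc admin user add local "${MCLOGINUSER}" "${MCLOGINPASSWORD}"
# The login user receives MinIO's built-in consoleAdmin policy.
mc admin policy attach local consoleAdmin --user "${MCLOGINUSER}"

# Escapes the characters that are special in a sed replacement (backslash,
# "/" and "&") so that arbitrary credentials are written back literally.
escape_sed_replacement() {
  printf '%s' "$1" | sed -e 's|[\\/&]|\\&|g'
}
ROOT_USER_ESCAPED=$(escape_sed_replacement "${MINIO_ROOT_USER}")
ROOT_PASSWORD_ESCAPED=$(escape_sed_replacement "${MINIO_ROOT_PASSWORD}")

sed -i "s/MINIO_API_ROOT_ACCESS=on/MINIO_API_ROOT_ACCESS=off/g" /etc/default/minio
sed -i "s/^MINIO_ROOT_USER=.*$/MINIO_ROOT_USER=${ROOT_USER_ESCAPED}/" /etc/default/minio
sed -i "s/^MINIO_ROOT_PASSWORD=.*$/MINIO_ROOT_PASSWORD=${ROOT_PASSWORD_ESCAPED}/" /etc/default/minio
systemctl daemon-reload
systemctl restart minio.service
sleep 3
mc alias rm local
mc alias set local "${MINIO_ENDPOINT}" "${MCLOGINUSER}" "${MCLOGINPASSWORD}" --api S3v4

### Open Firewall
# These rules admit any source address. To limit access to known networks use
# the form `ufw allow from <CIDR> to any port 9000 proto tcp` instead.
ufw allow 9000
ufw allow 9001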
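### Additional policies restricted to private (RFC 1918) source addresses
# Policy documents are staged in a root-only temporary directory. Writing
# fixed file names as root inside MINIOPATH, which belongs to the service
# account, would let that account pre-place a link at one of those names.
#
# Nothing in this section attaches the policies to a user or group; they are
# only registered on the server under the names given below.
POLICY_TMPDIR=$(mktemp -d) || exit 1

# Registers one policy on the "local" alias.
# Arguments: $1 - policy name
# Input:     the policy JSON on stdin
create_local_policy() {
  local policy_name=$1
  local policy_file="${POLICY_TMPDIR}/${policy_name}.json"
  cat >"${policy_file}"
  mc admin policy create local "${policy_name}" "${policy_file}"
  rm -f -- "${policy_file}"
}

# consoleAdmin-local: only the s3:* statement has the source-IP condition;
# the admin:* and kms:* statements are unconditional.
create_local_policy consoleAdmin-local <<'EOF'
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"admin:*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
}
}
}
]
}
EOF

# diagnostics-local: read-only monitoring and tracing actions.
# NOTE(review): admin actions are combined with an S3 resource ARN and a
# condition here - verify that the server accepts and enforces this as intended.
create_local_policy diagnostics-local <<'EOF'
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"admin:BandwidthMonitor",
"admin:ConsoleLog",
"admin:OBDInfo",
"admin:Profiling",
"admin:Prometheus",
"admin:ServerInfo",
"admin:ServerTrace",
"admin:TopLocksInfo"
],
"Resource": [
"arn:aws:s3:::*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
}
}
}
]
}
EOF

# readwrite-local: every S3 action on every bucket.
create_local_policy readwrite-local <<'EOF'
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
}
}
}
]
}
EOF

# readonly-local: bucket location lookup and object download only.
create_local_policy readonly-local <<'EOF'
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
}
}
}
]
}
EOF

# writeonly-local: object upload only.
create_local_policy writeonly-local <<'EOF'
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
}
}
}
]
}
EOF

rm -rf -- "${POLICY_TMPDIR:?}"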
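# SUDO Login
# When the installer was started through sudo, give the invoking user the same
# trusted certificate and the same "local" alias as root.
if [ -n "${SUDO_USER:-}" ]; then
  # Look the home directory up in the account database; fall back to
  # /home/<user> when the lookup returns nothing.
  SUDO_USER_HOME=$(getent passwd "${SUDO_USER}" | cut -d: -f6)
  SUDO_USER_HOME=${SUDO_USER_HOME:-/home/${SUDO_USER}}
  mkdir -p "${SUDO_USER_HOME}/.mc/certs/CAs/"
  cp ~/.mc/certs/CAs/public.crt "${SUDO_USER_HOME}/.mc/certs/CAs/"
  chown -R "${SUDO_USER}" "${SUDO_USER_HOME}/.mc/"
  sudo -u "${SUDO_USER}" mc alias rm local
  # NOTE(review): the secret key is passed as an argument and is visible in
  # the process list while the command runs.
  sudo -u "${SUDO_USER}" mc alias set local "${MINIO_ENDPOINT}" "${MCLOGINUSER}" "${MCLOGINPASSWORD}" --api S3v4
fi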
### Final report
# Shows server status and the configured alias, then a summary of endpoints
# and credentials. The login password is printed in clear text, so it ends up
# in terminal scrollback and in any log that captures this script's output.

# Prints one summary line in green.
print_green() {
  echo -e "\e[32m $1 \e[m"
}

echo ""
mc admin info local/
mc alias list local
echo ""
echo "minio and mc were installed and configured successfully"
echo "*************************************************************************************"
print_green "Minio API endpoint is ${MINIO_ENDPOINT}"
print_green "Access Key: ${MCLOGINUSER}"
print_green "Secret Key ${MCLOGINPASSWORD}"
print_green "Minio console is https://${LOCALIPADDR}:9001"
print_green "username: ${MCLOGINUSER}"
print_green "password: ${MCLOGINPASSWORD}"
print_green "mc command's profile: local"
echo ""
echo "*************************************************************************************"
echo "Next Step"
echo "source /etc/bash_completion.d/mc.sh or re-login"