Step-by-step: building a MinIO distributed cluster
Requirements:
- MinIO cluster size: 2 nodes, 2 disks per node.
- MinIO domain: test_minio.com
- Data directories: /opt/minio/data1, /opt/minio/data2
- Both nodes use the same certificate
- Firewall disabled
Recommendation: follow the official English documentation.
1. Linux scenario: building the MinIO distributed cluster
1.1 Define the MinIO directory layout
```text
[root@192 opt]# tree -f minio/
minio
├── minio/bin                      # binaries
│   └── minio/bin/minio
├── minio/certs                    # TLS certificate files
│   ├── minio/certs/private.key    # private key
│   └── minio/certs/public.crt     # certificate
├── minio/config                   # configuration directory
├── minio/data1                    # MinIO data directory 1
├── minio/data2                    # MinIO data directory 2
├── minio/log                      # log directory
│   └── minio/log/minio.log        # log file
└── minio/run                      # custom scripts
    ├── minio/run/create_cert.sh   # certificate generation script
    ├── minio/run/minio.service    # MinIO systemd unit file
    ├── minio/run/stop.sh          # MinIO stop script
    └── minio/run/start.sh         # MinIO start script

8 directories, 9 files
```
1.2 Define minio.service and the start/stop scripts
- minio.service file
```ini
[Unit]
Description=Minio service
Documentation=This is a Minio Service.
[Service]
Type=forking
# Seconds to wait for the service to start; a TimeoutStartSec of 0 disables the timeout check.
TimeoutStartSec=10
# Working directory
WorkingDirectory=/opt/minio
# User the service runs as (this post runs MinIO as root; a dedicated unprivileged
# user that owns /opt/minio is the usual hardening)
User=root
# Group the service runs as
Group=root
Restart=on-failure
RestartSec=15s
ExecStart=/opt/minio/run/start.sh
ExecStop=/opt/minio/run/stop.sh
[Install]
WantedBy=multi-user.target
```
- start.sh start script
Note: set CURRENT_IP to the IP address of the node the script runs on.
```bash
#!/bin/bash
## MinIO start script
# Environment variables
# Installation root (the tree in 1.1); every path below is derived from it
export MINIO_HOME=/opt/minio
# Config directory; the default is ${HOME}/.minio, where MinIO writes config.json
export MINIO_CONFIG_DIR=${MINIO_HOME}/config
# TLS certificate directory:
#   private key  private.key
#   certificate  public.crt
export MINIO_CERTS_DIR=${MINIO_HOME}/certs
# Log directory
export MINIO_LOG_PATH=${MINIO_HOME}/log
# Access credentials: access key
export MINIO_ROOT_USER=minio_admin
# Access credentials: secret key
export MINIO_ROOT_PASSWORD='minio_admin!@#'
# Enable the web console (on by default)
export MINIO_BROWSER=on
# Passphrase of the encrypted private key (see create_cert.sh in 1.3)
export MINIO_CERT_PASSWD='admin123!@#'
# Domain for bucket access; path-style http://mydomain.com/bucket/object is the default
export MINIO_DOMAIN=test_minio.com
# IPs of the cluster nodes
export MINIO_HOST_1=192.168.8.109
export MINIO_HOST_2=192.168.8.120
export CURRENT_IP=$MINIO_HOST_2
# 39000 is the S3 API port, 9000 the web console port
# Start MinIO. The endpoint URLs carry no port; MinIO fills in the port from --address (39000).
nohup ${MINIO_HOME}/bin/minio server \
    --config-dir ${MINIO_CONFIG_DIR} \
    --certs-dir ${MINIO_CERTS_DIR} \
    --address ${CURRENT_IP}:39000 --console-address ":9000" \
    https://${MINIO_HOST_1}${MINIO_HOME}/data1 https://${MINIO_HOST_1}${MINIO_HOME}/data2 \
    https://${MINIO_HOST_2}${MINIO_HOME}/data1 https://${MINIO_HOST_2}${MINIO_HOME}/data2 \
    >> ${MINIO_LOG_PATH}/minio.log 2>&1 &
```
- stop.sh stop script
```bash
#!/bin/bash
## MinIO stop script
# Match only the MinIO server process. A plain 'ps -ef | grep minio' would also match
# this script itself (its path contains "minio") and kill it before the check below runs.
pids=$(pgrep -f '/opt/minio/bin/minio server')
if [ -z "${pids}" ]; then
    echo "minio service is not running."
    exit 0
fi
# SIGTERM lets MinIO close client connections and exit cleanly
kill ${pids}
if [ $? -ne 0 ]; then
    echo "minio service stop failed."
    exit 1
fi
```
1.3 Generate the HTTPS certificate files (see the official English docs, 3.2.2 "Generate a private key with RSA")
Because the MinIO cluster here is 2 nodes with 2 disks each, the IP SAN entries of the certificate are the local IP and the other node's IP, and the DNS entry is the node's gateway address or the domain name.
create_cert.sh is the certificate generation script; while it runs you enter the domain, certificate path, certificate password and the other node's IP.
```bash
#!/bin/bash
# Generates the PEM certificate files
# Usage: sh create_cert.sh
set -e
# Read a parameter from the terminal into the named variable
function read_input() {
    read -p "please input $1 param: " $2
}
# Collect the input parameters
function init_input_param() {
    read_input "cert domain" "DOMAIN"
    read_input "cert path" "CERT_PATH"
    read_input "cert password" "PASSWORD"
    read_input "peer ip" "PEER_IP"
    # Local IP: address of the first interface in state UP
    readonly IP=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | awk -F"/" '{print $1}')
    # Default gateway address, used as the DNS SAN entry
    readonly DNS=$(ip route show default | awk '{print $3; exit}')
}
# Write openssl.conf
function generate_openssl_config() {
    cat > ${CERT_PATH}/openssl.conf <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CN
ST = VA
L = Somewhere
O = MyOrg
OU = MyOU
CN = ${DOMAIN}
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
IP.2 = ${IP}
IP.3 = ${PEER_IP}
DNS.1 = ${DNS}
DNS.2 = ${DOMAIN}
EOF
}
# Generate the private key with openssl
function generate_private_key() {
    # 2048-bit RSA key, encrypted with the password
    openssl genrsa -aes256 -passout pass:${PASSWORD} -out ${CERT_PATH}/private-pkcs8.key 2048
    # Convert to the traditional PKCS#1 encrypted PEM form; that is the form MinIO
    # can decrypt with MINIO_CERT_PASSWD (newer OpenSSL writes PKCS#8 by default)
    openssl rsa -passin pass:${PASSWORD} -in ${CERT_PATH}/private-pkcs8.key -aes256 -passout pass:${PASSWORD} -out ${CERT_PATH}/private.key
}
# Generate the self-signed certificate from that key
function generate_self_sign_cert() {
    # -key reuses private.key; -keyout would generate a fresh unencrypted key and overwrite it
    openssl req -new -x509 -days 730 -key ${CERT_PATH}/private.key -passin pass:${PASSWORD} -out ${CERT_PATH}/public.crt -config ${CERT_PATH}/openssl.conf
}
# Clean up intermediate files
function clean() {
    rm -f ${CERT_PATH}/openssl.conf
    rm -f ${CERT_PATH}/private-pkcs8.key
}
# Main flow
function main() {
    init_input_param
    generate_openssl_config
    generate_private_key
    generate_self_sign_cert
    clean
}
main
```
Run `sh create_cert.sh` and enter the parameters as shown in the figure:
1.4 Verify the MinIO distributed cluster
Run the following commands to register the system service and start it:
```bash
mv /opt/minio/run/minio.service /etc/systemd/system/
chmod 755 /etc/systemd/system/minio.service
chmod 755 /opt/minio/run/*
# Reload unit files
systemctl daemon-reload
# Start minio.service at boot
systemctl enable minio.service
# Start the service
systemctl start minio.service
```
Log in to the console from a web browser: https://192.168.8.109:9000/login
Check the minio.log log file.
If step 1.4 fails, run the following commands on all nodes to clean up the environment, then retry.
```bash
# This wipes every object stored on the node; use it only on a fresh cluster that failed to start
rm -rf /opt/minio/log/*
rm -rf /opt/minio/data1
rm -rf /opt/minio/data2
rm -rf /opt/minio/config
mkdir -p /opt/minio/data1
mkdir -p /opt/minio/data2
mkdir -p /opt/minio/config
systemctl start minio
```
1.5 FAQ
1.5.1 Error: x509: cannot validate certificate for 192.168.8.109 because it doesn't contain any IP SANs
```text
API: SYSTEM()
Time: 13:13:42 UTC 03/06/2022
Error: Read failed. Insufficient number of disks online (*errors.errorString)
       5: cmd/prepare-storage.go:266:cmd.connectLoadInitFormats()
       4: cmd/prepare-storage.go:326:cmd.waitForFormatErasure()
       3: cmd/erasure-server-pool.go:91:cmd.newErasureServerPools()
       2: cmd/server-main.go:640:cmd.newObjectLayer()
       1: cmd/server-main.go:491:cmd.serverMain()
Waiting for a minimum of 2 disks to come online (elapsed 52s)
Unable to read 'format.json' from https://192.168.8.109:39000/opt/minio/data1: Post "https://192.168.8.109:39000/minio/storage/opt/minio/data1/v43/readall?disk-id=&file-path=format.json&volume=.minio.sys": x509: cannot validate certificate for 192.168.8.109 because it doesn't contain any IP SANs
Unable to read 'format.json' from https://192.168.8.109:39000/opt/minio/data2: Post "https://192.168.8.109:39000/minio/storage/opt/minio/data2/v43/readall?disk-id=&file-path=format.json&volume=.minio.sys": x509: cannot validate certificate for 192.168.8.109 because it doesn't contain any IP SANs
```
Cause: the IP entries in the certificate's SANs were wrong when the certificate was generated.
Fix: check the machine's IP with `ip addr`, fill in the correct SAN entries and regenerate the certificate.
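Two things the post leaves to hand-editing are worth checking on each node before `systemctl start`: that CURRENT_IP in start.sh really is one of the cluster hosts, and that public.crt carries a SAN for every node IP and for the domain, which is exactly what the "doesn't contain any IP SANs" error above reports. The script below is an added example, not code from the original post or from MinIO; its function names are its own and it assumes the `ip` and `openssl` command-line tools are installed.

```bash
#!/bin/bash
# Pre-flight check for the two-node cluster above, run on each node before 'systemctl start'.
# Function names are this example's own; it needs the 'ip' and 'openssl' CLIs.
# Pick the one cluster host that is also a local address, so CURRENT_IP need not be hand-edited.
# $1: whitespace-separated local IPs, $2: whitespace-separated cluster host IPs. Prints the match.
pick_local_ip() {
    local locals="$1" hosts="$2" host addr found=""
    for host in $hosts; do
        for addr in $locals; do
            [ "$addr" = "$host" ] || continue
            [ -z "$found" ] || { echo "ambiguous: $found and $host" >&2; return 1; }
            found=$host
        done
    done
    [ -n "$found" ] || { echo "no cluster host matches a local address" >&2; return 1; }
    echo "$found"
}
# Check that every required entry is present in a subjectAltName line as printed by
# 'openssl x509 -text'. $1: that line; remaining args: IP:<addr> or DNS:<name>.
san_has_all() {
    local san="${1#"${1%%[![:space:]]*}"}"; shift    # strip leading whitespace
    local rc=0 entry pattern
    for entry in "$@"; do
        case "$entry" in
            IP:*)  pattern="IP Address:${entry#IP:}" ;;
            DNS:*) pattern="DNS:${entry#DNS:}" ;;
            *)     echo "bad entry: $entry" >&2; return 2 ;;
        esac
        # Match whole entries, so 192.168.8.10 cannot satisfy a check for 192.168.8.109
        case ", ${san}," in
            *", ${pattern},"*) ;;
            *) echo "missing SAN: ${pattern}"; rc=1 ;;
        esac
    done
    return $rc
}
# Run both checks on the real host.
# Usage: preflight /opt/minio/certs/public.crt test_minio.com 192.168.8.109 192.168.8.120
preflight() {
    local cert="$1" domain="$2"; shift 2             # remaining args: cluster host IPs
    local locals san host required=""
    locals=$(ip -4 -o addr show up | awk '{split($4, a, "/"); print a[1]}')
    CURRENT_IP=$(pick_local_ip "$locals" "$*") || return 1
    san=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1)
    [ -n "$san" ] || { echo "no subjectAltName in $cert"; return 1; }
    for host in "$@"; do required="$required IP:$host"; done
    san_has_all "$san" $required "DNS:$domain" && echo "node $CURRENT_IP: certificate covers all cluster SANs"
}
```

`preflight` exits non-zero and names the missing SAN entry, so it can be placed in front of the `nohup` line in start.sh to refuse to bring up a node whose certificate would trip the error in 1.5.1.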