In this guide we will learn how to mount a MinIO server that can be used by multiple users.

Follow Civo on Twitter @civocloud

Introduction

By following this guide, you will set up your own version of an Amazon S3-compatible storage service that can be configured to be accessed by multiple users. You can host your MinIO server on any host that you have administrator access to, such as instances on Civo.

Civo offers $50 free credits to new users: Sign up here. This will be enough to run a Medium-sized Instance with 50 GB of local SSD storage for over a month.

Introduction to MinIO

MinIO is a drop-in open-source replacement for Amazon S3 (Simple Storage Service) for backing up files, as a storage back-end for tools such as a container registry, or even to host static websites.

MinIO describes itself as:

The 100% Open Source, Enterprise-Grade, Amazon S3 Compatible Object Storage

For this guide, we will use Civo to host an instance, which will provide a public IP address, where other servers or your project can connect. You will have the option to create a user per server, one user to all servers, or a user per project such as Django to upload all your media and static assets.

Provision your Instance

  • Log into your Civo dashboard
  • Create a Medium Instance and call it minio-cloud.

  • Select Debian 9 for the Operating System, add your SSH key for login, make sure you select the option for a public IP, and keep the default firewall.

Your Instance will be up in around 45 seconds. Once the instance is up we can start.

Install MinIO

Connect via ssh to the IP address of the instance. To prepare for installing MinIO server, first of all we want to create a directory to store all data created by users. We will using /srv/minio/data for our data store. In the instance terminal, run:

$ sudo mkdir -p /srv/minio/data
$ wget https://dl.min.io/server/minio/release/linux-amd64/minio
$ chmod +x minio
$ sudo mv ./minio /usr/local/bin/minio

Then start the MinIO server:

$ sudo minio server /srv/minio/data &

You will see your access key and secret key printed on the console. These are going to be required later on, so take a note of them. You can exit from the server for now by pressing Ctrl-C.

Now we will create a new user called minio-user and give it permissions to the data-store:

$ sudo useradd minio-user
$ sudo chown minio-user -R /srv/minio/data

After this we need to create a file /etc/default/minio, with the content of this file as:

MINIO_VOLUMES="/srv/minio/data"
MINIO_OPTS=""
MINIO_ACCESS_KEY="YOUR-MINIO-ACCESS-KEY-ID"
MINIO_SECRET_KEY="YOUR-MINIO-SECRET-KEY"

The MINIO_ACCESS_KEY and MINIO_SECRET_KEY are the keys you took note of above. These will be the keys to manage the server.

We will use systemd to automatically start the MinIO server when the instance starts, to make sure it is automatically available: First, install curl (or check it is installed):

$ sudo apt install curl -y

Then, get the MinIO service file and place it in the correct directory:

$ cd /etc/systemd/system/ && sudo curl -O https://raw.githubusercontent.com/minio/minio-service/master/linux-systemd/minio.service

The content of the minio.service is this:

[Unit]
Description=minio
Documentation=https://docs.min.io
Wants=network-online.target
After=network-online.target
AssertFileIsExecutable=/usr/local/bin/minio

[Service]
WorkingDirectory=/usr/local/
User=minio-user
Group=minio-user
EnvironmentFile=/etc/default/minio
ExecStart=/usr/local/bin/minio server $MINIO_OPTS $MINIO_VOLUMES

# Let systemd restart this service always
Restart=always

# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536

# Disable timeout logic and wait until process is stopped
TimeoutStopSec=infinity
SendSIGKILL=no

[Install]
WantedBy=multi-user.target

Note: If you want to bind to a port < 1024 with the service running as a regular user, you will need to add bind capability via the AmbientCapabilities directive in the minio.service file:

[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
WorkingDirectory=/usr/local/

Now we can enable the minio service:

$ systemctl enable minio.service

Turn on TLS for Minio

By default, MinIO does not ship with TLS enabled. You can turn on this encryption by following this guide: How to secure access to MinIO server with TLS

Install MinIO Client

MinIO Client (mc) provides a modern alternative to UNIX commands like ls, cat, cp, mirror, diff etc. You can follow this link https://docs.min.io/docs/minio-client-complete-guide and download the client for the Debian instance or your local machine.

Configure the MinIO Client

Now we need to add a host to the client. mc stores all its configuration information in the file ~/.mc/config.json. We are going to add a new host, our instance, to the MinIO mc running on that instance. First we need export the public IP address of the instance, in this exmple 91.211.152.61, which you can easily see on your Civo dashboard or using the CLI tool:

On the instance where you downloaded mc run:

export MINIO_IP="91.211.152.61" # use your instance IP

After we can configure the mc client:

$ sudo mc config host add minio-cloud http://$MINIO_IP:9000 <YOUR-ACCESS-KEY> <YOUR-SECRET-KEY>

The output will be something like this:

$ mc: Configuration written to `/root/.mc/config.json`. Please update your access credentials.
$ mc: Successfully created `/root/.mc/share`.
$ mc: Initialized share uploads `/root/.mc/share/uploads.json` file.
$ mc: Initialized share downloads `/root/.mc/share/downloads.json` file.
$ Added `minio-cloud` successfully.

Now we will create the first storage bucket for the user, in my case I use my username alejandrojnm for the name of the bucket:

$ sudo mc mb minio-cloud/alejandrojnm
Bucket created successfully `minio-cloud/alejandrojnm`.

After this we need to create a file to put all management policies for the user. I have called this file user.json, and you can save it in any place - but remember where you stored it! The contents of the file will be:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutBucketPolicy",
        "s3:GetBucketPolicy",
        "s3:DeleteBucketPolicy",
        "s3:ListAllMyBuckets",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::alejandrojnm"
      ],
      "Sid": ""
    },
    {
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::alejandrojnm/*"
      ],
      "Sid": ""
    }
  ]
}

To learn more about the policy you can read this. Now we can add the policy to our MinIO server and we do it this way:

$ sudo mc admin policy add minio-cloud user /path-to-the-file/user.json

And to check that all has gone fine, you can run this command:

$ sudo mc admin policy info minio-cloud user

Now the part where we create the user:

$ sudo mc admin user add minio-cloud alejandrojnm mypassword

Then we need to apply the policy we created a few steps back:

$ sudo mc admin policy set minio-cloud user user=alejandrojnm

To see if everything is in order we can run this command:

$ sudo mc admin user list minio-cloud --json

And we can see something like this, in the result:

{
 "status": "success",
 "accessKey": "alejandrojnm",
 "policyName": "user",
 "userStatus": "enabled"
}

Install mc on Other Server(s)

So far so good, now we'll configure the client with this new user, which is the same as we’ve done so far in "Install" and "Configure the MinIO mc Client", but on a new server such as on your local machine.

You could also use the user and password in programs such as Transmit, or even in web apps like Django, or like in this guide written by Alex Ellis, in Restic for running back-ups.

For now we'll add a new host to the MinIO client, on the new host.

$ sudo mc config host add minio-cloud http://$MINIO_IP:9000 alejandrojnm mypassword

Now, if you visit the web UI of MinIO (navigating your browser to the IP address of the instance on port 9000), you will only see your bucket. If you use any client or mc you will only see your bucket. You can run this to check:

$ sudo mc ls minio-cloud/alejandrojnm

In this way you could have many different and private users with buckets between them, you could use it for company projects, as well as keep project files separate and private. By adding multiple people to the same bucket, each user will have access to the same files.

This process of adding policy and user creation can also be automated using the MinIO API, which is available for many languages.

Need help?

Civo prides itself on being a cloud platform for developers, run by developers who can provide technical support and expert help via Intercom and the community forums.

Next steps