From f54bc44a48ef5e2ff42702541cbefe72e6135c0c Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Thu, 4 May 2023 17:37:34 -0500
Subject: [PATCH 1/2] minio: Install and configure MinIO

[MinIO][0] is an S3-compatible object storage server. It is designed to provide storage for cloud-native applications for on-premises deployments. MinIO has not been packaged for Fedora (yet?). As such, the best way to deploy it is usining its official container image. Here, we are using `podman-systemd-generator` (Quadlet) to generate a systemd service unit to manage the container process.
---
minio.yml | 3 +
roles/minio/defaults/main.yml | 6 ++
roles/minio/handlers/main.yml | 8 ++
roles/minio/tasks/deploy.yml | 107 +++++++++++++++++++++++
roles/minio/tasks/install.yml | 11 +++
roles/minio/tasks/main.yml | 7 ++
roles/minio/templates/minio.container.j2 | 34 +++++++
roles/minio/templates/minio.env.j2 | 4 +
8 files changed, 180 insertions(+)
create mode 100644 minio.yml
create mode 100644 roles/minio/defaults/main.yml
create mode 100644 roles/minio/handlers/main.yml
create mode 100644 roles/minio/tasks/deploy.yml
create mode 100644 roles/minio/tasks/install.yml
create mode 100644 roles/minio/tasks/main.yml
create mode 100644 roles/minio/templates/minio.container.j2
create mode 100644 roles/minio/templates/minio.env.j2

diff --git a/minio.yml b/minio.yml
new file mode 100644
index 0000000..1221611
--- /dev/null
+++ b/minio.yml
@@ -0,0 +1,3 @@
+- hosts: minio
+ roles:
+ - minio
diff --git a/roles/minio/defaults/main.yml b/roles/minio/defaults/main.yml
new file mode 100644
index 0000000..e3f82bc
--- /dev/null
+++ b/roles/minio/defaults/main.yml
@@ -0,0 +1,6 @@
+minio_version: latest
+minio_container_image: quay.io/minio/minio
+minio_storage_path: /var/lib/minio
+minio_console_address: '[::]:9090'
+minio_root_user: root
+minio_root_password: changeme
diff --git a/roles/minio/handlers/main.yml b/roles/minio/handlers/main.yml
new file mode 100644
index 0000000..7bf2bbd
--- /dev/null
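Review bot: `minio_root_user: root` and `minio_root_password: changeme` in defaults/main.yml give every host in the `minio` group a known administrator credential whenever its per-host vault file is absent, and nothing in the role notices the fallback. Role defaults are the wrong layer for a credential: leave `minio_root_password` undefined here so templating fails loudly, or keep it and have deploy.yml assert it was overridden before the environment file is written. `minio_version: latest` has the same silent-drift character; a pinned release tag makes the deployed version visible in the inventory and turns an upgrade into a reviewable change.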
+++ b/roles/minio/handlers/main.yml
@@ -0,0 +1,8 @@
+- name: reload systemd
+ systemd:
+ daemon_reload: true
+
+- name: restart minio
+ systemd:
+ name: minio
+ state: restarted
diff --git a/roles/minio/tasks/deploy.yml b/roles/minio/tasks/deploy.yml
new file mode 100644
index 0000000..0cda700
--- /dev/null
+++ b/roles/minio/tasks/deploy.yml
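Review bot: `restart minio` only works after `reload systemd` has run, because the Quadlet `.container` file becomes `minio.service` only once the generator is re-run by `daemon-reload`, and that ordering is currently carried solely by the definition order of the two handlers. Adding `daemon_reload: true` to the `restart minio` handler makes it self-contained, so a future task that notifies only the restart after a unit change still succeeds. Naming the unit `minio.service` here, as the start task in deploy.yml does, would also keep the two consistent.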
@@ -0,0 +1,107 @@
+- name: load minio secrets
+ include_vars: '{{ item }}'
+ with_first_found:
+ - files:
+ - vault/minio/{{ inventory_hostname }}
+ skip: true
+ tags:
+ - always
+
+- name: ensure minio group exists
+ group:
+ name: minio
+ gid: 224
+ system: true
+ state: present
+ tags:
+ - user
+ - group
+- name: ensure minio user exists
+ user:
+ name: minio
+ uid: 224
+ group: minio
+ system: true
+ state: present
+ tags:
+ - user
+ - group
+
+- name: ensure minio storage path exists
+ file:
+ path: '{{ minio_storage_path }}'
+ owner: minio
+ group: minio
+ mode: u=rwx,go=
+ state: directory
+ tags:
+ - datadir
+
+- name: ensure minio certs directory exists
+ file:
+ path: /etc/minio/certs
+ owner: root
+ group: minio
+ mode: u=rwx,g=rx,o=
+ setype: container_file_t
+ state: directory
+ tags:
+ - cert
+- name: ensure minio server certificate is present
+ copy:
+ src: '{{ item }}'
+ dest: /etc/minio/certs/public.crt
+ owner: root
+ group: minio
+ mode: u=rw,g=r,o=
+ setype: container_file_t
+ with_fileglob: certs/minio/{{ inventory_hostname }}.cer
+ tags:
+ - cert
+- name: ensure minio server private key is present
+ copy:
+ src: '{{ item }}'
+ dest: /etc/minio/certs/private.key
+ owner: root
+ group: minio
+ mode: u=rw,g=r,o=
+ setype: container_file_t
+ diff: false
+ with_fileglob: certs/minio/{{ inventory_hostname }}.key
+ tags:
+ - cert
+
+- name: ensure minio environment is configured
+ template:
+ src: minio.env.j2
+ dest: /etc/sysconfig/minio
+ owner: root
+ group: root
+ mode: u=rw,go=
+ notify:
+ - restart minio
+ tags:
+ - config
+
+- name: ensure minio.container systemd unit exists
+ template:
+ src: minio.container.j2
+ dest: /etc/containers/systemd/minio.container
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload systemd
+ - restart minio
+ tags:
+ - systemd
+
+- name: flush_handlers
+ meta: flush_handlers
+
+- name: ensure minio.service is running
+ systemd:
+ name: minio.service
+ state: started
+ tags:
+ - service
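Review bot: The `load minio secrets` task uses `with_first_found` with `skip: true`, so a host with no `vault/minio/<hostname>` file carries on with the role's default `root`/`changeme` credentials, and the two `with_fileglob` cert tasks likewise do nothing when the glob matches no file — as far as I know MinIO then falls back to a plain HTTP listener — all without a single failed task. An `assert` task placed after the include, `assert: { that: minio_root_password != 'changeme' }`, makes the missing vault file a failed play instead of a silently exposed service. The private-key copy sets `diff: false`, but the `ensure minio environment is configured` template task does not, so a `--diff` run prints the rendered `/etc/sysconfig/minio` including `MINIO_ROOT_PASSWORD`; add `diff: false` there as well, and consider `no_log: true` on the `include_vars` task, since I believe the loaded variables are echoed in the task result under `-v`.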
diff --git a/roles/minio/tasks/install.yml b/roles/minio/tasks/install.yml
new file mode 100644
index 0000000..251c5ee
--- /dev/null
+++ b/roles/minio/tasks/install.yml
@@ -0,0 +1,11 @@
+- name: ensure podman is installed
+ package:
+ name:
+ - container-selinux
+ - podman
+ state: present
+
+- name: ensure minio container image is present
+ podman_image:
+ name: '{{ minio_container_image }}:{{ minio_version }}'
+ state: present
diff --git a/roles/minio/tasks/main.yml b/roles/minio/tasks/main.yml
new file mode 100644
index 0000000..116a863
--- /dev/null
+++ b/roles/minio/tasks/main.yml
@@ -0,0 +1,7 @@
+- block:
+ - import_tasks: install.yml
+ tags:
+ - install
+ - import_tasks: deploy.yml
+ tags:
+ - minio
diff --git a/roles/minio/templates/minio.container.j2 b/roles/minio/templates/minio.container.j2
new file mode 100644
index 0000000..ff05f33
--- /dev/null
+++ b/roles/minio/templates/minio.container.j2
@@ -0,0 +1,34 @@
+[Unit]
+Description=MinIO Object Storage
+Wants=network.target
+After=network.target
+
+[Container]
+Image={{ minio_container_image }}:{{ minio_version }}
+Exec=server /data --certs-dir /certs
+User=224
+Group=224
+EnvironmentFile=/etc/sysconfig/minio
+Volume={{ minio_storage_path }}:/data:rw,Z
+Volume=/etc/minio/certs:/certs:ro,z
+Network=host
+NoNewPrivileges=yes
+
+[Service]
+MemoryDenyWriteExecute=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectHome=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/var/lib/containers/storage
+ReadWritePaths={{ minio_storage_path }}
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/minio/templates/minio.env.j2 b/roles/minio/templates/minio.env.j2
new file mode 100644
index 0000000..c30c72d
--- /dev/null
+++ b/roles/minio/templates/minio.env.j2
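Review bot: `podman_image` with `state: present` does not re-pull a tag that already exists locally, so the `latest` default from defaults/main.yml is frozen at whatever each host pulled on its first run, and two hosts in the group can quietly run different builds with no record of which. Pinning a release tag in `minio_version` makes an upgrade an explicit inventory change, and an image reference carrying a digest (`@sha256:…`) additionally verifies that what was pulled is what was reviewed. Since a change to `minio_version` already re-renders the unit and restarts the service through the handlers, pinning costs nothing operationally.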
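Review bot: `Volume=/etc/minio/certs:/certs:ro,z` uses the shared `z` relabel for the directory that holds the TLS private key, while the data volume uses the private `Z` label; `Z` assigns the mount an MCS category only this container can read, so `Volume=/etc/minio/certs:/certs:ro,Z` is the tighter choice, and the `setype: container_file_t` already applied by the deploy tasks makes either relabel harmless. `Network=host` places MinIO in the host network namespace, which gives away the isolation the long [Service] hardening list otherwise builds up; if it is only there so the console can bind `[::]:9090`, `PublishPort=` for the API and console ports would keep a separate namespace — I am assuming host networking is not required for some other reason. The unit also sets no `Restart=`, so a crashed MinIO stays down until something else restarts it, which matters for a backup target.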
@@ -0,0 +1,4 @@
+MINIO_ROOT_USER={{ minio_root_user }}
+MINIO_ROOT_PASSWORD={{ minio_root_password }}
+
+MINIO_CONSOLE_ADDRESS={{ minio_console_address }}

From a3ea838cac41caa4532449151a0e2eede2223e21 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Thu, 4 May 2023 17:38:02 -0500
Subject: [PATCH 2/2] burp-server: Deploy MinIO

We're going to run MinIO on the BURP server to provide a backup target for the [Postgres Operator][0]/[WAL-E][1]. Although the Postgres Operator also supports backups via [WAL-G][2], which supports more backup targets like SFTP, the operator does not support restoring from those targets. As such, the best way to get fully-featured backups for the Postgres Operator, including environment cloning, etc., is to use S3. Since I absolutely do not want to store my backups "in the cloud," using MinIO seems a decent alternative. Running it on the BURP server allows the backups to be stored and rotated along with regular system backups.

[0]: https://github.com/zalando/postgres-operator/
[1]: https://github.com/wal-e/wal-e
[2]: https://github.com/wal-g/wal-g
---
certs/minio/burp1.pyrocufflink.blue.cer | 1 +
certs/minio/burp1.pyrocufflink.blue.key | 1 +
host_vars/burp1.pyrocufflink.blue.yml | 2 ++
hosts | 3 +++
vault/minio/burp1.pyrocufflink.blue | 10 ++++++++++
5 files changed, 17 insertions(+)
create mode 120000 certs/minio/burp1.pyrocufflink.blue.cer
create mode 120000 certs/minio/burp1.pyrocufflink.blue.key
create mode 100644 vault/minio/burp1.pyrocufflink.blue

diff --git a/certs/minio/burp1.pyrocufflink.blue.cer b/certs/minio/burp1.pyrocufflink.blue.cer
new file mode 120000
index 0000000..9ebe139
--- /dev/null
+++ b/certs/minio/burp1.pyrocufflink.blue.cer
@@ -0,0 +1 @@
+../lego/_.pyrocufflink.net.crt
\ No newline at end of file
diff --git a/certs/minio/burp1.pyrocufflink.blue.key b/certs/minio/burp1.pyrocufflink.blue.key
new file mode 120000
index 0000000..3253dd8
--- /dev/null
+++ b/certs/minio/burp1.pyrocufflink.blue.key
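Review bot: `MINIO_ROOT_PASSWORD={{ minio_root_password }}` writes the secret into a systemd `EnvironmentFile=` unquoted, so a vault password containing a space, a `#`, a quote character or leading/trailing blanks is truncated or mis-parsed when the unit loads rather than rejected, and the value MinIO sees differs from the one stored in the vault. Quoting the rendered value, `MINIO_ROOT_PASSWORD='{{ minio_root_password }}'`, covers the common cases; systemd still applies its own quoting and escaping rules inside the quotes, so a password containing the chosen quote character needs the same attention, and the same applies to `MINIO_ROOT_USER`.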
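Review bot: The certificate symlink resolves to `../lego/_.pyrocufflink.net.crt`, a wildcard for `pyrocufflink.net`, while the inventory host it is installed for is `burp1.pyrocufflink.blue`; if backup clients reach MinIO by that `.blue` name they will fail hostname verification, and the easy workaround is to switch verification off in the backup tooling, which is worse than no TLS at all. Either point clients at a `.pyrocufflink.net` name for this host or issue a certificate covering the name actually used. The key symlink in the next hunk carries the same name mismatch.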
@@ -0,0 +1 @@
+../lego/_.pyrocufflink.net.key
\ No newline at end of file
diff --git a/host_vars/burp1.pyrocufflink.blue.yml b/host_vars/burp1.pyrocufflink.blue.yml
index 3ac3e4a..89a987b 100644
--- a/host_vars/burp1.pyrocufflink.blue.yml
+++ b/host_vars/burp1.pyrocufflink.blue.yml
@@ -6,3 +6,5 @@ collectd_plugins: # its domain permissive until the problems are identified and resolved # upstream. collectd_selinux_permissive: true
+
+minio_storage_path: /srv/minio
diff --git a/hosts b/hosts
index 53886a0..9665bbf 100644
--- a/hosts
+++ b/hosts
@@ -89,6 +89,9 @@ k8s-node [metricspi] mtrcs0.pyrocufflink.blue +[minio:children] +burp-server + +[motioneye] [named-server:children]
diff --git a/vault/minio/burp1.pyrocufflink.blue b/vault/minio/burp1.pyrocufflink.blue
new file mode 100644
index 0000000..f58772b
--- /dev/null
+++ b/vault/minio/burp1.pyrocufflink.blue
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+62313461666639393836343966373038663838396461353539313837616239376565643533393635
+3663336262643538303934633366636266303032393231650a643036363735653634366363393334
+61353835323163656533613662356235373235303735313862656462623333393863646566666163
+3030623963376631660a656465313765623866376633636136303630343161393833623864623337
+63376363333364343766633363306665363433623332303131626338643633653861363765306234
+35306462306364396263383263363933353330633361623532346563376434313534323539326262
+61616361303563316430616166336433393734383433633237383163326661353833373938616638
+39386532313938353932366565663633613966313566613762653938663331636435353339613038
+6236
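Review bot: The key symlink points at `../lego/_.pyrocufflink.net.key`, a private key stored inside the repository tree, and whether that target is vault-encrypted or kept out of version control is not visible in this patch; the MinIO secrets themselves are correctly committed as an `$ANSIBLE_VAULT` blob, so the wildcard key deserves the same treatment if it is not already getting it. Note that the deploy task copies the key with `group: minio` and `g=r`, which the container needs since it runs as UID/GID 224, so the key's protection on the host rests on that group having no other members.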