1【建立目录】
# Create the directory for the MinIO binary and start script, the config
# directory, and the four data directories used by each node.
mkdir -p /opt/minio/run \
  && mkdir -p /etc/minio \
  && mkdir -p /miniodata/data{1,2,3,4}
2【集群启动脚本】
vim /opt/minio/run/run.sh
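#!/bin/bash
# Start one node of the four-node MinIO cluster; minio.service runs this script.
#
# minioadmin/minioadmin are MinIO's publicly documented default credentials.
# Use them only for the first bring-up on a trusted network and replace them
# before ports 9000-9001 are reachable by anyone else.
# NOTE(review): newer MinIO releases name these variables MINIO_ROOT_USER and
# MINIO_ROOT_PASSWORD; check which names the release in use expects.
export MINIO_ACCESS_KEY=minioadmin
export MINIO_SECRET_KEY=minioadmin

# exec: minio replaces this shell, so systemd supervises and signals minio itself.
# >>:   append to the log, so the output of a crashed run is still there after
#       Restart=on-failure starts the next one ('>' would truncate it each time).
# The endpoints are plain http://, so credentials and object data cross the
# network unencrypted until TLS is configured.
exec /opt/minio/run/minio server \
  --config-dir /etc/minio \
  --address ':9001' \
  --console-address ':9000' \
  http://172.16.163.180/miniodata/{data1,data2,data3,data4} \
  http://172.16.163.181/miniodata/{data1,data2,data3,data4} \
  http://172.16.163.182/miniodata/{data1,data2,data3,data4} \
  http://172.16.163.183/miniodata/{data1,data2,data3,data4} \
  >> /opt/minio/run/minio.log 2>&1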
3【minio.service】
vim /usr/lib/systemd/system/minio.service
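[Unit]
Description=Minio service
Documentation=https://docs.minio.io/
# A distributed MinIO node has to reach its peers, so start only once the
# network is up.
Wants=network-online.target
After=network-online.target

[Service]
# NOTE(review): no User= is set, so run.sh and minio run as root and a
# compromise of the MinIO process is a compromise of the host. A dedicated
# unprivileged account would limit that, but it would need to own the data
# directories, the log file and the certificate directory used elsewhere in
# this guide.
WorkingDirectory=/opt/minio/run/
ExecStart=/opt/minio/run/run.sh
Restart=on-failure
RestartSec=5
# The server does not need to gain privileges through setuid/setgid binaries.
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target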
4【修改文件权限】
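# A unit file is configuration, not a program: systemd logs a warning when one
# is marked executable, so keep it at 644 instead of adding +x.
chmod 644 /usr/lib/systemd/system/minio.service \
  && chmod 755 /opt/minio/run/minio \
  && chmod 700 /opt/minio/run/run.sh
# run.sh contains the MinIO credentials and the unit above starts it as root
# (no User= is set), so 700 keeps the secret unreadable for other local users.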
5【开防火墙端口】
# Permanently allow TCP 9000-9001 (MinIO console and S3 API) in the public
# zone, then reload firewalld so the permanent rule becomes active.
# Both ports become reachable from every source that zone accepts, while the
# cluster is still running with the credentials set in run.sh.
firewall-cmd --permanent --zone=public --add-port=9000-9001/tcp
firewall-cmd --reload
6【复制虚拟机181-183】
7【启动集群】
# Make systemd read the new unit file, start this node now, and register the
# service so it also starts at boot.
systemctl daemon-reload
systemctl start minio.service
systemctl enable minio.service
8【测试集群】
http://172.16.163.180:9000
http://172.16.163.181:9000
http://172.16.163.182:9000
http://172.16.163.183:9000
9【拷贝ssl证书】
上传 SSL 证书到 /root/.minio/certs
private.key public.crt # 必须使用这两个文件名;private.key 是私钥,权限应设为仅属主可读(例如 600)
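# Run from the directory that holds private.key and public.crt.
# Restrict the private key before it is copied anywhere.
chmod 600 private.key

# Name the two files explicitly: the glob `p*` would also send every other
# file in the current directory whose name starts with "p".
for host in 172.16.163.181 172.16.163.182 172.16.163.183; do
  scp private.key public.crt "root@${host}:~/.minio/certs/"
done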
10【run脚本的修改】
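#!/bin/bash
# Start one MinIO node with TLS enabled; minio.service runs this script.
# Change upload1 in --address/--console-address to this node's own number.

# Placeholder only: a real secret must never appear in a published copy of
# this script. Put the real value here on the server and keep the file
# readable by root only.
readonly SECRET_PLACEHOLDER='<REPLACE_WITH_STRONG_SECRET>'

# NOTE(review): newer MinIO releases name these variables MINIO_ROOT_USER and
# MINIO_ROOT_PASSWORD; check which names the release in use expects.
export MINIO_ACCESS_KEY=minioadmin
export MINIO_SECRET_KEY="$SECRET_PLACEHOLDER"

# Refuse to start with the placeholder still in place, so the cluster never
# comes up with a secret that anyone reading this guide knows.
if [[ "$MINIO_SECRET_KEY" == "$SECRET_PLACEHOLDER" ]]; then
  printf 'run.sh: set MINIO_SECRET_KEY to a real secret before starting MinIO\n' >&2
  exit 1
fi

# --certs-dir is passed explicitly; presumably it was not picked up
# automatically because --config-dir moves MinIO's default certs location
# under /etc/minio - confirm against the release in use.
# NOTE(review): --address uses test.org.cn while the endpoints below use
# tpri.org.cn. The names given here must match both the endpoints and the SANs
# of public.crt; confirm which domain is intended.
# The endpoint is quoted so {1...4} (MinIO's own expansion syntax) reaches
# minio unchanged.
# exec: minio replaces this shell, so systemd supervises and signals minio itself.
# >>:   append to the log so output from a crashed run survives the restart.
exec /opt/minio/run/minio server \
  --config-dir /etc/minio \
  --address 'upload1.test.org.cn:9000' \
  --console-address 'upload1.test.org.cn:9001' \
  --certs-dir /root/.minio/certs \
  'https://upload{1...4}.tpri.org.cn/miniodata/data{1...4}' \
  >> /opt/minio/run/minio.log 2>&1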
最重要的几点:一是 --certs-dir 需要手动指定。官方说会自动识别,但在我的环境中并没有,手动指定后才生效。二是为了解决 "x509: cannot validate certificate for xxx.xxx.xxx.xxx because it doesn't contain any IP SANs" 这个错误,--address 和 --console-address 都要手动指定为证书中包含的域名,并在每个节点上改成对应的编号,例如第二个节点写 upload2。三是 DNS 解析要配置好。
11【Nginx负载均衡https】
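# HTTPS load balancer in front of the four MinIO nodes:
#   9000 -> S3 API, 9001 -> web console, 80 -> redirect to HTTPS.
worker_processes 16;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 90;

    # S3 API endpoints of the four nodes.
    upstream minio_server {
        least_conn;
        server upload1.test.org.cn:9000;
        server upload2.test.org.cn:9000;
        server upload3.test.org.cn:9000;
        server upload4.test.org.cn:9000;
    }

    # Web console endpoints of the four nodes.
    upstream minio_console {
        least_conn;
        server upload1.test.org.cn:9001;
        server upload2.test.org.cn:9001;
        server upload3.test.org.cn:9001;
        server upload4.test.org.cn:9001;
    }

    # S3 API over TLS.
    server {
        listen 9000 ssl;
        server_name localhost;

        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and no longer offered.
        # TLSv1.3 needs an nginx built against OpenSSL 1.1.1 or later.
        ssl_protocols TLSv1.2 TLSv1.3;
        # NOTE(review): the certificate files are named for tpri.org.cn while
        # the upstreams use test.org.cn; confirm which domain is intended.
        ssl_certificate /usr/local/nginx/conf/ssl/upload.tpri.org.cn.pem;
        ssl_certificate_key /usr/local/nginx/conf/ssl/upload.tpri.org.cn.key;
        ssl_prefer_server_ciphers on;

        # The original `if ($server_port = 80)` redirect was removed here:
        # this server listens only on 9000, so it could never match.

        location / {
            # nginx does not verify the upstream certificate unless
            # proxy_ssl_verify is on (together with
            # proxy_ssl_trusted_certificate and a matching proxy_ssl_name),
            # so this hop is encrypted but not authenticated.
            proxy_pass https://minio_server;
            # $http_host keeps the port the client used. S3 clients sign the
            # Host header, and $host drops the port, which makes MinIO reject
            # the request signature.
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_next_upstream off;
            proxy_connect_timeout 30;
            proxy_read_timeout 300;
            proxy_send_timeout 300;
        }
    }

    # Plain HTTP on port 80: redirect to HTTPS (same target as the original
    # rewrite, without the `if`).
    # NOTE(review): the redirect goes to the default HTTPS port, and nothing in
    # this file listens on 443; confirm the intended target port.
    server {
        listen 80;
        server_name localhost;
        return 301 https://$host$request_uri;
    }

    # Web console over TLS.
    server {
        listen 9001 ssl;
        server_name localhost;

        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and no longer offered.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_certificate /usr/local/nginx/conf/ssl/upload.tpri.org.cn.pem;
        ssl_certificate_key /usr/local/nginx/conf/ssl/upload.tpri.org.cn.key;
        ssl_prefer_server_ciphers on;

        location / {
            # Upstream TLS is not verified by default; see the API server above.
            proxy_pass https://minio_console;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_next_upstream off;
            proxy_connect_timeout 30;
            proxy_read_timeout 300;
            proxy_send_timeout 300;
        }
    }
}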