Updates for MinIO RELEASE.2023-04-07T05-28-58Z (#823)

- Adds new environment variable for ILM expiration workers - Adds new metrics for locks - Adds keyrotate batch job type - Adds info about batch replicate from remote to local Closes #806 Staged: http://192.241.195.202:9000/staging/minio-2023-04-07/administration/batch-framework.html
2025-07-30 07:03:26 +03:00 · 2023-05-01 16:42:13 -05:00
parent 101ad648dd
commit 363e688617
8 changed files with 198 additions and 11 deletions
--- a/source/administration/batch-framework.rst
+++ b/source/administration/batch-framework.rst
@ -40,6 +40,9 @@ The MinIO Batch Framework supports the following job types:
   * - ``replicate``
     - Perform a one-time replication procedure from one MinIO location to another MinIO location.

+   * - ``keyrotate``
+     - Perform a one-time process to cycle the :ref:`sse-s3 or sse-kms <minio-sse-data-encryption>` cryptographic keys on objects.
+
 MinIO Batch CLI
 ---------------

@ -84,10 +87,16 @@ Job Types
 Replicate
 ~~~~~~~~~

-Use the ``replicate`` job type to create a batch job that replicates objects from the local MinIO deployment to another MinIO location.
+Use the ``replicate`` job type to create a batch job that replicates objects from one MinIO deployment to another MinIO location.
+At least one of the deployment locations, either the source or the target, must be ``local``.
 The definition file can limit the replication by bucket, prefix, and/or filters to only replicate certain objects.

-For example, you can use a batch job to perform a one-time replication sync of objects from ``minio-alpha/invoices/`` to ``minio-baker/invoices``.
+.. versionchanged:: MinIO RELEASE.2023-04-07T05-28-58Z
+
+   You can replicate from a remote MinIO deployment to the local deployment that runs the batch job.
+
+For example, you can use a batch job to perform a one-time replication sync to push objects from a bucket on a local deployment at ``minio-local/invoices/`` to a bucket on a remote deployment at ``minio-remote/invoices``.
+You can also pull objects from the remote deployment at ``minio-remote/invoices`` to the local deployment at ``minio-local/invoices``.

 The advantages of Batch Replication over :mc:`mc mirror` include:

@ -106,4 +115,22 @@ Sample YAML Description File for a ``replicate`` Job Type
 Create a basic ``replicate`` job definition file you can edit with :mc:`mc batch generate`.

 .. literalinclude:: /includes/code/replicate.yaml
-   :language: yaml
+   :language: yaml
+
+Key Rotate
+~~~~~~~~~~
+
+.. versionadded:: MinIO RELEASE.2023-04-07T05-28-58Z
+
+Use the ``keyrotate`` job type to create a batch job that cycles the :ref:`sse-s3 or sse-kms keys <minio-sse-data-encryption>` for encrypted objects.
+
+The YAML configuration supports filters to restrict key rotation to  a specific set of objects by creation date, tags, metadata, or kms key.
+You can also define retry attempts or set a notification endpoint and token.
+
+Sample YAML Description File for a ``keyrotate`` Job Type
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+Create a basic ``keyrotate`` job definition file you can edit with :mc:`mc batch generate`.
+
+.. literalinclude:: /includes/code/replicate.yaml
+   :language: yaml
--- a/source/includes/code/keyrotate.yaml
+++ b/source/includes/code/keyrotate.yaml
@ -0,0 +1,37 @@
+keyrotate:
+  apiVersion: v1
+  bucket: bucket
+  prefix: 
+  encryption:
+    type: sse-kms # valid values are sse-s3 and sse-kms
+    
+    # The following encryption values only apply for sse-kms type.
+    # For sse-s3 key types, MinIO uses the key provided by the MINIO_KMS_KES_KEY_FILE environment variable.
+    # The following two values are ignored if type is set to sse-s3.
+    key: my-new-keys2 # valid only for sse-kms
+    context: <new-kms-key-context> # valid only for sse-kms
+
+  # optional flags based filtering criteria
+  flags:
+    filter:
+      newerThan: "84h" # match objects newer than this value (e.g. 7d10h31s)
+      olderThan: "80h" # match objects older than this value (e.g. 7d10h31s)
+      createdAfter: "2023-03-02T15:04:05Z07:00" # match objects created after "date"
+      createdBefore: "2023-03-02T15:04:05Z07:00" # match objects created before "date"
+      tags:
+        - key: "name"
+          value: "pick*" # match objects with tag 'name', with all values starting with 'pick'
+      metadata:
+        - key: "content-type"
+          value: "image/*" # match objects with 'content-type', with all values starting with 'image/'
+      kmskey: "key-id" # match objects with KMS key-id (applicable only for sse-kms)
+  
+  # optional entries to add notifications for the job
+  notify:
+    endpoint: "https://notify.endpoint" # notification endpoint to receive job status events
+    token: "Bearer xxxxx" # optional authentication token for the notification endpoint
+  
+  # optional entries to add retry attempts if the job is interrupted
+  retry:
+    attempts: 10 # number of retries for the job before giving up
+    delay: "500ms" # least amount of delay between each retry
--- a/source/operations/monitoring/metrics-and-alerts.rst
+++ b/source/operations/monitoring/metrics-and-alerts.rst
@ -577,6 +577,21 @@ Software and Process Metrics
   
   Resident memory size in bytes.

+Lock Metrics
+~~~~~~~~~~~~
+
+.. metric:: minio_locks_total
+
+   Total number of current locks on the peer.
+
+.. metric:: minio_locks_write_total
+
+   Number of current WRITE locks on the peer.
+
+.. metric:: minio_locks_read_total
+
+   Number of current READ locks on the peer.
+
 .. toctree::
   :titlesonly:
   :hidden:
--- a/source/operations/server-side-encryption.rst
+++ b/source/operations/server-side-encryption.rst
@ -1,3 +1,5 @@
+.. _minio-sse-data-encryption:
+
 =====================
 Data Encryption (SSE)
 =====================
--- a/source/reference/minio-mc-admin/mc-admin-rebalance.rst
+++ b/source/reference/minio-mc-admin/mc-admin-rebalance.rst
@ -28,7 +28,7 @@ Rebalancing redistributes objects across all pools in the deployment.
 .. end-mc-admin-rebalance-desc

 MinIO does not automatically rebalance objects when adding a new server pool.
-Instead, MinIO ref:`writes new objects <minio-writing-files>` to the pool with relatively more free space compared to the other available pools on the deployment.
+Instead, MinIO :ref:`writes new objects <minio-writing-files>` to the pool with relatively more free space compared to the other available pools on the deployment.
 Triggering a manual rebalancing procedure prompts MinIO to scan the entire deployment and move objects as necessary to achieve a similar available free space across all pools.

 This is an expensive and time consuming operation.
--- a/source/reference/minio-mc/mc-batch-generate.rst
+++ b/source/reference/minio-mc/mc-batch-generate.rst
@ -74,7 +74,7 @@ Parameters
   
   The type of job to generate a YAML document for.
   
-   Currently, :mc:`mc batch` only supports the ``replicate`` job type.
+   Currently, :mc:`mc batch` supports the ``replicate`` and ``keyrotate`` job types.


 Global Flags
@ -101,7 +101,7 @@ The following command generates a YAML blueprint for a replicate type batch job

 - Replace ``replicate`` with the type of job to generate a yaml file for.
 
-  At the time of release, :mc:``mc batch`` only supports the ``replicate`` job type. 
+  :mc:``mc batch`` supports the ``replicate`` and ``keyrotate`` job types. 


 S3 Compatibility
@ -123,7 +123,11 @@ Job Types
  Replicate objects between two MinIO deployments.
  Provides similar functionality to :ref:`bucket replication <minio-bucket-replication>` as a batch job rather than continual scanning function.

-MinIO may add more job types in the future.
+- ``keyrotate``
+
+  .. versionadded:: MinIO RELEASE.2023-04-07T05-28-58Z 
+  
+  Rotate the sse-s3 or sse-kms keys for objects at rest on a MinIO deployment.

 ``replicate``
 ~~~~~~~~~~~~~
@ -131,8 +135,13 @@ MinIO may add more job types in the future.
 Use the ``replicate`` job type to create a batch job that replicates objects from the local MinIO deployment to another MinIO location.

 The YAML **must** define the source and target deployments.
+If the _source_ deployment is remote, then the _target_ deployment **must** be ``local``.
 Optionally, the YAML can also define flags to filter which objects replicate, send notifications for the job, or define retry attempts for the job.

+.. versionchanged:: MinIO RELEASE.2023-04-07T05-28-58Z
+
+   You can replicate from a remote MinIO deployment to the local deployment that runs the batch job.
+
 For the **source deployment**

 - Required information
@ -156,7 +165,8 @@ For the **source deployment**
       - The prefix on the object(s) that should replicate.

     * - ``endpoint:`` 
-       - | Location of the source deployment, must be ``local``.
+       - | Location of the source deployment.
+         | If the location is not remote, use ``local``.

     * - ``credentials:`` 
       - The ``accesskey:`` and ``secretKey:`` or the ``sessionToken:`` that grants access to the object(s).
@ -186,6 +196,7 @@ For the **target deployment**
     * - ``endpoint:`` 
       - | The location of the source deployment.
         | If the location is not remote, use ``local``.
+         | If the location of the source is remote, the source for target **must** be ``local``. 

     * - ``credentials:`` 
       - The ``accesskey`` and ``secretKey`` or the ``sessionToken`` that grants access to the object(s).
@ -245,3 +256,93 @@ Sample YAML

 .. literalinclude:: /includes/code/replicate.yaml
   :language: yaml
+
+``keyrotate``
+~~~~~~~~~~~~~
+
+.. versionadded:: MinIO RELEASE.2023-04-07T05-28-58Z 
+
+Use the ``keyrotate`` job type to create a batch job that cycles the :ref:`sse-s3 or sse-kms keys <minio-sse-data-encryption>` for encrypted objects.
+
+Required information
++++++++++++++++++++
+
+  .. list-table::
+     :widths: 25 75
+     :width: 100%
+
+     * - ``type:`` 
+       - Either ``sse-s3`` or ``sse-kms``.
+     * - ``key:`` 
+       - Only for use with the ``sse-kms`` type. 
+         The key to use to unseal the key vault.
+     * - ``context:``
+       - Only for use with the ``sse-kms`` type.
+         The context within which to perform actions. 
+
+   
+Optional information
++++++++++++++++++++
+
+For **flag based filters**
+
+.. list-table::
+   :widths: 25 75
+   :width: 100%
+
+   * - ``newerThan:`` 
+     - A string representing a length of time in ``#d#h#s`` format.
+       
+       Keys rotate only for objects newer than the specified length of time.
+       For example, ``7d``, ``24h``, ``5d12h30s`` are valid strings.
+   * - ``olderThan:`` 
+     - A string representing a length of time in ``#d#h#s`` format.
+       
+       Keys rotate only for objects older than the specified length of time.
+   * - ``createdAfter:`` 
+     - A date in ``YYYY-MM-DD`` format.
+  
+       Keys rotate only for objects created after the date.
+   * - ``createdBefore:`` 
+     - A date in ``YYYY-MM-DD`` format.
+       
+       Keys rotate only for objects created prior to the date.
+   * - ``tags:``
+     - Rotate keys only for objects with tags that match the specified ``key:`` and ``value:``.  
+   * - ``metadtaa:``
+     - Rotate keys only for objects with metadata that match the specified ``key:`` and ``value:``.  
+   * - ``kmskey:``
+     - Rotate keys only for objects with a KMS key-id that match the specified value.  
+       This is only applicable for the ``sse-kms`` type. 
+
+For **notifications**
+
+.. list-table::
+   :widths: 25 75
+   :width: 100%
+
+   * - ``endpoint:`` 
+     - The predefined endpoint to send events for notifications.
+   * - ``token:`` 
+     - An optional :abbr:`JWT <JSON Web Token>` to access the ``endpoint``.
+
+For **retry attempts**
+
+If something interrupts the job, you can define a maximum number of retry attempts.
+For each retry, you can also define how long to wait between attempts.
+
+.. list-table::
+   :widths: 25 75
+   :width: 100%
+
+   * - ``attempts:`` 
+     - Number of tries to complete the batch job before giving up.
+   * - ``delay:`` 
+     - The amount of time to wait between each attempt.
+
+
+Sample YAML
+++++++++++
+
+.. literalinclude:: /includes/code/keyrotate.yaml
+   :language: yaml
--- a/source/reference/minio-mc/mc-mv.rst
+++ b/source/reference/minio-mc/mc-mv.rst
@ -222,7 +222,7 @@ Parameters
   Recursively move the contents of each bucket or directory
   :mc-cmd:`~mc mv SOURCE` to the :mc-cmd:`~mc mv TARGET` bucket.

-.. mc-cmd:: --storage-class, sc
+.. mc-cmd:: --storage-class
   :optional:

   Set the storage class for the new object(s) on the 
@ -313,7 +313,7 @@ Move Bucket Between S3-Compatible Services
 Move File to S3-Compatible Host with Specific Storage Class
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-Use :mc:`mc mv` with the :mc-cmd:`~mc mv storage-class` option to set
+Use :mc:`mc mv` with the :mc-cmd:`~mc mv --storage-class` option to set
 the storage class on the destination S3-compatible host.

 .. code-block:: shell
@ -321,7 +321,7 @@ the storage class on the destination S3-compatible host.

   mc mv --storage-class CLASS FILEPATH ALIAS/PATH

- Replace :mc-cmd:`CLASS <mc mv storage-class>` with the storage class to 
+- Replace :mc-cmd:`CLASS <mc mv --storage-class>` with the storage class to 
  associate to the files.

 - Replace :mc-cmd:`FILEPATH <mc mv SOURCE>` with the full file path to the
--- a/source/reference/minio-server/minio-server.rst
+++ b/source/reference/minio-server/minio-server.rst
@ -222,6 +222,11 @@ Core Configuration

   Specifies the full path to the file the MinIO server process uses for loading environment variables.

+.. envvar:: MINIO_ILM_EXPIRY_WORKERS
+
+   Specifies the number of workers to make available to expire objects configured with ILM rules for expiration.
+   When not set, MinIO defaults to using up to half of the available processing cores available.
+
 Root Credentials
 ~~~~~~~~~~~~~~~~