- Adds info to the docs about recent changes to LDAP and SFTP authentication
- Adds new config/envvar parameter
- Adds new sftp option for server
- Adds new example for forcing ldap or sa auth to SFTP
- Adds new example for using certificate authority for auth to SFTP

Closes #1240
Closes #1229
Closes #1226
Closes #1208
MinIO Server
The minio server command starts the MinIO server process:
minio server /mnt/disk{1...4}
For examples of deploying minio server on a bare metal environment, see minio-installation.
For examples of deploying minio server on a Kubernetes environment, see Deploying a MinIO Tenant.
Syntax
minio server
Starts the minio server process.
The command has the following syntax:
minio server [FLAGS] HOSTNAME/DIRECTORIES [HOSTNAME/DIRECTORIES..]
The command accepts the following arguments:
HOSTNAME
The hostname of a minio server process.
For standalone deployments, this field is optional. You can start a standalone minio server process with only the minio server DIRECTORIES argument.
For distributed deployments, specify the hostname of each minio server in the deployment. The group of minio server processes represents a single Server Pool.
minio server HOSTNAME supports MinIO expansion notation {x...y} to denote a sequential series of hostnames. MinIO requires sequential hostnames to identify each minio server process in the set.
For example, https://minio{1...4}.example.net expands to:
https://minio1.example.net
https://minio2.example.net
https://minio3.example.net
https://minio4.example.net
You must run the minio server command with the same combination of minio server HOSTNAME and minio server DIRECTORIES on each host in the Server Pool.
Each additional HOSTNAME/DIRECTORIES pair denotes an additional Server Set for the purpose of horizontal expansion of the MinIO deployment. For more information on Server Pools, see Server Pool.
DIRECTORIES
The directories or drives the minio server process uses as the storage backend.
minio server DIRECTORIES supports MinIO expansion notation {x...y} to denote a sequential series of folders or drives. For example, /mnt/disk{1...4} expands to:
/mnt/disk1
/mnt/disk2
/mnt/disk3
/mnt/disk4
The minio server DIRECTORIES path(s) must be empty when first starting the minio process.
The minio server process requires at least 4 drives or directories to enable erasure coding.
Important
MinIO recommends locally-attached drives, where the minio server DIRECTORIES path points to each drive on the host machine. MinIO recommends against using network-attached storage, as network latency reduces performance of those drives compared to locally-attached storage.
For development or evaluation, you can specify multiple logical directories or partitions on a single physical volume to enable erasure coding on the deployment.
For production environments, MinIO does not recommend using multiple logical directories or partitions on a single physical disk. While MinIO supports those configurations, the potential cost savings come at the risk of decreased reliability.
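The expansion notation described above can be previewed before starting the server. The following is an added example, not MinIO's own code: the names expand and enough_for_erasure_coding are hypothetical, and the ordering of results when an argument has more than one range is an assumption of the example.

```python
import itertools
import re

# {x...y} uses three dots; {x..y} with two dots is bash brace expansion instead.
_RANGE = re.compile(r"\{(\d+)\.\.\.(\d+)\}")
MIN_DRIVES_FOR_ERASURE_CODING = 4  # "at least 4 drives or directories" (from the page)


def expand(arg: str) -> list[str]:
    """Expand every {x...y} range in one HOSTNAME/DIRECTORIES argument."""
    ranges = []
    for m in _RANGE.finditer(arg):
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo > hi:
            raise ValueError(f"descending range in {arg!r}")
        ranges.append(range(lo, hi + 1))
    template = _RANGE.sub("{}", arg)
    leftover = _RANGE.sub("", arg)
    if "{" in leftover or "}" in leftover:
        # Catches typos such as {1..4} that the server would not see as a range.
        raise ValueError(f"not {{x...y}} notation: {arg!r}")
    # Assumption of this example: the right-most range varies fastest.
    return [template.format(*combo) for combo in itertools.product(*ranges)]


def enough_for_erasure_coding(arg: str) -> bool:
    """True when the argument expands to at least four drives or directories."""
    return len(expand(arg)) >= MIN_DRIVES_FOR_ERASURE_CODING


if __name__ == "__main__":
    for endpoint in expand("http://server{1...2}/disk{1...4}"):
        print(endpoint)
```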
--address
Binds the minio server process to a specific network address and port number. Specify the address and port as ADDRESS:PORT, where ADDRESS is an IP address or hostname and PORT is a valid and open port on the host system. MinIO supports both IPv4 and IPv6 addressing, provided that the specified addresses are routable and resolvable.
To change the port number for all IP addresses or hostnames configured on the host machine, specify only :PORT where PORT is a valid and open port on the host.
RELEASE.2023-01-02T09-40-09Z
You can configure your hosts file to have MinIO only listen on specific IPs. For example, if the machine's /etc/hosts file contains the following:
127.0.1.1 minioip
127.0.1.2 minioip
A command like the following would listen for API calls on port 9000 on both configured IP addresses.
minio server --address "minioip:9000" ~/miniodirectory
If omitted, minio binds to port 9000 on all configured IPv4 addresses, IPv6 addresses, and hostnames on the host machine.
--console-address
Specifies a static port for the embedded MinIO Console.
Omit to direct MinIO to generate a dynamic port at server startup. The MinIO server outputs the port to the system log.
--ftp
Enable and configure a File Transfer Protocol (FTP) or File Transfer Protocol over SSL/TLS (FTPS) server. Use this flag multiple times to specify an address port, a passive port range of addresses, or a TLS certificate and key as key-value pairs.
Valid keys:
- address, which takes a single port to use for the server, typically 8021
- (Optional) passive-port-range, which restricts the range of potential ports the server can use to transfer data, such as when tight firewall rules limit the port the FTP server can request for the connection
- (Optional) tls-private-key, which takes the path to the user's private key for accessing the MinIO deployment by TLS. Use with tls-public-cert.
- (Optional) tls-public-cert, which takes the path to the certificate for accessing the MinIO deployment by TLS. Use with tls-private-key.
For MinIO deployments with TLS enabled, omit tls-private-key and tls-public-cert to direct MinIO to use the default TLS keys for the MinIO deployment. See minio-tls for more information. You only need to specify a certificate and private key to use a different TLS certificate and key than the MinIO default (for example, to use a different domain).
For example:
minio server http://server{1...4}/disk{1...4} \
--ftp="address=:8021" \
--ftp="passive-port-range=30000-40000" \
--ftp="tls-private-key=path/to/private.key" \
--ftp="tls-public-cert=path/to/public.crt" \
...
--sftp
Enable and configure an SSH File Transfer Protocol (SFTP) server. Use multiple times to specify each desired key-value pair.
The following table lists valid keys.
| Key | Description | Valid values |
|---|---|---|
| address | Port to use for connecting to SFTP. | Any valid port number, typically 8022. |
| ssh-private-key | Path to the user's private key file. | Absolute path or relative path from current location to the key file to use. |
| trusted-user-ca-key | Specifies a file containing public key of a certificate authority that is trusted to sign user certificates for authentication. The file must contain a user principals list, and the list must include the user(s) that can authenticate with the key. | Absolute path or relative path from current location to the user's trusted certificate authority public key file. |
| | Comma-separated list of the public key algorithms to support. | |
| | Comma-separated list in priority order of the key-exchange algorithms to support. | |
| | Comma-separated list of cipher algorithms to support | |
| | Comma-separated list in preference order of MAC algorithms to support. Based on RFC 4253 section 6.4 with the exception of | |
| disable-password-auth | Disable password authentication. | true |
For example:
minio server http://server{1...4}/disk{1...4} \
--sftp="address=:8022" --sftp="ssh-private-key=/home/miniouser/.ssh/id_rsa" \
--sftp="kex-algos=diffie-hellman-group14-sha256,curve25519-sha256@libssh.org" \
...
--certs-dir, -S
Specifies the path to the folder containing certificates the minio process uses for configuring TLS/SSL connectivity.
The contents of the specified folder must follow that of the default path structure.
For example, the path contents of --certs-dir /etc/minio should resemble the following:
/etc/minio
  private.key
  public.crt
  domain.tld/
    private.key
    public.crt
  CAs/
    full-chain-ca.crt
Omit to use the default directory paths:
- Linux/macOS: ${HOME}/.minio/certs
- Windows: %USERPROFILE%\.minio\certs
See minio-TLS for more information on TLS/SSL connectivity.
Important
MinIO Server RELEASE.2023-12-09T18-17-51Z removes the deprecated --config-dir | -C parameter.
Deployments using this flag may start without TLS enabled. Replace those parameters with --certs-dir | -S and restart to re-enable TLS.
--quiet
Disables startup information.
--anonymous
Hides sensitive information from logging.
--json
Outputs server logs and startup information in JSON format.
Note
You can define any of the minio parameters above by setting them in the MINIO_OPTS environment variable. This variable takes as its value a single string that contains any of the above parameters and their values that you want to set when starting the MinIO Server.
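A MINIO_OPTS string can be reviewed for the --ftp, --sftp and --config-dir settings described above before it is deployed. The following is an added example, not MinIO's own code: audit_minio_opts is a hypothetical name, both sample strings are constructed, and treating SHA-1 key exchange as a finding is a policy choice of the example rather than a rule stated on this page.

```python
import shlex


def audit_minio_opts(opts: str) -> list[str]:
    """Return findings for the --ftp/--sftp/--config-dir settings in MINIO_OPTS."""
    tokens = shlex.split(opts)
    pairs = {"--ftp": {}, "--sftp": {}}
    findings = []
    i = 0
    while i < len(tokens):
        flag, sep, value = tokens[i].partition("=")
        if flag in pairs:
            if not sep and i + 1 < len(tokens):  # "--sftp key=value" spelling
                i += 1
                value = tokens[i]
            key, _, val = value.partition("=")
            pairs[flag][key] = val
        elif flag in ("--config-dir", "-C"):
            findings.append("config-dir: removed in RELEASE.2023-12-09T18-17-51Z; "
                            "TLS may be off until replaced with --certs-dir")
        i += 1

    ftp, sftp = pairs["--ftp"], pairs["--sftp"]
    if ftp:
        has_key, has_cert = "tls-private-key" in ftp, "tls-public-cert" in ftp
        if has_key != has_cert:
            findings.append("ftp: tls-private-key and tls-public-cert must be set together")
        elif not has_key:
            findings.append("ftp: no explicit TLS pair; relies on the deployment's default TLS keys")
    if sftp:
        if sftp.get("disable-password-auth") != "true":
            findings.append("sftp: password authentication is not disabled")
        # Policy assumption of this example: flag SHA-1 based key exchange.
        weak = [a for a in sftp.get("kex-algos", "").split(",") if a.endswith("sha1")]
        if weak:
            findings.append("sftp: SHA-1 key exchange listed: " + ",".join(weak))
    return findings


# Constructed sample values, not taken from a real deployment.
SAMPLE_WEAK = ('--ftp="address=:8021" --ftp="tls-private-key=path/to/private.key" '
               '--sftp="address=:8022" --sftp="ssh-private-key=/home/miniouser/.ssh/id_rsa" '
               '--sftp="kex-algos=diffie-hellman-group14-sha1,curve25519-sha256@libssh.org" '
               '-C /etc/minio')
SAMPLE_HARDENED = ('--ftp="address=:8021" --ftp="tls-private-key=path/to/private.key" '
                   '--ftp="tls-public-cert=path/to/public.crt" --sftp="address=:8022" '
                   '--sftp="ssh-private-key=/home/miniouser/.ssh/id_rsa" '
                   '--sftp="disable-password-auth=true" --certs-dir /etc/minio')
```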
Settings
You can perform other customizations to the MinIO Server process by defining additional Configuration Values or Environment Variables.
Many configuration values and environment variables define the same value. If you set both a configuration value and the matching environment variable, MinIO uses the value from the environment variable.