前言:
minio作为轻量级的对象存储服务安装还是比较简单的,但分布式集群可以大大提高存储的安全性,可靠性。分布式集群是在单实例的基础上扩展而来的
minio的分布式集群有如下要求:
- 所有运行分布式 MinIO 的节点需要具有相同的访问密钥和秘密密钥才能连接。建议在执行 MINIO 服务器命令之前,将访问密钥作为环境变量,MINIO access key 和 MINIO secret key 导出到所有节点上 。
- Minio 创建4到16个驱动器的擦除编码集。
- Minio 选择最大的 EC 集大小,该集大小除以给定的驱动器总数。 例如,8个驱动器将用作一个大小为8的 EC 集,而不是两个大小为4的 EC 集 。
- 建议所有运行分布式 MinIO 设置的节点都是同构的,即相同的操作系统、相同数量的磁盘和相同的网络互连 。
- 运行分布式 MinIO 实例的服务器时间差不应超过15分钟。
单实例部署可以见我原来写的博文:Linux|minio对象存储服务的部署和初步使用总结_linux部署minio-CSDN博客
首先,minio的安装部署方式很多,可以使用docker,二进制,rpm 亦或者集成部署在kubernetes内,综合各种部署方式的优劣,本文选择rpm安装部署,该方式其实和二进制没什么太大区别,但足够简单,省去了很多麻烦。
其次就是minio的drive问题,minio要求ta使用的存储空间也就是drive必须是一个空的,单独挂载的磁盘,那么,有时候根据我们的使用目的,比如,我仅仅需要velero这个工具通过minio来存储kubernetes的备份文件,那么,对存储空间的要求就没有那么高了,因此,本文采用的是虚拟磁盘的挂载技术
最后,就是minio的console-address的问题,每一个minio单实例都集成有console,也就是web控制台,该控制台配置文件里不显式写也会启动,但端口是随机的,如果你需要更安全,那么,建议不写console,让ta自动分配随机端口,需要使用console的时候,通过日志来查询后使用
本次实践是使用的VMware虚拟机,VMware虚拟机服务器总计四台,IP分别是192.168.123.11,192.168.123.12,192.168.123.13,192.168.123.14,操作系统是centos-7.7,minio的版本为minio-20230413030807.0.0.x86_64
一,
minio集群的环境初始化
这些都是老生常谈的问题,就不在此详细说明了,防火墙关闭,selinux关闭,时间服务器,本集群无需内部域名映射
内核优化(每个节点都执行):
cat > /etc/sysctl.d/minio.conf <<EOF
# maximum number of open files/file descriptors
fs.file-max = 4194303
# use as little swap space as possible
vm.swappiness = 1
# prioritize application RAM against disk/swap cache
vm.vfs_cache_pressure = 50
# minimum free memory
vm.min_free_kbytes = 1000000
# follow mellanox best practices https://community.mellanox.com/s/article/linux-sysctl-tuning
# the following changes are recommended for improving IPv4 traffic performance by Mellanox
# disable the TCP timestamps option for better CPU utilization
net.ipv4.tcp_timestamps = 0
# enable the TCP selective acks option for better throughput
net.ipv4.tcp_sack = 1
# increase the maximum length of processor input queues
net.core.netdev_max_backlog = 250000
# increase the TCP maximum and default buffer sizes using setsockopt()
net.core.rmem_max = 4194304
net.core.wmem_max = 4194304
net.core.rmem_default = 4194304
net.core.wmem_default = 4194304
net.core.optmem_max = 4194304
# increase memory thresholds to prevent packet dropping:
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 65536 4194304
# enable low latency mode for TCP:
net.ipv4.tcp_low_latency = 1
# the following variable is used to tell the kernel how much of the socket buffer
# space should be used for TCP window size, and how much to save for an application
# buffer. A value of 1 means the socket buffer will be divided evenly between.
# TCP windows size and application.
net.ipv4.tcp_adv_win_scale = 1
# maximum number of incoming connections
net.core.somaxconn = 65535
# maximum number of packets queued
net.core.netdev_max_backlog = 10000
# queue length of completely established sockets waiting for accept
net.ipv4.tcp_max_syn_backlog = 4096
# time to wait (seconds) for FIN packet
net.ipv4.tcp_fin_timeout = 15
# disable icmp send redirects
net.ipv4.conf.all.send_redirects = 0
# disable icmp accept redirect
net.ipv4.conf.all.accept_redirects = 0
# drop packets with LSR or SSR
net.ipv4.conf.all.accept_source_route = 0
# MTU discovery, only enable when ICMP blackhole detected
net.ipv4.tcp_mtu_probing = 1
EOF
sysctl -p /etc/sysctl.d/minio.conf
# `Transparent Hugepage Support`*: This is a Linux kernel feature intended to improve
# performance by making more efficient use of processor’s memory-mapping hardware.
# But this may cause https://blogs.oracle.com/linux/performance-issues-with-transparent-huge-pages-thp
# for non-optimized applications. As most Linux distributions set it to `enabled=always` by default,
# we recommend changing this to `enabled=madvise`. This will allow applications optimized
# for transparent hugepages to obtain the performance benefits, while preventing the
# associated problems otherwise. Also, set `transparent_hugepage=madvise` on your kernel
# command line (e.g. in /etc/default/grub) to persistently set this value.
echo "Enabling THP madvise"
echo madvise | sudo tee /sys/kernel/mm/transparent_hugepage/enabled
二,
minio集群的drive创建
每个节点都执行,这里是每个虚拟磁盘1G,分别挂载到/data1目录下的,如果是生产环境,建议 vim /etc/fstab 固化挂载
使用的普通用户minio-user 设置不可登陆,并赋予相关目录该用户的属组
mkdir -p /data1/minio{1..4}
groupadd -r minio-user
useradd -M -r -g minio-user minio-userchown -Rf minio-user. /data1/dd if=/dev/zero of=/media/testfile1 bs=200M count=5
dd if=/dev/zero of=/media/testfile2 bs=200M count=5
dd if=/dev/zero of=/media/testfile3 bs=200M count=5
dd if=/dev/zero of=/media/testfile4 bs=200M count=5
mkfs.xfs /media/testfile1
mkfs.xfs /media/testfile2
mkfs.xfs /media/testfile3
mkfs.xfs /media/testfile4mount -t xfs /media/testfile1 /data1/minio1/
mount -t xfs /media/testfile2 /data1/minio2/
mount -t xfs /media/testfile3 /data1/minio3/
mount -t xfs /media/testfile4 /data1/minio4/
固化挂载:
tail -f /etc/fstab/media/testfile1 /data1/minio1/ xfs defaults 0 0
/media/testfile2 /data1/minio2/ xfs defaults 0 0
/media/testfile3 /data1/minio3/ xfs defaults 0 0
/media/testfile4 /data1/minio4/ xfs defaults 0 0
[root@node1 ~]# df -ah
Filesystem Size Used Avail Use% Mounted on
sysfs 0 0 0 - /sys
proc 0 0 0 - /proc
devtmpfs 2.0G 0 2.0G 0% /dev
securityfs 0 0 0 - /sys/kernel/security
tmpfs 2.0G 52K 2.0G 1% /dev/shm
devpts 0 0 0 - /dev/pts
tmpfs 2.0G 68M 1.9G 4% /run
tmpfs 2.0G 0 2.0G 0% /sys/fs/cgroup
。。。。略略略。。。
/dev/loop0 997M 99M 899M 10% /data1/minio1
/dev/loop1 997M 99M 899M 10% /data1/minio2
/dev/loop2 997M 99M 899M 10% /data1/minio3
/dev/loop3 997M 99M 899M 10% /data1/minio4
三,
正式安装部署minio
每个节点都执行:
rpm -ivh minio-20230413030807.0.0.x86_64.rpm
安装完毕后,查看minio的启动脚本:
[root@node1 ~]# cat /etc/systemd/system/minio.service
[Unit]
Description=MinIO
Documentation=https://docs.min.io
Wants=network-online.target
After=network-online.target
AssertFileIsExecutable=/usr/local/bin/minio[Service]
WorkingDirectory=/usr/localUser=minio-user
Group=minio-user
ProtectProc=invisibleEnvironmentFile=-/etc/default/minio
ExecStartPre=/bin/bash -c "if [ -z \"${MINIO_VOLUMES}\" ]; then echo \"Variable MINIO_VOLUMES not set in /etc/default/minio\"; exit 1; fi"
ExecStart=/usr/local/bin/minio server $MINIO_OPTS $MINIO_VOLUMES# Let systemd restart this service always
Restart=always# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=1048576# Specifies the maximum number of threads this process can create
TasksMax=infinity# Disable timeout logic and wait until process is stopped
TimeoutStopSec=infinity
SendSIGKILL=no[Install]
WantedBy=multi-user.target# Built for ${project.name}-${project.version} (${project.name})
观察该脚本,发现用户这方面我们已经设置好了,前面创建了用户,现在是两个关键变量$MINIO_OPTS $MINIO_VOLUMES 以及存放变量的文件/etc/default/minio
可以看到,刚安装完毕是没有这个文件的,需要我们自己创建(每个节点都一样的):
cat >/etc/default/minio <<EOF
# Set the hosts and volumes MinIO uses at startup
# The command uses MinIO expansion notation {x...y} to denote a
# sequential series.
#
# The following example covers four MinIO hosts
# with 4 drives each at the specified hostname and drive locations.
# The command includes the port that each MinIO server listens on
# (default 9000)
## 这块是文件磁盘的位置 因为我们是集群节点是163-166 这边是一种池化写法
MINIO_VOLUMES="http://192.168.123.{11...14}:39111/data1/minio{1...4}"# Set all MinIO server options
#
# The following explicitly sets the MinIO Console listen address to
# port 9001 on all network interfaces. The default behavior is dynamic
# port selection.## minio-console的地址 就是web界面控制台
MINIO_OPTS="--address :39111 --console-address :39112"# Set the root username. This user has unrestricted permissions to
# perform S3 and administrative API operations on any resource in the
# deployment.
#
# Defer to your organizations requirements for superadmin user name.# console的登陆账号
MINIO_ROOT_USER=minioadmin# Set the root password
#
# Use a long, random, unique string that meets your organizations
# requirements for passwords.# console的登陆密码
MINIO_ROOT_PASSWORD=minioadmin
EOF
该配置文件的说明:
MINIO_VOLUMES="http://192.168.123.{11...14}:39111/data1/minio{1...4}"
可以拆开写成 MINIO_VOLUMES="http://192.168.123.11:39111/data1/minio{1...4} http://192.168.123.12:39111/data1/minio{1...4} http://192.168.123.13:39111/data1/minio{1...4}
http://192.168.123.14:39111/data1/minio{1...4}"
因为,四个VMware服务器IP是连续的,所以可以写成上面的简略形式,下面的拆开写法也是OK的
MINIO_OPTS="--address :39111 --console-address :39112"
可以改成MINIO_OPTS="--address :39111 " ,修改为这种形式的时候,minio启动的时候console就会使用随机端口,minio server的服务端口是39111,默认是9000,建议修改端口以提高服务的安全性
MINIO_ROOT_USER=minioadmin
MINIO_ROOT_PASSWORD=minioadmin
这两个是minio服务的web登录账号密码,实际生产中建议设置密码复杂一些
最后还需要给该文件赋权:
chown -Rf minio-user. /etc/default/minio
四,
启动minio服务
systemctl enable minio
systemctl start minio
systemctl status minio
最后一个命令输出如下,表示服务正常:
Dec 28 23:45:57 node1 minio[23188]: MinIO Object Storage Server
Dec 28 23:45:57 node1 minio[23188]: Copyright: 2015-2023 MinIO, Inc.
Dec 28 23:45:57 node1 minio[23188]: License: GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
Dec 28 23:45:57 node1 minio[23188]: Version: RELEASE.2023-04-13T03-08-07Z (go1.20.3 linux/amd64)
Dec 28 23:45:57 node1 minio[23188]: Status: 16 Online, 0 Offline.
Dec 28 23:45:57 node1 minio[23188]: API: http://10.96.24.248:39111 http://192.168.123.11:39111 http://169.254.25.10:39111 http://10.96.0.3:39111 http://10.96.0.1:39111 http://172.17.0.1:39111 http://10.244.26.0:39111 http://127.0.0.1:39111
Dec 28 23:45:57 node1 minio[23188]: Console: http://10.96.24.248:43585 http://192.168.123.11:43585 http://169.254.25.10:43585 http://10.96.0.3:43585 http://10.96.0.1:43585 http://172.17.0.1:43585 http://10.244.26.0:43585 http://127.0.0.1:43585
Dec 28 23:45:57 node1 minio[23188]: Documentation: https://min.io/docs/minio/linux/index.html
Dec 28 23:45:58 node1 minio[23188]: You are running an older version of MinIO released 8 months ago
Dec 28 23:45:58 node1 minio[23188]: Update: Run `mc admin update`
关键字段是Dec 28 23:45:57 node1 minio[23188]: Status: 16 Online, 0 Offline. 这个表示drive全部被发现
最下面有一个警告,说的是minio版本有点低,可以忽略,You are running an older version of MinIO released 8 months ago
还有一个警告找不到了,不过也是无所谓,那个警告大体意思是操作系统内核太低,建议内核版本4以上,minio的性能会更好一点。
目前的内核版本:
[root@node4 ~]# uname -a
Linux node4 3.10.0-1062.el7.x86_64 #1 SMP Wed Aug 7 18:08:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
console也就是web管理界面的端口:
Console: http://10.96.24.248:35382 http://192.168.123.14:35382 http://169.254.25.10:35382 http://10.96.0.3:35382 http://10.96.0.1:35382 http://172.17.0.1:35382 http://10.244.41.0:35382 http://127.0.0.1:35382
很明显是 http://192.168.123.14:35382 其它的IP可能由于是minio和kubernetes运行在一起了吧,忽略掉就可以了
登录web管理界面:
创建桶(我已经创建过了,叫test)
monitoring 可以看到有使用多少磁盘
传一个大文件上去:
传输速度还是比较快的,比ftp什么的快多了
在看看磁盘使用空间:
可以看到,一个800多M的文件被minio打散了分布存储到了各个节点上了
下载文件:
可以看到,下载是先从minio server上各个节点收集文件在下载的
五,
测试高可用
192.168.123.14节点关机
仍然可以正常下载 上传文件:
查看服务状态:
[root@node1 ~]# systemctl status minio
● minio.service - MinIOLoaded: loaded (/etc/systemd/system/minio.service; enabled; vendor preset: disabled)Active: active (running) since Fri 2023-12-29 18:53:31 CST; 7h agoDocs: https://docs.min.ioProcess: 15886 ExecStartPre=/bin/bash -c if [ -z "${MINIO_VOLUMES}" ]; then echo "Variable MINIO_VOLUMES not set in /etc/default/minio"; exit 1; fi (code=exited, status=0/SUCCESS)Main PID: 15889 (minio)Tasks: 15Memory: 144.9MCGroup: /system.slice/minio.service└─15889 /usr/local/bin/minio server --address :39111 --console-address :39112 http://192.168.123.{11...14}:39111/data1/minio{1...4}Dec 30 01:59:23 node1 minio[15889]: API: SYSTEM()
Dec 30 01:59:23 node1 minio[15889]: Time: 17:59:23 UTC 12/29/2023
Dec 30 01:59:23 node1 minio[15889]: DeploymentID: 5e75dcd3-d3de-4a08-bdee-3197016ceded
Dec 30 01:59:23 node1 minio[15889]: Error: Marking 192.168.123.14:39111 offline temporarily; caused by Post "http://192.168.123.14:39111/minio/peer/v30/log": dial tcp 192.168.123.14:39111: connect: no route to host (*fmt.wrapError)
Dec 30 01:59:23 node1 minio[15889]: 6: internal/logger/logonce.go:118:logger.(*logOnceType).logOnceIf()
Dec 30 01:59:23 node1 minio[15889]: 5: internal/logger/logonce.go:149:logger.LogOnceIf()
Dec 30 01:59:23 node1 minio[15889]: 4: internal/rest/client.go:259:rest.(*Client).Call()
Dec 30 01:59:23 node1 minio[15889]: 3: cmd/peer-rest-client.go:68:cmd.(*peerRESTClient).callWithContext()
Dec 30 01:59:23 node1 minio[15889]: 2: cmd/peer-rest-client.go:710:cmd.(*peerRESTClient).doConsoleLog()
Dec 30 01:59:23 node1 minio[15889]: 1: cmd/peer-rest-client.go:734:cmd.(*peerRESTClient).ConsoleLog.func1()
在关闭一个节点,上传不了了,也下载不了任何文件了,只能看看:
两个关闭的节点在开启,很快的啊,啪 的一下 就恢复了:
下载和上传功能完全恢复,很快的,就不演示了, 在看服务状态就没什么报错了:
[root@node1 ~]# systemctl status minio
● minio.service - MinIOLoaded: loaded (/etc/systemd/system/minio.service; enabled; vendor preset: disabled)Active: active (running) since Sat 2023-12-30 02:37:20 CST; 1s agoDocs: https://docs.min.ioProcess: 64997 ExecStartPre=/bin/bash -c if [ -z "${MINIO_VOLUMES}" ]; then echo "Variable MINIO_VOLUMES not set in /etc/default/minio"; exit 1; fi (code=exited, status=0/SUCCESS)Main PID: 64999 (minio)Tasks: 11Memory: 143.1MCGroup: /system.slice/minio.service└─64999 /usr/local/bin/minio server --address :39111 --console-address :39112 http://192.168.123.{11...14}:39111/data1/minio{1...4}Dec 30 02:37:20 node1 minio[64999]: Copyright: 2015-2023 MinIO, Inc.
Dec 30 02:37:20 node1 minio[64999]: License: GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
Dec 30 02:37:20 node1 minio[64999]: Version: RELEASE.2023-04-13T03-08-07Z (go1.20.3 linux/amd64)
Dec 30 02:37:20 node1 minio[64999]: Use `mc admin info` to look for latest server/drive info
Dec 30 02:37:20 node1 minio[64999]: Status: 15 Online, 1 Offline.
Dec 30 02:37:20 node1 minio[64999]: API: http://10.96.24.248:39111 http://192.168.123.11:39111 http://169.254.25.10:39111 http://10.96.0.3:39111 http://10.96.0.1:39111 http://172.17.0.1:39111 http://10.244.26.0:39111 http://127.0.0.1:39111
Dec 30 02:37:20 node1 minio[64999]: Console: http://10.96.24.248:39112 http://192.168.123.11:39112 http://169.254.25.10:39112 http://10.96.0.3:39112 http://10.96.0.1:39112 http://172.17.0.1:39112 http://10.244.26.0:39112 http://127.0.0.1:39112
Dec 30 02:37:20 node1 minio[64999]: Documentation: https://min.io/docs/minio/linux/index.html
Dec 30 02:37:21 node1 minio[64999]: You are running an older version of MinIO released 8 months ago
总结:
minio可以作为网盘使用,但一般是与其它组件联合使用,例如,kubernetes集群内部使用,kafka,redis等等,根据实际需求持久化数据,minio自带有比较完整的权限系统,安全性还是有一定保障的。
本例中,1个节点关闭或者损坏不影响minio集群的使用,2个节点关闭或者损坏将只能读存储,不可以上传或者下载了,也就是只能看看
minio是去中心化的,也就是没有什么主从之分的,因此可以使用nginx做负载均衡:
upstream minio_servers {server 192.168.123.11:39111;server 192.168.123.12:39111;server 192.168.123.13:39111;server 192.168.123.14:39111;
}
server {listen 80;server_name 192.168.123.11;# To allow special characters in headersignore_invalid_headers off;# Allow any size file to be uploaded.# Set to a value such as 1000m; to restrict file size to a specific valueclient_max_body_size 0;# To disable bufferingproxy_buffering off;location / {proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;proxy_set_header Host $http_host;proxy_connect_timeout 300;# Default is HTTP/1, keepalive is only enabled in HTTP/1.1proxy_http_version 1.1;proxy_set_header Connection "";chunked_transfer_encoding off;proxy_pass http://minio_servers; # If you are using docker-compose this would be the hostname i.e. minio# Health Check endpoint might go here. See https://www.nginx.com/resources/wiki/modules/healthcheck/# /minio/health/live;}access_log /var/log/nginx/minio_access.log custom_sls_log;error_log /var/log/nginx/minio.error.log;
}
当然了,如果console显式的配置了端口并且是统一的端口,那么,也可以放nginx里负载均衡,和上面基本一样的配置,就不演示了