BestHub
Sign in
Cloud Computing 35 min read

Deploying MinIO: A Complete Guide to Private S3‑Compatible Object Storage

This guide explains why traditional block and file storage struggle with massive unstructured data, introduces MinIO as a high‑performance, Go‑based S3‑compatible object storage, and provides step‑by‑step instructions for single‑node and erasure‑coded multi‑node deployments, TLS setup, client usage, policies, monitoring, backup, and troubleshooting.

MaGe Linux Operations
MaGe Linux Operations
MaGe Linux Operations
Deploying MinIO: A Complete Guide to Private S3‑Compatible Object Storage

Overview

MinIO is an open‑source, S3‑compatible object storage written in Go. It runs as a single binary without external dependencies and supports the full S3 API (multipart upload, versioning, object lock, S3 Select, encryption, etc.).

Key Technical Features

S3 Full Compatibility : Implements AWS Signature V4, multipart upload, pre‑signed URLs, and most S3 SDK operations.

Erasure Coding : Reed‑Solomon based; data is split into data and parity blocks, providing redundancy without full replicas. Default layout in a 4‑node, 4‑disk‑per‑node cluster creates 8 data + 8 parity blocks, tolerating any 8 disk failures with 50 % raw capacity utilization.

Zero‑Dependency Deployment : Single Go binary, no database or ZooKeeper.

High Performance : Multi‑core CPU and NVMe SSD utilization, tens of GB/s throughput.

Bucket Notification : Webhook, Kafka, AMQP, Redis integrations.

Identity Management : LDAP, OpenID Connect, Keycloak integration.

Environment Requirements

OS: Ubuntu 22.04 LTS or CentOS 8+ (Ubuntu 22.04 recommended).

CPU/RAM: 4 CPU 8 GB (production 8 CPU 16 GB). Minimum 4 disks per node for erasure coding.

Disk: XFS (recommended for small‑file workloads).

Network: 10 GbE between nodes (required for erasure‑set data shuffling).

Single‑Node Deployment (testing only)

# Download binary
wget https://dl.min.io/server/minio/release/linux-amd64/minio
chmod +x minio
sudo mv minio /usr/local/bin/
# Verify version
minio --version
# Create system user and data directory
sudo useradd -r -s /sbin/nologin minio-user
sudo mkdir -p /data/minio
sudo chown minio-user:minio-user /data/minio
# Environment variables (/etc/default/minio)
MINIO_ROOT_USER=minioadmin
MINIO_ROOT_PASSWORD=Change-Me-2025!
MINIO_VOLUMES="/data/minio"
MINIO_OPTS="--address :9000 --console-address :9001"
# systemd service (/etc/systemd/system/minio.service)
[Unit]
Description=MinIO Object Storage
After=network-online.target
Wants=network-online.target
[Service]
User=minio-user
Group=minio-user
EnvironmentFile=/etc/default/minio
ExecStart=/usr/local/bin/minio server $MINIO_VOLUMES $MINIO_OPTS
Restart=always
LimitNOFILE=65536
OOMScoreAdjust=-500
TasksMax=infinity
TimeoutStopSec=infinity
SendSIGKILL=no
[Install]
WantedBy=multi-user.target
# Enable and start
sudo systemctl daemon-reload
sudo systemctl enable --now minio
# Health check
curl -s http://localhost:9000/minio/health/live   # returns HTTP 200

Single‑node mode has no erasure coding; any disk failure results in data loss.

Erasure‑Coded Multi‑Node Cluster

Cluster Planning Example (4 nodes, 4 NVMe SSD per node)

# Format disks as XFS (recommended)
sudo mkfs.xfs /dev/nvme0n1
sudo mkfs.xfs /dev/nvme1n1
sudo mkfs.xfs /dev/nvme2n1
sudo mkfs.xfs /dev/nvme3n1
# Create mount points
sudo mkdir -p /data/disk{1,2,3,4}
# Persist in /etc/fstab (noatime improves metadata performance)
cat <<'EOF' | sudo tee -a /etc/fstab
/dev/nvme0n1 /data/disk1 xfs defaults,noatime 0 2
/dev/nvme1n1 /data/disk2 xfs defaults,noatime 0 2
/dev/nvme2n1 /data/disk3 xfs defaults,noatime 0 2
/dev/nvme3n1 /data/disk4 xfs defaults,noatime 0 2
EOF
sudo mount -a
sudo chown minio-user:minio-user /data/disk{1,2,3,4}
# /etc/default/minio (identical on all nodes)
MINIO_ROOT_USER=minioadmin
MINIO_ROOT_PASSWORD=Change-Me-2025!
# Use MinIO's three‑dot expansion syntax {1...4}
MINIO_VOLUMES="http://minio-{1...4}.example.com:9000/data/disk{1...4}"
MINIO_SERVER_URL="https://minio.example.com"
MINIO_OPTS="--address :9000 --console-address :9001"

Start the service on each node (systemd) and verify cluster health:

# Live check
curl -s http://minio-1.example.com:9000/minio/health/live
# Cluster ready check (all nodes online)
curl -s http://minio-1.example.com:9000/minio/health/cluster
# Cluster info (requires mc client)
mc admin info myminio

TLS Configuration

Place certificates in ~/.minio/certs/ (or /etc/minio/certs/) with filenames public.crt and private.key. For self‑signed CAs, copy the CA certificate to CAs/. Restart MinIO after adding certificates. When TLS is enabled, use https:// URLs in environment variables and mc aliases.

MinIO Client (mc) Usage

# Install mc
wget https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x mc
sudo mv mc /usr/local/bin/
# Configure alias
mc alias set myminio https://minio.example.com:9000 minioadmin "Change-Me-2025!"
# Basic bucket operations
mc mb myminio/my-bucket
mc ls myminio
mc rb myminio/old-bucket --force
# Object operations
mc cp localfile.tar.gz myminio/my-bucket/
mc cp myminio/my-bucket/file.tar.gz ./
mc rm myminio/my-bucket/old-file.log
# Recursive upload / mirror
mc cp --recursive ./logs/ myminio/my-bucket/logs/
mc mirror ./data myminio/my-bucket/data
# IAM management
mc admin user add myminio app-user App-Pass-2025!
mc admin policy attach myminio readwrite --user app-user
# Real‑time request tracing
mc admin trace myminio

Bucket Policies and Lifecycle

# Public read‑only policy (JSON)
{
  "Version":"2012-10-17",
  "Statement":[{
    "Effect":"Allow",
    "Principal":{"AWS":["*"]},
    "Action":["s3:GetObject"],
    "Resource":["arn:aws:s3:::static-assets/*"]
  }]
}
# Apply policy
mc anonymous set-json public-read.json myminio/static-assets

# Custom read‑write policy example
{
  "Version":"2012-10-17",
  "Statement":[{
    "Effect":"Allow",
    "Action":["s3:PutObject","s3:GetObject","s3:DeleteObject","s3:ListBucket"],
    "Resource":["arn:aws:s3:::app-data","arn:aws:s3:::app-data/uploads/*"]
  }]
}
mc admin policy create myminio app-rw-policy app-rw-policy.json
mc admin policy attach myminio app-rw-policy --user app-user

# Lifecycle script (expire objects)
#!/bin/bash
set -euo pipefail
MINIO_ALIAS="myminio"
BUCKET_NAME="$1"
PREFIX="$2"
EXPIRE_DAYS="$3"
mc ilm rule add "$MINIO_ALIAS/$BUCKET_NAME" --prefix "$PREFIX" --expire-days "$EXPIRE_DAYS" --tags "managed-by=lifecycle-script"

Best Practices & Caveats

Erasure‑code sizing : Choose EC configuration based on redundancy vs. capacity. Common choices – EC:4 (12 data : 4 parity, 75 % utilization) for dev/testing; EC:8 (8 : 8, 50 % utilization) for production.

Disk type : NVMe SSD for metadata‑intensive workloads; SATA SSD for mixed workloads; HDD for cold archive.

JBOD vs RAID : Prefer JBOD so MinIO manages redundancy; RAID only when hardware cannot be disabled.

IAM least‑privilege : Create service accounts with bucket‑scoped policies; disable anonymous access.

Object Lock : Enable at bucket creation with --with-lock; choose GOVERNANCE (admin can bypass) or COMPLIANCE (no bypass) mode.

Time synchronization : All nodes must run NTP/Chrony; clock drift >15 s breaks signature verification.

Memory usage : Each Erasure Set consumes ~2‑3 GB RAM; plan accordingly for large clusters.

Monitoring & Alerting

MinIO exposes Prometheus metrics at /minio/v2/metrics/cluster. Generate a scrape config with mc admin prometheus generate myminio. Key metrics include: minio_node_disk_free_bytes – alert when <10 % free. minio_s3_requests_errors_total – error rate >1 % triggers warning. minio_s3_ttfb_seconds – 99th‑percentile latency >500 ms. minio_heal_objects_total – non‑zero value persisting >1 h indicates unrepaired data.

Sample Prometheus alert rules (disk space, error rate, node offline) should be added to prometheus‑rules.yml.

Backup & Disaster Recovery

# Incremental backup with mc mirror
SOURCE_ALIAS="myminio"
TARGET_ALIAS="backup-minio"
BUCKETS=("app-data" "user-uploads" "logs-archive")
for bucket in "${BUCKETS[@]}"; do
  mc mirror --overwrite --remove "$SOURCE_ALIAS/$bucket" "$TARGET_ALIAS/${bucket}-backup"
  if [[ ${PIPESTATUS[0]} -ne 0 ]]; then
    echo "Backup failed for $bucket"
  fi
done

Site Replication provides multi‑site, bidirectional sync of objects, buckets, and IAM configuration:

mc admin replicate add site1-minio site2-minio site3-minio
mc admin replicate status site1-minio
mc admin replicate metrics site1-minio

Recovery steps: stop MinIO, replace failed disks, ensure correct mount points, start service, run mc admin heal myminio --recursive, and verify with mc admin info. Use mc mirror to restore from a backup cluster if needed.

Summary

MinIO delivers a lightweight, high‑performance, S3‑compatible object store suitable for petabyte‑scale workloads. Proper planning of erasure‑coding topology, disk selection, IAM policies, and monitoring is essential for production reliability. Automated backup (mc mirror) and optional Site Replication ensure data durability across geographic regions.

KubernetesMinIOBackuperasure codingObject StorageS3 Compatibility
MaGe Linux Operations
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment