debops.minio default variables¶
Sections
UNIX environment¶
-
minio__user¶
The name of the UNIX system account used by the MinIO service.
minio__user: 'minio'
-
minio__group¶
The name of the UNIX system group used by the MinIO service.
minio__group: 'minio'
-
minio__additional_groups¶
List of additional UNIX groups to add to the MinIO UNIX account, required for access to additional resources.
minio__additional_groups: '{{ [ "ssl-cert" ] if minio__pki_enabled|bool else [] }}'
-
minio__home¶
The absolute path of the MinIO UNIX account home directory.
minio__home: '{{ (ansible_local.fhs.home | d("/var/local"))
+ "/" + minio__user }}'
-
minio__shell¶
The UNIX shell used by the MinIO account.
minio__shell: '/usr/sbin/nologin'
-
minio__comment¶
The GECOS field set on the MinIO UNIX account.
minio__comment: 'MinIO'
Go application deployment¶
These variables control how the minio binary is installed on the
host. The installation is performed by the debops.golang role, refer
to its documentation for details. The installation definition can be found in
the minio__golang__dependent_packages variable.
-
minio__upstream_gpg_key¶
The fingerprint of the GPG key which is used to sign the MinIO releases. It will be used to verify the downloaded signature file as well as the git tags in the source repository.
minio__upstream_gpg_key: '4405 F3F0 DDBA 1B9E 68A3 1D25 12C7 4390 F9AA C728'
-
minio__upstream_type¶
Specify the method which should be used to install MinIO binary. Either
url to download the configured binary directly and virify it using the
specified GPG key, or git to clone the MinIO git repository
and build the specified version from source.
minio__upstream_type: 'url'
-
minio__upstream_upgrade¶
Enable or disable automatic upgrades of MinIO downloaded from upstream. This does not affect installations built from the git repository.
MinIO is updated quite freqently. Remember that already downloaded MinIO
releases are not removed automatically; check the download directory (by
default /var/local/_golang/go/src/releases/linux-amd64/minio/ ) and
remove old releases.
minio__upstream_upgrade: False
-
minio__upstream_url_mirror¶
The base URL of the MinIO download page, should end with the / character.
minio__upstream_url_mirror: 'https://dl.min.io/server/minio/release/'
-
minio__upstream_platform¶
Specify the OS type and platform architecture to use for installation. The list of supported architectures and OS types can be found on the https://dl.min.io/server/minio/release/ page.
minio__upstream_platform: 'linux-amd64'
-
minio__upstream_url_release¶
The version of MinIO to download from upstream on a given host. You should
specify the RELEASE.YYYY-MM-DDTHH-MM-SSZ tagged release number.
Available MinIO releases: https://github.com/minio/minio/releases
minio__upstream_url_release: '{{ minio__env_upstream_url_release }}'
-
minio__upstream_url_binary¶
The path to the MinIO binary on the upstream HTTPS server, relative to the OS type and platform directory.
minio__upstream_url_binary: '{{ "archive/minio." + minio__upstream_url_release }}'
-
minio__upstream_git_repository¶
The URL of the upstream git repository which contains MinIO source code.
minio__upstream_git_repository: 'https://github.com/minio/minio'
-
minio__upstream_git_release¶
The version of MinIO to build from source on a given host. The build version depends on the availability of a specific Golang version and other factors. Latest MinIO versions which can be built on a given OS distribution release are preferable.
minio__upstream_git_release: '{{ "RELEASE.2019-03-27T22-35-21Z"
if (ansible_distribution_release in
[ "stretch", "buster", "xenial", "bionic" ])
else ("RELEASE.2019-09-05T23-24-38Z"
if (ansible_distribution_release in
[ "bullseye" ])
else minio__upstream_url_release) }}'
-
minio__binary¶
Absolute path to the minio Go binary installed on the host. See the debops.golang role for more details.
minio__binary: '{{ ansible_local.golang.binaries["minio"]
if (ansible_local.golang.binaries|d() and
ansible_local.golang.binaries.minio|d())
else "" }}'
Filesystem layout¶
-
minio__config_dir¶
The directory which contains MinIO tenant configuration files with environment variables for each MinIO instance.
minio__config_dir: '/etc/minio'
-
minio__volumes_dir¶
The directory which contains MinIO volumes. If not specified otherwise, each MinIO tenant will have its volume subdirectory created in this directory.
minio__volumes_dir: '/srv/minio'
-
minio__volumes¶
List of directories in the filesystem which should be created to contain
MinIO volumes, defined on all hosts in the Ansible inventory.
You can specify a relative path which will be created under
the minio__volumes_dir directory, or an absolute filesystem path.
minio__volumes: []
-
minio__group_volumes¶
List of directories in the filesystem which should be created to contain
MinIO volumes, defined on hosts in a specific Ansible inventory group.
You can specify a relative path which will be created under
the minio__volumes_dir directory, or an absolute filesystem path.
minio__group_volumes: []
-
minio__host_volumes¶
List of directories in the filesystem which should be created to contain
MinIO volumes, defined on specific hosts in the Ansible inventory.
You can specify a relative path which will be created under
the minio__volumes_dir directory, or an absolute filesystem path.
minio__host_volumes: []
DNS configuration¶
-
minio__fqdn¶
The Fully Qualified Domain Name of a host on which MinIO is installed. This
variable is used in the nginx configuration to point the upstream
to the local MinIO service when TLS support is enabled, due to the X.509
certificate requirements. If you want to change the FQDN on which
a particular MinIO instance is accessible via nginx, use the
item.fqdn parameter instead.
minio__fqdn: '{{ ansible_fqdn }}'
-
minio__domain¶
This variable is used in the nginx configuration to generate the FQDN of the MinIO service based on the MinIO instance name and DNS domain specified here.
minio__domain: '{{ ansible_domain }}'
Transport Layer Security (TLS) support¶
These variables are used to configure the TLS support in MinIO. The debops.pki Ansible is used to manage the private keys and X.509 certificates.
-
minio__pki_enabled¶
Enable or disable support for encrypted communication between MinIO instances via TLS. The support will be enabled in the debops.pki Ansible role is configured on a host.
minio__pki_enabled: '{{ ansible_local.pki.enabled
if (ansible_local|d() and ansible_local.pki|d() and
ansible_local.pki.enabled is defined)
else False }}'
-
minio__pki_base_path¶
The absolute path to the directory which contains the PKI realm subdirectories.
minio__pki_base_path: '{{ ansible_local.pki.base_path|d("/etc/pki/realms") }}'
-
minio__pki_realm¶
Name of the PKI realm to use by the MinIO service.
minio__pki_realm: '{{ ansible_local.pki.realm|d("domain") }}'
-
minio__pki_key¶
The name of the file which contains the private key used by the X.509 certificate, relative to the PKI realm directory.
minio__pki_key: '{{ ansible_local.pki.key|d("default.key") }}'
-
minio__pki_crt¶
The name of the file which contains the X.509 certificate chain used by MinIO, relative to the PKI realm directory.
MinIO requires a full X.509 chain with the intermediate CA and the Root Certificate Authority included. Otherwise you will see the error message "Unable to load the TLS configuration: Invalid TLS certificate".
minio__pki_crt: 'public/full.pem'
-
minio__tls_certs_dir¶
Absolute path to the directory where the debops.minio role will create symlinks to the private key and X.509 certificate chain used by MinIO for TLS connections.
minio__tls_certs_dir: '{{ minio__home + "/.minio/certs" }}'
-
minio__tls_private_key¶
Absolute path to the private key used by MinIO which will be symlinked as the
private.key file inside of the certs/ directory.
minio__tls_private_key: '{{ minio__pki_base_path + "/" + minio__pki_realm + "/" + minio__pki_key }}'
-
minio__tls_public_crt¶
Absolute path to the X.509 certificate chain used by MinIO which will be
symlinked as the public.crt file inside of the certs/
directory.
minio__tls_public_crt: '{{ minio__pki_base_path + "/" + minio__pki_realm + "/" + minio__pki_crt }}'
MinIO instance configuration¶
The variables below define a list of MinIO instances to manage on a particular host. See minio__instances for more details.
-
minio__default_instances¶
The list of the default MinIO instances defined by the role.
minio__default_instances:
# This instance configuration overrides the nginx configuration to use the
# host's FQDN instead of the instance name. It also supports using host
# subdomains as the bucket names.
- name: 'main'
port: '9000'
console_port: '19000'
fqdn: '{{ minio__fqdn }}'
domain: '{{ minio__fqdn }}'
-
minio__instances¶
The list of the MinIO instances which should be defined on all hosts in the Ansible inventory.
minio__instances: []
-
minio__group_instances¶
The list of the MinIO instances which should be defined on hosts in a specific Ansible inventory group.
minio__group_instances: []
-
minio__host_instances¶
The list of the MinIO instances which should be defined on specific hosts in the Ansible inventory.
minio__host_instances: []
-
minio__combined_instances¶
The variable which combines all other MinIO instance variables and is used in the role tasks and templates.
minio__combined_instances: '{{ minio__default_instances
+ minio__instances
+ minio__group_instances
+ minio__host_instances }}'
Configuration for other Ansible roles¶
-
minio__golang__dependent_packages¶
Configuration for the debops.golang Ansible role.
minio__golang__dependent_packages:
- name: 'minio'
upstream_type: '{{ minio__upstream_type }}'
gpg: '{{ minio__upstream_gpg_key }}'
url:
- src: '{{ minio__upstream_url_mirror + minio__upstream_platform + "/" + minio__upstream_url_binary }}'
dest: 'releases/{{ minio__upstream_platform }}/minio/minio.{{ minio__upstream_url_release }}'
checksum: 'sha256:{{ minio__upstream_url_mirror + minio__upstream_platform + "/" + minio__upstream_url_binary }}.sha256sum'
- src: '{{ minio__upstream_url_mirror + minio__upstream_platform + "/" + minio__upstream_url_binary + ".asc" }}'
dest: 'releases/{{ minio__upstream_platform }}/minio/minio.{{ minio__upstream_url_release }}.asc'
gpg_verify: True
url_binaries:
- src: 'releases/{{ minio__upstream_platform }}/minio/minio.{{ minio__upstream_url_release }}'
dest: 'minio'
notify: 'Restart minio'
git:
- repo: '{{ minio__upstream_git_repository }}'
version: '{{ minio__upstream_git_release }}'
build_script: |
make clean build
git_binaries:
- src: '{{ minio__upstream_git_repository.split("://")[1] + "/minio" }}'
dest: 'minio'
notify: 'Restart minio'
-
minio__etc_services__dependent_list¶
Configuration for the debops.etc_services Ansible role, generated dynamically based on the MinIO instance configuration.
minio__etc_services__dependent_list: '{{ minio__env_etc_services_dependent_list }}'
-
minio__sysctl__dependent_parameters¶
Configuration for the debops.sysctl Ansible role.
minio__sysctl__dependent_parameters:
# Ref: https://github.com/minio/minio/tree/master/docs/deployment/kernel-tuning
- name: 'minio'
weight: '80'
options:
- name: 'net.ipv4.tcp_fin_timeout'
comment: |
A socket left in memory takes approximately 1.5Kb of memory. It makes
sense to close the unused sockets preemptively to ensure no memory
leakage. This way, even if a peer doesn't close the socket due to
some reason, the system itself closes it after a timeout.
The "tcp_fin_timeout" variable defines this timeout and tells kernel
how long to keep sockets in the state FIN-WAIT-2. We recommend
setting it to 30.
value: 30
- name: 'net.ipv4.tcp_keepalive_probes'
comment: |
This variable defines the number of unacknowledged probes to be sent
before considering a connection dead.
value: 5
- name: 'net.core.wmem_max'
comment: |
This parameter sets the max OS send buffer size for all types of
connections.
value: 540000
- name: 'net.core.rmem_max'
comment: |
This parameter sets the max OS receive buffer size for all types of
connections.
value: 540000
- name: 'vm.swappiness'
comment: |
This parameter controls the relative weight given to swapping out
runtime memory, as opposed to dropping pages from the system page
cache. It takes values from 0 to 100, both inclusive. We recommend
setting it to 10.
value: 10
- name: 'vm.dirty_background_ratio'
comment: |
This is the percentage of system memory that can be filled with dirty
pages, i.e. memory pages that still need to be written to disk. We
recommend writing the data to the disk as soon as possible. To do
this, set the dirty_background_ratio to 1.
value: 1
- name: 'vm.dirty_ratio'
comment: |
This defines is the absolute maximum amount of system memory that can
be filled with dirty pages before everything must get committed to
disk.
value: 1
- name: 'kernel.sched_min_granularity_ns'
comment: |
This parameter decides the minimum time a task will be be allowed to
run on CPU before being pre-empted out. We recommend setting it to
10ms.
value: 10000000
- name: 'kernel.sched_wakeup_granularity_ns'
comment: |
Lowering this parameter improves wake-up latency and throughput for
latency critical tasks, particularly when a short duty cycle load
component must compete with CPU bound components.
value: 15000000
-
minio__sysfs__dependent_attributes¶
Configuration for the debops.sysfs Ansible role.
minio__sysfs__dependent_attributes:
- role: 'minio'
config:
- name: 'transparent_hugepages'
state: 'present'
-
minio__ferm__dependent_rules¶
Configuration for the debops.ferm Ansible role, generated dynamically based on the MinIO instance configuration.
minio__ferm__dependent_rules: '{{ minio__env_ferm_dependent_rules }}'
-
minio__nginx__dependent_upstreams¶
Upstream configuration for the debops.nginx Ansible role, generated dynamically based on the MinIO instance configuration.
minio__nginx__dependent_upstreams: '{{ minio__env_nginx_dependent_upstreams }}'
-
minio__nginx__dependent_servers¶
Server configuration for the debops.nginx Ansible role, generated dynamically based on the MinIO instance configuration.
minio__nginx__dependent_servers: '{{ minio__env_nginx_dependent_servers }}'