debops.minio default variables

UNIX environment

minio__user

The name of the UNIX system account used by the MinIO service.

minio__user: 'minio'
minio__group

The name of the UNIX system group used by the MinIO service.

minio__group: 'minio'
minio__additional_groups

List of additional UNIX groups to add to the MinIO UNIX account, required for access to additional resources.

minio__additional_groups: '{{ [ "ssl-cert" ] if minio__pki_enabled|bool else [] }}'
minio__home

The absolute path of the MinIO UNIX account home directory.

minio__home: '{{ (ansible_local.fhs.home | d("/var/local"))
                 + "/" + minio__user }}'
minio__shell

The UNIX shell used by the MinIO account.

minio__shell: '/usr/sbin/nologin'
minio__comment

The GECOS field set on the MinIO UNIX account.

minio__comment: 'MinIO'

Go application deployment

These variables control how the minio binary is installed on the host. The installation is performed by the debops.golang role, refer to its documentation for details. The installation definition can be found in the minio__golang__dependent_packages variable.

minio__upstream_gpg_key

The fingerprint of the GPG key which is used to sign the MinIO releases. It will be used to verify the downloaded signature file as well as the git tags in the source repository.

minio__upstream_gpg_key: '4405 F3F0 DDBA 1B9E 68A3  1D25 12C7 4390 F9AA C728'
minio__upstream_type

Specify the method which should be used to install MinIO binary. Either url to download the configured binary directly and virify it using the specified GPG key, or git to clone the MinIO git repository and build the specified version from source.

minio__upstream_type: 'url'
minio__upstream_upgrade

Enable or disable automatic upgrades of MinIO downloaded from upstream. This does not affect installations built from the git repository.

MinIO is updated quite freqently. Remember that already downloaded MinIO releases are not removed automatically; check the download directory (by default /var/local/_golang/go/src/releases/linux-amd64/minio/ ) and remove old releases.

minio__upstream_upgrade: False
minio__upstream_url_mirror

The base URL of the MinIO download page, should end with the / character.

minio__upstream_url_mirror: 'https://dl.min.io/server/minio/release/'
minio__upstream_platform

Specify the OS type and platform architecture to use for installation. The list of supported architectures and OS types can be found on the https://dl.min.io/server/minio/release/ page.

minio__upstream_platform: 'linux-amd64'
minio__upstream_url_release

The version of MinIO to download from upstream on a given host. You should specify the RELEASE.YYYY-MM-DDTHH-MM-SSZ tagged release number.

Available MinIO releases: https://github.com/minio/minio/releases

minio__upstream_url_release: '{{ minio__env_upstream_url_release }}'
minio__upstream_url_binary

The path to the MinIO binary on the upstream HTTPS server, relative to the OS type and platform directory.

minio__upstream_url_binary: '{{ "archive/minio." + minio__upstream_url_release }}'
minio__upstream_git_repository

The URL of the upstream git repository which contains MinIO source code.

minio__upstream_git_repository: 'https://github.com/minio/minio'
minio__upstream_git_release

The version of MinIO to build from source on a given host. The build version depends on the availability of a specific Golang version and other factors. Latest MinIO versions which can be built on a given OS distribution release are preferable.

minio__upstream_git_release: '{{ "RELEASE.2019-03-27T22-35-21Z"
                                 if (ansible_distribution_release in
                                     [ "stretch", "buster", "xenial", "bionic" ])
                                     else ("RELEASE.2019-09-05T23-24-38Z"
                                       if (ansible_distribution_release in
                                           [ "bullseye" ])
                                       else minio__upstream_url_release) }}'
minio__binary

Absolute path to the minio Go binary installed on the host. See the debops.golang role for more details.

minio__binary: '{{ ansible_local.golang.binaries["minio"]
                   if (ansible_local.golang.binaries|d() and
                       ansible_local.golang.binaries.minio|d())
                   else "" }}'

Filesystem layout

minio__config_dir

The directory which contains MinIO tenant configuration files with environment variables for each MinIO instance.

minio__config_dir: '/etc/minio'
minio__volumes_dir

The directory which contains MinIO volumes. If not specified otherwise, each MinIO tenant will have its volume subdirectory created in this directory.

minio__volumes_dir: '/srv/minio'
minio__volumes

List of directories in the filesystem which should be created to contain MinIO volumes, defined on all hosts in the Ansible inventory. You can specify a relative path which will be created under the minio__volumes_dir directory, or an absolute filesystem path.

minio__volumes: []
minio__group_volumes

List of directories in the filesystem which should be created to contain MinIO volumes, defined on hosts in a specific Ansible inventory group. You can specify a relative path which will be created under the minio__volumes_dir directory, or an absolute filesystem path.

minio__group_volumes: []
minio__host_volumes

List of directories in the filesystem which should be created to contain MinIO volumes, defined on specific hosts in the Ansible inventory. You can specify a relative path which will be created under the minio__volumes_dir directory, or an absolute filesystem path.

minio__host_volumes: []

DNS configuration

minio__fqdn

The Fully Qualified Domain Name of a host on which MinIO is installed. This variable is used in the nginx configuration to point the upstream to the local MinIO service when TLS support is enabled, due to the X.509 certificate requirements. If you want to change the FQDN on which a particular MinIO instance is accessible via nginx, use the item.fqdn parameter instead.

minio__fqdn: '{{ ansible_fqdn }}'
minio__domain

This variable is used in the nginx configuration to generate the FQDN of the MinIO service based on the MinIO instance name and DNS domain specified here.

minio__domain: '{{ ansible_domain }}'

Transport Layer Security (TLS) support

These variables are used to configure the TLS support in MinIO. The debops.pki Ansible is used to manage the private keys and X.509 certificates.

minio__pki_enabled

Enable or disable support for encrypted communication between MinIO instances via TLS. The support will be enabled in the debops.pki Ansible role is configured on a host.

minio__pki_enabled: '{{ ansible_local.pki.enabled
                        if (ansible_local|d() and ansible_local.pki|d() and
                            ansible_local.pki.enabled is defined)
                        else False }}'
minio__pki_base_path

The absolute path to the directory which contains the PKI realm subdirectories.

minio__pki_base_path: '{{ ansible_local.pki.base_path|d("/etc/pki/realms") }}'
minio__pki_realm

Name of the PKI realm to use by the MinIO service.

minio__pki_realm: '{{ ansible_local.pki.realm|d("domain") }}'
minio__pki_key

The name of the file which contains the private key used by the X.509 certificate, relative to the PKI realm directory.

minio__pki_key: '{{ ansible_local.pki.key|d("default.key") }}'
minio__pki_crt

The name of the file which contains the X.509 certificate chain used by MinIO, relative to the PKI realm directory.

MinIO requires a full X.509 chain with the intermediate CA and the Root Certificate Authority included. Otherwise you will see the error message "Unable to load the TLS configuration: Invalid TLS certificate".

minio__pki_crt: 'public/full.pem'
minio__tls_certs_dir

Absolute path to the directory where the debops.minio role will create symlinks to the private key and X.509 certificate chain used by MinIO for TLS connections.

minio__tls_certs_dir: '{{ minio__home + "/.minio/certs" }}'
minio__tls_private_key

Absolute path to the private key used by MinIO which will be symlinked as the private.key file inside of the certs/ directory.

minio__tls_private_key: '{{ minio__pki_base_path + "/" + minio__pki_realm + "/" + minio__pki_key }}'
minio__tls_public_crt

Absolute path to the X.509 certificate chain used by MinIO which will be symlinked as the public.crt file inside of the certs/ directory.

minio__tls_public_crt: '{{ minio__pki_base_path + "/" + minio__pki_realm + "/" + minio__pki_crt }}'

MinIO instance configuration

The variables below define a list of MinIO instances to manage on a particular host. See minio__instances for more details.

minio__default_instances

The list of the default MinIO instances defined by the role.

minio__default_instances:

  # This instance configuration overrides the nginx configuration to use the
  # host's FQDN instead of the instance name. It also supports using host
  # subdomains as the bucket names.
  - name: 'main'
    port: '9000'
    fqdn: '{{ minio__fqdn }}'
    domain: '{{ minio__fqdn }}'
minio__instances

The list of the MinIO instances which should be defined on all hosts in the Ansible inventory.

minio__instances: []
minio__group_instances

The list of the MinIO instances which should be defined on hosts in a specific Ansible inventory group.

minio__group_instances: []
minio__host_instances

The list of the MinIO instances which should be defined on specific hosts in the Ansible inventory.

minio__host_instances: []
minio__combined_instances

The variable which combines all other MinIO instance variables and is used in the role tasks and templates.

minio__combined_instances: '{{ minio__default_instances
                               + minio__instances
                               + minio__group_instances
                               + minio__host_instances }}'

Configuration for other Ansible roles

minio__golang__dependent_packages

Configuration for the debops.golang Ansible role.

minio__golang__dependent_packages:

  - name: 'minio'
    upstream_type: '{{ minio__upstream_type }}'
    gpg: '{{ minio__upstream_gpg_key }}'
    url:

      - src: '{{ minio__upstream_url_mirror + minio__upstream_platform + "/" + minio__upstream_url_binary }}'
        dest: 'releases/{{ minio__upstream_platform }}/minio/minio.{{ minio__upstream_url_release }}'
        checksum: 'sha256:{{ minio__upstream_url_mirror + minio__upstream_platform + "/" + minio__upstream_url_binary }}.sha256sum'

      - src: '{{ minio__upstream_url_mirror + minio__upstream_platform + "/" + minio__upstream_url_binary + ".asc" }}'
        dest: 'releases/{{ minio__upstream_platform }}/minio/minio.{{ minio__upstream_url_release }}.asc'
        gpg_verify: True

    url_binaries:
      - src: 'releases/{{ minio__upstream_platform }}/minio/minio.{{ minio__upstream_url_release }}'
        dest: 'minio'
        notify: 'Restart minio'
    git:
      - repo: '{{ minio__upstream_git_repository }}'
        version: '{{ minio__upstream_git_release }}'
        build_script: |
          make clean build
    git_binaries:
      - src: '{{ minio__upstream_git_repository.split("://")[1] + "/minio" }}'
        dest: 'minio'
        notify: 'Restart minio'
minio__etc_services__dependent_list

Configuration for the debops.etc_services Ansible role, generated dynamically based on the MinIO instance configuration.

minio__etc_services__dependent_list: '{{ minio__env_etc_services_dependent_list }}'
minio__sysctl__dependent_parameters

Configuration for the debops.sysctl Ansible role.

minio__sysctl__dependent_parameters:

  # Ref: https://github.com/minio/minio/tree/master/docs/deployment/kernel-tuning
  - name: 'minio'
    weight: '80'
    options:

      - name: 'net.ipv4.tcp_fin_timeout'
        comment: |
          A socket left in memory takes approximately 1.5Kb of memory. It makes
          sense to close the unused sockets preemptively to ensure no memory
          leakage. This way, even if a peer doesn't close the socket due to
          some reason, the system itself closes it after a timeout.

          The "tcp_fin_timeout" variable defines this timeout and tells kernel
          how long to keep sockets in the state FIN-WAIT-2. We recommend
          setting it to 30.
        value: 30

      - name: 'net.ipv4.tcp_keepalive_probes'
        comment: |
          This variable defines the number of unacknowledged probes to be sent
          before considering a connection dead.
        value: 5

      - name: 'net.core.wmem_max'
        comment: |
          This parameter sets the max OS send buffer size for all types of
          connections.
        value: 540000

      - name: 'net.core.rmem_max'
        comment: |
          This parameter sets the max OS receive buffer size for all types of
          connections.
        value: 540000

      - name: 'vm.swappiness'
        comment: |
          This parameter controls the relative weight given to swapping out
          runtime memory, as opposed to dropping pages from the system page
          cache. It takes values from 0 to 100, both inclusive. We recommend
          setting it to 10.
        value: 10

      - name: 'vm.dirty_background_ratio'
        comment: |
          This is the percentage of system memory that can be filled with dirty
          pages, i.e. memory pages that still need to be written to disk. We
          recommend writing the data to the disk as soon as possible. To do
          this, set the dirty_background_ratio to 1.
        value: 1

      - name: 'vm.dirty_ratio'
        comment: |
          This defines is the absolute maximum amount of system memory that can
          be filled with dirty pages before everything must get committed to
          disk.
        value: 1

      - name: 'kernel.sched_min_granularity_ns'
        comment: |
          This parameter decides the minimum time a task will be be allowed to
          run on CPU before being pre-empted out. We recommend setting it to
          10ms.
        value: 10000000

      - name: 'kernel.sched_wakeup_granularity_ns'
        comment: |
          Lowering this parameter improves wake-up latency and throughput for
          latency critical tasks, particularly when a short duty cycle load
          component must compete with CPU bound components.
        value: 15000000
minio__sysfs__dependent_attributes

Configuration for the debops.sysfs Ansible role.

minio__sysfs__dependent_attributes:

  - role: 'minio'
    config:
      - name: 'transparent_hugepages'
        state: 'present'
minio__ferm__dependent_rules

Configuration for the debops.ferm Ansible role, generated dynamically based on the MinIO instance configuration.

minio__ferm__dependent_rules: '{{ minio__env_ferm_dependent_rules }}'
minio__nginx__dependent_upstreams

Upstream configuration for the debops.nginx Ansible role, generated dynamically based on the MinIO instance configuration.

minio__nginx__dependent_upstreams: '{{ minio__env_nginx_dependent_upstreams }}'
minio__nginx__dependent_servers

Server configuration for the debops.nginx Ansible role, generated dynamically based on the MinIO instance configuration.

minio__nginx__dependent_servers: '{{ minio__env_nginx_dependent_servers }}'