In an effort to get rid of a virtual machine on my hypervisor, I wanted to move my Minio instance to my Synology. Keeping the storage interface close to the storage container helps with latency and is, well, one less thing I have to worry about in my home lab.
There are a few guides out there for installing Minio on a Synology. Jaroensak Yodkantha walks you through the full process of setting up the Synology and Minio using a docker command line. The folks over at BackupAssist show you how to configure Minio through the Diskstation Manager web portal. I used the BackupAssist article to get myself started, but found myself tweaking the setup because I want to have SSL communication available through my Nginx reverse proxy.
The Basics
Prep Work
I went in to the Shared Folder
section of the DSM control panel and created a new shared folder called minio
. The settings on this share are pretty much up to you, but I did this so that all of my Minio data was in a known location.
Within the minio
folder, I created a data
folder and a blank text file called minio
. Inside the minio
file, I setup my minio configuration:
# MINIO_ROOT_USER and MINIO_ROOT_PASSWORD sets the root account for the MinIO server.
# This user has unrestricted permissions to perform S3 and administrative API operations on any resource in the deployment.
# Omit to use the default values 'minioadmin:minioadmin'.
# MinIO recommends setting non-default values as a best practice, regardless of environment
MINIO_ROOT_USER=myadmin
MINIO_ROOT_PASSWORD=myadminpassword
# MINIO_VOLUMES sets the storage volume or path to use for the MinIO server.
MINIO_VOLUMES="/mnt/data"
# MINIO_SERVER_URL sets the hostname of the local machine for use with the MinIO Server
# MinIO assumes your network control plane can correctly resolve this hostname to the local machine
# Uncomment the following line and replace the value with the correct hostname for the local machine.
MINIO_SERVER_URL="https://s3.mattsdatacenter.net"
MINIO_BROWSER_REDIRECT_URL="https://storage.mattsdatacenter.net"
It is worth noting the URLs: I want to put this system behind my Nginx reverse proxy and let it do SSL termination, and in order to do that, I found it easiest to use two domains: one for the API and one for the Console. I will get into more details on that later.
Also, as always, change your admin username and password!
Setup the Container
Following the BackupAssist article, I installed the Docker package on to my Synology and opened it up. From the Registry
menu, I searched for minio
and found the minio/minio
image:
Click on the row to highlight it, and click on the Download
button. You will be prompted for the label to download, I chose latest
. Once the image is downloaded (you can check the Image
tab for progress), go to the Container
tab and click Create
. This will open the Create Wizard and get you started.
- On the
Image
screen, select theminio/minio:latest
image. - On the
Network
screen, select thebridge
network that is defaulted. If you have a custom network configuration, you may have some work here. - On the
General Settings
screen, you can name the container whatever you like. I enabled the auto-restart option to keep it running. On this screen, click on theAdvanced Settings
button- In the
Environment
tab, changeMINIO_CONFIG_ENV_FILE
to/etc/config.env
- In the
Execution Command
tab, change the execution command tominio server --console-address :9090
- Click
Save
to closeAdvanced Settings
- In the
- On the
Port Settings
screen, add the following mappings:- Local Port 39000 -> Container Port 9000 – Type TCP
- Local Port 39090 -> Container Port 9090 – Type TCP
- On the
Volume Settings
Screen, add the following mappings:- Click
Add File
, select theminio
file created above, and set the mount path to/etc/config.env
- Click Add Folder, select the
data
folder created above, and set the mount path to/mnt/data
- Click
At that point, you can view the Summary and then create the container. Once the container starts, you can access your Minio instance at http://<synology_ip_or_hostname>:39090 and log in with the password saved in your config file.
What Just Happened?
The above steps should have worked to create a Docker container running on Synology on your Minio. Minio has two separate ports: one for the API, and one for the Console. Reviewing Minio’s documentation, adding the --console-address
parameter in the container execution is required now, and that sets the container port for the console. In our case, we set it to 9090. The API port defaults to 9000.
However, I wanted to run on non-standard ports, so I mapped ports 39090 and 39000 to port 9090 and 9000, respectively. That means that traffic coming in on 39090 and 39000 get routed to my Minio container on ports 9090 and 9000, respectively.
Securing traffic with Nginx
I like the ability to have SSL communication whenever possible, even if it is just within my home network. Most systems today default to expecting SSL, and sometimes it can be hard to find that switch to let them work with insecure connections.
I was hoping to get the console and the API behind the same domain, but with SSL, that just isn’t in the cards. So, I chose s3.mattsdatacenter.net
as the domain for the API, and storage.mattsdatacenter.net
as the domain for the Console. No, those aren’t the real domain names.
With that, I added the following sites to my Nginx configuration:
storage.mattsdatacenter.net
map $http_upgrade $connection_upgrade {
default Upgrade;
'' close;
}
server {
server_name storage.mattsdatacenter.net;
client_max_body_size 0;
ignore_invalid_headers off;
location / {
proxy_pass http://10.0.0.23:39090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-proto $scheme;
proxy_set_header X-Forwarded-port $server_port;
proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_http_version 1.1;
proxy_read_timeout 900s;
proxy_buffering off;
}
listen 443 ssl; # managed by Certbot
allow 10.0.0.0/24;
deny all;
ssl_certificate /etc/letsencrypt/live/mattsdatacenter.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mattsdatacenter.net/privkey.pem; # managed by Certbot
}
s3.mattsdatacenter.net
map $http_upgrade $connection_upgrade {
default Upgrade;
'' close;
}
server {
server_name s3.mattsdatacenter.net;
client_max_body_size 0;
ignore_invalid_headers off;
location / {
proxy_pass http://10.0.0.23:39000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-proto $scheme;
proxy_set_header X-Forwarded-port $server_port;
proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_http_version 1.1;
proxy_read_timeout 900s;
proxy_buffering off;
}
listen 443 ssl; # managed by Certbot
allow 10.0.0.0/24;
deny all;
ssl_certificate /etc/letsencrypt/live/mattsdatacenter.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mattsdatacenter.net/privkey.pem; # managed by Certbot
}
This configuration allows me to access the API and Console via domains using SSL terminated on the proxy. Configuring Minio is pretty easy: set MINIO_BROWSER_REDIRECT_URL
to the URL of your console (In my case, port 39090), and MINIO_SERVER_URL
to the URL of your API (port 39000).
This configuration allows me to address Minio for S3 in two ways:
- Use
https://s3.mattsdatacenter.net
for secure connectivity through the reverse proxy. - Use http://<synology_ip_or_hostname>:39000 for insecure connectivity directly to the instance.
I have not had the opportunity to test the performance difference between option 1 and option 2, but it is nice to have both available. For now, I will most likely lean towards the SSL path until I notice degradation in connection quality or speed.
And, with that, my Minio instance is now running on my Diskstation, which means less VMs to manage and backup on my hypervisor.