
butlerx/wetty 2879

Terminal in browser over http/https. (Ajaxterm/Anyterm alternative, but much better)

krishnasrinivas/cookbook 8

Collection of Minio recipes

atom2ueki/minio-ios-example 3

iOS swift 3 with Minio server

krishnasrinivas/AdminLTE 1

AdminLTE - Free Premium Admin control Panel Theme That Is Based On Bootstrap 3.x

krishnasrinivas/constor 1

Userspace cow file system

krishnasrinivas/go-middleware 1

Go HTTP middleware

krishnasrinivas/angular-seed 0

Extensible, reliable, modular, PWA ready starter project for Angular (2 and beyond) with statically typed build and AoT compilation

Pull request review comment minio/operator

Add doc for Nginx Ingress controller

+# Ingress Configuration [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)++Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. This document explains how to enable Ingress for a MinIO Tenant using the [Nginx Ingress Controller](https://kubernetes.github.io/ingress-nginx/).++## Getting Started++### Prerequisites++- MinIO Operator up and running as explained in the [document here](https://github.com/minio/operator#operator-setup).+- Nginx Ingress Controller installed and running as explained [here](https://kubernetes.github.io/ingress-nginx/deploy/).++### Create MinIO Tenant++Use `kubectl minio` plugin to create the MinIO tenant. Ensure to change the values as relevant.++```sh+kubectl create ns tenant1-ns+kubectl minio tenant create --name tenant1 --servers 4 --volumes 16 --capacity 16Ti --namespace tenant1-ns --storage-class default+```++### TLS Certificate++To enable TLS termination at Ingress, we'll need to either acquire a CA certificate or create a self signed certificate. Either way, after acquiring the certificate, we'll need to create a secret with the certificate as its content. We'll then need to refer this secret from the Ingress rule.++Create a self-signed certificate for `minio.example.com` and then add it to a Kubernetes secret using the below commands.++```sh+openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.cert -subj "/CN=minio.example.com/O=minio.example.com"+kubectl create secret tls nginx-tls --key  tls.key --cert tls.cert -n tenant1-ns+```++### Create Ingress Rule++Finally create the Ingress object using the yaml file below. 
Once created successfully, you should be able to access the MinIO Tenant from outside the cluster+on the domain specified in the rule.++```yaml+apiVersion: networking.k8s.io/v1+kind: Ingress+metadata:+  name: ingress-minio+  namespace: tenant1-ns+  annotations:+    kubernetes.io/ingress.class: "nginx"+    ## Remove if using CA signed certificate+    nginx.ingress.kubernetes.io/proxy-ssl-verify: "off"+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"+    nginx.ingress.kubernetes.io/rewrite-target: /+    nginx.ingress.kubernetes.io/proxy-body-size: "0"+    nginx.ingress.kubernetes.io/server-snippet: |+      client_max_body_size 0;+spec:+  tls:+  - hosts:+      - minio.example.com+    secretName: nginx-tls+  rules:+  - host: minio.example.com+    http:+      paths:
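
Review bot: In the `annotations` block, the comment `## Remove if using CA signed certificate` above `nginx.ingress.kubernetes.io/proxy-ssl-verify: "off"` does not say which certificate it means. With `backend-protocol: "HTTPS"` this annotation controls whether NGINX verifies the certificate presented by the MinIO Tenant behind the Ingress, whereas the only certificate this document creates is the client-facing `nginx-tls` secret. Suggest rewording the comment to name the Tenant's certificate, and stating that with verification off the hop from the controller to the Tenant is encrypted but not authenticated.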

Or maybe we don't want external clients to be touching the console as a regular course of action. Hm.

nitisht

comment created time in 11 minutes

Pull request review comment minio/operator

Add doc for Nginx Ingress controller

+# Ingress Configuration [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)++Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. This document explains how to enable Ingress for a MinIO Tenant using the [Nginx Ingress Controller](https://kubernetes.github.io/ingress-nginx/).++## Getting Started++### Prerequisites++- MinIO Operator up and running as explained in the [document here](https://github.com/minio/operator#operator-setup).
- MinIO Operator up and running as explained in the [document here](https://docs.min.io/minio/k8s/deployment/deploy-minio-operator.html).
nitisht

comment created time in 31 minutes

Pull request review comment minio/operator

Add doc for Nginx Ingress controller

+# Ingress Configuration [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)++Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. This document explains how to enable Ingress for a MinIO Tenant using the [Nginx Ingress Controller](https://kubernetes.github.io/ingress-nginx/).++## Getting Started++### Prerequisites++- MinIO Operator up and running as explained in the [document here](https://github.com/minio/operator#operator-setup).+- Nginx Ingress Controller installed and running as explained [here](https://kubernetes.github.io/ingress-nginx/deploy/).++### Create MinIO Tenant++Use `kubectl minio` plugin to create the MinIO tenant. Ensure to change the values as relevant.++```sh+kubectl create ns tenant1-ns+kubectl minio tenant create --name tenant1 --servers 4 --volumes 16 --capacity 16Ti --namespace tenant1-ns --storage-class default+```++### TLS Certificate++To enable TLS termination at Ingress, we'll need to either acquire a CA certificate or create a self signed certificate. Either way, after acquiring the certificate, we'll need to create a secret with the certificate as its content. We'll then need to refer this secret from the Ingress rule.++Create a self-signed certificate for `minio.example.com` and then add it to a Kubernetes secret using the below commands.
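
Review bot: In the TLS Certificate paragraph, "acquire a CA certificate" reads as obtaining the CA's own certificate; what the procedure needs is a certificate for the tenant hostname that is signed by a CA. The same paragraph says the secret has "the certificate as its content", but a TLS secret holds the private key as well, so the sentence should say the secret contains both the certificate and its key.
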
The following example creates a self-signed certificate for `minio.example.com` and then adds it to a Kubernetes secret using the below commands.

- If you want to use a different hostname for your tenants, replace `minio.example.com` with the preferred hostname throughout this procedure.

- If specifying a certificate signed by your preferred CA, perform only the `kubectl create` command, replacing the values for `--key` and `-cert` with your TLS `.key` and `.cert` files respectively.
nitisht

comment created time in 21 minutes

Pull request review comment minio/operator

Add doc for Nginx Ingress controller

+# Ingress Configuration [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)++Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. This document explains how to enable Ingress for a MinIO Tenant using the [Nginx Ingress Controller](https://kubernetes.github.io/ingress-nginx/).++## Getting Started++### Prerequisites++- MinIO Operator up and running as explained in the [document here](https://github.com/minio/operator#operator-setup).+- Nginx Ingress Controller installed and running as explained [here](https://kubernetes.github.io/ingress-nginx/deploy/).++### Create MinIO Tenant++Use `kubectl minio` plugin to create the MinIO tenant. Ensure to change the values as relevant.++```sh+kubectl create ns tenant1-ns+kubectl minio tenant create --name tenant1 --servers 4 --volumes 16 --capacity 16Ti --namespace tenant1-ns --storage-class default+```++### TLS Certificate++To enable TLS termination at Ingress, we'll need to either acquire a CA certificate or create a self signed certificate. Either way, after acquiring the certificate, we'll need to create a secret with the certificate as its content. We'll then need to refer this secret from the Ingress rule.++Create a self-signed certificate for `minio.example.com` and then add it to a Kubernetes secret using the below commands.++```sh+openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.cert -subj "/CN=minio.example.com/O=minio.example.com"+kubectl create secret tls nginx-tls --key  tls.key --cert tls.cert -n tenant1-ns+```++### Create Ingress Rule++Finally create the Ingress object using the yaml file below. Once created successfully, you should be able to access the MinIO Tenant from outside the cluster

So IIRC you have to create the ingress object in the same namespace as the MinIO Tenant. I had some issues getting ingress to work without doing this - if I'm right, we might need to specify

Use the `kubectl apply -f ingress.yaml -n tenant1-ns` using the example YAML file below to create the Ingress object in the `tenant1-ns` namespace. Once created successfully, you should be able to access the MinIO Tenant from clients outside the Kubernetes cluster using the specified hostname

nitisht

comment created time in 25 minutes

Pull request review comment minio/operator

Add doc for Nginx Ingress controller

+# Ingress Configuration [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)++Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. This document explains how to enable Ingress for a MinIO Tenant using the [Nginx Ingress Controller](https://kubernetes.github.io/ingress-nginx/).++## Getting Started++### Prerequisites++- MinIO Operator up and running as explained in the [document here](https://github.com/minio/operator#operator-setup).+- Nginx Ingress Controller installed and running as explained [here](https://kubernetes.github.io/ingress-nginx/deploy/).++### Create MinIO Tenant++Use `kubectl minio` plugin to create the MinIO tenant. Ensure to change the values as relevant.++```sh+kubectl create ns tenant1-ns+kubectl minio tenant create --name tenant1 --servers 4 --volumes 16 --capacity 16Ti --namespace tenant1-ns --storage-class default+```++### TLS Certificate++To enable TLS termination at Ingress, we'll need to either acquire a CA certificate or create a self signed certificate. Either way, after acquiring the certificate, we'll need to create a secret with the certificate as its content. We'll then need to refer this secret from the Ingress rule.++Create a self-signed certificate for `minio.example.com` and then add it to a Kubernetes secret using the below commands.++```sh+openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.cert -subj "/CN=minio.example.com/O=minio.example.com"+kubectl create secret tls nginx-tls --key  tls.key --cert tls.cert -n tenant1-ns+```+
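
Review bot: The `openssl req` command puts the hostname only in `-subj "/CN=minio.example.com/O=minio.example.com"` and adds no subjectAltName, so clients that match hostnames against SAN entries only will reject the certificate for `minio.example.com` even after it is explicitly trusted. Suggest adding `-addext "subjectAltName=DNS:minio.example.com"` (OpenSSL 1.1.1 or later). Because `-nodes` writes `tls.key` unencrypted, the doc should also tell readers to remove the local key file once `kubectl create secret tls` has succeeded.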

*Note*: Using self-signed certificates may prevent client applications which require strict TLS validation and trust from connecting to the cluster. You may need to disable TLS validation / verification to allow connections to the Tenant. 

nitisht

comment created time in 15 minutes

Pull request review comment minio/operator

Add doc for Nginx Ingress controller

+# Ingress Configuration [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)++Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. This document explains how to enable Ingress for a MinIO Tenant using the [Nginx Ingress Controller](https://kubernetes.github.io/ingress-nginx/).++## Getting Started++### Prerequisites++- MinIO Operator up and running as explained in the [document here](https://github.com/minio/operator#operator-setup).+- Nginx Ingress Controller installed and running as explained [here](https://kubernetes.github.io/ingress-nginx/deploy/).++### Create MinIO Tenant++Use `kubectl minio` plugin to create the MinIO tenant. Ensure to change the values as relevant.
Use the `kubectl minio` plugin to create the MinIO tenant if one does not already exist. See [Deploy a MinIO Tenant using the MinIO Plugin](https://docs.min.io/minio/k8s/tenant-management/deploy-minio-tenant.html) for more complete documentation. 

The following example deploys a MinIO Tenant with 4 servers and 16 volumes in total and a total capacity of 16 Terabytes into the `tenant1-ns` namespace using the default Kubernetes storage class. Change these values as appropriate for your requirements.
nitisht

comment created time in 29 minutes

Pull request review comment minio/operator

Add doc for Nginx Ingress controller

+# Ingress Configuration [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)++Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. This document explains how to enable Ingress for a MinIO Tenant using the [Nginx Ingress Controller](https://kubernetes.github.io/ingress-nginx/).++## Getting Started++### Prerequisites++- MinIO Operator up and running as explained in the [document here](https://github.com/minio/operator#operator-setup).+- Nginx Ingress Controller installed and running as explained [here](https://kubernetes.github.io/ingress-nginx/deploy/).+

- Network routing rules that enable external client access to Kubernetes worker nodes. For example, this tutorial assumes `minio.example.net` as an externally resolvable URL. 
nitisht

comment created time in 22 minutes

Pull request review comment minio/operator

Add doc for Nginx Ingress controller

+# Ingress Configuration [![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io)++Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. This document explains how to enable Ingress for a MinIO Tenant using the [Nginx Ingress Controller](https://kubernetes.github.io/ingress-nginx/).++## Getting Started++### Prerequisites++- MinIO Operator up and running as explained in the [document here](https://github.com/minio/operator#operator-setup).+- Nginx Ingress Controller installed and running as explained [here](https://kubernetes.github.io/ingress-nginx/deploy/).++### Create MinIO Tenant++Use `kubectl minio` plugin to create the MinIO tenant. Ensure to change the values as relevant.++```sh+kubectl create ns tenant1-ns+kubectl minio tenant create --name tenant1 --servers 4 --volumes 16 --capacity 16Ti --namespace tenant1-ns --storage-class default+```++### TLS Certificate++To enable TLS termination at Ingress, we'll need to either acquire a CA certificate or create a self signed certificate. Either way, after acquiring the certificate, we'll need to create a secret with the certificate as its content. We'll then need to refer this secret from the Ingress rule.++Create a self-signed certificate for `minio.example.com` and then add it to a Kubernetes secret using the below commands.++```sh+openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.cert -subj "/CN=minio.example.com/O=minio.example.com"+kubectl create secret tls nginx-tls --key  tls.key --cert tls.cert -n tenant1-ns+```++### Create Ingress Rule++Finally create the Ingress object using the yaml file below. 
Once created successfully, you should be able to access the MinIO Tenant from outside the cluster+on the domain specified in the rule.++```yaml+apiVersion: networking.k8s.io/v1+kind: Ingress+metadata:+  name: ingress-minio+  namespace: tenant1-ns+  annotations:+    kubernetes.io/ingress.class: "nginx"+    ## Remove if using CA signed certificate+    nginx.ingress.kubernetes.io/proxy-ssl-verify: "off"+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"+    nginx.ingress.kubernetes.io/rewrite-target: /+    nginx.ingress.kubernetes.io/proxy-body-size: "0"+    nginx.ingress.kubernetes.io/server-snippet: |+      client_max_body_size 0;+spec:+  tls:+  - hosts:+      - minio.example.com+    secretName: nginx-tls+  rules:+  - host: minio.example.com+    http:+      paths:
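
Review bot: The body-size limit is set twice in the `annotations` block, once by `nginx.ingress.kubernetes.io/proxy-body-size: "0"` and again by the `server-snippet` carrying `client_max_body_size 0;`. Suggest dropping the `server-snippet`: the annotation alone is enough, the manifest then still applies on controllers where snippet annotations are disabled, and no raw NGINX configuration is left in an object that lives in the tenant namespace. Separately, with `apiVersion: networking.k8s.io/v1` the class is normally set through `spec.ingressClassName` rather than the `kubernetes.io/ingress.class` annotation.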

This is more an open question - can we add an additional path like:

```yaml
- path: /console
  backend:
    serviceName: minio-console
    servicePort: 9090
```

So that users can hit both the tenant and the console via Ingress? I probably have the wrong serviceName, I think it changes per tenant.

nitisht

comment created time in 32 minutes

push event minio/docs

ravindk89

commit sha 11ad3d57c4e5e777c805051def2d4e888c91851d

Fix typo in replication tutorials


push time in 34 minutes

issue opened minio/minio

Public metrics are not public?


Expected Behavior

When MINIO_PROMETHEUS_AUTH_TYPE: public, metrics return without login

Current Behavior

Docs: https://docs.min.io/docs/how-to-monitor-minio-using-prometheus.html#2-configure-authentication-type-for-prometheus-metrics

  1. curl https://play.min.io/minio/v2/metrics/cluster or my-cluster/minio/v2/metrics/cluster
  2. Both return login screen

Possible Solution


Steps to Reproduce (for bugs)

  1. Install bitnami minio helm chart, it is setting MINIO_PROMETHEUS_AUTH_TYPE: public by default image
  2. Try to query /minio/v2/metrics/cluster
  3. Try to query https://play.min.io/minio/v2/metrics/cluster

Context

More details: https://github.com/bitnami/charts/issues/6704

Regression

Seems yes

Your Environment

  • Version used (minio --version): minio version DEVELOPMENT.2021-06-17T03-17-14Z
  • Server setup and configuration:
  • Output of helm version:
version.BuildInfo{Version:"v3.6.0", GitCommit:"7f2df6467771a75f5646b7f12afb408590ed1755", GitTreeState:"clean", GoVersion:"go1.16.3"}
  • Output of kubectl version:
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.7", GitCommit:"1dd5338295409edcfff11505e7bb246f0d325d15", GitTreeState:"clean", BuildDate:"2021-01-13T13:23:52Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.1+k3s1", GitCommit:"75dba57f9b1de3ec0403b148c52c348e1dee2a5e", GitTreeState:"clean", BuildDate:"2021-05-21T16:12:29Z", GoVersion:"go1.16.4", Compiler:"gc", Platform:"linux/amd64"}
  • Operating System and version (uname -a):

created time in 2 hours

pull request comment minio/minio

heal: Add MRF metrics to background heal API response

Error running mint automation
+ mkdir -p 12398-6460b5a/gopath/src/github.com/minio
+ git -C 12398-6460b5a/gopath/src/github.com/minio clone --quiet https://github.com/minio/minio.git
+ git -C 12398-6460b5a/gopath/src/github.com/minio/minio remote add minio https://github.com/minio/minio.git
+ git -C 12398-6460b5a/gopath/src/github.com/minio/minio fetch --quiet minio pull/12398/head:pr12398
+ git -C 12398-6460b5a/gopath/src/github.com/minio/minio checkout --quiet pr12398
+ GO111MODULE=on
+ GOPATH=/home/mint-auto/mint-auto/12398-6460b5a/gopath
+ make -C 12398-6460b5a/gopath/src/github.com/minio/minio --quiet
go: github.com/minio/madmin-go@v1.0.12 (replaced by /home/vadmeste/work/gospace/src/github.com/minio/madmin-go): reading /home/vadmeste/work/gospace/src/github.com/minio/madmin-go/go.mod: open /home/vadmeste/work/gospace/src/github.com/minio/madmin-go/go.mod: no such file or directory
go: github.com/minio/madmin-go@v1.0.12 (replaced by /home/vadmeste/work/gospace/src/github.com/minio/madmin-go): reading /home/vadmeste/work/gospace/src/github.com/minio/madmin-go/go.mod: open /home/vadmeste/work/gospace/src/github.com/minio/madmin-go/go.mod: no such file or directory
make: *** [build] Error 1

vadmeste

comment created time in 2 hours

issue comment minio/mc

Very slow Get/Read Performance 1000's Small Files (250KB<)

@mirajgodha Several improvements and new features have been made since then.

ghost

comment created time in 2 hours

issue comment minio/minio

too many 503 error on a distributed minio server

running the command on the server machine, I got the same output. If there is a different cmd, please write it.

demis-svenska

comment created time in 2 hours

issue comment minio/mc

Very slow Get/Read Performance 1000's Small Files (250KB<)

So, the conclusion is minio is not a good choice for small files?

ghost

comment created time in 2 hours

issue comment minio/minio

too many 503 error on a distributed minio server

@demis-svenska I know. Post the output from your servers, not the client.

demis-svenska

comment created time in 2 hours

PR opened minio/operator

Add doc for Nginx Ingress controller
+65 -0

0 comment

1 changed file

pr created time in 3 hours

issue comment minio/minio

too many 503 error on a distributed minio server

It's the output of the command `mc admin info minionew` where `minionew` is an alias

demis-svenska

comment created time in 3 hours

issue comment minio/minio

too many 503 error on a distributed minio server

@demis-svenska It is the output from stderr written by the server.

demis-svenska

comment created time in 3 hours

issue comment minio/minio

too many 503 error on a distributed minio server

cluster is already set up. Is there any other way to check it? Here is config for cluster health info

CMD: mc admin info minionew
● minio1:9000
Uptime: 2 days
Version: 2021-06-14T01:29:23Z
Network: 8/8 OK
Drives: 2/2 OK

● minio2:9000
Uptime: 14 hours
Version: 2021-06-14T01:29:23Z
Network: 8/8 OK
Drives: 2/2 OK

● minio4:9000
Uptime: 2 days
Version: 2021-06-14T01:29:23Z
Network: 8/8 OK
Drives: 2/2 OK

● minio5:9000
Uptime: 2 days
Version: 2021-06-14T01:29:23Z
Network: 8/8 OK
Drives: 2/2 OK

● minio6:9000
Uptime: 2 days
Version: 2021-06-14T01:29:23Z
Network: 8/8 OK
Drives: 2/2 OK

● minio7:9000
Uptime: 2 days
Version: 2021-06-14T01:29:23Z
Network: 8/8 OK
Drives: 2/2 OK

● minio8:9000
Uptime: 2 days
Version: 2021-06-14T01:29:23Z
Network: 8/8 OK
Drives: 2/2 OK

● minio3:9000
Uptime: 2 days
Version: 2021-06-14T01:29:23Z
Network: 8/8 OK
Drives: 2/2 OK

demis-svenska

comment created time in 3 hours

issue closed minio/minio

throttle api calls auto by setup mode

Is your feature request related to a problem? Please describe.

ram_per_request is now 22Mib+ with erasure block size, it's unreliable in gateway and single drive mode

Describe the solution you'd like

setting by setup mode

Describe alternatives you've considered

Additional context

closed time in 4 hours

TestMsr

issue comment minio/minio

throttle api calls auto by setup mode

Use MINIO_API_REQUESTS_MAX env var or mc admin config set myminio api requests_max=n

TestMsr

comment created time in 4 hours

issue opened minio/minio

throttle api calls auto by setup mode

Is your feature request related to a problem? Please describe.

ram_per_request is now 22Mib+ with erasure block size, it's unreliable in gateway and single drive mode

Describe the solution you'd like

setting by setup mode

Describe alternatives you've considered

Additional context

created time in 4 hours

pull request comment minio/minio

Use rate.Limiter for bandwidth monitoring

@poornas

2021-06-18T01:32:09.3426309Z WARNING: DATA RACE
2021-06-18T01:32:09.3426948Z Read at 0x00c0223b0a20 by goroutine 2515:
2021-06-18T01:32:09.3427542Z   runtime.mapiterinit()
2021-06-18T01:32:09.3428320Z       /opt/hostedtoolcache/go/1.16.5/x64/src/runtime/map.go:802 +0x0
2021-06-18T01:32:09.3429519Z   github.com/minio/minio/internal/bucket/bandwidth.(*Monitor).generateBandwidth()
2021-06-18T01:32:09.3430565Z       /home/runner/work/minio/minio/internal/bucket/bandwidth/monitor.go:86 +0x2d4
2021-06-18T01:32:09.3431056Z 
2021-06-18T01:32:09.3431606Z Previous write at 0x00c0223b0a20 by goroutine 2552:
2021-06-18T01:32:09.3432220Z   [failed to restore the stack]
2021-06-18T01:32:09.3432547Z 
2021-06-18T01:32:09.3433027Z Goroutine 2515 (running) created at:
2021-06-18T01:32:09.3433816Z   github.com/minio/minio/internal/bucket/bandwidth.NewMonitor()
2021-06-18T01:32:09.3434778Z       /home/runner/work/minio/minio/internal/bucket/bandwidth/monitor.go:121 +0x230
2021-06-18T01:32:09.3435625Z   github.com/minio/minio/cmd.newAllSubsystems()
2021-06-18T01:32:09.3437036Z       /home/runner/work/minio/minio/cmd/server-main.go:215 +0x144
2021-06-18T01:32:09.3437858Z   github.com/minio/minio/cmd.UnstartedTestServer()
2021-06-18T01:32:09.3439126Z       /home/runner/work/minio/minio/cmd/test-utils_test.go:349 +0x6f9
2021-06-18T01:32:09.3439982Z   github.com/minio/minio/cmd.StartTestServer()
2021-06-18T01:32:09.3441014Z       /home/runner/work/minio/minio/cmd/test-utils_test.go:387 +0xaa
2021-06-18T01:32:09.3441829Z   github.com/minio/minio/cmd.(*TestSuiteCommon).SetUpSuite()
2021-06-18T01:32:09.3442675Z       /home/runner/work/minio/minio/cmd/server_test.go:152 +0x57c
2021-06-18T01:32:09.3443383Z   github.com/minio/minio/cmd.runAllTests()
2021-06-18T01:32:09.3444123Z       /home/runner/work/minio/minio/cmd/server_test.go:77 +0x64
2021-06-18T01:32:09.3444948Z   github.com/minio/minio/cmd.TestServerSuite.func1()
2021-06-18T01:32:09.3445809Z       /home/runner/work/minio/minio/cmd/server_test.go:138 +0x124
2021-06-18T01:32:09.3446414Z   testing.tRunner()
2021-06-18T01:32:09.3447149Z       /opt/hostedtoolcache/go/1.16.5/x64/src/testing/testing.go:1193 +0x202
2021-06-18T01:32:09.3447616Z 
2021-06-18T01:32:09.3448294Z Goroutine 2552 (running) created at:
2021-06-18T01:32:09.3448885Z   net/http.(*Server).Serve()
2021-06-18T01:32:09.3449681Z       /opt/hostedtoolcache/go/1.16.5/x64/src/net/http/server.go:3013 +0x644
2021-06-18T01:32:09.3450500Z   net/http/httptest.(*Server).goServe.func1()
2021-06-18T01:32:09.3451426Z       /opt/hostedtoolcache/go/1.16.5/x64/src/net/http/httptest/server.go:308 +0xd
poornas

comment created time in 7 hours

issue comment minio/minio

too many 503 error on a distributed minio server

@demis-svenska Without more information we are just guessing. You need to set up your cluster so you capture logs.

demis-svenska

comment created time in 7 hours

issue comment minio/minio

too many 503 error on a distributed minio server

Hi, the log is empty. It only displays Logs begin at Mon 2021-03-29 13:19:09 UTC on all nodes

172.19.4.47 | -- Logs begin at Mon 2021-03-29 13:19:09 UTC. --
172.19.4.41 -- Logs begin at Sun 2021-02-21 19:08:14 UTC. --
172.19.4.53 -- Logs begin at Thu 2021-04-08 18:26:19 UTC. --
172.19.4.56 -- Logs begin at Thu 2021-04-08 18:28:25 UTC. --
172.19.4.57 -- Logs begin at Thu 2021-04-08 18:28:37 UTC. --
172.19.4.40 -- Logs begin at Sun 2021-05-09 05:21:40 UTC. --
172.19.4.55 -- Logs begin at Thu 2021-04-08 18:28:18 UTC. --
172.19.4.54 -- Logs begin at Thu 2021-04-08 18:28:09 UTC. --

demis-svenska

comment created time in 8 hours

issue closed minio/minio

Federated Minio in gateway mode breaks with OpenID login for cross-account bucket access


Expected Behavior

With a federated Minio deployment consisting of two Minio instances in gateway mode (each of which have IAM credentials for a separate AWS account), I expected that Minio Browser with OpenID login would work similar to logging in with the access key and secret key.

Current Behavior

When logging in to Account A Minio Browser with access/secret keys I am able to interact with buckets owned by the IAM user of Account B Minio.

When logging in to Account A Minio Browser with OpenID I get [403 Forbidden] s3.GetBucketLocation when interacting with buckets owned by the IAM user of Account B Minio.

When using access and secret key login the Credential passed in the Authorization header as part of the GetBucketLocation request in Account B Minio's trace is the IAM access key from Account A Minio.

Using OIDC login, the Credential passed in the Authorization header as part of the GetBucketLocation request in Account B Minio's trace appears to be an access key from Minio STS.

Using the SDK performing operations via the Account A Minio endpoint the Credential passed in the Authorization header as part of the GetBucketLocation request in Account B Minio's trace also appears to be an access key from Minio STS, but an X-Amz-Security-Token is included and the GetBucketLocation request is successful.

Possible Solution

Unsure.

Steps to Reproduce (for bugs)


  1. Deploy federated Minio in gateway mode consisting of 2 Minio instances each with IAM credentials for a separate AWS account
  2. Configure OpenID login by integrating with Keycloak following standard Minio documentation
  3. Login to Minio Browser in Account A with OpenID and try to access a bucket owned by the IAM user from Minio in Account B

Trace from Account B using access and secret key login via Account A Minio Browser:

172.20.16.197 [REQUEST s3.GetBucketLocation] [14:02:06.825] [Client IP: 11.68.111.122]
172.20.16.197 GET /prod-minio/?location=
172.20.16.197 Proto: HTTP/1.1
172.20.16.197 Host: 172.20.16.197:9000
172.20.16.197 X-Amz-Date: 20210331T140206Z
172.20.16.197 Authorization: AWS4-HMAC-SHA256 Credential=<redacted>/20210331/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=5e66e5be61502e05f8062f8856c11bbb08085f9d3b33a995f74dff4572172fb8
172.20.16.197 Content-Length: 0
172.20.16.197 User-Agent: MinIO (linux; amd64) minio-go/v7.0.11
172.20.16.197 X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
172.20.16.197
172.20.16.197 [RESPONSE] [14:02:06.936] [ Duration 110.916ms  ↑ 77 B  ↓ 389 B ]
172.20.16.197 200 OK
172.20.16.197 Content-Security-Policy: block-all-mixed-content
172.20.16.197 Content-Type: application/xml
172.20.16.197 X-Amz-Request-Id: 167172382E6E5C67
172.20.16.197 X-Xss-Protection: 1; mode=block
172.20.16.197 Accept-Ranges: bytes
172.20.16.197 Content-Length: 137
172.20.16.197 Server: MinIO
172.20.16.197 Vary: Origin
172.20.16.197 X-Amz-Bucket-Region: eu-west-1
172.20.16.197 <?xml version="1.0" encoding="UTF-8"?>
<LocationConstraint xmlns="http://s3.amazonaws.com/doc/2006-03-01/">eu-west-1</LocationConstraint>

Trace from Account A Minio with OIDC login:

minio.example.com [REQUEST web.ListObjects] [13:17:12.359] [Client IP: 11.69.20.26]
minio.example.com POST /prod-minio
minio.example.com Proto: HTTP/1.1
minio.example.com Host: minio.example.com
minio.example.com X-Amz-Date: 20210331T131711Z
minio.example.com X-Forwarded-For: 11.69.20.26
minio.example.com X-Original-Forwarded-For: 11.69.20.26
minio.example.com Accept-Encoding: gzip, deflate, br
minio.example.com Accept-Language: en-ZA,en-GB;q=0.9,en-US;q=0.8,en;q=0.7
minio.example.com Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJBS0lBNENUREpES040NFkzTUhHMiIsImV4cCI6MTYxNzI4MjY0Mywic3ViIjoiQUtJQTRDVERKREtONDRZM01IRzIifQ.Yu_1OluzhQMVUd9h7SSMU17U_4bBOYj5aJk5dT-ejoeaDtbPPnHliHp2p1qqH4WnZ6onzxKA7bxuXzizTQ5WYQ
minio.example.com Sec-Fetch-Dest: empty
minio.example.com Sec-Fetch-Site: same-origin
minio.example.com X-Forwarded-Host: minio.example.com
minio.example.com X-Forwarded-Proto: https
minio.example.com X-Real-Ip: 11.69.20.26
minio.example.com Accept: */*
minio.example.com Content-Type: application/json
minio.example.com Cookie: _ga=GA1.2.1649810565.1605078671
minio.example.com User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
minio.example.com X-Request-Id: 4814ea2fa8f1a2767806f3782ae41477
minio.example.com Content-Length: 100
minio.example.com X-Forwarded-Port: 443
minio.example.com X-Scheme: https
minio.example.com Dnt: 1
minio.example.com Origin: https://minio.example.com
minio.example.com Referer: https://minio.example.com/minio/prod-minio/
minio.example.com Sec-Fetch-Mode: cors
minio.example.com X-Amzn-Trace-Id: Root=1-60647657-13b203866855074567c66e9d
minio.example.com 
minio.example.com [RESPONSE] [13:17:12.359] [ Duration 367.363ms  ↑ 100 B  ↓ 1.5 KiB ]
minio.example.com 200 OK
minio.example.com Access-Control-Allow-Origin: https://minio.example.com
minio.example.com Content-Security-Policy: block-all-mixed-content
minio.example.com X-Amz-Request-Id: 16716FC4BDD1FD64
minio.example.com X-Content-Type-Options: nosniff
minio.example.com Access-Control-Allow-Credentials: true
minio.example.com Content-Type: application/json; charset=utf-8
minio.example.com Vary: Origin
minio.example.com X-Xss-Protection: 1; mode=block
minio.example.com Access-Control-Expose-Headers: Date, Etag, Server, Connection, Accept-Ranges, Content-Range, Content-Encoding, Content-Length, Content-Type, Content-Disposition, Last-Modified, Content-Language, Cache-Control, Retry-After, X-Amz-Bucket-Region, Expires, X-Amz*, X-Amz*, *
minio.example.com <BODY>

Trace from Account B Minio with OIDC login:

172.20.16.197 [REQUEST s3.GetBucketLocation] [13:09:02.373] [Client IP: 11.68.111.122]
172.20.16.197 GET /prod-minio/?location=
172.20.16.197 Proto: HTTP/1.1
172.20.16.197 Host: 172.20.16.197:9000
172.20.16.197 User-Agent: MinIO (linux; amd64) minio-go/v7.0.11
172.20.16.197 X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
172.20.16.197 X-Amz-Date: 20210331T130902Z
172.20.16.197 Authorization: AWS4-HMAC-SHA256 Credential=O0B2M14KP7XSC272Y60C/20210331/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=224e4224932782773e21869c8bf467da2eede87dee31a5b1627160d137695240
172.20.16.197 Content-Length: 0
172.20.16.197 
172.20.16.197 [RESPONSE] [13:09:02.373] [ Duration 231µs  ↑ 77 B  ↓ 598 B ]
172.20.16.197 403 Forbidden
172.20.16.197 Accept-Ranges: bytes
172.20.16.197 Content-Security-Policy: block-all-mixed-content
172.20.16.197 Content-Type: application/xml
172.20.16.197 Vary: Origin
172.20.16.197 X-Amz-Bucket-Region: eu-west-1
172.20.16.197 X-Amz-Request-Id: 16716F52BE4E0D13
172.20.16.197 Content-Length: 339
172.20.16.197 Server: MinIO
172.20.16.197 X-Xss-Protection: 1; mode=block
172.20.16.197 <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidTokenId</Code><Message>The security token included in the request is invalid</Message><BucketName>prod-minio</BucketName><Resource>/prod-minio/</Resource><Region>eu-west-1</Region><RequestId>16716F52BE4E0D13</RequestId><HostId>6f325c34-b40a-4e53-bb5c-038322f23414</HostId></Error>

Trace from Account B Minio when using SDK with STS via Account A Minio endpoint:

minio.example.com [REQUEST s3.GetBucketLocation] [13:53:46.578] [Client IP: 11.69.20.26]
minio.example.com GET /prod-minio?location=
minio.example.com Proto: HTTP/1.1
minio.example.com Host: minio.example.com
minio.example.com Authorization: AWS4-HMAC-SHA256 Credential=01H8D3X7KZIRET6RLLZ6/20210331/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=0c48b07565b5a099970b175e8f1e507f876560f856996f720c7f590ea678b10b
minio.example.com X-Original-Forwarded-For: 11.69.20.26
minio.example.com Accept-Encoding: identity
minio.example.com X-Amz-Security-Token: eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.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.i8mazrtVKYzBZLZOpy1HF1XCAxesPfaXBQgfZXEinL4qZPXeul7HNnGHcVAAzES4bHRcJhiSMNX7uB8TUQ28pg
minio.example.com X-Scheme: https
minio.example.com X-Amz-Date: 20210331T135345Z
minio.example.com X-Real-Ip: 11.69.20.26
minio.example.com X-Request-Id: 43e1473f781d8e9a1e3744f02a23fce7
minio.example.com Content-Length: 0
minio.example.com User-Agent: MinIO (Linux; x86_64) minio-py/7.0.3
minio.example.com X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
minio.example.com X-Forwarded-Host: minio.example.com
minio.example.com X-Forwarded-Port: 443
minio.example.com X-Forwarded-Proto: https
minio.example.com X-Amzn-Trace-Id: Root=1-60647eea-60346771341461836000665e
minio.example.com X-Forwarded-For: 11.69.20.26, 11.68.114.179
minio.example.com 
minio.example.com [RESPONSE] [13:53:46.694] [ Duration 116.017ms  ↑ 255 B  ↓ 389 B ]
minio.example.com 200 OK
minio.example.com Accept-Ranges: bytes
minio.example.com Content-Security-Policy: block-all-mixed-content
minio.example.com Vary: Origin
minio.example.com X-Amz-Request-Id: 167171C3B55C6AD5
minio.example.com X-Xss-Protection: 1; mode=block
minio.example.com Content-Length: 137
minio.example.com Content-Type: application/xml
minio.example.com Server: MinIO
minio.example.com X-Amz-Bucket-Region: eu-west-1
minio.example.com <?xml version="1.0" encoding="UTF-8"?>
<LocationConstraint xmlns="http://s3.amazonaws.com/doc/2006-03-01/">eu-west-1</LocationConstraint>

Context

We have S3 buckets in multiple AWS accounts and would like to centralize access and policy management as well as allowing users to authenticate using OIDC.

Regression

Unsure.

Your Environment

  • Version used: RELEASE.2021-03-17T02-33-02Z
  • Server setup and configuration: Kubernetes
  • Operating System and version: EKS v1.15

closed time in 9 hours

wdbasson

issue comment minio/minio

Federated Minio in gateway mode breaks with OpenID login for cross-account bucket access

This is not a relevant issue anymore since WebUI has moved to embedded minio/console

wdbasson

comment created time in 9 hours

push event minio/minio

Harshavardhana

commit sha cdeccb5510f25d0019682f978c2c0aa02a5e12bf

feat: Deprecate embedded browser and import console (#12460)

This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with `--console-address ":9001"`

push time in 12 hours

PR merged minio/minio

feat: Deprecate embedded browser and import console next-release

Description

feat: Deprecate embedded browser and import console

Motivation and Context

This feature also changes the default port where the browser is running, now the port has moved to 9001 and it can be configured with

--console-address ":9001"

How to test this PR?

Just start `minio server ~/test` and point to http://localhost:9001

Types of changes

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [x] New feature (non-breaking change which adds functionality)
  • [ ] Optimization (provides speedup with no functional changes)
  • [x] Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • [ ] Fixes a regression (If yes, please add commit-id or PR # here)
  • [x] Documentation updated
  • [x] Unit tests added/updated
+2035 -59010

4 comments

264 changed files

harshavardhana

pr closed time in 12 hours

Pull request review comment minio/minio

Use rate.Limiter for bandwidth monitoring

 func (a adminAPIHandlers) SetRemoteTargetHandler(w http.ResponseWriter, r *http. 		} 		target = tgt 	}++	if target.BandwidthLimit*8 < 100*1000*1000 {
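
Review bot: the added `if target.BandwidthLimit*8 < 100*1000*1000` check leaves its units implicit. The `*8` implies the field holds bytes per second and the right-hand side reads as 100 Mbit/s, but nothing in the hunk says so. A named constant for the minimum and a comment stating the unit of `BandwidthLimit` would make the threshold checkable at a glance. It is also worth confirming how an unset (zero) limit is meant to be treated here, since 0 satisfies this comparison.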

bandwidth is taken as input in bits/sec in mc but sent to server as bytes.

poornas

comment created time in 13 hours