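Standalone Nginx + Two-Node MinIO High-Availability Deployment (Ubuntu 24.04)

I. Node summary (static IPs and role assignment)

| Node role | Hostname | Static IP | Hardware (minimum) | OS version | Core responsibilities |
|---|---|---|---|---|---|
| Standalone Nginx node | minio-nginx-proxy | 192.168.192.115 | 2 CPU cores, 2 GB RAM, 20 GB system disk | Ubuntu 24.04 LTS | Load balancing (9000 console / 9001 API), HTTPS termination, single access entry point |
| MinIO node 1 | minio-node1 | 192.168.192.116 | 2 CPU cores, 4 GB RAM, 2 data disks of ≥100 GB | Ubuntu 24.04 LTS | Distributed storage, data redundancy (erasure coding) |
| MinIO node 2 | minio-node2 | 192.168.192.117 | 2 CPU cores, 4 GB RAM, 2 data disks of ≥100 GB | Ubuntu 24.04 LTS | Distributed storage, data redundancy (erasure coding) |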

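II. Architecture

1. Topology

Client → standalone Nginx (192.168.192.115:9000/9001) → two MinIO nodes (192.168.192.116/117:9000/9001) → distributed storage (2 data disks per node, erasure coding 4+2)

2. Key properties

  • Single entry point: clients only talk to the Nginx node IP (192.168.192.115) and never need to know about the MinIO nodes
  • High availability: a single MinIO node failure or a single disk failure does not interrupt service or lose data
  • Isolation: the MinIO nodes open ports 9000/9001 only to the Nginx node and are not exposed externally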

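III. Prerequisites (run on all nodes, adapted for Ubuntu 24.04)

1. Base system configuration (same on every node)

(1) Update the system and install dependencies

# Refresh the package lists and upgrade
sudo apt update && sudo apt upgrade -y

# Install core dependencies (curl, wget, ntpdate, net-tools)
sudo apt install -y curl wget ntpdate net-tools

(2) Time synchronization (avoid clock drift between nodes)

# Sync against the Aliyun NTP server
sudo ntpdate ntp.aliyun.com

# Schedule periodic sync (every 5 minutes)
echo "*/5 * * * * root ntpdate ntp.aliyun.com" | sudo tee -a /etc/crontab

(3) Disable unnecessary services (resource optimization)

# Do not disable the firewall: fine-grained rules are configured later, so keep ufw enabled
# Allow SSH first so that enabling ufw does not block new SSH sessions
sudo ufw allow 22/tcp
sudo ufw enable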

2. Additional prerequisites for the MinIO nodes (run on both 116 and 117)

(1) Disk preparation (2 unused disks per node, assumed to be /dev/sdb and /dev/sdc)

# Install the xfs tools needed to format the disks
sudo apt install -y xfsprogs

# Check that the disks exist
lsblk | grep -E 'sd[bc]'

# Format the disks as xfs
sudo mkfs.xfs /dev/sdb && sudo mkfs.xfs /dev/sdc

# Create the mount points
sudo mkdir -p /mnt/minio/data{1..2}

# Mount automatically at boot (append to /etc/fstab)
echo "/dev/sdb /mnt/minio/data1 xfs defaults 0 0" | sudo tee -a /etc/fstab
echo "/dev/sdc /mnt/minio/data2 xfs defaults 0 0" | sudo tee -a /etc/fstab

# Mount now and verify
sudo mount -a && df -h | grep /mnt/minio

# Check the mount state
mount | grep minio

(2) Configure the firewall (only the Nginx node may reach 9000/9001)

# Allow the Nginx node (192.168.192.115) to reach the MinIO API (9000) and console (9001)
sudo ufw allow from 192.168.192.115 to any port 9000
sudo ufw allow from 192.168.192.115 to any port 9001

# Allow traffic between the MinIO nodes (intra-cluster communication)
sudo ufw allow from 192.168.192.116 to 192.168.192.117 port 9000
sudo ufw allow from 192.168.192.117 to 192.168.192.116 port 9000

# Keep SSH reachable
sudo ufw allow 22/tcp

# Reload the firewall rules
sudo ufw reload

# Verify the rules (should show 115 allowed on 9000/9001, plus the node-to-node rules)
sudo ufw status numbered
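
One way to check the resulting rule set, as an added example that is not part of the original guide: the function below reads `ufw status` output and reports any ALLOW rule that opens 9000/9001 to a source other than the Nginx node or the two MinIO peers. The sample outputs are constructed and the function name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): audit `ufw status` text from a MinIO node.
# Sources permitted to reach 9000/9001: the Nginx node and the two MinIO peers.
ALLOWED_SOURCES="192.168.192.115 192.168.192.116 192.168.192.117"

# Constructed sample of the expected rule set.
SAMPLE_OK='Status: active

To                         Action      From
--                         ------      ----
9000                       ALLOW       192.168.192.115
9001                       ALLOW       192.168.192.115
192.168.192.117 9000       ALLOW       192.168.192.116
192.168.192.116 9000       ALLOW       192.168.192.117
22/tcp                     ALLOW       Anywhere'

# Constructed sample with a leftover rule that opens the API to every source.
SAMPLE_EXPOSED="$SAMPLE_OK
9000/tcp                   ALLOW       Anywhere
9000/tcp (v6)              ALLOW       Anywhere (v6)"

# Reads `ufw status` text on stdin, prints each ALLOW rule that opens 9000/9001
# to a source outside ALLOWED_SOURCES, and returns 1 if any such rule exists.
audit_minio_ufw() {
  awk -v allowed="$ALLOWED_SOURCES" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    / ALLOW / {
      split($0, part, / ALLOW( IN)? +/)
      to = part[1]; from = part[2]
      sub(/ +$/, "", to); sub(/ +$/, "", from)
      # Skip rules that do not concern the MinIO ports.
      if (to !~ /(^| )900[01](\/tcp)?( |$)/) next
      if (!(from in ok)) { print "EXPOSED: " to " <- " from; bad = 1 }
    }
    END { exit bad + 0 }
  '
}

# On a node: sudo ufw status | audit_minio_ufw
printf '%s\n' "$SAMPLE_EXPOSED" | audit_minio_ufw || echo "firewall needs cleanup"
```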

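3. Additional prerequisites for the Nginx node (run on 115)

(1) Open the client-facing ports (9000/9001)

# Allow SSH and the client-facing ports
sudo ufw allow 22/tcp
sudo ufw allow 9000/tcp
sudo ufw allow 9001/tcp

# Reload the firewall
sudo ufw reload

# Verify the rules
sudo ufw status numbered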

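IV. Deploying MinIO on both nodes (run on both 116 and 117)

Step 1: Create the MinIO service user (run on both 116 and 117)

# Create the non-root user minio-user
sudo useradd -m minio-user

# Give it ownership of the storage directories
sudo chown -R minio-user:minio-user /mnt/minio

# Verify that the user was created
id minio-user
echo $SHELL

Step 2: Download the MinIO binaries (run on both 116 and 117)

# Download the MinIO server (stable release)
sudo wget https://dl.min.io/server/minio/release/linux-amd64/minio -P /usr/local/bin/

# Download the MinIO client (mc)
sudo wget https://dl.min.io/client/mc/release/linux-amd64/mc -P /usr/local/bin/

# Make both executable
sudo chmod +x /usr/local/bin/minio /usr/local/bin/mc

# Verify the installation (should print version information)
minio --version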

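Step 3: Configure the MinIO environment variables (core configuration) (run on both 116 and 117)

# Create the environment file
sudo tee /etc/minio.env << EOF
# Admin account (choose your own; use strong credentials in production)
MINIO_ROOT_USER=minioadmin_2025
# Admin password (at least 8 characters; use a complex password in production)
MINIO_ROOT_PASSWORD=MinIO@123456
# Erasure-coding parity (two nodes, 4 disks: parity=2)
MINIO_ERASURE_CODE_PARITY=2
# Log directory
MINIO_LOG_DIR=/var/log/minio
# Server region (optional, can help performance)
MINIO_SITE_REGION=us-east-1

# MinIO server address settings (important: must match the addresses used in the Nginx configuration)
MINIO_SERVER_URL=http://192.168.192.115:9000
MINIO_BROWSER_REDIRECT_URL=http://192.168.192.115:9001
EOF

# Restrict file permissions (readable by minio-user only)
sudo chmod 600 /etc/minio.env
sudo chown minio-user:minio-user /etc/minio.env

# Create the log directory and hand it to minio-user
sudo mkdir -p /var/log/minio
sudo chown -R minio-user:minio-user /var/log/minio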

Step 4: Write the systemd service unit (run on both 116 and 117)

# Create the MinIO service file
sudo tee /usr/lib/systemd/system/minio.service << EOF
[Unit]
Description=MinIO Distributed Server
Documentation=https://docs.min.io
After=network.target

[Service]
User=minio-user
Group=minio-user
EnvironmentFile=/etc/minio.env
WorkingDirectory=/home/minio-user
# ExecStart kept on one line to avoid line-continuation escaping errors
ExecStart=/usr/local/bin/minio server --console-address ":9001" http://192.168.192.116/mnt/minio/data1 http://192.168.192.116/mnt/minio/data2 http://192.168.192.117/mnt/minio/data1 http://192.168.192.117/mnt/minio/data2
Restart=always
RestartSec=5
LimitNOFILE=65536
TimeoutStartSec=300
TimeoutStopSec=300
OOMPolicy=continue
# Key environment variables so that MinIO knows its external access addresses
# (kept identical to /etc/minio.env: API on 9000, console on 9001)
# MINIO_PROMETHEUS_AUTH_TYPE=public makes the metrics endpoints readable without a token
Environment=MINIO_PROMETHEUS_AUTH_TYPE=public
Environment=MINIO_SERVER_URL=http://192.168.192.115:9000
Environment=MINIO_BROWSER_REDIRECT_URL=http://192.168.192.115:9001
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target
EOF

Step 5: Start the MinIO cluster and verify (run on 116 first, then on 117)

# Reload the systemd configuration
sudo systemctl daemon-reload

# Start MinIO and enable it at boot
sudo systemctl enable --now minio

# Check the service state (should show active (running))
sudo systemctl status minio

# Follow the log (to confirm the cluster started)
sudo journalctl -u minio -f
  • Signs of success: the log shows
    Status: 4 Online, 0 Offline
    Endpoint: http://192.168.192.116:9000 http://192.168.192.117:9000

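V. Standalone Nginx deployment and load-balancing configuration (run on 115)

Step 1: Install Nginx (the default Ubuntu 24.04 version is sufficient, no extra repository needed)

# Install Nginx
sudo apt install -y nginx

# Start Nginx and enable it at boot
sudo systemctl enable --now nginx

# Check the service state (should show active (running))
sudo systemctl status nginx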

Step 2: Configure load balancing for MinIO (core configuration file)

# Create a system account named nginx (no login shell)
sudo useradd -r -s /sbin/nologin nginx

# Write the MinIO proxy configuration
sudo tee /etc/nginx/nginx.conf << 'EOF'

worker_processes auto;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 4096;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # Log format that records which MinIO node served each API request
    # (read by the load-balancing and failover checks in section VI)
    log_format minio_upstream '$remote_addr [$time_local] "$request" $status '
                              'upstream_addr=$upstream_addr upstream_status=$upstream_status';

    access_log /var/log/nginx/access.log main;
    sendfile on;
    keepalive_timeout 65;

    # ====================== Upstream clusters (your MinIO nodes) ======================
    upstream minio {
        server 192.168.192.116:9000 max_fails=3 fail_timeout=30s;
        server 192.168.192.117:9000 max_fails=3 fail_timeout=30s;
    }

    upstream console {
        ip_hash; # The console needs ip_hash to avoid sessions drifting between nodes
        server 192.168.192.116:9001 max_fails=3 fail_timeout=30s;
        server 192.168.192.117:9001 max_fails=3 fail_timeout=30s;
    }

    # ====================== MinIO API proxy (port 9000) ======================
    server {
        listen 9000;
        listen [::]:9000;
        server_name 192.168.192.115; # Your load balancer IP

        access_log /var/log/nginx/minio-api-access.log minio_upstream;

        # Core settings for S3 protocol compatibility
        ignore_invalid_headers off;
        client_max_body_size 0;
        proxy_buffering off;
        proxy_request_buffering off;

        location / {
            proxy_set_header Host $http_host; # Includes the port, which avoids S3 signature errors
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            proxy_connect_timeout 300;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            chunked_transfer_encoding off; # Works around S3 chunked-transfer problems

            proxy_pass http://minio;
        }
    }

    # ====================== MinIO Console proxy (port 9001) ======================
    server {
        listen 9001;
        listen [::]:9001;
        server_name 192.168.192.115;

        # Core settings for the console
        ignore_invalid_headers off;
        client_max_body_size 0;
        proxy_buffering off;
        proxy_request_buffering off;

        location / {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-NginX-Proxy true;

            real_ip_header X-Real-IP;

            proxy_connect_timeout 300;

            # WebSocket support for the console
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

            chunked_transfer_encoding off;

            proxy_pass http://console;
        }
    }
}
EOF

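Step 3: Configure an HTTPS certificate (free Let's Encrypt certificate)

# To enable HTTPS, install certbot and its Nginx plugin
# sudo apt install -y certbot python3-certbot-nginx

# HTTPS can be set up in one of the following ways:
# 1. Let's Encrypt (requires a valid domain name)
# 2. A self-signed certificate (test environments only)
# 3. A certificate issued by an internal enterprise CA

# Note: a bare IP address cannot obtain a valid certificate from Let's Encrypt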

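Step 4: Validate the Nginx configuration and restart

# Check the configuration syntax (must report "test is successful")
sudo nginx -t

# Restart Nginx to apply the configuration
sudo systemctl restart nginx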

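VI. Full functional verification (key test steps)

1. Basic access checks

(1) Console access

Open in a browser: http://192.168.192.115:9001

  • Log in with account minioadmin_2025 and password MinIO@123456
  • Check: after login, "Server Info" → "Nodes" in the left menu shows 2 nodes (116/117) and all 4 disks as "Online"

(2) API access (tested with the mc tool)

Install mc on any client machine and connect through the Nginx proxy:

# Install mc
sudo wget https://dl.min.io/client/mc/release/linux-amd64/mc -P /usr/local/bin/
sudo chmod +x /usr/local/bin/mc

# Point an alias at the Nginx proxy
mc alias set minio-cluster http://192.168.192.115:9000 minioadmin_2025 MinIO@123456

# Test operations
mc mb minio-cluster/test-bucket # Create a test bucket
mc cp /etc/hosts minio-cluster/test-bucket/ # Upload a file
mc ls minio-cluster/test-bucket/ # List objects (should show the hosts file)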

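2. Load-balancing check

Read the Nginx access log and confirm that requests are spread evenly across 116/117:

# Follow the API access log
sudo tail -f /var/log/nginx/minio-api-access.log
  • The log should alternate between upstream_addr=192.168.192.116:9000 and upstream_addr=192.168.192.117:9000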

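3. Failover check (the core high-availability test)

(1) Simulate a MinIO node failure (stop node 116)

# Run on 192.168.192.116
sudo systemctl stop minio

(2) Verify that the service stays available

  • Browse to http://192.168.192.115:9001; login still works
  • Download a file: mc cp minio-cluster/test-bucket/hosts ./hosts-backup completes normally
  • Check the Nginx log: requests are forwarded to node 117 only, with no errors

(3) Restore the node and verify synchronization

# Restart MinIO on node 116
sudo systemctl start minio

# Follow the log on node 116 to confirm data synchronization
sudo journalctl -u minio -f | grep "sync"

# Verify that load is restored: forwarding records for node 116 appear in the log again
sudo tail -f /var/log/nginx/minio-api-access.log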
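
The load-balancing and failover checks above can be made measurable instead of read by eye. The following is an added example, not part of the original guide: it counts which upstream answered each request and which upstreams Nginx had to retry away from (Nginx records a retried request as a comma-separated list in $upstream_addr). It assumes the API access log contains an upstream_addr=<value> field as described in the load-balancing check; the log lines and function names are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide). Constructed access-log lines:
# two normal requests, one request retried from 116 to 117 after 116 was
# stopped, one more on 117, and one request that never reached an upstream.
SAMPLE_LOG='192.168.192.50 [10/Jan/2025:10:00:01 +0800] "GET /test-bucket/hosts HTTP/1.1" 200 upstream_addr=192.168.192.116:9000 upstream_status=200
192.168.192.50 [10/Jan/2025:10:00:02 +0800] "GET /test-bucket/hosts HTTP/1.1" 200 upstream_addr=192.168.192.117:9000 upstream_status=200
192.168.192.50 [10/Jan/2025:10:05:00 +0800] "GET /test-bucket/hosts HTTP/1.1" 200 upstream_addr=192.168.192.116:9000, 192.168.192.117:9000 upstream_status=502, 200
192.168.192.50 [10/Jan/2025:10:05:01 +0800] "GET /test-bucket/hosts HTTP/1.1" 200 upstream_addr=192.168.192.117:9000 upstream_status=200
192.168.192.50 [10/Jan/2025:10:05:02 +0800] "GET /test-bucket/hosts HTTP/1.1" 499 upstream_addr=- upstream_status=-'

# Reads log lines on stdin and prints, per upstream, how many requests it
# answered (served=) and how many were retried on another node (failed_over=).
upstream_summary() {
  awk '
    match($0, /upstream_addr=[0-9.:]+(, [0-9.:]+)*/) {
      list = substr($0, RSTART + 14, RLENGTH - 14)   # 14 = length("upstream_addr=")
      gsub(/ /, "", list)
      n = split(list, hop, ",")
      served[hop[n]]++                               # last address answered the request
      for (i = 1; i < n; i++) failed[hop[i]]++       # earlier addresses were abandoned
    }
    END {
      for (a in served) printf "%s served=%d\n", a, served[a]
      for (a in failed) printf "%s failed_over=%d\n", a, failed[a]
    }
  ' | LC_ALL=C sort
}

# Failover check: returns 0 only if every answered request came from upstream $1.
served_only_by() {
  upstream_summary | awk -v want="$1" '
    / served=/ { seen = 1; if ($1 != want) bad = 1 }
    END { exit (bad || !seen) }
  '
}

# On the Nginx node: sudo cat /var/log/nginx/minio-api-access.log | upstream_summary
printf '%s\n' "$SAMPLE_LOG" | upstream_summary
```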

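4. Disk failure check (optional)

# Unmount one disk on node 116 (simulated failure)
sudo umount /mnt/minio/data1

# Check: in the browser console → "Server Info" → "Disks", data1 on 116 is Offline and the other 3 are Online
# Read an object: mc cat minio-cluster/test-bucket/hosts still works

# Restore the disk
sudo mount /mnt/minio/data1
sudo journalctl -u minio -f | grep "disk online" # Confirm the disk is back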

5. Data backup and restore strategy (required in production)

#!/bin/bash
# Back up MinIO data (example script)
# Script path: /opt/minio/backup.sh
set -euo pipefail

# Variables
BACKUP_DIR="/backup/minio"
DATE=$(date +%Y%m%d_%H%M%S)
MINIO_ALIAS="minio-cluster"

# Create the backup directory
mkdir -p "${BACKUP_DIR}/${DATE}"

# Save the list of all buckets
mc ls "${MINIO_ALIAS}" > "${BACKUP_DIR}/${DATE}/buckets.list"

# Back up each bucket (example: test-bucket)
mc cp -r "${MINIO_ALIAS}/test-bucket" "${BACKUP_DIR}/${DATE}/"

# Compress the backup
tar -czf "${BACKUP_DIR}/${DATE}.tar.gz" -C "${BACKUP_DIR}" "${DATE}"

# Remove the uncompressed backup directory
rm -rf "${BACKUP_DIR:?}/${DATE}"

# Keep only the last 7 days of backups
find "${BACKUP_DIR}" -name "*.tar.gz" -mtime +7 -delete

echo "Backup completed: ${BACKUP_DIR}/${DATE}.tar.gz"

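VII. Ubuntu 24.04 specific notes

1. System compatibility

  • Ubuntu 24.04 uses systemd-resolved by default; DNS resolution does not conflict and needs no extra configuration
  • The default apt sources already cover MinIO, Nginx, certbot and related tools, so no third-party repository is needed

2. Firewall rules

  • Ubuntu 24.04 enables ufw by default and all rules were configured in the prerequisite steps; avoid turning ufw off by mistake
  • To change a rule, delete the old one with sudo ufw delete <rule number> (the numbers come from sudo ufw status numbered) and add the replacement, for example sudo ufw allow from 192.168.192.115 to any port 9000

3. Nginx permissions

  • On Ubuntu 24.04 Nginx runs as www-data; the user does not need to be changed in the configuration file, keep the default
  • The log directory /var/log/nginx has correct permissions by default and needs no extra grants

4. MinIO disk mounts

  • For NVMe disks (such as /dev/nvme0n1p3) the format and mount commands are the same; only the device name changes
  • Verify the mounts: lsblk shows the mount state; make sure /dev/sdb is mounted on /mnt/minio/data1 and /dev/sdc on /mnt/minio/data2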

VIII. Production optimization recommendations

1. Nginx performance tuning (node 115)

Edit /etc/nginx/nginx.conf and adjust the following parameters:

# Back up the current configuration file
sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup

# Update the main Nginx configuration file
# Note: this overwrites the nginx.conf written in section V, step 2. Move the MinIO
# upstream and server blocks into /etc/nginx/conf.d/minio.conf first, so that the
# include at the end of this file still loads them.
sudo tee /etc/nginx/nginx.conf << 'EOF'
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    use epoll;
    worker_connections 10240;
    multi_accept on;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    keepalive_requests 1000;
    types_hash_max_size 2048;

    # MIME types
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Log format
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log warn;

    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types
        text/plain
        text/css
        text/xml
        text/javascript
        application/json
        application/javascript
        application/xml+rss
        application/atom+xml
        image/svg+xml;

    # Site configuration
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
EOF

Restart Nginx: sudo systemctl restart nginx

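2. MinIO performance tuning (nodes 116/117)

  • Disk I/O tuning: add disk read/write options to the MinIO entries in /etc/fstab, then remount:
    sudo sed -i '/\/mnt\/minio\//s/defaults/defaults,noatime,nodiratime/' /etc/fstab
    sudo mount -o remount /mnt/minio/data1 && sudo mount -o remount /mnt/minio/data2
  • Network tuning: adjust TCP parameters to raise the number of concurrent connections:
    sudo tee -a /etc/sysctl.conf << EOF
    net.core.somaxconn = 65535
    net.ipv4.tcp_max_syn_backlog = 65535
    net.ipv4.tcp_fin_timeout = 30
    EOF
    sudo sysctl -p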

3. Monitoring (required in production)

(1) MinIO monitoring (Prometheus integration)

MinIO ships with a metrics endpoint; add this to the Prometheus configuration:

scrape_configs:
  - job_name: 'minio'
    static_configs:
      - targets: ['192.168.192.116:9000', '192.168.192.117:9000']
    metrics_path: '/minio/v2/metrics/cluster'
    # Add basic auth (if enabled)
    # basic_auth:
    #   username: minioadmin_2025
    #   password: MinIO@123456

(2) Nginx monitoring (install nginx-prometheus-exporter)

# Install on node 115 (the Ubuntu package and service are named prometheus-nginx-exporter)
sudo apt install -y prometheus-nginx-exporter
sudo systemctl enable --now prometheus-nginx-exporter

Add 192.168.192.115:9113 as a scrape target in Prometheus.

(3) Alerting rules (Prometheus rules)

groups:
  - name: minio.rules
    rules:
      - alert: MinIONodeDown
        expr: minio_cluster_nodes_offline_total > 0
        for: 1m
        labels:
          severity: critical
        annotations:
          summary: "MinIO node is down"
          description: "{{ $labels.instance }} MinIO node is down"

      - alert: MinIODiskOffline
        expr: minio_cluster_disk_offline_total > 0
        for: 1m
        labels:
          severity: warning
        annotations:
          summary: "MinIO disk is offline"
          description: "{{ $labels.instance }} MinIO disk is offline"

      - alert: HighErrorRate
        expr: rate(minio_s3_requests_errors_total[5m]) > 0.01
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "High error rate"
          description: "{{ $labels.instance }} MinIO has high error rate"

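4. Version upgrade strategy (required in production)

(1) Rolling upgrade steps

  1. Make sure the cluster is healthy
  2. Stop and upgrade the MinIO nodes one at a time
  3. Verify that the upgraded node works correctly
  4. Continue with the next node

(2) Example upgrade script

#!/bin/bash
# MinIO upgrade script path: /opt/minio/upgrade.sh
# Abort on the first failed step so a failed download never replaces the binary
set -euo pipefail

# Stop the MinIO service
sudo systemctl stop minio

# Back up the current MinIO binary
sudo cp /usr/local/bin/minio "/usr/local/bin/minio.backup.$(date +%Y%m%d)"

# Download the new MinIO version
sudo wget https://dl.min.io/server/minio/release/linux-amd64/minio -O /usr/local/bin/minio.new

# Replace the binary
sudo mv /usr/local/bin/minio.new /usr/local/bin/minio

# Make it executable
sudo chmod +x /usr/local/bin/minio

# Start the MinIO service
sudo systemctl start minio

# Verify the version
minio --version

echo "MinIO upgrade completed"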
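
Both download steps in this guide (section IV, step 2, and the upgrade script above) install the fetched binary without checking it. The following is an added example, not part of the original guide, of gating the replacement on a SHA-256 match; it assumes a checksum file in sha256sum format (digest first, then a file name) has been obtained for the release, and the function names and demo files are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): verify a downloaded binary against
# a published SHA-256 before it replaces the installed one.

# Returns 0 only if the SHA-256 of file $1 equals the first field of checksum
# file $2; returns 2 if a file is missing or the checksum file is malformed.
verify_sha256() {
  [ -f "$1" ] && [ -f "$2" ] || return 2
  expected=$(awk 'NR == 1 { print tolower($1) }' "$2")
  # A SHA-256 digest is exactly 64 hex characters; treat anything else as invalid.
  case $expected in
    ''|*[!0-9a-f]*) return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 2
  actual=$(sha256sum "$1" | awk '{ print $1 }')
  [ "$actual" = "$expected" ]
}

# Installs new binary $1 as $2 only if it matches checksum file $3.
# The previous binary is kept as $2.bak; a rejected download is deleted.
replace_if_verified() {
  if ! verify_sha256 "$1" "$3"; then
    echo "checksum verification failed, keeping existing $2" >&2
    rm -f "$1"
    return 1
  fi
  if [ -f "$2" ]; then cp -p "$2" "$2.bak"; fi
  chmod +x "$1" && mv "$1" "$2"
}

# Constructed demo in a scratch directory (no network, no real binary).
demo_dir=$(mktemp -d)
printf 'old build\n' > "$demo_dir/minio"
printf 'new build\n' > "$demo_dir/minio.new"
( cd "$demo_dir" && sha256sum minio.new > minio.sha256sum )
replace_if_verified "$demo_dir/minio.new" "$demo_dir/minio" "$demo_dir/minio.sha256sum" \
  && echo "installed: $(cat "$demo_dir/minio")"
rm -rf "$demo_dir"
```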

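5. Troubleshooting guide

(1) Commands for common problems

# Check the MinIO service state
sudo systemctl status minio

# Follow the MinIO service log
sudo journalctl -u minio -f

# Check cluster health
mc admin info minio-cluster

# List buckets and objects
mc ls minio-cluster

# Check disk state
mc admin info minio-cluster --json | jq '.storage'

# Check listening sockets
ss -tuln | grep 9000

(2) Performance monitoring commands

# Check system resource usage of the MinIO process
top -p "$(pgrep -d, -x minio)"

# Check disk I/O
iostat -x 1

# Check network traffic (replace eth0 with the actual interface name)
iftop -i eth0

# Check memory usage
free -h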