minio: expand on service configuration, tls, todos (team#41257)

140d3ee0 · anarcat · 94e1449d · 140d3ee0
Verified Commit 140d3ee0 authored 1 year ago by anarcat
--- a/service/object-storage.md
+++ b/service/object-storage.md
@@ -286,6 +286,10 @@ client][] which is [also available as a Docker container][].
 The installation was done in [issue tpo/tpa/team#41257](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41257) which may
 have more details.

+The actual systemd configuration was severely modified since then to
+adapt to various constraints including firewalling, TLS configuration,
+and more.
+
 TODO: consider podman "quadlets" in podman 4.4 https://www.redhat.com/sysadmin/quadlet-podman

 ## Upgrades
@@ -315,7 +319,30 @@ TODO: sum up RFC-56 and current architecture

 ## Services

-TODO: services <!-- open ports, daemons, cron jobs -->
+MinIO provides an admin interface on port `9090` and a S3-compatible
+interface on port `9000`. The admin interface is limited to
+`localhost` and is accessible with port forwarding over SSH, e.g.
+
+    ssh -L 9090:localhost:9090 minio-01.torproject.org
+
+... then using <https://localhost:9090> should work. Note that it will
+yield a certificate warning which can safely be ignored
+(unfortunately).
+
+This endpoint *should* be publicly available, but
+firewalled. Unfortunately, we've had trouble firewalling ports
+forwarded by podman, see [tpo/tpa/team#41259](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41259) for details.
+
+The main S3 API is available globally at
+<https://minio.torproject.org:9090>, a CNAME that currently points at
+the `minio-01` instance. The HTTPS certificate is managed by our
+normal Let's Encrypt certificate rotation, but required us to pull the
+`DH PARAMS`, see [this limitation of crypto/tls in Golang](https://github.com/golang/go/issues/38788) and
+commit letsencrypt-domains@ee1a0f7 (stop appending DH PARAMS to
+certificates files, 2023-07-11) for details.
+
+The MinIO daemon itself runs under `podman` and `systemd` under the
+`container-minio.service` unit.

 ## Storage

@@ -329,8 +356,9 @@ MinIO with a [low priority object scanner](https://min.io/docs/minio/container/a

 ## Interfaces

-MinIO provides an admin interface on port `9090` and a S3-compatible
-interface on port `9000`. TODO: make those real hostnames?
+There are two main interfaces, the S3 API on port 9000 and the MinIO
+management console on port 9090, see the [services section](#services) for
+more information.

 ## Authentication

@@ -353,8 +381,7 @@ use the [password reset](#password-reset) procedures to recover.

 ## Implementation

-MinIO is implemented in Golang. We deploy the Docker containers with
-podman.
+MinIO is implemented in Golang, as a single binary.

 ## Related services

@@ -376,6 +403,8 @@ label ~Foo.

 TODO: make a label for object-storage

+TODO: link to upstream issue tracker and support options
+
 ## Maintainer

 anarcat setup this service in July 2023 and TPA is responsible for
@@ -418,6 +447,8 @@ This is not seen as a deal-breaker in using MinIO for TPA.
 <!-- describe how this service is monitored, how security issues and -->
 <!-- upgrades are tracked, see also "Upgrades" above. -->

+TODO: prometheus metrics and monitoring
+
 ## Tests

 To make sure the service still works after an upgrade, you can try
@@ -476,6 +507,9 @@ TODO: reference upstream docs

 -->

+TODO: document, runs as root? should run rootless, but requires --user
+session, see also https://github.com/containers/podman/issues/12778
+
 ## Technical debt and next steps

 <!--