minio: expand on service configuration, tls, todos (team#41257)

140d3ee0 · anarcat · 94e1449d · 140d3ee0
Verified Commit 140d3ee0 authored 1 year ago by anarcat
--- a/service/object-storage.md
+++ b/service/object-storage.md
@@ -286,6 +286,10 @@ client][] which is [also available as a Docker container][].
 The installation was done in [issue tpo/tpa/team#41257](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41257) which may
 have more details.
+The actual systemd configuration was severely modified since then to
+adapt to various constraints including firewalling, TLS configuration,
+and more.
 TODO: consider podman "quadlets" in podman 4.4 https://www.redhat.com/sysadmin/quadlet-podman
 ## Upgrades
@@ -315,7 +319,30 @@ TODO: sum up RFC-56 and current architecture
 ## Services
-TODO: services <!-- open ports, daemons, cron jobs -->
+MinIO provides an admin interface on port `9090` and a S3-compatible
+interface on port `9000`. The admin interface is limited to
+`localhost` and is accessible with port forwarding over SSH, e.g.
+    ssh -L 9090:localhost:9090 minio-01.torproject.org
+... then using <https://localhost:9090> should work. Note that it will
+yield a certificate warning which can safely be ignored
+(unfortunately).
+This endpoint *should* be publicly available, but
+firewalled. Unfortunately, we've had trouble firewalling ports
+forwarded by podman, see [tpo/tpa/team#41259](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41259) for details.
+The main S3 API is available globally at
+<https://minio.torproject.org:9090>, a CNAME that currently points at
+the `minio-01` instance. The HTTPS certificate is managed by our
+normal Let's Encrypt certificate rotation, but required us to pull the
+`DH PARAMS`, see [this limitation of crypto/tls in Golang](https://github.com/golang/go/issues/38788) and
+commit letsencrypt-domains@ee1a0f7 (stop appending DH PARAMS to
+certificates files, 2023-07-11) for details.
+The MinIO daemon itself runs under `podman` and `systemd` under the
+`container-minio.service` unit.
 ## Storage
@@ -329,8 +356,9 @@ MinIO with a [low priority object scanner](https://min.io/docs/minio/container/a
 ## Interfaces
-MinIO provides an admin interface on port `9090` and a S3-compatible
+There are two main interfaces, the S3 API on port 9000 and the MinIO
-interface on port `9000`. TODO: make those real hostnames?
+management console on port 9090, see the [services section](#services) for
+more information.
 ## Authentication
@@ -353,8 +381,7 @@ use the [password reset](#password-reset) procedures to recover.
 ## Implementation
-MinIO is implemented in Golang. We deploy the Docker containers with
+MinIO is implemented in Golang, as a single binary.
-podman.
 ## Related services
@@ -376,6 +403,8 @@ label ~Foo.
 TODO: make a label for object-storage
+TODO: link to upstream issue tracker and support options
 ## Maintainer
 anarcat setup this service in July 2023 and TPA is responsible for
@@ -418,6 +447,8 @@ This is not seen as a deal-breaker in using MinIO for TPA.
 <!-- describe how this service is monitored, how security issues and -->
 <!-- upgrades are tracked, see also "Upgrades" above. -->
+TODO: prometheus metrics and monitoring
 ## Tests
 To make sure the service still works after an upgrade, you can try
@@ -476,6 +507,9 @@ TODO: reference upstream docs
 -->
+TODO: document, runs as root? should run rootless, but requires --user
+session, see also https://github.com/containers/podman/issues/12778
 ## Technical debt and next steps
 <!--