12-MinIO-Configuration
faycel edited this page 2026-02-26 21:21:07 +00:00

This page documents the MinIO object storage configuration used in production.

Snapshot date: 2026-02
Stack: data
Image: minio/minio:RELEASE.2025-09-07T16-13-09Z-cpuv1
Mode: Docker Swarm


1. Purpose

MinIO provides S3-compatible object storage for:

  • Mattermost file storage
  • Attachments
  • Media uploads
  • Backup targets (optional)

MinIO runs inside the data stack and is not directly exposed to the internet.


2. Network Isolation

MinIO:

  • Is attached to the internal overlay network
  • Does NOT expose port 9000 publicly
  • Is accessed internally by application services

Verify:

sudo docker service inspect data_minio

Ensure:

  • No published ports
  • Network: internal only

3. Secrets Management

MinIO root credentials are stored as Docker secrets.

Generated files:

swarm/secrets/minio_root_user.txt
swarm/secrets/minio_root_password.txt

Create secrets:

sudo docker secret create minio_root_user swarm/secrets/minio_root_user.txt
sudo docker secret create minio_root_password swarm/secrets/minio_root_password.txt

Inside the container, secrets are mounted at:

/run/secrets/minio_root_user
/run/secrets/minio_root_password

4. Environment Configuration

MinIO uses secret file references:

environment:
  MINIO_ROOT_USER_FILE: /run/secrets/minio_root_user
  MINIO_ROOT_PASSWORD_FILE: /run/secrets/minio_root_password

This keeps the credential values out of the service's environment variables; only the file paths appear there.
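The checks from sections 2 and 4 can be scripted against the JSON that `docker service inspect` prints. The following is an added example, not part of the original page or the project's stack files. It assumes the secrets are attached under the names created in section 3, and the embedded sample is constructed and deliberately misconfigured:

```python
import json
import sys

# Constructed, deliberately misconfigured `docker service inspect` output,
# trimmed to the fields checked below; not taken from this deployment.
SAMPLE = json.dumps([{
    "Spec": {
        "Name": "data_minio",
        "TaskTemplate": {"ContainerSpec": {
            "Env": ["MINIO_ROOT_USER_FILE=/run/secrets/minio_root_user",
                    "MINIO_ROOT_PASSWORD=constructed-placeholder"],
            "Secrets": [{"SecretName": "minio_root_user"}],
        }},
        "EndpointSpec": {"Ports": [{"Protocol": "tcp", "TargetPort": 9000,
                                    "PublishedPort": 9000}]},
    },
    "Endpoint": {"Ports": [{"Protocol": "tcp", "TargetPort": 9000,
                            "PublishedPort": 9000}]},
}])
FILE_VARS = {"MINIO_ROOT_USER_FILE": "minio_root_user",
             "MINIO_ROOT_PASSWORD_FILE": "minio_root_password"}


def audit_service(inspect_json):
    """Return findings for the JSON array printed by `docker service inspect`."""
    findings = []
    for svc in json.loads(inspect_json):
        spec = svc.get("Spec", {})
        name = spec.get("Name", "?")
        cspec = spec.get("TaskTemplate", {}).get("ContainerSpec", {})
        # A published port may show in the requested spec or the live endpoint.
        ports = (spec.get("EndpointSpec", {}).get("Ports") or []) \
            + (svc.get("Endpoint", {}).get("Ports") or [])
        for port in sorted({p["PublishedPort"] for p in ports if p.get("PublishedPort")}):
            findings.append(f"{name}: port {port} is published")
        env = dict(e.split("=", 1) for e in cspec.get("Env") or [] if "=" in e)
        attached = {s.get("SecretName") for s in cspec.get("Secrets") or []}
        for var, secret in FILE_VARS.items():
            inline = var[:-len("_FILE")]  # e.g. MINIO_ROOT_PASSWORD
            if inline in env:
                findings.append(f"{name}: {inline} set inline in the environment")
            if env.get(var) != f"/run/secrets/{secret}":
                findings.append(f"{name}: {var} does not point at /run/secrets/{secret}")
            if secret not in attached:
                findings.append(f"{name}: secret {secret} is not attached")
    return findings


if __name__ == "__main__":
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    problems = audit_service(piped.strip() or SAMPLE)
    print("\n".join(problems) or "OK: nothing published, credentials come from secrets")
```

To check the live service, pipe the output of `sudo docker service inspect data_minio` into the script; with no input it audits the constructed sample.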


5. Persistent Storage

MinIO data must be stored in a Docker volume.

Verify volume:

sudo docker volume ls

Inspect volume:

sudo docker volume inspect <minio_volume>

Data directory inside container:

/data

Persistent storage is critical to prevent object loss.


6. Initial Access

Access the MinIO console via the Nginx reverse proxy:

https://minio.your-domain.com

Log in using the root credentials.


7. Bucket Creation

Create the required buckets manually, either via the console or using mc.

Typical bucket:

  • mattermost

Set bucket policy according to application requirements.


8. Mattermost Integration

Mattermost must be configured with:

MinIO is resolved internally using Swarm DNS.


9. Verify Service

Check service:

sudo docker service ls | grep minio

Check logs:

sudo docker service logs data_minio

Verify internal connectivity:

sudo docker exec -it <apps_container> ping data_minio

10. Security Notes

  • Do not expose MinIO directly to the internet unless required.
  • Always use strong root credentials.
  • Create dedicated users for applications instead of using root.
  • Back up object storage regularly.
  • Monitor disk usage.

11. Production Rules

  • MinIO must remain internal.
  • Never hardcode credentials in stack files.
  • Always use Docker secrets.
  • Separate object storage from database backups.