New Single Node Multi Disk Deployment: ROOT login from env vars not accepted on login. #20078

teward · 2024-07-11T21:07:45Z

teward
Jul 11, 2024

The expected behavior in the system is that we would have the username and password set in MINIO_ROOT_USER and MINIO_ROOT_PASSWORD from /etc/default/minio as documented in https://min.io/docs/minio/linux/operations/install-deploy-manage/deploy-minio-single-node-multi-drive.html for accepting console login.

Note that this is a fresh installation so this should Just Work with instructions, but it fails.

Expected Behavior

The expected behavior is that we would be logged in with whatever we set for MINIO_ROOT_USER and MINIO_ROOT_PASSWORD.

Current Behavior

Attempting to login with the root user and password immediately gives us an "Invalid Login" for the credentials specified in MINIO_ROOT_USER and MINIO_ROOT_PASSWORD

Possible Solution

No solution, this has cropped up in the most recent installation version of MinIO server.

Steps to Reproduce (for bugs)

Follow instructions at https://min.io/docs/minio/linux/operations/install-deploy-manage/deploy-minio-single-node-multi-drive.html to set up MinIO, use .deb installer with latest .deb from the downloads system, using Ubuntu 24.04.
Set up NGINX reverse proxy per https://min.io/docs/minio/linux/integrations/setup-nginx-proxy-with-minio.htmlhttps://min.io/docs/minio/linux/integrations/setup-nginx-proxy-with-minio.html
Make sure that /etc/default/minio has MINIO_ROOT_USER and MINIO_ROOT_PASSWORD set up.
Make sure that you set the console URL to something like console. for your testing. Also make sure you have SSL enabled (even if you use snakeoil certs with NGINX).
Attempt to login with MINIO_ROOT_USER and MINIO_ROOT_PASSWORD.

Context

This prevents logging into the MinIO panel as an admin. This iwas on a clean installation, so bucket config, etc. is expected to be doable via root access on the console.

Regression

MAJOR Regression
Unsure where this issue became introduced for new installs.

Your Environment

Version used (minio --version):

minio version RELEASE.2024-07-10T18-41-49Z (commit-id=6c6f0987dc04c942c33a2a90ffbe7075c0e2e5eb)
Runtime: go1.22.5 linux/amd64
License: GNU AGPLv3 - https://www.gnu.org/licenses/agpl-3.0.html
Copyright: 2015-2024 MinIO, Inc.

Server setup and configuration: Single Node Multi Drive with NGINX Reverse Proxy. Service started/stopped with SystemD from the Ubuntu .DEB binary package published by MinIO
Operating System and version (uname -a): Ubuntu 24.04 LTS - Linux ubuntu 6.8.0-38-generic #38-Ubuntu SMP PREEMPT_DYNAMIC Fri Jun 7 15:25:01 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Answered by harshavardhana

Jul 12, 2024

Is your browser URL domain resolvable from the MinIO node? And Is it trusted via curl?

View full answer

marktheunissen · 2024-07-12T00:47:29Z

marktheunissen
Jul 12, 2024
Collaborator

Hi @teward this is likely to be an issue somewhere with your environment configuration.

MinIO is reading the environment variables correctly, this is easy to confirm on the latest version of the binary:

$ MINIO_ROOT_USER=testenvvar MINIO_ROOT_PASSWORD=testenvpass ~/src/minio/minio server  --console-address=":9001"  /mnt/minio{1...4}
MinIO Object Storage Server
Copyright: 2015-2024 MinIO, Inc.
License: GNU AGPLv3 - https://www.gnu.org/licenses/agpl-3.0.html
Version: DEVELOPMENT.2024-07-11T23-13-15Z (go1.22.4 linux/amd64)

API: http://192.168.86.164:9500  http://100.111.197.108:9500  http://10.42.0.1:9500  http://10.42.0.0:9500  http://127.0.0.1:9500
   RootUser: testenvvar
   RootPass: testenvpass

See how MINIO_ROOT_USER was passed and is reported back to me by the startup logs RootUser: testenvvar.

How are you starting MinIO? The .deb installer drops a systemd template which reads the /etc/default/minio file. The MinIO binary does not read this file itself, so if you aren't starting MinIO using systemd, it will not pick up the variables from that file automatically.

$ cat /lib/systemd/system/minio.service
...
EnvironmentFile=-/etc/default/minio
...

0 replies

teward · 2024-07-12T00:51:12Z

teward
Jul 12, 2024
Author

@marktheunissen Disclaimer: I'm a fluent Ubuntu sysadmin, and know the .deb uses the SystemD service. Which is the service in use here, so it's being loaded automatically by SystemD.

I should note that the SystemD binary does not dump RootUser/RootPass to logs - probably for security reasons. We set up a version of MinIO on the 4th last week on the older versions and such that were available for download at the time and it Just Worked. Same defaults settings (except different domain), same NGINX reverse proxy setup.

I don't have that binary here (because it's on a secure network segment I can't exfil data from right now from here), but it seems this is a brand new issue compared to those versions.

0 replies

marktheunissen · 2024-07-12T01:00:10Z

marktheunissen
Jul 12, 2024
Collaborator

Ok, start by confirming that MinIO has loaded the correct env:

$ sudo cat /proc/<pidnumber>/environ | tr '\0' '\n' | grep ROOT
MINIO_ROOT_PASSWORD=rootpass
MINIO_ROOT_USER=roottest

If it has the correct env vars, use mc and/or the console (directly connect to the MinIO port), and try authenticate using those creds.

If all that works, then the problem would be more likely to be coming from the nginx config? Just start by eliminating things.

0 replies

harshavardhana · 2024-07-12T01:03:24Z

harshavardhana
Jul 12, 2024
Maintainer

4. Make sure that you set the console URL to something like console. for your testing. Also make sure you have SSL enabled (even if you use snakeoil certs with NGINX).

Can you share what you are doing here?

The latest release is running on https://play.min.io which hosts nginx and then directs the traffic to MinIO on port 9500

nginx.conf

server {
 listen 443 ssl;
 ssl_certificate /home/minio/.minio/certs/public.crt;
 ssl_certificate_key /home/minio/.minio/certs/private.key;
 server_name play.min.io play.minio.io;

 # To allow special characters in headers
 ignore_invalid_headers off;
 # Allow any size file to be uploaded.
 # Set to a value such as 1000m; to restrict file size to a specific value
 client_max_body_size 100m;
 # To disable buffering
 proxy_buffering off;

 location / {
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme;
   proxy_set_header Host $http_host;
   proxy_set_header X-NginX-Proxy true;

   # This is necessary to pass the correct IP to be hashed
   real_ip_header X-Real-IP;
   
   proxy_connect_timeout 300;
   # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
   proxy_http_version 1.1;
   proxy_set_header Connection "";
   chunked_transfer_encoding off;

   proxy_pass https://127.0.0.1:9500; # If you are using docker-compose this would be the hostname i.e. minio
 }
}

server {
 listen 9443 ssl;
 ssl_certificate /home/minio/.minio/certs/public.crt;
 ssl_certificate_key /home/minio/.minio/certs/private.key;
 server_name play.min.io play.minio.io;

 # To allow special characters in headers
 ignore_invalid_headers off;
 # Allow any size file to be uploaded.
 # Set to a value such as 1000m; to restrict file size to a specific value
 client_max_body_size 100m;
 # To disable buffering
 proxy_buffering off;

 location / {
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme;
   proxy_set_header Host $http_host;
   proxy_set_header X-NginX-Proxy true;

   # This is necessary to pass the correct IP to be hashed
   real_ip_header X-Real-IP;

   proxy_connect_timeout 300;

   # To support websocket
   proxy_http_version 1.1;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "upgrade";

   chunked_transfer_encoding off;

   proxy_pass https://127.0.0.1:9001; # If you are using docker-compose this would be the hostname i.e. minio
 }
}

I suspect something to do with using some snake oil certificates here, so please describe whether this URL that is set is trusted, etc.

Also share your /etc/default/minio

play root credentials

mc alias list play
play
  URL       : https://play.min.io
  AccessKey : Q3AM3UQ867SPQQA43P2F
  SecretKey : zuf tfteSlswRu7BJ86wekitnifILbZam1KYY3TG
  API       : S3v4
  Path      : auto

0 replies

teward · 2024-07-12T01:09:50Z

teward
Jul 12, 2024
Author

@harshavardhana Here's some extra stuff here:

NGINX frontend config (local access only on my development network!)

upstream minio_s3 {
        least_conn;
        server localhost:9500;
}

upstream minio_console {
        least_conn;
        server localhost:9001;
}

server {
        listen 80;

        server_name *.minio.dev.test minio.dev.test;

        return 301 https://$host$request_uri;
}

server {
        listen 443 ssl;
        server_name minio.dev.test;

        include /etc/nginx/snippets/minio_ssl.conf;

        # Allow special characters in headers
        ignore_invalid_headers off;

        # Allow any size file for upload.
        # Set to a value such as 1000M to restrict to specific values.
        client_max_body_size 0;

        # Disable buffering
        proxy_buffering off;
        proxy_request_buffering off;

        location / {
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;

                proxy_connect_timeout 300;
                # Default is HTTP/1, keepalive only in HTTP/1.1
                proxy_http_version 1.1;
                proxy_set_header Connection "";
                chunked_transfer_encoding off;

                proxy_pass http://minio_s3;
        }
}

server {
        listen 443 ssl;
        server_name console.minio.dev.test;

        include /etc/nginx/snippets/minio_ssl.conf;

        # Allow special characters in headers
        ignore_invalid_headers off;

        # Allow any size file for upload.
        client_max_body_size 0;

        # Disable buffering
        proxy_buffering off;
        proxy_request_buffering off;

        location / {
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-NginX-Proxy true;

                # This is necessary to pass the correct IP to be hashed
                real_ip_header X-Real-IP;

                proxy_connect_timeout 300;

                # To support websocket
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";

                chunked_transfer_encoding off;

                proxy_pass http://minio_console/;
        }
}

Contents of /etc/nginx/snippets/minio_ssl.conf:

ssl_certificate /etc/ssl/_.minio.dev.test/fullchain.pem;
ssl_certificate_key /etc/ssl/_.minio.dev.test/privkey.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY130;
ssl_prefer_server_ciphers off;

The SSL certificates are issued from an internal CA and trusted by the browser.

This is the /etc/default/minio minus redacted items:

# MINIO_ROOT_USER and MINIO_ROOT_PASSWORD sets the root account for the MinIO server.
# This user has unrestricted permissions to perform S3 and administrative API operations on any resource in the deployment.
# Omit to use the default values 'minioadmin:minioadmin'.
# MinIO recommends setting non-default values as a best practice, regardless of environment.

MINIO_ROOT_USER=REDACTED
MINIO_ROOT_PASSWORD=REDACTED

# MINIO_VOLUMES sets the storage volumes or paths to use for the MinIO server.
# The specified path uses MinIO expansion notation to denote a sequential series of drives between 1 and 4, inclusive.
# All drives or paths included in the expanded drive list must exist *and* be empty or freshly formatted for MinIO to start successfully.

MINIO_VOLUMES="/minio/data{1...2}"

# MINIO_OPTS sets any additional commandline options to pass to the MinIO server.
# For example, `--console-address :9001` sets the MinIO Console listen port
MINIO_OPTS="--console-address :9001"

# MINIO_SERVER_URL sets the hostname of the local machine for use with the MinIO Server.
# MinIO assumes your network control plane can correctly resolve this hostname to the local machine.

# Uncomment the following line and replace the value with the correct hostname for the local machine.

MINIO_SERVER_URL="https://minio.dev.test"
MINIO_BROWSER_REDIRECT_URL="https://console.minio.dev.test"

Since this is being managed from SystemD, I confirmed per @marktheunissen and their suggestion of introspecting the env vars that the MINIO_ROOT_USER and MINIO_ROOT_PASSWORD are being set in the process's environment as entered.

Using these credentials from the command line with the corresponding 'local' alias (yes I set these creds!) works without issue and I can do all command operations (it seems) with the command line.

NGINX config is nearly identical to what @harshavardhana has shared except that it's on port 443 on the NGINX side and handed off to 9001 internally for the minio config just for the console domain.

0 replies

harshavardhana · 2024-07-12T01:58:03Z

harshavardhana
Jul 12, 2024
Maintainer

Is your browser URL domain resolvable from the MinIO node? And Is it trusted via curl?

1 reply

teward Jul 12, 2024
Author

DERP, i knew I forgot something. Added the domain to the /etc/hosts for the minio node itself, and then added the internal CA to the ca-certificates datastore for cURL.

Once I did that everything Just Worked. Issue solved! Thank you for reviewing my config and pointing me at what I broke!

harshavardhana · 2024-07-12T01:58:37Z

harshavardhana
Jul 12, 2024
Maintainer

This is also more or less a configuration issue. Moving this to discussion.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

New Single Node Multi Disk Deployment: ROOT login from env vars not accepted on login. #20078

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 7 comments 1 reply

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

Select a reply

New Single Node Multi Disk Deployment: ROOT login from env vars not accepted on login. #20078

teward Jul 11, 2024

Expected Behavior

Current Behavior

Possible Solution

Steps to Reproduce (for bugs)

Context

Regression

Your Environment

Replies: 7 comments · 1 reply

marktheunissen Jul 12, 2024 Collaborator

teward Jul 12, 2024 Author

marktheunissen Jul 12, 2024 Collaborator

harshavardhana Jul 12, 2024 Maintainer

teward Jul 12, 2024 Author

harshavardhana Jul 12, 2024 Maintainer

teward Jul 12, 2024 Author

harshavardhana Jul 12, 2024 Maintainer

teward
Jul 11, 2024

Replies: 7 comments 1 reply

marktheunissen
Jul 12, 2024
Collaborator

teward
Jul 12, 2024
Author

marktheunissen
Jul 12, 2024
Collaborator

harshavardhana
Jul 12, 2024
Maintainer

teward
Jul 12, 2024
Author

harshavardhana
Jul 12, 2024
Maintainer

teward Jul 12, 2024
Author

harshavardhana
Jul 12, 2024
Maintainer