Documentation

Documentation

Site Replication Overview

Table of Contents

Site replication configures multiple independent MinIO deployments as a cluster of replicas called peer sites.

Site replication assumes the use of either the included MinIO identity provider (IDP) or an external IDP. All configured deployments must use the same IDP. Deployments using an external IDP must use the same configuration across sites.

Overview

What Replicates Across All Sites

Each MinIO deployment (“peer site”) synchronizes the following changes across the other peer sites:

  • Creation, modification, and deletion of buckets and objects, including

  • Creation and deletion of IAM users, groups, policies, and policy mappings to users or groups (for LDAP users or groups)

  • Creation of Security Token Service (STS) credentials for session tokens verifiable from the local root credentials

  • Creation and deletion of access keys (except those owned by the root user)

Site replication enables bucket versioning for all new and existing buckets on all replicated sites.

What Does Not Replicate Across Sites

MinIO deployments in a site replication configuration do not replicate the creation or modification of the following items:

Initial Site Replication Process

After enabling site replication, identity and access management (IAM) settings sync in the following order:

  1. Policies

  2. User accounts (for local users)

  3. Groups

  4. Access Keys

    Access Keys for root do not sync.

  5. Policy mapping for synced user accounts

  6. Policy mapping for Security Token Service (STS) users

  1. Policies

  2. Access Keys associated to OIDC accounts with a valid MinIO Policy. root access keys do not sync.

  3. Policy mapping for synced user accounts

  4. Policy mapping for Security Token Service (STS) users

  1. Policies

  2. Groups

  3. Access Keys associated to LDAP accounts with a valid MinIO Policy. root access keys do not sync.

  4. Policy mapping for synced user accounts

  5. Policy mapping for Security Token Service (STS) users

After the initial synchronization of data across peer sites, MinIO continually replicates and synchronizes replicable data among all sites as they occur on any site.

Site Healing

Any MinIO deployment in the site replication configuration can resynchronize damaged replica-eligible data from the peer with the most updated (“latest”) version of that data.

Changed in version RELEASE.2022-08-11T04-37-28Z: Failed or pending replications requeue automatically when performing any GET or HEAD API method. For example, using mc stat, mc cat, or mc ls commands after a site comes back online prompts healing to requeue.

Changed in version RELEASE.2022-12-02T23-48-47Z: If one site loses data for any reason, resynchronize the data from another healthy site with mc admin replicate resync. This launches an active process that resynchronizes the data without waiting for the passive MinIO scanner to recognize the missing data.

Prerequisites

One Site with Data at Setup

Only one site can have data at the time of setup. The other sites must be empty of buckets and objects.

After configuring site replication, any data on the first deployment replicates to the other sites.

All Sites Must Use the Same IDP

All sites must use the same Identity Provider. Site replication supports the included MinIO IDP, OIDC, or LDAP.

Access to the Same Encryption Service

For SSE-S3 or SSE-KMS encryption via Key Management Service (KMS), all sites must have access to a central KMS deployment.

You can achieve this with a central KES server or multiple KES servers (say one per site) connected via a central supported key vault server.

Load Balancers Installed on Each Multi-Node Site

When replicating to multi-node sites, use the URL or IP address of the site’s load balancer, reverse proxy, or similar network control plane component which automatically routes requests to nodes in the deployment.

Using a single node for configuring site replication creates a single point of failure, where that node being offline results in replication failure.

Switch to Site Replication from Bucket Replication

Bucket replication and multi-site replication are mutually exclusive. You cannot use both replication methods on the same deployments.

If you previously set up bucket replication and wish to now use site replication, you must first delete all of the bucket replication rules on the deployment that has data when initializing site replication. Use mc replicate rm on the command line or the MinIO Console to remove bucket replication rules.

Only one site can have data when setting up site replication. All other sites must be empty.

Tutorials

Configure Site Replication

  1. Deploy two or more separate MinIO sites, using the same Identity Provider for each site

    Only one site can have any buckets or objects on it. The other site(s) must be empty.

  2. In a browser, access the Console for the site with data (if any)

    For example, https://<addressforsite>:9000

    Replace <addressforsite> with the hostname or IP address of the load balancer, reverse proxy, or similar control plane that manages connections to the MinIO deployment.

  3. Select Settings, then Site Replication

    MinIO Console menu with the Settings heading expanded to show Site Replication
  4. Select Add Sites +

    MinIO Console's Add Sites for Replication screen
  5. Complete the requested information:

    This Site:

    • Site Name

      A name or other identifying text to associate to the site.

    • Endpoint

      (required) The hostname or IP of the load balancer managing connections to the site.

    • Access Key

      (required) The user name for root to use for signing in to the site.

    • Secret Key

      (required) The password for root to use for signing in to the site.

    Peer Sites:

    • Site Name

      A name or other identifying text to associate to the site.

    • Endpoint

      (required) The hostname or IP of the load balancer managing connections to the site.

    • Access Key

      (required) The user name for root for the peer site to use for signing in to the site.

    • Secret Key

      (required) The password for root for the peer site to use for signing in to the site.

    When replicating to multi-node sites, use the URL or IP address of the site’s load balancer, reverse proxy, or similar network control plane component which automatically routes requests to nodes in the deployment.

    Using a single node for configuring site replication creates a single point of failure, where that node being offline results in replication failure.

    To add additional sites beyond two, select the + button to the side of one of the Site entries. To remove a site previously added, select the - button to the side of the site.

    Site replication adds a svcacct under the root user of each site to perform replication activities.

  6. Select Save

  7. Select Replication Status button to verify replication has completed across peer sites.

    Any replicable data that exists should show as successfully synced.

    For more on reviewing site replication, see the Site Replication Status tutorial.

The following steps create a new site replication configuration for three distributed deployments. One of the sites contains replicable data.

The three sites use aliases, minio1, minio2, and minio3, and only minio1 contains any data.

  1. Deploy three or more separate MinIO sites, using the same IDP

    Start with empty sites or have no more than one site with any replicable data.

  2. Configure an alias for each site

    When replicating to multi-node sites, use the URL or IP address of the site’s load balancer, reverse proxy, or similar network control plane component which automatically routes requests to nodes in the deployment.

    Using a single node for configuring site replication creates a single point of failure, where that node being offline results in replication failure.

    For example, for three MinIO sites, you might create aliases minio1, minio2, and minio3.

    Use mc alias set to define the hostname or IP of the load balancer managing connections to the site.

    mc alias set minio1 https://minio1.example.com:9000 adminuser adminpassword
    mc alias set minio2 https://minio2.example.com:9000 adminuser adminpassword
    mc alias set minio3 https://minio3.example.com:9000 adminuser adminpassword
    

    or define environment variables

    export MC_HOST_minio1=https://adminuser:adminpassword@minio1.example.com
    export MC_HOST_minio2=https://adminuser:adminpassword@minio2.example.com
    export MC_HOST_minio3=https://adminuser:adminpassword@minio3.example.com
    
  3. Add site replication configuration

    mc admin replicate add minio1 minio2 minio3
    

    If all sites are empty, the order of the aliases does not matter. If one of the sites contains any replicable data, you must list it first.

    No more than one site can contain any replicable data.

  4. Query the site replication configuration to verify

    mc admin replicate info minio1
    

    You can use the alias for any peer site in the site replication configuration.

  5. Query the site replication status to confirm any initial data has replicated to all peer sites.

    mc admin replicate status minio1
    

    You can use the alias for any of the peer sites in the site replication configuration. The output should say that all replicable data is in sync.

    The output could resemble the following:

    Bucket replication status:
    ●  1/1 Buckets in sync
    
    Policy replication status:
    ●  5/5 Policies in sync
    
    User replication status:
    No Users present
    
    Group replication status:
    No Groups present
    

    For more on reviewing site replication, see the Site Replication Status tutorial.

Expand Site Replication

You can add more sites to an existing site replication configuration.

The new site must meet the following requirements:

  • Site is fully deployed and accessible by hostname or IP

  • Shares the IDP configuration as all other sites in the configuration

  • Uses the same root user credentials as other configured sites

  • Contains no bucket or object data

  1. Deploy a new, empty MinIO site

  2. In a browser, access the Console for one of the existing replicated sites

    For example, https://<addressforsite>:9000

  3. Select Settings, then Site Replication

    MinIO Console Site Replication with three sites listed
  4. Select Add Sites +

    MinIO Console's Add Sites for Replication screen
  5. Make the following entries:

    Access Key

    (required) The user name to use for signing in to each site. Should be the same across all sites.

    Secret Key

    (required) The password for the user name to use for signing in to each site. Should be the same across all sites.

    Site Name

    An alias to use for the site name.

    Endpoint

    (required) The hostname or IP of the load balancer managing connections to the site.

    When replicating to multi-node sites, use the URL or IP address of the site’s load balancer, reverse proxy, or similar network control plane component which automatically routes requests to nodes in the deployment.

    Using a single node for configuring site replication creates a single point of failure, where that node being offline results in replication failure.

    To add additional sites beyond two, select the + button to the side of the last Site entry.

  6. Select Save

  1. Deploy three or more separate MinIO sites, using the same external IDP

    Only one site can have any buckets or objects on it. The other sites must be empty.

  2. Configure an alias for each site

    When replicating to multi-node sites, use the URL or IP address of the site’s load balancer, reverse proxy, or similar network control plane component which automatically routes requests to nodes in the deployment.

    Using a single node for configuring site replication creates a single point of failure, where that node being offline results in replication failure.

    To check the existing aliases, use mc alias list.

    For example, for three MinIO sites, you might create aliases minio1, minio2, and minio3.

    Use mc alias set to define the hostname or IP of the load balancer managing connections to the site.

    mc alias set minio1 https://minio1.example.com:9000 adminuser adminpassword
    mc alias set minio2 https://minio2.example.com:9000 adminuser adminpassword
    mc alias set minio3 https://minio3.example.com:9000 adminuser adminpassword
    

    or define environment variables

    export MC_HOST_minio1=https://adminuser:adminpassword@minio1.example.com
    export MC_HOST_minio2=https://adminuser:adminpassword@minio2.example.com
    export MC_HOST_minio3=https://adminuser:adminpassword@minio3.example.com
    
  3. Add site replication configuration

    List all existing replicated sites first, then list the new site(s) to add. In this example, minio1, minio2, and minio3 are already configured for replication. The command adds minio4 and minio5 as new sites to add to the replication. minio4 and minio5 must be empty.

    mc admin replicate add minio1 minio2 minio3 minio4 minio5
    
  4. Query the site replication configuration to verify

    mc admin replicate info minio1
    

Modify a Site’s Endpoint

If a peer site changes its hostname, you can modify the replication configuration to reflect the new hostname.

  1. In a browser, access the Console for one of the replicated sites

    For example, https://<addressforsite>:9000

  2. Select Settings, then Site Replication

  3. Select the pencil Edit icon to the side of the site to update

    MinIO Console's List of Replicated Sites screen with the edit buttons highlighted
  4. Make the following entries:

    New Endpoint

    (required) The new endpoint address and port to use.

    When replicating to multi-node sites, use the URL or IP address of the site’s load balancer, reverse proxy, or similar network control plane component which automatically routes requests to nodes in the deployment.

    Using a single node for configuring site replication creates a single point of failure, where that node being offline results in replication failure.

    Example of the MinIO Console's Edit Replication Endpoint screen
  5. Select Update

  1. Obtain the site’s Deployment ID with mc admin replicate info

    mc admin replicate info <ALIAS>
    
  2. Update the site’s endpoint with mc admin replicate edit

    mc admin replicate edit ALIAS --deployment-id [DEPLOYMENT-ID] --endpoint [NEW-ENDPOINT]
    

    Replace [DEPLOYMENT-ID] with the deployment ID of the site to update.

    Replace [NEW-ENDPOINT] with the new endpoint for the site.

    When replicating to multi-node sites, use the URL or IP address of the site’s load balancer, reverse proxy, or similar network control plane component which automatically routes requests to nodes in the deployment.

    Using a single node for configuring site replication creates a single point of failure, where that node being offline results in replication failure.

Remove a Site from Replication

You can remove a site from replication at any time. You can re-add the site at a later date, but you must first completely wipe bucket and object data from the site.

  1. In a browser, access the Console for one of the replicated sites

    For example, https://<addressforsite>:9000

  2. Select Settings, then Site Replication

  3. Select the trash can Delete icon to the side of the site to update

    MinIO Console's List of Replicated Sites screen with the delete buttons highlighted
  4. Confirm the site deletion at the prompt by selecting Delete

    Example of the MinIO Console's Edit Replication Endpoint screen

Use mc admin replicate remove

mc admin replicate remove <ALIAS> --all --force

The -all flag removes the site as a peer from all participating sites.

The --force flag is required to removes the site from the site replication configuration.

Review Replication Status

MinIO provides information on replication across the sites for users, groups, policies, or buckets.

The summary information includes the number of Synced and Failed items for each category.

  1. In a browser, access the Console for one of the replicated sites

    For example, https://<addressforsite>:9000

  2. Select Settings, then Site Replication

  3. Select Replication Status

    MinIO Console's Replication status from all Sites screen
  4. (Optional) View the replication status for a specific item

    Select the type of item to view in the View Replication Status for a: dropdown

    Specify the name of the specific Bucket, Group, Policy, or User to view

    Example of replication status for a particular bucket item
  5. (Optional) Update the information by selecting Refresh

Use mc admin replicate status

mc admin replicate status <ALIAS> --<flag> <value>

For example:

  • mc admin replicate status minio3 --bucket images

    Displays the replication status for the images bucket on the minio3 site.

    The output resembles the following:

    ●  Bucket config replication summary for: images
    
    Bucket          | MINIO2          | MINIO3          | MINIO4
    Tags            |                 |                 |
    Policy          |                 |                 |
    Quota           |                 |                 |
    Retention       |                 |                 |
    Encryption      |                 |                 |
    Replication     | ✔               | ✔               | ✔
    
  • mc admin replicate status minio3 --all

    Displays the replication status summary for all replication sites of which minio3 is part.

    The output resembles the following:

    Bucket replication status:
    ●  1/1 Buckets in sync
    
    Policy replication status:
    ●  5/5 Policies in sync
    
    User replication status:
    ●  1/1 Users in sync
    
    Group replication status:
    ●  0/2 Groups in sync
    
    Group           | MINIO2          | MINIO3          | MINIO4
    ittechs         | ✗  in-sync      |                 | ✗  in-sync
    managers        | ✗  in-sync      |                 | ✗  in-sync