Gitlab Backup Strategy Using Minio
set up Minio somewhere
Minio is an object storage server compatible with the S3 protocol. Head to https://minio.io/ to learn more.
Hint: You might want to use MINIO_WORM=on to protect against accidental or malicious deletion of your backups.
separate users with IAM policies
Since RELEASE.2018-10-18T00-28-58Z, Minio supports separate users with attached IAM policies. Instead of (or in addition to) using MINIO_WORM=on, you could create a new user and attach a write-only policy:
$ cat gitlab-wo.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::gitlab/*"
      ]
    }
  ]
}
$ mc admin policies add myminio gitlab-wo gitlab-wo.json
Added policy `gitlab-wo` successfully.
$ mc admin users add myminio gitlab $randomkey gitlab-wo
Added used `gitlab` successfully.
Note that only allowing s3:PutObject is not the same as using MINIO_WORM: the user can still overwrite existing files.
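To see offline what gitlab-wo.json actually grants, here is an added example (not part of the original page and not Minio's own code): a simplified IAM-style evaluator run against the policy above. It assumes the usual semantics (explicit Deny wins, default deny, `*` and `?` wildcards) and ignores Condition, Principal and NotAction; the function names are hypothetical, and the object key is the backup file from the listing on this page.

```python
import json
import re

# The write-only policy from this page (gitlab-wo.json).
GITLAB_WO = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["s3:PutObject"],
                "Resource": ["arn:aws:s3:::gitlab/*"]}]}
""")

BUCKET = "arn:aws:s3:::gitlab"
# Key of a backup that already exists in the bucket (from the listing on this page).
EXISTING = BUCKET + "/1532695658_2018_07_27_10.8.4_gitlab_backup.tar"
CHECKS = [("s3:PutObject", EXISTING), ("s3:GetObject", EXISTING),
          ("s3:DeleteObject", EXISTING), ("s3:ListBucket", BUCKET),
          ("s3:DeleteBucket", BUCKET)]


def _as_list(value):
    """Policy fields may hold a single string/object or a list of them."""
    return list(value) if isinstance(value, list) else [value] if value else []


def _glob(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.DOTALL) is not None


def is_allowed(policy, action, resource):
    """Explicit Deny wins, then any matching Allow, otherwise default deny."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        # Action names compare case-insensitively, resource ARNs do not.
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed


def audit(policy):
    """Map each checked action to whether the policy permits it."""
    return {action: is_allowed(policy, action, res) for action, res in CHECKS}


if __name__ == "__main__":
    for action, ok in audit(GITLAB_WO).items():
        print(f"{action:16} {'ALLOW' if ok else 'deny'}")
    # PutObject on EXISTING is allowed: an overwrite is the same action as a first upload.
```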
configure Gitlab Omnibus
Add the following to your /etc/gitlab/gitlab.rb:
gitlab_rails['backup_upload_connection'] = {
  'provider' => 'AWS',
  'aws_access_key_id' => 'YOUR-ACCESS-KEY-OR-USERNAME-HERE',
  'aws_secret_access_key' => 'YOUR-SECRET-KEY-HERE',
  'endpoint' => 'https://minio.yourdomain.com:9000',
  'path_style' => true
}
gitlab_rails['backup_upload_remote_directory'] = 'gitlab'
Note the addition of 'path_style' => true and the endpoint URL.
The bucket gitlab should exist already:
$ mc mb myminio/gitlab
Bucket created successfully `myminio/gitlab`.
Afterwards run gitlab-ctl reconfigure as usual and launch a backup with gitlab-rake gitlab:backup:create to verify correct operation.
$ mc ls myminio/gitlab
[2018-07-27 14:47:48 CEST] 288MiB 1532695658_2018_07_27_10.8.4_gitlab_backup.tar