MinIO should perform sanity checks at startup about reachability / TLS certificates #3428

Open
ecerulm opened this issue Aug 29, 2024 · 3 comments

ecerulm commented Aug 29, 2024

Is your feature request related to a problem? Please describe.

I did a new setup with 2 minio servers behind an HAProxy. I misconfigured the minio servers with MINIO_SERVER_URL pointing to the "https://haproxyaddress:9000" and the MinIO console was failing to log in any user (I don't know the exact reason since it's not reported by minio, that's why I'm writing this issue).

The MinIO console login failed with a (IMHO, misleading) error message of "Invalid Login", which I think can also be improved (see #3427).

Anyway, my problem went away when I just removed the MINIO_SERVER_URL, but I feel minio could have detected that MINIO_SERVER_URL was "wrong" at startup and reported it directly or even refused to start.

Describe the solution you'd like
At startup minio should do sanity checks for

  • MINIO_SERVER_URL / default address is reachable by the MinIO console, consider reporting these specifically:
    • DNS resolution failures,
    • Connection timeout,
    • TLS certificate validation failure

It should print the result of the checks on the startup log, or even refuse to start.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context

@marktheunissen helped me on Slack with my initial issue, and can probably write down more "sanity checks" that he already has in mind.
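
The three failure classes requested above can be told apart from the error that a single verified TLS dial returns. The sketch below is an added example, not code from MinIO or from anyone in this thread; `classify`, `check` and the class labels are hypothetical names, and it assumes an https `MINIO_SERVER_URL` checked from the host where the Console runs.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"
	"net/url"
	"os"
	"time"
)

// classify names the failure class of a dial/handshake error (labels are this example's own).
func classify(err error) string {
	var dnsErr *net.DNSError
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	var invalid x509.CertificateInvalidError
	var netErr net.Error
	switch {
	case errors.As(err, &dnsErr): // checked first: a DNS error may also be a timeout
		return "dns-resolution-failure"
	case errors.As(err, &unknownCA), errors.As(err, &badHost), errors.As(err, &invalid):
		return "tls-certificate-validation-failure"
	case errors.As(err, &netErr) && netErr.Timeout():
		return "connection-timeout"
	}
	return "unreachable" // refused, reset, no route, ...
}

// check makes one TLS connection to rawURL, verified against the system roots.
func check(rawURL string, timeout time.Duration) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return "invalid-url", fmt.Errorf("%q is not an https URL", rawURL)
	}
	if u.Port() == "" {
		u.Host += ":443"
	}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", u.Host, nil)
	if err != nil {
		return classify(err), err
	}
	return "ok", conn.Close()
}

func main() { // report the class and underlying error for the configured URL
	fmt.Println(check(os.Getenv("MINIO_SERVER_URL"), 5*time.Second))
}
```

Reporting the class in the startup log keeps the detail with the operator, so the login response itself can stay generic.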

@harshavardhana
Member

MinIO server URL is an external URL and it is mostly never resolvable from the MinIO nodes themselves.

This is the most common style in k8s-like deployments where an ingress is not routable.

How would anyone sanity check such environments?

It will always fail. Sanity checks can't be done in such situations.

When you make custom changes like this it is beyond our control.

MINIO_SERVER_URL used to be a requirement but not anymore, our docs may have not caught up - but that's the truth.

This environment is mostly now just vanity and does not warrant any extensive sanity check. It is not useful, it is kept around still for backward compatibility.

marktheunissen transferred this issue from minio/minio Aug 29, 2024
Author

ecerulm commented Aug 29, 2024

> MinIO server URL is an external URL and it is mostly never resolvable from the MinIO nodes themselves.

In that case then MinIO Console won't work ever? So maybe only do that sanity check when --console-address :9001 is provided.
If --console-address :9001 is provided and MINIO_SERVER_URL is not DNS resolvable/reachable, etc., then print a warning saying:

WARNING:  MINIO_SERVER_URL is deprecated, https://xxxxx:9000 not reachable from MinIO console,
if you can't login to MinIO console consider removing MINIO_SERVER_URL so that MinIO Console
connects to the local MinIO address instead.

> How would anyone sanity check such environments?

I guess you can't sanity check everything, I was really after MinIO Console sanity checks that it can reach the MinIO server in particular.

> When you make custom changes like this it is beyond our control.

I understand that it is deprecated and it's my own fault for using it there by following outdated/incorrect instructions that I found on the internet, so I'm not blaming you in any way.

But if I understood right, this happens often enough, so having this kind of warning at startup may solve some frustration when doing the first distributed setup, etc., and maybe save some time on Slack support, etc.

> MINIO_SERVER_URL used to be a requirement but not anymore, our docs may have not caught up - but that's the truth.

Yes, maybe this can be solved by changing the documentation for MINIO_SERVER_URL and saying there that:

If MINIO_SERVER_URL is not reachable from the minio process,
then the MinIO Console won't be able to
login (Invalid Login, after a 10 second wait).

Hopefully this GitHub issue itself will improve the situation, as it will appear on searches for "Invalid Login" on MinIO.

> This environment is mostly now just vanity and does not warrant any extensive sanity check. It is not useful, it is kept around still for backward compatibility.

Sure, but I didn't mean an extensive sanity check, only a check that the MinIO console --console-address :9001 can reach it. If that fails, I believe that is always a real error since you won't be able to log in.

I must stress that nowhere in the logs nor in the response from MinIO console is there any indication that MinIO console can't reach the server. Maybe addressing #3427 would be enough, but if the check is at startup then it would be easier to catch.

@cesnietor
Collaborator

We'll check how to improve the current way we are displaying the login errors. We did a change this year where we hid some errors because we were exposing too much info and it was a security vulnerability, but we can definitely see which ones can have more details to let the user know how to troubleshoot.

Some ideas: for the ones we can't catch too easily we can point to documentation showing how to troubleshoot login errors. For the ones we can catch we should show the proper advice on how to fix it, e.g. check your env variable or check the url is correct, etc.

ravindk89 added a commit to minio/docs that referenced this issue Sep 23, 2024
The MinIO Console currently does not warn the user if the MinIO server
is not reachable. MinIO Console will just say "Invalid Login" when the
MINIO_SERVER_URL is not reachable, which is misleading in the sense that
it will make most people think that the username/password/access key is
incorrect, so I think it should be mentioned in the documentation that
Invalid Login could be just due to connectivity between console and
server.

Related to minio/console#3428 and
minio/console#3427

@marktheunissen

---------

Co-authored-by: Ruben Laguna <ruben.laguna@tele2.com>
Co-authored-by: Ravind Kumar <ravindk89@gmail.com>