What's new in MinIO AIStor RELEASE.2025-12-20?

Asked by muratkars Answered by muratkars December 19, 2025

MinIO AIStor RELEASE.2025-12-20T04-58-37Z is a major release introducing FIPS 140-3 compliant cryptography, bucket-level QoS enforcement, the new Inventory API, multiple LDAP support, and significant performance improvements.

Answer

This release delivers key enterprise capabilities including enhanced security, workload fairness controls, and operational improvements that simplify management while improving performance.


Features Changed/Deprecated

Global Console → Management Console

What

The Global Console is now the Management Console. This change embeds the graphical console directly into every AIStor (MinIO) server instance.

Key changes:

  • The console is built into every deployment by default
  • Works consistently across bare metal, Kubernetes, and container environments
  • Console and server versions always match
  • No external setup or installation required
  • No remote registration or cross-cluster wiring required

Availability

Already available with AIStor releases.

Why

The motivation behind this change was to simplify and improve the management experience for customers. By embedding the console in every server instance, we remove complexity, reduce points of failure, and ensure consistent behavior across all environments.

The previous Global Console:

  • Did not provide true centralization—users still had to switch between clusters
  • Required separate installation, infrastructure, and high availability setup
  • Encountered firewall and token issues across sites
  • Consumed engineering resources without delivering proportional customer value
  • mc already provided global control capabilities (cross-cluster operations, replication setup, migration workflows)

What This Means for Customers

  • Easier deployment and onboarding with no separate console to install or maintain
  • Fewer compatibility issues between console and server versions
  • More reliable and predictable management experience across all environments
  • Less operational effort and fewer dependencies
  • Immediately usable console everywhere MinIO runs

Firewall → QoS (Quality of Service)

What

The original Firewall feature has been restructured and is now delivered as QoS (Quality of Service) plus API filtering within IAM and bucket policies.

Key changes:

  • API filtering moved into IAM and bucket policies providing a single, unified way to enforce security
  • QoS functionality integrated into the core server with bucket-level enforcement
  • Token bucket-based rate limiting with configurable burst limits
  • Concurrent request restrictions with priority-based rules and prefix matching
  • Comprehensive Prometheus metrics for monitoring throttling behavior
  • The standalone Firewall component has been removed

This provides:

  • A cleaner architecture with fewer moving parts
  • Consistent behavior across bare-metal and Kubernetes deployments
  • Simpler management for administrators

Availability

  • API filtering within IAM and bucket policies: Already available
  • QoS: Available in this release (RELEASE.2025-12-20)

Why

We made this change to simplify the architecture and provide a more consistent and reliable experience across environments.

Moving API filtering to IAM creates a single, unified mechanism for access control. IAM and bucket policies already define who can access what—consolidating access control there removes duplication and fragmentation.

Integrating QoS into the core MinIO server reduces complexity and removes extra components. QoS solves the “noisy neighbor” problem by ensuring that heavy or abusive workloads cannot degrade performance for others. Because QoS understands the cost of each S3 API call, it can apply precise limits based on workload behavior, not just raw bandwidth.

What This Means for Customers

  • Simpler management with fewer moving parts
  • Consistent behavior across bare-metal and Kubernetes
  • Better performance fairness across users and tenants
  • More predictable performance under load
  • No need to deploy or maintain a separate Firewall component
  • Stronger and more unified access control through IAM and bucket policies
  • Finer control than traditional throttling mechanisms in multi-tenant or mixed workload environments

Catalog → Inventory

What

Catalog has been redesigned as a batch processing system optimized for large namespaces. Renamed as Inventory API, the new design:

  • Scans the entire namespace efficiently
  • Applies filters during the scan
  • Saves only matching entries, keeping it scalable and resource-efficient
  • Handles petabyte to exabyte scale
  • Produces results in Parquet format, widely supported by query and analytics engines
  • Allows customers to use any external SQL or analytics tool to explore results
  • Fully compatible with the Amazon S3 Inventory API with richer filtering and higher performance

Key capabilities:

  • Comprehensive inventory APIs with scheduling (hourly through yearly)
  • Job control operations (cancel, suspend, resume)
  • LastUpdate timestamp tracking
  • Structured, query-friendly output format

Availability

Inventory API is available in this release (RELEASE.2025-12-20).

Why

Previous catalog approaches using interactive GraphQL did not scale and could not support real analytical workloads. Interactive GraphQL lacked power, scalability, and real analytical depth for large namespaces with massive metadata footprints.

By redesigning this as a batch processing system, Inventory can handle massive metadata sets reliably and integrate with existing analytics tools.

What This Means for Customers

  • Powerful metadata exports for very large datasets (petabyte to exabyte scale)
  • Easier reporting, compliance, audit, and analytics workflows
  • Use any external tool (SQL engines, data warehouses, BI systems)
  • Better performance and flexibility than previous Catalog versions
  • No dependency on MinIO-specific query interfaces
  • S3 Inventory API compatibility for familiar workflows

New Features

FIPS 140-3 Compliant Cryptography

What

This release introduces FIPS 140-3 enforcement with weak SSH/SFTP algorithms (DH-SHA1, RC4) blocked by default.

To restore legacy behavior if needed:

export MINIO_API_SECURE_CIPHERS=off

Availability

Available in this release.

Why

FIPS 140-3 compliance is required for many government and regulated industry deployments. Blocking weak algorithms by default improves the security posture of all deployments.

What This Means for Customers

  • Federal and regulatory compliance out of the box
  • Stronger default security for all deployments
  • SFTP clients using legacy ciphers will need updates or explicit opt-out
  • Available as FIPS-specific builds for linux-amd64
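A pre-upgrade check for the SFTP client impact described above, as an added example that is not MinIO code: it reads an OpenSSH client's effective configuration (the output of `ssh -G <host>`) and lists any SHA-1 Diffie-Hellman key exchanges or RC4 ciphers the client would offer. The mapping of the page's "DH-SHA1" and "RC4" to the OpenSSH algorithm names below is an assumption, and the sample input and host name are constructed.

```shell
#!/bin/sh
# Assumption: "DH-SHA1" and "RC4" on the page correspond to these OpenSSH
# algorithm names. The server's exact blocklist is not given on the page.
LEGACY_KEX="diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1"
LEGACY_CIPHERS="arcfour arcfour128 arcfour256"

# legacy_algos: reads `ssh -G` output on stdin and prints one "kind:name"
# line per legacy algorithm the client offers. Prints nothing for a clean client.
legacy_algos() {
    while read -r key value; do
        case "$key" in
            kexalgorithms) kind=kex;    legacy=$LEGACY_KEX ;;
            ciphers)       kind=cipher; legacy=$LEGACY_CIPHERS ;;
            *) continue ;;
        esac
        # The value is a comma-separated, ordered list of algorithm names.
        for offered in $(printf '%s' "$value" | tr ',' ' '); do
            for bad in $legacy; do
                if [ "$offered" = "$bad" ]; then
                    printf '%s:%s\n' "$kind" "$offered"
                fi
            done
        done
    done
}

# check_host: run the check against the effective client config for one host.
check_host() {
    ssh -G "$1" | legacy_algos
}

# Constructed sample of `ssh -G` output (hypothetical host, trimmed to a few keys).
sample_ssh_g_output() {
    cat <<'EOF'
hostname sftp.example.internal
port 8022
ciphers aes256-gcm@openssh.com,aes128-ctr,arcfour256
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
macs hmac-sha2-256
EOF
}

# Demo on the constructed sample: reports the RC4 cipher and the SHA-1 key exchange.
sample_ssh_g_output | legacy_algos
```

Any output from `check_host` means the client still offers a legacy algorithm; whether a given connection fails depends on whether the client and server still share a non-legacy algorithm.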

Multiple LDAP Configurations

What

Support for connecting to multiple LDAP servers simultaneously for identity management.

Key capabilities:

  • Connect to multiple LDAP directories
  • Improved organizational structure flexibility
  • Site replication compatibility
  • Console UI login support forthcoming

Availability

Available in this release.

Why

Enterprise environments often have complex identity infrastructures with multiple LDAP directories across different organizational units, regions, or merged entities. Supporting multiple LDAP configurations provides the flexibility these environments require.

What This Means for Customers

  • Flexible identity management for complex organizational structures
  • Support for multi-domain environments without consolidation
  • Easier site replication across different identity boundaries
  • Reduced complexity in managing access across organizational units

Extended Backend Format

What

New backend format supporting objects with special naming conventions:

  • Double slashes (//)
  • Leading slashes (/foo)
  • Trailing slashes

Uses Unicode-based encoding with BigCache-based LRU caching while maintaining AWS S3 compatibility.

Availability

Available in this release. Note: Extended backend mode cannot be changed post-deployment.

Why

Some workloads and migration scenarios require object names that weren’t previously supported. This extends compatibility while maintaining S3 API compliance.

What This Means for Customers

  • Broader compatibility with existing data and naming conventions
  • Easier migrations from systems with different naming requirements
  • Full S3 compatibility maintained
  • Plan carefully as this setting is permanent once deployed

Storage Protection Enhancements

What

Enhanced storage protection features:

  • Automatic multipart upload checksums for data integrity
  • Kernel-level protection via SELinux/eBPF
  • Drive usage limits to prevent overutilization
  • Read-after-write verification for consistency

Availability

Available in this release.

Why

Data integrity and protection are critical for enterprise storage. These enhancements provide multiple layers of verification and protection.

What This Means for Customers

  • Stronger data integrity guarantees
  • Protection against accidental or malicious data corruption
  • Better resource management with drive usage limits
  • Verified consistency with read-after-write checks

Performance Improvements

Memory and I/O Optimizations

What

Significant performance improvements in this release:

  • Memory allocations reduced ~46% through pooled erasure buffers and decompressors
  • Delete operations reduced disk IOPS ~50% through concurrent operations
  • Parquet writer throughput improved ~45%
  • Hardware-accelerated CRC32C bitrot for ARM64 architectures

Availability

Available in this release.

Why

Performance improvements reduce operational costs and improve user experience, especially at scale.

What This Means for Customers

  • Lower memory footprint for the same workloads
  • Faster delete operations with less disk impact
  • Improved analytics performance with faster Parquet writes
  • Better ARM64 performance for modern infrastructure

Observability Enhancements

56 New v3 Metrics

What

Added 56 new v3 metrics including:

  • Network interface statistics
  • CPU load metrics
  • Real-time replication metrics
  • Time-windowed disk statistics
  • QoS metrics for throttling behavior monitoring

Availability

Available in this release. Drive metrics and logs are still evolving.

Why

Comprehensive observability is essential for operating storage infrastructure at scale. These metrics provide deeper insight into system behavior.

What This Means for Customers

  • Deeper operational visibility into system performance
  • Better capacity planning with detailed resource metrics
  • Proactive issue detection through comprehensive monitoring
  • Integration with existing monitoring systems via Prometheus-compatible endpoints

Tech Preview Features

S3 over RDMA / NVIDIA GPUDirect Storage

What

Support for S3 over RDMA / NVIDIA GPUDirect Storage enables high-speed, direct data movement between storage and GPUs.

Key capabilities:

  • Direct GPU-to-storage data transfer
  • Low-latency, high-throughput data paths
  • Reduced CPU involvement and overhead
  • Improved GPU utilization for training, inference, and preprocessing
  • Full enterprise S3 compatibility

Architecture supports both RDMA and GPUDirect with minimal changes, allowing both GPU and non-GPU applications to use the accelerated path seamlessly.

Availability

Tech preview only. No current plans for GA, primarily due to upstream dependency on NVIDIA’s still-evolving GPUDirect libraries.

Why

This capability addresses a key performance bottleneck in AI and accelerated computing environments. Direct GPU-to-storage transfers enable higher GPU utilization, faster training cycles, and lower CPU load.

What This Means for Customers

  • Early access to cutting-edge accelerated data paths
  • Significant performance improvements for GPU-heavy environments
  • Opportunity to validate workloads and provide feedback
  • Note: This remains tech preview—contact MinIO for working sessions

AIStor Tables (Iceberg Catalog)

What

Native support for Iceberg Catalog REST APIs.

Key capabilities:

  • Iceberg v3 support
  • Views
  • Migration support
  • Integration of IAM policies (making Iceberg catalog a first-class feature)

Features planned post-GA:

  • Maintenance features (compaction, snapshot management, orphaned data expiration)
  • Replication

Availability

Tech preview (confirmed stable as of latest Edge release). Expected GA in January 2025.

Why

Iceberg is becoming the standard for analytics table formats. Native integration with IAM policies provides unified access control and simplifies analytics workflows.

What This Means for Customers

  • Early access to native Iceberg support
  • Opportunity to request features for prioritization
  • Validate workloads and provide feedback during tech preview
  • Unified access control through IAM policy integration

Breaking Changes

Be aware of these breaking changes when upgrading:

| Change | Impact | Mitigation |
|---|---|---|
| FIPS 140-3 enforcement | SFTP clients using legacy ciphers will fail | Update clients or set MINIO_API_SECURE_CIPHERS=off |
| Default root credentials | Disallowed with MINIO_API_ROOT_ACCESS=off | Configure proper credentials |
| Extended backend mode | Cannot be changed post-deployment | Plan deployment configuration carefully |
| Free tier restrictions | Distributed features restricted | Upgrade to commercial license for full features |

Summary

MinIO AIStor RELEASE.2025-12-20 delivers significant improvements across security, performance, and operational simplicity:

  • Simplified management with embedded Management Console
  • Workload fairness with integrated QoS
  • Enterprise-scale inventory with the new Inventory API
  • FIPS 140-3 compliance for regulated environments
  • ~46% memory reduction and ~50% faster deletes
  • 56 new observability metrics
  • Tech preview access to GPU acceleration and Iceberg support

References

For questions about specific features or to schedule demos, contact your MinIO account team.
