diff --git a/Dockerfile b/Dockerfile index 9ab5f0f1c..f48928ce9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,7 +11,7 @@ RUN \ git clone https://github.com/minio/minio && cd minio && \ git checkout master && go install -v -ldflags "$(go run buildscripts/gen-ldflags.go)" -FROM alpine:3.12 +FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3 ENV MINIO_ACCESS_KEY_FILE=access_key \ MINIO_SECRET_KEY_FILE=secret_key \ @@ -22,11 +22,14 @@ ENV MINIO_ACCESS_KEY_FILE=access_key \ EXPOSE 9000 COPY --from=builder /go/bin/minio /usr/bin/minio -COPY --from=builder /go/minio/CREDITS /third_party/ +COPY --from=builder /go/minio/CREDITS /licenses/CREDITS +COPY --from=builder /go/minio/LICENSE /licenses/LICENSE COPY --from=builder /go/minio/dockerscripts/docker-entrypoint.sh /usr/bin/ RUN \ - apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' && \ + microdnf update --nodocs && \ + microdnf install curl ca-certificates shadow-utils util-linux --nodocs && \ + microdnf clean all && \ echo 'hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4' >> /etc/nsswitch.conf ENTRYPOINT ["/usr/bin/docker-entrypoint.sh"] diff --git a/Dockerfile.cicd b/Dockerfile.cicd index ad01bd72c..1d509c9d8 100644 --- a/Dockerfile.cicd +++ b/Dockerfile.cicd 
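Review bot: No `USER` instruction is visible in the runtime stage of the second hunk, and the new RUN block installs `shadow-utils` and `util-linux` so that docker-entrypoint.sh can create an account and drop privileges at start. Per the entrypoint hunk later in this commit, that drop only happens when both MINIO_USERNAME and MINIO_GROUPNAME are set; otherwise `minio` keeps running as root. This is worth stating in the file, e.g. `# Starts as root; docker-entrypoint.sh drops to MINIO_USERNAME:MINIO_GROUPNAME only when both are set.` above `ENTRYPOINT`. Separately, `microdnf update --nodocs` plus unversioned installs on a tag-pinned base (`ubi-minimal:8.3`) make the image contents depend on the build date; pinning the base by digest and dropping the blanket update would keep rebuilds reproducible. The same RUN block appears in the Dockerfile.cicd and Dockerfile.dev hunks, and this Dockerfile continues past the hunk.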
@@ -7,30 +7,35 @@ ENV CGO_ENABLED 0 ENV GO111MODULE on RUN \ - apk add --no-cache git && \ - git clone https://github.com/minio/minio && cd minio && \ - git checkout master && go install -v -ldflags "$(go run buildscripts/gen-ldflags.go)" + apk add --no-cache git && \ + git clone https://github.com/minio/minio && cd minio && \ + git checkout master && go install -v -ldflags "$(go run buildscripts/gen-ldflags.go)" -FROM alpine:3.12 +FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3 + +ARG TARGETARCH ENV MINIO_ACCESS_KEY_FILE=access_key \ - MINIO_SECRET_KEY_FILE=secret_key \ - MINIO_KMS_MASTER_KEY_FILE=kms_master_key \ - MINIO_SSE_MASTER_KEY_FILE=sse_master_key \ - MINIO_UPDATE_MINISIGN_PUBKEY="RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav" + MINIO_SECRET_KEY_FILE=secret_key \ + MINIO_KMS_MASTER_KEY_FILE=kms_master_key \ + MINIO_SSE_MASTER_KEY_FILE=sse_master_key \ + MINIO_UPDATE_MINISIGN_PUBKEY="RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav" EXPOSE 9000 COPY --from=builder /go/bin/minio /usr/bin/minio -COPY --from=builder /go/minio/CREDITS /third_party/ +COPY --from=builder /go/minio/CREDITS /licenses/CREDITS +COPY --from=builder /go/minio/LICENSE /licenses/LICENSE COPY --from=builder /go/minio/dockerscripts/docker-entrypoint.sh /usr/bin/ RUN \ - apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' && \ - echo 'hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4' >> /etc/nsswitch.conf + microdnf update --nodocs && \ + microdnf install curl ca-certificates shadow-utils util-linux --nodocs && \ + microdnf clean all && \ + echo 'hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4' >> /etc/nsswitch.conf ENTRYPOINT ["/usr/bin/docker-entrypoint.sh"] VOLUME ["/data"] -CMD ["minio", "server", "/data"] \ No newline at end of file +CMD ["minio", "server", "/data"] diff --git a/Dockerfile.dev b/Dockerfile.dev index db7cd78cd..ce9a8524d 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev 
@@ -1,22 +1,27 @@ -FROM alpine:3.12 +FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3 + +ARG TARGETARCH LABEL maintainer="MinIO Inc " COPY dockerscripts/docker-entrypoint.sh /usr/bin/ COPY minio /usr/bin/ -COPY CREDITS /third_party/ +COPY CREDITS /licenses/CREDITS +COPY LICENSE /licenses/LICENSE -ENV MINIO_UPDATE off -ENV MINIO_ACCESS_KEY_FILE=access_key \ +ENV MINIO_UPDATE=off \ + MINIO_ACCESS_KEY_FILE=access_key \ MINIO_SECRET_KEY_FILE=secret_key \ MINIO_KMS_MASTER_KEY_FILE=kms_master_key \ MINIO_SSE_MASTER_KEY_FILE=sse_master_key -RUN \ - apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' && \ - echo 'hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4' >> /etc/nsswitch.conf && \ - chmod +x /usr/bin/minio && \ - chmod +x /usr/bin/docker-entrypoint.sh +RUN \ + microdnf update --nodocs && \ + microdnf install curl ca-certificates shadow-utils util-linux --nodocs && \ + microdnf clean all && \ + echo 'hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4' >> /etc/nsswitch.conf && \ + chmod +x /usr/bin/minio && \ + chmod +x /usr/bin/docker-entrypoint.sh EXPOSE 9000 diff --git a/Dockerfile.release b/Dockerfile.release index ab5b429a8..5bccaa119 100644 --- a/Dockerfile.release +++ b/Dockerfile.release 
@@ -1,14 +1,20 @@ -FROM alpine:3.12 +FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3 ARG TARGETARCH -LABEL maintainer="MinIO Inc " +LABEL name="MinIO" \ + vendor="MinIO Inc " \ + maintainer="MinIO Inc " \ + version="RELEASE.2020-11-25T22-36-25Z" \ + release="RELEASE.2020-11-25T22-36-25Z" \ + summary="MinIO is a High Performance Object Storage, API compatible with Amazon S3 cloud storage service." \ + description="MinIO object storage is fundamentally different. Designed for performance and the S3 API, it is 100% open-source. MinIO is ideal for large, private cloud environments with stringent security requirements and delivers mission-critical availability across a diverse range of workloads." ENV MINIO_ACCESS_KEY_FILE=access_key \ MINIO_SECRET_KEY_FILE=secret_key \ MINIO_KMS_MASTER_KEY_FILE=kms_master_key \ MINIO_SSE_MASTER_KEY_FILE=sse_master_key \ - MINIO_UPDATE_MINISIGN_PUBKEY="RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav" + MINIO_UPDATE_MINISIGN_PUBKEY="RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav" COPY dockerscripts/verify-minio.sh /usr/bin/verify-minio.sh COPY dockerscripts/docker-entrypoint.sh /usr/bin/docker-entrypoint.sh 
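Review bot: The `version` and `release` labels are hard-coded to `RELEASE.2020-11-25T22-36-25Z`, while the RUN block in this file's second hunk downloads `release/linux-${TARGETARCH}/minio` with no version in the path, so the label can name a different build than the binary actually in the image. That weakens the label as provenance for scanners and incident response. Feeding both from one build argument, e.g. `ARG RELEASE` followed by `version="${RELEASE}"` and `release="${RELEASE}"`, keeps them in step, provided the download is tied to the same value.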
@@ -16,16 +22,17 @@ COPY CREDITS /licenses/CREDITS COPY LICENSE /licenses/LICENSE RUN \ - echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \ - apk update && apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' minisign && \ - echo 'hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4' >> /etc/nsswitch.conf && \ + microdnf update --nodocs && \ + microdnf install curl ca-certificates shadow-utils util-linux --nodocs && \ + rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \ + microdnf install minisign --nodocs && \ curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/minio -o /usr/bin/minio && \ curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/minio.sha256sum -o /usr/bin/minio.sha256sum && \ curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/minio.minisig -o /usr/bin/minio.minisig && \ + microdnf clean all && \ chmod +x /usr/bin/minio && \ chmod +x /usr/bin/docker-entrypoint.sh && \ chmod +x /usr/bin/verify-minio.sh && \ - curl -s -q -O https://raw.githubusercontent.com/minio/minio/master/CREDITS && \ /usr/bin/verify-minio.sh EXPOSE 9000 diff --git a/Dockerfile.release.ubi b/Dockerfile.release.ubi deleted file mode 100644 index 820efb5b1..000000000 --- a/Dockerfile.release.ubi +++ /dev/null 
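Review bot: `rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm` installs a floating "latest" package straight from a URL, and nothing in the hunk imports or pins the EPEL signing key first, so the repository that supplies `minisign` (the tool that verifies the MinIO binary) is trusted on TLS alone. Consider downloading a pinned epel-release version, checking it against a recorded SHA-256 (for example `echo "<EPEL_RELEASE_SHA256>  epel-release.rpm" | sha256sum -c -`) and only then installing it. The three `curl -s -q` downloads also lack `-f`, so an HTTP error body would be written to `/usr/bin/minio` silently; `curl -fsS ... -o /usr/bin/minio` fails the build at the point of the error instead of relying on verify-minio.sh, whose content is not shown here. The hunk also drops the `nsswitch.conf` line that the other Dockerfiles in this commit keep, and no `USER` is visible, so confirm both are intentional; the file continues past the hunk.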
@@ -1,49 +0,0 @@ -FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3 - -ARG TARGETARCH - -LABEL name="MinIO" \ - vendor="MinIO Inc " \ - maintainer="MinIO Inc " \ - version="RELEASE.2020-11-25T22-36-25Z" \ - release="RELEASE.2020-11-25T22-36-25Z" \ - summary="MinIO is a High Performance Object Storage, API compatible with Amazon S3 cloud storage service." \ - description="MinIO object storage is fundamentally different. Designed for performance and the S3 API, it is 100% open-source. MinIO is ideal for large, private cloud environments with stringent security requirements and delivers mission-critical availability across a diverse range of workloads." - -ENV MINIO_ACCESS_KEY_FILE=access_key \ - MINIO_SECRET_KEY_FILE=secret_key \ - MINIO_KMS_MASTER_KEY_FILE=kms_master_key \ - MINIO_SSE_MASTER_KEY_FILE=sse_master_key \ - MINIO_UPDATE_MINISIGN_PUBKEY="RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav" - -COPY dockerscripts/verify-minio.sh /usr/bin/verify-minio.sh -COPY dockerscripts/docker-entrypoint.ubi.sh /usr/bin/docker-entrypoint.ubi.sh -COPY CREDITS /licenses/CREDITS -COPY LICENSE /licenses/LICENSE - -RUN \ - microdnf update --nodocs && \ - microdnf install curl ca-certificates shadow-utils --nodocs && \ - curl -s -q https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm -o epel-release.rpm && \ - rpm -ivh epel-release.rpm && microdnf install minisign --nodocs && \ - curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/minio -o /usr/bin/minio && \ - curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/minio.sha256sum -o /usr/bin/minio.sha256sum && \ - curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/minio.minisig -o /usr/bin/minio.minisig && \ - microdnf clean all && \ - chmod +x /usr/bin/minio && \ - chmod +x /usr/bin/docker-entrypoint.ubi.sh && \ - chmod +x /usr/bin/verify-minio.sh && \ - /usr/bin/verify-minio.sh && \ - groupadd --gid 1000 minio && \ - useradd -M --uid 1000 --gid 
1000 --home /usr/share/minio minio && \ - mkdir -p /data && chown -R minio:minio /usr/bin /data - -EXPOSE 9000 - -USER minio - -ENTRYPOINT ["/usr/bin/docker-entrypoint.ubi.sh"] - -VOLUME ["/data"] - -CMD ["minio"] diff --git a/docker-buildx-ubi.sh b/docker-buildx-ubi.sh deleted file mode 100755 index 219c1345f..000000000 --- a/docker-buildx-ubi.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -sudo sysctl net.ipv6.conf.wlp59s0.disable_ipv6=1 - -release=$(git describe --abbrev=0 --tags) -docker buildx build --push --no-cache -t "minio/minio:${release}-ubi" \ - --platform=linux/arm64,linux/amd64,linux/ppc64le,linux/s390x \ - -f Dockerfile.release.ubi . - -docker buildx prune -f - -sudo sysctl net.ipv6.conf.wlp59s0.disable_ipv6=0 diff --git a/dockerscripts/docker-entrypoint.sh b/dockerscripts/docker-entrypoint.sh index b55a999cd..9c6cbf439 100755 --- a/dockerscripts/docker-entrypoint.sh +++ b/dockerscripts/docker-entrypoint.sh @@ -75,18 +75,15 @@ docker_sse_encryption_env() { # su-exec to requested user, if service cannot run exec will fail. docker_switch_user() { if [ ! -z "${MINIO_USERNAME}" ] && [ ! -z "${MINIO_GROUPNAME}" ]; then - - if [ ! -z "${MINIO_UID}" ] && [ ! -z "${MINIO_GID}" ]; then - addgroup -S -g "$MINIO_GID" "$MINIO_GROUPNAME" && \ - adduser -S -u "$MINIO_UID" -G "$MINIO_GROUPNAME" "$MINIO_USERNAME" - else - addgroup -S "$MINIO_GROUPNAME" && \ - adduser -S -G "$MINIO_GROUPNAME" "$MINIO_USERNAME" - fi - - exec su-exec "${MINIO_USERNAME}:${MINIO_GROUPNAME}" "$@" + if [ ! -z "${MINIO_UID}" ] && [ ! -z "${MINIO_GID}" ]; then + groupadd -g "$MINIO_GID" "$MINIO_GROUPNAME" && \ + useradd -u "$MINIO_UID" -g "$MINIO_GROUPNAME" "$MINIO_USERNAME" + else + groupadd "$MINIO_GROUPNAME" && \ + useradd -g "$MINIO_GROUPNAME" "$MINIO_USERNAME" + fi + exec setpriv --reuid="${MINIO_USERNAME}" --regid="${MINIO_GROUPNAME}" --keep-groups "$@" else - # fallback exec "$@" fi } 
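Review bot: `--keep-groups` on the new `exec setpriv` line leaves the supplementary groups of the root entrypoint process attached to the MinIO process after the uid/gid change, so it can retain group-level access (typically group 0 in a container started as root) that the privilege drop is meant to remove. su-exec, which this line replaces, reset the supplementary group list; the closest setpriv form is `exec setpriv --reuid="${MINIO_USERNAME}" --regid="${MINIO_GROUPNAME}" --init-groups "$@"` (or `--clear-groups` if no extra groups are wanted). The comment above docker_switch_user still says `su-exec` and should name setpriv instead. docker_switch_user itself is fully visible in the hunk, but the rest of the script is not.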
diff --git a/dockerscripts/docker-entrypoint.ubi.sh b/dockerscripts/docker-entrypoint.ubi.sh deleted file mode 100755 index 466c67408..000000000 --- a/dockerscripts/docker-entrypoint.ubi.sh +++ /dev/null 
@@ -1,84 +0,0 @@ -#!/bin/sh -# -# MinIO Cloud Storage, (C) 2020 MinIO, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -# If command starts with an option, prepend minio in UBI container image -if [ "${1}" != "minio" ]; then - if [ -n "${1}" ]; then - set -- minio "$@" - fi -fi - -## Look for docker secrets at given absolute path or in default documented location. -docker_secrets_env() { - if [ -f "$MINIO_ACCESS_KEY_FILE" ]; then - ACCESS_KEY_FILE="$MINIO_ACCESS_KEY_FILE" - else - ACCESS_KEY_FILE="/run/secrets/$MINIO_ACCESS_KEY_FILE" - fi - if [ -f "$MINIO_SECRET_KEY_FILE" ]; then - SECRET_KEY_FILE="$MINIO_SECRET_KEY_FILE" - else - SECRET_KEY_FILE="/run/secrets/$MINIO_SECRET_KEY_FILE" - fi - - if [ -f "$ACCESS_KEY_FILE" ] && [ -f "$SECRET_KEY_FILE" ]; then - if [ -f "$ACCESS_KEY_FILE" ]; then - MINIO_ACCESS_KEY="$(cat "$ACCESS_KEY_FILE")" - export MINIO_ACCESS_KEY - fi - if [ -f "$SECRET_KEY_FILE" ]; then - MINIO_SECRET_KEY="$(cat "$SECRET_KEY_FILE")" - export MINIO_SECRET_KEY - fi - fi -} - -## Set KMS_MASTER_KEY from docker secrets if provided -docker_kms_encryption_env() { - if [ -f "$MINIO_KMS_MASTER_KEY_FILE" ]; then - KMS_MASTER_KEY_FILE="$MINIO_KMS_MASTER_KEY_FILE" - else - KMS_MASTER_KEY_FILE="/run/secrets/$MINIO_KMS_MASTER_KEY_FILE" - fi - - if [ -f "$KMS_MASTER_KEY_FILE" ]; then - MINIO_KMS_MASTER_KEY="$(cat "$KMS_MASTER_KEY_FILE")" - export MINIO_KMS_MASTER_KEY - fi -} - -## Legacy -## Set SSE_MASTER_KEY from docker secrets if provided 
-docker_sse_encryption_env() { - SSE_MASTER_KEY_FILE="/run/secrets/$MINIO_SSE_MASTER_KEY_FILE" - - if [ -f "$SSE_MASTER_KEY_FILE" ]; then - MINIO_SSE_MASTER_KEY="$(cat "$SSE_MASTER_KEY_FILE")" - export MINIO_SSE_MASTER_KEY - fi -} - -## Set access env from secrets if necessary. -docker_secrets_env - -## Set kms encryption from secrets if necessary. -docker_kms_encryption_env - -## Set sse encryption from secrets if necessary. Legacy -docker_sse_encryption_env - -exec "$@"