From 3aa3d9cf148ed8b3938fb466340d960a7a8d1f67 Mon Sep 17 00:00:00 2001
From: Andreas Auernhammer
Date: Sat, 28 Oct 2023 21:19:49 +0200
Subject: [PATCH] switch minio container base image to ubi-mciro (#18329)
This commit changes the container base image from ubi-minimal to ubi-micro. The docker build process happens now in two stages. The build stage: - downloads the latest CA certificate bundle - downloads MinIO binary (for requested version/os/arch) - downloads MinIO binary signature and verifies it using minisign Then it creates an image based on ubi-micro with just the minio binary was downloaded and verified during the build stage. The build stage is simplified to just verifying the minisign signature.
Signed-off-by: Andreas Auernhammer
---
 Dockerfile | 4 +--
 Dockerfile.hotfix | 58 ++++++++++++++++++++---------------
 Dockerfile.release | 58 +++++++++++++++++++----------------
 Dockerfile.release.fips | 51 +++++++++++++++----------------
 dockerscripts/verify-minio.sh | 31 -------------------
 5 files changed, 93 insertions(+), 109 deletions(-)
 delete mode 100755 dockerscripts/verify-minio.sh
diff --git a/Dockerfile b/Dockerfile
index 6b98cd4a6..3318f7435 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,8 +1,6 @@
 FROM minio/minio:latest
-ENV PATH=/opt/bin:$PATH
-
-COPY ./minio /opt/bin/minio
+COPY ./minio /usr/bin/minio
 COPY dockerscripts/docker-entrypoint.sh /usr/bin/docker-entrypoint.sh
 ENTRYPOINT ["/usr/bin/docker-entrypoint.sh"]
diff --git a/Dockerfile.hotfix b/Dockerfile.hotfix
index 4d2340b31..b15b575de 100644
--- a/Dockerfile.hotfix
+++ b/Dockerfile.hotfix
@@ -1,4 +1,30 @@
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2
+FROM golang:1.21-alpine as build
+
+ARG TARGETARCH
+ARG RELEASE
+
+ENV GOPATH /go
+ENV CGO_ENABLED 0
+
+# Install curl and minisign
+RUN apk add -U --no-cache ca-certificates && \
+ apk add -U --no-cache curl && \
+ go install aead.dev/minisign/cmd/minisign@v0.2.0
+
+# Download minio binary and signature file
+RUN curl -s -q https://dl.min.io/server/minio/hotfixes/linux-${TARGETARCH}/archive/minio.${RELEASE} -o /go/bin/minio && \
+ curl -s -q https://dl.min.io/server/minio/hotfixes/linux-${TARGETARCH}/archive/minio.${RELEASE}.minisig -o /go/bin/minio.minisig && \
+ chmod +x /go/bin/minio
+
+# Download mc binary and signature file
+RUN curl -s -q https://dl.min.io/client/mc/release/linux-${TARGETARCH}/mc -o /go/bin/mc && \
+ curl -s -q https://dl.min.io/client/mc/release/linux-${TARGETARCH}/mc.minisig -o /go/bin/mc.minisig
+
+# Verify binary signature using public key "RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGavRUN"
+RUN minisign -Vqm /go/bin/minio -x /go/bin/minio.minisig -P RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav && \
+ minisign -Vqm /go/bin/mc -x /go/bin/mc.minisig -P RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav
+
+FROM registry.access.redhat.com/ubi9/ubi-micro:9.2
 ARG RELEASE
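Review bot: The `mc` binary is fetched with `curl -o` but never made executable, so `COPY --from=build /go/bin/mc /usr/bin/mc` in the final stage carries over a file without the execute bit (curl creates output files with the default non-executable mode); the mc download step needs `chmod +x /go/bin/mc` the way the minio step already has `chmod +x /go/bin/minio`. The same omission is in the Dockerfile.release hunk (L4). The download steps use `curl -s -q` without `-f`, so an HTTP error page for a wrong RELEASE or TARGETARCH is written to the output file and the build only fails later at `minisign -V` with a misleading signature error; `curl -fsS` would fail at the download with the HTTP status (also L4 and the Dockerfile.release.fips hunk on L6), and note `-q` only disables .curlrc when it is the first argument. The comment above the verify step quotes the key as `…VWGbP1aVSGavRUN` while `-P` is given `…VWGbP1aVSGav`; the trailing `RUN` looks like a paste artefact and should be dropped from the comment so it matches the key actually trusted.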
@@ -17,34 +43,18 @@ ENV MINIO_ACCESS_KEY_FILE=access_key \
 MINIO_KMS_SECRET_KEY_FILE=kms_master_key \
 MINIO_UPDATE_MINISIGN_PUBKEY="RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav" \
 MINIO_CONFIG_ENV_FILE=config.env \
- MC_CONFIG_DIR=/tmp/.mc \
- PATH=/opt/bin:$PATH
+ MC_CONFIG_DIR=/tmp/.mc
+
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=build /go/bin/minio /usr/bin/minio
+COPY --from=build /go/bin/mc /usr/bin/mc
-COPY dockerscripts/verify-minio.sh /usr/bin/verify-minio.sh
-COPY dockerscripts/docker-entrypoint.sh /usr/bin/docker-entrypoint.sh
 COPY CREDITS /licenses/CREDITS
 COPY LICENSE /licenses/LICENSE
-
-RUN \
- microdnf clean all && \
- microdnf update --nodocs && \
- rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
- microdnf install curl ca-certificates shadow-utils util-linux gzip lsof tar net-tools iproute iputils jq minisign --nodocs && \
- mkdir -p /opt/bin && chmod -R 777 /opt/bin && \
- curl -s -q https://dl.min.io/server/minio/hotfixes/linux-amd64/archive/minio.${RELEASE} -o /opt/bin/minio && \
- curl -s -q https://dl.min.io/server/minio/hotfixes/linux-amd64/archive/minio.${RELEASE}.sha256sum -o /opt/bin/minio.sha256sum && \
- curl -s -q https://dl.min.io/server/minio/hotfixes/linux-amd64/archive/minio.${RELEASE}.minisig -o /opt/bin/minio.minisig && \
- microdnf clean all && \
- chmod +x /opt/bin/minio && \
- chmod +x /usr/bin/docker-entrypoint.sh && \
- chmod +x /usr/bin/verify-minio.sh && \
- /usr/bin/verify-minio.sh && \
- microdnf clean all
+COPY dockerscripts/docker-entrypoint.sh /usr/bin/docker-entrypoint.sh
 EXPOSE 9000
-
-ENTRYPOINT ["/usr/bin/docker-entrypoint.sh"]
-
 VOLUME ["/data"]
+ENTRYPOINT ["/usr/bin/docker-entrypoint.sh"]
 CMD ["minio"]
diff --git a/Dockerfile.release b/Dockerfile.release
index ab721e37d..05252d3c9 100644
--- a/Dockerfile.release
+++ b/Dockerfile.release
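Review bot: `COPY dockerscripts/docker-entrypoint.sh /usr/bin/docker-entrypoint.sh` replaces the removed `chmod +x /usr/bin/docker-entrypoint.sh`, so the entrypoint's execute bit now depends solely on the file mode in the build context; under BuildKit `COPY --chmod=0755 dockerscripts/docker-entrypoint.sh /usr/bin/docker-entrypoint.sh` makes that explicit and independent of checkout settings. The same applies to the Dockerfile.release hunk (L5) and the Dockerfile.release.fips hunk (L7). The final stage also drops the `shadow-utils util-linux` and other packages the old `microdnf install` provided, and ubi-micro has no package manager to add them back, so if docker-entrypoint.sh (not in this patch) relies on any of those utilities that should be confirmed against the ubi-micro package set. The rewritten final stage still carries no `USER` directive, so the container runs as root unless the entrypoint switches user itself; adding one before `ENTRYPOINT` would fit the move to a minimal base.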
@@ -1,6 +1,30 @@
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2
+FROM golang:1.21-alpine as build
 ARG TARGETARCH
+ARG RELEASE
+
+ENV GOPATH /go
+ENV CGO_ENABLED 0
+
+# Install curl and minisign
+RUN apk add -U --no-cache ca-certificates && \
+ apk add -U --no-cache curl && \
+ go install aead.dev/minisign/cmd/minisign@v0.2.0
+
+# Download minio binary and signature file
+RUN curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE} -o /go/bin/minio && \
+ curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE}.minisig -o /go/bin/minio.minisig && \
+ chmod +x /go/bin/minio
+
+# Download mc binary and signature file
+RUN curl -s -q https://dl.min.io/client/mc/release/linux-${TARGETARCH}/mc -o /go/bin/mc && \
+ curl -s -q https://dl.min.io/client/mc/release/linux-${TARGETARCH}/mc.minisig -o /go/bin/mc.minisig
+
+# Verify binary signature using public key "RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGavRUN"
+RUN minisign -Vqm /go/bin/minio -x /go/bin/minio.minisig -P RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav && \
+ minisign -Vqm /go/bin/mc -x /go/bin/mc.minisig -P RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav
+
+FROM registry.access.redhat.com/ubi9/ubi-micro:9.2
 ARG RELEASE
@@ -19,36 +43,18 @@ ENV MINIO_ACCESS_KEY_FILE=access_key \
 MINIO_KMS_SECRET_KEY_FILE=kms_master_key \
 MINIO_UPDATE_MINISIGN_PUBKEY="RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav" \
 MINIO_CONFIG_ENV_FILE=config.env \
- MC_CONFIG_DIR=/tmp/.mc \
- PATH=/opt/bin:$PATH
+ MC_CONFIG_DIR=/tmp/.mc
+
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=build /go/bin/minio /usr/bin/minio
+COPY --from=build /go/bin/mc /usr/bin/mc
-COPY dockerscripts/verify-minio.sh /usr/bin/verify-minio.sh
-COPY dockerscripts/docker-entrypoint.sh /usr/bin/docker-entrypoint.sh
 COPY CREDITS /licenses/CREDITS
 COPY LICENSE /licenses/LICENSE
-
-RUN \
- microdnf clean all && \
- microdnf update --nodocs && \
- rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
- microdnf install curl ca-certificates shadow-utils util-linux gzip lsof tar net-tools iproute iputils jq minisign --nodocs && \
- mkdir -p /opt/bin && chmod -R 777 /opt/bin && \
- curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE} -o /opt/bin/minio && \
- curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE}.sha256sum -o /opt/bin/minio.sha256sum && \
- curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE}.minisig -o /opt/bin/minio.minisig && \
- curl -s -q https://dl.min.io/client/mc/release/linux-${TARGETARCH}/mc -o /opt/bin/mc && \
- microdnf clean all && \
- chmod +x /opt/bin/minio && \
- chmod +x /opt/bin/mc && \
- chmod +x /usr/bin/docker-entrypoint.sh && \
- chmod +x /usr/bin/verify-minio.sh && \
- /usr/bin/verify-minio.sh && \
- microdnf clean all
+COPY dockerscripts/docker-entrypoint.sh /usr/bin/docker-entrypoint.sh
 EXPOSE 9000
-
-ENTRYPOINT ["/usr/bin/docker-entrypoint.sh"]
-
 VOLUME ["/data"]
+ENTRYPOINT ["/usr/bin/docker-entrypoint.sh"]
 CMD ["minio"]
diff --git a/Dockerfile.release.fips b/Dockerfile.release.fips
index 21b007e18..c6e9201c3 100644
--- a/Dockerfile.release.fips
+++ b/Dockerfile.release.fips
@@ -1,6 +1,25 @@
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.2
+FROM golang:1.21-alpine as build
 ARG TARGETARCH
+ARG RELEASE
+
+ENV GOPATH /go
+ENV CGO_ENABLED 0
+
+# Install curl and minisign
+RUN apk add -U --no-cache ca-certificates && \
+ apk add -U --no-cache curl && \
+ go install aead.dev/minisign/cmd/minisign@v0.2.0
+
+# Download minio binary and signature file
+RUN curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE}.fips -o /go/bin/minio && \
+ curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE}.fips.minisig -o /go/bin/minio.minisig && \
+ chmod +x /go/bin/minio
+
+# Verify binary signature using public key "RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGavRUN"
+RUN minisign -Vqm /go/bin/minio -x /go/bin/minio.minisig -P RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav
+
+FROM registry.access.redhat.com/ubi9/ubi-micro:9.2
 ARG RELEASE
@@ -18,35 +37,17 @@ ENV MINIO_ACCESS_KEY_FILE=access_key \
 MINIO_ROOT_PASSWORD_FILE=secret_key \
 MINIO_KMS_SECRET_KEY_FILE=kms_master_key \
 MINIO_UPDATE_MINISIGN_PUBKEY="RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav" \
- MINIO_CONFIG_ENV_FILE=config.env \
- MC_CONFIG_DIR=/tmp/.mc \
- PATH=/opt/bin:$PATH
+ MINIO_CONFIG_ENV_FILE=config.env
+
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=build /go/bin/minio /usr/bin/minio
-COPY dockerscripts/verify-minio.sh /usr/bin/verify-minio.sh
-COPY dockerscripts/docker-entrypoint.sh /usr/bin/docker-entrypoint.sh
 COPY CREDITS /licenses/CREDITS
 COPY LICENSE /licenses/LICENSE
-
-RUN \
- microdnf clean all && \
- microdnf update --nodocs && \
- rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
- microdnf install curl ca-certificates shadow-utils util-linux gzip lsof tar net-tools iproute iputils jq minisign --nodocs && \
- mkdir -p /opt/bin && chmod -R 777 /opt/bin && \
- curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE}.fips -o /opt/bin/minio && \
- curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE}.fips.sha256sum -o /opt/bin/minio.sha256sum && \
- curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE}.fips.minisig -o /opt/bin/minio.minisig && \
- microdnf clean all && \
- chmod +x /opt/bin/minio && \
- chmod +x /usr/bin/docker-entrypoint.sh && \
- chmod +x /usr/bin/verify-minio.sh && \
- /usr/bin/verify-minio.sh && \
- microdnf clean all
+COPY dockerscripts/docker-entrypoint.sh /usr/bin/docker-entrypoint.sh
 EXPOSE 9000
-
-ENTRYPOINT ["/usr/bin/docker-entrypoint.sh"]
-
 VOLUME ["/data"]
+ENTRYPOINT ["/usr/bin/docker-entrypoint.sh"]
 CMD ["minio"]
diff --git a/dockerscripts/verify-minio.sh b/dockerscripts/verify-minio.sh
deleted file mode 100755
index f0f2beea7..000000000
--- a/dockerscripts/verify-minio.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/sh
-#
-
-set -e
-
-if [ ! -x "/opt/bin/minio" ]; then
- echo "minio executable binary not found refusing to proceed"
- exit 1
-fi
-
-verify_sha256sum() {
- echo "verifying binary checksum"
- echo "$(awk '{print $1}' /opt/bin/minio.sha256sum) /opt/bin/minio" | sha256sum -c
-}
-
-verify_signature() {
- if [ "${TARGETARCH}" = "arm" ]; then
- echo "ignoring verification of binary signature"
- return
- fi
- echo "verifying binary signature"
- minisign -VQm /opt/bin/minio -P RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav
-}
-
-main() {
- verify_sha256sum
-
- verify_signature
-}
-
-main "$@"