fix: support dropping privileges with arbitrary users (#18386)

fixes #18380

.github/workflows/mint/minio-compress-encrypt.yaml

@@ -16,10 +16,10 @@ x-minio-common: &minio-common
     MINIO_COMPRESSION_ALLOW_ENCRYPTION: "on"
     MINIO_KMS_SECRET_KEY: "my-minio-key:OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl6rYw="
   healthcheck:
-    test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
+    test: ["CMD", "mc", "ready", "local"]
-    interval: 30s
+    interval: 5s
-    timeout: 20s
+    timeout: 5s
-    retries: 3
+    retries: 5
 
 # starts 4 docker containers running minio server instances.
 # using nginx reverse proxy, load balancing, you can access

.github/workflows/mint/minio-erasure.yaml

@@ -13,10 +13,10 @@ x-minio-common: &minio-common
     MINIO_ROOT_PASSWORD: "minio123"
     MINIO_KMS_SECRET_KEY: "my-minio-key:OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl6rYw="
   healthcheck:
-    test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
+    test: ["CMD", "mc", "ready", "local"]
-    interval: 30s
+    interval: 5s
-    timeout: 20s
+    timeout: 5s
-    retries: 3
+    retries: 5
 
 # starts 4 docker containers running minio server instances.
 # using nginx reverse proxy, load balancing, you can access

.github/workflows/mint/minio-pools.yaml

@@ -13,10 +13,10 @@ x-minio-common: &minio-common
     MINIO_ROOT_PASSWORD: "minio123"
     MINIO_KMS_SECRET_KEY: "my-minio-key:OSMM+vkKUTCvQs9YL/CVMIMt43HFhkUpqJxTmGl6rYw="
   healthcheck:
-    test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
+    test: ["CMD", "mc", "ready", "local"]
-    interval: 30s
+    interval: 5s
-    timeout: 20s
+    timeout: 5s
-    retries: 3
+    retries: 5
 
 # starts 4 docker containers running minio server instances.
 # using nginx reverse proxy, load balancing, you can access

.gitignore

@@ -42,3 +42,4 @@ docs/debugging/healing-bin/healing-bin
 docs/debugging/inspect/inspect
 docs/debugging/pprofgoparser/pprofgoparser
 docs/debugging/reorder-disks/reorder-disks
+docs/debugging/populate-hard-links/populate-hardlinks

buildscripts/upgrade-tests/compose.yml

@@ -9,11 +9,6 @@ x-minio-common: &minio-common
   expose:
     - "9000"
     - "9001"
-  healthcheck:
-    test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
-    interval: 30s
-    timeout: 20s
-    retries: 3
 
 # starts 4 docker containers running minio server instances.
 # using nginx reverse proxy, load balancing, you can access

dockerscripts/docker-entrypoint.sh

@@ -8,22 +8,19 @@ if [ "${1}" != "minio" ]; then
 	fi
 fi
 
-# su-exec to requested user, if service cannot run exec will fail.
 docker_switch_user() {
 	if [ -n "${MINIO_USERNAME}" ] && [ -n "${MINIO_GROUPNAME}" ]; then
 		if [ -n "${MINIO_UID}" ] && [ -n "${MINIO_GID}" ]; then
-			groupadd -f -g "$MINIO_GID" "$MINIO_GROUPNAME" &&
+			chroot --userspec=${MINIO_UID}:${MINIO_GID} / "$@"
-				useradd -u "$MINIO_UID" -g "$MINIO_GROUPNAME" "$MINIO_USERNAME"
 		else
-			groupadd -f "$MINIO_GROUPNAME" &&
+			echo "${MINIO_USERNAME}:x:1000:1000:${MINIO_USERNAME}:/:/sbin/nologin" >>/etc/passwd
-				useradd -g "$MINIO_GROUPNAME" "$MINIO_USERNAME"
+			echo "${MINIO_GROUPNAME}:x:1000" >>/etc/group
+			chroot --userspec=${MINIO_USERNAME}:${MINIO_GROUPNAME} / "$@"
 		fi
-		exec setpriv --reuid="${MINIO_USERNAME}" \
-			--regid="${MINIO_GROUPNAME}" --keep-groups "$@"
 	else
 		exec "$@"
 	fi
 }
 
-## Switch to user if applicable.
+## DEPRECATED and unsupported - switch to user if applicable.
 docker_switch_user "$@"

docs/orchestration/docker-compose/docker-compose.yaml

@@ -11,10 +11,10 @@ x-minio-common: &minio-common
     # MINIO_ROOT_USER: minioadmin
     # MINIO_ROOT_PASSWORD: minioadmin
   healthcheck:
-    test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
+    test: ["CMD", "mc", "ready", "local"]
-    interval: 30s
+    interval: 5s
-    timeout: 20s
+    timeout: 5s
-    retries: 3
+    retries: 5
 
 # starts 4 docker containers running minio server instances.
 # using nginx reverse proxy, load balancing, you can access