minio/dockerscripts/docker-entrypoint.sh

#!/bin/sh
#

# If command starts with an option, prepend minio.
if [ "${1}" != "minio" ]; then
    if [ -n "${1}" ]; then
        set -- minio "$@"
    fi
fi

## look for specific a `config.env` file to load all the
## minio settings from
docker_minio_env() {
    if [ -f "$MINIO_CONFIG_ENV_FILE" ]; then
        config_env_file="${MINIO_CONFIG_ENV_FILE}"
    else
        config_env_file="/run/secrets/${MINIO_CONFIG_ENV_FILE}"
    fi
    if [ -f "$config_env_file" ]; then
        # shellcheck source=/dev/null
        . "${config_env_file}"
    fi
}

## Look for docker secrets at given absolute path or in default documented location.
docker_secrets_env_old() {
    if [ -f "$MINIO_ACCESS_KEY_FILE" ]; then
        ACCESS_KEY_FILE="$MINIO_ACCESS_KEY_FILE"
    else
        ACCESS_KEY_FILE="/run/secrets/$MINIO_ACCESS_KEY_FILE"
    fi
    if [ -f "$MINIO_SECRET_KEY_FILE" ]; then
        SECRET_KEY_FILE="$MINIO_SECRET_KEY_FILE"
    else
        SECRET_KEY_FILE="/run/secrets/$MINIO_SECRET_KEY_FILE"
    fi

    if [ -f "$ACCESS_KEY_FILE" ] && [ -f "$SECRET_KEY_FILE" ]; then
        if [ -f "$ACCESS_KEY_FILE" ]; then
            MINIO_ACCESS_KEY="$(cat "$ACCESS_KEY_FILE")"
            export MINIO_ACCESS_KEY
        fi
        if [ -f "$SECRET_KEY_FILE" ]; then
            MINIO_SECRET_KEY="$(cat "$SECRET_KEY_FILE")"
            export MINIO_SECRET_KEY
        fi
    fi
}

docker_secrets_env() {
    if [ -f "$MINIO_ROOT_USER_FILE" ]; then
        ROOT_USER_FILE="$MINIO_ROOT_USER_FILE"
    else
        ROOT_USER_FILE="/run/secrets/$MINIO_ROOT_USER_FILE"
    fi
    if [ -f "$MINIO_ROOT_PASSWORD_FILE" ]; then
        SECRET_KEY_FILE="$MINIO_ROOT_PASSWORD_FILE"
    else
        SECRET_KEY_FILE="/run/secrets/$MINIO_ROOT_PASSWORD_FILE"
    fi

    if [ -f "$ROOT_USER_FILE" ] && [ -f "$SECRET_KEY_FILE" ]; then
        if [ -f "$ROOT_USER_FILE" ]; then
            MINIO_ROOT_USER="$(cat "$ROOT_USER_FILE")"
            export MINIO_ROOT_USER
        fi
        if [ -f "$SECRET_KEY_FILE" ]; then
            MINIO_ROOT_PASSWORD="$(cat "$SECRET_KEY_FILE")"
            export MINIO_ROOT_PASSWORD
        fi
    fi
}

## Set KMS_SECRET_KEY from docker secrets if provided
docker_kms_secret_encryption_env() {
    if [ -f "$MINIO_KMS_SECRET_KEY_FILE" ]; then
        KMS_SECRET_KEY_FILE="$MINIO_KMS_SECRET_KEY_FILE"
    else
        KMS_SECRET_KEY_FILE="/run/secrets/$MINIO_KMS_SECRET_KEY_FILE"
    fi

    if [ -f "$KMS_SECRET_KEY_FILE" ]; then
        MINIO_KMS_SECRET_KEY="$(cat "$KMS_SECRET_KEY_FILE")"
        export MINIO_KMS_SECRET_KEY
    fi
}

# su-exec to requested user, if service cannot run exec will fail.
docker_switch_user() {
    if [ -n "${MINIO_USERNAME}" ] && [ -n "${MINIO_GROUPNAME}" ]; then
        if [ -n "${MINIO_UID}" ] && [ -n "${MINIO_GID}" ]; then
            groupadd -g "$MINIO_GID" "$MINIO_GROUPNAME" && \
                useradd -u "$MINIO_UID" -g "$MINIO_GROUPNAME" "$MINIO_USERNAME"
        else
            groupadd "$MINIO_GROUPNAME" && \
                useradd -g "$MINIO_GROUPNAME" "$MINIO_USERNAME"
        fi
        exec setpriv --reuid="${MINIO_USERNAME}" \
             --regid="${MINIO_GROUPNAME}" --keep-groups "$@"
    else
        exec "$@"
    fi
}

## Set access env from secrets if necessary. Legacy
docker_secrets_env_old

## Set access env from secrets if necessary. Override
docker_secrets_env

## Set kms encryption from secrets if necessary. Override
docker_kms_secret_encryption_env

## Set all config environment variables from 'config.env' if necessary.
## Overrides all previous settings and also overrides all
## environment values passed from 'podman run -e ENV=value'
docker_minio_env

## Switch to user if applicable.
docker_switch_user "$@"
docker: Support docker swarm secrets. (#3977) Fixes #3896 2017-04-08 04:43:40 -04:00			`#!/bin/sh`
			`#`

Add waiting on hosts in docker entrypoint for distributed setups. (#4244) Thanks to Remco Verhoef <remco@dutchcoders.io> for the script. Fixes #4225 2017-05-04 03:48:13 -04:00			`# If command starts with an option, prepend minio.`
docker: Support docker swarm secrets. (#3977) Fixes #3896 2017-04-08 04:43:40 -04:00			`if [ "${1}" != "minio" ]; then`
			`if [ -n "${1}" ]; then`
			`set -- minio "$@"`
			`fi`
			`fi`

Allow MinIO to load configurations from env file (#12706) docker-entrypoint.sh will load configuration values from 'config.env' file, this is useful when MinIO is deployed in Kubernetes environments and want to avoid reading secrets from environment variables Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com> 2021-07-14 19:55:59 -04:00			## look for specific a `config.env` file to load all the
			`## minio settings from`
			`docker_minio_env() {`
			`if [ -f "$MINIO_CONFIG_ENV_FILE" ]; then`
			`config_env_file="${MINIO_CONFIG_ENV_FILE}"`
			`else`
			`config_env_file="/run/secrets/${MINIO_CONFIG_ENV_FILE}"`
			`fi`
			`if [ -f "$config_env_file" ]; then`
			`# shellcheck source=/dev/null`
			`. "${config_env_file}"`
			`fi`
			`}`

Revert "fix: remove deprecated MINIO_ACCESS_KEY, MINIO_SECRET_KEY envs (#12173)" This reverts commit b0baaeaa3ddee9573d3b1ac698e1182d2cc883fe. 2021-04-29 13:55:05 -04:00			`## Look for docker secrets at given absolute path or in default documented location.`
			`docker_secrets_env_old() {`
			`if [ -f "$MINIO_ACCESS_KEY_FILE" ]; then`
			`ACCESS_KEY_FILE="$MINIO_ACCESS_KEY_FILE"`
			`else`
			`ACCESS_KEY_FILE="/run/secrets/$MINIO_ACCESS_KEY_FILE"`
			`fi`
			`if [ -f "$MINIO_SECRET_KEY_FILE" ]; then`
			`SECRET_KEY_FILE="$MINIO_SECRET_KEY_FILE"`
			`else`
			`SECRET_KEY_FILE="/run/secrets/$MINIO_SECRET_KEY_FILE"`
			`fi`

			`if [ -f "$ACCESS_KEY_FILE" ] && [ -f "$SECRET_KEY_FILE" ]; then`
			`if [ -f "$ACCESS_KEY_FILE" ]; then`
			`MINIO_ACCESS_KEY="$(cat "$ACCESS_KEY_FILE")"`
			`export MINIO_ACCESS_KEY`
			`fi`
			`if [ -f "$SECRET_KEY_FILE" ]; then`
			`MINIO_SECRET_KEY="$(cat "$SECRET_KEY_FILE")"`
			`export MINIO_SECRET_KEY`
			`fi`
			`fi`
			`}`

feat: migrate to ROOT_USER/PASSWORD from ACCESS/SECRET_KEY (#11185) 2021-01-05 13:22:57 -05:00			`docker_secrets_env() {`
			`if [ -f "$MINIO_ROOT_USER_FILE" ]; then`
			`ROOT_USER_FILE="$MINIO_ROOT_USER_FILE"`
			`else`
			`ROOT_USER_FILE="/run/secrets/$MINIO_ROOT_USER_FILE"`
			`fi`
			`if [ -f "$MINIO_ROOT_PASSWORD_FILE" ]; then`
			`SECRET_KEY_FILE="$MINIO_ROOT_PASSWORD_FILE"`
			`else`
			`SECRET_KEY_FILE="/run/secrets/$MINIO_ROOT_PASSWORD_FILE"`
			`fi`

			`if [ -f "$ROOT_USER_FILE" ] && [ -f "$SECRET_KEY_FILE" ]; then`
			`if [ -f "$ROOT_USER_FILE" ]; then`
			`MINIO_ROOT_USER="$(cat "$ROOT_USER_FILE")"`
			`export MINIO_ROOT_USER`
			`fi`
			`if [ -f "$SECRET_KEY_FILE" ]; then`
			`MINIO_ROOT_PASSWORD="$(cat "$SECRET_KEY_FILE")"`
			`export MINIO_ROOT_PASSWORD`
			`fi`
			`fi`
			`}`

do not pass master_key to secret_key 2021-05-05 18:20:02 -04:00			`## Set KMS_SECRET_KEY from docker secrets if provided`
			`docker_kms_secret_encryption_env() {`
kms: encrypt IAM/config data with the KMS (#12041) This commit changes the config/IAM encryption process. Instead of encrypting config data (users, policies etc.) with the root credentials MinIO now encrypts this data with a KMS - if configured. Therefore, this PR moves the MinIO-KMS configuration (via env. variables) to a "top-level" configuration. The KMS configuration cannot be stored in the config file since it is used to decrypt the config file in the first place. As a consequence, this commit also removes support for Hashicorp Vault - which has been deprecated anyway. Signed-off-by: Andreas Auernhammer <aead@mail.de> 2021-04-22 11:45:30 -04:00			`if [ -f "$MINIO_KMS_SECRET_KEY_FILE" ]; then`
			`KMS_SECRET_KEY_FILE="$MINIO_KMS_SECRET_KEY_FILE"`
Support custom paths for secret files in docker-entrypoint.sh (#10344) 2020-08-28 17:04:29 -04:00			`else`
kms: encrypt IAM/config data with the KMS (#12041) This commit changes the config/IAM encryption process. Instead of encrypting config data (users, policies etc.) with the root credentials MinIO now encrypts this data with a KMS - if configured. Therefore, this PR moves the MinIO-KMS configuration (via env. variables) to a "top-level" configuration. The KMS configuration cannot be stored in the config file since it is used to decrypt the config file in the first place. As a consequence, this commit also removes support for Hashicorp Vault - which has been deprecated anyway. Signed-off-by: Andreas Auernhammer <aead@mail.de> 2021-04-22 11:45:30 -04:00			`KMS_SECRET_KEY_FILE="/run/secrets/$MINIO_KMS_SECRET_KEY_FILE"`
Support custom paths for secret files in docker-entrypoint.sh (#10344) 2020-08-28 17:04:29 -04:00			`fi`
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing. 2019-10-23 01:59:13 -04:00
kms: encrypt IAM/config data with the KMS (#12041) This commit changes the config/IAM encryption process. Instead of encrypting config data (users, policies etc.) with the root credentials MinIO now encrypts this data with a KMS - if configured. Therefore, this PR moves the MinIO-KMS configuration (via env. variables) to a "top-level" configuration. The KMS configuration cannot be stored in the config file since it is used to decrypt the config file in the first place. As a consequence, this commit also removes support for Hashicorp Vault - which has been deprecated anyway. Signed-off-by: Andreas Auernhammer <aead@mail.de> 2021-04-22 11:45:30 -04:00			`if [ -f "$KMS_SECRET_KEY_FILE" ]; then`
			`MINIO_KMS_SECRET_KEY="$(cat "$KMS_SECRET_KEY_FILE")"`
			`export MINIO_KMS_SECRET_KEY`
Migrate config to KV data format (#8392) - adding oauth support to MinIO browser (#8400) by @kanagaraj - supports multi-line get/set/del for all config fields - add support for comments, allow toggle - add extensive validation of config before saving - support MinIO browser to support proper claims, using STS tokens - env support for all config parameters, legacy envs are also supported with all documentation now pointing to latest ENVs - preserve accessKey/secretKey from FS mode setups - add history support implements three APIs - ClearHistory - RestoreHistory - ListHistory - add help command support for each config parameters - all the bug fixes after migration to KV, and other bug fixes encountered during testing. 2019-10-23 01:59:13 -04:00			`fi`
			`}`

Deprecate auto detection of container user (#7930) There is no reliable way to handle fallbacks for MinIO deployments, due to various command line options and multiple locations which require access inside container. Parsing command line options is tricky to figure out which is the backend disk etc, we did try to fix this in implementations of check-user.go but it wasn't complete and introduced more bugs. This PR simplifies the entire approach to rather than running Docker container as non-root by default always, it allows users to opt-in. Such that they are aware that that is what they are planning to do. In-fact there are other ways docker containers can be run as regular users, without modifying our internal behavior and adding more complexities. 2019-07-17 14:20:55 -04:00			`# su-exec to requested user, if service cannot run exec will fail.`
Add support for customizable user (#7569) 2019-06-10 10:57:42 -04:00			`docker_switch_user() {`
Allow MinIO to load configurations from env file (#12706) docker-entrypoint.sh will load configuration values from 'config.env' file, this is useful when MinIO is deployed in Kubernetes environments and want to avoid reading secrets from environment variables Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com> 2021-07-14 19:55:59 -04:00			`if [ -n "${MINIO_USERNAME}" ] && [ -n "${MINIO_GROUPNAME}" ]; then`
			`if [ -n "${MINIO_UID}" ] && [ -n "${MINIO_GID}" ]; then`
Remove alpine based image in favour or RedHat UBI (#11006) 2020-12-08 14:14:06 -05:00			`groupadd -g "$MINIO_GID" "$MINIO_GROUPNAME" && \`
			`useradd -u "$MINIO_UID" -g "$MINIO_GROUPNAME" "$MINIO_USERNAME"`
			`else`
			`groupadd "$MINIO_GROUPNAME" && \`
			`useradd -g "$MINIO_GROUPNAME" "$MINIO_USERNAME"`
			`fi`
Allow MinIO to load configurations from env file (#12706) docker-entrypoint.sh will load configuration values from 'config.env' file, this is useful when MinIO is deployed in Kubernetes environments and want to avoid reading secrets from environment variables Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com> 2021-07-14 19:55:59 -04:00			`exec setpriv --reuid="${MINIO_USERNAME}" \`
			`--regid="${MINIO_GROUPNAME}" --keep-groups "$@"`
Deprecate auto detection of container user (#7930) There is no reliable way to handle fallbacks for MinIO deployments, due to various command line options and multiple locations which require access inside container. Parsing command line options is tricky to figure out which is the backend disk etc, we did try to fix this in implementations of check-user.go but it wasn't complete and introduced more bugs. This PR simplifies the entire approach to rather than running Docker container as non-root by default always, it allows users to opt-in. Such that they are aware that that is what they are planning to do. In-fact there are other ways docker containers can be run as regular users, without modifying our internal behavior and adding more complexities. 2019-07-17 14:20:55 -04:00			`else`
			`exec "$@"`
Allow su-exec to fail when users explicity use --user (#7776) This allows MinIO containers to run properly without expecting higher privileges in situations where following restrictions on containers are used - docker run --user uid:gid - docker-compose up (with docker-compose.yml with user) ```yml ... user: "1001:1001" command: minio server /data ... ``` - All openshift containers Fixes #7773 2019-06-12 15:16:21 -04:00			`fi`
docker: Support docker swarm secrets. (#3977) Fixes #3896 2017-04-08 04:43:40 -04:00			`}`

do not pass master_key to secret_key 2021-05-05 18:20:02 -04:00			`## Set access env from secrets if necessary. Legacy`
Revert "fix: remove deprecated MINIO_ACCESS_KEY, MINIO_SECRET_KEY envs (#12173)" This reverts commit b0baaeaa3ddee9573d3b1ac698e1182d2cc883fe. 2021-04-29 13:55:05 -04:00			`docker_secrets_env_old`

do not pass master_key to secret_key 2021-05-05 18:20:02 -04:00			`## Set access env from secrets if necessary. Override`
Add waiting on hosts in docker entrypoint for distributed setups. (#4244) Thanks to Remco Verhoef <remco@dutchcoders.io> for the script. Fixes #4225 2017-05-04 03:48:13 -04:00			`docker_secrets_env`

do not pass master_key to secret_key 2021-05-05 18:20:02 -04:00			`## Set kms encryption from secrets if necessary. Override`
			`docker_kms_secret_encryption_env`
Add KMS master key from Docker secret (#7825) 2019-07-17 15:55:26 -04:00
Allow MinIO to load configurations from env file (#12706) docker-entrypoint.sh will load configuration values from 'config.env' file, this is useful when MinIO is deployed in Kubernetes environments and want to avoid reading secrets from environment variables Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com> 2021-07-14 19:55:59 -04:00			`## Set all config environment variables from 'config.env' if necessary.`
			`## Overrides all previous settings and also overrides all`
			`## environment values passed from 'podman run -e ENV=value'`
			`docker_minio_env`

Add support for customizable user (#7569) 2019-06-10 10:57:42 -04:00			`## Switch to user if applicable.`
			`docker_switch_user "$@"`