From 39d51ce84513a45061906bda087b2443bc712522 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Thu, 9 Sep 2021 22:19:11 -0700
Subject: [PATCH] fix: add Dockerfile.release* /opt/bin writable
---
 Dockerfile.release | 12 +++++++-----
 Dockerfile.release.fips | 12 +++++++-----
 Dockerfile.scratch | 5 +++++
 dockerscripts/verify-minio.sh | 6 +++---
 4 files changed, 22 insertions(+), 13 deletions(-)
 create mode 100644 Dockerfile.scratch
diff --git a/Dockerfile.release b/Dockerfile.release
index e1d63e9ac..9579922c0 100644
--- a/Dockerfile.release
+++ b/Dockerfile.release
@@ -18,7 +18,8 @@ ENV MINIO_ACCESS_KEY_FILE=access_key \
 MINIO_ROOT_PASSWORD_FILE=secret_key \
 MINIO_KMS_SECRET_KEY_FILE=kms_master_key \
 MINIO_UPDATE_MINISIGN_PUBKEY="RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav" \
- MINIO_CONFIG_ENV_FILE=config.env
+ MINIO_CONFIG_ENV_FILE=config.env \
+ PATH=$PATH:/opt/bin
 COPY dockerscripts/verify-minio.sh /usr/bin/verify-minio.sh
 COPY dockerscripts/docker-entrypoint.sh /usr/bin/docker-entrypoint.sh
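Review bot: The added `PATH=$PATH:/opt/bin` carries no comment saying why a second binary directory is needed or why it is appended rather than prepended, and the order matters because the RUN hunk of the same file makes `/opt/bin` mode 777. Keeping it last means nothing written there can shadow a command that already exists in the system directories. A comment above the ENV instruction such as `# /opt/bin is writable at runtime: keep it LAST in PATH so it cannot shadow system binaries` would protect that ordering from a later edit. The ENV instruction begins outside this hunk, and the same addition appears in the ENV hunk of Dockerfile.release.fips.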
@@ -30,11 +31,12 @@ RUN \
 microdnf install curl ca-certificates shadow-utils util-linux iproute iputils --nodocs && \
 rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
 microdnf install minisign --nodocs && \
- curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE} -o /usr/bin/minio && \
- curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE}.sha256sum -o /usr/bin/minio.sha256sum && \
- curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE}.minisig -o /usr/bin/minio.minisig && \
+ mkdir -p /opt/bin && chmod -R 777 /opt/bin && \
+ curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE} -o /opt/bin/minio && \
+ curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE}.sha256sum -o /opt/bin/minio.sha256sum && \
+ curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE}.minisig -o /opt/bin/minio.minisig && \
 microdnf clean all && \
- chmod +x /usr/bin/minio && \
+ chmod +x /opt/bin/minio && \
 chmod +x /usr/bin/docker-entrypoint.sh && \
 chmod +x /usr/bin/verify-minio.sh && \
 /usr/bin/verify-minio.sh
diff --git a/Dockerfile.release.fips b/Dockerfile.release.fips
index ec3a640a7..c29942ecd 100644
--- a/Dockerfile.release.fips
+++ b/Dockerfile.release.fips
@@ -18,7 +18,8 @@ ENV MINIO_ACCESS_KEY_FILE=access_key \
 MINIO_ROOT_PASSWORD_FILE=secret_key \
 MINIO_KMS_SECRET_KEY_FILE=kms_master_key \
 MINIO_UPDATE_MINISIGN_PUBKEY="RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav" \
- MINIO_CONFIG_ENV_FILE=config.env
+ MINIO_CONFIG_ENV_FILE=config.env \
+ PATH=$PATH:/opt/bin
 COPY dockerscripts/verify-minio.sh /usr/bin/verify-minio.sh
 COPY dockerscripts/docker-entrypoint.sh /usr/bin/docker-entrypoint.sh
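Review bot: In the Dockerfile.release RUN hunk (`@@ -30,11 +31,12 @@`), `chmod -R 777 /opt/bin` leaves the directory holding the verified `minio` binary writable by every UID, and the ENV hunk of the same file puts that directory on `PATH`; write access to the directory is enough to rename or replace the binary, so the checksum and minisign result from `verify-minio.sh` is a build-time guarantee only. The `-R` does nothing here, because the directory is still empty when it runs. If the aim is in-place updates by a non-root runtime user (the subject line suggests so, the diff does not name the UID), grant write to that user or group only, for example `mkdir -p /opt/bin && chgrp 0 /opt/bin && chmod 0775 /opt/bin && \` for runtimes that assign an arbitrary UID in group 0, with a comment stating why. The identical line is added in the RUN hunk of Dockerfile.release.fips, and the RUN instruction begins outside both hunks.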
@@ -30,11 +31,12 @@ RUN \
 microdnf install curl ca-certificates shadow-utils util-linux iproute iputils --nodocs && \
 rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
 microdnf install minisign --nodocs && \
- curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE}.fips -o /usr/bin/minio && \
- curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE}.fips.sha256sum -o /usr/bin/minio.sha256sum && \
- curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE}.fips.minisig -o /usr/bin/minio.minisig && \
+ mkdir -p /opt/bin && chmod -R 777 /opt/bin && \
+ curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE}.fips -o /opt/bin/minio && \
+ curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE}.fips.sha256sum -o /opt/bin/minio.sha256sum && \
+ curl -s -q https://dl.min.io/server/minio/release/linux-${TARGETARCH}/archive/minio.${RELEASE}.fips.minisig -o /opt/bin/minio.minisig && \
 microdnf clean all && \
- chmod +x /usr/bin/minio && \
+ chmod +x /opt/bin/minio && \
 chmod +x /usr/bin/docker-entrypoint.sh && \
 chmod +x /usr/bin/verify-minio.sh && \
 /usr/bin/verify-minio.sh
diff --git a/Dockerfile.scratch b/Dockerfile.scratch
new file mode 100644
index 000000000..8074aa15c
--- /dev/null
+++ b/Dockerfile.scratch
@@ -0,0 +1,5 @@
+FROM scratch
+
+COPY minio /minio
+
+CMD ["/minio"]
diff --git a/dockerscripts/verify-minio.sh b/dockerscripts/verify-minio.sh
index 528ecb515..aa26143c3 100755
--- a/dockerscripts/verify-minio.sh
+++ b/dockerscripts/verify-minio.sh
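Review bot: The new Dockerfile.scratch has no `USER` instruction, so `/minio` runs as UID 0, and unlike the two release Dockerfiles nothing in it checks the `minio` binary that `COPY` takes from the build context. A numeric user works on scratch without a passwd file, e.g. `USER 1000:1000` (constructed value; use the UID the deployment expects) ahead of the final instruction. `CMD ["/minio"]` is also replaced wholesale by any arguments passed to `docker run`, whereas `ENTRYPOINT ["/minio"]` would keep the binary fixed and let arguments pass through. The commit message does not mention this file, so a header comment saying what produces `minio` in the build context and how it was verified would help.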
@@ -3,14 +3,14 @@ set -e
-if [ ! -x "/usr/bin/minio" ]; then
+if [ ! -x "/opt/bin/minio" ]; then
 echo "minio executable binary not found refusing to proceed"
 exit 1
 fi
 verify_sha256sum() {
 echo "verifying binary checksum"
- echo "$(awk '{print $1}' /usr/bin/minio.sha256sum) /usr/bin/minio" | sha256sum -c
+ echo "$(awk '{print $1}' /opt/bin/minio.sha256sum) /opt/bin/minio" | sha256sum -c
 }
 verify_signature() {
@@ -19,7 +19,7 @@ verify_signature() {
 return
 fi
 echo "verifying binary signature"
- minisign -VQm /usr/bin/minio -P RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav
+ minisign -VQm /opt/bin/minio -P RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav
 }
 main() {
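Review bot: The install path is written as a literal in every check of this script, three occurrences in the first hunk and one more in the `minisign` call of the second, so each move of the binary has to be repeated by hand here and in both Dockerfiles. Define it once near `set -e`, e.g. `MINIO_BIN="${MINIO_BIN:-/opt/bin/minio}"`, and use `"$MINIO_BIN"` and `"$MINIO_BIN.sha256sum"` in the tests. That way a future move cannot leave one check pointing at a stale copy while the others verify the new one.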
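Review bot: `verify_signature` returns before the `minisign` call on one branch (the `return`/`fi` context lines at the top of the second hunk; the condition is outside it), so in that case the binary is accepted on the sha256 check alone, and the Dockerfiles fetch the `.sha256sum` file from the same location as the binary. That branch deserves a comment stating why skipping is acceptable, for instance `# signature check skipped on this branch: only the same-origin sha256sum covers the binary`, or a build failure unless an explicit opt-out is set. The function starts before this hunk.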