[Bug] MinIO no longer releases new docker builds, and minio/minio:latest has a known vulnerability

[miangraham]

Is there an existing issue for this?

• Yes, I have searched the existing issues and none of them match my problem.

Product Variant

Self-Hosted

Current Behavior

minio/minio:latest has an unpatched disclosed vulnerability with no updates planned.

See:
https://github.com/minio/minio?tab=readme-ov-file#source-only-distribution
minio/minio#21647

I'm not sure what your official instance at rxresu.me is doing, but at the very least the self-hosting docs at https://docs.rxresu.me/product-guides/self-hosting-reactive-resume-using-docker which recommend image: minio/minio:latest at "9000:9000" will result in publicly exposed vulnerable instances if placed anywhere without an external firewall in front of them. I guess you also can't easily block the port as-is since it's used for direct downloads from the browser.

Expected Behavior

Given how MinIO maintainership has been behaving of late I think you'd probably be best served migrating to another compatible S3-like storage server. Failing that, maybe keep an eye out for community-built MinIO image repositories, or consider building your own from source.

It would probably also be a good idea to add a note to the self-hosting docs to make Really Extra Sure that the MinIO port is only exposed to private networks until the problem is well-solved.

[miangraham]

In case there's anyone else out there cleaning this up on NixOS, it was pretty easy to migrate MinIO from container to services.minio with near-default settings. Example over here:

https://codeberg.org/mian/nixos-config/src/commit/6d94cf0d9217dc917570f161d264144be56be4c3/box/makoto/rxresume.nix#L82-L87

I'm also looking into Garage and SeaweedFS to see if they're easy to swap in as replacements.

[AmruthPillai]

Let me know how it goes with using Garage as a possible alternative. If it works, then it should be good to hot-swap any minio references in the code. The code should work with any S3 compatible API, I myself make use of Digital Ocean Spaces on production, but minio was just provided a easy installation step.

[pdlozano]

I just tested it out and it works. I started fresh so I don't know what to suggest to anyone wanting to migrate. But for those who need a new instance, it's a bit more work. First is to use the compose:

garage:
  image: dxflrs/garage:v2.1.0
  volumes:
    - ./garage.toml:/etc/garage.toml:ro
    - ./meta:/var/lib/garage/meta
    - ./data:/var/lib/garage/data
  restart: unless-stopped

Then, make sure garage is up first by running docker compose exec up -d garage. Then you need to run the following:

# TAKE NOTE OF THE nodeid HERE
docker compose exec garage /garage status
docker compose exec garage /garage layout assign -z dc1 -c 1G <nodeid>
docker compose exec garage /garage layout apply --version 1
docker compose exec garage /garage bucket create rxresume

# TAKE NOTE OF THE KEY HERE
docker compose exec garage /garage key create rxresume-key
docker compose exec garage /garage bucket allow --read --write rxresume --key rxresume-key

Then, you can replace the environment variables in the RXResume Compose:

environment:
  STORAGE_URL: http://garage:3900
  STORAGE_ENDPOINT: garage
  STORAGE_PORT: 3900
  STORAGE_REGION: garage
  STORAGE_BUCKET: rxresume
  STORAGE_ACCESS_KEY: [ACCESS KEY]
  STORAGE_SECRET_KEY: [SECRET KEY]
  STORAGE_USE_SSL: false
  STORAGE_SKIP_BUCKET_CHECK: false

Someone please tell me there was actually an easier way to set this up. If it's not possible to use this due to the complicated nature, I suggest at least showing how to use a generic S3 bucket in the configuration.

Maybe it's also possible to provide the one time bash script to set it up?

[miangraham]

@pdlozano Yep, I'm pretty sure that's the shortest path. Confirmed that it works here too.

Sadly it looks like Garage isn't quite a drop-in replacement because it doesn't do anonymous access (yet?), so you can get files stored but redirecting to them in-browser doesn't work as is without credentials.

https://git.deuxfleurs.fr/Deuxfleurs/garage/issues/263

Actually, they have a non-API web access thing that might work with some more fiddling. Haven't tried it yet.

https://garagehq.deuxfleurs.fr/documentation/reference-manual/configuration/#web_bind_addr

[ArjonBu]

I am using Backblaze, which is cheap. Works if you use a hosted solution