fix: implement multi-architecture support for MinIO Client installation#352
fix: implement multi-architecture support for MinIO Client installation#352danielalves96 merged 1 commit intonextfrom
Conversation
There was a problem hiding this comment.
Pull request overview
This PR implements multi-architecture support for MinIO Client (mc) installation in Docker builds by replacing the hardcoded AMD64-only wget command with a dedicated shell script that detects the system architecture and downloads the appropriate binary.
Key Changes:
- Creates a new
install-mc.shscript with architecture detection and retry logic for downloading MinIO Client - Updates the Dockerfile to use the new script instead of a hardcoded wget command
- Adds support for both x86_64 (amd64) and aarch64/arm64 architectures
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| infra/install-mc.sh | New script that detects system architecture, downloads the appropriate MinIO Client binary with retry logic, and installs it to /usr/local/bin/mc |
| Dockerfile | Replaces hardcoded AMD64-only MinIO Client installation with the new multi-architecture installation script |
Comments suppressed due to low confidence (1)
infra/install-mc.sh:34
- The binary is downloaded without checksum verification, which poses a security risk. Consider adding SHA256 checksum verification similar to how package managers validate downloads. You can either:
- Download and verify against a published checksum file from MinIO
- Hardcode known checksums for specific versions (if versioning is added)
Example approach:
wget -O /tmp/mc.sha256sum "$DOWNLOAD_URL.sha256sum"
echo "$(cat /tmp/mc.sha256sum)" | sha256sum -c - if wget -O /tmp/mc "$DOWNLOAD_URL" 2>/dev/null; then
| echo "[BUILD] MinIO Client will not be available" | ||
| exit 1 |
There was a problem hiding this comment.
Inconsistent error handling compared to install-minio.sh. When an unsupported architecture is encountered, install-minio.sh exits with code 0 (allowing the build to continue with external S3 fallback), but this script exits with code 1 (failing the build).
For consistency and to allow builds on unsupported architectures to succeed (with reduced functionality), consider changing line 21 to exit 0 and updating the message to indicate fallback behavior, similar to install-minio.sh lines 21-22.
| echo "[BUILD] MinIO Client will not be available" | |
| exit 1 | |
| echo "[BUILD] MinIO Client will not be available. Build will continue and fallback to external S3." | |
| exit 0 |
| ;; | ||
| esac | ||
|
|
||
| DOWNLOAD_URL="https://dl.min.io/client/mc/release/${MC_ARCH}/mc" |
There was a problem hiding this comment.
Unlike install-minio.sh which pins a specific version (RELEASE.2024-10-13T13-34-11Z), this script downloads the latest MinIO Client release. This could lead to:
- Non-reproducible builds across different build times
- Potential breaking changes if MinIO updates their client
- Build failures if the latest release has issues
Consider adding a MC_VERSION variable at the top of the script (similar to line 7 in install-minio.sh) and using a versioned URL pattern like: https://dl.min.io/client/mc/release/${MC_ARCH}/archive/mc.${MC_VERSION}
|
|
||
| if [ $RETRY_COUNT -eq $MAX_RETRIES ]; then | ||
| echo "[BUILD] ✗ Failed to download MinIO Client after $MAX_RETRIES attempts" | ||
| exit 1 |
There was a problem hiding this comment.
Inconsistent error handling compared to install-minio.sh. When download fails after maximum retries, install-minio.sh exits with code 0 and allows fallback to external S3 (lines 46-48), but this script exits with code 1, failing the Docker build.
For consistency and to allow builds to succeed even if MinIO Client download fails (with reduced functionality), consider changing to exit 0 and adding a message indicating the system will work without the mc client, similar to the pattern in install-minio.sh.
| exit 1 | |
| echo "[BUILD] Proceeding without MinIO Client (mc). System will work with reduced functionality and fallback to external S3 if configured." | |
| exit 0 |
| if wget -O /tmp/mc "$DOWNLOAD_URL" 2>/dev/null; then | ||
| echo "[BUILD] ✓ Download successful" |
There was a problem hiding this comment.
The script downloads and executes a remote binary (wget -O /tmp/mc "$DOWNLOAD_URL") without any integrity or authenticity verification. An attacker who can perform TLS/DNS interception or compromise the download endpoint could supply a malicious mc binary, leading to code execution in the build and propagation into the image. Verify the download using a pinned SHA256 checksum or signature before installation, e.g.,
wget -O /tmp/mc "$DOWNLOAD_URL"
EXPECTED_SHA256="<pin exact hash from release>"
ACTUAL_SHA256=$(sha256sum /tmp/mc | awk '{print $1}')
if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then
echo "[BUILD] Hash mismatch for mc; aborting"
exit 1
fi
chmod +x /tmp/mc && mv /tmp/mc /usr/local/bin/mc
No description provided.