minio / console

Simple UI for MinIO Object Storage :abacus:
https://min.io/docs/minio/linux/index.html
GNU Affero General Public License v3.0
852 stars 282 forks source link

console tries to communicate with SUBNET on startup #3456

Closed anjalshireesh closed 2 weeks ago

anjalshireesh commented 1 month ago

Expected: console should not talk to SUBNET on startup Actual: console communicates with SUBNET on startup

How to reproduce?

You will observe communication with subnet.min.io

This does not happen if you start minio after setting MINIO_BROWSER=off

ramondeklein commented 1 month ago

@dvaldivia I think we should fix this for both AIStor and MinIO. Will we remove subnet support for MinIO when AIStor is released or will we keep supporting customers that want to stay on upstream MinIO?

ramondeklein commented 1 month ago

I did some investigation and I found that this only happens when not running in development mode. It looks like the license verification code tries to download the public key that is used for license key verification. It does fallback to a hardcoded offline key, if it cannot contact subnet.min.io.

I think we should disable downloading Subnet's public verification key. The code always uses the hardcoded license key. If we rotate the private key for some reason, then new licenses should use a new release. We may want to allow overriding the hardcoded key, by specifying an environment variable that holds the base64 encoded public key. Users can set that environment variable if they insist on using an older version with a rotated license key.

ramondeklein commented 1 month ago

I noticed that MinIO also contacts https://dl.min.io/server/minio/release/linux-amd64/minio.sha256sum during start-up, unless MINIO_UPDATE is set explicitly to off. We also may want to disable fetching an updated license key if this flag is set.

ramondeklein commented 1 month ago

@harshavardhana @dvaldivia How do you want to proceed with this?

anjalshireesh commented 1 month ago

For aistor, there is a new miniohq/license package that doesn't talk to subnet during license verification. eos itself exposes an api for license info and console shouldn't have to do any license verification itself.

For upstream, I think we can remove license related code in console. Might be better to confirm with @abperiasamy once.

ramondeklein commented 1 month ago

All new licenses will be issued for AIStor. I guess it would be fine to stop downloading an updated license verification key. I'll remove it from the code, so we'll keep the license check in, but without contacting subnet.

Should we also set MINIO_UPDATE=off in AIStor operator? I think the current version will still try to contact the MinIO download server to check for updates.