Closed anjalshireesh closed 2 weeks ago
@dvaldivia I think we should fix this for both AIStor and MinIO. Will we remove subnet support for MinIO when AIStor is released or will we keep supporting customers that want to stay on upstream MinIO?
I did some investigation and I found that this only happens when not running in development mode. It looks like the license verification code tries to download the public key that is used for license key verification. It does fall back to a hardcoded offline key if it cannot contact subnet.min.io.
I think we should disable downloading Subnet's public verification key. The code always uses the hardcoded license key. If we rotate the private key for some reason, then new licenses should use a new release. We may want to allow overriding the hardcoded key, by specifying an environment variable that holds the base64 encoded public key. Users can set that environment variable if they insist on using an older version with a rotated license key.
I noticed that MinIO also contacts https://dl.min.io/server/minio/release/linux-amd64/minio.sha256sum during start-up, unless MINIO_UPDATE is set explicitly to off. We also may want to disable fetching an updated license key if this flag is set.
@harshavardhana @dvaldivia How do you want to proceed with this?
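The offline verification with an environment-variable override proposed in the comment above, as an added example that is not part of the thread or of MinIO's code. The variable name, the choice of Ed25519 and the demo key pair are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
)

// Hypothetical variable name: the thread proposes the mechanism, not a name.
const keyEnv = "LICENSE_VERIFY_KEY_B64"

// Constructed demo key pair: demoPriv stands in for the vendor's signing key,
// embeddedPub for the public half a release would hardcode.
var demoPriv = ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
var embeddedPub = demoPriv.Public().(ed25519.PublicKey)

// verificationKey picks the key without any network access: the operator's
// override if set, otherwise the key compiled into the binary.
func verificationKey() (ed25519.PublicKey, error) {
	v := os.Getenv(keyEnv)
	if v == "" {
		return embeddedPub, nil
	}
	raw, err := base64.StdEncoding.DecodeString(v)
	if err != nil || len(raw) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("%s: not a base64-encoded %d-byte key", keyEnv, ed25519.PublicKeySize)
	}
	return ed25519.PublicKey(raw), nil
}

// verifyLicense fails closed: a malformed override is an error, never a
// silent fallback to the embedded key.
func verifyLicense(payload, sig []byte) error {
	pub, err := verificationKey()
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("license signature does not verify")
	}
	return nil
}

func main() {
	payload := []byte(`{"org":"example","plan":"constructed"}`) // constructed sample
	fmt.Println("embedded key:", verifyLicense(payload, ed25519.Sign(demoPriv, payload)))
}
```
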
For aistor, there is a new miniohq/license package that doesn't talk to subnet during license verification. eos itself exposes an api for license info and console shouldn't have to do any license verification itself.
For upstream, I think we can remove license related code in console. Might be better to confirm with @abperiasamy once.
All new licenses will be issued for AIStor. I guess it would be fine to stop downloading an updated license verification key. I'll remove it from the code, so we'll keep the license check in, but without contacting subnet.
Should we also set MINIO_UPDATE=off in AIStor operator? I think the current version will still try to contact the MinIO download server to check for updates.
Expected: console should not talk to SUBNET on startup
Actual: console communicates with SUBNET on startup
How to reproduce?
ncat -l -p 443
127.0.0.1 subnet.min.io to /etc/hosts
You will observe communication with subnet.min.io
This does not happen if you start minio after setting MINIO_BROWSER=off