github.com/minio/minio@v0.0.0-20240328213742-3f72439b8a27/docs/hotfixes.md

     1  # Introduction
     2  
     3  This document outlines how to make hotfix binaries and containers for MinIO. The main focus of this article is how to backport patches to a specific branch and then build binaries/containers.
     4  
     5  ## Pre-pre requisite
     6  
     7  - A working knowledge of MinIO codebase and its various components.
     8  - A working knowledge of AWS S3 API behaviors and corner cases.
     9  
    10  ## Pre-requisite for backporting any fixes
    11  
    12  Fixes that are allowed a backport must satisfy any of the following criteria:
    13  
    14  - A fix must not be a feature, for example:
    15  
    16  ```
    17  commit faf013ec84051b92ae0f420a658b8d35bb7bb000
    18  Author: Klaus Post <klauspost@gmail.com>
    19  Date:   Thu Nov 18 12:15:22 2021 -0800
    20  
    21      Improve performance on multiple versions (#13573)
    22  ```
    23  
    24  - A fix must be a valid fix that was reproduced and seen in a customer environment, for example:
    25  
    26  ```
    27  commit 886262e58af77ebc7c836ef587c08544e9a0c271
    28  Author: Harshavardhana <harsha@minio.io>
    29  Date:   Wed Nov 17 15:49:12 2021 -0800
    30  
    31      heal legacy objects when versioning is enabled after upgrade (#13671)
    32  ```
    33  
    34  - A security fix must be backported if a customer is affected by it. We have a mechanism in SUBNET to send out notifications to affected customers in such situations; this is a mandatory requirement.
    35  
    36  ```
    37  commit 99bf4d0c429f04dbd013ba98840d07b759ae1702 (tag: RELEASE.2019-06-15T23-07-18Z)
    38  Author: Harshavardhana <harsha@minio.io>
    39  Date:   Sat Jun 15 11:27:17 2019 -0700
    40  
    41      [security] Match ${aws:username} exactly instead of prefix match (#7791)
    42  
    43      This PR fixes a security issue where an IAM user based
    44      on his policy is granted more privileges than restricted
    45      by the users IAM policy.
    46  
    47      This is due to an issue of prefix based Matcher() function
    48      which was incorrectly matching prefix based on resource
    49      prefixes instead of exact match.
    50  ```
    51  
    52  - There is always a possibility that a fix is new. In that case the developer is advised to make sure that the fix is sent upstream, reviewed and merged to the master branch.
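
The security fix quoted in the list above turns on the difference between prefix matching and exact matching of a policy resource after `${aws:username}` is substituted. The Go program below is an added illustration, not MinIO's `Matcher()` code; the policy patterns, the `allowed` and `wildcardMatch` helpers, the `prefixBug` switch and the user names are all constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed policy: each user may touch only their own home prefix.
var policyResources = []string{"home/${aws:username}", "home/${aws:username}/*"}

// wildcardMatch supports only a trailing "*" (a simplification of real
// policy wildcards); without one the comparison is an exact match.
func wildcardMatch(pattern, resource string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(resource, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == resource
}

// allowed reports whether username may access resource. With prefixBug set
// it also accepts any resource that merely starts with the expanded pattern,
// which is the class of over-grant the commit message describes.
func allowed(username, resource string, prefixBug bool) bool {
	for _, pattern := range policyResources {
		p := strings.ReplaceAll(pattern, "${aws:username}", username)
		if prefixBug && strings.HasPrefix(resource, p) {
			return true
		}
		if wildcardMatch(p, resource) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed requests made by user "alice".
	for _, r := range []string{"home/alice/notes.txt", "home/alice2/report.csv", "home/bob/x"} {
		fmt.Printf("%-24s prefix=%-5v exact=%v\n", r,
			allowed("alice", r, true), allowed("alice", r, false))
	}
}
```

A regression test for a backported fix of this kind should include a neighbouring name that shares the prefix (`alice` versus `alice2`), since requests to the user's own path pass under both behaviours.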
    53  
    54  ## Creating a hotfix branch
    55  
    56  MinIO customers are allowed LTS on any release they choose to standardize on. Production setups seldom change and require maintenance. Hotfix branches are maintenance branches that allow customers to operate a production cluster without drastic changes to their deployment.
    57  
    58  ## Backporting a fix
    59  
    60  The developer is advised to clone the MinIO source and check out the MinIO release tag the customer is currently on.
    61  
    62  ```
    63  λ git checkout RELEASE.2021-04-22T15-44-28Z
    64  ```
    65  
    66  Create a branch and proceed to push the branch **upstream**
    67  > (upstream here points to git@github.com:minio/minio.git)
    68  
    69  ```
    70  λ git checkout -b RELEASE.2021-04-22T15-44-28Z.hotfix
    71  λ git push -u upstream RELEASE.2021-04-22T15-44-28Z.hotfix
    72  ```
    73  
    74  Pick the relevant commit-id, for example the following commit-id from the master branch:
    75  
    76  ```
    77  commit 4f3317effea38c203c358af9cb5ce3c0e4173976
    78  Author: Klaus Post <klauspost@gmail.com>
    79  Date:   Mon Nov 8 08:41:27 2021 -0800
    80  
    81      Close stream on panic (#13605)
    82  
    83      Always close streamHTTPResponse on panic on main thread to avoid
    84      write/flush after response handler has returned.
    85  ```
    86  
    87  ```
    88  λ git cherry-pick 4f3317effea38c203c358af9cb5ce3c0e4173976
    89  ```
    90  
    91  *A self-contained **patch** usually applies cleanly on the hotfix branch during a backport. There are situations, however, where the patch conflicts and does not apply cleanly. Trivial conflicts can be resolved easily; when conflicts are non-trivial or touch a part of the code-base the developer is not confident about, reach out to #hack on the MinIOHQ Slack channel for additional clarity. Hasty changes must be avoided. Minor fixes and logs may be added to hotfix branches, but this should not become a practice.*
    92  
    93  Once the **patch** is successfully applied, the developer must validate the backported fix by running the following tests locally.
    94  
    95  Unit tests
    96  
    97  ```
    98  λ make test
    99  ```
   100  
   101  Verify that different types of MinIO deployments work
   102  
   103  ```
   104  λ make verify
   105  ```
   106  
   107  Verify that healing and replacing a drive works
   108  
   109  ```
   110  λ make verify-healing
   111  ```
   112  
   113  At this point the backport is ready to be submitted as a pull request to the relevant branch. A pull request is recommended to ensure [mint](http://github.com/minio/mint) tests are validated. A pull request also ensures code review for the backports in case of any unforeseen regressions.
   114  
   115  ### Building a hotfix binary and container
   116  
   117  To add a hotfix tag to the binary version and embed the relevant `commit-id`, the following build helpers are available:
   118  
   119  #### Builds the hotfix binary and uploads to https://dl.min.io
   120  
   121  ```
   122  λ CRED_DIR=/media/builder/minio make hotfix-push
   123  ```
   124  
   125  #### Builds the hotfix container and pushes to docker.io/minio/minio
   126  
   127  ```
   128  λ CRED_DIR=/media/builder/minio make docker-hotfix-push
   129  ```
   130  
   131  #### Builds the hotfix container and pushes to registry.min.dev/<customer>/minio
   132  
   133  ```
   134  λ REPO="registry.min.dev/<customer>" CRED_DIR=/media/builder/minio make docker-hotfix-push
   135  ```
   136  
   137  Once this has been provided to the customer, the relevant binary will be uploaded securely from our *release server* directly to <https://dl.minio.io/server/minio/hotfixes/archive/>