Unable to update to latest Minio, incompatible signature algorithm #913

Closed
braunsonm opened this issue Nov 30, 2021 · 8 comments
@braunsonm
braunsonm commented Nov 30, 2021

Expected Behavior

I should be able to update the Minio version of my tenant to the latest version of Minio.

Current Behavior

The operator reports errors and the tenant gets stuck in an "updating" state.

```
[main-controller.go:577] error syncing 'minio/tenant': Tenant 'tenant' MinIO update failed with Incompatible signature algorithm
```

Steps to Reproduce (for bugs)

  1. Create a tenant with version RELEASE.2021-11-09T03-21-45Z
  2. Upgrade the tenant to version RELEASE.2021-11-24T23-19-33Z
  3. Notice operator errors: Tenant 'tenant' MinIO update failed with Incompatible signature algorithm

Context

There are no alternate solutions; there is no way to update to the latest Minio using the operator as of now.

Regression

Yes

Your Environment

  • Version used (minio-operator): 4.3.5
  • Environment name and version (e.g. kubernetes v1.17.2): 1.21.5
@harshavardhana
Member

I have seen this and reproduced it. Looks like a bug in the operator.

@harshavardhana
Member

You can however manually upgrade the statefulset directly as a workaround.

@harshavardhana harshavardhana self-assigned this Nov 30, 2021
@harshavardhana
Member

Upstream library broke the signature algorithm support due to some pre-hashing techniques added.

jedisct1/go-minisign#8

We will be making a new MinIO release that would resolve this problem, for existing deployments however you can remove the MINIO_UPDATE_MINISIGN_PUBKEY environment variable that would disable signature verification - that will only do sha256sum verification (this should be enough for now)
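
The incompatibility described in the comment above, as an added example (not code from this thread, MinIO, or go-minisign): a minisign signature starts with a 2-byte algorithm tag, and a verifier that only knows the legacy tag rejects prehashed signatures. The tag values `Ed` and `ED` come from the minisign signature format rather than from this page; the function names are hypothetical and the sample signatures are constructed and not cryptographically valid.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Tags per the minisign format: "Ed" signs the file, "ED" signs its BLAKE2b-512 hash.
const algLegacy, algPrehashed = "Ed", "ED"

// SignatureAlgorithm returns the 2-byte algorithm tag of a .minisig file.
func SignatureAlgorithm(minisig string) (string, error) {
	lines := strings.Split(minisig, "\n")
	if len(lines) < 2 || !strings.HasPrefix(lines[0], "untrusted comment: ") {
		return "", errors.New("not a minisign signature file")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(lines[1]))
	if err != nil {
		return "", fmt.Errorf("signature line: %w", err)
	}
	if len(raw) != 74 { // 2-byte tag + 8-byte key id + 64-byte signature
		return "", fmt.Errorf("signature line: got %d bytes, want 74", len(raw))
	}
	return string(raw[:2]), nil
}

// LegacyOnlyCheck mimics a pre-prehash verifier (hypothetical, not go-minisign's code).
func LegacyOnlyCheck(minisig string) error {
	alg, err := SignatureAlgorithm(minisig)
	if err == nil && alg != algLegacy {
		err = errors.New("Incompatible signature algorithm")
	}
	return err
}

// sampleSig builds a constructed, cryptographically invalid signature file.
func sampleSig(alg string) string {
	blob := append([]byte(alg), make([]byte, 72)...)
	return "untrusted comment: constructed sample\n" +
		base64.StdEncoding.EncodeToString(blob) + "\ntrusted comment: none\n"
}

func main() {
	for _, alg := range []string{algLegacy, algPrehashed} {
		fmt.Printf("%s -> %v\n", alg, LegacyOnlyCheck(sampleSig(alg)))
	}
}
```

Running `SignatureAlgorithm` over the `.minisig` file published with a release shows which tag the release was signed with before an in-place update is attempted.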

harshavardhana added a commit to harshavardhana/minio that referenced this issue Dec 15, 2021
minisign v0.10.0 tool broke compatibility to leading
to our library failing to parse the newer signatures.

This PR
fixes - minio/operator#913
fixes - minio#13824

A workaround for users facing this problem is to unset

```
MINIO_UPDATE_MINISIGN_PUBKEY
```

or set it to `empty` string then signature verification
is skipped automatically.
harshavardhana added a commit to harshavardhana/minio that referenced this issue Dec 15, 2021
minisign v0.10.0 tool broke compatibility, that leads
to our library failing to parse the newer signatures.

This PR
fixes - minio/operator#913
fixes - minio#13824

A workaround for users facing this problem is to unset

```
MINIO_UPDATE_MINISIGN_PUBKEY
```

or set it to `empty` string then signature verification
is skipped automatically.
@mshanmu
Contributor
mshanmu commented Dec 15, 2021

> Upstream library broke the signature algorithm support due to some pre-hashing techniques added.
>
> jedisct1/go-minisign#8
>
> We will be making a new MinIO release that would resolve this problem, for existing deployments however you can remove the MINIO_UPDATE_MINISIGN_PUBKEY environment variable that would disable signature verification - that will only do sha256sum verification (this should be enough for now)

Just curious here, I just upgraded the MinIO from RELEASE.2021-10-13T00-23-17Z to RELEASE.2021-12-10T23-03-39Z, using v4.3.7 operator (upgraded from v4.3.1). I thought the upgrade would fail with the above error, instead it went fine. So, what am I missing here?

Btw, it did have the MINIO_UPDATE_MINISIGN_PUBKEY environment variable set.

@harshavardhana
Member

> Just curious here, I just upgraded the MinIO from RELEASE.2021-10-13T00-23-17Z to RELEASE.2021-12-10T23-03-39Z, using v4.3.7 operator (upgraded from v4.3.1). I thought the upgrade will fail with the above error, instead it went fine. So, What am I missing here?

Well, it will go fine even if it failed in the operator since - operator decides to apply the statefulset changes by rolling the pods. @mshanmu

It is not working for specific situations where the Operator does in-place updates.

@mshanmu
Contributor
mshanmu commented Dec 15, 2021

@harshavardhana Thanks for the explanation

harshavardhana added a commit to minio/minio that referenced this issue Dec 15, 2021
minisign v0.10.0 tool broke compatibility, that leads
to our library failing to parse the newer signatures.

This PR
fixes - minio/operator#913
fixes - #13824

A workaround for users facing this problem is to unset

```
MINIO_UPDATE_MINISIGN_PUBKEY
```

or set it to `empty` string then signature verification
is skipped automatically.
@braunsonm
Author

@harshavardhana This issue remains on minio version RELEASE.2021-12-18T04-42-33Z. Is there an operator update we need first?

@harshavardhana
Member

> @harshavardhana This issue remains on minio version RELEASE.2021-12-18T04-42-33Z. Is there an operator update we need first?

This will only be fixed after you update to this release.

i.e., you update to this release first, and then you can update the normal way in the future.
