MinIO stops distributing free Docker images
I'll let docker's security team know that an insecure, obsolete docker image is being served and the maintainers have officially acknowledged they will no longer support it.
Best to get insecure and vulnerable software out of the hands of those who may not be familiar with this CVE or their change in policy that has not gotten a press release in any way.
Keep in mind this is the same project that removed all useful functionality from the included web UI in the community edition with the excuse that it was too much effort to maintain.
This is another case of VC-funded companies pulling up the ladder behind themselves.
It's an Open Source project - I don't understand what people are complaining about. Noone is entitled to receive free Docker images. I'm sure if there is enough demand, someone else who is trustworthy will step up and automate building them.
What I'd like to complain about instead is the pricing page on the Min.io webpage - it doesn't list any pricing. Looking at https://cloudian.com/blog/minios-ui-removal-leaves-organizat... it seems the prices are not cheap at all (minimum of $96,000 per year). Note that Cloudian is a competitor offering a closed-source product.
Not a full replacement but there is Garage, which was quite well received in other HN threads.
What makes me sad is that, as mentioned in other threads, this destruction in reputation could've totally been avoidable. If MinIO had took the time to give out warnings months in advance and help community members (or even other companies) to host the Docker builds somewhere else, there would've be close to none backlash. Yet they've decided to make it such an abrupt transition and especially when a CVE is involved.
The title of the HN submission might look a bit misleading. It's easy to misinterpret it and think MinIO stops being open source (which would be a bigger deal IMHO).
I think this would be better: "MinIO stops distributing free Docker images"
---
See also the relevant README section: https://github.com/minio/minio?tab=readme-ov-file#source-onl...
We [0] use MinIO with for our clients so we've just thrown together a nightly build process. Use/fork as you wish:
https://github.com/golithus/minio-builds
Example use:
docker run -p 9000:9000 -p 9001:9001 ghcr.io/golithus/minio:latest
I think both sides of this argument are correct:
1. MinIO is a business and they don't owe anything to anyone for free. 2. People using the OSS version also are free to express their dissatisfaction.
This is not contract law though. This is about using OSS as a marketing gimmick to get mindshare, penetrate the market and then do a bait and switch.
From one hand, it is within their right to do whatever they want as marketing. From the other hand, we as the community should be more aware of OSS as marketing vs OSS as we would like to see it.
There is a damage to the community however: this erodes trust in OSS companies, so just like "content marketing" or "influencers" or any other type of marketing, after a while it loses its effectiveness, to the detriment of real "content", real "influence" and real "OSS".
We're working on a binary build process now. We hope to have something up at https://github.com/golithus soon.
We use MinIO (community edition) a fair amount. And while we like it, it is also becoming increasingly clear that our days of deploying are numbered.
We want to start experimenting with Garage for smaller deployments, and would be interesting to hear of any production experiences there. (Anyone done multi-PiB deployments?)
Other than that we're going to start looking at Ceph/Rook for larger deployments.
I don't think this is really a big deal. Plenty of others already maintain public OCI images of Minio (Bitnami is one example). So long as that's the case, there are options. I'm not familiar with Minio's licensing terms, so maybe they can put an end to that practice if they want to, but I suspect there are drop-in replacements other than the official Minio Docker Hub image.
What Minio is doing wrong here is thinking too highly of themselves. Their product is a fine implementation of S3-compatible object storage. It has some features that make it attractive for selfhosting. It's far from the only solution, though. The harder they make it to use, the more people are going to switch to easier alternatives.
A lot of companies try to lock down their popular open source/free products once they have a large market share. It always backfires.
Hashicorp did this. There's no reason to use Terraform anymore; OpenTofu is a drop-in replacement that is just as good for almost everyone, and all the community support will shift to it such that it will inevitably be far superior to Terraform.
Redis became Valkey. MySQL became MariaDB. OwnCloud became Nextcloud.
There are countless examples. Yeah, the commercial entities continue to exist. For companies that need support and contracts, there will still be a market. But they are destroying their pipeline for new customers. Why would anyone use a closed commercial project with no community contribution when there's a free, open source option that's either a 100% compatible drop-in replacement or a low-effort pivot to a functionally-equivalent solution without vendor lock-in and burdensome restrictions?
Minio is shooting themselves in the foot. Most people don't give a crap what's backing their object storage, so long as it works.
Ceph is an open source project run by a foundation. Minio is a company backed by VCs looking for a return. There is also seaweedfs, powerscale, openstack swift and hyperstore. The S3 compatible space is crowded.
Looking at the change to the README last week[1], it looks like MinIO went from "MinIO has no planned or scheduled releases for this repository" and " While a new release may be cut at any time, there is no timeline for when a subsequent release may occur." to "The MinIO community edition is now distributed as source code only".
Based on promises alone, I think that means they un-dropped the open source project but still only distribute the binaries to their customers.
[1]: https://github.com/minio/minio/commit/9e49d5e7a648f00e26f224...
It's absolutely stunning that people actually defend this behaviour!
The community is having an outrage - and rightfully so - about a silently discontinued artifact delivery at a very critical time. Which is their opinion and every human being is entitled to have their own opinion and state it openly.
It is also perfectly fine to expect a standardised behaviour to continue.
However, what is most important is that is perfectly fine to shame an open source product for pulling features and money grabbing people after years of gathering community and locking them in.
I haven't used minio in years, and when I did I only fiddled around with it, but my recollection of it is that it's about the simplest build chain imaginable. Install modern golang, build minio, get single binary.
Anyone relying on an opensource tool like minio, needs to look at:
* organization supporting it
* the license
* the build chain
* who else uses it?
* the distribution artifact needed for production.
If the org behind it ever decides to rugpull/elastic you, what're you gonna do? At least with something like minio, if they're still distributing the source it's trivial to build (and if you can't build it you should evaluate if you're in a position to rely on it).
Let's look at other cool open source things like SigNoz which distribute only docker artifacts (as far as I remember, anyhow) -- if they were to rugpull that people relying on it would be totally lost at sea.
This isn't to say that this isn't poor behavior on minio's part, but I feel like they've been signaling us for a while that they're looking to repay their VC patrons.
`docker build` is free, and faster to type than the fake outrage in the github issues and the dicator-calling below in this thread.
Hey Mike Donovan here. I work at Docker and help with the Docker Official Image (DOI) program. If you're interested in a DOI being created to support the MinIO community chime in here: https://github.com/minio/minio/discussions/21655
I am also so confused as to what MinIO is now. All I see on the website is AIStor - have they dropped the "S3 Alternative" Marketing and went full AI?
So, basically, MinIO is dead.
Time to move on, folks. Dead horse is dead. Kicking it will release toxic decomposition sludge.
I thought one day in the hn TOP-5 was more than enough for MinIO.
I'm even starting to wonder, should we also drop Docker builds to get the same amount of PR for our open-source project.
Time to switch to Garage for dev environments and reconsider minio for prod. This is not how to do open source.
Am I getting this right - someone has been providing things for free for a long time and now people are complaining that they are relying on getting things for free and the "someone" cannot just change this?
https://github.com/coollabsio/minio
I was reading the github discussion and found out that coollabs has taken on the decision to make docker images for these.
https://github.com/coollabsio/minio
https://github.com/minio/minio/issues/21647#issuecomment-342...
>Until we (the community) figure out something, I made an automated docker image version here: https://github.com/coollabsio/minio
The latest release is already available on ghcr and on dockerhub for amd and arm.
Well they have locked the discussion right now it seems but hope the community does something since my brother once asked for how to store audio and I thought that something like S3 could be perfect for it and wanted him to use minio or check it out.
Idk what I will recommend now? Garage? Seaweedfs?
I wonder how many people only use Minio as a localdev S3 alternative.
At least that's all we use it for really
Maintaining docker builds isn’t that huge of a burden (and likely very useful for them too), and they’re delegating hosting to a third party… I don’t get what they’re trying to achieve here.
On one hand, MinIO isn't obligated to anyone... on the other hand, there's a lot of people who now feel obligated to not use MinIO anymore. Given that MinIO won't patch their container images, are obligated in many cases. A Dockerfile that actually builds instead of copying binary blobs should be as simple as one that executes `go build`. So a fork that just adds that one step seems inevitable. Seems such a waste on many levels.
I'm glad to have migrated to garage in time. This is quite unfortunate though as a lot of open source projects, like plane.so, used minio via container images for s3 with docker compose.
While not notifying of the change earlier is annoying, I also don't see anywhere stated that they're obligated to provide services in addition to just providing me the source. Moreover the build-instructions don't seem complicated at all, anyone already extracting value from this should be capable of pulling the source and keep on running with it.
We moved to Seaweedfs around one year ago and I couldn't be happier. It also fixed all of the performance problems we had on MinIO.
It is unfortunate, but somewhere you need to draw the line, if you are planning to stop releases. If they fix this, how about the next? Why fix this one but not the next CVE? Is the reaction same next time and they end up fixing endlessly?
Lots of people in this thread keep repeating the idea that, "Nobody owes anybody anything".
Sure, just like nobody owes minio goodwill or business. People sour on these kinds of things because they feel sneaky and backhanded. It tells you something about the kind of people you're working with.
Imagine if a food kitchen suddenly started charging for the food, without notice. Or they started charging to use changing rooms in clothing stores. Etc, etc. You'd, rightly, expect a negative reaction, even if the "food kitchen doesn't owe anybody anything".
The biggest misstep in these situations is the corporations avoiding being honest and communicative about why the changes are suddenly necessary. We all know, intuitively, that in most cases its because it's not for a good reason. It's because they are greedy or otherwise feel pressured to show infinite growth.
I don't see the problem here in theory - if I want to trust something fully I'll build it myself in my own pipeline, often with additional hardening as needed. It only needs scripting out the build process to fit alongside my other code. I even do this for Linux apps like Signal because I want a clean binary that matches the Git tag, packaged exactly right for my system, built with the libraries already in place locally.
What's not cool is not pushing a fresh Docker image to secure the CVE, leaving anyone using Docker hanging. Regardless of the new policy, they should have followed through and made the fix public on all distribution channels. Leaving a known unsafe version as the last release is irresponsible.
What are folks doing who were just using it for CI/test/dev environments? Just build the image yourself? Use Garage as some have suggested? I'm curious what people see as the pros and cons.
Just use Garage. https://git.deuxfleurs.fr/Deuxfleurs/garage
This reminds me about the bitnami containers. They pulled the docker images so everyone migrated away because they fear they will also pull the artifacts building the project. They never said that. They seem to be continuing to updating the projects and providing access to the artifacts. It is very easy to build the dockers... it is just a dockerfile really... There is really no upside to stop updating the projects, it is free marketing...
This is interesting. I've recently been doing quite a bit of research into what my "future stack" is going to be for backend. MinIO regularly came onto my radar but one heuristic (among many) I use to determine which software is TRULY open source and which is far less likely to remain open source is whether they even provide a link to their Github page and prominently display it on their website. MinIO was triggering my "not really open source" radar for this reason.
I'm still dabbling but have kind of latched onto the idea of using Ceph. To my understanding they were acquired by RedHat, and the project has all the signs of real open source, including the fact that it originated as a doctoral research project at the University of California, Santa Cruz, with initial funding from the U.S. Department of Energy.
I was not familiar with MinIO until this post and I see now 694+ upvotes!
Can anyone give me some background on why MinIO is/was so used? So many people want to self-host S3 compatible software? Just asking, very curious about the whole thing!
Full disclosure: I work for Cloudian.
While I understand the frustration with MinIO’s approach here, I want to be upfront about what Cloudian HyperStore is and isn’t - it is designed for multi-node, multi-site deployments (think 3+ nodes minimum) and performs best on bare metal or dedicated infrastructure rather than containerized environments.
It’s a very mature S3 and offers IAM, SQS and STS endpoints as well.
If you’re running MinIO at scale in production and looking at migration options, I’m happy to connect you with our team who can discuss whether HyperStore makes sense for your use case. That said, for single-node dev environments or lightweight deployments that many here are using MinIO for, the community alternatives mentioned in this thread are probably better fits. Different tools for different scales. Happy to answer any technical questions about HyperStore’s architecture if helpful.
It seems like they've pivoted from being a FOSS alternative to AWS S3 to whatever AIStore[1] is.
this sucks because now im forced to make seaweedfs and ceph work haha
seriously, minio sucks perf wise but they really did a good job making it easy to deploy with docker
Just make a fork and release built images via github actions with ghcr. Then ask people to switch to it.
The great thing about open src is the ability to walk away. removed features in new release? fork and put it back. quit complaining and be the change the world needs you to be
Quite a downward spiral for them. Wow. I mean I get the yearning for turning a profit, but this is yikes. This is the type of thing that guarantees most people using your open source / free variant never return.
Getting it from source is as easy as `go install github.com/minio/minio@latest` if you have a recent Go.
In addition your favorite Linux distribution probably has it as from-source builds already.
For a container image you could try making one from Alpine or Wolfi.
I regret recommending using at in our team.
This move can’t be anything else other than malicious.
MinIO was already before tricky because their interpretation of the AGPL is way to broad.
It's sad to see a company that built itself using (and yes I purposely choose the word using) the community abandon the community in pursuit of maximal profit.
Shameless plug: try Minimus! Minimalistic and always updated container images. We have the MinIO image and it is always up to date. https://www.minimus.io/
Incidentally there is a open source S3 project in rust that I have been following. About a year ago, I applied Garage images to replace some minio instances used in CI pipelines - lighter weight and faster to come up.
Item 15 of the license states:
THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM *"AS IS"* WITHOUT WARRANTY OF ANY KIND
I personally think this is a better option than migrating from an open source license to a source available and I would like more project adopt this approach from the beginning of their projects, to set people's expectation right.
In May, they pretty much said they will not maintain the "community version" anymore.
Exact quote: "it will remain as is, and will only receive security fixes if any”
https://jamesoclaire.com/2025/05/27/how-to-self-host-your-ow...
They've also tried to claim AGPLv3 will infect any networked client code too: "Combining MinIO software as part of a larger software stack triggers your GNU AGPL v3 obligations. The method of combining does not matter. When MinIO is linked to a larger software stack in any form, including statically, dynamically, pipes, or containerized and invoked remotely, the AGPL v3 applies to your use. What triggers the AGPL v3 obligations is the exchanging data between the larger stack and MinIO." -- they've since removed that, utterly unsupported, argument, but the lesson to take home is they're really trying to prevent any non-paid use.
It really is time to stop using Minio.
I think Minio is the only Go client for S3 API and S3-compatible APIs. I cannot say I liked using it, but I had no choice. Nowadays I run my own file storage with my own API, so I no longer care.
But if anyone wants to run their own file storage(so not a client), there is https://github.com/seaweedfs/seaweedfs
Just run `docker build` yourself. Why does this non-issue spawn dozens of comments? This isn't some impossible-to-build Windows C++ project.
minio is guilty of a lot worse sins than pulling a docker image -- hate them for those, not because it's more inconvenient to run.
Surprised by the entitlement of some people. This was FREE labor they were providing, it was never going to last forever.
I hadn't seen the news about MinIO yet.
For others that are surprised by this, it seems that there is a fork of the UI called OpenMaxIO
Recently adopted the Go MinIO SDK to abstract cloud-specific APIs. Really hoping the SDKs don't get a licensing change or yanked next
Render also pushes MinIO as their recommended equivalent to S3 for their customers (using docker), similar to Bucketeer on Heroku.
https://render.com/docs/deploy-minio
Hopefully this will finally push Render to build their own S3 wrapper.
To everyone who gets blocked by this: I prompted Haiku 4.5, Anthropic's cheapest current model, in Claude Code with "Read this github issue: https://github.com/minio/minio/issues/21647 I need a new docker image for the latest minio version. Make it so.". It wrote a Dockerfile, I asked it to build it (not only am I incapable of finding and downloading the Dockerfile from the repository myself, I'm even incapable of remembering how to "build" a "docker"file). It spew out an error which the cheapest model promptly fixed and gave me an image.
You need to be able to do this personally or you should not be running a durable storage cluster in-house. Just pay AWS. You need to add more value to your employer than you cost, and if Anthropic's cheapest model can beat you at such a task then it's not a good look.
garage and for the minio gateway (RIP) i use versitygw
I've switched to garage and it's been absolutely fantastic. I don't know if it has a UI yet, but it's been rock solid.
Garage for s3 emulation is a great tool. https://garagehq.deuxfleurs.fr/
A developer not offering builds themself is a common thing in package managers, like apt or pacman. I don't get why it should be any different for Docker images.
I've been testing the RustFS product for over a month now. While there are some minor bugs, Rust is very stable.
Why didn't YC invest in such a great product?
/me waiting for all complaining about lack of docker image to step up and start providing those images ]:->
Why? The maintainer in the link chooses to be a dick and refuses to explain literally any of the weird decisions they've been making. That would at least help people understand?
Open source is sick. Everyone wants it (both to maintain a successful project, and to use them) until you maintain a popular project for a reasonable time then your realise you're getting used for fuck all value.
We need a healthy way to support open source developers. This isn't working. Companies are taking advantage, and individuals are overwhelmed with choice and have delusional expectations.
No need to get mad or upset about this at all, MinIO is telling us exactly who they are:
They want to be a commercial software vendor, and they don't like open source.
As long as they aren't advertising their product as open source, I don't see an issue.
> We’ve started distributing our software for free
> nice
> We’ve stopped distributing our software for free
> How dare you!
Is there a fork already?
Reasonable.
That seems to be the key word.
One camp argues: Expect nothing. Move on.
The other: Could they - with very little effort (reasonable) - have choosen a more palatable route.
There must be a middle ground between the nihilists and the pampered.
More projects should do this.
I built my own S3-less Minio alternative few weeks ago, should I open source it?
It's built using Rust and React Router.
Just playing around with it
It's ok, just don't use them anymore if you don't like it. I will switch to something else.
Any recommendations for a simple S3 implementation for a local docker-compose development setup for mocking S3? Ideally with a nice UI to check/manipulate files.
Just build your damn image if you need it.
They don’t owe you anything.
Shame. Textbook OSS rug pull. These people love to rely on OSS, and claim how committed they are to contribute to the ecosystem and to their community, but as soon as people are drawn to the project, start relying on it and using it in the same spirit of OSS that they enjoy themselves (which their chosen license allows, mind you), then it becomes a financial burden, priorities shift to their commercial offering, there's no "bandwidth" to maintain and support the "community" edition, and so on.
STOP ABUSING OSS AS A MARKETING GIMMICK.
Or perhaps an advice to people who might actually listen: stop being attracted to open source projects because of the word "open", and because you can use it gratis. There are plenty of good proprietary and commercial software whose authors treat their users with more respect than these leeches of good will and abusers of trust.
I'm not against OSS being commercialized. In fact, I think that it's crucial for maintaining a healthy project in the long-term[1][2]. But this lingers on the developer having respect and equal regard for all their users, regardless of how much they're paying them. Yes, nobody working on software should be expected to work for free. But there is a philosophy behind this movement that goes beyond a financial transaction. It only works if everyone in the ecosystem is honest, and first and foremost has the intention of making the world a better place for everyone, by not only depending on others who have this mindset, but by adopting it themselves. Claiming to be part of the OSS community, but being hostile to your OSS users is dishonest at best, and worthy of all criticism.
what a terrible turn ... screw 'em
so what're you folks moving to? spinning up a local minio instance was what I always sprung for when doing local testing of s3 things...
Edit: 9.4k stars. Looks compelling. https://github.com/rustfs/rustfs
This is a clear Rugpull and Enshittification, no matter what perspective you have.
Once again people will find out that no software should be free.
I used MinIO for local dev. I can use S3 or R2 in some cases instead. Kinda crazy to find out that people use these Docker images in production. Why on earth would you do that?
Since the whole docker thing where people were complaining about having to pay 10USD, I am happy when OSS projects pull the rug, tech bros you're paid to solve your company's issues, nobody in OSS owes you anything, go earn your salary and build the docker image that fix the CVE, or stfu
We all know you don't care about loyalty correctness or anything, you just someone to do the work you're paid for
What did MinIO say to Wordpress? "hold my beer"
Imagine having to build LibreOffice from source to get it installed
e.g. on Windows
Not bad as long the scripts as there.
Still don't get why on earth anybody would run a Docker version of MinIO in production. And why is this even a problem. Not like you put a private storage service on the Internet? Or do you? The incompetence of the average HN user is just mind blowing.
[dead]
[dead]
[dead]
[flagged]
lmao
they dont learn anything after redis case are they????
I never understood Minio. Why not just use S3? Why not just use Ceph?
If you need just the interface for dev environment, I am sure Claude can cobble it together in 1 day.
This seems like a maneuver of a dying company.
They abandoned documentation (edit: for the open source codebase) a couple of weeks ago - that seems more significant.
From their Slack on Oct 10:
"The documentation sites at docs.min.io/community have been pulled of this morning and will redirect to the equivalent AIStor documentation where possible". [emphasis mine]
The minio/docs repository hasn't been updated in 2 weeks now, and the implication is that isn't going to be.
Even when I set up a minio cluster this February, it was both impressively easy and hard in a few small aspects. The most crucial installation tips - around 100Gb networking, Linux kernel tunables and fault-finding - were hung off comments on their github, talking about files that were deleted from the repository years ago.
I've built a cluster for a client that's being expanded to ≈100PB this year. The price of support comes in at at slightly less than the equivalent amount of S3 storage (not including the actual hosting costs!). The value of it just isn't that high to my client - so I guess we're just coasting on what we can get now, and will have to see what real community might form around the source.
I'm not a free software die-hard so I'm grateful for the work minio have put into the world, and the business it's enabling. But it seems super-clear they're stopping those contributions, and I'd bet the final open source release will happen in the next year.
If anyone else is hosting with minio & can't afford the support either :) please drop me a line and maybe we can get something going.