@ShadowArcanist ShadowArcanist commented Jan 13, 2026

Changes

  • The image used for minio in the docker compose template (image: "bitnami/minio:latest") is unmaintained and vulnerable to CVE-2025-62506, so we will be using ghcr.io/coollabsio/minio, which provides automated docker builds (by the Coolify Team) using the official minio source code.

  • Added instructions (as comments) for using remote S3-compatible storage

  • Added healthcheck to all services in the compose

Testing

  • All services except the media server are working fine. The media server docker image is not published on ghcr.io, so I couldn't pull the image to test it

Notes

Greptile Summary

This PR addresses a critical security vulnerability (CVE-2025-62506) by replacing the unmaintained bitnami/minio:latest image with ghcr.io/coollabsio/minio:RELEASE.2025-10-15T17-29-55Z. The changes also standardize MinIO to use default ports (9000 for API, 9001 for console), add comprehensive healthchecks to all services, and include helpful documentation for both local and remote S3 configuration options.

  • Switched from vulnerable bitnami/minio to maintained coollabsio/minio build
  • Updated MinIO API/Console ports from custom 3902/3903 to standard 9000/9001
  • Added healthchecks to cap-web, ps-mysql, and minio services for better service monitoring
  • Added detailed comments explaining S3 configuration for both remote (AWS S3, Cloudflare R2) and local MinIO setups
  • Updated internal and public S3 endpoints to reflect new port configuration
  • Simplified MinIO volume paths and environment variables to match official MinIO conventions

Issues identified:

  • Two typos in comments that need correction
  • MinIO healthcheck uses mc ready local command which may not be available in the specified image (needs verification or alternative HTTP-based healthcheck)

Confidence Score: 4/5

  • This PR is safe to merge with minor corrections needed for typos and potential healthcheck verification
  • The PR addresses a critical security vulnerability by replacing an unmaintained vulnerable MinIO image, includes well-designed healthchecks for service monitoring, and provides clear documentation. Two spelling errors and one potential healthcheck command compatibility issue were identified but are easy to fix. The port changes are well-documented and the configuration updates are consistent throughout the file.
  • docker-compose.template.yml requires minor typo corrections and verification that the MinIO healthcheck command will work with the chosen image

Important Files Changed

| Filename | Overview |
| --- | --- |
| docker-compose.template.yml | Replaced vulnerable bitnami/minio with ghcr.io/coollabsio/minio, updated ports from 3902/3903 to standard 9000/9001, added healthchecks to all services, and included S3 configuration documentation; minor typos and potential healthcheck issue identified |

Sequence Diagram

sequenceDiagram
    participant Docker as Docker Engine
    participant Web as cap-web
    participant MySQL as ps-mysql
    participant MinIO as minio
    participant MediaServer as cap-media-server

    Note over Docker,MediaServer: Service Startup & Healthcheck Flow

    Docker->>MySQL: Start MySQL service
    activate MySQL
    MySQL-->>Docker: Service running
    
    loop Every 10s (after 20s start_period)
        Docker->>MySQL: mysqladmin ping -h localhost
        MySQL-->>Docker: pong (healthy)
    end

    Docker->>MinIO: Start MinIO service
    activate MinIO
    MinIO-->>Docker: Service running
    
    loop Every 10s (after 10s start_period)
        Docker->>MinIO: mc ready local
        MinIO-->>Docker: ready (healthy)
    end

    Docker->>Web: Start cap-web service
    activate Web
    Web->>MySQL: Connect to DATABASE_URL
    Web->>MinIO: Connect to S3_INTERNAL_ENDPOINT (http://minio:9000)
    Web-->>Docker: Service running
    
    loop Every 10s (after 10s start_period)
        Docker->>Web: wget --spider -q http://127.0.0.1:3000/
        Web-->>Docker: HTTP 200 (healthy)
    end

    Docker->>MediaServer: Start media-server service
    activate MediaServer
    MediaServer-->>Docker: Service running
    Note over MediaServer: No healthcheck (commented out)
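
The replaced image reference used the latest tag while the new one pins a release tag, and the PR adds healthchecks to the services; both conditions can be checked mechanically. The following is an added example, not part of the PR or the project's code: it assumes 2-space indented compose files, runs on a constructed sample, and `parse_services`, `floating_tag` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample of the "before" state; service names and the bitnami
# image come from the PR text, the other image references are illustrative.
SAMPLE = """\
services:
  cap-web:
    image: ghcr.io/example/cap-web:1.2.3
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:3000/"]
  ps-mysql:
    image: mysql:8.0
  minio:
    image: "bitnami/minio:latest"
"""

def parse_services(text):
    """Map each service to its direct keys (assumes 2-space indentation)."""
    services, current, in_services = {}, None, False
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        m = re.match(r"\s*([\w.-]+):\s*(.*)$", line)
        if indent == 0:
            in_services, current = line.strip() == "services:", None
        elif in_services and indent == 2 and m:
            current = services.setdefault(m.group(1), {})
        elif in_services and indent == 4 and m and current is not None:
            current[m.group(1)] = m.group(2).strip("\"'")
    return services

def floating_tag(image):
    """True if the reference has no digest and its tag is missing or 'latest'."""
    if "@sha256:" in image:
        return False
    last = image.rsplit("/", 1)[-1]  # skip any registry host:port part
    tag = last.split(":", 1)[1] if ":" in last else ""
    return tag in ("", "latest")

def audit(text):
    findings = []
    for name, cfg in parse_services(text).items():
        image = cfg.get("image", "")
        if image and floating_tag(image):
            findings.append((name, "floating image tag: " + image))
        if "healthcheck" not in cfg:
            findings.append((name, "no healthcheck"))
    return findings
```

Calling `audit(SAMPLE)` returns a list of `(service, finding)` tuples; an empty list means every service has a pinned image and a healthcheck.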

@greptile-apps greptile-apps bot left a comment

1 file reviewed, 3 comments

ShadowArcanist and others added 2 commits January 14, 2026 00:29
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>