Revert "fix: improve docker set up"

.docker/Dockerfile-alpine

@@ -1,22 +1,22 @@
 FROM alpine:3.20
 
-RUN <<HEREDOC
+RUN addgroup -S ory; \
+    adduser -S ory -G ory -D -H -s /bin/nologin && \
+    apk upgrade --no-cache && \
     apk add --no-cache --upgrade ca-certificates
 
-    # Add a user/group for nonroot with a stable UID + GID. Values are from nonroot from distroless
-    # for interoperability with other containers.
-    addgroup --system --gid 65532 nonroot
-    adduser --system --uid 65532 \
-      --gecos "nonroot User" \
-      --home /home/nonroot \
-      --ingroup nonroot \
-      --shell /sbin/nologin \
-      nonroot
-HEREDOC
-
 COPY hydra /usr/bin/hydra
 
-USER nonroot
+# set up nsswitch.conf for Go's "netgo" implementation
+# - https://github.com/golang/go/blob/go1.9.1/src/net/conf.go#L194-L275
+RUN echo 'hosts: files dns' > /etc/nsswitch.conf
+
+# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
+# is required for read/write of SQLite.
+RUN mkdir -p /var/lib/sqlite && \
+    chown ory:ory /var/lib/sqlite
+
+USER ory
 
 ENTRYPOINT ["hydra"]
 CMD ["serve", "all"]

.docker/Dockerfile-local-build → .docker/Dockerfile-build

@@ -3,6 +3,7 @@ FROM golang:1.22 AS builder
 WORKDIR /go/src/github.com/ory/hydra
 
 RUN apt-get update && apt-get upgrade -y &&\
+    mkdir -p /var/lib/sqlite &&\
     mkdir -p ./internal/httpclient
 
 COPY go.mod go.sum ./
@@ -17,10 +18,13 @@ RUN go build -ldflags="-extldflags=-static" -tags sqlite,sqlite_omit_load_extens
 
 #########################
 
-FROM gcr.io/distroless/static-debian12:debug-nonroot AS runner
+FROM gcr.io/distroless/static-debian12:nonroot AS runner
 
+COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite
 COPY --from=builder /usr/bin/hydra /usr/bin/hydra
 
+VOLUME /var/lib/sqlite
+
 # Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)
 EXPOSE 4444 4445
 

.docker/Dockerfile-hsm

@@ -0,0 +1,82 @@
+FROM golang:1.22 AS builder
+
+WORKDIR /go/src/github.com/ory/hydra
+
+RUN apt-get update && apt-get upgrade -y &&\
+    mkdir -p /var/lib/sqlite &&\
+    mkdir -p ./internal/httpclient
+
+COPY go.mod go.sum ./
+COPY internal/httpclient/go.* ./internal/httpclient
+
+ENV GO111MODULE on
+ENV CGO_ENABLED 1
+
+RUN go mod download
+COPY . .
+
+###############################
+
+FROM builder AS build-hydra
+RUN go build -tags sqlite,hsm -o /usr/bin/hydra
+
+###############################
+
+FROM builder AS test-hsm
+ENV HSM_ENABLED=true
+ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
+ENV HSM_TOKEN_LABEL=hydra
+ENV HSM_PIN=1234
+
+RUN apt-get -y install softhsm opensc
+RUN pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
+RUN go test -p 1 -failfast -short -tags=sqlite,hsm ./...
+
+
+FROM builder AS test-refresh-hsm
+ENV HSM_ENABLED=true
+ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
+ENV HSM_TOKEN_LABEL=hydra
+ENV HSM_PIN=1234
+ENV UPDATE_SNAPSHOTS=true
+
+RUN apt-get -y install softhsm opensc
+RUN pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
+RUN go test -p 1 -failfast -short -tags=sqlite,hsm,refresh ./...
+
+###############################
+
+FROM gcr.io/distroless/base-nossl-debian12:debug-nonroot AS runner
+
+ENV HSM_ENABLED=true
+ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
+ENV HSM_TOKEN_LABEL=hydra
+ENV HSM_PIN=1234
+
+RUN apt-get -y install softhsm opensc &&\
+    pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
+
+RUN addgroup -S ory; \
+    adduser -S ory -G ory -D  -h /home/ory -s /bin/nologin; \
+    chown -R ory:ory /home/ory; \
+    chown -R ory:ory /var/lib/softhsm/tokens
+
+COPY --from=build-hydra /usr/bin/hydra /usr/bin/hydra
+
+# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
+# is required for read/write of SQLite.
+RUN mkdir -p /var/lib/sqlite && \
+    chown ory:ory /var/lib/sqlite
+
+VOLUME /var/lib/sqlite
+
+# Exposing the ory home directory
+VOLUME /home/ory
+
+# Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)
+EXPOSE 4444 4445
+
+USER ory
+
+ENTRYPOINT ["hydra"]
+CMD ["serve"]

.docker/Dockerfile-scratch

@@ -0,0 +1,28 @@
+FROM alpine:3.20
+
+RUN apk upgrade --no-cache && \
+    apk add --no-cache --upgrade ca-certificates
+
+# set up nsswitch.conf for Go's "netgo" implementation
+# - https://github.com/golang/go/blob/go1.9.1/src/net/conf.go#L194-L275
+RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
+
+RUN addgroup -S ory; \
+    adduser -S ory -G ory -D  -h /home/ory -s /bin/nologin;
+
+RUN mkdir -p /var/lib/sqlite && \
+    chown -R ory:ory /var/lib/sqlite
+
+FROM scratch
+
+COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=0 /etc/nsswitch.conf /etc/nsswitch.conf
+COPY --from=0 /etc/passwd /etc/passwd
+COPY --from=0 /var/lib/sqlite /var/lib/sqlite
+
+COPY hydra /usr/bin/hydra
+
+USER ory
+
+ENTRYPOINT ["hydra"]
+CMD ["serve", "all"]

.docker/Dockerfile-sqlite

@@ -0,0 +1,36 @@
+FROM alpine:3.20
+
+# Because this image is built for SQLite, we create /home/ory and /home/ory/sqlite which is owned by the ory user
+# and declare /home/ory/sqlite a volume.
+#
+# To get SQLite and Docker Volumes working with this image, mount the volume where SQLite should be written to at:
+#
+#   /home/ory/sqlite/some-file.
+
+RUN addgroup -S ory; \
+    adduser -S ory -G ory -D  -h /home/ory -s /bin/nologin; \
+    chown -R ory:ory /home/ory && \
+    apk upgrade --no-cache && \
+    apk add --no-cache --upgrade --latest ca-certificates sqlite
+
+WORKDIR /home/ory
+
+COPY hydra /usr/bin/hydra
+
+# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
+# is required for read/write of SQLite.
+RUN mkdir -p /var/lib/sqlite && \
+    chown ory:ory /var/lib/sqlite
+
+VOLUME /var/lib/sqlite
+
+# Exposing the ory home directory
+VOLUME /home/ory
+
+# Declare the standard ports used by Hydra (4444 for public service endpoint, 4445 for admin service endpoint)
+EXPOSE 4444 4445
+
+USER ory
+
+ENTRYPOINT ["hydra"]
+CMD ["serve"]

.github/workflows/ci.yaml

@@ -128,7 +128,7 @@ jobs:
           go-version: "1.22"
       - name: Setup HSM libs and packages
         run: |
-          sudo apt install -y softhsm2 opensc
+          sudo apt install -y softhsm opensc
           sudo rm -rf /var/lib/softhsm/tokens
           sudo mkdir -p /var/lib/softhsm/tokens
           sudo chmod -R a+rwx /var/lib/softhsm

.github/workflows/cve-scan.yaml

@@ -121,7 +121,7 @@ jobs:
         id: hadolint
         if: ${{ always() }}
         with:
-          dockerfile: .docker/Dockerfile-local-build
+          dockerfile: .docker/Dockerfile-build
           verbose: true
           format: "json"
           failure-threshold: "error"

.goreleaser.yml

@@ -1,5 +1,3 @@
-version: 2
-
 includes:
   - from_url:
       url: https://raw.githubusercontent.com/ory/xgoreleaser/master/build.tmpl.yml

Makefile

@@ -71,8 +71,7 @@ test-resetdb: node_modules
 # Build local docker images
 .PHONY: docker
 docker:
-	DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-local-build -t oryd/hydra:${IMAGE_TAG} .
-	echo "Local development image has been built."
+	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-build -t oryd/hydra:${IMAGE_TAG}-sqlite .
 
 .PHONY: e2e
 e2e: node_modules test-resetdb
@@ -89,12 +88,12 @@ quicktest:
 
 .PHONY: quicktest-hsm
 quicktest-hsm:
-	DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-test-hsm  --target test-hsm -t oryd/hydra:${IMAGE_TAG} --target test-hsm .
+	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-hsm --target test-hsm -t oryd/hydra:${IMAGE_TAG} --target test-hsm .
 
 .PHONY: test-refresh
 test-refresh:
 	UPDATE_SNAPSHOTS=true go test -failfast -short -tags sqlite,sqlite_omit_load_extension ./...
-	DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-test-hsm  --target test-refresh-hsm -t oryd/hydra:${IMAGE_TAG} --target test-refresh-hsm .
+	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-hsm --target test-refresh-hsm -t oryd/hydra:${IMAGE_TAG} --target test-refresh-hsm .
 
 authors:  # updates the AUTHORS file
 	curl https://raw.githubusercontent.com/ory/ci/master/authors/authors.sh | env PRODUCT="Ory Hydra" bash

README.md

@@ -609,7 +609,7 @@ that your company deserves a spot here, reach out to
                 </picture>
             </td>
             <td><a href="https://pinniped.dev/">pinniped.dev</a></td>
-        </tr>
+        </tr>         
         <tr>
             <td>Adopter *</td>
             <td>Pvotal</td>
@@ -835,9 +835,7 @@ make quicktest
 
 # regular tests
 make test
-
-# updates all snapshots
-make test-refresh
+test-resetdb
 
 # end-to-end tests
 make e2e
@@ -979,15 +977,10 @@ If you wish to check your code changes against any of the docker-compose
 quickstart files, run:
 
 ```shell script
-docker compose -f quickstart.yml up --build # ....
+make docker
+docker compose -f quickstart.yml up # ....
 ```
 
-> [!WARNING] If you already have a production image (e.g. `oryd/hydra:v2.2.0`)
-> pulled, the above `make docker` command will replace it with a local build of
-> the image that is more equivalent to the `-distroless` variant on Docker Hub.
->
-> You can pull the production image any time using `docker pull`
-
 #### Add a new migration
 
 1. `mkdir persistence/sql/src/YYYYMMDD000001_migration_name/`

go.mod

@@ -234,7 +234,7 @@ require (
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/net v0.33.0 // indirect
+	golang.org/x/net v0.30.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect

go.sum

@@ -597,8 +597,8 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
-golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
+golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
 golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
 golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=