fix: improve docker set up

.docker/Dockerfile-alpine

@@ -1,22 +1,22 @@
 FROM alpine:3.20
 
-RUN addgroup -S ory; \
-    adduser -S ory -G ory -D -H -s /bin/nologin && \
-    apk upgrade --no-cache && \
+RUN <<HEREDOC
     apk add --no-cache --upgrade ca-certificates
 
-COPY hydra /usr/bin/hydra
-
-# set up nsswitch.conf for Go's "netgo" implementation
-# - https://github.com/golang/go/blob/go1.9.1/src/net/conf.go#L194-L275
-RUN echo 'hosts: files dns' > /etc/nsswitch.conf
+    # Add a user/group for nonroot with a stable UID + GID. Values are from nonroot from distroless
+    # for interoperability with other containers.
+    addgroup --system --gid 65532 nonroot
+    adduser --system --uid 65532 \
+      --gecos "nonroot User" \
+      --home /home/nonroot \
+      --ingroup nonroot \
+      --shell /sbin/nologin \
+      nonroot
+HEREDOC
 
-# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
-# is required for read/write of SQLite.
-RUN mkdir -p /var/lib/sqlite && \
-    chown ory:ory /var/lib/sqlite
+COPY hydra /usr/bin/hydra
 
-USER ory
+USER nonroot
 
 ENTRYPOINT ["hydra"]
 CMD ["serve", "all"]

.docker/Dockerfile-build → .docker/Dockerfile-local-build

@@ -3,7 +3,6 @@ FROM golang:1.22 AS builder
 WORKDIR /go/src/github.com/ory/hydra
 
 RUN apt-get update && apt-get upgrade -y &&\
-    mkdir -p /var/lib/sqlite &&\
     mkdir -p ./internal/httpclient
 
 COPY go.mod go.sum ./
@@ -18,13 +17,10 @@ RUN go build -ldflags="-extldflags=-static" -tags sqlite,sqlite_omit_load_extens
 
 #########################
 
-FROM gcr.io/distroless/static-debian12:nonroot AS runner
+FROM gcr.io/distroless/static-debian12:debug-nonroot AS runner
 
-COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite
 COPY --from=builder /usr/bin/hydra /usr/bin/hydra
 
-VOLUME /var/lib/sqlite
-
 # Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)
 EXPOSE 4444 4445
 

.docker/Dockerfile-test-hsm

@@ -0,0 +1,32 @@
+FROM golang:1.23-alpine3.21 AS builder
+
+RUN apk add --no-cache build-base git gcc bash
+
+WORKDIR /go/src/github.com/ory/hydra
+RUN mkdir -p ./internal/httpclient
+
+COPY go.mod go.sum ./
+COPY internal/httpclient/go.* ./internal/httpclient
+
+ENV CGO_ENABLED 1
+
+RUN go mod download
+COPY . .
+
+RUN go build -tags sqlite,hsm -o /usr/bin/hydra
+
+ENV HSM_ENABLED=true
+ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
+ENV HSM_TOKEN_LABEL=hydra
+ENV HSM_PIN=1234
+
+RUN apk add --no-cache softhsm opensc
+RUN pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
+
+FROM builder as test-hsm
+
+RUN go test -p 1 -failfast -short -tags=sqlite,hsm ./...
+
+FROM builder AS test-refresh-hsm
+
+RUN UPDATE_SNAPSHOTS=true go test -p 1 -failfast -short -tags=sqlite,hsm,refresh ./...

.docker/README.md

@@ -0,0 +1,6 @@
+This directory contains Dockerfiles for various targets:
+
+- `Dockerfile-distroless` and `Dockerfile-alpine` are published to Docker Hub
+  via GoReleaser.
+- The other `Dockerfile` variants are intended only for local development and
+  tests.

.github/workflows/ci.yaml

@@ -128,7 +128,7 @@ jobs:
           go-version: "1.22"
       - name: Setup HSM libs and packages
         run: |
-          sudo apt install -y softhsm opensc
+          sudo apt install -y softhsm2 opensc
           sudo rm -rf /var/lib/softhsm/tokens
           sudo mkdir -p /var/lib/softhsm/tokens
           sudo chmod -R a+rwx /var/lib/softhsm

.github/workflows/cve-scan.yaml

@@ -121,7 +121,7 @@ jobs:
         id: hadolint
         if: ${{ always() }}
         with:
-          dockerfile: .docker/Dockerfile-build
+          dockerfile: .docker/Dockerfile-local-build
           verbose: true
           format: "json"
           failure-threshold: "error"

.goreleaser.yml

@@ -1,3 +1,5 @@
+version: 2
+
 includes:
   - from_url:
       url: https://raw.githubusercontent.com/ory/xgoreleaser/master/build.tmpl.yml

Makefile

@@ -71,7 +71,8 @@ test-resetdb: node_modules
 # Build local docker images
 .PHONY: docker
 docker:
-	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-build -t oryd/hydra:${IMAGE_TAG}-sqlite .
+	DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-local-build -t oryd/hydra:${IMAGE_TAG} .
+	echo "Local development image has been built."
 
 .PHONY: e2e
 e2e: node_modules test-resetdb
@@ -88,12 +89,12 @@ quicktest:
 
 .PHONY: quicktest-hsm
 quicktest-hsm:
-	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-hsm --target test-hsm -t oryd/hydra:${IMAGE_TAG} --target test-hsm .
+	DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-test-hsm  --target test-hsm -t oryd/hydra:${IMAGE_TAG} --target test-hsm .
 
 .PHONY: test-refresh
 test-refresh:
 	UPDATE_SNAPSHOTS=true go test -failfast -short -tags sqlite,sqlite_omit_load_extension ./...
-	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-hsm --target test-refresh-hsm -t oryd/hydra:${IMAGE_TAG} --target test-refresh-hsm .
+	DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-test-hsm  --target test-refresh-hsm -t oryd/hydra:${IMAGE_TAG} --target test-refresh-hsm .
 
 authors:  # updates the AUTHORS file
 	curl https://raw.githubusercontent.com/ory/ci/master/authors/authors.sh | env PRODUCT="Ory Hydra" bash

README.md

@@ -609,7 +609,7 @@ that your company deserves a spot here, reach out to
                 </picture>
             </td>
             <td><a href="https://pinniped.dev/">pinniped.dev</a></td>
-        </tr>         
+        </tr>
         <tr>
             <td>Adopter *</td>
             <td>Pvotal</td>
@@ -835,7 +835,9 @@ make quicktest
 
 # regular tests
 make test
-test-resetdb
+
+# updates all snapshots
+make test-refresh
 
 # end-to-end tests
 make e2e
@@ -977,10 +979,15 @@ If you wish to check your code changes against any of the docker-compose
 quickstart files, run:
 
 ```shell script
-make docker
-docker compose -f quickstart.yml up # ....
+docker compose -f quickstart.yml up --build # ....
 ```
 
+> [!WARNING] If you already have a production image (e.g. `oryd/hydra:v2.2.0`)
+> pulled, the above `make docker` command will replace it with a local build of
+> the image that is more equivalent to the `-distroless` variant on Docker Hub.
+>
+> You can pull the production image any time using `docker pull`
+
 #### Add a new migration
 
 1. `mkdir persistence/sql/src/YYYYMMDD000001_migration_name/`

go.mod

@@ -234,7 +234,7 @@ require (
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/net v0.30.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect

go.sum

@@ -597,8 +597,8 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
-golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
 golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=