
Commit 8ca6cbd

authored
fix: improve docker set up (#3924)
Improves the Docker setup and removes some unused files. Closes #3914 Closes #3916 Closes #3685 Closes #3683
1 parent a9930c0 commit 8ca6cbd


16 files changed

+96
-188
lines changed


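--- a/.docker/Dockerfile-alpine
+++ b/.docker/Dockerfile-alpine
@@ -1,22 +1,22 @@
 FROM alpine:3.20
 
-RUN addgroup -S ory; \
-adduser -S ory -G ory -D -H -s /bin/nologin && \
-apk upgrade --no-cache && \
+RUN <<HEREDOC
 apk add --no-cache --upgrade ca-certificates
 
-COPY hydra /usr/bin/hydra
-
-# set up nsswitch.conf for Go's "netgo" implementation
-# - https://github.com/golang/go/blob/go1.9.1/src/net/conf.go#L194-L275
-RUN echo 'hosts: files dns' > /etc/nsswitch.conf
+# Add a user/group for nonroot with a stable UID + GID. Values are from nonroot from distroless
+# for interoperability with other containers.
+addgroup --system --gid 65532 nonroot
+adduser --system --uid 65532 \
+--gecos "nonroot User" \
+--home /home/nonroot \
+--ingroup nonroot \
+--shell /sbin/nologin \
+nonroot
+HEREDOC
 
-# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
-# is required for read/write of SQLite.
-RUN mkdir -p /var/lib/sqlite && \
-chown ory:ory /var/lib/sqlite
+COPY hydra /usr/bin/hydra
 
-USER ory
+USER nonroot
 
 ENTRYPOINT ["hydra"]
 CMD ["serve", "all"]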
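Review bot: The new `RUN <<HEREDOC` block has no `set -e`, so a failing `apk add --no-cache --upgrade ca-certificates` or `addgroup` does not fail the build; heredoc lines are not `&&`-chained, and the layer's exit status is only that of the final `adduser`, so the image could ship with stale CA certificates or a half-created account and still pass. Make the first line inside the heredoc `set -eux` (busybox ash in alpine:3.20 supports it), so each step is checked and echoed in the build log. The removal of `RUN echo 'hosts: files dns' > /etc/nsswitch.conf` is safe only if the hydra binary is built with a Go version whose resolver defaults to `files dns` when the file is absent (recent Go does); a one-line comment noting that assumption next to `COPY hydra /usr/bin/hydra` would save the next reader from re-adding it.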

.docker/Dockerfile-hsm

Lines changed: 0 additions & 82 deletions
This file was deleted.
Lines changed: 1 addition & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,6 @@ FROM golang:1.22 AS builder
33
WORKDIR /go/src/github.com/ory/hydra
44

55
RUN apt-get update && apt-get upgrade -y &&\
6-
mkdir -p /var/lib/sqlite &&\
76
mkdir -p ./internal/httpclient
87

98
COPY go.mod go.sum ./
@@ -18,13 +17,10 @@ RUN go build -ldflags="-extldflags=-static" -tags sqlite,sqlite_omit_load_extens
1817

1918
#########################
2019

21-
FROM gcr.io/distroless/static-debian12:nonroot AS runner
20+
FROM gcr.io/distroless/static-debian12:debug-nonroot AS runner
2221

23-
COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite
2422
COPY --from=builder /usr/bin/hydra /usr/bin/hydra
2523

26-
VOLUME /var/lib/sqlite
27-
2824
# Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)
2925
EXPOSE 4444 4445
3026
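Review bot: The runner stage moves from `gcr.io/distroless/static-debian12:nonroot` to `gcr.io/distroless/static-debian12:debug-nonroot`, and the `debug` variant bundles a busybox shell into the runtime image. The file name is not shown on this page, but the README added in this commit says the distroless Dockerfile is the one published to Docker Hub; if that is this file, shipping a shell in the production image widens what can be done after a foothold and is exactly what distroless is normally chosen to avoid. Suggest keeping `FROM gcr.io/distroless/static-debian12:nonroot AS runner` for the published image and using the `debug-nonroot` tag only in the local-build variant, or adding a comment above the `FROM` stating why the debug shell is required at runtime. The `COPY` and `VOLUME` removals for `/var/lib/sqlite` are consistent with the alpine change and raise nothing.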

.docker/Dockerfile-scratch

Lines changed: 0 additions & 28 deletions
This file was deleted.

.docker/Dockerfile-sqlite

Lines changed: 0 additions & 36 deletions
This file was deleted.

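--- /dev/null
+++ b/.docker/Dockerfile-test-hsm
@@ -0,0 +1,32 @@
+FROM golang:1.23-alpine3.21 AS builder
+
+RUN apk add --no-cache build-base git gcc bash
+
+WORKDIR /go/src/github.com/ory/hydra
+RUN mkdir -p ./internal/httpclient
+
+COPY go.mod go.sum ./
+COPY internal/httpclient/go.* ./internal/httpclient
+
+ENV CGO_ENABLED 1
+
+RUN go mod download
+COPY . .
+
+RUN go build -tags sqlite,hsm -o /usr/bin/hydra
+
+ENV HSM_ENABLED=true
+ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
+ENV HSM_TOKEN_LABEL=hydra
+ENV HSM_PIN=1234
+
+RUN apk add --no-cache softhsm opensc
+RUN pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
+
+FROM builder as test-hsm
+
+RUN go test -p 1 -failfast -short -tags=sqlite,hsm ./...
+
+FROM builder AS test-refresh-hsm
+
+RUN UPDATE_SNAPSHOTS=true go test -p 1 -failfast -short -tags=sqlite,hsm,refresh ./...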
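Review bot: `ENV CGO_ENABLED 1` uses the legacy space-separated form while every other `ENV` in this file uses `key=value`; write `ENV CGO_ENABLED=1` (BuildKit's LegacyKeyValueFormat check flags the old form). Likewise `FROM builder as test-hsm` should read `FROM builder AS test-hsm` to match `FROM builder AS test-refresh-hsm` two stages later. Because `HSM_PIN=1234` and the `--so-pin 0000` passed to `pkcs11-tool` are baked into the image environment and history, add a comment above the `ENV HSM_ENABLED=true` block such as `# Throwaway SoftHSM test credentials for this dev/test-only image; never reuse in a real deployment`, so they are not mistaken for, or copied into, production configuration. The README added in this commit already says the non-published variants are test-only, so the comment just makes that visible where the values live.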

.docker/README.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
This directory contains Dockerfiles for various targets:
2+
3+
- `Dockerfile-distroless` and `Dockerfile-alpine` are published to Docker Hub
4+
via GoReleaser.
5+
- The other `Dockerfile` variants are intended only for local development and
6+
tests.

.github/workflows/ci.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -128,7 +128,7 @@ jobs:
128128
go-version: "1.22"
129129
- name: Setup HSM libs and packages
130130
run: |
131-
sudo apt install -y softhsm opensc
131+
sudo apt install -y softhsm2 opensc
132132
sudo rm -rf /var/lib/softhsm/tokens
133133
sudo mkdir -p /var/lib/softhsm/tokens
134134
sudo chmod -R a+rwx /var/lib/softhsm

.github/workflows/cve-scan.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -121,7 +121,7 @@ jobs:
121121
id: hadolint
122122
if: ${{ always() }}
123123
with:
124-
dockerfile: .docker/Dockerfile-build
124+
dockerfile: .docker/Dockerfile-local-build
125125
verbose: true
126126
format: "json"
127127
failure-threshold: "error"

.goreleaser.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,5 @@
1+
version: 2
2+
13
includes:
24
- from_url:
35
url: https://raw.githubusercontent.com/ory/xgoreleaser/master/build.tmpl.yml
