diff --git a/.docker/Dockerfile-alpine b/.docker/Dockerfile-alpine
index 075a1a75328..b852646e583 100644
--- a/.docker/Dockerfile-alpine
+++ b/.docker/Dockerfile-alpine
@@ -1,22 +1,22 @@
 FROM alpine:3.20
-RUN addgroup -S ory; \
- adduser -S ory -G ory -D -H -s /bin/nologin && \
- apk upgrade --no-cache && \
+RUN < /etc/nsswitch.conf
+ # Add a user/group for nonroot with a stable UID + GID. Values are from nonroot from distroless
+ # for interoperability with other containers.
+ addgroup --system --gid 65532 nonroot
+ adduser --system --uid 65532 \
+ --gecos "nonroot User" \
+ --home /home/nonroot \
+ --ingroup nonroot \
+ --shell /sbin/nologin \
+ nonroot
+HEREDOC
-# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
-# is required for read/write of SQLite.
-RUN mkdir -p /var/lib/sqlite && \
- chown ory:ory /var/lib/sqlite
+COPY hydra /usr/bin/hydra
-USER ory
+USER nonroot
 ENTRYPOINT ["hydra"]
 CMD ["serve", "all"]
diff --git a/.docker/Dockerfile-hsm b/.docker/Dockerfile-hsm
deleted file mode 100644
index c4199fe87e4..00000000000
--- a/.docker/Dockerfile-hsm
+++ /dev/null
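Review bot: The RUN heredoc that closes at `+HEREDOC` depends on BuildKit heredoc support, yet the file begins directly with `FROM alpine:3.20` (line 1 of the hunk) and carries no frontend directive; add `# syntax=docker/dockerfile:1` as the first line so the build does not rely on whichever default frontend the builder happens to ship. The heredoc body should also start with `set -e` (or `set -eu`): heredoc lines run as one script, so a failing `addgroup`/`adduser` would not stop the build the way the removed `&&` chain did — the opener is garbled in this rendering (`+RUN < /etc/nsswitch.conf`), so if the lost lines already contain it, disregard. The removed `apk upgrade --no-cache` is likewise not visible on the new side; if dropping it is deliberate (bumping the base tag instead), a one-line comment saying so would save the next reader the question.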
@@ -1,82 +0,0 @@
-FROM golang:1.22 AS builder
-
-WORKDIR /go/src/github.com/ory/hydra
-
-RUN apt-get update && apt-get upgrade -y &&\
- mkdir -p /var/lib/sqlite &&\
- mkdir -p ./internal/httpclient
-
-COPY go.mod go.sum ./
-COPY internal/httpclient/go.* ./internal/httpclient
-
-ENV GO111MODULE on
-ENV CGO_ENABLED 1
-
-RUN go mod download
-COPY . .
-
-###############################
-
-FROM builder AS build-hydra
-RUN go build -tags sqlite,hsm -o /usr/bin/hydra
-
-###############################
-
-FROM builder AS test-hsm
-ENV HSM_ENABLED=true
-ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
-ENV HSM_TOKEN_LABEL=hydra
-ENV HSM_PIN=1234
-
-RUN apt-get -y install softhsm opensc
-RUN pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
-RUN go test -p 1 -failfast -short -tags=sqlite,hsm ./...
-
-
-FROM builder AS test-refresh-hsm
-ENV HSM_ENABLED=true
-ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
-ENV HSM_TOKEN_LABEL=hydra
-ENV HSM_PIN=1234
-ENV UPDATE_SNAPSHOTS=true
-
-RUN apt-get -y install softhsm opensc
-RUN pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
-RUN go test -p 1 -failfast -short -tags=sqlite,hsm,refresh ./...
-
-###############################
-
-FROM gcr.io/distroless/base-nossl-debian12:debug-nonroot AS runner
-
-ENV HSM_ENABLED=true
-ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
-ENV HSM_TOKEN_LABEL=hydra
-ENV HSM_PIN=1234
-
-RUN apt-get -y install softhsm opensc &&\
- pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
-
-RUN addgroup -S ory; \
- adduser -S ory -G ory -D -h /home/ory -s /bin/nologin; \
- chown -R ory:ory /home/ory; \
- chown -R ory:ory /var/lib/softhsm/tokens
-
-COPY --from=build-hydra /usr/bin/hydra /usr/bin/hydra
-
-# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
-# is required for read/write of SQLite.
-RUN mkdir -p /var/lib/sqlite && \
- chown ory:ory /var/lib/sqlite
-
-VOLUME /var/lib/sqlite
-
-# Exposing the ory home directory
-VOLUME /home/ory
-
-# Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)
-EXPOSE 4444 4445
-
-USER ory
-
-ENTRYPOINT ["hydra"]
-CMD ["serve"]
diff --git a/.docker/Dockerfile-build b/.docker/Dockerfile-local-build
similarity index 76%
rename from .docker/Dockerfile-build
rename to .docker/Dockerfile-local-build
index 18cc454fba9..bc4c001cbdb 100644
--- a/.docker/Dockerfile-build
+++ b/.docker/Dockerfile-local-build
@@ -3,7 +3,6 @@ FROM golang:1.22 AS builder
 WORKDIR /go/src/github.com/ory/hydra
 RUN apt-get update && apt-get upgrade -y &&\
- mkdir -p /var/lib/sqlite &&\
 mkdir -p ./internal/httpclient
 COPY go.mod go.sum ./
@@ -18,13 +17,10 @@ RUN go build -ldflags="-extldflags=-static" -tags sqlite,sqlite_omit_load_extens
 #########################
-FROM gcr.io/distroless/static-debian12:nonroot AS runner
+FROM gcr.io/distroless/static-debian12:debug-nonroot AS runner
-COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite
 COPY --from=builder /usr/bin/hydra /usr/bin/hydra
-VOLUME /var/lib/sqlite
-
 # Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)
 EXPOSE 4444 4445
diff --git a/.docker/Dockerfile-scratch b/.docker/Dockerfile-scratch
deleted file mode 100644
index f262b7c6338..00000000000
--- a/.docker/Dockerfile-scratch
+++ /dev/null
@@ -1,28 +0,0 @@
-FROM alpine:3.20
-
-RUN apk upgrade --no-cache && \
- apk add --no-cache --upgrade ca-certificates
-
-# set up nsswitch.conf for Go's "netgo" implementation
-# - https://github.com/golang/go/blob/go1.9.1/src/net/conf.go#L194-L275
-RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
-
-RUN addgroup -S ory; \
- adduser -S ory -G ory -D -h /home/ory -s /bin/nologin;
-
-RUN mkdir -p /var/lib/sqlite && \
- chown -R ory:ory /var/lib/sqlite
-
-FROM scratch
-
-COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=0 /etc/nsswitch.conf /etc/nsswitch.conf
-COPY --from=0 /etc/passwd /etc/passwd
-COPY --from=0 /var/lib/sqlite /var/lib/sqlite
-
-COPY hydra /usr/bin/hydra
-
-USER ory
-
-ENTRYPOINT ["hydra"]
-CMD ["serve", "all"]
diff --git a/.docker/Dockerfile-sqlite b/.docker/Dockerfile-sqlite
deleted file mode 100644
index a6813a197e5..00000000000
--- a/.docker/Dockerfile-sqlite
+++ /dev/null
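Review bot: `FROM gcr.io/distroless/static-debian12:debug-nonroot AS runner` switches the runtime stage to the `debug` variant, which ships a busybox shell in the final image; since the Makefile in this commit now tags this build as `oryd/hydra:${IMAGE_TAG}` and the README describes it as equivalent to the published `-distroless` image, a shell in it widens the gap between what is tested locally and what is shipped. If the shell is only wanted for local poking, make it opt-in: declare `ARG DISTROLESS_TAG=nonroot` before the first `FROM` (the builder stage header is outside this hunk) and use `FROM gcr.io/distroless/static-debian12:${DISTROLESS_TAG} AS runner`, passing `--build-arg DISTROLESS_TAG=debug-nonroot` when a shell is needed. The tag is also unpinned by digest, as the old line was.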
@@ -1,36 +0,0 @@
-FROM alpine:3.20
-
-# Because this image is built for SQLite, we create /home/ory and /home/ory/sqlite which is owned by the ory user
-# and declare /home/ory/sqlite a volume.
-#
-# To get SQLite and Docker Volumes working with this image, mount the volume where SQLite should be written to at:
-#
-# /home/ory/sqlite/some-file.
-
-RUN addgroup -S ory; \
- adduser -S ory -G ory -D -h /home/ory -s /bin/nologin; \
- chown -R ory:ory /home/ory && \
- apk upgrade --no-cache && \
- apk add --no-cache --upgrade --latest ca-certificates sqlite
-
-WORKDIR /home/ory
-
-COPY hydra /usr/bin/hydra
-
-# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
-# is required for read/write of SQLite.
-RUN mkdir -p /var/lib/sqlite && \
- chown ory:ory /var/lib/sqlite
-
-VOLUME /var/lib/sqlite
-
-# Exposing the ory home directory
-VOLUME /home/ory
-
-# Declare the standard ports used by Hydra (4444 for public service endpoint, 4445 for admin service endpoint)
-EXPOSE 4444 4445
-
-USER ory
-
-ENTRYPOINT ["hydra"]
-CMD ["serve"]
diff --git a/.docker/Dockerfile-test-hsm b/.docker/Dockerfile-test-hsm
new file mode 100644
index 00000000000..8bc9d29991c
--- /dev/null
+++ b/.docker/Dockerfile-test-hsm
@@ -0,0 +1,32 @@
+FROM golang:1.23-alpine3.21 AS builder
+
+RUN apk add --no-cache build-base git gcc bash
+
+WORKDIR /go/src/github.com/ory/hydra
+RUN mkdir -p ./internal/httpclient
+
+COPY go.mod go.sum ./
+COPY internal/httpclient/go.* ./internal/httpclient
+
+ENV CGO_ENABLED 1
+
+RUN go mod download
+COPY . .
+
+RUN go build -tags sqlite,hsm -o /usr/bin/hydra
+
+ENV HSM_ENABLED=true
+ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
+ENV HSM_TOKEN_LABEL=hydra
+ENV HSM_PIN=1234
+
+RUN apk add --no-cache softhsm opensc
+RUN pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
+
+FROM builder as test-hsm
+
+RUN go test -p 1 -failfast -short -tags=sqlite,hsm ./...
+
+FROM builder AS test-refresh-hsm
+
+RUN UPDATE_SNAPSHOTS=true go test -p 1 -failfast -short -tags=sqlite,hsm,refresh ./...
diff --git a/.docker/README.md b/.docker/README.md
new file mode 100644
index 00000000000..04d148002f5
--- /dev/null
+++ b/.docker/README.md
@@ -0,0 +1,6 @@
+This directory contains Dockerfiles for various targets:
+
+- `Dockerfile-distroless` and `Dockerfile-alpine` are published to Docker Hub
+ via GoReleaser.
+- The other `Dockerfile` variants are intended only for local development and
+ tests.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index fd87edb8c50..c1a4b8bed1f 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -128,7 +128,7 @@ jobs:
 go-version: "1.22"
 - name: Setup HSM libs and packages
 run: |
- sudo apt install -y softhsm opensc
+ sudo apt install -y softhsm2 opensc
 sudo rm -rf /var/lib/softhsm/tokens
 sudo mkdir -p /var/lib/softhsm/tokens
 sudo chmod -R a+rwx /var/lib/softhsm
diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
index 70e5a28e937..9e7e11f3735 100644
--- a/.github/workflows/cve-scan.yaml
+++ b/.github/workflows/cve-scan.yaml
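Review bot: `ENV CGO_ENABLED 1` in the new Dockerfile-test-hsm uses the legacy whitespace-separated form that BuildKit's build check flags (LegacyKeyValueFormat); write it as `ENV CGO_ENABLED=1`, matching the `HSM_*` lines further down. `FROM builder as test-hsm` also uses lowercase `as` while the stage right after it uses `AS`. Both `apk add --no-cache` lines are unpinned (hadolint DL3018), and `HSM_PIN=1234` together with `--so-pin 0000` bakes fixed SoftHSM test credentials into the image environment; that is acceptable for an image the new `.docker/README.md` says is never published, but a leading comment such as `# Test-only image (never published): initialises a SoftHSM token with fixed test PINs` makes the intent explicit to anyone who finds the file on its own.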
@@ -121,7 +121,7 @@ jobs:
 id: hadolint
 if: ${{ always() }}
 with:
- dockerfile: .docker/Dockerfile-build
+ dockerfile: .docker/Dockerfile-local-build
 verbose: true
 format: "json"
 failure-threshold: "error"
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 8be207b170b..d9e1a65edbc 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,3 +1,5 @@
+version: 2
+
 includes:
 - from_url:
 url: https://raw.githubusercontent.com/ory/xgoreleaser/master/build.tmpl.yml
diff --git a/Makefile b/Makefile
index 49c66ec5a71..971a72e9902 100644
--- a/Makefile
+++ b/Makefile
@@ -71,7 +71,8 @@ test-resetdb: node_modules
 # Build local docker images
 .PHONY: docker
 docker:
- DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-build -t oryd/hydra:${IMAGE_TAG}-sqlite .
+ DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-local-build -t oryd/hydra:${IMAGE_TAG} .
+ echo "Local development image has been built."
 .PHONY: e2e
 e2e: node_modules test-resetdb
@@ -88,12 +89,12 @@ quicktest:
 .PHONY: quicktest-hsm
 quicktest-hsm:
- DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-hsm --target test-hsm -t oryd/hydra:${IMAGE_TAG} --target test-hsm .
+ DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-test-hsm --target test-hsm -t oryd/hydra:${IMAGE_TAG} --target test-hsm .
 .PHONY: test-refresh
 test-refresh:
 UPDATE_SNAPSHOTS=true go test -failfast -short -tags sqlite,sqlite_omit_load_extension ./...
- DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-hsm --target test-refresh-hsm -t oryd/hydra:${IMAGE_TAG} --target test-refresh-hsm .
+ DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-test-hsm --target test-refresh-hsm -t oryd/hydra:${IMAGE_TAG} --target test-refresh-hsm .
 authors: # updates the AUTHORS file
 curl https://raw.githubusercontent.com/ory/ci/master/authors/authors.sh | env PRODUCT="Ory Hydra" bash
diff --git a/README.md b/README.md
index 5e41be64e22..52c2cf6c01c 100644
--- a/README.md
+++ b/README.md
@@ -609,7 +609,7 @@ that your company deserves a spot here, reach out to
pinniped.dev - + Adopter * Pvotal
@@ -835,7 +835,9 @@ make quicktest
 # regular tests
 make test
-test-resetdb
+
+# updates all snapshots
+make test-refresh
 # end-to-end tests
 make e2e
@@ -977,10 +979,15 @@ If you wish to check your code changes against any of the docker-compose
 quickstart files, run:
 ```shell script
-make docker
-docker compose -f quickstart.yml up # ....
+docker compose -f quickstart.yml up --build # ....
 ```
+> [!WARNING] If you already have a production image (e.g. `oryd/hydra:v2.2.0`)
+> pulled, the above `make docker` command will replace it with a local build of
+> the image that is more equivalent to the `-distroless` variant on Docker Hub.
+>
+> You can pull the production image any time using `docker pull`
+
 #### Add a new migration
 1. `mkdir persistence/sql/src/YYYYMMDD000001_migration_name/`
diff --git a/go.mod b/go.mod
index fbf5626ba9c..06714a3dc32 100644
--- a/go.mod
+++ b/go.mod
@@ -234,7 +234,7 @@ require (
 go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 golang.org/x/mod v0.19.0 // indirect
- golang.org/x/net v0.30.0 // indirect
+ golang.org/x/net v0.33.0 // indirect
 golang.org/x/sys v0.28.0 // indirect
 golang.org/x/text v0.21.0 // indirect
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
diff --git a/go.sum b/go.sum
index a98230b2896..bad2adc7cee 100644
--- a/go.sum
+++ b/go.sum
@@ -597,8 +597,8 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
-golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
 golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
diff --git a/quickstart.yml b/quickstart.yml
index c521a273f9d..1d7cc0e23bf 100644
--- a/quickstart.yml
+++ b/quickstart.yml
@@ -10,44 +10,54 @@
 # #
 ###########################################################################
 services:
+ sqlite:
+ image: busybox
+ volumes:
+ - hydra-sqlite:/mnt/sqlite
+ command: "chmod -R 777 /mnt/sqlite"
 hydra:
 image: oryd/hydra:v2.2.0
+ build:
+ context: .
+ dockerfile: .docker/Dockerfile-local-build
 ports:
 - "4444:4444" # Public port
 - "4445:4445" # Admin port
 - "5555:5555" # Port for hydra token user
 command: serve -c /etc/config/hydra/hydra.yml all --dev
 volumes:
- - type: volume
- source: hydra-sqlite
- target: /var/lib/sqlite
- read_only: false
+ - hydra-sqlite:/mnt/sqlite:rw
 - type: bind
 source: ./contrib/quickstart/5-min
 target: /etc/config/hydra
+ pull_policy: missing
 environment:
- - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
+ - DSN=sqlite:///mnt/sqlite/db.sqlite?_fk=true&mode=rwc
 restart: unless-stopped
 depends_on:
 - hydra-migrate
+ - sqlite
 networks:
 - intranet
 hydra-migrate:
 image: oryd/hydra:v2.2.0
+ build:
+ context: .
+ dockerfile: .docker/Dockerfile-local-build
 environment:
- - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
- command: migrate -c /etc/config/hydra/hydra.yml sql -e --yes
+ - DSN=sqlite:///mnt/sqlite/db.sqlite?_fk=true&mode=rwc
+ command: migrate -c /etc/config/hydra/hydra.yml sql up -e --yes
+ pull_policy: missing
 volumes:
- - type: volume
- source: hydra-sqlite
- target: /var/lib/sqlite
- read_only: false
+ - hydra-sqlite:/mnt/sqlite:rw
 - type: bind
 source: ./contrib/quickstart/5-min
 target: /etc/config/hydra
 restart: on-failure
 networks:
 - intranet
+ depends_on:
+ - sqlite
 consent:
 environment:
 - HYDRA_ADMIN_URL=http://hydra:4445
diff --git a/test/conformance/hydra/Dockerfile b/test/conformance/hydra/Dockerfile
index 71449925947..9dbc02d348a 100644
--- a/test/conformance/hydra/Dockerfile
+++ b/test/conformance/hydra/Dockerfile
@@ -20,7 +20,7 @@ COPY . .
 RUN go build -tags sqlite -o /usr/bin/hydra
-VOLUME /var/lib/sqlite
+VOLUME /mnt/sqlite
 # Exposing the ory home directory
 VOLUME /home/ory
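Review bot: `command: "chmod -R 777 /mnt/sqlite"` in the new `sqlite` service makes the shared SQLite volume world-writable, and the short-form `depends_on: - sqlite` added to `hydra` and `hydra-migrate` only waits for the busybox container to start, not to finish, so on a fresh volume `hydra-migrate` can open the database before the permission change has been applied. Both hydra images run as UID/GID 65532 (distroless `nonroot`, and the alpine Dockerfile in this commit creates `nonroot` with the same ids), so `chown -R 65532:65532 /mnt/sqlite` grants exactly the access needed, and the long-form `depends_on` with `condition: service_completed_successfully` removes the race. If the quickstart must also work with a previously pulled `oryd/hydra:v2.2.0` that runs as a different uid, a comment next to the chmod saying so would explain the 777 rather than leaving it unmotivated. The same long-form `depends_on` applies to the `hydra-migrate` service's entry.

```yaml
  sqlite:
    image: busybox
    volumes:
      - hydra-sqlite:/mnt/sqlite
    command: "chown -R 65532:65532 /mnt/sqlite"
  hydra:
    # … unchanged: image, build, ports, command, volumes, pull_policy, environment, restart …
    depends_on:
      hydra-migrate:
        condition: service_started
      sqlite:
        condition: service_completed_successfully
    # … unchanged: networks …
```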