Revert "fix: improve docker set up"

This reverts commit 9378b07.

.docker/Dockerfile-alpine

@@ -24,7 +24,6 @@ HEREDOC
 
 COPY hydra /usr/bin/hydra
 
-USER ory
-
 ENTRYPOINT ["hydra"]
 CMD ["serve", "all"]
+USER ory

.docker/Dockerfile-hsm

@@ -0,0 +1,88 @@
+FROM golang:1.22 AS builder
+
+WORKDIR /go/src/github.com/ory/hydra
+
+RUN apt-get update && apt-get upgrade -y &&\
+    mkdir -p /var/lib/sqlite &&\
+    mkdir -p ./internal/httpclient
+
+COPY go.mod go.sum ./
+COPY internal/httpclient/go.* ./internal/httpclient
+
+ENV GO111MODULE on
+ENV CGO_ENABLED 1
+
+RUN go mod download
+COPY . .
+
+###############################
+
+FROM builder AS build-hydra
+RUN go build -tags sqlite,hsm -o /usr/bin/hydra
+
+###############################
+
+FROM builder AS test-hsm
+ENV HSM_ENABLED=true
+ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
+ENV HSM_TOKEN_LABEL=hydra
+ENV HSM_PIN=1234
+
+RUN apt-get -y install softhsm opensc
+RUN pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
+RUN go test -p 1 -failfast -short -tags=sqlite,hsm ./...
+
+
+FROM builder AS test-refresh-hsm
+ENV HSM_ENABLED=true
+ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
+ENV HSM_TOKEN_LABEL=hydra
+ENV HSM_PIN=1234
+ENV UPDATE_SNAPSHOTS=true
+
+RUN apt-get -y install softhsm opensc
+RUN pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
+RUN go test -p 1 -failfast -short -tags=sqlite,hsm,refresh ./...
+
+###############################
+
+FROM gcr.io/distroless/base-nossl-debian12:debug-nonroot AS runner
+
+ENV HSM_ENABLED=true
+ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
+ENV HSM_TOKEN_LABEL=hydra
+ENV HSM_PIN=1234
+
+# NOTE: This is broken already. Even though this image provides a shell, you'd need to configure it with
+# `SHELL ["/busybox/sh", "-c"]`, however `apt-get` does not exist either in a distroless image.
+# This was original an Alpine image, the refactoring was not verified properly in this commit:
+# https://github.com/ory/hydra/commit/c1e1a569621d88365dceee7372ca49ecd119f939#diff-ae54bef08e3587b28ad8e93eb253a9a5cd9ea6f4251977e35b88dc6b42329e25L31
+RUN apt-get -y install softhsm opensc &&\
+    pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
+
+RUN <<HEREDOC
+    # Add a user/group for Ory with a stable UID + GID:
+    addgroup --system --gid 500 ory
+    adduser --system --uid 500 \
+        --gecos "Ory User" \
+        --home /home/ory \
+        --ingroup ory \
+        --shell /sbin/nologin \
+        ory
+
+    # Create the sqlite directory with ownership to that user and group:
+    # NOTE: This is required for read/write by SQLite.
+    install --owner ory --group ory --directory /var/lib/sqlite
+
+    # NOTE: Presumably this was already created by the prior RUN directive
+    chown -R ory:ory /var/lib/softhsm/tokens
+HEREDOC
+
+COPY --from=build-hydra /usr/bin/hydra /usr/bin/hydra
+
+# Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)
+EXPOSE 4444 4445
+
+ENTRYPOINT ["hydra"]
+CMD ["serve"]
+USER ory

.docker/Dockerfile-scratch

@@ -0,0 +1,41 @@
+# TODO: Remove this file in favor of distroless-static variant:
+# https://github.com/ory/hydra/blob/master/.docker/Dockerfile-distroless-static
+# However if published to any registry, continue to publish the variant tag but as an alias to `-distroless` tags:
+# https://github.com/ory/hydra/pull/3914#pullrequestreview-2527315326
+
+FROM alpine:3.20 AS base-files
+
+RUN <<HEREDOC
+    apk upgrade --no-cache
+    apk add --no-cache --upgrade ca-certificates
+
+    # Add a user/group for Ory with a stable UID + GID:
+    # NOTE: This only appears relevant for supporting hydra as non-root, otherwise unnecessary.
+    addgroup --system --gid 500 ory
+    adduser --system --uid 500 \
+      --gecos "Ory User" \
+      --home /home/ory \
+      --ingroup ory \
+      --shell /sbin/nologin \
+      ory
+
+    # Create the sqlite directory with ownership to that user and group:
+    # NOTE: This is required for read/write by SQLite.
+    # - Path may be a default value somewhere, or only explicitly provided via DSN?
+    # - Owner/Group is only relevant to permissions allowing the hydra process to read/write to the location.
+    install --owner ory --group ory --directory /var/lib/sqlite
+HEREDOC
+
+FROM scratch
+COPY --from=base-files /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=base-files /etc/nsswitch.conf /etc/nsswitch.conf
+# NOTE: /etc/group and /etc/shadow were not copied over, only user lookup is valid for `USER`:
+COPY --from=base-files /etc/passwd /etc/passwd
+# NOTE: This COPY defaults to 0:0 for ownership, voiding the requirement conveyed above
+COPY --from=base-files /var/lib/sqlite /var/lib/sqlite
+
+COPY hydra /usr/bin/hydra
+
+ENTRYPOINT ["hydra"]
+CMD ["serve", "all"]
+USER ory

.docker/Dockerfile-sqlite

@@ -0,0 +1,36 @@
+# TODO: Remove this file in favor of the main/default Alpine image. The sqlite package is no longer required:
+# https://github.com/ory/hydra/blob/master/.docker/Dockerfile-alpine
+# However if published to any registry, continue to publish the variant tag but as an alias to standard Alpine image tags:
+# https://github.com/ory/hydra/pull/3914#pullrequestreview-2527315326
+
+FROM alpine:3.20
+RUN <<HEREDOC
+    # NOTE: The sqlite package is not required when the later copied hydra binary is built with statically linked sqlite?
+    apk upgrade --no-cache
+    apk add --no-cache --upgrade --latest ca-certificates sqlite
+
+    # Add a user/group for Ory with a stable UID + GID:
+    # NOTE: This only appears relevant for supporting hydra as non-root, otherwise unnecessary.
+    addgroup --system --gid 500 ory
+    adduser --system --uid 500 \
+      --gecos "Ory User" \
+      --home /home/ory \
+      --ingroup ory \
+      --shell /sbin/nologin \
+      ory
+
+    # Create the sqlite directory with ownership to that user and group:
+    # NOTE: This is required for read/write by SQLite.
+    # - Path may be a default value somewhere, or only explicitly provided via DSN?
+    # - Owner/Group is only relevant to permissions allowing the hydra process to read/write to the location.
+    install --owner ory --group ory --directory /var/lib/sqlite
+HEREDOC
+
+COPY hydra /usr/bin/hydra
+
+# Declare the standard ports used by Hydra (4444 for public service endpoint, 4445 for admin service endpoint)
+EXPOSE 4444 4445
+
+ENTRYPOINT ["hydra"]
+CMD ["serve"]
+USER ory

Makefile

@@ -71,7 +71,7 @@ test-resetdb: node_modules
 # Build local docker images
 .PHONY: docker
 docker:
-	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-build -t oryd/hydra:${IMAGE_TAG} .
+	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-build -t oryd/hydra:${IMAGE_TAG}-sqlite .
 
 .PHONY: e2e
 e2e: node_modules test-resetdb
@@ -88,12 +88,12 @@ quicktest:
 
 .PHONY: quicktest-hsm
 quicktest-hsm:
-	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-test-hsm  --target test-hsm -t oryd/hydra:${IMAGE_TAG} --target test-hsm .
+	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-hsm --target test-hsm -t oryd/hydra:${IMAGE_TAG} --target test-hsm .
 
 .PHONY: test-refresh
 test-refresh:
 	UPDATE_SNAPSHOTS=true go test -failfast -short -tags sqlite,sqlite_omit_load_extension ./...
-	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-test-hsm  --target test-refresh-hsm -t oryd/hydra:${IMAGE_TAG} --target test-refresh-hsm .
+	DOCKER_BUILDKIT=1 DOCKER_CONTENT_TRUST=1 docker build --progress=plain -f .docker/Dockerfile-hsm --target test-refresh-hsm -t oryd/hydra:${IMAGE_TAG} --target test-refresh-hsm .
 
 authors:  # updates the AUTHORS file
 	curl https://raw.githubusercontent.com/ory/ci/master/authors/authors.sh | env PRODUCT="Ory Hydra" bash

README.md

@@ -609,7 +609,7 @@ that your company deserves a spot here, reach out to
                 </picture>
             </td>
             <td><a href="https://pinniped.dev/">pinniped.dev</a></td>
-        </tr>
+        </tr>         
         <tr>
             <td>Adopter *</td>
             <td>Pvotal</td>
@@ -835,9 +835,7 @@ make quicktest
 
 # regular tests
 make test
-
-# updates all snapshots
-make test-refresh
+test-resetdb
 
 # end-to-end tests
 make e2e
@@ -979,12 +977,10 @@ If you wish to check your code changes against any of the docker-compose
 quickstart files, run:
 
 ```shell script
-docker compose -f quickstart.yml up --build # ....
+make docker
+docker compose -f quickstart.yml up # ....
 ```
 
-Warning, this will override your local image tag with the latest build and can
-lead to unexpected or confusing behavior.
-
 #### Add a new migration
 
 1. `mkdir persistence/sql/src/YYYYMMDD000001_migration_name/`

quickstart.yml

@@ -12,9 +12,6 @@
 services:
   hydra:
     image: oryd/hydra:v2.2.0
-    build:
-      context: .
-      dockerfile: .docker/Dockerfile-build
     ports:
       - "4444:4444" # Public port
       - "4445:4445" # Admin port
@@ -28,25 +25,18 @@ services:
       - type: bind
         source: ./contrib/quickstart/5-min
         target: /etc/config/hydra
-    pull_policy: missing
     environment:
       - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
     restart: unless-stopped
-    user: 500:500
     depends_on:
       - hydra-migrate
     networks:
       - intranet
   hydra-migrate:
     image: oryd/hydra:v2.2.0
-    build:
-      context: .
-      dockerfile: .docker/Dockerfile-build
     environment:
       - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
     command: migrate -c /etc/config/hydra/hydra.yml sql -e --yes
-    user: 500:500
-    pull_policy: missing
     volumes:
       - type: volume
         source: hydra-sqlite