From a78de203e8d105794b4563f30955883e62c58bf5 Mon Sep 17 00:00:00 2001 From: Adrian Date: Thu, 31 Mar 2022 22:25:53 +0200 Subject: [PATCH 1/5] refactor: Updated Dockerfiles --- .docker/Dockerfile-build | 13 +++++++------ .docker/Dockerfile-hsm | 18 +++++++++--------- .docker/Dockerfile-scratch | 2 +- .docker/Dockerfile-sqlite | 9 +++++---- test/conformance/hydra/Dockerfile | 19 ++++++++++--------- 5 files changed, 32 insertions(+), 29 deletions(-) diff --git a/.docker/Dockerfile-build b/.docker/Dockerfile-build index 33cd65c644a..a399c496b16 100644 --- a/.docker/Dockerfile-build +++ b/.docker/Dockerfile-build @@ -4,15 +4,13 @@ RUN apk -U --no-cache add build-base git gcc bash WORKDIR /go/src/github.com/ory/hydra -ADD go.mod go.mod -ADD go.sum go.sum - +COPY go.mod go.sum ./ ENV GO111MODULE on ENV CGO_ENABLED 1 RUN go mod download -ADD . . +COPY . . RUN go build -tags sqlite -o /usr/bin/hydra @@ -26,8 +24,9 @@ COPY --from=builder /usr/bin/hydra /usr/bin/hydra # By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which # is required for read/write of SQLite. -RUN mkdir -p /var/lib/sqlite -RUN chown ory:ory /var/lib/sqlite +RUN mkdir -p /var/lib/sqlite && \ + chown ory:ory /var/lib/sqlite + VOLUME /var/lib/sqlite # Exposing the ory home directory @@ -40,3 +39,5 @@ USER ory ENTRYPOINT ["hydra"] CMD ["serve"] + + diff --git a/.docker/Dockerfile-hsm b/.docker/Dockerfile-hsm index ebcf045818c..ab579f5795f 100644 --- a/.docker/Dockerfile-hsm +++ b/.docker/Dockerfile-hsm @@ -1,18 +1,17 @@ -FROM golang:1.16-alpine AS builder +FROM golang:1.18-alpine AS builder -RUN apk --no-cache --update-cache --upgrade --latest add build-base git gcc bash +RUN apk --no-cache add build-base git gcc bash WORKDIR /go/src/github.com/ory/hydra -ADD go.mod go.mod -ADD go.sum go.sum +COPY go.mod go.sum ./ ENV GO111MODULE on ENV CGO_ENABLED 1 RUN go mod download -ADD . . +COPY . . FROM builder as build-hydra RUN go build -tags=sqlite,hsm -o /usr/bin/hydra 
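Review bot: `COPY . .` replacing `ADD . .` is the right call, but it copies the whole checkout into the builder layer, so make sure a `.dockerignore` excludes `.git`, local `.env` files and any key material before relying on it — nothing in this hunk shows one. While this stage is being rewritten, the two `ENV` lines kept as context use the legacy space-separated form (`ENV GO111MODULE on`, `ENV CGO_ENABLED 1`) that BuildKit now warns about; `ENV GO111MODULE=on CGO_ENABLED=1` is the current form. A one-line why-comment such as `# cgo is required because the sqlite build tag pulls in a cgo-backed driver` would help the next reader — that is presumably the reason, confirm against the driver in go.mod.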
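Review bot: The new builder base `golang:1.18-alpine` floats on whatever Alpine release the Go image maintainers pick, while this same file's runtime stage is pinned to `alpine:3.15.1` and the build has `ENV CGO_ENABLED 1`, so the hydra binary is compiled against one musl/toolchain and run on another; Dockerfile-build in this same patch pins `golang:1.17-alpine3.15`, so use the matching form here, `FROM golang:1.18-alpine3.15 AS builder`. This hunk also drops `--upgrade --latest` from the apk line; patch 3 in this series restores it, so nothing further there. The `build-hydra` stage continues past the end of the hunk.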
@@ -23,13 +22,13 @@ ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so ENV HSM_TOKEN_LABEL=hydra ENV HSM_PIN=1234 -RUN apk --no-cache --update-cache --upgrade --latest add softhsm opensc; \ +RUN apk --no-cache add softhsm opensc; \ pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 0 --init-token --so-pin 0000 --init-pin --pin 1234 --label hydra; \ go test -p 1 -v -failfast -short -tags=sqlite,hsm ./... FROM alpine:3.15.1 -RUN apk --no-cache --update-cache --upgrade --latest add softhsm opensc; \ +RUN apk --no-cache add softhsm opensc; \ pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 0 --init-token --so-pin 0000 --init-pin --pin 1234 --label hydra RUN addgroup -S ory; \ @@ -41,8 +40,9 @@ COPY --from=build-hydra /usr/bin/hydra /usr/bin/hydra # By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which # is required for read/write of SQLite. -RUN mkdir -p /var/lib/sqlite -RUN chown ory:ory /var/lib/sqlite +RUN mkdir -p /var/lib/sqlite && \ + chown ory:ory /var/lib/sqlite + VOLUME /var/lib/sqlite # Exposing the ory home directory diff --git a/.docker/Dockerfile-scratch b/.docker/Dockerfile-scratch index 5ba402dbd07..fad6d4e1858 100644 --- a/.docker/Dockerfile-scratch +++ b/.docker/Dockerfile-scratch @@ -1,6 +1,6 @@ FROM alpine:3.15.1 -RUN apk --no-cache --update-cache --upgrade --latest add ca-certificates +RUN apk --no-cache add ca-certificates # set up nsswitch.conf for Go's "netgo" implementation # - https://github.com/golang/go/blob/go1.9.1/src/net/conf.go#L194-L275 diff --git a/.docker/Dockerfile-sqlite b/.docker/Dockerfile-sqlite index b46fb3613c0..06e8f316d20 100644 --- a/.docker/Dockerfile-sqlite +++ b/.docker/Dockerfile-sqlite 
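Review bot: Both rewritten `RUN apk --no-cache add softhsm opensc; \` lines still chain with `;`, so a failed package install or a failed `pkcs11-tool --init-token` does not fail the build — in the final stage that yields an image whose SoftHSM token silently does not exist; use `&& \` between the steps. The hunk's context also shows the token being initialised at build time with fixed `--so-pin 0000 --pin 1234` and `ENV HSM_PIN=1234` baked into the image, which is acceptable for a test image but leaves those values in `docker history` and as the runtime defaults; a header comment such as `# SoftHSM test token with well-known PINs — development/CI only; production must mount a real PKCS#11 module and supply HSM_PIN out of band` would make that explicit. The token directory is created here as root, and whether the `ory` user added in the trailing context can write to it is not visible in this hunk.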
@@ -9,8 +9,8 @@ FROM alpine:3.15.1 RUN addgroup -S ory; \ adduser -S ory -G ory -D -h /home/ory -s /bin/nologin; \ - chown -R ory:ory /home/ory -RUN apk --no-cache --update-cache --upgrade --latest add ca-certificates + chown -R ory:ory /home/ory && \ + apk --no-cache --update-cache --upgrade --latest add ca-certificates WORKDIR /home/ory @@ -18,8 +18,9 @@ COPY hydra /usr/bin/hydra # By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which # is required for read/write of SQLite. -RUN mkdir -p /var/lib/sqlite -RUN chown ory:ory /var/lib/sqlite +RUN mkdir -p /var/lib/sqlite && \ + chown ory:ory /var/lib/sqlite + VOLUME /var/lib/sqlite # Exposing the ory home directory diff --git a/test/conformance/hydra/Dockerfile b/test/conformance/hydra/Dockerfile index d39ff8b33c1..9562d81c939 100644 --- a/test/conformance/hydra/Dockerfile +++ b/test/conformance/hydra/Dockerfile @@ -1,19 +1,20 @@ -FROM golang:1.17-buster AS builder +FROM golang:1.18-buster AS builder RUN apt-get update && \ - apt-get install -y git gcc bash ssl-cert ca-certificates + apt-get install --no-install-recommends -y \ + git gcc bash ssl-cert ca-certificates && \ + rm -rf /var/lib/apt/lists/* WORKDIR /go/src/github.com/ory/hydra -ADD go.mod go.mod -ADD go.sum go.sum +COPY go.mod go.sum ./ ENV GO111MODULE on ENV CGO_ENABLED 1 RUN go mod download -ADD . . +COPY . . RUN go build -tags sqlite -o /usr/bin/hydra 
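Review bot: The merged `RUN` mixes `;` and `&&`: `addgroup -S ory; \` and `adduser ... ; \` are not gated, so a failure there is only caught indirectly when the later `chown -R ory:ory /home/ory` fails; since the image's non-root setup depends on that user existing, chain every step with `&&` (`RUN addgroup -S ory && \` / `adduser -S ory -G ory -D -h /home/ory -s /bin/nologin && \`). Folding the `ca-certificates` install into the user-creation layer also means the two are invalidated together, which is harmless but not obviously a win over the separate `RUN` it replaces. The new line still passes `--update-cache` alongside `--no-cache`, which is contradictory; patch 3 in this series drops it, so nothing further there.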
@@ -25,10 +26,10 @@ VOLUME /home/ory # Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint) EXPOSE 4444 4445 -RUN mv test/conformance/ssl/ory-ca.* /etc/ssl/certs/ -RUN mv test/conformance/ssl/ory-conformity.crt /etc/ssl/certs/ -RUN mv test/conformance/ssl/ory-conformity.key /etc/ssl/private/ -RUN update-ca-certificates +RUN mv test/conformance/ssl/ory-ca.* /etc/ssl/certs/ && \ + mv test/conformance/ssl/ory-conformity.crt /etc/ssl/certs/ && \ + mv test/conformance/ssl/ory-conformity.key /etc/ssl/private/ && \ + update-ca-certificates ENTRYPOINT ["hydra"] CMD ["serve"] From dad10b49d3f12e67c512d1a7accae43eebe38b4f Mon Sep 17 00:00:00 2001 From: hackerman <3372410+aeneasr@users.noreply.github.com> Date: Fri, 1 Apr 2022 15:13:37 +0200 Subject: [PATCH 2/5] Update test/conformance/hydra/Dockerfile --- test/conformance/hydra/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/conformance/hydra/Dockerfile b/test/conformance/hydra/Dockerfile index 9562d81c939..c707d59a373 100644 --- a/test/conformance/hydra/Dockerfile +++ b/test/conformance/hydra/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.18-buster AS builder +FROM golang:1.17-buster AS builder RUN apt-get update && \ apt-get install --no-install-recommends -y \ From 03b927c88f3be402c9f4f1950785a5d8927e7c86 Mon Sep 17 00:00:00 2001 From: Adrian Date: Fri, 1 Apr 2022 19:08:40 +0200 Subject: [PATCH 3/5] repaired CVE issue in images --- .docker/Dockerfile-alpine | 2 +- .docker/Dockerfile-build | 2 +- .docker/Dockerfile-hsm | 6 +++--- .docker/Dockerfile-scratch | 2 +- .docker/Dockerfile-sqlite | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.docker/Dockerfile-alpine b/.docker/Dockerfile-alpine index 777b28325f0..1a362605951 100644 --- a/.docker/Dockerfile-alpine +++ b/.docker/Dockerfile-alpine 
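Review bot: `mv test/conformance/ssl/ory-ca.* /etc/ssl/certs/` moves every file matching the glob into a world-readable directory — if the fixture directory also holds the CA's private key (`ory-ca.key`), it ends up next to the certificates; name the file explicitly (`ory-ca.crt`). `update-ca-certificates` only rebuilds the bundle from `/usr/local/share/ca-certificates/*.crt` (plus entries in `/etc/ca-certificates.conf`), so a file dropped straight into `/etc/ssl/certs/` is not added to `ca-certificates.crt`; Go happens to also scan `/etc/ssl/certs/` as a directory, which is probably why this works for hydra, but `mv test/conformance/ssl/ory-ca.crt /usr/local/share/ca-certificates/ && update-ca-certificates` is the form that also works for non-Go clients. `mv` keeps the source tree's mode on `ory-conformity.key`, and `/etc/ssl/private` is root-only on Debian, so if the final stage switches to a non-root `USER` (not visible in this hunk) hydra will not be able to read its key — verify the mode/owner or `chown` it here. A comment noting these are committed, test-only certificates would also help.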
@@ -2,7 +2,7 @@ FROM alpine:3.15.1 RUN addgroup -S ory; \ adduser -S ory -G ory -D -H -s /bin/nologin -RUN apk --no-cache --update-cache --upgrade --latest add ca-certificates +RUN apk --no-cache --upgrade --latest add ca-certificates COPY hydra /usr/bin/hydra diff --git a/.docker/Dockerfile-build b/.docker/Dockerfile-build index a399c496b16..b12fa8867fa 100644 --- a/.docker/Dockerfile-build +++ b/.docker/Dockerfile-build @@ -1,6 +1,6 @@ FROM golang:1.17-alpine3.15 AS builder -RUN apk -U --no-cache add build-base git gcc bash +RUN apk -U --no-cache --upgrade --latest add build-base git gcc bash WORKDIR /go/src/github.com/ory/hydra diff --git a/.docker/Dockerfile-hsm b/.docker/Dockerfile-hsm index ab579f5795f..97ccfeeec04 100644 --- a/.docker/Dockerfile-hsm +++ b/.docker/Dockerfile-hsm @@ -1,6 +1,6 @@ FROM golang:1.18-alpine AS builder -RUN apk --no-cache add build-base git gcc bash +RUN apk --no-cache add --upgrade --latest build-base git gcc bash WORKDIR /go/src/github.com/ory/hydra @@ -22,13 +22,13 @@ ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so ENV HSM_TOKEN_LABEL=hydra ENV HSM_PIN=1234 -RUN apk --no-cache add softhsm opensc; \ +RUN apk --no-cache --upgrade --latest add softhsm opensc; \ pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 0 --init-token --so-pin 0000 --init-pin --pin 1234 --label hydra; \ go test -p 1 -v -failfast -short -tags=sqlite,hsm ./... FROM alpine:3.15.1 -RUN apk --no-cache add softhsm opensc; \ +RUN apk --no-cache --upgrade --latest add softhsm opensc; \ pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 0 --init-token --so-pin 0000 --init-pin --pin 1234 --label hydra RUN addgroup -S ory; \ diff --git a/.docker/Dockerfile-scratch b/.docker/Dockerfile-scratch index fad6d4e1858..cd96caeea3e 100644 --- a/.docker/Dockerfile-scratch +++ b/.docker/Dockerfile-scratch 
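Review bot: `apk --no-cache --upgrade --latest add ca-certificates` upgrades the named package and what it pulls in — it is not `apk upgrade` — so a CVE in a package that ships in `alpine:3.15.1` itself (busybox, musl, zlib, libcrypto, …) is untouched by this line, and whether the commit's "repaired CVE" claim holds depends on which package the scanner flagged. If the goal is a fully patched base, use `RUN apk --no-cache upgrade && apk --no-cache add ca-certificates`, or bump the base tag/digest (patch 5 in this series moves to the floating `alpine:3.15`, which has that effect at the cost of reproducibility). A one-line comment naming the CVE or package this was meant to fix would let the next person drop the flag once the base image catches up.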
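Review bot: Adding `--upgrade --latest` to the builder stage's `apk add build-base git gcc bash` does not change what ships: only `/usr/bin/hydra` is copied out of this stage (`COPY --from=builder /usr/bin/hydra` in patch 1), and with `CGO_ENABLED 1` the binary runs against the final stage's musl, not the builder's. If this line was added to satisfy a scanner, the scanner is presumably reading the builder stage or a cached intermediate image; the final `alpine` stage is where upgrades matter. Keep it if the intent is just a fresher toolchain, but a comment saying so, e.g. `# toolchain freshness only — does not affect the published image`, would stop the next person from assuming it closes a CVE in the shipped image.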
@@ -1,6 +1,6 @@ FROM alpine:3.15.1 -RUN apk --no-cache add ca-certificates +RUN apk --no-cache --upgrade --latest add ca-certificates # set up nsswitch.conf for Go's "netgo" implementation # - https://github.com/golang/go/blob/go1.9.1/src/net/conf.go#L194-L275 diff --git a/.docker/Dockerfile-sqlite b/.docker/Dockerfile-sqlite index 06e8f316d20..14955909c9f 100644 --- a/.docker/Dockerfile-sqlite +++ b/.docker/Dockerfile-sqlite @@ -10,7 +10,7 @@ FROM alpine:3.15.1 RUN addgroup -S ory; \ adduser -S ory -G ory -D -h /home/ory -s /bin/nologin; \ chown -R ory:ory /home/ory && \ - apk --no-cache --update-cache --upgrade --latest add ca-certificates + apk --no-cache --upgrade --latest add ca-certificates WORKDIR /home/ory From 261a5df937ec029d81926cbc86b560f7eb85835d Mon Sep 17 00:00:00 2001 From: Adrian Date: Fri, 1 Apr 2022 19:17:51 +0200 Subject: [PATCH 4/5] condensed RUN commands --- test/conformance/Dockerfile | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/test/conformance/Dockerfile b/test/conformance/Dockerfile index 6ec033673fc..52fd2eb95e6 100644 --- a/test/conformance/Dockerfile +++ b/test/conformance/Dockerfile @@ -8,8 +8,10 @@ RUN wget https://gitlab.com/openid/conformance-suite/-/archive/release-v4.1.4/co find conformance-suite-release-v4.1.4 -maxdepth 1 -mindepth 1 -exec mv {} . \; && \ rmdir conformance-suite-release-v4.1.4 -RUN mvn -B clean package -DskipTests -RUN apt-get update && apt-get install -y redir ca-certificates +RUN mvn -B clean package -DskipTests && \ + apt-get update && apt-get install --no-install-recommends -y \ + redir ca-certificates && \ + rm -rf /var/lib/apt/lists/* COPY ssl/ory-conformity.crt /etc/ssl/certs/ COPY ssl/ory-conformity.key /etc/ssl/private/ From f6dcf064bd31fe57d118d59a30718e8f7e33f495 Mon Sep 17 00:00:00 2001 
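Review bot: Condensing `mvn -B clean package -DskipTests` and the `apt-get` install into one `RUN` couples the slow Maven build to the apt package list: any change to `redir ca-certificates` (or a retry after a flaky mirror) re-runs the whole Java build, and vice versa. The `--no-install-recommends` and `rm -rf /var/lib/apt/lists/*` additions are right; keep them but put the apt step in its own `RUN` ahead of the build so the rarely-changing OS layer is cached independently. The `wget` of the conformance-suite tarball in the leading context starts before this hunk and is fetched without a checksum; that is pre-existing and outside the changed lines, but worth a `sha256sum -c` when this file is next touched.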
From: Adrian Date: Fri, 1 Apr 2022 19:54:50 +0200 Subject: [PATCH 5/5] passing tests... --- .docker/Dockerfile-alpine | 2 +- .docker/Dockerfile-build | 2 +- .docker/Dockerfile-hsm | 2 +- .docker/Dockerfile-scratch | 2 +- .docker/Dockerfile-sqlite | 2 +- test/conformance/Dockerfile | 3 +-- 6 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.docker/Dockerfile-alpine b/.docker/Dockerfile-alpine index 1a362605951..dbfd0ca9644 100644 --- a/.docker/Dockerfile-alpine +++ b/.docker/Dockerfile-alpine @@ -1,4 +1,4 @@ -FROM alpine:3.15.1 +FROM alpine:3.15 RUN addgroup -S ory; \ adduser -S ory -G ory -D -H -s /bin/nologin diff --git a/.docker/Dockerfile-build b/.docker/Dockerfile-build index b12fa8867fa..064da78afee 100644 --- a/.docker/Dockerfile-build +++ b/.docker/Dockerfile-build @@ -14,7 +14,7 @@ COPY . . RUN go build -tags sqlite -o /usr/bin/hydra -FROM alpine:3.15.1 +FROM alpine:3.15 RUN addgroup -S ory; \ adduser -S ory -G ory -D -h /home/ory -s /bin/nologin; \ diff --git a/.docker/Dockerfile-hsm b/.docker/Dockerfile-hsm index 97ccfeeec04..a88b8eecccf 100644 --- a/.docker/Dockerfile-hsm +++ b/.docker/Dockerfile-hsm @@ -26,7 +26,7 @@ RUN apk --no-cache --upgrade --latest add softhsm opensc; \ pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 0 --init-token --so-pin 0000 --init-pin --pin 1234 --label hydra; \ go test -p 1 -v -failfast -short -tags=sqlite,hsm ./... -FROM alpine:3.15.1 +FROM alpine:3.15 RUN apk --no-cache --upgrade --latest add softhsm opensc; \ pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 0 --init-token --so-pin 0000 --init-pin --pin 1234 --label hydra diff --git a/.docker/Dockerfile-scratch b/.docker/Dockerfile-scratch index cd96caeea3e..88ac38de0b3 100644 --- a/.docker/Dockerfile-scratch +++ b/.docker/Dockerfile-scratch @@ -1,4 +1,4 @@ -FROM alpine:3.15.1 +FROM alpine:3.15 RUN apk --no-cache --upgrade --latest add ca-certificates 
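Review bot: Loosening `alpine:3.15.1` to `alpine:3.15` makes the build pick up the newest 3.15.x patch release, which is presumably the intent after the CVE commit, but it also means two builds of the same hydra commit can get different base layers and a scan result that changes between runs with no change in the repository. The usual compromise is to pin by digest and let a bot bump it: `FROM alpine:3.15@sha256:<digest of the current 3.15.x>`, keeping the tag for readability. Whichever is chosen, apply the same form to the other four Dockerfiles in this patch so the images stay in lockstep — they do today, but only by convention.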
diff --git a/.docker/Dockerfile-sqlite b/.docker/Dockerfile-sqlite index 14955909c9f..5c5647159cc 100644 --- a/.docker/Dockerfile-sqlite +++ b/.docker/Dockerfile-sqlite @@ -1,4 +1,4 @@ -FROM alpine:3.15.1 +FROM alpine:3.15 # Because this image is built for SQLite, we create /home/ory and /home/ory/sqlite which is owned by the ory user # and declare /home/ory/sqlite a volume. diff --git a/test/conformance/Dockerfile b/test/conformance/Dockerfile index 52fd2eb95e6..fcb1130a8ad 100644 --- a/test/conformance/Dockerfile +++ b/test/conformance/Dockerfile @@ -9,9 +9,8 @@ RUN wget https://gitlab.com/openid/conformance-suite/-/archive/release-v4.1.4/co rmdir conformance-suite-release-v4.1.4 RUN mvn -B clean package -DskipTests && \ - apt-get update && apt-get install --no-install-recommends -y \ + apt-get update && apt-get install -y \ redir ca-certificates && \ - rm -rf /var/lib/apt/lists/* COPY ssl/ory-conformity.crt /etc/ssl/certs/ COPY ssl/ory-conformity.key /etc/ssl/private/
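Review bot: The new side of this hunk leaves the `RUN` ending in `redir ca-certificates && \` with nothing after it — the `rm -rf /var/lib/apt/lists/*` line was removed but the continuation on the line before it was not. The Dockerfile parser treats the following blank line as an empty continuation (a warning, not an error) and keeps reading, so the next instruction, `COPY ssl/ory-conformity.crt /etc/ssl/certs/`, is most likely spliced into the shell command and the build fails with `COPY: not found`; either drop the trailing `&& \` or, better, restore the cleanup. Dropping `--no-install-recommends` and the apt-lists cleanup is also a regression from patch 4 in this series with no stated reason — the previous lines `apt-get update && apt-get install --no-install-recommends -y \` / `redir ca-certificates && \` / `rm -rf /var/lib/apt/lists/*` were correct.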