From 031787c5f5914ba0a07741a8d853bd21ff5caeed Mon Sep 17 00:00:00 2001
From: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
Date: Sat, 28 Dec 2024 16:10:53 +1300
Subject: [PATCH 1/8] chore/remove-nsswitch-hosts

---
 .docker/Dockerfile-alpine | 4 ----
 .docker/Dockerfile-scratch | 4 ----
 2 files changed, 8 deletions(-)

diff --git a/.docker/Dockerfile-alpine b/.docker/Dockerfile-alpine
index 075a1a75328..e8d26f999bc 100644
--- a/.docker/Dockerfile-alpine
+++ b/.docker/Dockerfile-alpine
@@ -7,10 +7,6 @@ RUN addgroup -S ory; \
 COPY hydra /usr/bin/hydra
-# set up nsswitch.conf for Go's "netgo" implementation
-# - https://github.com/golang/go/blob/go1.9.1/src/net/conf.go#L194-L275
-RUN echo 'hosts: files dns' > /etc/nsswitch.conf
-
 # By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
 # is required for read/write of SQLite.
 RUN mkdir -p /var/lib/sqlite && \
diff --git a/.docker/Dockerfile-scratch b/.docker/Dockerfile-scratch
index f262b7c6338..e9798de37e5 100644
--- a/.docker/Dockerfile-scratch
+++ b/.docker/Dockerfile-scratch
@@ -3,10 +3,6 @@ FROM alpine:3.20
 RUN apk upgrade --no-cache && \
     apk add --no-cache --upgrade ca-certificates
-# set up nsswitch.conf for Go's "netgo" implementation
-# - https://github.com/golang/go/blob/go1.9.1/src/net/conf.go#L194-L275
-RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
-
 RUN addgroup -S ory; \
     adduser -S ory -G ory -D -h /home/ory -s /bin/nologin;
From 04fa48be7835f19c5f9c3027ae49973166d93693 Mon Sep 17 00:00:00 2001
From: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
Date: Sat, 28 Dec 2024 16:39:16 +1300
Subject: [PATCH 2/8] chore: Revise scratch image

---
 .docker/Dockerfile-scratch | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/.docker/Dockerfile-scratch b/.docker/Dockerfile-scratch
index e9798de37e5..1ab2f8b3a45 100644
--- a/.docker/Dockerfile-scratch
+++ b/.docker/Dockerfile-scratch
@@ -1,20 +1,28 @@
-FROM alpine:3.20
+FROM alpine:3.20 AS base-files
-RUN apk upgrade --no-cache && \
+RUN <
Date: Sat, 28 Dec 2024 17:00:53 +1300
Subject: [PATCH 3/8] chore: Revise alpine images

---
 .docker/Dockerfile-alpine | 24 ++++++++++++++++--------
 .docker/Dockerfile-scratch | 5 +++--
 .docker/Dockerfile-sqlite | 28 +++++++++++++++++-----------
 3 files changed, 36 insertions(+), 21 deletions(-)

diff --git a/.docker/Dockerfile-alpine b/.docker/Dockerfile-alpine
index e8d26f999bc..1c5bd3c14ff 100644
--- a/.docker/Dockerfile-alpine
+++ b/.docker/Dockerfile-alpine
@@ -1,16 +1,24 @@
 FROM alpine:3.20
-RUN addgroup -S ory; \
-    adduser -S ory -G ory -D -H -s /bin/nologin && \
-    apk upgrade --no-cache && \
+RUN <
Date: Sat, 28 Dec 2024 17:25:31 +1300
Subject: [PATCH 4/8] chore: Use the same busybox commands with distroless

---
 .docker/Dockerfile-hsm | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/.docker/Dockerfile-hsm b/.docker/Dockerfile-hsm
index c4199fe87e4..f2c1c3130a7 100644
--- a/.docker/Dockerfile-hsm
+++ b/.docker/Dockerfile-hsm
@@ -53,21 +53,33 @@ ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
 ENV HSM_TOKEN_LABEL=hydra
 ENV HSM_PIN=1234
+# NOTE: This is broken already. Even though this image provides a shell, you'd need to configure it with
+# `SHELL ["/busybox/sh", "-c"]`, however `apt-get` does not exist either in a distroless image.
+# This was original an Alpine image, the refactoring was not verified properly in this commit:
+# https://github.com/ory/hydra/commit/c1e1a569621d88365dceee7372ca49ecd119f939#diff-ae54bef08e3587b28ad8e93eb253a9a5cd9ea6f4251977e35b88dc6b42329e25L31
 RUN apt-get -y install softhsm opensc &&\
     pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
-RUN addgroup -S ory; \
-    adduser -S ory -G ory -D -h /home/ory -s /bin/nologin; \
-    chown -R ory:ory /home/ory; \
+RUN <
Date: Sat, 28 Dec 2024 17:28:43 +1300
Subject: [PATCH 5/8] chore: Remove redundant `VOLUME` directives

---
 .docker/Dockerfile-alpine | 3 +--
 .docker/Dockerfile-build | 2 --
 .docker/Dockerfile-hsm | 5 -----
 .docker/Dockerfile-sqlite | 7 -------
 4 files changed, 1 insertion(+), 16 deletions(-)

diff --git a/.docker/Dockerfile-alpine b/.docker/Dockerfile-alpine
index 1c5bd3c14ff..91174b9d19a 100644
--- a/.docker/Dockerfile-alpine
+++ b/.docker/Dockerfile-alpine
@@ -20,7 +20,6 @@ HEREDOC
 COPY hydra /usr/bin/hydra
-USER ory
-
 ENTRYPOINT ["hydra"]
 CMD ["serve", "all"]
+USER ory
diff --git a/.docker/Dockerfile-build b/.docker/Dockerfile-build
index 18cc454fba9..0c858feaeb3 100644
--- a/.docker/Dockerfile-build
+++ b/.docker/Dockerfile-build
@@ -23,8 +23,6 @@ FROM gcr.io/distroless/static-debian12:nonroot AS runner
 COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite
 COPY --from=builder /usr/bin/hydra /usr/bin/hydra
-VOLUME /var/lib/sqlite
-
 # Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)
 EXPOSE 4444 4445
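Review bot: In the `.docker/Dockerfile-alpine` hunk of PATCH 5/8, `USER ory` is moved from before `ENTRYPOINT` to after `CMD`, and the commit message ("Remove redundant `VOLUME` directives") does not say why. The resulting image config is the same either way, since `USER` is not order-sensitive relative to `ENTRYPOINT`/`CMD` and no `RUN` follows it in this hunk, but the convention is `USER` directly above `ENTRYPOINT` so that anyone checking whether the process runs as root finds the answer where they expect it. If the bottom placement is deliberate, state it in a comment above the line, e.g. `# USER is intentionally the last instruction; any step that needs root must stay above it`; otherwise restore it above `ENTRYPOINT`. The rest of the file, including the `HEREDOC` block this hunk follows, lies outside the hunk.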
diff --git a/.docker/Dockerfile-hsm b/.docker/Dockerfile-hsm
index f2c1c3130a7..8c51e3fcdac 100644
--- a/.docker/Dockerfile-hsm
+++ b/.docker/Dockerfile-hsm
@@ -80,11 +80,6 @@ HEREDOC
 COPY --from=build-hydra /usr/bin/hydra /usr/bin/hydra
-VOLUME /var/lib/sqlite
-
-# Exposing the ory home directory
-VOLUME /home/ory
-
 # Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)
 EXPOSE 4444 4445
diff --git a/.docker/Dockerfile-sqlite b/.docker/Dockerfile-sqlite
index dbfb1399d82..82d678bb9ed 100644
--- a/.docker/Dockerfile-sqlite
+++ b/.docker/Dockerfile-sqlite
@@ -25,15 +25,8 @@ RUN <
Date: Mon, 6 Jan 2025 11:25:24 +1300
Subject: [PATCH 6/8] chore: `Dockerfile-scratch` - Add commentary

---
 .docker/Dockerfile-scratch | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.docker/Dockerfile-scratch b/.docker/Dockerfile-scratch
index 5b86124ee71..2ada6f06eb6 100644
--- a/.docker/Dockerfile-scratch
+++ b/.docker/Dockerfile-scratch
@@ -1,3 +1,8 @@
+# TODO: Remove this file in favor of distroless-static variant:
+# https://github.com/ory/hydra/blob/master/.docker/Dockerfile-distroless-static
+# However if published to any registry, continue to publish the variant tag but as an alias to `-distroless` tags:
+# https://github.com/ory/hydra/pull/3914#pullrequestreview-2527315326
+
 FROM alpine:3.20 AS base-files
 RUN <
Date: Mon, 6 Jan 2025 11:30:33 +1300
Subject: [PATCH 7/8] chore: `Dockerfile-sqlite` - Add commentary

---
 .docker/Dockerfile-sqlite | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/.docker/Dockerfile-sqlite b/.docker/Dockerfile-sqlite
index 82d678bb9ed..d537b202a9e 100644
--- a/.docker/Dockerfile-sqlite
+++ b/.docker/Dockerfile-sqlite
@@ -1,17 +1,16 @@
-FROM alpine:3.20
-
-# Because this image is built for SQLite, we create /home/ory and /home/ory/sqlite which is owned by the ory user
-# and declare /home/ory/sqlite a volume.
-#
-# To get SQLite and Docker Volumes working with this image, mount the volume where SQLite should be written to at:
-#
-# /home/ory/sqlite/some-file.
+# TODO: Remove this file in favor of the main/default Alpine image. The sqlite package is no longer required:
+# https://github.com/ory/hydra/blob/master/.docker/Dockerfile-alpine
+# However if published to any registry, continue to publish the variant tag but as an alias to standard Alpine image tags:
+# https://github.com/ory/hydra/pull/3914#pullrequestreview-2527315326
+FROM alpine:3.20
 RUN <
Date: Mon, 6 Jan 2025 11:59:56 +1300
Subject: [PATCH 8/8] chore: `Dockerfile-alpine` - Add commentary

---
 .docker/Dockerfile-alpine | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.docker/Dockerfile-alpine b/.docker/Dockerfile-alpine
index 91174b9d19a..1cc14658cac 100644
--- a/.docker/Dockerfile-alpine
+++ b/.docker/Dockerfile-alpine
@@ -5,6 +5,7 @@ RUN <