Merge 28e627f into f884dfb

ory · Jun 27, 2023 · d98bc9e · d98bc9e
2 parents f884dfb + 28e627f
commit d98bc9e
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 20 deletions.
diff --git a/.docker/Dockerfile-alpine b/.docker/Dockerfile-alpine
@@ -1,4 +1,4 @@
-FROM alpine:3.16
+FROM alpine:3.18
 
 # Because this image supports SQLite, we create /home/ory and /home/ory/sqlite which is owned by the ory user
 # and declare /home/ory/sqlite a volume.

diff --git a/.docker/Dockerfile-build b/.docker/Dockerfile-build
@@ -1,7 +1,9 @@
 # syntax = docker/dockerfile:1-experimental
-FROM golang:1.19-alpine3.18 AS base
+# Workaround for https://github.com/GoogleContainerTools/distroless/issues/1342
+FROM golang:1.19-bullseye AS builder
 
-RUN apk --update upgrade && apk --no-cache --update-cache --upgrade --latest add ca-certificates build-base gcc
+RUN apt-get update && apt-get upgrade -y &&\
+    mkdir -p /var/lib/sqlite
 
 WORKDIR /go/src/github.com/ory/kratos
 
@@ -26,28 +28,16 @@ RUN --mount=type=cache,target=/root/.cache/go-build go build -tags sqlite \
     -ldflags="-X 'github.com/ory/kratos/driver/config.Version=${VERSION}' -X 'github.com/ory/kratos/driver/config.Date=${BUILD_DATE}' -X 'github.com/ory/kratos/driver/config.Commit=${COMMIT}'" \
     -o /usr/bin/kratos
 
-FROM alpine:3.18
+#########################
+FROM gcr.io/distroless/base-nossl-debian11:nonroot AS runner
 
-RUN addgroup -S ory; \
-    adduser -S ory -G ory -D -u 10000 -h /home/ory -s /bin/nologin; \
-    chown -R ory:ory /home/ory
+COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite
+COPY --from=builder --chown=nonroot:nonroot /usr/bin/kratos /usr/bin/kratos
 
-COPY --from=base /usr/bin/kratos /usr/bin/kratos
-
-# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
-# is required for read/write of SQLite.
-RUN mkdir -p /var/lib/sqlite
-RUN chown ory:ory /var/lib/sqlite
 VOLUME /var/lib/sqlite
 
-# Exposing the ory home directory to simplify passing in Kratos configuration (e.g. if the file $HOME/.kratos.yaml
-# exists, it will be automatically used as the configuration file).
-VOLUME /home/ory
-
 # Declare the standard ports used by Kratos (4433 for public service endpoint, 4434 for admin service endpoint)
 EXPOSE 4433 4434
 
-USER 10000
-
 ENTRYPOINT ["kratos"]
 CMD ["serve"]
diff --git a/.docker/Dockerfile-distroless-static b/.docker/Dockerfile-distroless-static
@@ -0,0 +1,7 @@
+FROM gcr.io/distroless/static-debian11:nonroot
+
+COPY kratos /usr/bin/kratos
+EXPOSE 4433 4434
+
+ENTRYPOINT ["kratos"]
+CMD ["serve"]
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -8,7 +8,8 @@ variables:
   buildinfo_hash: "github.com/ory/kratos/driver/config.Commit"
   buildinfo_tag: "github.com/ory/kratos/driver/config.Version"
   buildinfo_date: "github.com/ory/kratos/driver/config.Date"
-  dockerfile: ".docker/Dockerfile-alpine"
+  dockerfile_alpine: ".docker/Dockerfile-alpine"
+  dockerfile_static: ".docker/Dockerfile-distroless-static"
 
 project_name: kratos