From d686795eedc1b2f1cb7fc9eae21abe37b8658f43 Mon Sep 17 00:00:00 2001
From: Arne Luenser
Date: Thu, 29 Aug 2024 16:03:14 +0200
Subject: [PATCH] chore: compile a static binary in Docker to move from distroless/static-debian12 to distroless/base-nossl-debian12 to get fewer CVE alerts

Uses the technique described in https://www.arp242.net/static-go.html
---
 .docker/Dockerfile-build | 7 +++----
 .github/workflows/ci.yaml | 2 +-
 Makefile | 12 ++++++------
 scripts/db-diff.sh | 2 +-
 4 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/.docker/Dockerfile-build b/.docker/Dockerfile-build
index e4915ff88b..b16af1d27a 100644
--- a/.docker/Dockerfile-build
+++ b/.docker/Dockerfile-build
@@ -9,17 +9,16 @@ RUN apt-get update && apt-get upgrade -y &&\
 COPY go.mod go.sum ./
 COPY internal/httpclient/go.* ./internal/httpclient/
-ENV GO111MODULE on
-ENV CGO_ENABLED 1
+ENV CGO_ENABLED=1
 RUN go mod download
 COPY . .
-RUN go build -tags sqlite,json1 -o /usr/bin/hydra
+RUN go build -ldflags="-extldflags=-static" -tags sqlite,json1,sqlite_omit_load_extension -o /usr/bin/hydra
 #########################
-FROM gcr.io/distroless/base-nossl-debian12:nonroot AS runner
+FROM gcr.io/distroless/static-debian12:nonroot AS runner
 COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite
 COPY --from=builder /usr/bin/hydra /usr/bin/hydra
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 11a6ad19d3..326e043709 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -99,7 +99,7 @@ jobs:
 - name: Run go-acc (tests)
 run: |
 make .bin/go-acc
- .bin/go-acc -o coverage.out ./... -- -failfast -timeout=20m -tags sqlite,json1
+ .bin/go-acc -o coverage.out ./... -- -failfast -timeout=20m -tags sqlite,json1,sqlite_omit_load_extension
 - name: Submit to Codecov
 run: |
 bash <(curl -s https://codecov.io/bash)
diff --git a/Makefile b/Makefile
index 7345fe30c7..aa6ff60103 100644
--- a/Makefile
+++ b/Makefile
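Review bot: The new `RUN go build` line links statically with CGO_ENABLED=1 still set, but without the `netgo` and `osusergo` build tags, so `net` and `os/user` may still be compiled against glibc's getaddrinfo/getpw* entry points; in a statically linked glibc binary those resolve through NSS modules that are dlopen'ed at runtime, which distroless/static does not ship, and the linker typically warns about exactly this. Adding the tags forces the pure-Go implementations: `RUN go build -ldflags="-extldflags=-static" -tags sqlite,json1,sqlite_omit_load_extension,netgo,osusergo -o /usr/bin/hydra`. A comment above the build line would also help future readers, e.g. `# sqlite_omit_load_extension removes dlopen from the bundled sqlite so the binary links fully static (and disables SQL-level extension loading)`. The subject line also appears to name the two images in the opposite direction from this hunk, which moves the runner to static-debian12.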
@@ -53,7 +53,7 @@ lint: .bin/golangci-lint-$(GOLANGCI_LINT_VERSION)
 .PHONY: test
 test: .bin/go-acc
 make test-resetdb
- source scripts/test-env.sh && go-acc ./... -- -failfast -timeout=20m -tags sqlite,json1
+ source scripts/test-env.sh && go-acc ./... -- -failfast -timeout=20m -tags sqlite,json1,sqlite_omit_load_extension
 docker rm -f hydra_test_database_mysql
 docker rm -f hydra_test_database_postgres
 docker rm -f hydra_test_database_cockroach
@@ -84,7 +84,7 @@ e2e: node_modules test-resetdb
 # Runs tests in short mode, without database adapters
 .PHONY: quicktest
 quicktest:
- go test -failfast -short -tags sqlite,json1 ./...
+ go test -failfast -short -tags sqlite,json1,sqlite_omit_load_extension ./...
 .PHONY: quicktest-hsm
 quicktest-hsm:
@@ -92,7 +92,7 @@ quicktest-hsm:
 .PHONY: refresh
 refresh:
- UPDATE_SNAPSHOTS=true go test -failfast -short -tags sqlite,json1 ./...
+ UPDATE_SNAPSHOTS=true go test -failfast -short -tags sqlite,json1,sqlite_omit_load_extension ./...
 authors: # updates the AUTHORS file
 curl https://raw.githubusercontent.com/ory/ci/master/authors/authors.sh | env PRODUCT="Ory Hydra" bash
@@ -177,15 +177,15 @@ $(MIGRATIONS_DST_DIR:%/=%-clean): $(MIGRATION_CLEAN_TARGETS)
 install-stable:
 HYDRA_LATEST=$$(git describe --abbrev=0 --tags)
 git checkout $$HYDRA_LATEST
- GO111MODULE=on go install \
- -tags sqlite,json1 \
+ go install \
+ -tags sqlite,json1,sqlite_omit_load_extension \
 -ldflags "-X github.com/ory/hydra/v2/driver/config.Version=$$HYDRA_LATEST -X github.com/ory/hydra/v2/driver/config.Date=`TZ=UTC date -u '+%Y-%m-%dT%H:%M:%SZ'` -X github.com/ory/hydra/v2/driver/config.Commit=`git rev-parse HEAD`" \
 .
 git checkout master
 .PHONY: install
 install:
- GO111MODULE=on go install -tags sqlite,json1 .
+ go install -tags sqlite,json1,sqlite_omit_load_extension .
 .PHONY: post-release
 post-release: .bin/yq
diff --git a/scripts/db-diff.sh b/scripts/db-diff.sh
index 151a023cd8..987a718ef7 100755
--- a/scripts/db-diff.sh
+++ b/scripts/db-diff.sh
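Review bot: The literal tag list `sqlite,json1,sqlite_omit_load_extension` is now repeated in the `test`, `quicktest`, `refresh`, `install-stable` and `install` recipes (all four hunks here), and again in .docker/Dockerfile-build, .github/workflows/ci.yaml and scripts/db-diff.sh, so the eight sites this commit had to touch will drift the next time a tag changes. Define it once near the top of the Makefile, `GO_TAGS := sqlite,json1,sqlite_omit_load_extension`, and write `-tags $(GO_TAGS)` in each recipe; the CI workflow and the script can consume the same value through a Make target or an exported variable. A short comment on that definition saying why `sqlite_omit_load_extension` is required (no dlopen, so the binary can link statically) would record the decision where it is made rather than only in a commit message. The variable definition would live above the first hunk, outside the lines shown.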
@@ -107,7 +107,7 @@ function dump_sqlite {
 hydra::util::ensure-sqlite
 rm "$SQLITE_PATH" > /dev/null 2>&1 || true
- go run -tags sqlite,json1 . migrate sql "sqlite://$SQLITE_PATH?_fk=true" --yes > /dev/null 2>&1 || true
+ go run -tags sqlite,json1,sqlite_omit_load_extension . migrate sql "sqlite://$SQLITE_PATH?_fk=true" --yes > /dev/null 2>&1 || true
 echo '.dump' | sqlite3 "$SQLITE_PATH"
 }
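Review bot: The rewritten `go run ... migrate sql` line still ends in `> /dev/null 2>&1 || true`, so a compile or migration failure, for instance a tag list that has drifted from the other seven places this commit updates, is silently discarded and `dump_sqlite` goes on to dump an unmigrated or empty database, which surfaces as a confusing schema diff rather than an error. Let the failure propagate by dropping the `2>&1 || true` tail, `go run -tags sqlite,json1,sqlite_omit_load_extension . migrate sql "sqlite://$SQLITE_PATH?_fk=true" --yes > /dev/null`, or at least check that sqlite3 reports tables before dumping. The function opens at the hunk header line, so its start is outside the hunk body.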