`Dockerfile`: Remove `VOLUME` instruction

[polarathene]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe your problem

Some of the Dockerfile files in this repo use the VOLUME instruction: https://github.com/ory/hydra/tree/master/.docker

Dockerfile references

hydra/.docker/Dockerfile-build

Line 27 in f9cee32

VOLUME /var/lib/sqlite

hydra/.docker/Dockerfile-hsm

Lines 54 to 62 in f9cee32

	# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
	# is required for read/write of SQLite.
	RUN mkdir -p /var/lib/sqlite && \
	chown ory:ory /var/lib/sqlite
	VOLUME /var/lib/sqlite
	# Exposing the ory home directory
	VOLUME /home/ory

hydra/.docker/Dockerfile-sqlite

Lines 19 to 27 in f9cee32

	# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
	# is required for read/write of SQLite.
	RUN mkdir -p /var/lib/sqlite && \
	chown ory:ory /var/lib/sqlite
	VOLUME /var/lib/sqlite
	# Exposing the ory home directory
	VOLUME /home/ory

PR that introduced VOLUME: #2129

---

VOLUME is not necessary:

• A container will persist it's internal state until it's destroyed (docker rm container_name, docker run --rm, docker compose down, etc). An anonymous volume is often mistakenly added despite being redundant.
• An implicit anonymous volume copies data from the image to the host per container instance created. This is wasteful and accumulates over runs.
• When persistence via a volume is actually necessary, it should be explicit (docker run --volume ./host/path/:container/path, or the volume key in compose.yaml, etc).
  • Anonymous (-v container/path):

    I want to persist the volume without a human-friendly name to reference

  • Named (-v my_data:container/path):

    I want a human-friendly name, but not easy access from the host filesystem, just persist my data externally from the container

  • Bind mount (-v host/path:container/path):

    I want to persist the data at a known location on the host filesystem that I can easily access directly

I also provided justification in 2022 for Caddy to do the same, citing various sources from other popular official images that likewise dropped VOLUME (which is effectively a legacy feature that causes more problems implicitly than benefits).

Describe your ideal solution

Remove VOLUME from the Dockerfile lines referenced (this would be applicable to other Ory projects too).

Workarounds or alternatives

• The redundant copy can be avoided.. if the user provides their own bind mount to the same mount point at runtime (anonymous & named volumes copy container content by default, bind mounts replace).
• Alternatively, the --rm option will remove the container on exit, additionally discarding the implicitly created anonymous volume. This doesn't prevent writing a copy of the volume data to disk, which if large slows startup.

Ideally though, without a real reason to keep VOLUME, it should just be removed from the Dockerfiles? 🤷‍♂️

Version

2.1.2