Fixes #2356: Minimal base image (#2375)

Signed-off-by: AbstractionFactory <179820029+abstractionfactory@users.noreply.github.com>

.goreleaser.yaml

@@ -89,6 +89,25 @@ dockers:
     image_templates:
       - "ghcr.io/opentofu/opentofu:{{ .Version }}-amd64"
 
+  - use: buildx
+    goarch: amd64
+    dockerfile: Dockerfile.minimal
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
+      - "--label=org.opencontainers.image.vendor=OpenTofu"
+      - "--label=org.opencontainers.image.description=OpenTofu {{ .Version }}"
+      - "--label=org.opencontainers.image.url=https://github.com/opentofu/opentofu"
+      - "--label=org.opencontainers.image.documentation=https://github.com/opentofu/opentofu/blob/main/README.md"
+      - "--label=org.opencontainers.image.source=https://github.com/opentofu/opentofu"
+      - "--label=org.opencontainers.image.licenses=MPL-2.0"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.created={{ time \"2006-01-02T15:04:05Z07:00\" }}"
+    image_templates:
+      - "ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-amd64"
+
   - use: buildx
     goarch: arm64
     build_flag_templates:
@@ -107,6 +126,25 @@ dockers:
     image_templates:
       - "ghcr.io/opentofu/opentofu:{{ .Version }}-arm64"
 
+  - use: buildx
+    goarch: arm64
+    dockerfile: Dockerfile.minimal
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
+      - "--label=org.opencontainers.image.vendor=OpenTofu"
+      - "--label=org.opencontainers.image.description=OpenTofu {{ .Version }}"
+      - "--label=org.opencontainers.image.url=https://github.com/opentofu/opentofu"
+      - "--label=org.opencontainers.image.documentation=https://github.com/opentofu/opentofu/blob/main/README.md"
+      - "--label=org.opencontainers.image.source=https://github.com/opentofu/opentofu"
+      - "--label=org.opencontainers.image.licenses=MPL-2.0"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.created={{ time \"2006-01-02T15:04:05Z07:00\" }}"
+    image_templates:
+      - "ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-arm64"
+
   - use: buildx
     goarch: arm
     build_flag_templates:
@@ -125,6 +163,25 @@ dockers:
     image_templates:
       - "ghcr.io/opentofu/opentofu:{{ .Version }}-arm"
 
+  - use: buildx
+    goarch: arm
+    dockerfile: Dockerfile.minimal
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
+      - "--label=org.opencontainers.image.vendor=OpenTofu"
+      - "--label=org.opencontainers.image.description=OpenTofu {{ .Version }}"
+      - "--label=org.opencontainers.image.url=https://github.com/opentofu/opentofu"
+      - "--label=org.opencontainers.image.documentation=https://github.com/opentofu/opentofu/blob/main/README.md"
+      - "--label=org.opencontainers.image.source=https://github.com/opentofu/opentofu"
+      - "--label=org.opencontainers.image.licenses=MPL-2.0"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.created={{ time \"2006-01-02T15:04:05Z07:00\" }}"
+    image_templates:
+      - "ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-arm"
+
   - use: buildx
     goarch: "386"
     build_flag_templates:
@@ -143,6 +200,25 @@ dockers:
     image_templates:
       - "ghcr.io/opentofu/opentofu:{{ .Version }}-386"
 
+  - use: buildx
+    goarch: "386"
+    dockerfile: Dockerfile.minimal
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/386"
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
+      - "--label=org.opencontainers.image.vendor=OpenTofu"
+      - "--label=org.opencontainers.image.description=OpenTofu {{ .Version }}"
+      - "--label=org.opencontainers.image.url=https://github.com/opentofu/opentofu"
+      - "--label=org.opencontainers.image.documentation=https://github.com/opentofu/opentofu/blob/main/README.md"
+      - "--label=org.opencontainers.image.source=https://github.com/opentofu/opentofu"
+      - "--label=org.opencontainers.image.licenses=MPL-2.0"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.created={{ time \"2006-01-02T15:04:05Z07:00\" }}"
+    image_templates:
+      - "ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-386"
+
 docker_manifests:
   - name_template: ghcr.io/opentofu/opentofu:{{ .Version }}
     image_templates:
@@ -151,6 +227,13 @@ docker_manifests:
       - ghcr.io/opentofu/opentofu:{{ .Version }}-arm
       - ghcr.io/opentofu/opentofu:{{ .Version }}-386
 
+  - name_template: ghcr.io/opentofu/opentofu:{{ .Version }}-minimal
+    image_templates:
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-amd64
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-arm64
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-arm
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-386
+
   - name_template: ghcr.io/opentofu/opentofu:{{ .Major }}.{{ .Minor }}
     image_templates:
       - ghcr.io/opentofu/opentofu:{{ .Version }}-amd64
@@ -159,6 +242,14 @@ docker_manifests:
       - ghcr.io/opentofu/opentofu:{{ .Version }}-386
     skip_push: auto # Skips the push on pre-release versions, like 1.6.1-alpha1. See https://goreleaser.com/customization/docker_manifest/#customization
 
+  - name_template: ghcr.io/opentofu/opentofu:{{ .Major }}.{{ .Minor }}-minimal
+    image_templates:
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-amd64
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-arm64
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-arm
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-386
+    skip_push: auto # Skips the push on pre-release versions, like 1.6.1-alpha1. See https://goreleaser.com/customization/docker_manifest/#customization
+
   - name_template: ghcr.io/opentofu/opentofu:{{ .Major }}
     image_templates:
       - ghcr.io/opentofu/opentofu:{{ .Version }}-amd64
@@ -167,6 +258,14 @@ docker_manifests:
       - ghcr.io/opentofu/opentofu:{{ .Version }}-386
     skip_push: auto # Skips the push on pre-release versions, like 1.6.1-alpha1. See https://goreleaser.com/customization/docker_manifest/#customization
 
+  - name_template: ghcr.io/opentofu/opentofu:{{ .Major }}-minimal
+    image_templates:
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-amd64
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-arm64
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-arm
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-386
+    skip_push: auto # Skips the push on pre-release versions, like 1.6.1-alpha1. See https://goreleaser.com/customization/docker_manifest/#customization
+
   - name_template: ghcr.io/opentofu/opentofu:latest
     image_templates:
       - ghcr.io/opentofu/opentofu:{{ .Version }}-amd64
@@ -175,6 +274,14 @@ docker_manifests:
       - ghcr.io/opentofu/opentofu:{{ .Version }}-386
     skip_push: auto # Skips the push on pre-release versions, like 1.6.1-alpha1. See https://goreleaser.com/customization/docker_manifest/#customization
 
+  - name_template: ghcr.io/opentofu/opentofu:minimal
+    image_templates:
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-amd64
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-arm64
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-arm
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-minimal-386
+    skip_push: auto # Skips the push on pre-release versions, like 1.6.1-alpha1. See https://goreleaser.com/customization/docker_manifest/#customization
+
 nfpms:
   - file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Arch }}'
     maintainer: 'https://github.com/orgs/opentofu/teams/opentofu-core-team'

Dockerfile.minimal

@@ -0,0 +1,12 @@
+# Copyright (c) The OpenTofu Authors
+# SPDX-License-Identifier: MPL-2.0
+# Copyright (c) 2023 HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+FROM scratch
+
+LABEL maintainer="OpenTofu Core Team <core@opentofu.org>"
+
+COPY tofu /usr/local/bin/tofu
+
+ENTRYPOINT ["/usr/local/bin/tofu"]

website/docs/intro/install/docker.mdx

@@ -26,16 +26,24 @@ Instead, follow the [instructions below to build your own OpenTofu image](#build
 Images are hosted as packages in the OpenTofu GitHub organization. See the list
 of available versions [here](https://github.com/opentofu/opentofu/pkgs/container/opentofu/versions?filters%5Bversion_type%5D=tagged).
 
-The multi platform images are available using the following tags:
+The multi-platform images are available using the following tags:
 
 - `latest`: latest overall version of OpenTofu,
 - `Major`: a specific major version of OpenTofu,
 - `Major`.`Minor`: a specific minor version of OpenTofu,
-- `Major`.`Minor`.`Patch`: a specific patch version of OpenTofu.
+- `Major`.`Minor`.`Patch`: a specific patch version of OpenTofu,
+
+Additionally, we make the following minimal tags available for [building a custom image](#building-your-own-image) starting with OpenTofu version 1.9.1:
+
+- `minimal`: minimal image containing only the OpenTofu binary at `/usr/local/bin/tofu`
+- `Major-minimal`: minimal image of a specific major version of OpenTofu,
+- `Major.Minor-minimal`: minimal image of a specific minor version of OpenTofu,
+- `Major.Minor.Patch-minimal`: minimal image of a specific patch version of OpenTofu.
 
 To pull platform-specific images (`amd64`, `arm`, `arm64`, `386`) use:
 
 - `<Version>`-`<Platform>`: a platform specific version of OpenTofu.
+- `<Version>`-`minimal`-`<Platform>`: a platform specific minimal version of OpenTofu.
 
 ## Usage
 
@@ -61,16 +69,40 @@ To run OpenTofu as a Docker container:
 ## Building your own image
 
 The OCI image published by OpenTofu is intended as a basic command line tool. If you need additional tools in the image
-or want to build services on top of OpenTofu, you will need to build your own image. This section outlines how to
-accomplish that.
+or want to build services on top of OpenTofu, you will need to build your own image. You can do this in two ways:
 
-### Step 1: Obtaining the installation script
+1. Base your image on a minimal image (`ghcr.io/opentofu/opentofu:minimal` or similar) and use a multi-stage build to copy the `tofu` binary to your image.
+2. Use the standalone installation script to install `tofu` into your container image.
+
+### Method 1: using a multi-stage build
+
+Assuming you want to use Alpine Linux, your `Dockerfile`/`Containerfile` could look like this:
+
+```Dockerfile
+FROM ghcr.io/opentofu/opentofu:minimal AS tofu
+
+FROM alpine
+
+COPY --from=tofu /usr/local/bin/tofu /usr/local/bin/tofu
+
+# Your other build instructions
+```
+
+:::note
+
+Consider locking down the version to a specific layer SHA hash and update only when needed in order to get the benefit of integrity verification.
+
+:::
+
+### Method 2: Using the installation script
+
+#### Step 1: Obtaining the installation script
 
 OpenTofu publishes POSIX/Powershell installation scripts. You can use these scripts to safely install OpenTofu in your
 container image. Please follow the [standalone installation instructions](standalone.mdx) to obtain the installation
 script and place it next to your `Dockerfile`/`Containerfile`.
 
-### Step 2: Creating a stage for installation
+#### Step 2: Creating a stage for installation
 
 Next, you can start creating a download stage in your `Dockerfile`/`Containerfile`. For details on multi-stage builds
 please read the [Docker documentation](https://docs.docker.com/build/building/multi-stage/).
@@ -84,7 +116,7 @@ RUN apk add gpg
 RUN ./install-opentofu.sh --install-method standalone --install-path / --symlink-path -
 ```
 
-## Step 3: Creating your own image
+#### Step 3: Creating your own image
 
 Now you can add your image below the installation stage and copy the `tofu` binary into it: