Fixes #1931: Dockerfile update / base image deprecation (#1993)

Signed-off-by: Janos <179820029+abstractionfactory@users.noreply.github.com>

.goreleaser.yaml

@@ -159,6 +159,14 @@ docker_manifests:
       - ghcr.io/opentofu/opentofu:{{ .Version }}-386
     skip_push: auto # Skips the push on pre-release versions, like 1.6.1-alpha1. See https://goreleaser.com/customization/docker_manifest/#customization
 
+  - name_template: ghcr.io/opentofu/opentofu:{{ .Major }}
+    image_templates:
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-amd64
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-arm64
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-arm
+      - ghcr.io/opentofu/opentofu:{{ .Version }}-386
+    skip_push: auto # Skips the push on pre-release versions, like 1.6.1-alpha1. See https://goreleaser.com/customization/docker_manifest/#customization
+
   - name_template: ghcr.io/opentofu/opentofu:latest
     image_templates:
       - ghcr.io/opentofu/opentofu:{{ .Version }}-amd64

CHANGELOG.md

@@ -2,6 +2,8 @@
 
 UPGRADE NOTES:
 
+* Using the `ghcr.io/opentofu/opentofu` image as a base image for custom images is deprecated and this will be removed in OpenTofu 1.10. Please see https://opentofu.org/docs/intro/install/docker/ for instructions on building your own image.
+
 NEW FEATURES:
 
 ENHANCEMENTS:

Dockerfile

@@ -3,7 +3,7 @@
 # Copyright (c) 2023 HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
-FROM alpine:3.18
+FROM alpine:3.20
 
 LABEL maintainer="OpenTofu Core Team <core@opentofu.org>"
 
@@ -11,4 +11,34 @@ RUN apk add --no-cache git bash openssh
 
 COPY tofu /usr/local/bin/tofu
 
+ONBUILD RUN echo -e "\033[1;33mWARNING! PLEASE READ!\033[0m" >&2 \
+            && echo -e "\033[1;33mPlease read carefully: you are using the OpenTofu image as a base image\033[0m" >&2 \
+            && echo -e "\033[1;33mfor your own builds. This image is only intended as a command line tool\033[0m" >&2 \
+            && echo -e "\033[1;33mand not as general-purpose base image. It is not safe to use to build\033[0m" >&2 \
+            && echo -e "\033[1;33mservices on top of because we don't regularly ship updates to all\033[0m" >&2 \
+            && echo -e "\033[1;33mpackages in this image, which would be required for a secure base\033[0m" >&2 \
+            && echo -e "\033[1;33mimage.\033[0m" >&2 \
+            && echo -e "\033[1;33m\033[0m" >&2 \
+            && echo -e "\033[1;33mStarting with OpenTofu 1.10, this image will refuse to build if used\033[0m" >&2 \
+            && echo -e "\033[1;33mas a base image. Please follow the instructions at\033[0m" >&2 \
+            && echo -e "\033[1;33m https://opentofu.org/docs/intro/install/docker/ to build your own\033[0m" >&2 \
+            && echo -e "\033[1;33mimage. See https://github.com/opentofu/opentofu/issues/1931 for details\033[0m" >&2 \
+            && echo -e "\033[1;33mon this decision.\033[0m" >&2
+
+ONBUILD RUN # WARNING! PLEASE READ!
+ONBUILD RUN # Please read carefully: you are using the OpenTofu image as a base image
+ONBUILD RUN # for your own builds. This image is only intended as a command line tool
+ONBUILD RUN # and not as general-purpose base image. It is not safe to use to build
+ONBUILD RUN # services on top of because we don't regularly ship updates to all
+ONBUILD RUN # packages in this image, which would be required for a secure base
+ONBUILD RUN # image.
+ONBUILD RUN # Starting with OpenTofu 1.10, this image will refuse to build if used
+ONBUILD RUN # as a base image. Please follow the instructions at
+ONBUILD RUN # https://opentofu.org/docs/intro/install/docker/ to build your own
+ONBUILD RUN # image. See https://github.com/opentofu/opentofu/issues/1931 for details
+ONBUILD RUN # on this decision.
+
+# This sleep is here to hopefully catch people's attention due to increased build times.
+ONBUILD RUN sleep 120
+
 ENTRYPOINT ["/usr/local/bin/tofu"]

website/docs/intro/install/docker.mdx

@@ -14,6 +14,13 @@ import DockerRunScript from '!!raw-loader!./examples/docker-run.sh'
 OpenTofu is available as [OCI container images](https://github.com/opentofu/opentofu/pkgs/container/opentofu),
 and distributed via public GitHub Packages registry.
 
+:::warning Warning!
+
+Do not use the OCI container image as a base image. This is not supported and will stop working with OpenTofu 1.10.
+Instead, follow the [instructions below to build your own OpenTofu image](#building-your-own-image).
+
+:::
+
 ## Versions
 
 Images are hosted as packages in the OpenTofu GitHub organization. See the list
@@ -50,3 +57,48 @@ To pull the image from GitHub Packages registry:
 To run OpenTofu as a Docker container:
 
 <CodeBlock language="bash">{DockerRunScript}</CodeBlock>
+
+## Building your own image
+
+The OCI image published by OpenTofu is intended as a basic command line tool. If you need additional tools in the image
+or want to build services on top of OpenTofu, you will need to build your own image. This section outlines how to
+accomplish that.
+
+### Step 1: Obtaining the installation script
+
+OpenTofu publishes POSIX/Powershell installation scripts. You can use these scripts to safely install OpenTofu in your
+container image. Please follow the [standalone installation instructions](standalone.mdx) to obtain the installation
+script and place it next to your `Dockerfile`/`Containerfile`.
+
+### Step 2: Creating a stage for installation
+
+Next, you can start creating a download stage in your `Dockerfile`/`Containerfile`. For details on multi-stage builds
+please read the [Docker documentation](https://docs.docker.com/build/building/multi-stage/).
+
+```Dockerfile
+FROM alpine:3.20 AS tofu
+
+ADD install-opentofu.sh /install-opentofu.sh
+RUN chmod +x /install-opentofu.sh
+RUN apk add gpg
+RUN ./install-opentofu.sh --install-method standalone --install-path / --symlink-path -
+```
+
+## Step 3: Creating your own image
+
+Now you can add your image below the installation stage and copy the `tofu` binary into it:
+
+```Dockerfile
+FROM alpine:3.20 AS tofu
+
+ADD install-opentofu.sh /install-opentofu.sh
+RUN chmod +x /install-opentofu.sh
+RUN apk add gpg
+RUN ./install-opentofu.sh --install-method standalone --install-path / --symlink-path -
+
+## This is your stage:
+FROM ubuntu
+COPY --from=tofu /tofu /usr/local/bin/tofu
+
+# Add your commands here
+```