chore: update container images

- Updates the default container images to pass the `GO_VERSION` as a build argument.
- Adds a minimal Alpine-based image that can be used as runner image requested by the community.

Signed-off-by: Ryan Johnson <[email protected]>

Author: tenthirtyam

.goreleaser.yml

@@ -2,6 +2,10 @@
 version: 2
 project_name: govmomi
 
+env:
+  - GO_VERSION=1.24
+  - ALPINE_VERSION=3.21
+
 builds:
   - id: govc
     no_main_check: true
@@ -111,6 +115,30 @@ dockers:
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.url=https://github.com/vmware/govmomi"
       - "--platform=linux/amd64"
+      - "--build-arg=GO_VERSION={{.Env.GO_VERSION}}"
+
+  - image_templates:
+      - "vmware/govc:{{ .Tag }}-runner"
+      - "vmware/govc:alpine-{{ .Tag }}-runner"
+      - "vmware/govc:{{ .ShortCommit }}-runner"
+      - "vmware/govc:alpine-{{ .ShortCommit }}-runner"
+      - "vmware/govc:latest-runner"
+      - "vmware/govc:alpine-latest-runner"
+    dockerfile: Dockerfile.govc.runner
+    ids:
+      - govc
+    extra_files:
+      - scripts/runner/entrypoint.sh
+    build_flag_templates:
+      - "--pull"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.url=https://github.com/vmware/govmomi"
+      - "--platform=linux/amd64"
+      - "--build-arg=ALPINE_VERSION={{.Env.ALPINE_VERSION}}"
+
   - image_templates:
       - "vmware/vcsim:{{ .Tag }}"
       - "vmware/vcsim:{{ .ShortCommit }}"
@@ -126,3 +154,4 @@ dockers:
       - "--label=org.opencontainers.image.version={{.Version}}"
       - "--label=org.opencontainers.image.url=https://github.com/vmware/govmomi"
       - "--platform=linux/amd64"
+      - "--build-arg=GO_VERSION={{.Env.GO_VERSION}}"

Dockerfile.govc

@@ -1,12 +1,14 @@
-# Create a builder container
-# Reference: https://hub.docker.com/_/golang/tags
-# Note: Official Docker images for Go use Debian.
+# © Broadcom. All Rights Reserved.
+# The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.
+# SPDX-License-Identifier: Apache-2.0
+
+# --- Builder Stage ---
+# Uses the official Go Docker image for the build.
+
 ARG GO_VERSION
-FROM golang:1.23.0 AS build
+FROM golang:${GO_VERSION} AS build
 WORKDIR /go/src/app
 
-# Create appuser to isolate potential vulnerabilities
-# Reference: https://stackoverflow.com/a/55757473/12429735
 ENV USER=appuser
 ENV UID=10001
 RUN adduser \
@@ -17,31 +19,23 @@ RUN adduser \
     --uid "${UID}" \
     "${USER}"
 
-# Create a new tmp directory so no bad actors can manipulate it
 RUN mkdir /temporary-tmp-directory && chmod 777 /temporary-tmp-directory
 
-###############################################################################
-# Final stage
+# --- Final Stage ---
+
 FROM scratch
 
-# Allow container to use latest TLS certificates
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
-# Copy over appuser to run as non-root
 COPY --from=build /etc/passwd /etc/passwd
 COPY --from=build /etc/group /etc/group
 
-# Copy over the /tmp directory for golang/os.TmpDir
 COPY --chown=appuser --from=build /temporary-tmp-directory /tmp
 
-# Copy application from external build
 COPY govc /govc
 
-# Run all commands as non-root
 USER appuser:appuser
 
-# session cache, etc
 ENV GOVMOMI_HOME=/tmp
 
-# Set CMD to application with container defaults
 CMD ["/govc"]

Dockerfile.govc.runner

@@ -0,0 +1,37 @@
+# © Broadcom. All Rights Reserved.
+# The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.
+# SPDX-License-Identifier: Apache-2.0
+
+ARG ALPINE_VERSION
+FROM alpine:${ALPINE_VERSION}
+
+ENV USER=appuser
+ENV UID=10001
+
+RUN adduser \
+    --disabled-password \
+    --gecos "" \
+    --shell "/sbin/nologin" \
+    --no-create-home \
+    --uid "${UID}" \
+    "${USER}" && \
+    mkdir -p /home/${USER} /tmp && \
+    chown -R "${USER}:${USER}" /home/${USER} /tmp && \
+    apk --no-cache add --no-check-certificate ca-certificates && \
+    update-ca-certificates && \
+    rm -rf /var/cache/apk/*
+
+COPY govc /usr/local/bin/govc
+RUN chmod +x /usr/local/bin/govc
+
+COPY scripts/runner/entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+USER "${USER}"
+
+ENV GOVMOMI_HOME=/tmp
+ENV PATH="$PATH:/usr/local/bin"
+
+ENTRYPOINT ["/entrypoint.sh"]
+
+WORKDIR /home/${USER}

Dockerfile.vcsim

@@ -1,49 +1,42 @@
-# Create a builder container
-# Reference: https://hub.docker.com/_/golang/tags
-# Note: Official Docker images for Go use Debian.
+# © Broadcom. All Rights Reserved.
+# The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.
+# SPDX-License-Identifier: Apache-2.0
+
+# --- Builder Stage ---
+# Uses the official Go Docker image to for the build.
+
 ARG GO_VERSION
-FROM golang:1.23.0 AS build
+FROM golang:${GO_VERSION} AS build
 WORKDIR /go/src/app
 
-# Create appuser to isolate potential vulnerabilities
-# Reference: https://stackoverflow.com/a/55757473/12429735
 ENV USER=appuser
 ENV UID=10001
 RUN adduser \
     --disabled-password \
     --gecos "" \
-    --home "/nonexistent" \
     --shell "/sbin/nologin" \
     --no-create-home \
     --uid "${UID}" \
     "${USER}"
 
-# Create a new tmp directory so no bad actors can manipulate it
 RUN mkdir /temporary-tmp-directory && chmod 777 /temporary-tmp-directory
 
-###############################################################################
-# Final stage
+# --- Final Stage ---
 FROM scratch
 
-# Run all commands as non-root
 USER appuser:appuser
 
-# Allow container to use latest TLS certificates
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
-# Copy over appuser to run as non-root
 COPY --from=build /etc/passwd /etc/passwd
 COPY --from=build /etc/group /etc/group
 
-# Copy over the /tmp directory for golang/os.TmpDir
 COPY --chown=appuser --from=build /temporary-tmp-directory /tmp
 
-# Expose application port
 EXPOSE 8989
 
-# Copy application from external build
 COPY vcsim /vcsim
 
-# Set entrypoint to application with container defaults
 ENTRYPOINT [ "/vcsim" ]
+
 CMD ["-l", "0.0.0.0:8989"]