Build release Linux binaries without cgo for Alpine compatibility? #169

Closed
AnthonyMastrean opened this issue Jun 24, 2019 · 13 comments

@AnthonyMastrean

AnthonyMastrean commented Jun 24, 2019

I have a simple Dockerfile that uses the binary from GitHub.

Dockerfile

FROM alpine

WORKDIR /root

RUN set -ex \
    && wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-arm \
    && chmod +x mkcert \
    && ./mkcert -install \
    && ./mkcert localhost

When I build this locally, everything is OK.

$ docker image build --pull --tag example .
Sending build context to Docker daemon  75.26kB
Step 1/3 : FROM alpine
latest: Pulling from library/alpine
Digest: sha256:ca1c944a4f8486a153024d9965aafbe24f5723c1d5c02f4964c045a16d19dc54
Status: Image is up to date for alpine:latest
 ---> 4d90542f0623
Step 2/3 : WORKDIR /root
 ---> Using cache
 ---> f1df3106650a
Step 3/3 : RUN set -ex     && wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-arm     && chmod +x mkcert     && ./mkcert -install     && ./mkcert localhost
 ---> Running in 7dce34e8bf2a
+ wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-arm
+ chmod +x mkcert
+ ./mkcert -install
Created a new local CA at "/root/.local/share/mkcert" 💥
Installing to the system store is not yet supported on this Linux 😣 but Firefox and/or Chrome/Chromium will still work.
You can also manually install the root certificate at "/root/.local/share/mkcert/rootCA.pem".

+ ./mkcert localhost
Using the local CA at "/root/.local/share/mkcert" ✨
Warning: the local CA is not installed in the system trust store! ⚠️
Run "mkcert -install" to avoid verification errors ‼️

Created a new certificate valid for the following names 📜
 - "localhost"

The certificate is at "./localhost.pem" and the key at "./localhost-key.pem" ✅

Removing intermediate container 7dce34e8bf2a
 ---> 8f5c4f5e7940
Successfully built 8f5c4f5e7940
Successfully tagged example:latest

But, when I run the same in a GitLab pipeline (uses Docker-in-Docker), it goes haywire!

.gitlab-ci.yml

image: docker:stable

services:
    - docker:stable-dind

build:
    stage: build
    script:
        - docker image build --pull --tag example .

Pipeline log

Running with gitlab-runner 12.0.0-rc1 (58d8360f)
  on docker-auto-scale 0277ea0f
Using Docker executor with image docker:stable ...
Starting service docker:stable-dind ...
Pulling docker image docker:stable-dind ...
Using docker image sha256:12adad4e12e25288e665131d5235d98a8edf2a39d26679dabbe2728442729e26 for docker:stable-dind ...
Waiting for services to be up and running...
Pulling docker image docker:stable ...
Using docker image sha256:805bea199b249bfed61cdcd7cdbfe240ee998d51f59bbf365674a15b619f5a86 for docker:stable ...
Running on runner-0277ea0f-project-13015620-concurrent-0 via runner-0277ea0f-srm-1561404020-8e640368...
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/anthonymastrean/mkcert-example/.git/
Created fresh repository.
From https://gitlab.com/anthonymastrean/mkcert-example
 * [new branch]      master     -> origin/master
Checking out 61c5932f as master...

Skipping Git submodules setup
$ docker image build --pull --tag example .
Sending build context to Docker daemon  47.62kB

Step 1/3 : FROM alpine
latest: Pulling from library/alpine
921b31ab772b: Pulling fs layer
921b31ab772b: Verifying Checksum
921b31ab772b: Download complete
921b31ab772b: Pull complete
Digest: sha256:ca1c944a4f8486a153024d9965aafbe24f5723c1d5c02f4964c045a16d19dc54
Status: Downloaded newer image for alpine:latest
 ---> 4d90542f0623
Step 2/3 : WORKDIR /root
 ---> Running in 104eadb1c574
Removing intermediate container 104eadb1c574
 ---> 4de722b6deac
Step 3/3 : RUN set -ex     && wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-arm     && chmod +x mkcert     && ./mkcert -install     && ./mkcert localhost
 ---> Running in 6c027ecfa62a
+ wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-arm
+ chmod +x mkcert
+ ./mkcert -install
/bin/sh: ./mkcert: not found
The command '/bin/sh -c set -ex     && wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-arm     && chmod +x mkcert     && ./mkcert -install     && ./mkcert localhost' returned a non-zero code: 127
ERROR: Job failed: exit code 127

Does anyone have any ideas?

@AnthonyMastrean AnthonyMastrean changed the title Cannot use mkcert in GitLab pipelines? Cannot use mkcert in a Docker image in GitLab pipelines? Jun 24, 2019
@AnthonyMastrean AnthonyMastrean changed the title Cannot use mkcert in a Docker image in GitLab pipelines? Cannot find mkcert in a Docker image in GitLab pipelines? Jun 24, 2019
@larzza

larzza commented Jun 24, 2019

Could it be that you are using the linux ARM binary of mkcert? Have you tried the amd64 version?

@AnthonyMastrean
Author

AnthonyMastrean commented Jun 24, 2019

I only just noticed that I used the arm URL. I didn't mean to, must have mistakenly copied the wrong one. But, uh-oh, it gets worse when I try to use the amd64 URL. It now fails in my local console, too!

$ docker image build --pull --tag example .
Sending build context to Docker daemon  88.06kB
Step 1/3 : FROM alpine
latest: Pulling from library/alpine
Digest: sha256:ca1c944a4f8486a153024d9965aafbe24f5723c1d5c02f4964c045a16d19dc54
Status: Image is up to date for alpine:latest
 ---> 4d90542f0623
Step 2/3 : WORKDIR /root
 ---> Using cache
 ---> e4f0e3f4ce86
Step 3/3 : RUN set -ex     && wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-amd64     && chmod +x mkcert     && ./mkcert -install     && ./mkcert localhost
 ---> Running in 1dde813753d5
+ wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-amd64
+ chmod +x mkcert
+ ./mkcert -install
/bin/sh: ./mkcert: not found
The command '/bin/sh -c set -ex     && wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-amd64     && chmod +x mkcert     && ./mkcert -install     && ./mkcert localhost' returned a non-zero code: 127

If I enter the image interactively and run the same commands (as best I know how... I imagine this is not entirely safe for complex Dockerfiles)... it fails the same way. And it's very confusing because I see the file here and it's executable.

$ docker run --rm -it alpine
/ # cd /root
~ # set -ex \
>     && wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-amd64 \
>     && chmod +x mkcert \
>     && ./mkcert -install \
>     && ./mkcert localhost
+ wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-amd64
+ chmod +x mkcert
+ ./mkcert -install
/bin/sh: ./mkcert: not found
~ # ls -l
+ ls -l
total 4392
-rwxr-xr-x    1 root     root       4494004 Jun 24 19:55 mkcert

@AnthonyMastrean AnthonyMastrean changed the title Cannot find mkcert in a Docker image in GitLab pipelines? Cannot find mkcert in a Docker image? Jun 24, 2019
@AnthonyMastrean
Author

Why would this work with the arm binary on my local machine anyway? I was running inside the same Docker base image (alpine). The only difference is the host (GitLab runners are CoreOS and I'm on Windows).

@AnthonyMastrean
Author

OK, so it seems like I'm just in regular "Go on Alpine" territory and should probably try something like this https://stackoverflow.com/a/52057474/3619

@FiloSottile
Owner

If the binary was built on a glibc system, it will fail on Alpine (which is musl libc based) with a "not found" error. You can try turning cgo off.

@larzza

larzza commented Jun 24, 2019

@FiloSottile I think @AnthonyMastrean uses a released mkcert binary... are those built with cgo on?

@AnthonyMastrean AnthonyMastrean changed the title Cannot find mkcert in a Docker image? Cannot find mkcert in an Alpine Docker image? Jun 24, 2019
@AnthonyMastrean
Author

AnthonyMastrean commented Jun 24, 2019

@larzza yeah, I was trying to use the prebuilt binaries from the releases tab on GitHub... I'm not super interested in

  • using go get to build from HEAD of master
  • or figuring out how to temporarily install golang on my runtime image (using apk --virtual tricks)
  • or using a multistage build and a temporary golang:alpine image

🤗

@larzza

larzza commented Jun 24, 2019

😊 And I thought that your approach should work, at least with amd64... have you tried building the image with, for example, debian:stretch-slim instead?

@AnthonyMastrean
Author

Not yet, although that's probably my next step. I'm just starting to explore self-signed certs for some of our Docker development workflows. I know... I should be generating these on the actual Docker host and using VOLUME / -v. I'll get there next, promise!

@FiloSottile
Owner

Yeah, the releases are linked against glibc, I believe. Dropping cgo would make os/user name detection worse, but maybe it's worth it. I'll think about it. In the meantime, what you listed are the options indeed.
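
The "not found" behaviour explained in the two owner comments above can be checked by reading a binary's ELF `PT_INTERP` entry. This is an added example, not mkcert's code and not part of the original thread: `canExec`, `sampleELF` and the `alpine` stand-in are hypothetical names, the ELF image is constructed sample input, and the loader paths are the usual x86-64 glibc and musl ones.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
)

// canExec reports whether exec can start the image: static binaries always can,
// dynamic ones only if exists(loader); otherwise exec fails with ENOENT ("not found").
func canExec(r io.ReaderAt, exists func(string) bool) (bool, string, error) {
	f, err := elf.NewFile(r)
	if err != nil {
		return false, "", err
	}
	for _, p := range f.Progs {
		if p.Type == elf.PT_INTERP {
			raw, err := io.ReadAll(p.Open())
			ld := string(bytes.TrimRight(raw, "\x00"))
			return err == nil && exists(ld), ld, err
		}
	}
	return true, "", nil
}

// sampleELF builds a constructed ELF64 image: a header plus one PT_INTERP entry
// naming ld; with ld == "" the header declares no program headers (static binary).
func sampleELF(ld string) []byte {
	h := elf.Header64{Type: uint16(elf.ET_EXEC), Machine: uint16(elf.EM_X86_64),
		Version: uint32(elf.EV_CURRENT), Ehsize: 64, Phentsize: 56}
	copy(h.Ident[:], "\x7fELF\x02\x01\x01") // ELF64, little-endian, version 1
	if ld != "" {
		h.Phoff, h.Phnum = 64, 1
	}
	n := uint64(len(ld) + 1)
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, h)
	binary.Write(&buf, binary.LittleEndian, elf.Prog64{Type: uint32(elf.PT_INTERP), Off: 120, Filesz: n, Memsz: n})
	buf.WriteString(ld + "\x00")
	return buf.Bytes()
}

func main() {
	alpine := func(p string) bool { return p == "/lib/ld-musl-x86_64.so.1" } // assumed rootfs
	ok, ld, err := canExec(bytes.NewReader(sampleELF("/lib64/ld-linux-x86-64.so.2")), alpine)
	fmt.Println(ok, ld, err)
}
```

To check a real download, pass an opened `*os.File` as the reader and an `os.Stat`-based `exists` function evaluated inside the target image.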

@FiloSottile FiloSottile changed the title Cannot find mkcert in an Alpine Docker image? Build release Linux binaries without cgo for Alpine compatibility? Jun 24, 2019
@larzza

larzza commented Jun 24, 2019

@AnthonyMastrean If you add this to your Dockerfile it should work with alpine... i.e. install glibc.

https://gist.github.com/larzza/0f070a1b61c1d6a699653c9a792294be

@kklepper

@franz-josef-kaiser

@kklepper 🥇
