Docker container at ghcr.io is missing libraries - dynamically linked kubeaudit binary #579

Open
robinelfrink opened this issue Feb 2, 2024 · 1 comment · May be fixed by #580 or #592

@robinelfrink

ISSUE TYPE
  • Bug Report
  • Feature Idea

BUG REPORT

SUMMARY

The Docker container at ghcr.io contains a dynamically built /kubebuilder binary, and is missing the required libraries.

ENVIRONMENT
  • Kubeaudit version: v1.22.1
  • Kubeaudit install method: Docker

STEPS TO REPRODUCE

$ docker run --rm -it ghcr.io/shopify/kubeaudit:v0.22.1
Unable to find image 'ghcr.io/shopify/kubeaudit:v0.22.1' locally
v0.22.1: Pulling from shopify/kubeaudit
101c9df49e74: Pull complete
71fe3c5e2ea4: Pull complete
68a54f5edd32: Pull complete
0535d98c5e23: Pull complete
Digest: sha256:7be7b5c5f4fc4eef074212489f725df2ba3f934cb4b91497e48d106a932d0a41
Status: Downloaded newer image for ghcr.io/shopify/kubeaudit:v0.22.1
exec /kubeaudit: no such file or directory

EXPECTED RESULTS

The /kubeaudit binary actually starts.

ACTUAL RESULTS

The /kubeaudit binary cannot be started.

ADDITIONAL INFORMATION

Inspection of the container shows that the binary is dynamically linked, and the required binaries are missing:

$ docker create --name kubeaudit-v0.22.1 ghcr.io/shopify/kubeaudit:v0.22.1
124365d372e7f28fecab07e33fdf55d574c1621ea7ffa604448c30b738d6f03f
$ mkdir tmp
$ docker export kubeaudit-v0.22.1 | tar xf - -C tmp/
$ ldd tmp/kubeaudit
	linux-vdso.so.1 (0x00007ffe21ed4000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f99f8fee000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f99f8e0d000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f99f9007000)
$ find tmp/ -type f \( -name linux-vdso.so.1 -o -name libpthread.so.0 -o -name libc.so.6 -o -name ld-linux-x86-64.so.2 \)
$

As goreleaser uses goreleaser.Dockerfile, and that has no code to build the binary, my guess is that it adds the regular binary-build instead of a static one:

$ wget https://github.com/Shopify/kubeaudit/releases/download/v0.22.1/kubeaudit_0.22.1_linux_amd64.tar.gz
[...]
$ tar xzf kubeaudit_0.22.1_linux_amd64.tar.gz
$ ldd kubeaudit
	linux-vdso.so.1 (0x00007ffe04784000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fcabdea3000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcabdcc2000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fcabdebc000)

Building the container using Dockerfile results in a working, static /kubeaudit:

$ docker build --tag kubeaudit:local .
[...]
$ docker export kubeaudit-local | tar xf - -C tmp/
$ ldd tmp/kubeaudit
	not a dynamic executable

FEATURE IDEA

  • If the maintainers agree with the feature as described here, I intend to submit a Pull Request myself.

Proposal:

Use Dockerfile with goreleaser, or even better: have goreleaser build the separate binaries as static as well.
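
The `exec /kubeaudit: no such file or directory` error for a file that does exist is what the kernel returns (ENOENT) when the loader named in the binary's PT_INTERP program header is absent from the image. As an added example, not part of the original issue or the kubeaudit project, the following Python check reads that header from an exported root filesystem such as `tmp/` above; `elf_interpreter` and `check_entrypoint` are hypothetical names, and only 64-bit little-endian ELF is handled.

```python
import os
import struct
import sys

PT_INTERP = 3  # program header type that names the dynamic loader


def elf_interpreter(path):
    """Return the PT_INTERP path of a 64-bit little-endian ELF, or None if static."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF":
        raise ValueError(f"{path}: not an ELF file")
    if data[4] != 2 or data[5] != 1:  # EI_CLASS=ELFCLASS64, EI_DATA=little-endian
        raise ValueError(f"{path}: only 64-bit little-endian ELF is handled")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", data, off)
        if p_type == PT_INTERP:
            (p_offset,) = struct.unpack_from("<Q", data, off + 8)
            (p_filesz,) = struct.unpack_from("<Q", data, off + 32)
            return data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return None  # no loader requested: statically linked


def check_entrypoint(rootfs, binary):
    """Classify an entrypoint inside an exported image root filesystem.

    Returns ("static", None), ("ok", loader) or ("missing-loader", loader).
    """
    loader = elf_interpreter(os.path.join(rootfs, binary.lstrip("/")))
    if loader is None:
        return ("static", None)
    # Look the loader up inside the rootfs, never on the host. lexists() does
    # not follow a final symlink, so a dangling link still counts as present.
    inside = os.path.join(rootfs, loader.lstrip("/"))
    return ("ok" if os.path.lexists(inside) else "missing-loader", loader)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: check.py ROOTFS ENTRYPOINT   (e.g. tmp/ /kubeaudit)")
    else:
        status, loader = check_entrypoint(sys.argv[1], sys.argv[2])
        print(status, loader or "")
        sys.exit(1 if status == "missing-loader" else 0)
```

Run against the exported `tmp/` tree in a release pipeline, a non-zero exit flags an image whose entrypoint cannot start before it is pushed.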


github-actions bot commented Feb 2, 2024

Thanks for opening your first issue here! Be sure to follow the issue template!

robinelfrink added a commit to equinix-ms/kubeaudit that referenced this issue Feb 2, 2024
@robinelfrink robinelfrink linked a pull request Feb 2, 2024 that will close this issue
@BoBeR182 BoBeR182 linked a pull request Jul 11, 2024 that will close this issue