Skip to content
This repository has been archived by the owner on Oct 30, 2024. It is now read-only.
This repository has been archived by the owner on Oct 30, 2024. It is now read-only.

Docker container at ghcr.io is missing libraries - dynamically linked kubeaudit binary #579

Open
#592
#580
Open
Docker container at ghcr.io is missing libraries - dynamically linked kubeaudit binary#579
#592
#580
@robinelfrink

Description

@robinelfrink
robinelfrink
opened on Feb 2, 2024
ISSUE TYPE
  • Bug Report
  • Feature Idea

BUG REPORT

SUMMARY

The Docker container at ghcr.io contains a dynamically built /kubebuilder binary, and is missing the required libraries.

ENVIRONMENT
  • Kubeaudit version: v1.22.1
  • Kubeaudit install method: Docker
STEPS TO REPRODUCE
$ docker run --rm -it ghcr.io/shopify/kubeaudit:v0.22.1
Unable to find image 'ghcr.io/shopify/kubeaudit:v0.22.1' locally
v0.22.1: Pulling from shopify/kubeaudit
101c9df49e74: Pull complete
71fe3c5e2ea4: Pull complete
68a54f5edd32: Pull complete
0535d98c5e23: Pull complete
Digest: sha256:7be7b5c5f4fc4eef074212489f725df2ba3f934cb4b91497e48d106a932d0a41
Status: Downloaded newer image for ghcr.io/shopify/kubeaudit:v0.22.1
exec /kubeaudit: no such file or directory
EXPECTED RESULTS

The /kubeaudit binary actually starts.

ACTUAL RESULTS

The /kubeaudit binary cannot be started.

ADDITIONAL INFORMATION

Inspection of the container shows that the binary is dynamically linked, and the required binaries are missing:

$ docker create --name kubeaudit-v0.22.1 ghcr.io/shopify/kubeaudit:v0.22.1
124365d372e7f28fecab07e33fdf55d574c1621ea7ffa604448c30b738d6f03f
$ mkdir tmp
$ docker export kubeaudit-v0.22.1 | tar xf - -C tmp/
$ ldd tmp/kubeaudit
	linux-vdso.so.1 (0x00007ffe21ed4000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f99f8fee000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f99f8e0d000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f99f9007000)
$ find tmp/ -type f \( -name linux-vdso.so.1 -o -name libpthread.so.0 -o -name libc.so.6 -o -name ld-linux-x86-64.so.2 \)
$

As goreleaser uses goreleaser.Dockerfile, and that has no code to build the binary, my guess is that it adds the regular binary-build instead of a static one:

$ wget https://github.com/Shopify/kubeaudit/releases/download/v0.22.1/kubeaudit_0.22.1_linux_amd64.tar.gz
[...]
$ tar xzf kubeaudit_0.22.1_linux_amd64.tar.gz
$ ldd kubeaudit
	linux-vdso.so.1 (0x00007ffe04784000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fcabdea3000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcabdcc2000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fcabdebc000)

Building the container using Dockerfile results in a working, static /kubeaudit:

$ docker build --tag kubeaudit:local .
[...]
$ docker export kubeaudit-local | tar xf - -C tmp/
$ ldd tmp/kubeaudit
	not a dynamic executable

FEATURE IDEA

  • If the maintainers agree with the feature as described here, I intend to submit a Pull Request myself.1

Proposal:

Use Dockerfile with goreleaser, or even better: have goreleaser build the separate binaries as static as well.

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions