build static binaries with -tags osusergo

[thaJeztah]

When building a static binary, the osusergo build-tag
should be used so that a pure go implementation of the
os/user package is used.

relates to:

• os/user: add build tags to select cgo-vs-go implementation, like net package golang/go#23265 os/user: add build tags to select cgo-vs-go
  implementation, like net package
  • golang/go@62f0127
• os/user: LookupId panics on Linux+glibc static build golang/go#24787 os/user: LookupId panics on Linux+glibc static build
• cmd/go: build: add -static flag golang/go#26492 cmd/go: build: add -static flag
• cmd/go: #cgo pkg-config: add conditional --static flag to pkg-config golang/go#12058 cmd/go: #cgo pkg-config: add conditional --static flag to pkg-config
• homedir: add cgo or osusergo buildtag constraints for unix moby/moby#39994 homedir: add cgo or osusergo buildtag constraints for unix

- Description for the changelog

* Use pure Go implementation of os/user package for static binaries

[thaJeztah]

ping @kolyshkin @silvin-lubecki @tiborvass PTAL

[kolyshkin]

1. Since CGO is explicitly disabled here for a static build, technically this build tag is not needed. Doesn't hurt to have it, but it's essentially a no-op when CGO=0 is set.

2. If we still want to add this, we might also add netgo.

[kolyshkin]

So unless we want to try enabling cgo for a static build, i'd rather close this one

[kolyshkin]

IOW, if you're not having below errors, adding osusergo and netgo does not make sense.

# github.com/docker/cli/cmd/docker
/tmp/go-link-243080483/000024.o: In function `pluginOpen':
/build/go/parts/built/build/src/plugin/plugin_dlopen.go:19: warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/tmp/go-link-243080483/000019.o: In function `mygetgrouplist':
/build/go/parts/built/build/src/os/user/getgrouplist_unix.go:16: warning: Using 'getgrouplist' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/tmp/go-link-243080483/000018.o: In function `mygetgrgid_r':
/build/go/parts/built/build/src/os/user/cgo_lookup_unix.go:38: warning: Using 'getgrgid_r' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/tmp/go-link-243080483/000018.o: In function `mygetgrnam_r':
/build/go/parts/built/build/src/os/user/cgo_lookup_unix.go:43: warning: Using 'getgrnam_r' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/tmp/go-link-243080483/000018.o: In function `mygetpwnam_r':
/build/go/parts/built/build/src/os/user/cgo_lookup_unix.go:33: warning: Using 'getpwnam_r' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/tmp/go-link-243080483/000018.o: In function `mygetpwuid_r':
/build/go/parts/built/build/src/os/user/cgo_lookup_unix.go:28: warning: Using 'getpwuid_r' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/tmp/go-link-243080483/000004.o: In function `_cgo_26061493d47f_C2func_getaddrinfo':
/tmp/go-build/cgo-gcc-prolog:58: warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

[kolyshkin]

So, in case we would want to use CGO for static binary, we need to add osusergo but also netgo and static_build tags. IOW:

diff --git a/scripts/build/binary b/scripts/build/binary
index 41c4196cc..3440dfcf6 100755
--- a/scripts/build/binary
+++ b/scripts/build/binary
@@ -8,7 +8,8 @@ set -eu -o pipefail
 source ./scripts/build/.variables
 
 echo "Building statically linked $TARGET"
-export CGO_ENABLED=0
-go build -o "${TARGET}" --ldflags "${LDFLAGS}" "${SOURCE}"
+LDFLAGS="-extldflags -static $LDFLAGS"
+TAGS="-tags netgo,osusergo,static_build"
+go build -o "${TARGET}" ${TAGS} --ldflags "${LDFLAGS}" "${SOURCE}"
 
 ln -sf "$(basename "${TARGET}")" build/docker

but for now I don't see a reason to do that ([re-]enable CGO for static build)

[thaJeztah]

@kolyshkin this is in preparation of #2158. Where, because of moby/moby#39994, everything breaks if we don't set the osusergo tag

[thaJeztah]

we should probably wait for the outcome of moby/moby#40134

[thaJeztah]

This is no longer needed, now that moby/moby#40134 Revert "homedir: add cgo or osusergo buildtag constraints for unix" is merged

[kolyshkin]

OK since moby/moby#40134 is merged, I assume this one can be closed.

Yup it is already closed, I didn't see it