opa: linux binary (0.29.0+) depends on glibc, won't run on alpine as-is

Expected Behavior

./opa-v0.29.1 version
Version: 0.29.1
Build Commit: 3155647
Build Timestamp: 2021-05-27T20:48:51Z
Build Hostname: df4767d358f5
Go Version: go1.16.3
WebAssembly: available
root@9f838d2f1a0f:/# uname -a
Linux 9f838d2f1a0f 5.10.25-linuxkit #1 SMP Tue Mar 23 09:27:39 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Actual Behavior

/bin/sh: ./opa-v0.29.1: not found

Steps to Reproduce the Problem

docker run -it alpine:3.13.2
curl -L -o opa-v0.29.1 https://openpolicyagent.org/downloads/v0.29.1/opa_linux_amd64
chmod +x opa-v0.29.1

Additional Info

Works fine in latest Ubuntu for example

docker run -it ubuntu
root@9f838d2f1a0f:/# apt update
root@9f838d2f1a0f:/# apt upgrade
root@9f838d2f1a0f:/# apt install curl
root@9f838d2f1a0f:/# curl -L -o opa-v0.29.1 https://openpolicyagent.org/downloads/v0.29.1/opa_linux_amd64
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    81  100    81    0     0    100      0 --:--:-- --:--:-- --:--:--   100
100   621  100   621    0     0    466      0  0:00:01  0:00:01 --:--:--  4085
100 49.4M  100 49.4M    0     0  13.8M      0  0:00:03  0:00:03 --:--:-- 28.1M
root@9f838d2f1a0f:/# chmod +x opa-v0.29.1 
root@9f838d2f1a0f:/# ./opa-v0.29.1 version
Version: 0.29.1
Build Commit: 3155647
Build Timestamp: 2021-05-27T20:48:51Z
Build Hostname: df4767d358f5
Go Version: go1.16.3
WebAssembly: available
root@9f838d2f1a0f:/# uname -a
Linux 9f838d2f1a0f 5.10.25-linuxkit #1 SMP Tue Mar 23 09:27:39 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
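
Why the shell prints "not found" for a file that exists: a dynamically linked ELF names its loader in a PT_INTERP program header, and exec fails with ENOENT when that loader path is absent, which is the case for a glibc-linked binary on a musl-based image. The checker below is an added example, not part of the original issue or of OPA; the sample ELF is constructed, and the loader path used in it (glibc's on x86_64) is an assumption about the release binary.

```python
import os
import struct
import sys

PT_INTERP = 3  # program header type that names the dynamic loader

def elf_interpreter(data: bytes):
    """Return the loader path an ELF image requests, or None if it has none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    e = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    word = "Q" if is64 else "I"
    e_phoff, = struct.unpack_from(e + word, data, 0x20 if is64 else 0x1C)
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 0x36 if is64 else 0x2A)
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        if struct.unpack_from(e + "I", data, ph)[0] != PT_INTERP:
            continue
        # p_offset / p_filesz sit at different offsets in Elf64_Phdr and Elf32_Phdr
        p_offset, = struct.unpack_from(e + word, data, ph + (8 if is64 else 4))
        p_filesz, = struct.unpack_from(e + word, data, ph + (32 if is64 else 16))
        return data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return None

def diagnose(data: bytes, exists=os.path.exists) -> str:
    """Explain whether exec() can find the loader the binary asks for."""
    interp = elf_interpreter(data)
    if interp is None:
        return "static: no loader needed"
    if exists(interp):
        return f"ok: loader {interp} present"
    return f"missing loader {interp}: exec fails with ENOENT, shell prints 'not found'"

def sample_elf(interp: bytes) -> bytes:
    """Constructed minimal ELF64 with one PT_INTERP entry (not a real OPA binary)."""
    path = interp + b"\0"
    ehdr = struct.pack("<4sBBB9xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1,
                       3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 120, 0, 0, len(path), len(path), 1)
    return ehdr + phdr + path

if __name__ == "__main__":
    if len(sys.argv) > 1:                  # diagnose a real file, e.g. ./opa-v0.29.1
        with open(sys.argv[1], "rb") as f:
            print(diagnose(f.read()))
    else:                                  # constructed sample, glibc loader path assumed
        print(diagnose(sample_elf(b"/lib64/ld-linux-x86-64.so.2")))
```

Run it with the downloaded binary's path as the only argument inside the container where it fails; a "static" result would point at a different cause.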

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 16 (16 by maintainers)

Most upvoted comments

Let me know if you reach Oslo and I’ll offer you a cold one (🍺).

Considering the price of a beer in Oslo, that’s an extremely generous offer @johanneslarsson 😆

@srenatus I see that I forgot to answer the image question. Without going into details, let’s say that it would be more work than replacing the FROM in the Dockerfile.

So, I think the only sweet spot is building the OPA binary with musl linked in. It’ll run on any linux system (🤞), and we can still keep wasm enabled. A prerequisite is musl support in wasmtime and wasmtime-go. I’m looking into that… 🔍

👉 bytecodealliance/wasmtime-go#21

So, here’s a crossroads:

  • North: Wait for wasmtime to build a musl version, and use that for extra musl binaries (stretch: do the same thing ourselves)
  • East: Disable wasm for the linux binaries
  • West: Publish extra linux binaries without wasm

@johanneslarsson this is probably a problem for a few folks, but since you’ve come across it first: How strongly are you attached to using the alpine image? The one we’re using to build the docker container is pretty slim, too: gcr.io/distroless/cc.

There seems to be an alpine-glibc image, too, as another workaround:

$ docker run -it -v $(pwd):/src frolvlad/alpine-glibc
Unable to find image 'frolvlad/alpine-glibc:latest' locally
latest: Pulling from frolvlad/alpine-glibc
540db60ca938: Already exists
d777323df2e1: Pull complete
Digest: sha256:2435a13068b6e9331b91c200dcba33e0f0c06cdbbc689fa856a753e3f093246a
Status: Downloaded newer image for frolvlad/alpine-glibc:latest
/ # /src/_release/0.30.0-dev/opa_linux_amd64
An open source project to policy-enable your service.

Usage:
  opa_linux_amd64 [command]

Available Commands:
  bench       Benchmark a Rego query
  build       Build an OPA bundle
  check       Check Rego source files
  deps        Analyze Rego query dependencies
  eval        Evaluate a Rego query
  fmt         Format Rego source files
  help        Help about any command
  parse       Parse Rego source file
  run         Start OPA in interactive or server mode
  sign        Generate an OPA bundle signature
  test        Execute Rego test cases
  version     Print the version of OPA

Flags:
  -h, --help   help for opa_linux_amd64

Use "opa_linux_amd64 [command] --help" for more information about a command.
/ #

Since I haven’t got the sales pitch for WASM (yet), I would just say: https://www.youtube.com/watch?v=LNBjMRvOB5M&ab_channel=PetShopBoysParlophone
