cgo/boringssl builds not working in golang 3.19
Description
Golang projects that use cgo and boringssl appear to have regressed from alpine 3.18 to 3.19 - builds that worked successfully before now appear to provide the following linking error:
# command-line-arguments
/usr/local/go/pkg/tool/linux_amd64/link: running gcc failed: exit status 1
/usr/lib/gcc/x86_64-alpine-linux-musl/13.2.1/../../../../x86_64-alpine-linux-musl/bin/ld: /tmp/go-link-2280080120/000032.o: in function `BIO_new_file':
(.text+0xcb1dc): undefined reference to `fopen64'
/usr/lib/gcc/x86_64-alpine-linux-musl/13.2.1/../../../../x86_64-alpine-linux-musl/bin/ld: /tmp/go-link-2280080120/000032.o: in function `BIO_rw_filename':
(.text+0xcb60d): undefined reference to `fopen64'
collect2: error: ld returned 1 exit status
Significance
This issue is significant, because we believe that this is required for anyone using boringssl cryptography for FIPS compliance.
Reproduction
I was able to reproduce this using a minimal dockerfile - the example provided below should fail to build with the above error message:
FROM alpine:3.19
RUN mkdir -p /go/src/example
WORKDIR /go/src/example
RUN apk add go gcc musl-dev libc6-compat
RUN wget -O main.go https://raw.githubusercontent.com/kubernetes/client-go/master/examples/out-of-cluster-client-configuration/main.go
RUN go mod init example && go mod tidy
RUN GOEXPERIMENT=boringcrypto CGO_ENABLED=1 go build main.go
Attempting to build this docker file results in the linker error that I quoted above. Changing the version tag from alpine3.19
to alpine3.18
causes the build to complete successfully.
Additional Context
We believe this may be due to the removal of libc6-compat from Alpine 3.19. The fopen64
symbol appears to be present on alpine 3.18 but not on alpine 3.19:
ashish@localhost ~ $ docker run --rm -it alpine:3.18 find /lib -exec grep fopen {} +
/lib/libc.musl-x86_64.so.1:fopen
/lib/libc.musl-x86_64.so.1:fopen64
/lib/libc.musl-x86_64.so.1:fopencookie
/lib/ld-musl-x86_64.so.1:fopen
/lib/ld-musl-x86_64.so.1:fopen64
/lib/ld-musl-x86_64.so.1:fopencookie
/lib/libapk.so.2.14.0:fopen
/lib/libcrypto.so.3:fopen
/lib/libcrypto.so.3:bad fopen mode
/lib/libcrypto.so.3:calling fopen(%s, %s)
ashish@localhost ~ $ docker run --rm -it alpine:3.19 find /lib -exec grep fopen {} +
Unable to find image 'alpine:3.19' locally
3.19: Pulling from library/alpine
661ff4d9561e: Already exists
Digest: sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48
Status: Downloaded newer image for alpine:3.19
/lib/libc.musl-x86_64.so.1:fopen
/lib/libc.musl-x86_64.so.1:fopencookie
/lib/libc.musl-x86_64.so.1:fopen
/lib/ld-musl-x86_64.so.1:fopen
/lib/ld-musl-x86_64.so.1:fopencookie
/lib/ld-musl-x86_64.so.1:fopen
/lib/libapk.so.2.14.0:fopen
/lib/libcrypto.so.3:fopen
/lib/libcrypto.so.3:bad fopen mode
/lib/libcrypto.so.3:calling fopen(%s, %s)