[GH-ISSUE #169] Build release Linux binaries without cgo for Alpine compatibility? #106

Closed
opened 2026-02-25 22:32:37 +03:00 by kerem · 13 comments

Originally created by @AnthonyMastrean on GitHub (Jun 24, 2019).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/169

I have a simple Dockerfile that uses the binary from GitHub.

Dockerfile

FROM alpine

WORKDIR /root

RUN set -ex \
    && wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-arm \
    && chmod +x mkcert \
    && ./mkcert -install \
    && ./mkcert localhost

When I build this locally, everything is OK.

$ docker image build --pull --tag example .
Sending build context to Docker daemon  75.26kB
Step 1/3 : FROM alpine
latest: Pulling from library/alpine
Digest: sha256:ca1c944a4f8486a153024d9965aafbe24f5723c1d5c02f4964c045a16d19dc54
Status: Image is up to date for alpine:latest
 ---> 4d90542f0623
Step 2/3 : WORKDIR /root
 ---> Using cache
 ---> f1df3106650a
Step 3/3 : RUN set -ex     && wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-arm     && chmod +x mkcert     && ./mkcert -install     && ./mkcert localhost
 ---> Running in 7dce34e8bf2a
+ wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-arm
+ chmod +x mkcert
+ ./mkcert -install
Created a new local CA at "/root/.local/share/mkcert" 💥
Installing to the system store is not yet supported on this Linux 😣 but Firefox and/or Chrome/Chromium will still work.
You can also manually install the root certificate at "/root/.local/share/mkcert/rootCA.pem".

+ ./mkcert localhost
Using the local CA at "/root/.local/share/mkcert" ✨
Warning: the local CA is not installed in the system trust store! ⚠️
Run "mkcert -install" to avoid verification errors ‼️

Created a new certificate valid for the following names 📜
 - "localhost"

The certificate is at "./localhost.pem" and the key at "./localhost-key.pem" ✅

Removing intermediate container 7dce34e8bf2a
 ---> 8f5c4f5e7940
Successfully built 8f5c4f5e7940
Successfully tagged example:latest

But, when I run the same in a GitLab pipeline (uses Docker-in-Docker), it goes haywire!

.gitlab-ci.yml

image: docker:stable

services:
    - docker:stable-dind

build:
    stage: build
    script:
        - docker image build --pull --tag example .

Pipeline log

Running with gitlab-runner 12.0.0-rc1 (58d8360f)
  on docker-auto-scale 0277ea0f
Using Docker executor with image docker:stable ...
Starting service docker:stable-dind ...
Pulling docker image docker:stable-dind ...
Using docker image sha256:12adad4e12e25288e665131d5235d98a8edf2a39d26679dabbe2728442729e26 for docker:stable-dind ...
Waiting for services to be up and running...
Pulling docker image docker:stable ...
Using docker image sha256:805bea199b249bfed61cdcd7cdbfe240ee998d51f59bbf365674a15b619f5a86 for docker:stable ...
Running on runner-0277ea0f-project-13015620-concurrent-0 via runner-0277ea0f-srm-1561404020-8e640368...
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/anthonymastrean/mkcert-example/.git/
Created fresh repository.
From https://gitlab.com/anthonymastrean/mkcert-example
 * [new branch]      master     -> origin/master
Checking out 61c5932f as master...

Skipping Git submodules setup
$ docker image build --pull --tag example .
Sending build context to Docker daemon  47.62kB

Step 1/3 : FROM alpine
latest: Pulling from library/alpine
921b31ab772b: Pulling fs layer
921b31ab772b: Verifying Checksum
921b31ab772b: Download complete
921b31ab772b: Pull complete
Digest: sha256:ca1c944a4f8486a153024d9965aafbe24f5723c1d5c02f4964c045a16d19dc54
Status: Downloaded newer image for alpine:latest
 ---> 4d90542f0623
Step 2/3 : WORKDIR /root
 ---> Running in 104eadb1c574
Removing intermediate container 104eadb1c574
 ---> 4de722b6deac
Step 3/3 : RUN set -ex     && wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-arm     && chmod +x mkcert     && ./mkcert -install     && ./mkcert localhost
 ---> Running in 6c027ecfa62a
+ wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-arm
+ chmod +x mkcert
+ ./mkcert -install
/bin/sh: ./mkcert: not found
The command '/bin/sh -c set -ex     && wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-arm     && chmod +x mkcert     && ./mkcert -install     && ./mkcert localhost' returned a non-zero code: 127
ERROR: Job failed: exit code 127

Does anyone have any ideas?

kerem closed this issue 2026-02-25 22:32:37 +03:00

@larzza commented on GitHub (Jun 24, 2019):

Could it be that you are using the linux ARM binary of mkcert? Have you tried the amd64 version?


@AnthonyMastrean commented on GitHub (Jun 24, 2019):

I only just noticed that I used the arm URL. I didn't mean to, must have mistakenly copied the wrong one. But, uh-oh, it gets worse when I try to use the amd64 URL. It now fails in my local console, too!

$ docker image build --pull --tag example .
Sending build context to Docker daemon  88.06kB
Step 1/3 : FROM alpine
latest: Pulling from library/alpine
Digest: sha256:ca1c944a4f8486a153024d9965aafbe24f5723c1d5c02f4964c045a16d19dc54
Status: Image is up to date for alpine:latest
 ---> 4d90542f0623
Step 2/3 : WORKDIR /root
 ---> Using cache
 ---> e4f0e3f4ce86
Step 3/3 : RUN set -ex     && wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-amd64     && chmod +x mkcert     && ./mkcert -install     && ./mkcert localhost
 ---> Running in 1dde813753d5
+ wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-amd64
+ chmod +x mkcert
+ ./mkcert -install
/bin/sh: ./mkcert: not found
The command '/bin/sh -c set -ex     && wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-amd64     && chmod +x mkcert     && ./mkcert -install     && ./mkcert localhost' returned a non-zero code: 127

If I enter the image interactively and run the same commands (as best I know how... I imagine this is not entirely safe for complex Dockerfiles)... it fails the same way. And it's very confusing because I see the file here and it's executable.

$ docker run --rm -it alpine
/ # cd /root
~ # set -ex \
>     && wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-amd64 \
>     && chmod +x mkcert \
>     && ./mkcert -install \
>     && ./mkcert localhost
+ wget -q -O mkcert https://github.com/FiloSottile/mkcert/releases/download/v1.3.0/mkcert-v1.3.0-linux-amd64
+ chmod +x mkcert
+ ./mkcert -install
/bin/sh: ./mkcert: not found
~ # ls -l
+ ls -l
total 4392
-rwxr-xr-x    1 root     root       4494004 Jun 24 19:55 mkcert

@AnthonyMastrean commented on GitHub (Jun 24, 2019):

Why would this work with the arm binary on my local machine anyway? I was running inside the same Docker base image (alpine). The only difference is the host (GitLab runners are CoreOS and I'm on Windows).


@AnthonyMastrean commented on GitHub (Jun 24, 2019):

OK, so it seems like I'm just in regular "Go on Alpine" territory and should probably try something like this https://stackoverflow.com/a/52057474/3619


@FiloSottile commented on GitHub (Jun 24, 2019):

If the binary was built on a glibc system, it will fail on Alpine (which is musl libc based) with a "not found" error. You can try turning cgo off.
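
As an added illustration of the failure described in the comment above (not code from this thread or from mkcert): a Go program that reads the `PT_INTERP` entry of an ELF file, which names the dynamic loader the kernel must find before the program can run. The sample images, the helper names and the two amd64 loader paths are assumptions of this example.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
	"strings"
)

const (
	glibcLoader = "/lib64/ld-linux-x86-64.so.2" // installed by glibc on amd64
	muslLoader  = "/lib/ld-musl-x86_64.so.1"    // installed by musl (Alpine) on amd64
)

// loaderOf returns the PT_INTERP path of an ELF image: the dynamic loader the
// kernel must open before the program starts. "" means statically linked.
func loaderOf(image []byte) (string, error) {
	f, err := elf.NewFile(bytes.NewReader(image))
	if err != nil {
		return "", err
	}
	for _, p := range f.Progs {
		if p.Type == elf.PT_INTERP {
			raw, err := io.ReadAll(p.Open())
			return strings.TrimRight(string(raw), "\x00"), err
		}
	}
	return "", nil
}

// startsOn reports whether the image can start where only rootfsLoader exists.
// A missing loader is the ENOENT the shell prints as "not found".
func startsOn(image []byte, rootfsLoader string) bool {
	want, err := loaderOf(image)
	return err == nil && (want == "" || want == rootfsLoader)
}

// sampleELF builds a constructed minimal ELF64 image (not a real mkcert binary).
func sampleELF(loader string) []byte {
	h := elf.Header64{Type: uint16(elf.ET_EXEC), Machine: uint16(elf.EM_X86_64),
		Version: 1, Phoff: 64, Ehsize: 64, Phentsize: 56, Phnum: 1}
	copy(h.Ident[:], "\x7fELF\x02\x01\x01") // 64-bit, little-endian, version 1
	ph := elf.Prog64{Type: uint32(elf.PT_LOAD), Off: 120}
	if loader != "" {
		ph.Type, ph.Filesz = uint32(elf.PT_INTERP), uint64(len(loader)+1)
	}
	var b bytes.Buffer
	binary.Write(&b, binary.LittleEndian, h)
	binary.Write(&b, binary.LittleEndian, ph)
	b.WriteString(loader + "\x00")
	return b.Bytes()
}

func main() {
	fmt.Println("glibc-linked on Alpine:", startsOn(sampleELF(glibcLoader), muslLoader))
	fmt.Println("static on Alpine:", startsOn(sampleELF(""), muslLoader))
}
```

Pointing `loaderOf` at the bytes of a downloaded release binary shows which loader it expects before it is ever executed in the image.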


@larzza commented on GitHub (Jun 24, 2019):

@FiloSottile I think @AnthonyMastrean uses a released mkcert binary... are those built with cgo on?


@AnthonyMastrean commented on GitHub (Jun 24, 2019):

@larzza yeah, I was trying to use the prebuilt binaries from the releases tab on GitHub... I'm not super interested in

  • using go get to build from HEAD of master
  • or figuring out how to temporarily install golang on my runtime image (using apk --virtual tricks)
  • or using a multistage build and a temporary golang:alpine image

🤗


@larzza commented on GitHub (Jun 24, 2019):

😊 And I thought that your approach should work, at least with amd64... have you tried building the image with, for example, debian:stretch-slim instead?


@AnthonyMastrean commented on GitHub (Jun 24, 2019):

Not yet, although that's probably my next step. I'm just starting to explore self-signed certs for some of our Docker development workflows. I know... I should be generating these on the actual Docker host and using VOLUME / -v. I'll get there next, promise!


@FiloSottile commented on GitHub (Jun 24, 2019):

Yeah, the releases are linked against glibc, I believe. Dropping cgo would make os/user name detection worse, but maybe it's worth it. I'll think about it. In the meantime, what you listed are the options indeed.


@larzza commented on GitHub (Jun 24, 2019):

@AnthonyMastrean If you add this to your Dockerfile it should work with alpine... i.e. install glibc.

https://gist.github.com/larzza/0f070a1b61c1d6a699653c9a792294be


@kklepper commented on GitHub (Mar 20, 2020):

https://hub.docker.com/repository/docker/kklepper/mkcert_a


@franz-josef-kaiser commented on GitHub (Jan 11, 2021):

@kklepper 🥇
