scripts/build/binary: disable pkcs11 on static builds with CGO_ENABLED=1

[thaJeztah]

• follow-up to scripts/build: make sure osusergo is set for static with CGO enabled #3490
• static check is failing, similar to [master] static-linux: verify that binaries are static docker-ce-packaging#430
• possibly can be fixed through / similar to changes in Switch to GitHub Actions docker-credential-helpers#209

pkcs11 cannot be compiled statically if CGO is enabled (and glibc is used)
see

cli/vendor/github.com/miekg/pkcs11/pkcs11.go

Line 75 in 3897c3f

c->handle = dlopen(module, RTLD_LAZY);

see #3490 (comment)

When trying to do otherwise, warnings are printed (and shouldn't be ignored,
similar to the osusergo build-tag):

#32 [linux/amd64->s390x build 2/2] RUN --mount=type=bind,target=.,ro     --mount=type=cache,target=/root/.cache     --mount=from=dockercore/golang-cross:xx-sdk-extras,target=/xx-sdk,src=/xx-sdk     --mount=type=tmpfs,target=cli/winresources     xx-go --wrap &&     TARGET=/out ./scripts/build/binary &&     xx-verify $([ "static" = "static" ] && echo "--static") /out/docker
#32 467.0 # github.com/docker/cli/cmd/docker
#32 467.0 /usr/bin/s390x-linux-gnu-ld: /tmp/go-link-900380651/000018.o: in function `New':
#32 467.0 /go/src/github.com/docker/cli/vendor/github.com/miekg/pkcs11/pkcs11.go:75: warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
#32 467.0 /usr/bin/s390x-linux-gnu-ld: /tmp/go-link-900380651/000004.o: in function `_cgo_26061493d47f_C2func_getaddrinfo':
#32 467.0 /tmp/go-build/cgo-gcc-prolog:58: warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

Signed-off-by: Sebastiaan van Stijn [email protected]

- What I did

- How I did it

- How to verify it

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[thaJeztah]

Still need to look into this one. Reproduction steps;

docker run -it --rm golang:1.19.5-bullseye

go env CGO_ENABLED
1

git clone https://github.com/docker/cli /go/src/github.com/docker/cli
cd /go/src/github.com/docker/cli
git checkout v23.0.0
DISABLE_WARN_OUTSIDE_CONTAINER=1 make binary

Notice the warnings in the output;

./scripts/build/binary
Building static docker-linux-arm64
+ go build -o build/docker-linux-arm64 -tags  osusergo pkcs11 -ldflags  -X "github.com/docker/cli/cli/version.GitCommit=e92dd87c32" -X "github.com/docker/cli/cli/version.BuildTime=2023-02-06T10:53:47Z" -X "github.com/docker/cli/cli/version.Version=23.0.0" -extldflags -static -buildmode=pie github.com/docker/cli/cmd/docker
# github.com/docker/cli/cmd/docker
/usr/bin/ld: /tmp/go-link-1909522509/000020.o: in function `New':
/go/src/github.com/docker/cli/vendor/github.com/miekg/pkcs11/pkcs11.go:77: warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /tmp/go-link-1909522509/000004.o: in function `_cgo_2ac87069779a_C2func_getaddrinfo':
/tmp/go-build/cgo-gcc-prolog:58: warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

Note that the binary is statically linked though;

ldd ./build/docker-linux-arm64
	not a dynamic executable