Downgrade go-fips base image to ubi8 (!5040) · Merge requests · GitLab.org / gitlab-runner

Axel von Bertoldi requested to merge avonbertoldi/38034/go-fips-image-downgrade into main Sep 26, 2024

In GitLab Runner 17.4.0-fips glibc failure (#38034 - closed) running the go-fips binary on amazonlinux:2 fails with the following error:

/usr/bin/gitlab-runner: /lib64/libc.so.6: version `GLIBC_2.32' not found (required by /usr/bin/gitlab-runner)
/usr/bin/gitlab-runner: /lib64/libc.so.6: version `GLIBC_2.34' not found (required by /usr/bin/gitlab-runner)

When we changed the ubi-fips base image from ubi8 to ubi9, we inadvertently bumped the minimum compatible glibc version required to run gitlab-runner-fips.

Downgrading the go-fips base image only to ubi8 will restore the glibc compatibility. Note that the downgrade only applies to the image used to build the fips-enables runner/helper binaries, and not the production ubi-fips images. Those will remain at ubi9.

Testing

Download the runner and helper binaries produced by the CI pipeline into an amazonlinux:2 image and try running them. The should run:

Fixes GitLab Runner 17.4.0-fips glibc failure (#38034 - closed)

Edited Sep 26, 2024 by Axel von Bertoldi

Downgrade go-fips base image to ubi8

Testing

Merge request reports