scontain/golang

golang using glibc or musl

The upstream golang toolchain does not link the binaries it creates against glibc or musl: system calls are issued by the Go runtime instead of through a libc. We patch the upstream golang runtime to route all syscalls through libc. This means that one can, for example, intercept system calls at the libc interface.

Usage

We use this patched golang version

Note that the compiled binaries are native binaries without any code related to confidential computing. The only difference is, as already mentioned, that the binaries are linked with a libc, i.e., glibc or musl. In the caddy repo, we demonstrate how to use this toolchain to build and test a confidential variant of the Go program caddy within a CI/CD pipeline.

Versioning

Our objective is to release a new patched image within approximately 1 day. Our CI/CD pipeline runs once a day to check for new upstream images on https://hub.docker.com/_/golang and creates a patched version of the new images. We limit ourselves to new versions of Alpine and Debian, i.e., we will not support Debian and Alpine images that are end of life. However, we keep existing images in the container registry; that is, existing images are immutable.

We explain in the SCONE repo how to compile Go programs that can later run inside different Trusted Execution Environments (TEEs):

  • Intel SGX enclaves,
  • Intel TDX CVMs (Confidential VMs), or
  • AMD SEV SNP CVMs.

Why use different Go images for confidential computing?

To minimize the TCB (Trusted Computing Base), we attest and isolate each microservice individually using either Intel SGX or some isolation mechanism within the CVM. In this way, we can keep the keys and data of the application secret, even against adversaries who have gained access to the (C)VM in which the application is running.

To isolate an application, we intercept system calls. To have reasonable performance, we intercept the system calls at the libc level. Binaries produced by the Go compiler, unlike those of other programming languages like Java or Rust, issue system calls directly without using a libc. To solve this problem, we minimally patch the upstream Go compiler:

We use the original base images from Docker Hub and patch them to use glibc (for Debian/Ubuntu) or musl libraries (Alpine Linux) to issue system calls. The generated programs are otherwise identical to the programs generated by the original golang compiler.

We provide the following images (simple tags):

ghcr.io/scontain/golang
1
1-alpine
1-alpine3.21
1-alpine3.22
1.20.5-alpine3.18
1.22.12-alpine3.21
1.22.12-bookworm
1.22.5-alpine3.20
1.22.5-bookworm
1.23.12-alpine3.21
1.23.12-alpine3.22
1.23.12-bookworm
1.23.8-alpine3.21
1.23.8-bookworm
1.24
1.24-alpine
1.24-alpine3.21
1.24-alpine3.22
1.24.10
1.24.10-alpine
1.24.10-alpine3.21
1.24.10-alpine3.22
1.24.10-bookworm
1.24.10-trixie
1.24.2-alpine3.21
1.24.2-bookworm
1.24.6
1.24.6-alpine
1.24.6-alpine3.21
1.24.6-alpine3.22
1.24.6-bookworm
1.24.6-trixie
1.24.7
1.24.7-alpine
1.24.7-alpine3.21
1.24.7-alpine3.22
1.24.7-bookworm
1.24.7-trixie
1.24.8
1.24.8-alpine
1.24.8-alpine3.21
1.24.8-alpine3.22
1.24.8-bookworm
1.24.8-trixie
1.24.9
1.24.9-alpine
1.24.9-alpine3.21
1.24.9-alpine3.22
1.24.9-bookworm
1.24.9-trixie
1.25
1.25-alpine
1.25-alpine3.21
1.25-alpine3.22
1.25.0
1.25.0-alpine
1.25.0-alpine3.21
1.25.0-alpine3.22
1.25.0-bookworm
1.25.0-trixie
1.25.1
1.25.1-alpine
1.25.1-alpine3.21
1.25.1-alpine3.22
1.25.1-bookworm
1.25.1-trixie
1.25.2
1.25.2-alpine
1.25.2-alpine3.21
1.25.2-alpine3.22
1.25.2-bookworm
1.25.2-trixie
1.25.3
1.25.3-alpine
1.25.3-alpine3.21
1.25.3-alpine3.22
1.25.3-bookworm
1.25.3-trixie
1.25.4
1.25.4-alpine
1.25.4-alpine3.21
1.25.4-alpine3.22
1.25.4-bookworm
1.25.4-trixie
1.25rc3-alpine3.21
1.25rc3-alpine3.22
1.25rc3-bookworm
alpine
alpine3.21
alpine3.22
latest

Shared Tags

Like the upstream golang images, we maintain shared tags. The shared tags are updated whenever new versions of golang are released: see the shared tags table.

Image Signatures

All images are signed and the images can be verified with cosign using the following key:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErLf0HT8xZlLaoX5jNN8aVL1Yrs+P
wS7K6tXeRlWLlUX1GeEtTdcuhZMKb5VUNaWEJW2ZU0YIF91D93dCZbUYpw==
-----END PUBLIC KEY-----
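
Added example (not part of the original README or of the scontain tooling): one way to verify an image against this key and then pin the verified digest, so that a later update of a shared tag cannot change the image between verification and build. It assumes cosign is installed and the key above has been saved as a PEM file; the function names and the file name `scontain-golang.pub` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: verify a ghcr.io/scontain/golang image with cosign and
# emit an immutable repo@sha256:... reference for use in a Dockerfile.
# Assumption: the public key from this README is stored in a PEM file.

# Read the JSON that `cosign verify` prints on stdout and extract the signed
# manifest digest. Fails unless exactly one distinct digest is present.
digest_from_cosign_json() {
  local digests
  digests=$(grep -o '"docker-manifest-digest"[[:space:]]*:[[:space:]]*"sha256:[0-9a-f]\{64\}"' \
            | sed 's/.*"\(sha256:[0-9a-f]*\)"$/\1/' | sort -u)
  [ -n "$digests" ] || return 1
  [ "$(printf '%s\n' "$digests" | wc -l)" -eq 1 ] || return 1
  printf '%s\n' "$digests"
}

# Strip a :tag and/or @digest suffix, keeping registry/repository.
repo_of() {
  local ref="${1%%@*}"        # drop @sha256:... if present
  local last="${ref##*/}"     # final path component
  case "$last" in
    *:*) ref="${ref%:*}" ;;   # drop :tag (a registry port is never in the last component)
  esac
  printf '%s\n' "$ref"
}

# Verify IMAGE against KEYFILE, then print the pinned reference.
# Returns non-zero (and prints nothing on stdout) if verification fails.
verify_and_pin() {
  local image="$1" key="$2" json digest
  json=$(cosign verify --key "$key" "$image" 2>/dev/null) || {
    echo "signature verification failed for $image" >&2; return 1; }
  digest=$(printf '%s' "$json" | digest_from_cosign_json) || {
    echo "no unique signed digest for $image" >&2; return 1; }
  printf '%s@%s\n' "$(repo_of "$image")" "$digest"
}

# Usage (needs network access and cosign):
#   ref=$(verify_and_pin ghcr.io/scontain/golang:1.24 scontain-golang.pub) || exit 1
#   echo "FROM $ref"    # use this line instead of FROM ghcr.io/scontain/golang:1.24
```
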

The remainder of this README is an adaptation of this page: https://hub.docker.com/_/golang

What is Go?

Go (a.k.a. Golang) is a programming language first developed at Google. It is a statically-typed language with syntax loosely derived from C, but with additional features such as garbage collection, type safety, some dynamic-typing capabilities, additional built-in types (e.g., variable-length arrays and key-value maps), and a large standard library. For more details, please see Wikipedia.

How to use the Go images

The images can be used in exactly the same way as the original images on Docker Hub. Hence, the remainder of this documentation is a copy of https://hub.docker.com/_/golang

Note: /go is world-writable to allow flexibility in the user which runs the container (for example, in a container started with --user 1000:1000, running go get github.com/example/... into the default $GOPATH will succeed). While the 777 directory would be insecure on a regular host setup, there are not typically other processes or users inside the container, so this is equivalent to 700 for Docker usage, but allowing for --user flexibility.

Start a Go instance in your app

The most straightforward way to use this image is to use a Go container as both the build and runtime environment. In your Dockerfile, writing something along the lines of the following will compile and run your project (assuming it uses go.mod for dependency management):

cd go-example

cat > Dockerfile <<EOF
FROM ghcr.io/scontain/golang:1.24

WORKDIR /usr/src/app

# pre-copy/cache go.mod for pre-downloading dependencies and only redownloading them in subsequent builds if they change
COPY go.mod go.sum ./
RUN go mod download

COPY . .
RUN go build -v -o /usr/local/bin/app ./...

CMD ["app"]
EOF

You can then build and run the Docker image:

docker build -f Dockerfile -t my-golang-app .
docker run -it --rm --name my-running-app my-golang-app

Compile your app inside the Docker container

There may be occasions where it is not appropriate to run your app inside a container. To compile, but not run your app inside the Docker instance, you can write something like:

docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp ghcr.io/scontain/golang:1.24 go build -v

This will add your current directory as a volume to the container, set the working directory to the volume, and run the command go build which will tell go to compile the project in the working directory and output the executable to myapp. Alternatively, if you have a Makefile, you can run the make command inside your container.

docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp ghcr.io/scontain/golang:1.24 make build

Cross-compile your app inside the Docker container

If you need to compile your application for a platform other than linux/amd64 (such as windows/386):

docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp -e GOOS=windows -e GOARCH=386 ghcr.io/scontain/golang:1.24 go build -v

Alternatively, you can build for multiple platforms at once:

mkdir -p bin
docker run --rm -it -v "$PWD":/usr/src/myapp -w /usr/src/myapp ghcr.io/scontain/golang:1.24 bash -lc '\
	    set -euo pipefail; \
	    for GOOS in linux; do \
	      for GOARCH in 386 amd64; do \
	        out="bin/go-args-env-file-${GOOS}-${GOARCH}"; \
	        GOOS=$GOOS GOARCH=$GOARCH /usr/local/go/bin/go build -v -o "$out" .; \
	      done; \
	    done'

Git LFS

If downloading your dependencies results in an error like "checksum mismatch", you should check whether they are using Git LFS (and thus need it installed for downloading them and calculating correct go.sum values).

Image Variants

The golang images come in many flavors, each designed for a specific use case.

ghcr.io/scontain/golang:<version>

This is the de facto image. If you are unsure about what your needs are, you probably want to use this one. It is designed to be used both as a throwaway container (mount your source code and start the container to start your app), as well as the base to build other images off of.

Some of these tags may have names like bookworm or bullseye in them. These are the suite code names for releases of Debian and indicate which release the image is based on. If your image needs to install any additional packages beyond what comes with the image, you'll likely want to specify one of these explicitly to minimize breakage when there are new releases of Debian.

ghcr.io/scontain/golang:<version>-alpine

This image is based on the popular Alpine Linux project, available in the alpine official image. Alpine Linux is much smaller than most distribution base images (~5MB), and thus leads to much slimmer images in general.

This variant is highly experimental, and not officially supported by the Go project (see golang/go#19938 for details).

The main caveat to note is that it does use musl libc instead of glibc and friends, which can lead to unexpected behavior. See this Hacker News comment thread for more discussion of the issues that might arise and some pro/con comparisons of using Alpine-based images.

To minimize image size, additional related tools (such as git, gcc, or bash) are not included in Alpine-based images. Using this image as a base, add the things you need in your own Dockerfile (see the alpine image description for examples of how to install packages if you are unfamiliar). See also docker-library/golang#250 (comment) for a longer explanation.

License

View license information for the software contained in this image.

As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, musl, or glibc, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained).

Some additional license information which was able to be auto-detected might be found in the repo-info repository's golang/ directory.

As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.
