RFE: Make toolbox-init-container a fully static binary or disable CGO to avoid compatibility issues with container's glibc #832

Closed
travier opened this issue Jul 7, 2021 · 5 comments
Labels
1. Feature request A request for a new feature

Comments

@travier
Member

travier commented Jul 7, 2021

Is your feature request related to a problem? Please describe.
This is an RFE to solve issues such as #821 (comment) and add support for non-glibc toolboxes.

Describe the solution you'd like
Convert toolbox-init-container into a standalone static binary.

Describe alternatives you've considered
N/A

Additional context
This is required to avoid breaking toolbox every time the host is newer than the containers.

@IridiumXOR
IridiumXOR commented Sep 8, 2021

Please can you fix it? Toolbox is completely useless without the support for previous Fedora version on Fedora 35...

@travier
Member Author

travier commented Oct 4, 2022

The post at https://debarshiray.wordpress.com/2022/10/02/toolbx-running-the-same-binary-on-arch-linux-fedora-ubuntu-etc-containers/ has a good explanation about the current setup and why this option is not ideal so I'll close this issue.

@travier closed this as not planned Oct 4, 2022
@debarshiray
Member

Thanks, @travier

One of the reasons for writing that blog post was to have a single reference for issues and discussions like this one. Thanks for doing the triage for me!

@debarshiray
Member

debarshiray commented Nov 18, 2022

One thing that came up recently in the context of the newly added --preserve-fds option is that we would need a C constructor function (i.e., __attribute__((constructor))) to validate the file descriptors. See containers/podman#7125 for the discussion around the same check in Podman.

We don't do this at the moment, but we should, if we want to have a better error message.

I know this issue was about a static binary, but disabling the use of C (or CGO) is often brought up together with that. So, I thought I'd use the same issue to track both. I took the liberty to update the title to reflect that.
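The check described in the comment above, sketched as an added example (not Toolbx's or Podman's code): a constructor snapshots the descriptors that are open before main() runs, so a later --preserve-fds validation can tell inherited descriptors apart from ones the process opened itself. It assumes --preserve-fds N refers to descriptors 3 through 3+N-1; all function names are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

#define FIRST_PRESERVED_FD 3 /* assumption: 0-2 are stdin, stdout, stderr */

static fd_set inherited_fds; /* descriptors open at process start */

/* Record every currently open descriptor below FD_SETSIZE in *set. */
static void snapshot_open_fds(fd_set *set)
{
    FD_ZERO(set);
    for (int fd = 0; fd < FD_SETSIZE; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            FD_SET(fd, set);
}

/* Runs before main(); in a cgo-linked binary that is before the Go runtime
 * starts, so descriptors the runtime opens later are not counted. */
__attribute__((constructor)) static void record_inherited_fds(void)
{
    snapshot_open_fds(&inherited_fds);
}

/* 1 if fd was open at process start. fd_set cannot hold descriptors
 * >= FD_SETSIZE, so those are reported as not inherited. */
int fd_was_inherited(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE && FD_ISSET(fd, &inherited_fds);
}

/* First descriptor in 3 .. 3+count-1 missing from set, or -1 if none. */
int first_missing_fd(const fd_set *set, int count)
{
    for (int fd = FIRST_PRESERVED_FD; fd < FIRST_PRESERVED_FD + count; fd++)
        if (fd >= FD_SETSIZE || !FD_ISSET(fd, set))
            return fd;
    return -1;
}

int main(void)
{
    /* Constructed input: behave as if --preserve-fds 1 had been given. */
    int bad = first_missing_fd(&inherited_fds, 1);
    if (bad != -1)
        fprintf(stderr, "file descriptor %d is not open\n", bad);
    return bad != -1;
}
```

Started as `./a.out 3</dev/null` the check passes; started without descriptor 3 open it reports the missing descriptor and exits non-zero.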

@debarshiray changed the title from "RFE: Make toolbox-init-container a fully static binary to avoid compatibility issues with container's glibc" to "RFE: Make toolbox-init-container a fully static binary or disable CGO to avoid compatibility issues with container's glibc" Nov 18, 2022
@debarshiray
Member

We are now using CGO to check the presence of subordinate user and group IDs using libsubid.so instead of looking at /etc/subuid and /etc/subgid, to support subordinate IDs provided by SSSD on enterprise FreeIPA set-ups.
