Go is portable, until it isn't

Posted by khazit 12/7/2025

Go is portable, until it isn't(simpleobservability.com)

153 points | 129 comments

mmulet 2 days ago|

I ran into this issue when porting term.everything[0] from typescript to go. I had some c library dependencies that I did need to link, so I had to use cgo. My solution was to do the build process on alpine linux[1] and use static linking[2]. This way it statically links musl libc, which is much friendlier with static linking than glibc. Now, I have a static binary that runs in alpine, Debian, and even bare containers.

Since I have made the change, I have not had anyone open any issues saying they had problems running it on their machines. (Unlike when I was using AppImages, which caused much more trouble than I expected)

[0] https://github.com/mmulet/term.everything look at distribute.sh and the makefile to see how I did it.

[1]in a podman or docker container

[2] -ldflags '-extldflags "-static"'

jchw 2 days ago||

IMO this is the best approach, but it is worth noting that musl libc is not without its caveats. I'd say for most people it is best to tread carefully and make sure that differences between musl libc and glibc don't cause additional problems for the libraries you are linking to.

There is a decent list of known functional differences on the musl libc wiki:

https://wiki.musl-libc.org/functional-differences-from-glibc...

Overall, though, the vast majority of software works perfectly or near perfectly on musl libc, and that makes this a very compelling option indeed, especially since statically linking glibc is not supported and basically does not work. (And obviously, if you're already using library packages that are packaged for Alpine Linux in the first place, they will likely already have been tested on musl libc, and possibly even patched for better compatibility.)

nickcw 2 days ago|||

That is a nice approach. I'll have to give that a try with rclone. I tried lots of things in the past but not using Alpine which is a great idea

Another alternative is

https://github.com/ebitengine/purego

You can use this to dynamic load shared objects / DLLs so in the OP example they could disable systemd support if the systemd shared object did not load.

This technique is used in the cgofuse library ( https://github.com/winfsp/cgofuse ) rclone uses which means rclone can run even if you don't have libfuse/winfsp installed. However the rclone mount subcommand won't work.

The purego lib generalizes this idea. I haven't got round to trying this yet but it looks very promising.

kokada 2 days ago||

I am using purego indirectly in two pet projects of mine. While it has its own issues it definitely solves the issue of cross-compilation.

In this particular case it may be that they will need to write a wrapper to abstract differences between the systemd C API if it is not stable, but at least they still can compile a binary from macOS to Linux without issues.

The other issue as other said is to use journalctl and just parse the JSON format. Very likely that this would be way more stable, but not sure if it is performant enough.

johnisgood 2 days ago|||

I use `-ldflags '-extldflags "-static"` as well.

From the .go file, you just do `// #cgo LDFLAGS: -L. -lfoo`.

You definitely do not need Alpine Linux for this. I have done this on Arch Linux. I believe I did not even need musl libc for this, but I potentially could have used it.

I did not think I was doing something revolutionary!

In fact, let me show you a snippet of my build script:

  # Build the Go project with the static library
  if go build -o $PROG_NAME -ldflags '-extldflags "-static"'; then
    echo "Go project built with static library linkage"
  else
    echo "Error: Failed to build the Go project with static library"
    exit 1
  fi

  # Check if the executable is statically linked
  if nm ./$PROG_NAME | grep -q "U "; then
    echo "Error: The generated executable is dynamically linked"
    exit 1
  else
    echo "Successfully built and verified static executable '$PROG_NAME'"
  fi

And like I said, the .go file in question has this:

  // #cgo LDFLAGS: -L. -lfoo

It works perfectly, and should work on any Linux distribution.

mmulet 2 days ago||

I use alpine for this [1] reason, but I will admit that this is a premature-optimization. I haven’t actually ran into the problem myself.

——

Your code is great, I do basically the same thing (great minds think alike!). The only thing I want to add is that cgo supports pkg-config directly [2] via

  // #cgo pkg-config: $lib

So you don’t have to pass in linker flags manually. It’s incredibly convenient.

[1]https://stackoverflow.com/questions/57476533/why-is-statical...

[2]https://github.com/mmulet/term.everything/blob/def8c93a3db25...

pansa2 2 days ago|||

> do the build process on alpine linux and […] statically link musl libc

IIRC it used to be common to do builds on an old version of RHEL or CentOS and dynamically link an old version of glibc. Binaries would then work on newer systems because glibc is backwards compatible.

Does anyone still use that approach?

Xylakant 2 days ago||

If you need glibc for any kind of reason, that approach is still used. But that won’t save you if no glibc is available. And since the folks here want to produce a musl build anyways for alpine, the easier approach is to just go for musl all the way.

apitman 2 days ago|||

Note that you don't have to compile on an Alpine system to achieve this. These instructions should work on most distros:

https://www.arp242.net/static-go.html

nly 2 days ago|||

> and even bare containers.

Strange, i thought the whole point of containers was to solve this problem.

vrighter 9 hours ago|||

The whole point of containers is to ship almost the whole OS with the application (It is a technical implementation of the "works on my machine" concept). If the OS you put in your container (by just pulling in a prebuilt image from somewhere) doesn't have the necessary things, then the application would fail to work just the same as if you ran it on the bare operating system with the the same missing libraries.

jdub 2 days ago|||

Depends how much you care about the size and security footprint of your container images.

nly 15 minutes ago||

Static linking doesn't solve security issues either.

imcritic 2 days ago|||

What troubles did you have with AppImages?

mmulet 2 days ago||

List of troubles:

[1]https://github.com/mmulet/term.everything/issues/28

[2]https://github.com/mmulet/term.everything/issues/18 (although this issue later gets sidetracked to a build issue)

[3]https://github.com/mmulet/term.everything/issues/14

[4]https://github.com/mmulet/term.everything/issues/7

tasuki 2 days ago|||

Huh. Does term.everything just work, or are there some gotchas? This seems like it could be supremely useful!

mmulet 2 days ago||

It works so far! No major gotchas that I know of yet. From the perspective of the apps, they are just talking to a normal Wayland compositor, so everything works as expected. Just try it for your workflow, and if you run into any problems just open an issue and I’ll fix it.

cxr 2 days ago||

I didn't see an explanation in the README that part of what the first GIF[1] shows is an effect created by video editing software (and not a screencapture that's just demonstrating the program actually running). "Screen images simulated" are the words usually chosen to start off the disclaimers in fine print shown at the bottom of the screen when similar effects appear in commercials. I think that it would make sense to adopt a similar explanation wrt the effect used for the GIF.

1. <https://github.com/mmulet/term.everything/blob/main/resource...>

plufz 2 days ago|||

Why would an open source project need to have any disclaimer? They are not selling anything.

nofriend 2 days ago||

Because lying is wrong even when open source projects do it.

plufz 2 days ago|||

I think it is a big stretch calling this visual effect lying.

I don’t know if it is a cultural American thing or just difference in interpretation but I had no difficulty understanding that this was a visual effect. But in my country ads don’t come with disclaimers. Do you feel like these disclaimers are truly helpful?

cxr 2 days ago|||

I don't feel that the person I responded to is lying or being intentionally deceptive.

nebezb 2 days ago||||

> “in commercials where such effects appear”

Good thing this isn’t a commercial then.

hmans 2 days ago|||

[dead]

davvid 2 days ago||

> We did not want to spend time maintaining a backward compatible parser or doing code archaeology. So this option was discarded.

Considering all of the effort and hoop-jumping involved in the route that was chosen, perhaps this decision might be worth revisiting.

In hindsight, maintaining a parser might be easier and more maintainable when compared to the current problems that were overcome and the future problems that will arise if/when the systemd libraries decide to change their C API interfaces.

One benefit of a freestanding parser is that it could be made into a reusable library that others can use and help maintain.

khazit 2 days ago||

There is an existing pure Go library [1] written by someone else. The issue is that we weren’t confident we could ship a reliable parser. We even included an excerpt from the systemd documentation, which didn’t exactly reassure us:

> Note that the actual implementation in the systemd codebase is the only ultimately authoritative description of the format, so if this document and the code disagree, the code is right

This required a lot of extra effort and hoop-jumping, but at least it’s on our side rather than something users have to deal with at deploy time.

[1]: https://github.com/Velocidex/go-journalctl

bb88 2 days ago||

That's what I was thinking too. A go native library is 10 times better in the go ecosystem than a c library linked to a go executable.

Also in the age of AI it seems possible to have it do the rewrite for you, for which you can iterate on further.

bitbasher 2 days ago||

Once you use CGO, portability is gone. Your binary is no longer staticly compiled.

This can happen subtley without you knowing it. If you use a function in the standard library that happens to call into a CGO function, you are no longer static.

This happens with things like os.UserHomeDir or some networking things like DNS lookups.

You can "force" go to do static compiling by disabling CGO, but that means you can't use _any_ CGO. Which may not work if you require it for certain things like sqlite.

swills 2 days ago||

You can definitely use CGO and still build statically, but you do need to set ldflags to include -static.

tptacek 2 days ago||

You can even cross-compile doing that.

swills 2 days ago||

Yes, indeed, I do.

hiAndrewQuinn 2 days ago|||

You don't need CGO for SQLite in most cases; I did a deep dive into it here.

https://til.andrew-quinn.me/posts/you-don-t-need-cgo-to-use-...

PunchyHamster 2 days ago|||

> Which may not work if you require it for certain things like sqlite.

there is cgo-less sqlite implementation https://github.com/glebarez/go-sqlite it seems to not be maintained much tho

IceWreck 2 days ago||

You're linking to a different version - this is the one that most people use https://github.com/modernc-org/sqlite

debugnik 2 days ago||

Yes and no, the package above is a popular `database/sql` driver for the same SQLite port you linked.

silverwind 2 days ago|||

> This happens with things like os.UserHomeDir or some networking things like DNS lookups.

The docs do not mention this CGO dependency, are you sure?

https://pkg.go.dev/os#UserHomeDir

purpleidea 2 days ago||

I was surprised too, that I had to check the docs, so I assume the user was misinformed.

bitbasher 2 days ago||

Perhaps I misremembered or things changed? For instance, the os/user results in a dynamicly linked executable: https://play.golang.com/p/7QsmcjJI4H5

There are multiple standard library functions that do it.. I recall some in "net" and some in "os".

telotortium 2 days ago||

os.UserHomeDir is specified to read the HOME environment variable, so it doesn’t require CGo. os/user does, but only to support NSS and LDAP, which are provided by libc. That’s also why net requires CGo- for getaddrinfo using resolv.conf

ncruces 2 days ago||

There are at least a couple of ways to run SQLite without CGO.

tptacek 2 days ago||

I think the standard answer here is modernc.org/sqlite.

apitman 2 days ago||

Careful, you're responding to the author of a wasm-based alternative.

ncruces 2 days ago||

No need to be careful. I won't bite. ;)

combiBean 2 days ago||

Was there not a third option: Calling the journalctl CLI as a child process and consume the parsed logs from the standard output? This might have avoided both the requirement to use CGO and also to write a custom parser. But I guess I am missing something.

tkone 1 day ago||

Ironically this is EXACTLY what the journald receiver for OpenTelemetry does, which, as they noted, is written in go.

Specifically because you're only supposed to use that OR the c bindings by design because they want the ability to change in the internal format when it's necessary.

redrove 2 days ago|||

Yeah looks like they missed the forest for the trees.

I see this kind of thing in our industry quite often; some Rube Goldberg machine being invented and kept on life support for years because of some reason like this, where someone clearly didn’t do the obvious thing and everyone now just assumes it’s the only solution and they’re married to it.

But I’m too grumpy, work me is leaking into weekend me. I had debates around crap like this all week and I now see it everywhere.

cookiengineer 2 days ago|||

Also there is a --json (or -o json) flag for journalctl which will output line based json log entries. And it can simply be called with a Command as you pointed out.

IshKebab 2 days ago|||

It's generally less robust to run CLI tools and scrape the output. Usually it isn't intended to be machine readable, and you have to handle extra failure modes, like incompatible tool versions, missing tools, incorrect parsers, etc.

It's the lazy-but-bad solution.

1718627440 22 hours ago|||

> Usually it isn't intended to be machine readable

It usually is, because that is the UNIX philosophy and programs that intermingle output with layout often stop doing that, when they don't write to a terminal.

jeremyjh 2 days ago||||

journalctl is designed for these use cases and has options to solve those issues. The lazy part here is you not doing any research about this tool before dismissing it as "not best practice", which is exactly what the fuckups who wrote this article did.

khazit 2 days ago||

We dismissed using journalctl at the very start. We’ve had similar experiences with other CLI tools: the moment you start embedding them inside a program, you introduce a whole new class of problems. What if journalctl exits? What if it outputs an error? What if it hangs? On top of that, you have to manage the subprocess lifecycle yourself. It’s not as easy as it may seem.

You can also argue that sd_journal (the C API) exists for this exact reason, rather than shelling out to journalctl. These are technical trade-offs, doesn't mean we're fuckups

mxey 1 day ago|||

> You can also argue that sd_journal (the C API) exists for this exact reason, rather than shelling out to journalctl.

Quoting from https://systemd.io/JOURNAL_FILE_FORMAT/

> If you need access to the raw journal data in serialized stream form without C API our recommendation is to make use of the Journal Export Format, which you can get via journalctl -o export or via systemd-journal-gatewayd.

Certainly sounds like running journalctl, or using the gateway, is a supported option.

jeremyjh 1 day ago|||

Does Go really not have any libraries capable of supervising an external program? If you'd considered journalctl, why didn't you mention it in the article? As many have pointed out here, it is the obvious and intended way to do this, and the path you chose was harder for reasons that seemed to surprise you but were entirely foreseeable.

mxey 1 day ago||

JFTR, of course it has a library for it https://pkg.go.dev/os/exec

zbentley 2 days ago||||

I think a lot is riding on that “generally”. You’re right that the default approach/majority of cases should avoid shelling out wherever possible, but there are a large minority of situations where doing that does make sense, including:

Calling a CLI tool which will be present everywhere your program might reasonably be installed (e.g. if your program is a MySQL extension, it can probably safely assume the existence of mysqld).

The CLI tool you want to call is vendored into or downloaded by your wrapper program, reducing installation requirements overhead (this is not always a good idea for other reasons, but it does address a frequently cited reason not to shell out).

The CLI tool’s functionality is both disjoint with the rest of your program and something that you have a frequent need to hard-kill. (Forking is much more error prone than running a discrete subprocess; you can run your own program as a subprocess too, but in that case the functionality is probably not disjointed).

Talking to POSIX CLI tools in a POSIX compatible way (granted most things those tools do are easier/faster in a language’s stdlib).

mxey 1 day ago||

I recently wrote some Go code for running containers and chose to use the docker CLI instead of an API client. The CLI is more well known and better documented, and this is what replacements like Podman support. When there’s a problem, it’s easier to reproduce it by running the same CLI command. It also meant I wouldn’t need a whole lot of dependencies, and we needed the docker CLI anyway.

Obviously you shouldn’t try to parse human-readable output.

sigwinch 2 days ago|||

journalctl with -o export produces a binary interchange format. Would you rather have bugs or API rot from that, or in an internal tool?

dardeaup 2 days ago||

This was the first thought that occurred to me too when I saw this post.

orochimaaru 2 days ago||

So you can’t pull in c libraries built for different distributions and expect this to work.

If you use pure go, things are portable. The moment you use C API, that portability doesn’t exist. This should be apparent.

jeremyjh 2 days ago|

My assumption was that they were using a C API just from reading the headline. I don't use Go but these sorts of problems are common to any project doing that in just about any language.

larusso 2 days ago||

I think this is true for nearly all compiled languages. I had the same fun with rust and openSSL and glibC. OP didn’t mentioned the fun with glib-c when compiling on a fairly recent distro and trying it to run on an older one. There is the “many Linux” project which provides docker images with a minimum glib c version installed so it’s compatible with newer ones. The switch to a newer open ssl version on Debian/Ubuntu created some issues for my tool. I replaced it with rust tls to remove the dynamic linked library. I prefer complete statically linked binaries though. But that is really hard to do and damn near impossible on Apple systems.

nunez 2 days ago||

You hit this real quick when trying to build container images from the scratch. Theoretically you can drop a Go binary into a blank rootfs and it will run. This works most of the time, but anything that depends on Go's Postgres client requires libpq which requires libc. Queue EFILE runtime errors after running the container.

nateb2022 2 days ago|

> anything that depends on Go's Postgres client requires libpq which requires libc

Try https://github.com/lib/pq

AlbinoDrought 2 days ago|||

I've also seen https://github.com/jackc/pgx used in many projects

mxey 2 days ago|||

> For users that require new features or reliable resolution of reported bugs, we recommend using pgx which is under active development.

regularfry 2 days ago||

All of this, every last bit of complexity and breakage and sweat, is downstream of this:

> Journal logs are not stored in plain text. They use a binary format

And it was entirely predictable and predicted that this sort of problem would be the result when that choice was made.

dwattttt 1 day ago||

That's why I hexify all binary files, to make it easier to understand them.

valbaca 2 days ago||

Unix philosophy strikes again

pjmlp 2 days ago||

And a set of people rediscovered why cross compiling only works up to certain extent, regardless of the marketing on the tin.

The point one needs to touch APIs that only exists on the target system, the fun starts, regardless of the programming language.

Go, Zig, whatever.

dwattttt 2 days ago|

You're thinking of cross platform codebases. There's nothing about cross compilation that stops the toolchain from knowing what APIs are present & not present on a target system.

pjmlp 2 days ago||

Cross compilation and cross platform are synonymous in compiled languages, in regards of many issues that one needs to care about.

Cross platform goes beyond in regards to UI, direction locations, user interactions,...

Yeah, if you happen to have systemd Linux libraries on macOS to facilitate cross compilation into a compatible GNU/Linux system than it works, that is how embedded development has worked for ages.

What doesn't work is pretending that isn't something to care about.

IshKebab 2 days ago||

> Cross compilation and cross platform are synonymous in compiled languages

Err, no. Cross-platform means the code can be compiled natively on each platform. Cross-compilation is when you compile the binaries on one platform for a different platform.

pjmlp 2 days ago||

Not at all, cross platform means executing the same application in many platforms, regardless of the hardware and OS specific features of each platform.

Cross-compilation is useless if you don't actually get to executed the created binaries in the target platform.

Now, how do you intend to compile from GNU/Linux into z/OS, so that we can execute the generated binary out from the C compiler ingesting the code written in GNU/Linux platform, in the z/OS language environment inside an enclave, not configured in POSIX mode?

Using z/OS, if you're feeling more modern, it can be UWP sandboxed application with identity in Windows.

IshKebab 2 days ago||

> cross platform means executing the same application in many platforms, regardless of the hardware and OS specific features of each platform.

That is a better definition yes. But it's still not synonymous with cross-compilation, obviously. Most cross-platform apps are not cross-compiled because it's usually such a pain.

colonwqbang 2 days ago|

Has nothing to do with go. You added a dependency which is not portable. It is well known that systemd project only targets Linux.

Vendorise systemd and compile only the journal parts, if they are portable and can be isolated from the rest. Otherwise just shell out to journalctl.

More comments...