Cf-terraforming broken in nix-built docker container

When I run the release binary of cf-terraforming on NixOS, it works as expected (same for the binary from cf-terraforming nix package).

If I run the very same binary in a docker container, it “forgets” nearly all of its command line flags. Not sure if this is a Go thing or if this is a cf-terraforming-specific issue.

In fact I have absolutely no idea what’s going on here, any tips or nudges welcome.

Situation: a container built using this flake:

{
  description = "Bash";

  inputs = {
    nixpkgs = {
      type = "github";
      owner = "NixOS";
      repo = "nixpkgs";
      ref = "nixos-24.11";
    };

  };

  outputs = { self, nixpkgs }: 
    let
      system = "x86_64-linux";
      pkgs = import nixpkgs { inherit system; };
    in
  {
    packages = {
      ${system} = {
          default = self.packages.containers.nix;
      };
    
      containers.nix = pkgs.dockerTools.buildLayeredImage {
        name = "bash";
        tag = "v1.0";
        contents = with pkgs; [
          bash
          coreutils
          # cf-terraforming
        ];
      };
    };
  };
}

Run the binary on NixOS (does what it’s supposed to - complain that no zone id is set):

$ cd /tmp/repo
$ ./cf-terraforming generate --zone
Error: flag needs an argument: --zone
Usage:
  cf-terraforming generate [flags]

Flags:
  -h, --help   help for generate

Global Flags:
<...truncated...>
 -z, --zone string                         Target the provided zone ID for the command

ERRO[0000] flag needs an argument: --zone      

Run the binary in a container with a bind mount which contains the release binary:

$ podman run --mount type=bind,src=.,dst=/repo localhost/bash:v1.0 /repo/cf-terraforming generate --zone
Error: unknown flag: --zone
Usage:
  cf-terraforming generate [flags]

Flags:
  -h, --help   help for generate

ERRO[0000] unknown flag: --zone   

The same happens when I use the cf-terraforming package in the container’s contents instead of using the upstream release binary. The nix hash of the package is the same both on my NixOS and inside the container. In fact I only tried the release binary to rule out any possible problems with the nix-built package.

I tried starting the container with and without tty, interactive and non-interactive and the results are always the same (save for some cosmetics on podman output).

What I haven’t tried yet:

  • build the container using buildImage (I really want the layered image)
  • use a non-nix-built container (I’d really prefer not to use any upstream images)
  • strace or any other kind of low(er)-level debugging. I don’t know where to start yet
  • use docker instead of podman (Docker is not available in the environment where the image will be used)