
Adjust tarball creation to be reproducible #188

Merged
merged 2 commits into from
Mar 1, 2024

Conversation

tianon
Member

@tianon tianon commented Jan 18, 2024

No description provided.

@tianon
Member Author

tianon commented Jan 18, 2024

Oh https://manpages.debian.org/buster/tar/tar.1.en.html#:~:text=on%20each%20checkpoint.-,%2D%2Dclamp%2Dmtime,-Only%20set%20time

That's probably better / more maintainable than my hacky script.

@tianon tianon force-pushed the reproducible-rootfs branch 2 times, most recently from 34f9a53 to 7783809 Compare January 18, 2024 22:29
@tianon
Member Author

tianon commented Jan 18, 2024

https://github.com/docker-library/busybox/actions/runs/7576748973/job/20636236993?pr=188#step:5:4479 👀

a2a69ef5efbb70454c06535193e330ec9b50f7f6e3b67fe1a69d78e50a40db06 is the same latest/musl/busybox.tar.xz checksum I got locally 😄

@tianon tianon force-pushed the reproducible-rootfs branch from 7783809 to e2aca1d Compare January 18, 2024 22:46
@tianon
Member Author

tianon commented Jan 18, 2024

Nice, the simpler approach using tar --mtime ... --clamp-mtime also works and generates the same checksum: https://github.com/docker-library/busybox/actions/runs/7576892648/job/20636653568?pr=188#step:5:3622
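The `tar --mtime ... --clamp-mtime` approach above, shown as an added example that is not the PR's own build.sh: it packs a constructed sample tree twice, checks that the two digests agree, and also shows the one-sided nature of clamping (a file already older than the clamp epoch still carries its own mtime into the archive). The epoch value and the tree contents are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's build.sh: pack a constructed rootfs tree with
# GNU tar's --mtime/--clamp-mtime and verify that two runs give one checksum.
set -eu

# Clamp timestamp (assumed value; the PR derives its own --mtime).
SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-1700000000}"

# pack_rootfs SRC OUT: deterministic member order, owner and mtimes; gzip -n
# drops the gzip header timestamp that would otherwise change every run.
pack_rootfs() {
	tar --sort=name \
		--mtime="@$SOURCE_DATE_EPOCH" --clamp-mtime \
		--owner=0 --group=0 --numeric-owner \
		-C "$1" -cf - . | gzip -n >"$2"
}

# checksum FILE: hex sha256, the kind of value compared between CI and local.
checksum() {
	sha256sum "$1" | cut -d' ' -f1
}

# make_tree DIR: constructed sample rootfs; bin/sh is dated after the clamp
# epoch (2030), etc/passwd before it (2000).
make_tree() {
	mkdir -p "$1/bin" "$1/etc"
	printf '#!/bin/sh\n' >"$1/bin/sh"
	printf 'root:x:0:0::/:/bin/sh\n' >"$1/etc/passwd"
	touch -t 203001010000 "$1/bin/sh"
	touch -t 200001010000 "$1/etc/passwd"
}

# verify_reproducible: returns 0 only when (a) re-touching a future-dated file
# leaves the digest unchanged (it is clamped to the epoch) and (b) changing a
# file older than the epoch does alter the digest (clamping is one-sided).
verify_reproducible() {
	work="$(mktemp -d)"
	make_tree "$work/rootfs"
	pack_rootfs "$work/rootfs" "$work/a.tar.gz"
	touch -t 203106010000 "$work/rootfs/bin/sh"
	pack_rootfs "$work/rootfs" "$work/b.tar.gz"
	touch -t 199901010000 "$work/rootfs/etc/passwd"
	pack_rootfs "$work/rootfs" "$work/c.tar.gz"
	a="$(checksum "$work/a.tar.gz")"; b="$(checksum "$work/b.tar.gz")"
	c="$(checksum "$work/c.tar.gz")"
	rm -rf "$work"
	[ "$a" = "$b" ] && [ "$a" != "$c" ]
}
```

Requires GNU tar 1.29 or newer for `--clamp-mtime`; run `verify_reproducible && echo reproducible` to exercise it.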

@tianon
Member Author

tianon commented Jan 18, 2024

I guess this is good by itself, but my end goal is actually to go all the way to oci-import (because a reproducible tar is otherwise not super interesting here given how much Docker/BuildKit munge it on the round-trip through ADD tar /).

@tianon tianon force-pushed the reproducible-rootfs branch from e2aca1d to 644ee1a Compare February 22, 2024 23:53
@tianon tianon marked this pull request as ready for review February 22, 2024 23:53
@tianon
Member Author

tianon commented Feb 22, 2024

Here's an example library/busybox file generated from this change (hacked to use our fork):

# this file is generated via https://github.com/infosiftr/busybox/blob/5aade3a1527f3dddc69ea149d040768941b34664/generate-stackbrew-library.sh

Maintainers: Tianon Gravi <admwiggin@gmail.com> (@tianon),
             Joseph Ferguson <yosifkit@gmail.com> (@yosifkit)
GitRepo: https://github.com/infosiftr/busybox.git
GitCommit: 5aade3a1527f3dddc69ea149d040768941b34664
Builder: oci-import
File: index.json
# https://github.com/infosiftr/busybox/tree/dist-amd64
amd64-GitFetch: refs/heads/dist-amd64
amd64-GitCommit: 668d52e6f0596e0fd0b1be1d8267c4b9240dc2b3
# https://github.com/infosiftr/busybox/tree/dist-arm32v6
arm32v6-GitFetch: refs/heads/dist-arm32v6
arm32v6-GitCommit: c479d660005ac7073e97509575668b794cdbc5f5

Tags: 1.36.1-glibc, 1.36-glibc, 1-glibc, stable-glibc, glibc
Architectures: amd64
amd64-Directory: latest/glibc/amd64

Tags: 1.36.1-uclibc, 1.36-uclibc, 1-uclibc, stable-uclibc, uclibc
Architectures: amd64
amd64-Directory: latest/uclibc/amd64

Tags: 1.36.1-musl, 1.36-musl, 1-musl, stable-musl, musl
Architectures: amd64, arm32v6
amd64-Directory: latest/musl/amd64
arm32v6-Directory: latest/musl/arm32v6

Tags: 1.36.1, 1.36, 1, stable, latest
Architectures: amd64, arm32v6
amd64-Directory: latest/glibc/amd64
arm32v6-Directory: latest/musl/arm32v6

Tags: 1.35.0-glibc, 1.35-glibc
Architectures: amd64
amd64-Directory: latest-1/glibc/amd64

Tags: 1.35.0-uclibc, 1.35-uclibc
Architectures: amd64
amd64-Directory: latest-1/uclibc/amd64

Tags: 1.35.0-musl, 1.35-musl
Architectures: amd64, arm32v6
amd64-Directory: latest-1/musl/amd64
arm32v6-Directory: latest-1/musl/arm32v6

Tags: 1.35.0, 1.35
Architectures: amd64, arm32v6
amd64-Directory: latest-1/glibc/amd64
arm32v6-Directory: latest-1/musl/arm32v6

@tianon
Member Author

tianon commented Feb 22, 2024

Notably, this actually commits all but the tarballs directly in the master branch of this repository. The theory here is that with reproducible tarballs, that becomes a lot more interesting (we can meaningfully track their change over time, for example).

The main concern I would've had with this is having multiple build jobs all trying to push to the same branch (and resolving merge conflicts between them as we rebase / re-push over and over), but with each architecture using a dedicated directory, that should be mostly reasonable (and these don't run on an automated trigger either, so there's not really a very high chance of changes in the way things build happening while a build is in progress).

@tianon tianon force-pushed the reproducible-rootfs branch 3 times, most recently from da01e4f to 8283da6 Compare February 23, 2024 00:07
@tianon
Member Author

tianon commented Feb 23, 2024

It's going to be a bit more complex to fix our explicit debian:unstable builds to work correctly now that I'm using docker buildx build explicitly in build.sh, so I need to spend a bit more time thinking about the best way to inject that correctly. 🤔

(probably just a sed instead of a pull+tag, TBH)

@tianon tianon force-pushed the reproducible-rootfs branch 5 times, most recently from 4f05b89 to 77471be Compare February 23, 2024 01:04
@tianon
Member Author

tianon commented Feb 23, 2024

This also now makes our CI verify the reproducibility. 👀

@tianon tianon force-pushed the reproducible-rootfs branch from 77471be to 03186f9 Compare February 23, 2024 01:19
@tianon
Member Author

tianon commented Feb 23, 2024

(So it's written down somewhere explicitly: one end goal of this is to have something with lower stakes / less DOI child images than Ubuntu to test docker-library/meta-scripts#20 against 👀)

{
generated_warning
gawk -f "$jqt" Dockerfile-builder.template
} > "$version/$variant/Dockerfile.builder"

cp Dockerfile.template "$version/$variant/Dockerfile"
ln -svfT amd64/rootfs.tar.gz "$version/$variant/busybox.tar.gz"
Member


If each dist branch has to make this symlink for their respective architecture anyway, we should probably just leave it off of the main branch.

Member Author


Yeah, that's fair -- done!

@tianon tianon force-pushed the reproducible-rootfs branch from 03186f9 to 088bdc4 Compare February 28, 2024 00:43
@tianon tianon force-pushed the reproducible-rootfs branch from 088bdc4 to 7e39d61 Compare February 28, 2024 00:44
@tianon tianon merged commit 6ded0a4 into docker-library:master Mar 1, 2024
14 checks passed
@tianon tianon deleted the reproducible-rootfs branch March 1, 2024 23:37
@tianon
Member Author

tianon commented Mar 1, 2024

e177f73 (meta-arm32v6) 👀

830066c (dist-arm32v6) 👀

docker-library-bot added a commit to docker-library-bot/official-images that referenced this pull request Mar 2, 2024
Changes:

- docker-library/busybox@6ded0a4: Merge pull request docker-library/busybox#188 from infosiftr/reproducible-rootfs
- docker-library/busybox@7e39d61: Initial `Builder: oci-import` support
- docker-library/busybox@644ee1a: Adjust tarball creation to be reproducible
@tianon tianon mentioned this pull request Mar 5, 2024
docker-library-bot added a commit to docker-library-bot/official-images that referenced this pull request Mar 5, 2024
Changes:

- docker-library/busybox@0fd3015: Stop `latest` aliases on riscv64 from pointing to anything but uclibc (for now)
- docker-library/busybox@6ded0a4: Merge pull request docker-library/busybox#188 from infosiftr/reproducible-rootfs
- docker-library/busybox@7e39d61: Initial `Builder: oci-import` support
- docker-library/busybox@644ee1a: Adjust tarball creation to be reproducible
docker-library-bot added a commit to docker-library-bot/official-images that referenced this pull request Mar 5, 2024
Changes:

- docker-library/busybox@a20bcbd: Merge pull request docker-library/busybox#191 from infosiftr/cherry-meta
- docker-library/busybox@0fd3015: Stop `latest` aliases on riscv64 from pointing to anything but uclibc (for now)
- docker-library/busybox@69f51a1: Update metadata for s390x
- docker-library/busybox@f29b4e0: Update metadata for ppc64le
- docker-library/busybox@8d72643: Update metadata for mips64le
- docker-library/busybox@51977e5: Update metadata for i386
- docker-library/busybox@b52155f: Update metadata for arm64v8
- docker-library/busybox@2568e26: Update metadata for arm32v7
- docker-library/busybox@a6e074f: Update metadata for arm32v6
- docker-library/busybox@884455c: Update metadata for arm32v5
- docker-library/busybox@6ded0a4: Merge pull request docker-library/busybox#188 from infosiftr/reproducible-rootfs
- docker-library/busybox@7e39d61: Initial `Builder: oci-import` support
- docker-library/busybox@644ee1a: Adjust tarball creation to be reproducible