From cd11b0a501d27de49e679555dfa0ea55fb7ca048 Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Fri, 16 Aug 2024 18:05:12 +0900
Subject: [PATCH] Support reproducible builds (except packages)

See docker-library/official-images issue 16044

- For Debian, `/var/log/*` is removed as they contain timestamps
- For Debian, `/var/cache/ldconfig/aux-cache` is removed as they contain inode numbers, etc.
- For Alpine, virtual package versions are pinned to "0" to eliminate the timestamp-based version numbers that appear in `/etc/apk/world` and `/lib/apk/db/installed`

> [!NOTE]
> The following topics are NOT covered by this commit:
>
> - To reproduce file timestamps in layers, BuildKit has to be executed with
> `--output type=,rewrite-timestamp=true`.
> Needs BuildKit v0.13 or later.
>
> - To reproduce the base image by the hash, reproducers may:
> - modify the `FROM` instruction in Dockerfile manually
> - or, use the `CONVERT` action of source policies to replace the base image.
>
>
> - To reproduce packages, see the `RUN` instruction hook proposed in
> moby/buildkit#4576

Signed-off-by: Akihiro Suda
---
 1.22/alpine3.19/Dockerfile | 2 +-
 1.22/alpine3.20/Dockerfile | 2 +-
 1.22/bookworm/Dockerfile | 4 +++-
 1.22/bullseye/Dockerfile | 4 +++-
 1.23/alpine3.19/Dockerfile | 2 +-
 1.23/alpine3.20/Dockerfile | 2 +-
 1.23/bookworm/Dockerfile | 4 +++-
 1.23/bullseye/Dockerfile | 4 +++-
 Dockerfile-linux.template | 6 ++++--
 9 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/1.22/alpine3.19/Dockerfile b/1.22/alpine3.19/Dockerfile
index fae06bf5..d7b85666 100644
--- a/1.22/alpine3.19/Dockerfile
+++ b/1.22/alpine3.19/Dockerfile
@@ -12,7 +12,7 @@ ENV GOLANG_VERSION 1.22.6
 
 RUN set -eux; \
 now="$(date '+%s')"; \
- apk add --no-cache --virtual .fetch-deps \
+ apk add --no-cache --virtual .fetch-deps=0 \
 ca-certificates \
 gnupg \
 # busybox's "tar" doesn't handle directory mtime correctly, so our SOURCE_DATE_EPOCH lookup doesn't work (the mtime of "/usr/local/go" always ends up being the extraction timestamp)
diff --git a/1.22/alpine3.20/Dockerfile b/1.22/alpine3.20/Dockerfile
index 735face7..7f0ae983 100644
--- a/1.22/alpine3.20/Dockerfile
+++ b/1.22/alpine3.20/Dockerfile
@@ -12,7 +12,7 @@ ENV GOLANG_VERSION 1.22.6
 
 RUN set -eux; \
 now="$(date '+%s')"; \
- apk add --no-cache --virtual .fetch-deps \
+ apk add --no-cache --virtual .fetch-deps=0 \
 ca-certificates \
 gnupg \
 # busybox's "tar" doesn't handle directory mtime correctly, so our SOURCE_DATE_EPOCH lookup doesn't work (the mtime of "/usr/local/go" always ends up being the extraction timestamp)
diff --git a/1.22/bookworm/Dockerfile b/1.22/bookworm/Dockerfile
index 2d159279..c448c2c9 100644
--- a/1.22/bookworm/Dockerfile
+++ b/1.22/bookworm/Dockerfile
@@ -114,7 +114,9 @@ RUN set -eux; \
 make \
 pkg-config \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/* ; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 
 ENV GOLANG_VERSION 1.22.6
 
diff --git a/1.22/bullseye/Dockerfile b/1.22/bullseye/Dockerfile
index c0ed1cf3..4edd8cb1 100644
--- a/1.22/bullseye/Dockerfile
+++ b/1.22/bullseye/Dockerfile
@@ -114,7 +114,9 @@ RUN set -eux; \
 make \
 pkg-config \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/* ; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 
 ENV GOLANG_VERSION 1.22.6
 
diff --git a/1.23/alpine3.19/Dockerfile b/1.23/alpine3.19/Dockerfile
index 593568af..a871ebe7 100644
--- a/1.23/alpine3.19/Dockerfile
+++ b/1.23/alpine3.19/Dockerfile
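Review bot: The new `=0` suffix on `.fetch-deps` is the entire point of the hunk, but nothing in the Dockerfile says why it is there, even though the busybox comment three lines below shows the file already explains reproducibility tweaks inline. A comment above the apk line would keep the reason with the code instead of only in the commit message, e.g. `# pin the virtual package's version: apk would otherwise assign a timestamp-based one that lands in /etc/apk/world and /lib/apk/db/installed and breaks reproducible builds`. The identical line changes in 1.22/alpine3.20, 1.23/alpine3.19, 1.23/alpine3.20 and in the Dockerfile-linux.template hunk at @@ -53; since the per-version Dockerfiles appear to be generated from the template, the comment belongs there. The RUN instruction continues past the end of the hunk.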
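Review bot: `rm -rf /var/log/*` on the last added line of the 1.22/bookworm hunk also wipes dpkg's and apt's own logs on a Debian base, so the image retains no record of what the build installed beyond /var/lib/dpkg/status; that is defensible for a base image whose Dockerfile is the provenance, but the terse `# clean up for reproducibility` hides both the trade-off and which files actually vary. I would expand it to name the culprits, e.g. `# /var/log/* holds timestamped logs and /var/cache/ldconfig/aux-cache embeds inode numbers; both differ between otherwise identical builds`. Whether apt-get in a derived image recreates its log directory cleanly after the wipe is something I would confirm with a child build rather than assume. The same lines are added in 1.22/bullseye, 1.23/bookworm, 1.23/bullseye and the template hunk at @@ -163, which is where the comment should be written; the RUN instruction starts before this hunk.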
@@ -12,7 +12,7 @@ ENV GOLANG_VERSION 1.23.0
 
 RUN set -eux; \
 now="$(date '+%s')"; \
- apk add --no-cache --virtual .fetch-deps \
+ apk add --no-cache --virtual .fetch-deps=0 \
 ca-certificates \
 gnupg \
 # busybox's "tar" doesn't handle directory mtime correctly, so our SOURCE_DATE_EPOCH lookup doesn't work (the mtime of "/usr/local/go" always ends up being the extraction timestamp)
diff --git a/1.23/alpine3.20/Dockerfile b/1.23/alpine3.20/Dockerfile
index b5a1dc0a..7b4bf495 100644
--- a/1.23/alpine3.20/Dockerfile
+++ b/1.23/alpine3.20/Dockerfile
@@ -12,7 +12,7 @@ ENV GOLANG_VERSION 1.23.0
 
 RUN set -eux; \
 now="$(date '+%s')"; \
- apk add --no-cache --virtual .fetch-deps \
+ apk add --no-cache --virtual .fetch-deps=0 \
 ca-certificates \
 gnupg \
 # busybox's "tar" doesn't handle directory mtime correctly, so our SOURCE_DATE_EPOCH lookup doesn't work (the mtime of "/usr/local/go" always ends up being the extraction timestamp)
diff --git a/1.23/bookworm/Dockerfile b/1.23/bookworm/Dockerfile
index aa509652..d52de4e3 100644
--- a/1.23/bookworm/Dockerfile
+++ b/1.23/bookworm/Dockerfile
@@ -114,7 +114,9 @@ RUN set -eux; \
 make \
 pkg-config \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/* ; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 
 ENV GOLANG_VERSION 1.23.0
 
diff --git a/1.23/bullseye/Dockerfile b/1.23/bullseye/Dockerfile
index 50cb670d..82d86359 100644
--- a/1.23/bullseye/Dockerfile
+++ b/1.23/bullseye/Dockerfile
@@ -114,7 +114,9 @@ RUN set -eux; \
 make \
 pkg-config \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/* ; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 
 ENV GOLANG_VERSION 1.23.0
 
diff --git a/Dockerfile-linux.template b/Dockerfile-linux.template
index 9c2fb247..9de5bba9 100644
--- a/Dockerfile-linux.template
+++ b/Dockerfile-linux.template
@@ -53,7 +53,7 @@ ENV GOLANG_VERSION {{ .version }}
 RUN set -eux; \
 now="$(date '+%s')"; \
 {{ if is_alpine then ( -}}
- apk add --no-cache --virtual .fetch-deps \
+ apk add --no-cache --virtual .fetch-deps=0 \
 ca-certificates \
 gnupg \
 # busybox's "tar" doesn't handle directory mtime correctly, so our SOURCE_DATE_EPOCH lookup doesn't work (the mtime of "/usr/local/go" always ends up being the extraction timestamp)
@@ -163,7 +163,9 @@ RUN set -eux; \
 make \
 pkg-config \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/* ; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 {{ ) end -}}
 
 ENV GOLANG_VERSION {{ .version }}