Make dockerTools.buildImageWithNixDb reproducible

[PigeonF]

Description of changes

The loaded database loaded by dockerTools.buildImageWithNixDb contains timestamps of when the nix paths were registered. Depending on the host store, these can differ between runs. Resetting them to a well known value ensures that the produced image is reproducible.

Related to #289813.

I don't know how to add a test for this. The only thing I can think of is to add a test to https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/docker-tools.nix that reads out the registrationTime rows from the database and asserts they are whatever SOURCE_DATE_EPOCH gets set to?

P.S.: I tried running nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD" to test the change, but it seems to overload my local nix VM, so I couldn't test this locally. Since this is my first contribution to nixpkgs, I don't really know what to do about this 😅

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[roberth]

[nixpkgs-review] seems to overload my local nix VM

You can skip nixpkgs-review. The relevant test here is nix-build -A nixosTests.docker-tools aka nixos/tests/docker-tools.nix and its support file pkgs/build-support/docker/examples.nix.
Do you have nested virtualisation - ie hardware virtualization extensions available within the VM?
Alternatively, if you're on macOS, you could rebase onto #282401 for a bit so that you can cut out the intermediate VM and run the test driver on macOS natively.

[PigeonF]

I was able to dust off an old laptop and run the tests there (i.e. running nix-build -A nixosTests.docker-tools succeeded). Is there something else I need to do, or do I just wait for someone to merge this?

[roberth]

Oh, I thought you wanted to add a test case or assertion.
I'd be okay to merge this without one, because nothing critical depends on it, and it wouldn't "prove" reproducibility anyway.
The most realistic failure mode, a change to the store db format and/or schema, would already be caught by the test suite, so I'm not too concerned.