Dockerfile:
```dockerfile
FROM alpine
RUN touch /foo && chown 1001:1001 /foo
FROM scratch
COPY --from=0 /foo /foo
```
When an OCI archive is built using the local daemon, the file owner name strings are resolved using the /etc/{passwd,group} on the host:
```console
$ buildctl build --frontend dockerfile.v0 --local dockerfile=. --local context=. --output type=oci,dest=/tmp/out,tar=false,buildinfo=false
$ tar tzvf /tmp/out/blobs/sha256/a677e56063fa735ea4ff1f53536d175d1de004aed3ae6919087c98f0888973d3
-rw-r--r-- suda/suda 0 2023-03-07 20:12 foo
$ grep ^suda /etc/passwd
suda:x:1001:1001::/home/suda:/bin/bash
$ grep ^suda /etc/group
suda:x:1001:
```
When an OCI archive is built using a remote daemon (docker-container://bk), the strings are resolved using /etc/{passwd,group} in docker-container://bk:
```console
$ buildctl --addr=docker-container://bk build --frontend dockerfile.v0 --local dockerfile=. --local context=. --output type=oci,dest=/tmp/out,tar=false,buildinfo=false
$ tar tzvf /tmp/out/blobs/sha256/69d8221812263e60bf25fa453c1ba768b67e2bcbd38c52b840d7c88f02d12df0
-rw-r--r-- 1001/1001 0 2023-03-07 20:13 foo
```
This issue affects build reproducibility.
Tested version: 80291e6 (not a regression in this commit)
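A reproducibility check for the behaviour reported above, as an added example that is not part of the original report or of BuildKit: it lists the entries of a layer blob whose tar headers carry owner name strings and shows that such a string alone changes the layer digest. The helper names (`make_layer`, `named_owner_entries`, `digest`) are hypothetical, and the two sample layers are constructed in memory to mirror the `suda/suda` and `1001/1001` listings.

```python
import gzip
import hashlib
import io
import sys
import tarfile


def make_layer(uname, gname):
    """Constructed sample layer: empty file foo owned by 1001:1001, fixed mtime."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.PAX_FORMAT) as tar:
        info = tarfile.TarInfo("foo")
        info.uid = info.gid = 1001
        info.uname, info.gname = uname, gname
        info.mtime = 1678219920  # constructed timestamp, identical in both layers
        tar.addfile(info)
    # mtime=0 keeps the gzip header constant, so only tar headers can differ
    return gzip.compress(raw.getvalue(), mtime=0)


def named_owner_entries(layer_bytes):
    """Return (path, uid, gid, uname, gname) for entries that carry owner names."""
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        return [(m.name, m.uid, m.gid, m.uname, m.gname)
                for m in tar if m.uname or m.gname]


def digest(layer_bytes):
    """Digest in the form used for OCI blob names."""
    return "sha256:" + hashlib.sha256(layer_bytes).hexdigest()


if __name__ == "__main__":
    if sys.argv[1:]:
        # Real use: pass paths to layer blobs under <dest>/blobs/sha256/
        layers = {}
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                layers[path] = fh.read()
    else:
        # Constructed stand-ins for the two builds in the report
        layers = {"names resolved": make_layer("suda", "suda"),
                  "numeric only": make_layer("", "")}
    for label, data in layers.items():
        hits = named_owner_entries(data)
        print(label, digest(data), hits if hits else "no owner names")
```

Any entry reported by `named_owner_entries` marks a layer whose digest depends on the passwd and group files of whichever machine produced it.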