From 4e3eb659ea1fc9ac5cc6db9c3ef460b67627721c Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Fri, 16 Aug 2024 18:05:12 +0900
Subject: [PATCH] Support reproducible builds (except packages)

See docker-library/official-images issue 16044
- For Debian, `/var/log/*` is removed as they contain timestamps
- For Debian, `/var/cache/ldconfig/aux-cache` is removed as they contain inode numbers, etc.
- For Alpine, virtual package versions are pinned to "0" to eliminate the timestamp-based version numbers that appear in `/etc/apk/world` and `/lib/apk/db/installed`
> [!NOTE]
> The following topics are NOT covered by this commit:
>
> - To reproduce file timestamps in layers, BuildKit has to be executed with
> `--output type=,rewrite-timestamp=true`.
> Needs BuildKit v0.13 or later.
>
> - To reproduce the base image by the hash, reproducers may:
> - modify the `FROM` instruction in Dockerfile manually
> - or, use the `CONVERT` action of source policies to replace the base image.
>
>
> - To reproduce packages, see the `RUN` instruction hook proposed in
> moby/buildkit#4576
Signed-off-by: Akihiro Suda
---
 1.22/alpine3.19/Dockerfile | 2 +-
 1.22/alpine3.20/Dockerfile | 2 +-
 1.22/bookworm/Dockerfile | 4 +++-
 1.22/bullseye/Dockerfile | 4 +++-
 1.23/alpine3.19/Dockerfile | 2 +-
 1.23/alpine3.20/Dockerfile | 2 +-
 1.23/bookworm/Dockerfile | 4 +++-
 1.23/bullseye/Dockerfile | 4 +++-
 Dockerfile-linux.template | 6 ++++--
 9 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/1.22/alpine3.19/Dockerfile b/1.22/alpine3.19/Dockerfile
index fc1ab5ed..1dff956f 100644
--- a/1.22/alpine3.19/Dockerfile
+++ b/1.22/alpine3.19/Dockerfile
@@ -12,7 +12,7 @@ ENV GOLANG_VERSION 1.22.8
 RUN set -eux; \
 now="$(date '+%s')"; \
- apk add --no-cache --virtual .fetch-deps \
+ apk add --no-cache --virtual .fetch-deps=0 \
 ca-certificates \
 gnupg \
 # busybox's "tar" doesn't handle directory mtime correctly, so our SOURCE_DATE_EPOCH lookup doesn't work (the mtime of "/usr/local/go" always ends up being the extraction timestamp)
diff --git a/1.22/alpine3.20/Dockerfile b/1.22/alpine3.20/Dockerfile
index 09e68c3d..3254c1dc 100644
--- a/1.22/alpine3.20/Dockerfile
+++ b/1.22/alpine3.20/Dockerfile
@@ -12,7 +12,7 @@ ENV GOLANG_VERSION 1.22.8
 RUN set -eux; \
 now="$(date '+%s')"; \
- apk add --no-cache --virtual .fetch-deps \
+ apk add --no-cache --virtual .fetch-deps=0 \
 ca-certificates \
 gnupg \
 # busybox's "tar" doesn't handle directory mtime correctly, so our SOURCE_DATE_EPOCH lookup doesn't work (the mtime of "/usr/local/go" always ends up being the extraction timestamp)
diff --git a/1.22/bookworm/Dockerfile b/1.22/bookworm/Dockerfile
index 30267c29..68d342f3 100644
--- a/1.22/bookworm/Dockerfile
+++ b/1.22/bookworm/Dockerfile
@@ -114,7 +114,9 @@ RUN set -eux; \
 make \
 pkg-config \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/* ; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 ENV GOLANG_VERSION 1.22.8
diff --git a/1.22/bullseye/Dockerfile b/1.22/bullseye/Dockerfile
index 72f51f24..b7b77bfa 100644
--- a/1.22/bullseye/Dockerfile
+++ b/1.22/bullseye/Dockerfile
@@ -114,7 +114,9 @@ RUN set -eux; \
 make \
 pkg-config \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/* ; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 ENV GOLANG_VERSION 1.22.8
diff --git a/1.23/alpine3.19/Dockerfile b/1.23/alpine3.19/Dockerfile
index 80e254d4..db038448 100644
--- a/1.23/alpine3.19/Dockerfile
+++ b/1.23/alpine3.19/Dockerfile
@@ -12,7 +12,7 @@ ENV GOLANG_VERSION 1.23.2
 RUN set -eux; \
 now="$(date '+%s')"; \
- apk add --no-cache --virtual .fetch-deps \
+ apk add --no-cache --virtual .fetch-deps=0 \
 ca-certificates \
 gnupg \
 # busybox's "tar" doesn't handle directory mtime correctly, so our SOURCE_DATE_EPOCH lookup doesn't work (the mtime of "/usr/local/go" always ends up being the extraction timestamp)
diff --git a/1.23/alpine3.20/Dockerfile b/1.23/alpine3.20/Dockerfile
index cb9c4baf..c338d2b1 100644
--- a/1.23/alpine3.20/Dockerfile
+++ b/1.23/alpine3.20/Dockerfile
@@ -12,7 +12,7 @@ ENV GOLANG_VERSION 1.23.2
 RUN set -eux; \
 now="$(date '+%s')"; \
- apk add --no-cache --virtual .fetch-deps \
+ apk add --no-cache --virtual .fetch-deps=0 \
 ca-certificates \
 gnupg \
 # busybox's "tar" doesn't handle directory mtime correctly, so our SOURCE_DATE_EPOCH lookup doesn't work (the mtime of "/usr/local/go" always ends up being the extraction timestamp)
diff --git a/1.23/bookworm/Dockerfile b/1.23/bookworm/Dockerfile
index 41fc7d20..85081cb6 100644
--- a/1.23/bookworm/Dockerfile
+++ b/1.23/bookworm/Dockerfile
@@ -114,7 +114,9 @@ RUN set -eux; \
 make \
 pkg-config \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/* ; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 ENV GOLANG_VERSION 1.23.2
diff --git a/1.23/bullseye/Dockerfile b/1.23/bullseye/Dockerfile
index 9213c18b..39779e0c 100644
--- a/1.23/bullseye/Dockerfile
+++ b/1.23/bullseye/Dockerfile
@@ -114,7 +114,9 @@ RUN set -eux; \
 make \
 pkg-config \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/* ; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 ENV GOLANG_VERSION 1.23.2
diff --git a/Dockerfile-linux.template b/Dockerfile-linux.template
index 9c2fb247..9de5bba9 100644
--- a/Dockerfile-linux.template
+++ b/Dockerfile-linux.template
@@ -53,7 +53,7 @@ ENV GOLANG_VERSION {{ .version }}
 RUN set -eux; \
 now="$(date '+%s')"; \
 {{ if is_alpine then ( -}}
- apk add --no-cache --virtual .fetch-deps \
+ apk add --no-cache --virtual .fetch-deps=0 \
 ca-certificates \
 gnupg \
 # busybox's "tar" doesn't handle directory mtime correctly, so our SOURCE_DATE_EPOCH lookup doesn't work (the mtime of "/usr/local/go" always ends up being the extraction timestamp)
@@ -163,7 +163,9 @@ RUN set -eux; \
 make \
 pkg-config \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/* ; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 {{ ) end -}}
 ENV GOLANG_VERSION {{ .version }}
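Review bot: The `=0` appended to `.fetch-deps` on the added `apk add` line is the only trace in the Dockerfile of why the virtual package version is pinned; the Debian branch further down this template carries `# clean up for reproducibility`, but this line has no equivalent, so a later edit could read the suffix as a typo and drop it. A comment directly above the line, such as `# pin the virtual package version: apk otherwise derives one from the build time, which ends up in /etc/apk/world and /lib/apk/db/installed`, would keep the intent next to the code. This RUN continues past the end of the hunk; the `apk del` that presumably removes `.fetch-deps` later in it selects by package name, so the pinned version should not affect it, but that is worth confirming on a built image. The generated 1.22 and 1.23 alpine3.19 and alpine3.20 Dockerfiles repeat the same one-line change and presumably follow this template.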
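Review bot: `rm -rf /var/log/*` on the last added line of the second hunk removes the directories under /var/log (for example /var/log/apt) as well as the timestamped files, which goes beyond what `# clean up for reproducibility` says and may force tools in derived images to recreate those directories; `find /var/log -type f -delete` would drop the same timestamp-bearing content while keeping the tree. The comment could also state what is kept, e.g. `# clean up for reproducibility: /var/log holds timestamps, aux-cache holds inode numbers; the dpkg database in /var/lib/dpkg is kept`, since the package inventory that vulnerability scanners read is not touched here. The preceding added line writes `rm -rf /var/lib/apt/lists/* ; \` with a space before the `;`, unlike the `...; \` form used on the other commands in this RUN, which begins before the hunk. The same hunk is repeated in the generated 1.22 and 1.23 bookworm and bullseye Dockerfiles, presumably regenerated from this template.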