New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docker: improve reproducibility of layers #24947
Conversation
@timclassic, thanks for your PR! By analyzing the history of the files in this pull request, we identified @adnelson, @lethalman and @puffnfresh to be potential reviewers. |
@@ -209,7 +209,7 @@ rec { | |||
|
|||
postMount = '' | |||
echo "Packing raw image..." | |||
tar -C mnt --mtime=0 -cf $out . | |||
tar -C mnt --mtime='@1' -cf $out . |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think technically @0
is the unix epoch, but as long as it's consistent this ought to be fine
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not familiar with this notation; I think a comment explaining it would be helpful.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I chose '@1'
since I duplicated the method found at nixos/lib/make-system-tarball.sh line 57. I have nothing against using '@0'
if desired.
Perhaps I didn't go far enough and should have also included --sort=name
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how about using SOURCE_DATE_EPOCH
instead of setting the value?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm testing with SOURCE_DATE_EPOCH
now. I'll push a new patch if all looks well.
I failed to mention that these changes don't affect the ownership of files that originate from outside of the Nix store (e.g files created using the I believe this is the desired behavior, as it allows me to create files owned by other users in |
This patch fixes file modification times to $SOURCE_DATE_EPOCH, and ensures that files originating from the store are owned by root:root. Both changes improve reproducibility, and the latter allows proper building on a host where the store is owned by a non-root user.
b72e3e4
to
5ca1646
Compare
This patch fixes file modification times to the UNIX epoch, and
ensures that files originating from the store are owned by root. Both
changes improve reproducibility, and the latter allows proper building
on a host where the store is owned by a non-root user.
Motivation for this change
I was building Docker images on a Debian box where the Nix store is owned by my user. I noticed that many files had my UID:GID instead of root:root.
While playing with the fix, I also noticed that the mtimes were not reliable within the generated tarballs. Once I fixed the timestamps, I started getting reproducible builds all the way the Docker image IDs.
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandbox
innix.conf
on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
)