docker: improve reproducibility of layers #24947
Conversation
|
@timclassic, thanks for your PR! By analyzing the history of the files in this pull request, we identified @adnelson, @lethalman and @puffnfresh to be potential reviewers. |
| @@ -209,7 +209,7 @@ rec { | |||
|
|
|||
| postMount = '' | |||
| echo "Packing raw image..." | |||
| tar -C mnt --mtime=0 -cf $out . | |||
| tar -C mnt --mtime='@1' -cf $out . | |||
There was a problem hiding this comment.
I think technically @0 is the unix epoch, but as long as it's consistent this ought to be fine
There was a problem hiding this comment.
I'm not familiar with this notation; I think a comment explaining it would be helpful.
There was a problem hiding this comment.
There was a problem hiding this comment.
I chose '@1' since I duplicated the method found at nixos/lib/make-system-tarball.sh line 57. I have nothing against using '@0' if desired.
Perhaps I didn't go far enough and should have also included --sort=name?
There was a problem hiding this comment.
how about using SOURCE_DATE_EPOCH instead of setting the value?
There was a problem hiding this comment.
I'm testing with SOURCE_DATE_EPOCH now. I'll push a new patch if all looks well.
|
I failed to mention that these changes don't affect the ownership of files that originate from outside of the Nix store (e.g files created using the I believe this is the desired behavior, as it allows me to create files owned by other users in |
This patch fixes file modification times to $SOURCE_DATE_EPOCH, and ensures that files originating from the store are owned by root:root. Both changes improve reproducibility, and the latter allows proper building on a host where the store is owned by a non-root user.
timclassic
force-pushed
the
docker-repro
branch
from
b72e3e4
to
5ca1646
Compare
This patch fixes file modification times to the UNIX epoch, and
ensures that files originating from the store are owned by root. Both
changes improve reproducibility, and the latter allows proper building
on a host where the store is owned by a non-root user.
Motivation for this change
I was building Docker images on a Debian box where the Nix store is owned by my user. I noticed that many files had my UID:GID instead of root:root.
While playing with the fix, I also noticed that the mtimes were not reliable within the generated tarballs. Once I fixed the timestamps, I started getting reproducible builds all the way the Docker image IDs.
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)