docker: improve reproducibility of layers

This patch fixes file modification times to $SOURCE_DATE_EPOCH, and ensures that files originating from the store are owned by root:root. Both changes improve reproducibility, and the latter allows proper building on a host where the store is owned by a non-root user. (cherry picked from commit 5ca1646)
NixOS · Apr 18, 2017 · ea2d55d · ea2d55d
1 parent 40a5498
commit ea2d55d
Showing 1 changed file with 8 additions and 7 deletions.
diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix
@@ -209,7 +209,7 @@ rec {
 
       postMount = ''
         echo "Packing raw image..."
-        tar -C mnt --mtime=0 -cf $out .
+        tar -C mnt --mtime="@$SOURCE_DATE_EPOCH" -cf $out .
       '';
     };
 
@@ -247,7 +247,7 @@ rec {
         echo "Adding contents..."
         for item in $contents; do
           echo "Adding $item"
-          rsync -ak $item/ layer/
+          rsync -ak --chown=0:0 $item/ layer/
         done
       else
         echo "No contents to add to layer."
@@ -260,7 +260,7 @@ rec {
       # Tar up the layer and throw it into 'layer.tar'.
       echo "Packing layer..."
       mkdir $out
-      tar -C layer --mtime=0 -cf $out/layer.tar .
+      tar -C layer --mtime="@$SOURCE_DATE_EPOCH" -cf $out/layer.tar .
 
       # Compute a checksum of the tarball.
       echo "Computing layer checksum..."
@@ -310,7 +310,7 @@ rec {
         echo "Adding contents..."
         for item in ${toString contents}; do
           echo "Adding $item..."
-          rsync -ak $item/ layer/
+          rsync -ak --chown=0:0 $item/ layer/
         done
       '';
 
@@ -340,7 +340,7 @@ rec {
 
         echo "Packing layer..."
         mkdir $out
-        tar -C layer --mtime=0 -cf $out/layer.tar .
+        tar -C layer --mtime="@$SOURCE_DATE_EPOCH" -cf $out/layer.tar .
 
         # Compute the tar checksum and add it to the output json.
         echo "Computing checksum..."
@@ -467,7 +467,8 @@ rec {
         comm <(sort -n baseFiles|uniq) \
              <(sort -n layerFiles|uniq|grep -v ${layer}) -1 -3 > newFiles
         # Append the new files to the layer.
-        tar -rpf temp/layer.tar --mtime=0 --no-recursion --files-from newFiles
+        tar -rpf temp/layer.tar --mtime="@$SOURCE_DATE_EPOCH" \
+          --owner=0 --group=0 --no-recursion --files-from newFiles
 
         echo "Adding meta..."
 
@@ -496,7 +497,7 @@ rec {
         chmod -R a-w image
 
         echo "Cooking the image..."
-        tar -C image --mtime=0 -c . | pigz -nT > $out
+        tar -C image --mtime="@$SOURCE_DATE_EPOCH" -c . | pigz -nT > $out
 
         echo "Finished."
       '';