Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve Docker image build reproducibility #36906

Merged
merged 2 commits into from Mar 21, 2018
Merged

Improve Docker image build reproducibility #36906

merged 2 commits into from Mar 21, 2018

Conversation

nlewo
Copy link
Member

@nlewo nlewo commented Mar 13, 2018
edited

Motivation for this change

Docker archives produced by our docker tools can differ even if the content is the same.

One of these patches dereferences hard links in the tar stream. I don't know how this can increase the size of produced images. On my images, I didn't observe a big difference.

@Profpatsch @kuznero

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@nlewo
dockerTools: dereference hard links in tar archives
346996c 
This is to improve image creation reproducibility. Since the nar
format doesn't support hard link, the tar stream of a layer can be
different if a dependency of a layer has been built locally or if it
has been fetched from a binary cache.

If the dependency has been build locally, it can contain hard links
which are encoded in the tar stream. If the dependency has been
fetched from a binary cache, the tar stream doesn't contain any hard
link. So even if the content is the same, tar streams are different.
@nlewo
dockerTools: add --sort=name options on all tar calls
ac0c491 
This is to go to a reproducible image build.
Note without this options image are identical from the Docker point of
view but generated docker archives could have different hashes.
@nlewo
Copy link
Member Author

nlewo commented Mar 13, 2018

@GrahamcOfBorg test docker-tools

@GrahamcOfBorg
Copy link

No attempt on x86_64-linux

The following builds were skipped because they don't evaluate on x86_64-linux: tests.docker-tools

No log is available.

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: tests.docker-tools

No log is available.

@nlewo nlewo merged commit ea6f55f into NixOS:master Mar 21, 2018
@nlewo
Copy link
Member Author

nlewo commented Mar 21, 2018

I backport it to 18.03.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@globin globin globin approved these changes

@Profpatsch Profpatsch Profpatsch approved these changes

Assignees
No one assigned
Labels
8.has: documentation 10.rebuild-darwin: 0 10.rebuild-linux: 0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@nlewo @GrahamcOfBorg @globin @Profpatsch