Are Guix-generated Docker images reproducible?

Are Guix-generated Docker images reproducible?

[Konrad Hinsen]

Hi everyone,

Suppose you do

  guix time-machine --channels=channels.scm -- \
          pack --format=docker --manifest=manifest.scm

You keep a copy of channels.scm and manifest.scm, and run the same
command a few months (and "guix pull"s) later, can you expect to get the
exact same Docker image file, bit for bit? If not, why not?

Cheers,
  Konrad.

Re: Are Guix-generated Docker images reproducible?

[Suhail Singh]

Konrad Hinsen <konrad.hinsen@fastmail.net> writes:

> Suppose you do
>
>   guix time-machine --channels=channels.scm -- \
>           pack --format=docker --manifest=manifest.scm
>
> You keep a copy of channels.scm and manifest.scm, and run the same
> command a few months (and "guix pull"s) later, can you expect to get the
> exact same Docker image file, bit for bit? If not, why not?

Based on what I have observed, I know that you can get the same docker
image (as identified by the image ID hash) in some instances.  A
necessary condition, I imagine, would have to be for the build results
to be deterministic (i.e., the derivations to be "reproducible").

-- 
Suhail

Re: Are Guix-generated Docker images reproducible?

[Konrad Hinsen]

Hi Ignas and Suhail,

Thanks for your comments!

As you may have guessed, the reason for my question was that I
encountered a non-reproducible Docker image build. And as both of you
point out, the packages entering into the images must be
reproducible. That's something I had actually checked for my specific
case. I was looking for other possible causes.

In the meantime, I found the explanation for my case: the packages in my
image are reproducible, but the profile composed from them is not, due
to a non-deterministic step in profile generation.

For the details: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=73295

Cheers,
  Konrad.

Re: Are Guix-generated Docker images reproducible?

[Suhail Singh]

Konrad Hinsen <konrad.hinsen@fastmail.net> writes:

> As you may have guessed, the reason for my question was that I
> encountered a non-reproducible Docker image build. And as both of you
> point out, the packages entering into the images must be
> reproducible.

Right, that's necessary, but as you observed, not sufficient.

> In the meantime, I found the explanation for my case: the packages in my
> image are reproducible, but the profile composed from them is not, due
> to a non-deterministic step in profile generation.

Good catch!  It would be nice if profile generation preserved
reproducibility.

> For the details: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=73295

Thanks for the reference.

-- 
Suhail

Re: Are Guix-generated Docker images reproducible?

[Simon Tournier]

Hi Konrad,

On lun., 16 sept. 2024 at 13:27, Konrad Hinsen <konrad.hinsen@fastmail.net> wrote:

> Suppose you do
>
>   guix time-machine --channels=channels.scm -- \
>           pack --format=docker --manifest=manifest.scm
>
> You keep a copy of channels.scm and manifest.scm, and run the same
> command a few months (and "guix pull"s) later, can you expect to get the
> exact same Docker image file, bit for bit? If not, why not?

That’s the idea but as noticed in the thread, there is still some
roadblocks to have a bullet-proof machinery.

FWIW, we can go a bit further and ask: if the binary Docker image had
been produced by Guix, and that’s all we have, are we still able to know
exactly how it had been produced?  And thus rebuild it bit-to-bit?

One step in this direction is explained in this post:

  https://hpc.guix.info/blog/2021/10/when-docker-images-become-fixed-point/

And the other steps are the ones noticed. ;-)

Cheers,
simon