From: "Ludovic Courtès" <ludo@gnu.org>
To: 75426@debbugs.gnu.org
Cc: "Simon Josefsson" <simon@josefsson.org>,
"Ludovic Courtès" <ludo@gnu.org>,
"Christopher Baines" <guix@cbaines.net>,
"Josselin Poiret" <dev@jpoiret.xyz>,
"Ludovic Courtès" <ludo@gnu.org>,
"Mathieu Othacehe" <othacehe@gnu.org>,
"Simon Tournier" <zimon.toutoune@gmail.com>,
"Tobias Geerinckx-Rice" <me@tobias.gr>
Subject: [bug#75426] [PATCH] docker: Build tarballs reproducibly.
Date: Tue, 7 Jan 2025 23:55:33 +0100 [thread overview]
Message-ID: <ab1044307c88a61032be563b73e325eb9cf339ba.1736290435.git.ludo@gnu.org> (raw)
Fixes <https://issues.guix.gnu.org/75090>.
* guix/docker.scm (tar): New procedure.
(create-empty-tar, build-docker-image): Use it instead of calling
‘invoke’ directly.
Reported-by: Simon Josefsson <simon@josefsson.org>
Change-Id: Ia899c43ed6a3809ff845de0953e3d38cccf24609
---
guix/docker.scm | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/guix/docker.scm b/guix/docker.scm
index b33c5824dd..d9764f61fb 100644
--- a/guix/docker.scm
+++ b/guix/docker.scm
@@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2017, 2018, 2019, 2021 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2017-2019, 2021, 2025 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2018 Chris Marusich <cmmarusich@gmail.com>
;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2023 Oleg Pykhalov <go.wigust@gmail.com>
@@ -170,8 +170,15 @@ (define (size-sorted-store-items items max-layers)
(1- items-length)))))
(list head tail)))
+(define (tar . arguments)
+ "Invoke 'tar' with the given ARGUMENTS together with options to build
+tarballs in a reproducible fashion."
+ (apply invoke "tar" "--mtime=@1"
+ "--owner=0" "--group=0" "--numeric-owner"
+ "--sort=name" "--mode=go+u,go-w" arguments))
+
(define (create-empty-tar file)
- (invoke "tar" "-cf" file "--files-from" "/dev/null"))
+ (tar "-cf" file "--files-from" "/dev/null"))
(define* (build-docker-image image paths prefix
#:key
@@ -255,7 +262,7 @@ (define* (build-docker-image image paths prefix
(file-name (string-append file-hash "/layer.tar")))
(mkdir file-hash)
(rename-file "layer.tar" file-name)
- (invoke "tar" "-rf" "image.tar" file-name)
+ (tar "-rf" "image.tar" file-name)
(delete-file file-name)
file-hash))
(define layers-hashes
@@ -268,20 +275,20 @@ (define* (build-docker-image image paths prefix
(let* ((head-layers
(map
(lambda (file)
- (invoke "tar" "cf" "layer.tar" file)
+ (tar "cf" "layer.tar" file)
(seal-layer))
head))
(tail-layer
(begin
(create-empty-tar "layer.tar")
(for-each (lambda (file)
- (invoke "tar" "-rf" "layer.tar" file))
+ (tar "-rf" "layer.tar" file))
tail)
(let* ((file-hash (layer-diff-id "layer.tar"))
(file-name (string-append file-hash "/layer.tar")))
(mkdir file-hash)
(rename-file "layer.tar" file-name)
- (invoke "tar" "-rf" "image.tar" file-name)
+ (tar "-rf" "image.tar" file-name)
(delete-file file-name)
file-hash)))
(customization-layer
@@ -290,7 +297,7 @@ (define* (build-docker-image image paths prefix
(file-name (string-append file-hash "/layer.tar")))
(mkdir file-hash)
(rename-file file-id file-name)
- (invoke "tar" "-rf" "image.tar" file-name)
+ (tar "-rf" "image.tar" file-name)
file-hash))
(all-layers
(append head-layers (list tail-layer customization-layer))))
@@ -300,7 +307,7 @@ (define* (build-docker-image image paths prefix
(map (cut string-append <> "/layer.tar")
all-layers)
repository))))
- (invoke "tar" "-rf" "image.tar" "manifest.json")
+ (tar "-rf" "image.tar" "manifest.json")
all-layers))))
(let* ((directory "/tmp/docker-image") ;temporary working directory
(id (docker-id prefix))
@@ -388,7 +395,7 @@ (define* (build-docker-image image paths prefix
#:entry-point entry-point))))
(if max-layers
(begin
- (invoke "tar" "-rf" "image.tar" "config.json")
+ (tar "-rf" "image.tar" "config.json")
(if compressor
(begin
(apply invoke `(,@compressor "image.tar"))
base-commit: eeb019eb595bbb29f83389deb2fc823ed6402dd5
--
2.47.1
reply other threads:[~2025-01-07 22:57 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ab1044307c88a61032be563b73e325eb9cf339ba.1736290435.git.ludo@gnu.org \
--to=ludo@gnu.org \
--cc=75426@debbugs.gnu.org \
--cc=dev@jpoiret.xyz \
--cc=guix@cbaines.net \
--cc=me@tobias.gr \
--cc=othacehe@gnu.org \
--cc=simon@josefsson.org \
--cc=zimon.toutoune@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).