[bug#75426] [PATCH] docker: Build tarballs reproducibly.

unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed

* [bug#75426] [PATCH] docker: Build tarballs reproducibly.
@ 2025-01-07 22:55 Ludovic Courtès
  0 siblings, 0 replies; only message in thread
From: Ludovic Courtès @ 2025-01-07 22:55 UTC (permalink / raw)
  To: 75426
  Cc: Simon Josefsson, Ludovic Courtès, Christopher Baines,
	Josselin Poiret, Ludovic Courtès, Mathieu Othacehe,
	Simon Tournier, Tobias Geerinckx-Rice

Fixes <https://issues.guix.gnu.org/75090>.

* guix/docker.scm (tar): New procedure.
(create-empty-tar, build-docker-image): Use it instead of calling
‘invoke’ directly.

Reported-by: Simon Josefsson <simon@josefsson.org>
Change-Id: Ia899c43ed6a3809ff845de0953e3d38cccf24609
---
 guix/docker.scm | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/guix/docker.scm b/guix/docker.scm
index b33c5824dd..d9764f61fb 100644
--- a/guix/docker.scm
+++ b/guix/docker.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2017, 2018, 2019, 2021 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2017-2019, 2021, 2025 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2018 Chris Marusich <cmmarusich@gmail.com>
 ;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2023 Oleg Pykhalov <go.wigust@gmail.com>
@@ -170,8 +170,15 @@ (define (size-sorted-store-items items max-layers)
                     (1- items-length)))))
     (list head tail)))
 
+(define (tar . arguments)
+  "Invoke 'tar' with the given ARGUMENTS together with options to build
+tarballs in a reproducible fashion."
+  (apply invoke "tar" "--mtime=@1"
+         "--owner=0" "--group=0" "--numeric-owner"
+         "--sort=name" "--mode=go+u,go-w" arguments))
+
 (define (create-empty-tar file)
-  (invoke "tar" "-cf" file "--files-from" "/dev/null"))
+  (tar "-cf" file "--files-from" "/dev/null"))
 
 (define* (build-docker-image image paths prefix
                              #:key
@@ -255,7 +262,7 @@ (define* (build-docker-image image paths prefix
            (file-name (string-append file-hash "/layer.tar")))
       (mkdir file-hash)
       (rename-file "layer.tar" file-name)
-      (invoke "tar" "-rf" "image.tar" file-name)
+      (tar "-rf" "image.tar" file-name)
       (delete-file file-name)
       file-hash))
   (define layers-hashes
@@ -268,20 +275,20 @@ (define* (build-docker-image image paths prefix
        (let* ((head-layers
                (map
                 (lambda (file)
-                  (invoke "tar" "cf" "layer.tar" file)
+                  (tar "cf" "layer.tar" file)
                   (seal-layer))
                 head))
               (tail-layer
                (begin
                  (create-empty-tar "layer.tar")
                  (for-each (lambda (file)
-                             (invoke "tar" "-rf" "layer.tar" file))
+                             (tar "-rf" "layer.tar" file))
                            tail)
                  (let* ((file-hash (layer-diff-id "layer.tar"))
                         (file-name (string-append file-hash "/layer.tar")))
                    (mkdir file-hash)
                    (rename-file "layer.tar" file-name)
-                   (invoke "tar" "-rf" "image.tar" file-name)
+                   (tar "-rf" "image.tar" file-name)
                    (delete-file file-name)
                    file-hash)))
               (customization-layer
@@ -290,7 +297,7 @@ (define* (build-docker-image image paths prefix
                       (file-name (string-append file-hash "/layer.tar")))
                  (mkdir file-hash)
                  (rename-file file-id file-name)
-                 (invoke "tar" "-rf" "image.tar" file-name)
+                 (tar "-rf" "image.tar" file-name)
                  file-hash))
               (all-layers
                (append head-layers (list tail-layer customization-layer))))
@@ -300,7 +307,7 @@ (define* (build-docker-image image paths prefix
                                   (map (cut string-append <> "/layer.tar")
                                        all-layers)
                                   repository))))
-         (invoke "tar" "-rf" "image.tar" "manifest.json")
+         (tar "-rf" "image.tar" "manifest.json")
          all-layers))))
   (let* ((directory "/tmp/docker-image") ;temporary working directory
          (id (docker-id prefix))
@@ -388,7 +395,7 @@ (define* (build-docker-image image paths prefix
                    #:entry-point entry-point))))
       (if max-layers
           (begin
-            (invoke "tar" "-rf" "image.tar" "config.json")
+            (tar "-rf" "image.tar" "config.json")
             (if compressor
                 (begin
                   (apply invoke `(,@compressor "image.tar"))

base-commit: eeb019eb595bbb29f83389deb2fc823ed6402dd5
-- 
2.47.1





^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2025-01-07 22:57 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-01-07 22:55 [bug#75426] [PATCH] docker: Build tarballs reproducibly Ludovic Courtès

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).