Are Guix-generated Docker images reproducible?

Are Guix-generated Docker images reproducible?

[Konrad Hinsen]

Hi everyone,

Suppose you do

  guix time-machine --channels=channels.scm -- \
          pack --format=docker --manifest=manifest.scm

You keep a copy of channels.scm and manifest.scm, and run the same
command a few months (and "guix pull"s) later, can you expect to get the
exact same Docker image file, bit for bit? If not, why not?

Cheers,
  Konrad.

Re: Are Guix-generated Docker images reproducible?

[Ignas Lapėnas]

Hi,

Most packages are reproducable, and should get you the exact same docker
image file. 

https://qa.guix.gnu.org/reproducible-builds

As far as I know, it is possible, that source code is no longer
available and unreachable (There might be something already for long
term storage, but that I do not know), then the image might not
build. Or there might be tests that depend on time for some reason.

Hope that helps.

Konrad Hinsen <konrad.hinsen@fastmail.net> writes:

> Hi everyone,
>
> Suppose you do
>
>   guix time-machine --channels=channels.scm -- \
>           pack --format=docker --manifest=manifest.scm
>
> You keep a copy of channels.scm and manifest.scm, and run the same
> command a few months (and "guix pull"s) later, can you expect to get the
> exact same Docker image file, bit for bit? If not, why not?
>
> Cheers,
>   Konrad.

-- 
Best Regards,
Ignas Lapėnas

Re: Are Guix-generated Docker images reproducible?

[Suhail Singh]

Konrad Hinsen <konrad.hinsen@fastmail.net> writes:

> Suppose you do
>
>   guix time-machine --channels=channels.scm -- \
>           pack --format=docker --manifest=manifest.scm
>
> You keep a copy of channels.scm and manifest.scm, and run the same
> command a few months (and "guix pull"s) later, can you expect to get the
> exact same Docker image file, bit for bit? If not, why not?

Based on what I have observed, I know that you can get the same docker
image (as identified by the image ID hash) in some instances.  A
necessary condition, I imagine, would have to be for the build results
to be deterministic (i.e., the derivations to be "reproducible").

-- 
Suhail

Re: Are Guix-generated Docker images reproducible?

[Konrad Hinsen]

Hi Ignas and Suhail,

Thanks for your comments!

As you may have guessed, the reason for my question was that I
encountered a non-reproducible Docker image build. And as both of you
point out, the packages entering into the images must be
reproducible. That's something I had actually checked for my specific
case. I was looking for other possible causes.

In the meantime, I found the explanation for my case: the packages in my
image are reproducible, but the profile composed from them is not, due
to a non-deterministic step in profile generation.

For the details: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=73295

Cheers,
  Konrad.

Re: Are Guix-generated Docker images reproducible?

[Suhail Singh]

Konrad Hinsen <konrad.hinsen@fastmail.net> writes:

> As you may have guessed, the reason for my question was that I
> encountered a non-reproducible Docker image build. And as both of you
> point out, the packages entering into the images must be
> reproducible.

Right, that's necessary, but as you observed, not sufficient.

> In the meantime, I found the explanation for my case: the packages in my
> image are reproducible, but the profile composed from them is not, due
> to a non-deterministic step in profile generation.

Good catch!  It would be nice if profile generation preserved
reproducibility.

> For the details: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=73295

Thanks for the reference.

-- 
Suhail