blablacar / dgr

Container build and runtime tool
Apache License 2.0

support for reproducible builds #225

Open mark-kubacki opened 7 years ago

mark-kubacki commented 7 years ago

This contribution implements support for reproducible builds with dgr.

That is, if the scripts and tools used within the builder and target environment (equals "build environment" in our case) allow for such builds, then using dgr will result in a reproducibly built ACI image.

dgr's function is that of a packager, hence its responsibilities are deterministically ordered content in said image, and pinned datetimes – especially modification datetimes. This requires us to upgrade tar to ≥1.29 for its new features, and to expose those arguments to templating of the aci-manifest.yml, which is the precursor of the APPC manifest. Everything else is already done by rkt.

The sole setting which the user needs to set is the build epoch (a fixed datetime), like this:

aci:
  annotations:
    - name: build-date
      value: '2016-12-15T20:00:00+01:00'

I have created a reproducible build as demonstration which you can try from here: https://github.com/Blitznote/baseimage Any two runs result in binary identical image.aci files.
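The two packager responsibilities described above (deterministically ordered content and pinned modification times) can be seen in isolation with Go's archive/tar. This is an added illustration, not dgr's own code; the file set and the build epoch value are constructed for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// BuildEpoch plays the role of the build-date annotation: one fixed datetime
// that is stamped onto every entry so mtimes never depend on when the build ran.
var BuildEpoch = time.Date(2016, 12, 15, 20, 0, 0, 0, time.FixedZone("CET", 3600))

// ReproducibleTar packs files into a tar stream with sorted entry order,
// the pinned mtime and host-independent ownership, so two runs are byte-identical.
func ReproducibleTar(files map[string][]byte) ([]byte, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names) // map iteration order is random; sorting fixes the layout

	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, name := range names {
		hdr := &tar.Header{
			Name: name, Mode: 0644, Size: int64(len(files[name])),
			ModTime: BuildEpoch, Uid: 0, Gid: 0, Typeflag: tar.TypeReg,
		}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write(files[name]); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// ArchiveDigest returns the hex SHA-256 of the archive; equal digests across
// runs are the check a reviewer would make on the resulting image.
func ArchiveDigest(files map[string][]byte) (string, error) {
	data, err := ReproducibleTar(files)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]), nil
}

func main() {
	files := map[string][]byte{"manifest": []byte("{}"), "rootfs/bin/app": []byte("#!/bin/sh\n")}
	a, _ := ArchiveDigest(files)
	b, _ := ArchiveDigest(files)
	fmt.Println(a == b, a) // same digest on every run
}
```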

mark-kubacki commented 7 years ago

Please note that Github displays my commits in a different order than git or submitted.

This is the output of two runs of the demo: reproducible-builds-for-rkt

I am sorry, but I will, categorically, not work around any false errors thrown by Travis, the CI system, due to Travis using an outdated or incomplete OS installation. (realpath is part of the Linux/GNU coreutils, and should not be missing.)

Please test on your local machine(s).

mark-kubacki commented 7 years ago

rebased, please mind the commit hashes

mark-kubacki commented 7 years ago

Another reproducible build as example and motivation for this feature: https://github.com/wmark/aci-avorion-server

n0rad commented 7 years ago

Sorry it's just that I don't have a lot of time this days. Will get back to it soon.

mark-kubacki commented 7 years ago

rebased, fixed an example which timed out

Globegitter commented 7 years ago

Would be great to see support for this.

mark-kubacki commented 7 years ago

Thanks for your review. I'll address the issues tomorrow.

The result should ideally be independent of the building app (dgr), hence I've made exclude part of this.

mark-kubacki commented 7 years ago

I've begun splitting this into smaller chunks and filing them as separate PRs, and am waiting for #238 to be merged to rebase and proceed.

mark-kubacki commented 7 years ago

Waiting on #238 to rebase and move this forward.