mafredri
commented
2 months ago The conclusion from this PoC is that:
- It is possible to repeatedly produce the same final image hash without actually extracting cache layers and executing commands
- This requires enabling reproducible builds in Kaniko (https://github.com/coder/envbuilder/pull/213)
- Kaniko reproducible builds modify the layers in the final image to remove timestamps and changes the compression algorithm (fixed in https://github.com/coder/kaniko/pull/12)
- With a few changes, Kaniko can report the hash for directives in the Dockerfile
- Example: A directive like
COPY ./file /fileconsists of two hashes, the actual directive (COPY ./file /file) and the hash of the./file. The hash we're referring to is a combination of these two.
- Example: A directive like
The 1. solution is fairly straight forward and has been demonstrated in #213.
The 2. solution can be more flexible (doesn't require reproducible builds), but would need to develop a way to map hash + hash + hash -> final image. This would means tagging the image with a custom tag (perhaps a combination of all build layer hashes).
This issue tracks the implementation of a PoC to validate the path forward for #128.
To support #185, we must be able to figure out if a cached layer image is valid, given the state of files relevant to building the container (think contents of
Dockerfile,devcontainer.json, and hashes of any files pulled in viaCOPY-directive).In this PoC, we will implement this logic (files -> layer) as a subcommand of envbulider. This will require parsing and understanding of
Dockerfileto understand if a change modifies the outcome, and which layers remain intact.