The docker images contain a fixed /etc/machine-id

[Tuxdude]

I noticed that the debian 11.2-slim and possibly other docker images contain a static /etc/machine-id file.

The current one I see in 11.2 and 11.2-slim is the following.

$ docker run --rm -it debian:11.2-slim cat /etc/machine-id
88544b92092430bc5d3fbbffc12a2f04

$ docker run --rm -it debian:11.2 cat /etc/machine-id
88544b92092430bc5d3fbbffc12a2f04

A different value seems to be in 11.1 for example which indicates the ID in the rootfs that is used here is the ID coming from the machine where the rootfs tarballs get generated.

$ docker run --rm -it debian:11.1 cat /etc/machine-id
85f94e57ab75f80918cab17d001eac85

Instead, I feel there should be a 0-byte file which seems to be the norm to indicate there is no valid machine ID currently.

[tianon]

Ah, good catch -- it's not entirely static; it's generated from a checksum of the timestamp which generated the image (so it's deterministic for an individual build, but different for each updated build): https://github.com/debuerreotype/debuerreotype/blob/32f390b0eff8eeb01fdec135ddc6eab06850c826/scripts/debuerreotype-init#L182-L185

Looking at the spec for machine-id (https://www.freedesktop.org/software/systemd/man/machine-id.html), I think it should probably not exist at all (but that or an empty file would both be more "correct" than our current value, I think).

I guess ultimately it would probably make sense for Docker, et al to be injecting an appropriate machine-id into the container (based on the container ID or something) but I think that ship has sailed a bit. :disappointed:

I wonder how common it is for software to be reading/using this file inside containers -- I would hope it's not very common, but I'd love to have a better gauge of potential breakage if we remove it from such a common base image than just my own gut. :see_no_evil: