GNU bug report logs - #75090
Make 'guix pack -f docker' tarballs reproducible?
Your message dated Sat, 25 Jan 2025 00:07:13 +0100
with message-id <87wmejbyla.fsf <at> gnu.org>
and subject line Re: [bug#75426] [PATCH] docker: Build tarballs reproducibly.
has caused the debbugs.gnu.org bug report #75090,
regarding Make 'guix pack -f docker' tarballs reproducible?
to be marked as done.
(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)
--
75090: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=75090
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
Hi
I am creating docker archives using:
guix pack guix bash-minimal coreutils-minimal net-base --save-provenance -S /bin=bin -S /share=share -f docker --image-tag=guix --max-layers=8 --verbosity=2
To my surprise the output was not reproducible between re-runs.
The reason is because of the timestamp and ownership information in the
outer tarball. The internals are identical and reproducible. See
diffoscope output below.
I tried to work around it by wrapping either the 'guix pack' or
'guix-daemon' commands with this environment variable, which I suggest
for inspiration as additional parameters to tar:
TAR_OPTIONS="--owner=0 --group=0 --numeric-owner --sort=name --mode=go+u,go-w --mtime=@0"
I would prefer 'guix pack' produced reproducible archives by default.
Alternatively, provide a way to allow me as user to specify some
parameters for 'guix pack' to make that happen.
/Simon
jas <at> kaka:~/src/guix-container$ diffoscope stage1-docker-pack.tar.gz-1 stage1-docker-pack.tar.gz-2
--- stage1-docker-pack.tar.gz-1
+++ stage1-docker-pack.tar.gz-2
│ --- stage1-docker-pack.tar.gz-1-content
├── +++ stage1-docker-pack.tar.gz-2-content
│ ├── file list
│ │ @@ -1,10 +1,10 @@
│ │ --rw-r--r-- 0 nixbld (997) nixbld (999) 421457920 2024-12-25 16:31:15.000000 sha256:e69812bf459ea0fba42d1d6fd518410a4e588ddd4e4c007ddb4dd48c9c04293a/layer.tar
│ │ --rw-r--r-- 0 nixbld (997) nixbld (999) 56330240 2024-12-25 16:31:16.000000 sha256:45e67bf9fcad2f255f20dc614224b9e4260da1b63f2a361c2479e1ed64a9210a/layer.tar
│ │ --rw-r--r-- 0 nixbld (997) nixbld (999) 37632000 2024-12-25 16:31:16.000000 sha256:a8d1b46be57ba5a41051dedcf2d8d7bb2f13a9d58078729a962d04f5178274ba/layer.tar
│ │ --rw-r--r-- 0 nixbld (997) nixbld (999) 41523200 2024-12-25 16:31:16.000000 sha256:0756f500c123ba4f34cda21e5232932799fd36c15243f7fcb1ef38ff6ec7533d/layer.tar
│ │ --rw-r--r-- 0 nixbld (997) nixbld (999) 37806080 2024-12-25 16:31:17.000000 sha256:bf18d11d88b81af3f6fb49b7d4b092d479b7967ac8dc4980cc381170997c6ccf/layer.tar
│ │ --rw-r--r-- 0 nixbld (997) nixbld (999) 17582080 2024-12-25 16:31:17.000000 sha256:9263a9904763737f9e8bdf08ca52cede34c2fa9e99abe7f9ef273111752cb2ca/layer.tar
│ │ --rw-r--r-- 0 nixbld (997) nixbld (999) 147763200 2024-12-25 16:31:20.000000 sha256:3d9a70bc298db46d9fdd95badacd3ec5586f3965110bb85b748be6bcfc57b171/layer.tar
│ │ --rw-r--r-- 0 nixbld (997) nixbld (999) 10240 2024-12-25 16:31:14.000000 sha256:3fb6718bc797283e8283fe1b843596ace2e62db47d5b38d228a64a6bbb7c3564/layer.tar
│ │ --rw-r--r-- 0 nixbld (997) nixbld (999) 736 2024-12-25 16:31:21.000000 manifest.json
│ │ --rw-r--r-- 0 nixbld (997) nixbld (999) 842 2024-12-25 16:31:21.000000 config.json
│ │ +-rw-r--r-- 0 nixbld (997) nixbld (999) 421457920 2024-12-25 16:41:20.000000 sha256:e69812bf459ea0fba42d1d6fd518410a4e588ddd4e4c007ddb4dd48c9c04293a/layer.tar
│ │ +-rw-r--r-- 0 nixbld (997) nixbld (999) 56330240 2024-12-25 16:41:21.000000 sha256:45e67bf9fcad2f255f20dc614224b9e4260da1b63f2a361c2479e1ed64a9210a/layer.tar
│ │ +-rw-r--r-- 0 nixbld (997) nixbld (999) 37632000 2024-12-25 16:41:22.000000 sha256:a8d1b46be57ba5a41051dedcf2d8d7bb2f13a9d58078729a962d04f5178274ba/layer.tar
│ │ +-rw-r--r-- 0 nixbld (997) nixbld (999) 41523200 2024-12-25 16:41:22.000000 sha256:0756f500c123ba4f34cda21e5232932799fd36c15243f7fcb1ef38ff6ec7533d/layer.tar
│ │ +-rw-r--r-- 0 nixbld (997) nixbld (999) 37806080 2024-12-25 16:41:22.000000 sha256:bf18d11d88b81af3f6fb49b7d4b092d479b7967ac8dc4980cc381170997c6ccf/layer.tar
│ │ +-rw-r--r-- 0 nixbld (997) nixbld (999) 17582080 2024-12-25 16:41:23.000000 sha256:9263a9904763737f9e8bdf08ca52cede34c2fa9e99abe7f9ef273111752cb2ca/layer.tar
│ │ +-rw-r--r-- 0 nixbld (997) nixbld (999) 147763200 2024-12-25 16:41:25.000000 sha256:3d9a70bc298db46d9fdd95badacd3ec5586f3965110bb85b748be6bcfc57b171/layer.tar
│ │ +-rw-r--r-- 0 nixbld (997) nixbld (999) 10240 2024-12-25 16:41:19.000000 sha256:3fb6718bc797283e8283fe1b843596ace2e62db47d5b38d228a64a6bbb7c3564/layer.tar
│ │ +-rw-r--r-- 0 nixbld (997) nixbld (999) 736 2024-12-25 16:41:26.000000 manifest.json
│ │ +-rw-r--r-- 0 nixbld (997) nixbld (999) 842 2024-12-25 16:41:26.000000 config.json
jas <at> kaka:~/src/guix-container$
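Added example, not part of the original report and not Guix's code: the normalisation that the TAR_OPTIONS string above asks for, applied with Python's tarfile module instead of GNU tar, plus a check that lists the header fields which differ between runs in the diffoscope listing. The names MEMBERS, normalize, pack and audit are hypothetical, the member contents and timestamps are constructed, and uid 997 / user nixbld are taken from the listing.

```python
import io
import tarfile

# Constructed stand-ins for the entries of the outer Docker archive.
MEMBERS = {"manifest.json": b"[]", "config.json": b"{}", "layer.tar": b"\0" * 512}


def normalize(info):
    """Mirror the TAR_OPTIONS string from the report on one tar header."""
    info.uid = info.gid = info.mtime = 0         # --owner=0 --group=0 --mtime=@0
    info.uname = info.gname = ""                 # --numeric-owner
    user = (info.mode >> 6) & 0o7                # --mode=go+u,go-w
    group = (((info.mode >> 3) & 0o7) | user) & 0o5
    other = ((info.mode & 0o7) | user) & 0o5
    info.mode = (info.mode & 0o7700) | (group << 3) | other
    return info


def pack(build_time, uid, reproducible):
    """Build the archive as build user `uid` would at `build_time`."""
    buf = io.BytesIO()
    names = sorted(MEMBERS) if reproducible else list(MEMBERS)  # --sort=name
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(MEMBERS[name]), 0o644
            info.mtime, info.uid, info.gid = build_time, uid, uid
            info.uname = info.gname = "nixbld"
            tar.addfile(normalize(info) if reproducible else info,
                        io.BytesIO(MEMBERS[name]))
    return buf.getvalue()


def audit(archive):
    """List header fields that tie an archive to when or where it was built."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        members = tar.getmembers()
    names = [m.name for m in members]
    findings = [] if names == sorted(names) else ["members not sorted by name"]
    for m in members:
        if m.mtime != 0:
            findings.append(f"{m.name}: mtime={m.mtime}")
        if m.uid or m.gid or m.uname or m.gname:
            findings.append(f"{m.name}: owner={m.uname or m.uid}:{m.gname or m.gid}")
    return findings


if __name__ == "__main__":
    print(audit(pack(1735144281, 997, False)))
```

Two normalised builds made at different times by different users are byte-identical, so their checksums match; audit returns an empty list for them.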
[Message part 5 (message/rfc822, inline)]
Ludovic Courtès <ludo <at> gnu.org> wrote:
> Fixes <https://issues.guix.gnu.org/75090>.
>
> * guix/docker.scm (tar): New procedure.
> (create-empty-tar, build-docker-image): Use it instead of calling
> ‘invoke’ directly.
>
> Reported-by: Simon Josefsson <simon <at> josefsson.org>
> Change-Id: Ia899c43ed6a3809ff845de0953e3d38cccf24609
Pushed as 646202bf73f90de4f9b7cc66248b8f8e6e381014.
Ludo’.