From 96567017ddf3893e68c8a782ef941982784d9568 Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Thu, 2 May 2024 15:35:36 +0900 Subject: [PATCH] Support reproducible builds (except packages) See docker-library/official-images issue 16044 - `SOURCE_DATE_EPOCH` is added. The value is consumed by the build scripts to make the binary reproducible. - For Debian, `/var/log/*` is removed as they contain timestamps - For Debian, `/var/cache/ldconfig/aux-cache` is removed as it contains inode numbers, etc. - For Alpine, virtual package versions are pinned to "0" to eliminate the timestamp-based version numbers that appear in `/etc/apk/world` and `/lib/apk/db/installed` > [!NOTE] > The following topics are NOT covered by this commit: > > - To reproduce file timestamps in layers, BuildKit has to be executed with > `--output type=<TYPE>,rewrite-timestamp=true`. > Needs BuildKit v0.13 or later. > > - To reproduce the base image by the hash, reproducers may: > - modify the `FROM` instruction in Dockerfile manually > - or, use the `CONVERT` action of source policies to replace the base image. > > > - To reproduce packages, see the `RUN` instruction hook proposed in > moby/buildkit issue 4576 Also, Alpine-based images still have the following diff: ```diff diff -ur /tmp/foo/diff/input-0/layers-3/lib/apk/db/installed /tmp/foo/diff/input-1/layers-3/lib/apk/db/installed --- /tmp/foo/diff/input-0/layers-3/lib/apk/db/installed 2024-04-26 07:07:33.000000000 +0900 +++ /tmp/foo/diff/input-1/layers-3/lib/apk/db/installed 2024-04-26 07:07:33.000000000 +0900 @@ -1,4 +1,4 @@ -C:Q1z4Lv7mwS00FpNJwDUHdH70eM2ic= +C:Q1gHSJHNX/rtq0yNsVTKaNb96s8Mk= P:.ruby-rundeps V:0 A:noarch ``` 
Signed-off-by: Akihiro Suda --- 3.1/alpine3.19/Dockerfile | 15 ++++++++++++--- 3.1/alpine3.20/Dockerfile | 15 ++++++++++++--- 3.1/bookworm/Dockerfile | 12 ++++++++++++ 3.1/bullseye/Dockerfile | 12 ++++++++++++ 3.1/slim-bookworm/Dockerfile | 16 +++++++++++++++- 3.1/slim-bullseye/Dockerfile | 16 +++++++++++++++- 3.2/alpine3.19/Dockerfile | 15 ++++++++++++--- 3.2/alpine3.20/Dockerfile | 15 ++++++++++++--- 3.2/bookworm/Dockerfile | 12 ++++++++++++ 3.2/bullseye/Dockerfile | 12 ++++++++++++ 3.2/slim-bookworm/Dockerfile | 16 +++++++++++++++- 3.2/slim-bullseye/Dockerfile | 16 +++++++++++++++- 3.3/alpine3.19/Dockerfile | 15 ++++++++++++--- 3.3/alpine3.20/Dockerfile | 15 ++++++++++++--- 3.3/bookworm/Dockerfile | 12 ++++++++++++ 3.3/bullseye/Dockerfile | 12 ++++++++++++ 3.3/slim-bookworm/Dockerfile | 16 +++++++++++++++- 3.3/slim-bullseye/Dockerfile | 16 +++++++++++++++- 3.4-rc/alpine3.19/Dockerfile | 15 ++++++++++++--- 3.4-rc/alpine3.20/Dockerfile | 15 ++++++++++++--- 3.4-rc/bookworm/Dockerfile | 12 ++++++++++++ 3.4-rc/bullseye/Dockerfile | 12 ++++++++++++ 3.4-rc/slim-bookworm/Dockerfile | 16 +++++++++++++++- 3.4-rc/slim-bullseye/Dockerfile | 16 +++++++++++++++- Dockerfile.template | 23 +++++++++++++++++++---- 25 files changed, 331 insertions(+), 36 deletions(-) diff --git a/3.1/alpine3.19/Dockerfile b/3.1/alpine3.19/Dockerfile index b35693036..16ad58ad8 100644 --- a/3.1/alpine3.19/Dockerfile +++ b/3.1/alpine3.19/Dockerfile @@ -6,6 +6,10 @@ FROM alpine:3.19 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apk add --no-cache \ bzip2 \ 
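Review bot: `ENV SOURCE_DATE_EPOCH 0` persists into the runtime environment of every container started from these images, not only the build, so any tool a user runs inside the image that honors the variable (RubyGems when packaging a gem, tar, gzip and similar) will stamp 1970-01-01 on its output, and the comment above it only explains why ENV was chosen over `--build-arg`, not this side effect. An ENV cannot be unset later in the Dockerfile, so either the runtime effect should be documented next to it (`# NOTE: this ENV is also visible at container runtime; tools that honor SOURCE_DATE_EPOCH (e.g. gem build) will emit 1970 timestamps unless it is overridden`) or the value should be prefixed onto the individual RUN instructions that need it. Independently, the instruction uses the legacy space-separated form that BuildKit's LegacyKeyValueFormat check flags; `ENV SOURCE_DATE_EPOCH=0` is the current syntax. This hunk is repeated verbatim in every generated Dockerfile in the commit, so the fix belongs in Dockerfile.template, which is outside this view.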
@@ -36,7 +40,7 @@ ENV RUBY_DOWNLOAD_SHA256 597bd1849f252d8a6863cb5d38014ac54152b508c36dca156f6356a # we purge system ruby later to make sure our final image uses what we just built RUN set -eux; \ \ - apk add --no-cache --virtual .ruby-builddeps \ + apk add --no-cache --virtual .ruby-builddeps=0 \ autoconf \ bison \ bzip2 \ @@ -79,14 +83,19 @@ RUN set -eux; \ # https://github.com/docker-library/ruby/issues/196 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source) # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here) +# patch: --force is set for reproducing timestamps wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \ echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \ - patch -p1 -i thread-stack-fix.patch; \ + patch --set-utc --force -p1 -i thread-stack-fix.patch; \ rm thread-stack-fix.patch; \ \ # the configure script does not detect isnan/isinf as macros export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -112,7 +121,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .ruby-rundeps $runDeps; \ + apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \ apk del --no-network .ruby-builddeps; \ \ cd /; \ diff --git a/3.1/alpine3.20/Dockerfile b/3.1/alpine3.20/Dockerfile index fd1ce5075..8e4f34baa 100644 --- a/3.1/alpine3.20/Dockerfile +++ b/3.1/alpine3.20/Dockerfile 
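Review bot: The derived `SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"` can silently end up empty: the RUN sets `-eux` but not pipefail, so only `head`'s exit status is checked and a failing `find`/`stat` leaves the variable blank, after which the build's behaviour depends on how the following `date --date "@$SOURCE_DATE_EPOCH"` treats a bare `@` rather than failing at the point of the problem. A one-line guard right after the export, `[ -n "$SOURCE_DATE_EPOCH" ];`, makes that failure explicit. Because this value feeds every timestamp the build embeds, a why-comment would also help, e.g. `# newest mtime in the sha256-verified tarball plus the --set-utc'd patch: a function of the inputs, not of the build host clock`. `--force` on `patch` additionally disables the reversed/already-applied detection and its prompt; that is acceptable here only because the patch body is pinned by `sha256sum --check --strict` on the preceding line, which the terse `# patch: --force is set for reproducing timestamps` comment could state. The RUN instruction these lines belong to begins and ends outside the hunk.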
@@ -6,6 +6,10 @@ FROM alpine:3.20 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apk add --no-cache \ bzip2 \ @@ -36,7 +40,7 @@ ENV RUBY_DOWNLOAD_SHA256 597bd1849f252d8a6863cb5d38014ac54152b508c36dca156f6356a # we purge system ruby later to make sure our final image uses what we just built RUN set -eux; \ \ - apk add --no-cache --virtual .ruby-builddeps \ + apk add --no-cache --virtual .ruby-builddeps=0 \ autoconf \ bison \ bzip2 \ @@ -79,14 +83,19 @@ RUN set -eux; \ # https://github.com/docker-library/ruby/issues/196 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source) # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here) +# patch: --force is set for reproducing timestamps wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \ echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \ - patch -p1 -i thread-stack-fix.patch; \ + patch --set-utc --force -p1 -i thread-stack-fix.patch; \ rm thread-stack-fix.patch; \ \ # the configure script does not detect isnan/isinf as macros export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ 
@@ -112,7 +121,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .ruby-rundeps $runDeps; \ + apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \ apk del --no-network .ruby-builddeps; \ \ cd /; \ diff --git a/3.1/bookworm/Dockerfile b/3.1/bookworm/Dockerfile index 384052911..dc0767774 100644 --- a/3.1/bookworm/Dockerfile +++ b/3.1/bookworm/Dockerfile @@ -6,6 +6,10 @@ FROM buildpack-deps:bookworm +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # skip installing gem documentation RUN set -eux; \ mkdir -p /usr/local/etc; \ @@ -34,6 +38,8 @@ RUN set -eux; \ ruby \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O ruby.tar.xz "$RUBY_DOWNLOAD_URL"; \ echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum --check --strict; \ @@ -44,6 +50,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -74,6 +84,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.1/bullseye/Dockerfile b/3.1/bullseye/Dockerfile index 8b6e39e87..a8bc7acd4 100644 --- a/3.1/bullseye/Dockerfile +++ b/3.1/bullseye/Dockerfile 
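Review bot: `rm -rf /var/log/* /var/cache/ldconfig/aux-cache` removes the directories under /var/log as well as their files (e.g. /var/log/apt), and it discards the dpkg/apt install history that image scanners and incident responders use to answer what was installed when; neither consequence is mentioned in the `# clean up for reproducibility` comment. dpkg and apt appear to only warn when their log paths cannot be opened, so a later `apt-get install` by a user of the image should still succeed, but the warnings are avoidable with `find /var/log -type f -delete`, which drops the timestamped content while keeping the directory layout. The installed-package manifest survives in /var/lib/dpkg/status, so the audit trail is not entirely lost; a one-line comment saying so would pre-empt the question. These two lines recur in every Debian-based Dockerfile in the commit and should be changed once in Dockerfile.template, which is outside this view.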
@@ -6,6 +6,10 @@ FROM buildpack-deps:bullseye +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # skip installing gem documentation RUN set -eux; \ mkdir -p /usr/local/etc; \ @@ -34,6 +38,8 @@ RUN set -eux; \ ruby \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O ruby.tar.xz "$RUBY_DOWNLOAD_URL"; \ echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum --check --strict; \ @@ -44,6 +50,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -74,6 +84,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.1/slim-bookworm/Dockerfile b/3.1/slim-bookworm/Dockerfile index 626c5bab4..aed4de526 100644 --- a/3.1/slim-bookworm/Dockerfile +++ b/3.1/slim-bookworm/Dockerfile @@ -6,6 +6,10 @@ FROM debian:bookworm-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ 
@@ -18,7 +22,9 @@ RUN set -eux; \ procps \ zlib1g-dev \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # skip installing gem documentation RUN set -eux; \ @@ -61,6 +67,8 @@ RUN set -eux; \ xz-utils \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O ruby.tar.xz "$RUBY_DOWNLOAD_URL"; \ echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum --check --strict; \ @@ -71,6 +79,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -101,6 +113,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.1/slim-bullseye/Dockerfile b/3.1/slim-bullseye/Dockerfile index 66594aec2..54ea33d9e 100644 --- a/3.1/slim-bullseye/Dockerfile +++ b/3.1/slim-bullseye/Dockerfile @@ -6,6 +6,10 @@ FROM debian:bullseye-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ @@ -18,7 +22,9 @@ RUN set -eux; \ procps \ zlib1g-dev \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # skip installing gem documentation RUN set -eux; \ 
@@ -61,6 +67,8 @@ RUN set -eux; \ xz-utils \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ wget -O ruby.tar.xz "$RUBY_DOWNLOAD_URL"; \ echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum --check --strict; \ @@ -71,6 +79,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -101,6 +113,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.2/alpine3.19/Dockerfile b/3.2/alpine3.19/Dockerfile index a8c92e9cf..388a248e1 100644 --- a/3.2/alpine3.19/Dockerfile +++ b/3.2/alpine3.19/Dockerfile @@ -6,6 +6,10 @@ FROM alpine:3.19 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apk add --no-cache \ bzip2 \ @@ -36,7 +40,7 @@ ENV RUBY_DOWNLOAD_SHA256 e7f1653d653232ec433472489a91afbc7433c9f760cc822defe7437 # we purge system ruby later to make sure our final image uses what we just built RUN set -eux; \ \ - apk add --no-cache --virtual .ruby-builddeps \ + apk add --no-cache --virtual .ruby-builddeps=0 \ autoconf \ bison \ bzip2 \ 
@@ -101,14 +105,19 @@ RUN set -eux; \ # https://github.com/docker-library/ruby/issues/196 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source) # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here) +# patch: --force is set for reproducing timestamps wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \ echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \ - patch -p1 -i thread-stack-fix.patch; \ + patch --set-utc --force -p1 -i thread-stack-fix.patch; \ rm thread-stack-fix.patch; \ \ # the configure script does not detect isnan/isinf as macros export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -136,7 +145,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .ruby-rundeps $runDeps; \ + apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \ apk del --no-network .ruby-builddeps; \ \ cd /; \ diff --git a/3.2/alpine3.20/Dockerfile b/3.2/alpine3.20/Dockerfile index acafda504..3e56b6605 100644 --- a/3.2/alpine3.20/Dockerfile +++ b/3.2/alpine3.20/Dockerfile @@ -6,6 +6,10 @@ FROM alpine:3.20 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apk add --no-cache \ bzip2 \ 
@@ -36,7 +40,7 @@ ENV RUBY_DOWNLOAD_SHA256 e7f1653d653232ec433472489a91afbc7433c9f760cc822defe7437 # we purge system ruby later to make sure our final image uses what we just built RUN set -eux; \ \ - apk add --no-cache --virtual .ruby-builddeps \ + apk add --no-cache --virtual .ruby-builddeps=0 \ autoconf \ bison \ bzip2 \ @@ -101,14 +105,19 @@ RUN set -eux; \ # https://github.com/docker-library/ruby/issues/196 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source) # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here) +# patch: --force is set for reproducing timestamps wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \ echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \ - patch -p1 -i thread-stack-fix.patch; \ + patch --set-utc --force -p1 -i thread-stack-fix.patch; \ rm thread-stack-fix.patch; \ \ # the configure script does not detect isnan/isinf as macros export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -136,7 +145,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .ruby-rundeps $runDeps; \ + apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \ apk del --no-network .ruby-builddeps; \ \ cd /; \ diff --git a/3.2/bookworm/Dockerfile b/3.2/bookworm/Dockerfile index 74ce1a0df..649820636 100644 --- a/3.2/bookworm/Dockerfile +++ b/3.2/bookworm/Dockerfile 
@@ -6,6 +6,10 @@ FROM buildpack-deps:bookworm +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # skip installing gem documentation RUN set -eux; \ mkdir -p /usr/local/etc; \ @@ -34,6 +38,8 @@ RUN set -eux; \ ruby \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ @@ -66,6 +72,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -98,6 +108,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.2/bullseye/Dockerfile b/3.2/bullseye/Dockerfile index 2b070f6c2..2e8e26e57 100644 --- a/3.2/bullseye/Dockerfile +++ b/3.2/bullseye/Dockerfile @@ -6,6 +6,10 @@ FROM buildpack-deps:bullseye +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # skip installing gem documentation RUN set -eux; \ mkdir -p /usr/local/etc; \ @@ -34,6 +38,8 @@ RUN set -eux; \ ruby \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ 
@@ -66,6 +72,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -98,6 +108,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.2/slim-bookworm/Dockerfile b/3.2/slim-bookworm/Dockerfile index bf66d8db0..8e0f92501 100644 --- a/3.2/slim-bookworm/Dockerfile +++ b/3.2/slim-bookworm/Dockerfile @@ -6,6 +6,10 @@ FROM debian:bookworm-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ @@ -18,7 +22,9 @@ RUN set -eux; \ procps \ zlib1g-dev \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # skip installing gem documentation RUN set -eux; \ @@ -61,6 +67,8 @@ RUN set -eux; \ xz-utils \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ 
@@ -93,6 +101,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -125,6 +137,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.2/slim-bullseye/Dockerfile b/3.2/slim-bullseye/Dockerfile index 23897b7fa..e8fa2cd91 100644 --- a/3.2/slim-bullseye/Dockerfile +++ b/3.2/slim-bullseye/Dockerfile @@ -6,6 +6,10 @@ FROM debian:bullseye-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ @@ -18,7 +22,9 @@ RUN set -eux; \ procps \ zlib1g-dev \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # skip installing gem documentation RUN set -eux; \ @@ -61,6 +67,8 @@ RUN set -eux; \ xz-utils \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ 
@@ -93,6 +101,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -125,6 +137,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.3/alpine3.19/Dockerfile b/3.3/alpine3.19/Dockerfile index 7e260e9f3..07bf8f51a 100644 --- a/3.3/alpine3.19/Dockerfile +++ b/3.3/alpine3.19/Dockerfile @@ -6,6 +6,10 @@ FROM alpine:3.19 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apk add --no-cache \ bzip2 \ @@ -36,7 +40,7 @@ ENV RUBY_DOWNLOAD_SHA256 b5e8a8ed4a47cdd9a3358b5bdd998c37bd9e971ca63766a37d5ae59 # we purge system ruby later to make sure our final image uses what we just built RUN set -eux; \ \ - apk add --no-cache --virtual .ruby-builddeps \ + apk add --no-cache --virtual .ruby-builddeps=0 \ autoconf \ bzip2 \ bzip2-dev \ 
@@ -99,14 +103,19 @@ RUN set -eux; \ # https://github.com/docker-library/ruby/issues/196 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source) # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here) +# patch: --force is set for reproducing timestamps wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \ echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \ - patch -p1 -i thread-stack-fix.patch; \ + patch --set-utc --force -p1 -i thread-stack-fix.patch; \ rm thread-stack-fix.patch; \ \ # the configure script does not detect isnan/isinf as macros export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -134,7 +143,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .ruby-rundeps $runDeps; \ + apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \ apk del --no-network .ruby-builddeps; \ \ cd /; \ diff --git a/3.3/alpine3.20/Dockerfile b/3.3/alpine3.20/Dockerfile index 87e5746f7..b1e05ece3 100644 --- a/3.3/alpine3.20/Dockerfile +++ b/3.3/alpine3.20/Dockerfile @@ -6,6 +6,10 @@ FROM alpine:3.20 +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apk add --no-cache \ bzip2 \ 
@@ -36,7 +40,7 @@ ENV RUBY_DOWNLOAD_SHA256 b5e8a8ed4a47cdd9a3358b5bdd998c37bd9e971ca63766a37d5ae59 # we purge system ruby later to make sure our final image uses what we just built RUN set -eux; \ \ - apk add --no-cache --virtual .ruby-builddeps \ + apk add --no-cache --virtual .ruby-builddeps=0 \ autoconf \ bzip2 \ bzip2-dev \ @@ -99,14 +103,19 @@ RUN set -eux; \ # https://github.com/docker-library/ruby/issues/196 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source) # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here) +# patch: --force is set for reproducing timestamps wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \ echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \ - patch -p1 -i thread-stack-fix.patch; \ + patch --set-utc --force -p1 -i thread-stack-fix.patch; \ rm thread-stack-fix.patch; \ \ # the configure script does not detect isnan/isinf as macros export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -134,7 +143,7 @@ RUN set -eux; \ | sort -u \ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ )"; \ - apk add --no-network --virtual .ruby-rundeps $runDeps; \ + apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \ apk del --no-network .ruby-builddeps; \ \ cd /; \ diff --git a/3.3/bookworm/Dockerfile b/3.3/bookworm/Dockerfile index 8f68b3132..3395b5124 100644 --- a/3.3/bookworm/Dockerfile +++ b/3.3/bookworm/Dockerfile 
@@ -6,6 +6,10 @@ FROM buildpack-deps:bookworm +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # skip installing gem documentation RUN set -eux; \ mkdir -p /usr/local/etc; \ @@ -33,6 +37,8 @@ RUN set -eux; \ ruby \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ @@ -65,6 +71,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -97,6 +107,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.3/bullseye/Dockerfile b/3.3/bullseye/Dockerfile index 1a5c62143..93cc72d06 100644 --- a/3.3/bullseye/Dockerfile +++ b/3.3/bullseye/Dockerfile @@ -6,6 +6,10 @@ FROM buildpack-deps:bullseye +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + # skip installing gem documentation RUN set -eux; \ mkdir -p /usr/local/etc; \ @@ -33,6 +37,8 @@ RUN set -eux; \ ruby \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ 
@@ -65,6 +71,10 @@ RUN set -eux; \ \ cd /usr/src/ruby; \ \ + SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \ + export SOURCE_DATE_EPOCH; \ +# for logging validation/edification + date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \ # hack in "ENABLE_PATH_CHECK" disabling to suppress: # warning: Insecure world writable dir { \ @@ -97,6 +107,8 @@ RUN set -eux; \ | xargs -r apt-mark manual \ ; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ cd /; \ rm -r /usr/src/ruby; \ diff --git a/3.3/slim-bookworm/Dockerfile b/3.3/slim-bookworm/Dockerfile index ecb3ac6c4..3009f1252 100644 --- a/3.3/slim-bookworm/Dockerfile +++ b/3.3/slim-bookworm/Dockerfile @@ -6,6 +6,10 @@ FROM debian:bookworm-slim +# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact. +# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282 +ENV SOURCE_DATE_EPOCH 0 + RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ @@ -18,7 +22,9 @@ RUN set -eux; \ procps \ zlib1g-dev \ ; \ - rm -rf /var/lib/apt/lists/* + rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache # skip installing gem documentation RUN set -eux; \ @@ -59,6 +65,8 @@ RUN set -eux; \ xz-utils \ ; \ rm -rf /var/lib/apt/lists/*; \ +# clean up for reproducibility + rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\ \ rustArch=; \ dpkgArch="$(dpkg --print-architecture)"; \ 
@@ -91,6 +99,10 @@ RUN set -eux; \
 \
 cd /usr/src/ruby; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -123,6 +135,8 @@ RUN set -eux; \
 | xargs -r apt-mark manual \
 ; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 cd /; \
 rm -r /usr/src/ruby; \
diff --git a/3.3/slim-bullseye/Dockerfile b/3.3/slim-bullseye/Dockerfile
index 1a04eb133..e3cf93b74 100644
--- a/3.3/slim-bullseye/Dockerfile
+++ b/3.3/slim-bullseye/Dockerfile
@@ -6,6 +6,10 @@ FROM debian:bullseye-slim
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact.
+# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282
+ENV SOURCE_DATE_EPOCH 0
+
 RUN set -eux; \
 apt-get update; \
 apt-get install -y --no-install-recommends \
@@ -18,7 +22,9 @@ RUN set -eux; \
 procps \
 zlib1g-dev \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 # skip installing gem documentation
 RUN set -eux; \
@@ -59,6 +65,8 @@ RUN set -eux; \
 xz-utils \
 ; \
 rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 rustArch=; \
 dpkgArch="$(dpkg --print-architecture)"; \
@@ -91,6 +99,10 @@ RUN set -eux; \
 \
 cd /usr/src/ruby; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -123,6 +135,8 @@ RUN set -eux; \
 | xargs -r apt-mark manual \
 ; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 cd /; \
 rm -r /usr/src/ruby; \
diff --git a/3.4-rc/alpine3.19/Dockerfile b/3.4-rc/alpine3.19/Dockerfile
index 9eb48f142..b7584c176 100644
--- a/3.4-rc/alpine3.19/Dockerfile
+++ b/3.4-rc/alpine3.19/Dockerfile
@@ -6,6 +6,10 @@ FROM alpine:3.19
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact.
+# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282
+ENV SOURCE_DATE_EPOCH 0
+
 RUN set -eux; \
 apk add --no-cache \
 bzip2 \
@@ -36,7 +40,7 @@ ENV RUBY_DOWNLOAD_SHA256 4ee4ec44366050d4b2ee1d88034cc63e0b9174a1a6650285777f3d3
 # we purge system ruby later to make sure our final image uses what we just built
 RUN set -eux; \
 \
- apk add --no-cache --virtual .ruby-builddeps \
+ apk add --no-cache --virtual .ruby-builddeps=0 \
 autoconf \
 bzip2 \
 bzip2-dev \
@@ -99,14 +103,19 @@ RUN set -eux; \
 # https://github.com/docker-library/ruby/issues/196
 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source)
 # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here)
+# patch: --force is set for reproducing timestamps
 wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \
 echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \
- patch -p1 -i thread-stack-fix.patch; \
+ patch --set-utc --force -p1 -i thread-stack-fix.patch; \
 rm thread-stack-fix.patch; \
 \
 # the configure script does not detect isnan/isinf as macros
 export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -134,7 +143,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .ruby-rundeps $runDeps; \
+ apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \
 apk del --no-network .ruby-builddeps; \
 \
 cd /; \
diff --git a/3.4-rc/alpine3.20/Dockerfile b/3.4-rc/alpine3.20/Dockerfile
index 3417b89dc..19d3e09bf 100644
--- a/3.4-rc/alpine3.20/Dockerfile
+++ b/3.4-rc/alpine3.20/Dockerfile
@@ -6,6 +6,10 @@ FROM alpine:3.20
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact.
+# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282
+ENV SOURCE_DATE_EPOCH 0
+
 RUN set -eux; \
 apk add --no-cache \
 bzip2 \
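Review bot: The new comment `# patch: --force is set for reproducing timestamps` explains the flag only half-way: `--set-utc` is what stamps the patched file from the patch header, and `--force` is needed because patch otherwise refuses to set the time when the file's original mtime does not match the header. `--force` also tells patch to skip some of its own sanity checks (reversed-patch detection, for one), which is acceptable here only because the patch content is pinned by the `sha256sum --check --strict` line just above; that dependency is worth writing down, e.g. `# patch: --set-utc stamps the file from the patch header; --force lets it do so even when the original mtime differs (safe only because the content is sha256-pinned above)`. The enclosing RUN starts and ends outside the hunk; the same comment appears in the 3.4-rc/alpine3.20 hunk and in the `@@ -210,15 +218,20 @@` hunk of Dockerfile.template.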
@@ -36,7 +40,7 @@ ENV RUBY_DOWNLOAD_SHA256 4ee4ec44366050d4b2ee1d88034cc63e0b9174a1a6650285777f3d3
 # we purge system ruby later to make sure our final image uses what we just built
 RUN set -eux; \
 \
- apk add --no-cache --virtual .ruby-builddeps \
+ apk add --no-cache --virtual .ruby-builddeps=0 \
 autoconf \
 bzip2 \
 bzip2-dev \
@@ -99,14 +103,19 @@ RUN set -eux; \
 # https://github.com/docker-library/ruby/issues/196
 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source)
 # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here)
+# patch: --force is set for reproducing timestamps
 wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \
 echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \
- patch -p1 -i thread-stack-fix.patch; \
+ patch --set-utc --force -p1 -i thread-stack-fix.patch; \
 rm thread-stack-fix.patch; \
 \
 # the configure script does not detect isnan/isinf as macros
 export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -134,7 +143,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .ruby-rundeps $runDeps; \
+ apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \
 apk del --no-network .ruby-builddeps; \
 \
 cd /; \
diff --git a/3.4-rc/bookworm/Dockerfile b/3.4-rc/bookworm/Dockerfile
index 4b736cbbf..f0d0a0c10 100644
--- a/3.4-rc/bookworm/Dockerfile
+++ b/3.4-rc/bookworm/Dockerfile
@@ -6,6 +6,10 @@ FROM buildpack-deps:bookworm
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact.
+# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282
+ENV SOURCE_DATE_EPOCH 0
+
 # skip installing gem documentation
 RUN set -eux; \
 mkdir -p /usr/local/etc; \
@@ -33,6 +37,8 @@ RUN set -eux; \
 ruby \
 ; \
 rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 rustArch=; \
 dpkgArch="$(dpkg --print-architecture)"; \
@@ -65,6 +71,10 @@ RUN set -eux; \
 \
 cd /usr/src/ruby; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -97,6 +107,8 @@ RUN set -eux; \
 | xargs -r apt-mark manual \
 ; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 cd /; \
 rm -r /usr/src/ruby; \
diff --git a/3.4-rc/bullseye/Dockerfile b/3.4-rc/bullseye/Dockerfile
index bc900b2d0..7b3fc9916 100644
--- a/3.4-rc/bullseye/Dockerfile
+++ b/3.4-rc/bullseye/Dockerfile
@@ -6,6 +6,10 @@ FROM buildpack-deps:bullseye
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact.
+# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282
+ENV SOURCE_DATE_EPOCH 0
+
 # skip installing gem documentation
 RUN set -eux; \
 mkdir -p /usr/local/etc; \
@@ -33,6 +37,8 @@ RUN set -eux; \
 ruby \
 ; \
 rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 rustArch=; \
 dpkgArch="$(dpkg --print-architecture)"; \
@@ -65,6 +71,10 @@ RUN set -eux; \
 \
 cd /usr/src/ruby; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -97,6 +107,8 @@ RUN set -eux; \
 | xargs -r apt-mark manual \
 ; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 cd /; \
 rm -r /usr/src/ruby; \
diff --git a/3.4-rc/slim-bookworm/Dockerfile b/3.4-rc/slim-bookworm/Dockerfile
index b74c10f52..dc23454fb 100644
--- a/3.4-rc/slim-bookworm/Dockerfile
+++ b/3.4-rc/slim-bookworm/Dockerfile
@@ -6,6 +6,10 @@ FROM debian:bookworm-slim
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact.
+# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282
+ENV SOURCE_DATE_EPOCH 0
+
 RUN set -eux; \
 apt-get update; \
 apt-get install -y --no-install-recommends \
@@ -18,7 +22,9 @@ RUN set -eux; \
 procps \
 zlib1g-dev \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 # skip installing gem documentation
 RUN set -eux; \
@@ -59,6 +65,8 @@ RUN set -eux; \
 xz-utils \
 ; \
 rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 rustArch=; \
 dpkgArch="$(dpkg --print-architecture)"; \
@@ -91,6 +99,10 @@ RUN set -eux; \
 \
 cd /usr/src/ruby; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -123,6 +135,8 @@ RUN set -eux; \
 | xargs -r apt-mark manual \
 ; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 cd /; \
 rm -r /usr/src/ruby; \
diff --git a/3.4-rc/slim-bullseye/Dockerfile b/3.4-rc/slim-bullseye/Dockerfile
index c7a484607..3de5704d5 100644
--- a/3.4-rc/slim-bullseye/Dockerfile
+++ b/3.4-rc/slim-bullseye/Dockerfile
@@ -6,6 +6,10 @@ FROM debian:bullseye-slim
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact.
+# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282
+ENV SOURCE_DATE_EPOCH 0
+
 RUN set -eux; \
 apt-get update; \
 apt-get install -y --no-install-recommends \
@@ -18,7 +22,9 @@ RUN set -eux; \
 procps \
 zlib1g-dev \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 # skip installing gem documentation
 RUN set -eux; \
@@ -59,6 +65,8 @@ RUN set -eux; \
 xz-utils \
 ; \
 rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 rustArch=; \
 dpkgArch="$(dpkg --print-architecture)"; \
@@ -91,6 +99,10 @@ RUN set -eux; \
 \
 cd /usr/src/ruby; \
 \
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -123,6 +135,8 @@ RUN set -eux; \
 | xargs -r apt-mark manual \
 ; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 \
 cd /; \
 rm -r /usr/src/ruby; \
diff --git a/Dockerfile.template b/Dockerfile.template
index 66466f944..754da3f16 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -13,6 +13,10 @@ FROM debian:{{ env.variant | ltrimstr("slim-") }}-slim
 FROM buildpack-deps:{{ env.variant }}
 {{ ) end -}}
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact.
+# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282
+ENV SOURCE_DATE_EPOCH 0
+
 {{ if is_alpine then ( -}}
 RUN set -eux; \
 apk add --no-cache \
@@ -38,7 +42,9 @@ RUN set -eux; \
 procps \
 zlib1g-dev \
 ; \
- rm -rf /var/lib/apt/lists/*
+ rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache
 {{ ) else "" end -}}
 # skip installing gem documentation
@@ -61,7 +67,7 @@ ENV RUBY_DOWNLOAD_SHA256 {{ .sha256.xz }}
 RUN set -eux; \
 \
 {{ if is_alpine then ( -}}
- apk add --no-cache --virtual .ruby-builddeps \
+ apk add --no-cache --virtual .ruby-builddeps=0 \
 autoconf \
 {{ if [ "3.1", "3.2" ] | index(env.version | rtrimstr("-rc")) then ( -}}
 {{ # https://github.com/docker-library/ruby/pull/438 -}}
@@ -126,6 +132,8 @@ RUN set -eux; \
 {{ ) else "" end -}}
 ; \
 rm -rf /var/lib/apt/lists/*; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 {{ ) end -}}
 {{ if .rust.version then ( -}}
 \
@@ -210,15 +218,20 @@ RUN set -eux; \
 # https://github.com/docker-library/ruby/issues/196
 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source)
 # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here)
+# patch: --force is set for reproducing timestamps
 wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \
 echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \
- patch -p1 -i thread-stack-fix.patch; \
+ patch --set-utc --force -p1 -i thread-stack-fix.patch; \
 rm thread-stack-fix.patch; \
 \
 # the configure script does not detect isnan/isinf as macros
 export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \
 \
 {{ ) else "" end -}}
+ SOURCE_DATE_EPOCH="$(find . -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 # warning: Insecure world writable dir
 { \
@@ -251,7 +264,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .ruby-rundeps $runDeps; \
+ apk add --no-network --virtual .ruby-rundeps=0 $runDeps; \
 apk del --no-network .ruby-builddeps; \
 {{ ) else ( -}}
 apt-mark auto '.*' > /dev/null; \
@@ -265,6 +278,8 @@ RUN set -eux; \
 | xargs -r apt-mark manual \
 ; \
 apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+# clean up for reproducibility
+ rm -rf /var/log/* /var/cache/ldconfig/aux-cache ;\
 {{ ) end -}}
 \
 cd /; \