Skip to content

Commit

Permalink
Support reproducible builds (except packages)
Browse files Browse the repository at this point in the history
See docker-library/official-images issue 16044

- `SOURCE_DATE_EPOCH` is added.
  The value is consumed by the build scripts to make the binary reproducible.

- For Debian, `/var/log/*` is removed as they contain timestamps

- For Debian, `/var/cache/ldconfig/aux-cache` is removed as they contain inode numbers, etc.

- For Alpine, virtual package versions are pinned to "0" to eliminate
  the timestamp-based version numbers that appear in `/etc/apk/world` and `/lib/apk/db/installed`

- For Alpine, `/var/cache/fontconfig` is removed

> [!NOTE]
> The following topics are NOT covered by this commit:
>
> - To reproduce file timestamps in layers, BuildKit has to be executed with
>   `--output type=<TYPE>,rewrite-timestamp=true`.
>   Needs BuildKit v0.13 or later.
>
> - To reproduce the base image by the hash, reproducers may:
>   - modify the `FROM` instruction in Dockerfile manually
>   - or, use the `CONVERT` action of source policies to replace the base image.
>     <https://github.com/moby/buildkit/blob/v0.13.2/docs/build-repro.md>
>
> - To reproduce packages, see the `RUN` instruction hook proposed in
>   moby/buildkit issue 4576

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
  • Loading branch information
AkihiroSuda committed Oct 20, 2024
1 parent c85650e commit c73b916
Show file tree
Hide file tree
Showing 22 changed files with 198 additions and 44 deletions.
20 changes: 15 additions & 5 deletions Dockerfile.template
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,10 @@
-}}
FROM php:{{ env.phpVersion }}-{{ env.variant }}

# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact.
# This is not propagated from --build-arg: https://github.com/moby/buildkit/issues/4576#issuecomment-2159501282
ENV SOURCE_DATE_EPOCH 0

{{ if env.version != "cli" then ( -}}
# persistent dependencies
{{ if is_alpine then ( -}}
Expand All @@ -15,15 +19,19 @@ RUN set -eux; \
ghostscript \
# Alpine package for "imagemagick" contains ~120 .so files, see: https://github.com/docker-library/wordpress/pull/497
imagemagick \
;
; \
# clean up for reproducibility
rm -rf /var/cache/fontconfig
{{ ) else ( -}}
RUN set -eux; \
apt-get update; \
apt-get install -y --no-install-recommends \
# Ghostscript is required for rendering PDF previews
ghostscript \
; \
rm -rf /var/lib/apt/lists/*
rm -rf /var/lib/apt/lists/* ; \
# clean up for reproducibility
rm -rf /var/log/* /var/cache/ldconfig/aux-cache
{{ ) end -}}
{{ ) else ( -}}
# install wp-cli dependencies
Expand All @@ -43,7 +51,7 @@ WORKDIR /var/www/html
RUN set -ex; \
\
{{ if is_alpine then ( -}}
apk add --no-cache --virtual .build-deps \
apk add --no-cache --virtual .build-deps=0 \
$PHPIZE_DEPS \
freetype-dev \
icu-dev \
Expand Down Expand Up @@ -123,7 +131,7 @@ RUN set -ex; \
| sort -u \
| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
)"; \
apk add --no-network --virtual .wordpress-phpexts-rundeps $runDeps; \
apk add --no-network --virtual .wordpress-phpexts-rundeps=0 $runDeps; \
apk del --no-network .build-deps; \
{{ ) else ( -}}
# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
Expand All @@ -139,6 +147,8 @@ RUN set -ex; \
\
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
rm -rf /var/lib/apt/lists/*; \
# clean up for reproducibility
rm -rf /var/log/* /var/cache/ldconfig/aux-cache; \
{{ ) end -}}
\
! { ldd "$extDir"/*.so | grep 'not found'; }; \
Expand Down Expand Up @@ -247,7 +257,7 @@ ENV WORDPRESS_CLI_SHA512 {{ .sha512 }}

RUN set -ex; \
\
apk add --no-cache --virtual .fetch-deps \
apk add --no-cache --virtual .fetch-deps=0 \
gnupg \
; \
\
Expand Down
10 changes: 9 additions & 1 deletion beta/php8.1/apache/Dockerfile

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

12 changes: 9 additions & 3 deletions beta/php8.1/fpm-alpine/Dockerfile

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 9 additions & 1 deletion beta/php8.1/fpm/Dockerfile

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 9 additions & 1 deletion beta/php8.2/apache/Dockerfile

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

12 changes: 9 additions & 3 deletions beta/php8.2/fpm-alpine/Dockerfile

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 9 additions & 1 deletion beta/php8.2/fpm/Dockerfile

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 9 additions & 1 deletion beta/php8.3/apache/Dockerfile

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

12 changes: 9 additions & 3 deletions beta/php8.3/fpm-alpine/Dockerfile

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 9 additions & 1 deletion beta/php8.3/fpm/Dockerfile

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit c73b916

Please sign in to comment.