[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
Deterministic timestamps and deterministic apt-get
Akihiro Suda, NTT
Demo: https://github.com/reproducible-containers/repro-get/releases/tag/v0.3.0
2. What are reproducible builds?
Dockerfile:
FROM ubuntu
RUN apt-get install -y gcc make ...
RUN make
Build: Dockerfile -> OCI Image sha256:6ea7098583cb6c9470570df28c154cfec58e122188382cd4a7ceab8a9a79cb67 (the slide shows three builds of the same Dockerfile, all yielding this same digest)
OCI = Open Container Initiative
• Same source, same binary
• Attestable by anybody, at anytime
But often needs a specific (virtual) machine
3. Why do we need reproducible builds?
• Because we want to verify the actual source code of the binary, not the claimed source code
• actual != claimed, when the build env is compromised, or when the developer is malicious
• If the builds are reproducible, we can be sure that actual == claimed
4. Not a panacea…
• Reproducibility has nothing to do with whether the source code is safe to use
• The source code may still contain malicious code
• Reproducible builds make sense only when you review the source code
5. Why couldn’t we make them reproducible?
• Timestamps
  – Timestamps of the files in tar layers
  – Timestamps in OCI Image Spec JSONs (“org.opencontainers.image.created”, etc.)
• “aptgettable” packages
  – The package version changes on every invocation of apt-get, dnf, etc.
• Filesystem characteristics
  – Hardlinks, xattrs, …
6. BuildKit v0.11 supports reproducible builds! 🎉
https://github.com/moby/buildkit
• BuildKit: a modern image building framework made for Docker/Moby
  – Embedded in the Docker daemon since Docker 18.06
  – Can also be used with Kubernetes, nerdctl, Podman, etc.
• v0.11 (Jan 2023) contains built-in support for reproducing timestamps
  – Thanks to Tõnis Tiigi (Docker) for a large portion of the work
• Still needs a very complex Dockerfile
  – v0.12 will require less complex Dockerfiles
7. Reproducing timestamps
• The SOURCE_DATE_EPOCH build arg can be used for specifying the UNIX epoch
• Conforms to: https://reproducible-builds.org/specs/source-date-epoch/
• Usually set to $(git log -1 --pretty=%ct)
• The build arg is exposed to the “RUN” containers as an env var
• The build arg is also consumed by BuildKit itself for the timestamps in the OCI JSONs (but not for the file timestamps in the tar layers, in v0.11)
$ buildctl build --opt build-arg:SOURCE_DATE_EPOCH=<uint64> ...
https://github.com/moby/buildkit/blob/v0.11/docs/build-repro.md
8. Caveats in v0.11 (Being resolved in PR #3560, targeted for v0.12)
• The file timestamps in the tar layers need to be explicitly touch-ed
• The layers have to be squashed to remove unreproducible overlayfs whiteouts
• Mount points can be created only under /dev (tmpfs)
• Hardlinks are not reproducible depending on the filesystem snapshotter
Touch-ing the file timestamps:
ARG SOURCE_DATE_EPOCH
# Reset every writable file newer than SOURCE_DATE_EPOCH, skipping /dev, /mnt, /proc and /sys
RUN find $( ls / | grep -E -v "^(dev|mnt|proc|sys)$" ) \
      -newermt "@${SOURCE_DATE_EPOCH}" -writable -xdev \
      | xargs touch --date="@${SOURCE_DATE_EPOCH}" --no-dereference
Squashing the layers:
FROM scratch
COPY --from=0 / /
Creating mount points under /dev:
RUN --mount=type=cache,target=/dev/.cache ...
https://github.com/moby/buildkit/blob/v0.11/docs/build-repro.md
https://github.com/moby/buildkit/pull/3560
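The timestamp normalisation of slides 7 and 8, as an added example that is not from the slides or from BuildKit: it clamps the mtimes of a plain directory tree to SOURCE_DATE_EPOCH the way the Dockerfile's find/touch does, counts what is still newer as a check, and compares layer digests the way the demo compares 0-oci.tar and 1-oci.tar. Assumes GNU find, tar and coreutils; the tree and epoch value are constructed.

```shell
#!/bin/sh
# Added example, not from the slides or from BuildKit: the timestamp
# normalisation of slides 7 and 8 applied to a plain directory tree, so that it
# can be run and checked outside a Dockerfile. Assumes GNU find, tar, coreutils.
set -eu

# Clamp every mtime under ROOT that is newer than EPOCH to exactly EPOCH. This
# is what the Dockerfile's "find ... | xargs touch" does to the image rootfs;
# -exec ... + is used here so paths containing whitespace survive.
clamp_mtimes() {                    # clamp_mtimes ROOT EPOCH
    find "$1" -xdev -newermt "@$2" -exec touch --no-dereference --date="@$2" {} +
}

# Number of entries under ROOT still newer than EPOCH; 0 means the tree is
# ready to be exported. A cheap check to run just before the image is written.
count_newer() {                     # count_newer ROOT EPOCH
    find "$1" -xdev -newermt "@$2" | wc -l | tr -d ' '
}

# SHA-256 of a tar of ROOT with sorted entries and fixed ownership, but with the
# mtimes as they are on disk, like a layer exported from the snapshotter. Two
# trees with the same content give the same digest only once their mtimes agree,
# which is the comparison the demo makes between 0-oci.tar and 1-oci.tar.
layer_digest() {                    # layer_digest ROOT
    tar --format=gnu --sort=name --owner=0 --group=0 --numeric-owner \
        -C "$1" -cf - . | sha256sum | cut -d' ' -f1
}

# Stand-alone run on a constructed tree: two builds of the same content written
# at different times, then normalised to SOURCE_DATE_EPOCH.
demo() {
    SOURCE_DATE_EPOCH=1672531200    # constructed value, 2023-01-01T00:00:00Z
    w=$(mktemp -d)
    for build in 0 1; do
        mkdir -p "$w/$build/usr/bin"
        printf 'hello\n' >"$w/$build/usr/bin/hello"
        touch --date="@$((SOURCE_DATE_EPOCH + 100 * (build + 1)))" "$w/$build/usr/bin/hello"
    done
    echo "before: $(layer_digest "$w/0") vs $(layer_digest "$w/1")"
    clamp_mtimes "$w/0" "$SOURCE_DATE_EPOCH"
    clamp_mtimes "$w/1" "$SOURCE_DATE_EPOCH"
    echo "newer than epoch after clamp: $(count_newer "$w/0" "$SOURCE_DATE_EPOCH")"
    echo "after:  $(layer_digest "$w/0") vs $(layer_digest "$w/1")"
    rm -rf "$w"
}
demo
```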
9. Reproducing packages
• “aptgettable” package versions are hard to reproduce
• Most distros do not retain old packages
• Debian retains old packages (thank you!), but not mirrored widely
  – Too much load on the central snapshot.debian.org
  – Can’t be used in CI practically, due to slowness and flakiness
• The situation is similar for Fedora and ArchLinux
/etc/apt/sources.list pinned to a snapshot:
deb http://snapshot.debian.org/archive/debian/20230101T091029Z/ bullseye main
10. repro-get: decentralized & reproducible apt/dnf/apk/pacman…
https://github.com/reproducible-containers/repro-get
• Cryptographically locks the package versions with SHA256SUMS
• Blobs can be fetched from several places to avoid overloading
• Supports Debian, Ubuntu, Fedora, Alpine, and ArchLinux
SHA256SUMS-amd64:
35b1508eeee9c1dfba798c4c04304ef0f266990f936a51f165571edf53325cbc pool/main/h/hello/hello_2.10-2_amd64.deb
Places the blobs can be fetched from (URL templates):
http://deb.debian.org/debian/{{.Name}} (Fast, ephemeral)
http://debian.notset.fr/snapshot/by-hash/SHA256/{{.SHA256}} (Slow, persistent)
oci://example.com/oras-image@sha256:{{.SHA256}}
http://ipfs.io/ipfs/{{.CID}}
11. repro-get: decentralized & reproducible apt/dnf/apk/pacman…
https://github.com/reproducible-containers/repro-get
$ repro-get hash generate >SHA256SUMS-amd64.old
$ apt-get install -y hello
$ repro-get hash generate --dedupe=SHA256SUMS-amd64.old >SHA256SUMS-amd64
$ cat SHA256SUMS-amd64
35b1508eeee9c1dfba798c4c04304ef0f266990f936a51f165571edf53325cbc pool/main/h/hello/hello_2.10-2_amd64.deb
$ repro-get install SHA256SUMS-amd64
(001/001) hello_2.10-2_amd64.deb Downloading from http://debian.notset.fr/snapshot/by-hash/SHA256/35b1508eeee9c1dfba798c4c04304ef0f266990f936a51f165571edf53325cbc
...
Preparing to unpack .../35b1508eeee9c1dfba798c4c04304ef0f266990f936a51f165571edf53325cbc ...
Unpacking hello (2.10-2) ...
Setting up hello (2.10-2) ...
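The lockfile idea of slides 10 and 11, as an added example that is not repro-get's own code: a minimal shell re-implementation that expands the slide's provider templates ({{.Name}} and {{.SHA256}}; {{.CID}} is not handled), tries the providers in order and installs a blob only if it hashes to the digest pinned in SHA256SUMS. Providers are local directories standing in for the URLs so it runs offline, and the function names and sample data are this example's own.

```shell
#!/bin/sh
# Added example, not repro-get's own code: a minimal re-implementation of the
# lockfile idea on slides 10 and 11. SHA256SUMS pins each package by digest, and
# the digest, not the download location, is what the build trusts, so a blob may
# come from any of several providers and the first one whose content matches is
# the one installed. Providers are local directories standing in for the slide's
# URL templates; {{.Name}} and {{.SHA256}} are expanded, {{.CID}} is not handled.
set -eu

# Expand a provider template for one lockfile entry.
render_provider() {                 # render_provider TEMPLATE NAME SHA256
    printf '%s\n' "$1" | sed -e "s|{{\.Name}}|$2|g" -e "s|{{\.SHA256}}|$3|g"
}

# 0 if FILE hashes to the pinned digest, 1 otherwise.
verify_blob() {                     # verify_blob FILE SHA256
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Resolve one pinned entry: try the provider templates in order, copy the first
# blob that matches its pinned digest to DEST and print the provider used.
# A blob that exists but does not match (stale mirror, tampered copy) is skipped,
# never installed. Fails if no provider serves a matching blob.
fetch_pinned() {                    # fetch_pinned SHA256 NAME DEST TEMPLATE...
    want="$1"; entry="$2"; dest="$3"; shift 3
    for tmpl in "$@"; do
        src=$(render_provider "$tmpl" "$entry" "$want")
        [ -f "$src" ] || continue
        if verify_blob "$src" "$want"; then
            cp "$src" "$dest"
            printf '%s\n' "$tmpl"
            return 0
        fi
    done
    return 1
}

# Resolve every "<sha256>  <path>" line of a SHA256SUMS file into OUTDIR. One
# unresolvable entry fails the whole step, as a lockfile install should.
install_lockfile() {                # install_lockfile SHA256SUMS OUTDIR TEMPLATE...
    lock="$1"; outdir="$2"; shift 2
    while read -r sha path; do
        [ -n "$sha" ] || continue
        fetch_pinned "$sha" "$path" "$outdir/$(basename "$path")" "$@" >/dev/null || return 1
    done <"$lock"
}

# Stand-alone run on constructed data: a "fast" provider serving a blob whose
# content does not match the lockfile, and a "slow" by-hash provider that does.
demo() {
    w=$(mktemp -d)
    pkg=pool/main/h/hello/hello_2.10-2_amd64.deb
    mkdir -p "$w/fast/pool/main/h/hello" "$w/slow/by-hash" "$w/out"
    printf 'constructed package bytes\n' >"$w/good"
    digest=$(sha256sum "$w/good" | cut -d' ' -f1)
    mv "$w/good" "$w/slow/by-hash/$digest"
    printf 'constructed, but not what was pinned\n' >"$w/fast/$pkg"
    printf '%s  %s\n' "$digest" "$pkg" >"$w/SHA256SUMS"
    install_lockfile "$w/SHA256SUMS" "$w/out" "$w/fast/{{.Name}}" "$w/slow/by-hash/{{.SHA256}}"
    echo "installed $(ls "$w/out") via $(fetch_pinned "$digest" "$pkg" "$w/out/again.deb" "$w/fast/{{.Name}}" "$w/slow/by-hash/{{.SHA256}}")"
    rm -rf "$w"
}
demo
```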
12. Demo
https://twitter.com/_AkihiroSuda_/status/1614401664009789440
https://github.com/reproducible-containers/repro-get/releases/tag/v0.3.0
$ docker run -d --name buildkitd --privileged moby/buildkit:v0.11.0
$ docker cp buildkitd:/usr/bin/buildctl /usr/local/bin/buildctl
$ export BUILDKIT_HOST=docker-container://buildkitd
$ ./hack/test-dockerfile-repro.sh examples/gcc
...
0a3bcfebc67c85cac40e9c2cadee7b2b2b5077dc5ff985d8c396f008df818690 /.../0-oci.tar
0a3bcfebc67c85cac40e9c2cadee7b2b2b5077dc5ff985d8c396f008df818690 /.../1-oci.tar
BuildKit version MUST be pinned
The filesystem (ext4) and the OS version (Ubuntu 22.04) SHOULD be pinned too
13. Future works
• Simplify Dockerfile
• Find an easier way to cache old packages locally
• Interoperability with xx-apt and xx-apk for cross-compilation
• Interoperability with SLSA Provenances
• Single-click attestation of reproducibility
14. Wrap-up
• Reproducible builds help attest the true origin of the binary
• Challenges: non-deterministic timestamps, package versions, etc.
• BuildKit v0.11 adds preliminary support for SOURCE_DATE_EPOCH
• repro-get reproduces the package versions with SHA256SUMS
https://github.com/moby/buildkit/blob/v0.11/docs/build-repro.md
https://github.com/reproducible-containers/repro-get
