exporter/containerimage: new option: rewrite-timestamp (Apply SOURCE_DATE_EPOCH to file timestamps)

[AkihiroSuda]

rewrite-timestamp rewrites timestamps in layers for reproducible builds.

When a layer is rewritten, an annotation buildkit/rewritten-timestamp=<INT64> is set to the layer.

Example:

buildctl build
  --frontend dockerfile.v0 \
  --opt build-arg:SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH} \
  --output type=oci,dest=dest.tar,rewrite-timestamp=true \
  ...

Alternative to:

• [Moved to #4057] Apply SOURCE_DATE_EPOCH to the files and the whiteouts inside OCI tar layers #3560

---

With this commit, the following workarounds mentioned in docs/build-repro.md are no longer needed for reproducible builds:

# Limit the timestamp upper bound to SOURCE_DATE_EPOCH.
# Workaround for https://github.com/moby/buildkit/issues/3180
ARG SOURCE_DATE_EPOCH
RUN find $( ls / | grep -E -v "^(dev|mnt|proc|sys)$" ) -newermt "@${SOURCE_DATE_EPOCH}" -writable -xdev | xargs touch --date="@${SOURCE_DATE_EPOCH}" --no-dereference

# Squash the entire stage for resetting the whiteout timestamps.
# Workaround for https://github.com/moby/buildkit/issues/3168
FROM scratch
COPY --from=0 / /

Backup

39c3a49 : Abandoned version, contaminates cache

[AkihiroSuda]

@tonistiigi
Does this look better than:

• [Moved to #4057] Apply SOURCE_DATE_EPOCH to the files and the whiteouts inside OCI tar layers #3560

?

[tonistiigi]

@AkihiroSuda I think until we figure out how this will work with cache-to/from we need to make sure that if rewrite-epoch is set then these blobs will never be 1) exported with cache, also meaning inline-cache would probably need to be incompatible 2) reused in any subsequent build that doesn't set rewrite-epoch to the same value (this is contrary to the compression behavior atm where existing compression is reused).

[AkihiroSuda]

@AkihiroSuda I think until we figure out how this will work with cache-to/from we need to make sure that if rewrite-epoch is set then these blobs will never be 1) exported with cache, also meaning inline-cache would probably need to be incompatible 2) reused in any subsequent build that doesn't set rewrite-epoch to the same value (this is contrary to the compression behavior atm where existing compression is reused).

I guess the entire logic should be just decoupled from cache/, and the layer blobs should be just patched in exporter/containerimage/writer.go:commitDistributionManifest() ?

(So, the epoch will be applied to the base layers as well)

[AkihiroSuda]

Updated as above.

The rewrite-epoch option no longer touches the cache.
The blobs are converted right before pushing, in exporter/containerimage/writer.go:commitDistributionManifest().

[felixdesouza]

I'm really excited for this to arrive! This will save us a lot of time spent doing the docker save -> strip timestamps -> docker load` pipeline. I had a go earlier today on a toy example, and for the most part it worked great. I did run into one issue however:

If I have this Dockerfile:

FROM alpine:latest
ARG SOURCE_DATE_EPOCH

RUN echo felix > asdf.txt

The last layer is not a valid tar file. Namely because it's small enough to be missing padding. In addition does not have the tar end marker, although that could be an implementation detail of tar (I am on macOS). However, without the rewrite, this works as normal and produces a tar file that's readable by macOS tar, so in a way it is a bit of a regression.

Below is the fq output of the stripped tar that's too small:

Below is the fq output of the same layer but without any epoch rewriting:

I haven't attached, but in the non epoch rewritten tar, there's also the end_marker padding that's 1024 bytes long. This obviously doesn't exist in the epoch rewritten tar given that an individual file within the tar is missing the padding block.

Not entirely sure whether this is the right place for this issue, but just wanted to flag.

[AkihiroSuda]

@felixdesouza Thanks, fixed in the latest commit. (the tar writer was not flushed)

[felixdesouza]

Ah, beat me to it! I think there's one last flush missing, at the end of the archive, we'll get an io.error.EOF, which is the point in which the archive should be closed to write the padding + footer: https://pkg.go.dev/archive/tar#Writer.Close. But I think we'll also miss that without an error check.

[AkihiroSuda]

Should be fixed in the latest commit

[wiktor-k]

Great to see this being worked on, thanks!

I wonder one thing: would it be beneficial to also add test cases that'd check if the digest does not change? Having reproducible images is super great but I'm worried some other contributor will break it by accident in the future.

[tonistiigi]

can be follow-up: This New pattern doesn't work with function anymore and should probably return a struct/interface.

[AkihiroSuda]

Why not work?

[tonistiigi]

New implies a new instance of a struct.

[AkihiroSuda]

New implies a new instance of a struct.

I'm not sure.
I thought it can return any.

[tonistiigi]

Should we change this function so that it takes Result[Remote] as parameter. This can be follow-up but I do think we should implement it and not error. Same for push.

[AkihiroSuda]

Sorry, not sure how it relates to this PR

[tonistiigi]

There are new conditions now for unpack and push, instead of reusing the code-path. And unpack case errors.

[AkihiroSuda]

Got it, but let me defer that to a follow-up 🙏

[tonistiigi]

More follow-ups: when the layer conversion happens, we should show a progress line about it to the user.

[AkihiroSuda]

More follow-ups: when the layer conversion happens, we should show a progress line about it to the user.

done

[AkihiroSuda]

BTW, on the second thought, rewrite-epoch may sound weird as English?

rewrite-timestamp might be less confusing?
Or rewrite-layer-timestamp?

[AkihiroSuda]

Changed to rewrite-timestamp

(Backup: commit 0265bb7 (rewrite-epoch))