Add support for SOURCE_DATE_EPOCH #2918
Can you update docs in https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md#built-in-build-args for
Can we pass this into the RUN steps without defining an ARG in the Dockerfile? I.e. the same way we do for http proxy today?
I think defining
Since the user is running the build command, what if the forced
It would, for example, mean that build-cache does not apply between builds that use epoch and ones that do not, even if the run steps make no use of the added argument. I don't think avoiding changes in Dockerfile is a goal (in fact, we are probably adding #epoch), especially if the behavior of the Dockerfile commands changes. Ultimately it is the Dockerfile author who knows if the process they use in
frontend/dockerfile/docs/syntax.md
@@ -372,5 +372,6 @@ RUN --security=insecure cat /proc/self/status | grep CapEff | |||
* `BUILDKIT_MULTI_PLATFORM=<bool>` opt into determnistic output regardless of multi-platform output or not | |||
* `BUILDKIT_SANDBOX_HOSTNAME=<string>` set the hostname (default `buildkitsandbox`) | |||
* `BUILDKIT_SYNTAX=<image>` set frontend image | |||
* `SOURCE_DATE_EPOCH` set the UNIX timestamp for created image and layers. More info from [reproducible builds](https://reproducible-builds.org/docs/source-date-epoch/). |
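Review bot: the added `SOURCE_DATE_EPOCH` entry carries no `=<type>` placeholder, unlike the three `BUILDKIT_*` entries above it (`=<bool>`, `=<string>`, `=<image>`), so the expected value format is left to the linked page. Suggest writing it as `SOURCE_DATE_EPOCH=<int>` and stating that the value is seconds since the Unix epoch. The entry could also mention that a stage must declare `ARG SOURCE_DATE_EPOCH` for processes in that stage to see the value, as the PR description states, since the current wording covers only image and layer timestamps.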
Probably better to clarify the syntax version (1.5, unreleased)
Updated
LGTM but a couple of nits.
LGTM
@AkihiroSuda ok to merge?
needs rebase, PTAL @AkihiroSuda
LGTM after rebase
Looks like this needs a rebase again
OCI exporter needs to be fixed to reset "org.opencontainers.image.created" annotation (buildkit/exporter/oci/export.go, line 131 in 092e977)
Is this going to apply as well for whiteout files?
And this timestamp is also non-reproducible (buildkit/exporter/containerimage/export.go, lines 246 to 249 in 092e977)
Needs:
Allows reproducible timestamps for layer and image timestamps. Implemented as a frontend-opt because in the future same option could be detected by frontend for custom behavior and same value should also apply timestamps for FileOps. Signed-off-by: Tonis Tiigi <[email protected]>
For daemons that don’t support SOURCE_DATE_EPOCH on the exporter we can use these overrides on the frontend side. Signed-off-by: Tonis Tiigi <[email protected]>
LGTM, thanks
My comments above can be addressed later
addresses #1058
Allows reproducible timestamps for layer and image timestamps.

Implemented as a frontend-opt because in the future, the same option could be detected by frontend for custom behavior and the same value should also apply timestamps for FileOps. Definition for `SOURCE_DATE_EPOCH` can be found in https://reproducible-builds.org/docs/source-date-epoch/

In local and tar exporter, setting the build-arg overwrites the timestamp for the output files.

There is also a secondary implementation inside the Dockerfile frontend. This allows getting reproducible image manifests even on old buildkit, by just defining `#syntax` to point to new Dockerfile image.

In Dockerfiles the build-arg can also be exposed to inner processes by defining `ARG SOURCE_DATE_EPOCH` inside the stage.

This is the first stop toward better reproducible builds support that can be followed up with:

* `COPY/ADD` in Dockerfiles (dockerfile: add `(ADD|COPY) --timestamp=<RFC3339Nano>` #2911 @AkihiroSuda)
* `#epoch=`. Frontend side of this is already implemented and the frontend can pass the epoch value to the exporter (it can not overwrite the value if it has already been set by the user).
* `--build-arg SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)`
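
The tar exporter behaviour described above (the build-arg overwrites the timestamp of the output files), as an added Go example that is not BuildKit's code: it shows that two outputs with identical content but different file mtimes hash differently until one epoch value overwrites their timestamps. `tarDigest` and the `file` type are hypothetical names, and the file entries are constructed samples.

```go
package main

import (
	"archive/tar"
	"crypto/sha256"
	"fmt"
	"strconv"
	"time"
)

// file is a constructed stand-in for one build output file (hypothetical type).
type file struct{ Name, Body string; ModTime time.Time }

// tarDigest streams files into a tar archive and returns its SHA-256.
// A non-empty epoch (decimal seconds, the SOURCE_DATE_EPOCH format) overwrites
// every entry's timestamp; a malformed value is rejected, not ignored.
func tarDigest(files []file, epoch string) (string, error) {
	var override time.Time
	if epoch != "" {
		sec, err := strconv.ParseInt(epoch, 10, 64)
		if err != nil {
			return "", fmt.Errorf("invalid SOURCE_DATE_EPOCH %q: %w", epoch, err)
		}
		override = time.Unix(sec, 0)
	}
	h := sha256.New()
	tw := tar.NewWriter(h)
	for _, f := range files {
		hdr := &tar.Header{Name: f.Name, Mode: 0o644, Size: int64(len(f.Body)), ModTime: f.ModTime}
		if epoch != "" {
			hdr.ModTime = override
		}
		if err := tw.WriteHeader(hdr); err != nil {
			return "", err
		}
		if _, err := tw.Write([]byte(f.Body)); err != nil {
			return "", err
		}
	}
	if err := tw.Close(); err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", h.Sum(nil)), nil
}

func main() {
	// Constructed sample: one output file with an arbitrary mtime.
	f := []file{{"app/bin", "payload", time.Unix(1700000000, 0)}}
	fmt.Println(tarDigest(f, "1667260800"))
}
```

Silently falling back to the file's own mtime on a malformed value would produce a non-reproducible artifact without any signal, which is why the parse error is returned.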