
Make dockerTools.buildImageWithNixDb reproducible #289840

Merged (1 commit) Feb 29, 2024

Conversation

PigeonF (Contributor) commented Feb 18, 2024

Description of changes

The database loaded by dockerTools.buildImageWithNixDb contains timestamps of when the nix paths were registered. Depending on the host store, these can differ between runs. Resetting them to a well-known value ensures that the produced image is reproducible.

Related to #289813.

I don't know how to add a test for this. The only thing I can think of is to add a test to https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/docker-tools.nix that reads out the registrationTime rows from the database and asserts they are whatever SOURCE_DATE_EPOCH gets set to?

P.S.: I tried running nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD" to test the change, but it seems to overload my local nix VM, so I couldn't test this locally. Since this is my first contribution to nixpkgs, I don't really know what to do about this 😅

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.


The loaded database contains timestamps of when the nix paths were
registered. Depending on the host store, these can differ between runs.
Resetting them to a well-known value ensures that the produced image is
reproducible.
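An added example, not code from this PR or from nixpkgs, that shows both halves of the description above in Python: the timestamp reset (an UPDATE of the registrationTime column of Nix's ValidPaths table, which is where the store database keeps the registration time of each path) and the check the author proposes for a test (reading the rows back and comparing them with SOURCE_DATE_EPOCH). The ValidPaths schema is reduced to the columns needed here, the store paths, hashes and timestamps are constructed, and the digest compares logical table content rather than raw file bytes so that only the timestamp effect is measured.

```python
"""Added example (not from the nixpkgs PR): reset the registrationTime column
of a Nix-style store database to a fixed epoch and verify that two databases
registered at different times become identical afterwards.

Assumptions: the ValidPaths schema is a reduced stand-in for Nix's real table;
paths, hashes and timestamps below are constructed sample data.
"""
import contextlib
import hashlib
import os
import sqlite3
import tempfile

# nixpkgs' stdenv sets SOURCE_DATE_EPOCH to 1980-01-01T00:00:00Z; the example
# uses that value as its default well-known timestamp.
DEFAULT_EPOCH = 315532800

# Constructed sample closure: (store path, NAR hash, NAR size).
# The hashes are placeholders, not real store objects.
SAMPLE_PATHS = [
    ("/nix/store/0000000000000000000000000000000a-example-1.0",
     "sha256:" + "0" * 64, 4096),
    ("/nix/store/0000000000000000000000000000000b-libexample-1.0",
     "sha256:" + "1" * 64, 8192),
]


def _connect(db_path):
    """Open the database and make sure the handle is closed afterwards."""
    return contextlib.closing(sqlite3.connect(db_path))


def make_store_db(db_path, registration_time):
    """Create a minimal ValidPaths table the way a fresh registration would:
    every row is stamped with the host clock at the time it was loaded."""
    with _connect(db_path) as conn:
        conn.execute(
            """CREATE TABLE ValidPaths (
                   id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
                   path TEXT UNIQUE NOT NULL,
                   hash TEXT NOT NULL,
                   registrationTime INTEGER NOT NULL,
                   narSize INTEGER)"""
        )
        conn.executemany(
            "INSERT INTO ValidPaths (path, hash, registrationTime, narSize) "
            "VALUES (?, ?, ?, ?)",
            [(p, h, registration_time, n) for p, h, n in SAMPLE_PATHS],
        )
        conn.commit()


def reset_registration_times(db_path, epoch):
    """The fix: overwrite every registrationTime with the well-known epoch.
    Returns the number of rows rewritten."""
    with _connect(db_path) as conn:
        cur = conn.execute("UPDATE ValidPaths SET registrationTime = ?", (epoch,))
        conn.commit()
        return cur.rowcount


def registration_times(db_path):
    """The check proposed in the PR: read back every registrationTime."""
    with _connect(db_path) as conn:
        return [row[0] for row in conn.execute(
            "SELECT registrationTime FROM ValidPaths")]


def content_digest(db_path):
    """SHA-256 over the table content in a deterministic order, so two
    databases can be compared independently of SQLite's page layout."""
    with _connect(db_path) as conn:
        rows = conn.execute(
            "SELECT path, hash, registrationTime, narSize "
            "FROM ValidPaths ORDER BY path").fetchall()
    digest = hashlib.sha256()
    for row in rows:
        digest.update(repr(row).encode("utf-8"))
    return digest.hexdigest()


def demo(epoch=DEFAULT_EPOCH):
    """Register the same closure under two different host clocks, show the
    digests differ, apply the reset, and show they agree afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        first = os.path.join(tmp, "first.sqlite")
        second = os.path.join(tmp, "second.sqlite")
        make_store_db(first, 1_700_000_000)   # constructed: registered one day
        make_store_db(second, 1_700_086_400)  # constructed: registered a day later
        equal_before = content_digest(first) == content_digest(second)
        rows_updated = (reset_registration_times(first, epoch)
                        + reset_registration_times(second, epoch))
        equal_after = content_digest(first) == content_digest(second)
        times_after = set(registration_times(first)) | set(registration_times(second))
    return {"equal_before": equal_before, "equal_after": equal_after,
            "rows_updated": rows_updated, "times_after": times_after}


if __name__ == "__main__":
    print(demo())
```

In the real image the raw db.sqlite file is what ends up in a layer, so a full reproducibility check would compare the layer or file hashes across two builds; the logical digest above isolates the one source of nondeterminism this PR addresses.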
@PigeonF PigeonF requested a review from roberth as a code owner February 18, 2024 20:53
@NixOSInfra NixOSInfra added the 12. first-time contribution This PR is the author's first one; please be gentle! label Feb 18, 2024
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Feb 18, 2024
roberth (Member) commented Feb 18, 2024

[nixpkgs-review] seems to overload my local nix VM

You can skip nixpkgs-review. The relevant test here is nix-build -A nixosTests.docker-tools aka nixos/tests/docker-tools.nix and its support file pkgs/build-support/docker/examples.nix.
Do you have nested virtualisation - ie hardware virtualization extensions available within the VM?
Alternatively, if you're on macOS, you could rebase onto #282401 for a bit so that you can cut out the intermediate VM and run the test driver on macOS natively.

PigeonF (Contributor, Author) commented Feb 29, 2024

I was able to dust off an old laptop and run the tests there (i.e. running nix-build -A nixosTests.docker-tools succeeded). Is there something else I need to do, or do I just wait for someone to merge this?

roberth (Member) commented Feb 29, 2024

Oh, I thought you wanted to add a test case or assertion.
I'd be okay to merge this without one, because nothing critical depends on it, and it wouldn't "prove" reproducibility anyway.
The most realistic failure mode, a change to the store db format and/or schema, would already be caught by the test suite, so I'm not too concerned.

@drupol drupol merged commit 2bf7ff4 into NixOS:master Feb 29, 2024
22 checks passed
Labels
6.topic: reproducible builds 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux 12. first-time contribution This PR is the author's first one; please be gentle!