1. [FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
Deterministic timestamps and deterministic apt-get
Akihiro Suda, NTT
Demo: https://github.com/reproducible-containers/repro-get/releases/tag/v0.3.0
2. What are reproducible builds?
[Figure: the Dockerfile below is built three times; every build produces an OCI Image with the identical digest sha256:6ea7098583cb6c9470570df28c154cfec58e122188382cd4a7ceab8a9a79cb67]
Dockerfile:
FROM ubuntu
RUN apt-get install -y gcc make ...
RUN make
OCI = Open Container Initiative
• Same source, same binary
• Attestable by anybody, at any time
But often needs a specific (virtual) machine
3. Why do we need reproducible builds?
• Because we want to verify the actual source code of the binary, not the claimed source code
• actual != claimed, when the build env is compromised, or when the developer is malicious
• If the builds are reproducible, we can be sure that actual == claimed
4. Not a panacea…
• Reproducibility has nothing to do with whether the source code is safe to use
• The source code may still contain malicious code
• Reproducible builds make sense only when you review the source code
5. Why couldn’t we make them reproducible?
• Timestamps
  – Timestamps of the files in tar layers
  – Timestamps in OCI Image Spec JSONs (“org.opencontainers.image.created”, etc.)
• “aptgettable” packages
  – The package version changes on every invocation of apt-get, dnf, etc.
• Filesystem characteristics
  – Hardlinks, xattrs, …
6. BuildKit v0.11 supports reproducible builds! 🎉
https://github.com/moby/buildkit
• BuildKit: a modern image building framework made for Docker/Moby
  – Embedded in the Docker daemon since Docker 18.06
  – Can also be used with Kubernetes, nerdctl, Podman, etc.
• v0.11 (Jan 2023) contains built-in support for reproducing timestamps
  – Thanks to Tõnis Tiigi (Docker) for the large portion
• Still needs a very complex Dockerfile
  – v0.12 will require less complex Dockerfiles
7. Reproducing timestamps
• The SOURCE_DATE_EPOCH build arg can be used for specifying the UNIX epoch
• Conforms to: https://reproducible-builds.org/specs/source-date-epoch/
• Usually set to $(git log -1 --pretty=%ct)
• The build arg is exposed to the “RUN” containers as an env var
• The build arg is also consumed by BuildKit itself for the timestamps in the OCI JSONs (but not for the file timestamps in the tar layers, in v0.11)

$ buildctl build --opt build-arg:SOURCE_DATE_EPOCH=<uint64> ...
https://github.com/moby/buildkit/blob/v0.11/docs/build-repro.md
8. Caveats in v0.11 (Being resolved in PR #3560, targeted for v0.12)
• The file timestamps in the tar layers need to be explicitly touch-ed
• The layers have to be squashed to remove unreproducible overlayfs whiteouts
• Mount points can be created only under /dev (tmpfs)
• Hardlinks are not reproducible depending on the filesystem snapshotter

Dockerfile (the touch step; line continuations restored):
ARG SOURCE_DATE_EPOCH
RUN find $( ls / | grep -E -v "^(dev|mnt|proc|sys)$" ) \
      -newermt "@${SOURCE_DATE_EPOCH}" -writable -xdev \
      | xargs touch --date="@${SOURCE_DATE_EPOCH}" --no-dereference
FROM scratch
COPY --from=0 / /
RUN --mount=type=cache,target=/dev/.cache ...
https://github.com/moby/buildkit/blob/v0.11/docs/build-repro.md
https://github.com/moby/buildkit/pull/3560
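Why the touch step on this slide matters, as an added example in Python (not code from the slides or from BuildKit): a constructed rootfs is "built" twice a minute apart and packed into a tar layer; the layer digests differ until every entry newer than SOURCE_DATE_EPOCH has its mtime clamped to the epoch, which is what the `find -newermt ... | xargs touch --no-dereference` line does. The epoch value, file names and build clocks are constructed for the example; the tar writer here is a stand-in for BuildKit's layer writer, not its actual code.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed value: what `git log -1 --pretty=%ct` would print for the commit
# being built (2023-01-01T09:10:29Z, the snapshot timestamp on slide 9).
SOURCE_DATE_EPOCH = 1672564229


def clamp_mtimes(root: str, epoch: int) -> int:
    """Python equivalent of the slide's `find ... -newermt "@$E" | xargs touch
    --date="@$E" --no-dereference`: entries newer than epoch get mtime == epoch,
    older ones are left alone.  Returns the number of entries touched."""
    touched = 0
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_mtime > epoch:
                # follow_symlinks=False is touch --no-dereference
                os.utime(path, (epoch, epoch), follow_symlinks=False)
                touched += 1
    return touched


def layer_tar(root: str) -> bytes:
    """Pack root as an uncompressed tar with sorted entries, owner 0 and integer
    mtimes, so entry mtimes are the only variable left.  GNU_FORMAT is used
    because PAX format would also record fractional mtimes."""
    paths = []
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(paths):
            info = tar.gettarinfo(path, arcname=os.path.relpath(path, root))
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mtime = int(info.mtime)
            if info.isfile():
                with open(path, "rb") as f:
                    tar.addfile(info, f)
            else:
                tar.addfile(info)
    return buf.getvalue()


def build_rootfs(root: str, build_time: int) -> None:
    """Constructed stand-in for `RUN make`: files stamped with the build's wall
    clock, plus one base-image file (etc/os-release) that predates the epoch."""
    os.makedirs(os.path.join(root, "usr/bin"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "usr/bin/hello"), "wb") as f:
        f.write(b"#!/bin/sh\necho hello\n")
    os.symlink("hello", os.path.join(root, "usr/bin/hi"))
    with open(os.path.join(root, "etc/os-release"), "wb") as f:
        f.write(b"ID=ubuntu\n")
    for rel in ("usr", "usr/bin", "usr/bin/hello", "usr/bin/hi", "etc"):
        os.utime(os.path.join(root, rel), (build_time,) * 2, follow_symlinks=False)
    old = SOURCE_DATE_EPOCH - 86400
    os.utime(os.path.join(root, "etc/os-release"), (old, old))


def build_twice(clamp: bool) -> tuple:
    """Build at two constructed wall-clock times 60 s apart and return the
    sha256 digest of each layer tar: they differ unless clamp is True."""
    digests = []
    for build_time in (1700000000, 1700000060):
        with tempfile.TemporaryDirectory() as root:
            build_rootfs(root, build_time)
            if clamp:
                clamp_mtimes(root, SOURCE_DATE_EPOCH)
            digests.append(hashlib.sha256(layer_tar(root)).hexdigest())
    return digests[0], digests[1]


def clamp_demo() -> tuple:
    """First pass touches the 5 entries newer than the epoch (etc/os-release is
    older and is skipped); a second pass has nothing left to touch."""
    with tempfile.TemporaryDirectory() as root:
        build_rootfs(root, 1700000000)
        return clamp_mtimes(root, SOURCE_DATE_EPOCH), clamp_mtimes(root, SOURCE_DATE_EPOCH)
```

`build_twice(False)` returns two different digests and `build_twice(True)` two equal ones; the clamp also leaves the pre-epoch file untouched, which is why the slide uses `-newermt` rather than touching everything.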
9. Reproducing packages
• “aptgettable” package versions are hard to reproduce
• Most distros do not retain old packages
• Debian retains old packages (thank you!), but they are not mirrored widely
  – Too much load on the central snapshot.debian.org
  – Can’t be used in CI practically, due to slowness and flakiness
• The situation is similar for Fedora and ArchLinux

/etc/apt/sources.list:
deb http://snapshot.debian.org/archive/debian/20230101T091029Z/ bullseye main
10. repro-get: decentralized & reproducible apt/dnf/apk/pacman…
https://github.com/reproducible-containers/repro-get
• Cryptographically locks the package versions with SHA256SUMS
• Blobs can be fetched from several places to avoid overloading
• Supports Debian, Ubuntu, Fedora, Alpine, and ArchLinux

SHA256SUMS-amd64:
35b1508eeee9c1dfba798c4c04304ef0f266990f936a51f165571edf53325cbc pool/main/h/hello/hello_2.10-2_amd64.deb

Providers (URL templates):
http://deb.debian.org/debian/{{.Name}} (Fast, ephemeral)
http://debian.notset.fr/snapshot/by-hash/SHA256/{{.SHA256}} (Slow, persistent)
oci://example.com/oras-image@sha256:{{.SHA256}}
http://ipfs.io/ipfs/{{.CID}}
11. repro-get: decentralized & reproducible apt/dnf/apk/pacman…
https://github.com/reproducible-containers/repro-get
$ repro-get hash generate >SHA256SUMS-amd64.old
$ apt-get install -y hello
$ repro-get hash generate --dedupe=SHA256SUMS-amd64.old >SHA256SUMS-amd64
$ cat SHA256SUMS-amd64
35b1508eeee9c1dfba798c4c04304ef0f266990f936a51f165571edf53325cbc pool/main/h/hello/hello_2.10-2_amd64.deb
$ repro-get install SHA256SUMS-amd64
(001/001) hello_2.10-2_amd64.deb Downloading from
http://debian.notset.fr/snapshot/by-hash/SHA256/35b1508eeee9c1dfba798c4c04304ef0f266990f936a51f165571edf53325cbc
...
Preparing to unpack .../35b1508eeee9c1dfba798c4c04304ef0f266990f936a51f165571edf53325cbc ...
Unpacking hello (2.10-2) ...
Setting up hello (2.10-2) ...
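The lockfile logic behind the session above, as an added example in Python (not repro-get's own code): parse SHA256SUMS lines like the slide's hello entry, expand the provider URL templates from slide 10 for each entry, and accept a downloaded blob only when its sha256 equals the pinned digest, whichever provider served it. The blob bytes and the simulated mirrors are constructed for the example; `{{.CID}}` is left out because rendering it needs an IPFS CID computation.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Provider templates from slide 10, in repro-get's Go text/template syntax.
PROVIDERS = [
    "http://deb.debian.org/debian/{{.Name}}",
    "http://debian.notset.fr/snapshot/by-hash/SHA256/{{.SHA256}}",
    "oci://example.com/oras-image@sha256:{{.SHA256}}",
]

_LINE = re.compile(r"^([0-9a-f]{64})\s+(\S+)$")


@dataclass(frozen=True)
class Entry:
    sha256: str  # hex digest of the package file
    name: str    # path relative to the repository root, e.g. pool/main/h/hello/...


def parse_sha256sums(text: str) -> list:
    """Parse `<sha256> <name>` lines; blank lines and # comments are skipped,
    anything else is an error rather than silently ignored."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"SHA256SUMS line {lineno}: malformed: {line!r}")
        entries.append(Entry(m.group(1), m.group(2)))
    return entries


def render_urls(entry: Entry, providers=PROVIDERS) -> list:
    """Expand {{.Name}} and {{.SHA256}}; refuse templates with fields we do not know."""
    urls = []
    for tmpl in providers:
        url = tmpl.replace("{{.Name}}", entry.name).replace("{{.SHA256}}", entry.sha256)
        if "{{" in url:
            raise ValueError(f"unsupported template field in {tmpl!r}")
        urls.append(url)
    return urls


def verify_blob(entry: Entry, blob: bytes) -> bool:
    """The integrity gate: only a blob whose digest equals the lockfile's may
    be unpacked.  A truncated or tampered download is rejected here."""
    return hashlib.sha256(blob).hexdigest() == entry.sha256


def install_from_providers(entry: Entry, fetch: Callable[[str], Optional[bytes]]) -> str:
    """Try the providers in order and return the URL that served a matching
    blob.  fetch(url) returns the bytes, or None if the provider has no copy."""
    for url in render_urls(entry):
        blob = fetch(url)
        if blob is not None and verify_blob(entry, blob):
            return url
        # missing or mismatching: never unpack, try the next provider
    raise RuntimeError(f"no provider served {entry.name} with sha256 {entry.sha256}")


# Constructed sample: the real hello_2.10-2_amd64.deb is not embedded, so the
# lockfile is generated from a stand-in blob with a different digest.
GOOD_BLOB = b"constructed stand-in for the bytes of hello_2.10-2_amd64.deb\n"
GOOD_SHA256 = hashlib.sha256(GOOD_BLOB).hexdigest()
LOCKFILE = f"{GOOD_SHA256} pool/main/h/hello/hello_2.10-2_amd64.deb\n"


def demo() -> str:
    """Simulated download: the first provider returns a truncated file, the
    snapshot provider the pinned blob, the OCI provider nothing."""
    entry = parse_sha256sums(LOCKFILE)[0]
    urls = render_urls(entry)
    mirrors = {urls[0]: GOOD_BLOB[:-1], urls[1]: GOOD_BLOB}
    return install_from_providers(entry, mirrors.get)
```

`demo()` returns the notset.fr snapshot URL: the truncated copy from the first provider fails the digest check and is never unpacked, which is the property that lets blobs be fetched from any mirror without trusting it.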
12. Demo
https://twitter.com/_AkihiroSuda_/status/1614401664009789440
https://github.com/reproducible-containers/repro-get/releases/tag/v0.3.0
$ docker run -d --name buildkitd --privileged moby/buildkit:v0.11.0
$ docker cp buildkitd:/usr/bin/buildctl /usr/local/bin/buildctl
$ export BUILDKIT_HOST=docker-container://buildkitd
$ ./hack/test-dockerfile-repro.sh examples/gcc
...
0a3bcfebc67c85cac40e9c2cadee7b2b2b5077dc5ff985d8c396f008df818690 /.../0-oci.tar
0a3bcfebc67c85cac40e9c2cadee7b2b2b5077dc5ff985d8c396f008df818690 /.../1-oci.tar
BuildKit version MUST be pinned
The filesystem (ext4) and the OS version (Ubuntu 22.04) SHOULD be pinned too
13. Future works
• Simplify Dockerfile
• Find an easier way to cache old packages locally
• Interoperability with xx-apt and xx-apk for cross-compilation
• Interoperability with SLSA Provenances
• Single-click attestation of reproducibility
14. Wrap-up
• Reproducible builds help attest the true origin of the binary
• Challenges: non-deterministic timestamps, package versions, etc.
• BuildKit v0.11 adds preliminary support for SOURCE_DATE_EPOCH
• repro-get reproduces the package versions with SHA256SUMS
https://github.com/moby/buildkit/blob/v0.11/docs/build-repro.md
https://github.com/reproducible-containers/repro-get