Merge pull request #2741 from euank/reproducible-docker

app-emulation/docker: build reproducibly

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild

@@ -20,9 +20,14 @@ else
 		MY_PV="$PV-ce"
 	fi
 	DOCKER_GITCOMMIT="874a737"
+	# Unix timestamp to use for this build. Set to `date +%s` each time an ebuild
+	# is edited.
+	# This is required for a reproducible build
+	DOCKER_BUILD_DATE="1504482497"
 	SRC_URI="https://${COREOS_GO_PACKAGE}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
 	KEYWORDS="amd64 arm64"
 	[ "$DOCKER_GITCOMMIT" ] || die "DOCKER_GITCOMMIT must be added manually for each bump!"
+	[ "$DOCKER_BUILD_DATE" ] || die "DOCKER_BUILD_DATE must be added manually for each bump!"
 fi
 inherit bash-completion-r1 coreos-go-depend linux-info systemd udev user
 
@@ -74,6 +79,10 @@ RESTRICT="installsources strip"
 
 S="${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}"
 
+PATCHES=(
+	"${FILESDIR}/allow-override-build-date.patch"
+)
+
 # see "contrib/check-config.sh" from upstream's sources
 CONFIG_CHECK="
 	~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
@@ -205,6 +214,7 @@ src_unpack() {
 	else
 		git-r3_src_unpack
 		DOCKER_GITCOMMIT=$(git -C "${S}" rev-parse HEAD | head -c 7)
+		DOCKER_BUILD_DATE=$(git -C "${S}" log -1 --format="%ct")
 	fi
 }
 
@@ -248,14 +258,18 @@ src_compile() {
 	fi
 
 	# build daemon
-	./hack/make.sh dynbinary || die 'dynbinary failed'
+	SOURCE_DATE_EPOCH="${DOCKER_BUILD_DATE}" ./hack/make.sh dynbinary || die 'dynbinary failed'
 
 	popd || die # components/engine
 
 	pushd components/cli || die
 
+
+	# Imitating https://github.com/docker/docker-ce/blob/v17.06.1-ce/components/cli/scripts/build/.variables#L7
+	CLI_BUILDTIME="$(date -d "@${DOCKER_BUILD_DATE}" --utc --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')"
 	# build cli
 	emake \
+		BUILDTIME="${CLI_BUILDTIME}" \
 		LDFLAGS="$(usex hardened "-extldflags \"-fno-PIC $LDFLAGS\"" '')" \
 		VERSION="$(cat ../../VERSION)" \
 		GITCOMMIT="${DOCKER_GITCOMMIT}" \

sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/allow-override-build-date.patch

@@ -0,0 +1,30 @@
+From 336f19edea1f15d9a96ebee604f160df43653503 Mon Sep 17 00:00:00 2001
+From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
+Date: Wed, 19 Jul 2017 06:17:19 +0200
+Subject: [PATCH] Allow to override build date
+
+in order to make builds reproducible.
+See https://reproducible-builds.org/ for why this is good
+and https://reproducible-builds.org/specs/source-date-epoch/
+for the definition of this variable.
+
+Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
+Upstream-commit: 760763e9957840f1983a5006f4e66d6920ec496e
+Component: engine
+---
+ components/engine/hack/make.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/components/engine/hack/make.sh b/components/engine/hack/make.sh
+index b7d59ba94a..7d18d649b5 100755
+--- a/components/engine/hack/make.sh
++++ b/components/engine/hack/make.sh
+@@ -68,7 +68,7 @@ DEFAULT_BUNDLES=(
+ )
+ 
+ VERSION=$(< ./VERSION)
+-! BUILDTIME=$(date --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')
++! BUILDTIME=$(date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')
+ if [ "$DOCKER_GITCOMMIT" ]; then
+ 	GITCOMMIT="$DOCKER_GITCOMMIT"
+ elif command -v git &> /dev/null && [ -d .git ] && git rev-parse &> /dev/null; then

sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.06.ebuild

@@ -11,7 +11,7 @@ KEYWORDS="amd64 arm64"
 
 # Explicitly list all packages that will be built into the image.
 RDEPEND="
-	=app-emulation/docker-17.06.1
+	=app-emulation/docker-17.06.1-r1
 	=app-emulation/containerd-0.2.9_p7
 	=app-emulation/docker-proxy-0.8.0_p20170410-r1
 	=app-emulation/docker-runc-1.0.0_rc3_p53