app-emulation/docker: build reproducibly

The docker client and engine both include a 'BuildTime' variable set in their build scripts. Overriding that to a consistent value is sufficient for them to build reproducibly as best I can tell. This CLI's build scripts have a mechanism for doing this. The engine has an upstream patch (included starting with 17.07) that allows doing the same. This modifies the build to apply the above build patch, and set a build time for both. It's expected that the build time will be set by the ebuild author each time the ebuild is modified, thus turning the 'build time' output to really be the 'package created time', which I think is a reasonable difference.
2025-08-21 22:41:09 +02:00 · 2017-09-03 17:17:56 -07:00 · 2017-09-03 17:17:56 -07:00 · dfde9c44af
commit dfde9c44af
parent 59a7befbbf
4 changed files with 46 additions and 2 deletions
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.06.1-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-17.06.1-r1.ebuild
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/docker-9999.ebuild
@ -20,9 +20,14 @@ else
 		MY_PV="$PV-ce"
 	fi
 	DOCKER_GITCOMMIT="874a737"
+	# Unix timestamp to use for this build. Set to `date +%s` each time an ebuild
+	# is edited.
+	# This is required for a reproducible build
+	DOCKER_BUILD_DATE="1504482497"
 	SRC_URI="https://${COREOS_GO_PACKAGE}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
 	KEYWORDS="amd64 arm64"
 	[ "$DOCKER_GITCOMMIT" ] || die "DOCKER_GITCOMMIT must be added manually for each bump!"
+	[ "$DOCKER_BUILD_DATE" ] || die "DOCKER_BUILD_DATE must be added manually for each bump!"
 fi
 inherit bash-completion-r1 coreos-go-depend linux-info systemd udev user

@ -74,6 +79,10 @@ RESTRICT="installsources strip"

 S="${WORKDIR}/${P}/src/${COREOS_GO_PACKAGE}"

+PATCHES=(
+	"${FILESDIR}/allow-override-build-date.patch"
+)
+
 # see "contrib/check-config.sh" from upstream's sources
 CONFIG_CHECK="
 	~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
@ -205,6 +214,7 @@ src_unpack() {
 	else
 		git-r3_src_unpack
 		DOCKER_GITCOMMIT=$(git -C "${S}" rev-parse HEAD | head -c 7)
+		DOCKER_BUILD_DATE=$(git -C "${S}" log -1 --format="%ct")
 	fi
 }

@ -248,14 +258,18 @@ src_compile() {
 	fi

 	# build daemon
-	./hack/make.sh dynbinary || die 'dynbinary failed'
+	SOURCE_DATE_EPOCH="${DOCKER_BUILD_DATE}" ./hack/make.sh dynbinary || die 'dynbinary failed'

 	popd || die # components/engine

 	pushd components/cli || die

+
+	# Imitating https://github.com/docker/docker-ce/blob/v17.06.1-ce/components/cli/scripts/build/.variables#L7
+	CLI_BUILDTIME="$(date -d "@${DOCKER_BUILD_DATE}" --utc --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')"
 	# build cli
 	emake \
+		BUILDTIME="${CLI_BUILDTIME}" \
 		LDFLAGS="$(usex hardened "-extldflags \"-fno-PIC $LDFLAGS\"" '')" \
 		VERSION="$(cat ../../VERSION)" \
 		GITCOMMIT="${DOCKER_GITCOMMIT}" \
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/allow-override-build-date.patch
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/docker/files/allow-override-build-date.patch
@ -0,0 +1,30 @@
+From 336f19edea1f15d9a96ebee604f160df43653503 Mon Sep 17 00:00:00 2001
+From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
+Date: Wed, 19 Jul 2017 06:17:19 +0200
+Subject: [PATCH] Allow to override build date
+
+in order to make builds reproducible.
+See https://reproducible-builds.org/ for why this is good
+and https://reproducible-builds.org/specs/source-date-epoch/
+for the definition of this variable.
+
+Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
+Upstream-commit: 760763e9957840f1983a5006f4e66d6920ec496e
+Component: engine
+---
+ components/engine/hack/make.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/components/engine/hack/make.sh b/components/engine/hack/make.sh
+index b7d59ba94a..7d18d649b5 100755
+--- a/components/engine/hack/make.sh
+++ b/components/engine/hack/make.sh
+@@ -68,7 +68,7 @@ DEFAULT_BUNDLES=(
+ )
+ 
+ VERSION=$(< ./VERSION)
+-! BUILDTIME=$(date --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')
+! BUILDTIME=$(date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')
+ if [ "$DOCKER_GITCOMMIT" ]; then
+ 	GITCOMMIT="$DOCKER_GITCOMMIT"
+ elif command -v git &> /dev/null && [ -d .git ] && git rev-parse &> /dev/null; then
--- a/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.06.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-torcx/docker/docker-17.06.ebuild
@ -11,7 +11,7 @@ KEYWORDS="amd64 arm64"

 # Explicitly list all packages that will be built into the image.
 RDEPEND="
-	=app-emulation/docker-17.06.1
+	=app-emulation/docker-17.06.1-r1
 	=app-emulation/containerd-0.2.9_p7
 	=app-emulation/docker-proxy-0.8.0_p20170410-r1
 	=app-emulation/docker-runc-1.0.0_rc3_p53