JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

dockerTools: dereference hard links in tar archives

Browse Source 
This is to improve image creation reproducibility. Since the nar
format doesn't support hard link, the tar stream of a layer can be
different if a dependency of a layer has been built locally or if it
has been fetched from a binary cache.

If the dependency has been build locally, it can contain hard links
which are encoded in the tar stream. If the dependency has been
fetched from a binary cache, the tar stream doesn't contain any hard
link. So even if the content is the same, tar streams are different.
This commit is contained in:
Antoine Eiche 2018-03-12 17:06:21 +01:00
parent a682ba23d4
commit 346996ceec
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
pkgs/build-support/docker/default.nix
View File

@ -212,7 +212,7 @@ rec {
postMount = ''
echo "Packing raw image..."
tar -C mnt --mtime="@$SOURCE_DATE_EPOCH" -cf $out .
tar -C mnt --hard-dereference --mtime="@$SOURCE_DATE_EPOCH" -cf $out .
'';
};
@ -277,7 +277,7 @@ rec {
# Tar up the layer and throw it into 'layer.tar'.
echo "Packing layer..."
mkdir $out
tar -C layer --mtime="@$SOURCE_DATE_EPOCH" --owner=${toString uid} --group=${toString gid} -cf $out/layer.tar .
tar -C layer --hard-dereference --mtime="@$SOURCE_DATE_EPOCH" --owner=${toString uid} --group=${toString gid} -cf $out/layer.tar .
# Compute a checksum of the tarball.
echo "Computing layer checksum..."
@ -359,7 +359,7 @@ rec {
echo "Packing layer..."
mkdir $out
tar -C layer --mtime="@$SOURCE_DATE_EPOCH" -cf $out/layer.tar .
tar -C layer --hard-dereference --mtime="@$SOURCE_DATE_EPOCH" -cf $out/layer.tar .
# Compute the tar checksum and add it to the output json.
echo "Computing checksum..."
@ -489,7 +489,7 @@ rec {
comm <(sort -n baseFiles|uniq) \
<(sort -n layerFiles|uniq|grep -v ${layer}) -1 -3 > newFiles
# Append the new files to the layer.
tar -rpf temp/layer.tar --mtime="@$SOURCE_DATE_EPOCH" \
tar -rpf temp/layer.tar --hard-dereference --mtime="@$SOURCE_DATE_EPOCH" \
--owner=0 --group=0 --no-recursion --files-from newFiles
echo "Adding meta..."
@ -537,7 +537,7 @@ rec {
chmod -R a-w image
echo "Cooking the image..."
tar -C image --mtime="@$SOURCE_DATE_EPOCH" --owner=0 --group=0 --xform s:'./':: -c . | pigz -nT > $out
tar -C image --hard-dereference --mtime="@$SOURCE_DATE_EPOCH" --owner=0 --group=0 --xform s:'./':: -c . | pigz -nT > $out
echo "Finished."
'';