Add support for reproducible images/bundles

NVIDIA · Apr 4, 2020 · 1e075ef · 1e075ef
1 parent 5c34a33
commit 1e075ef
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/src/docker.sh b/src/docker.sh
@@ -235,7 +235,7 @@ docker::configure() {
 docker::import() (
     local -r uri="$1"
     local filename="$2" arch="$3"
-    local layers=() config= image= registry= tag= user= tmpdir=
+    local layers=() config= image= registry= tag= user= tmpdir= timestamp=()
 
     common::checkcmd curl grep awk jq parallel tar "${ENROOT_GZIP_PROGRAM}" find mksquashfs zstd
 
@@ -308,11 +308,15 @@ docker::import() (
     zstd -q -d -o config "${ENROOT_CACHE_PATH}/${config}"
     docker::configure "${PWD}/0" config "${arch}"
 
+    if [ -n "${SOURCE_DATE_EPOCH-}" ]; then
+        timestamp=("-mkfs-time" "${SOURCE_DATE_EPOCH}" "-all-time" "${SOURCE_DATE_EPOCH}")
+    fi
+
     # Create the final squashfs filesystem by overlaying all the layers.
     common::log INFO "Creating squashfs filesystem..." NL
     mkdir rootfs
     MOUNTPOINT="${PWD}/rootfs" \
-    enroot-mksquashovlfs "0:$(seq -s: 1 "${#layers[@]}")" "${filename}" -all-root ${TTY_OFF+-no-progress} -processors "${ENROOT_MAX_PROCESSORS}" ${ENROOT_SQUASH_OPTIONS} >&2
+    enroot-mksquashovlfs "0:$(seq -s: 1 "${#layers[@]}")" "${filename}" ${timestamp[@]+"${timestamp[@]}"} -all-root ${TTY_OFF+-no-progress} -processors "${ENROOT_MAX_PROCESSORS}" ${ENROOT_SQUASH_OPTIONS} >&2
 )
 
 docker::daemon::import() (

diff --git a/src/runtime.sh b/src/runtime.sh
@@ -559,7 +559,7 @@ runtime::remove() {
 
 runtime::bundle() (
     local image="$1" filename="$2" target="$3" desc="$4"
-    local super= tmpdir= compress=
+    local super= tmpdir= compress= timestamp=
 
     common::checkcmd unsquashfs find awk grep
 
@@ -625,8 +625,12 @@ runtime::bundle() (
         [ -d "${environ_dirs[1]}" ] && cp -Lpr "${environ_dirs[1]}" "${tmpdir}${bundle_usrconf_dir}"
     fi
 
+    if [ -n "${SOURCE_DATE_EPOCH-}" ]; then
+        timestamp="--mtime=@${SOURCE_DATE_EPOCH}"
+    fi
+
     # Make a self-extracting archive with the entrypoint being our bundle script.
-    enroot-makeself --tar-quietly --tar-extra '--numeric-owner --owner=0 --group=0 --ignore-failed-read' \
+    enroot-makeself --tar-quietly --tar-extra "--numeric-owner --owner=0 --group=0 --ignore-failed-read ${timestamp}" \
       --nomd5 --nocrc ${ENROOT_BUNDLE_CHECKSUM:+--sha256} --header "${ENROOT_LIBRARY_PATH}/bundle.sh" "${compress}" \
       --target "${target}" "${tmpdir}" "${filename}" "${desc}" -- \
       "${bundle_bin_dir}" "${bundle_lib_dir}" "${bundle_envconf}" "${bundle_sysconf_dir}" "${bundle_usrconf_dir}" >&2