authorTim Stewart <tim@stoo.org>2017-04-16 02:39:02 -0400
committerTim Stewart <tim@stoo.org>2017-04-16 22:46:24 -0400
commit5ca1646bb0404a21dcfc4b3842f0651c1d19b3cc (patch)
tree4fbdfe68a9cc3cc4168d5d99a774bfc90a1be522 /pkgs/build-support
parenta7d2be1471bb31bb047027aa0d3f06370926e0b8 (diff)
docker: improve reproducibility of layers
This patch fixes file modification times to $SOURCE_DATE_EPOCH, and
ensures that files originating from the store are owned by root:root.
Both changes improve reproducibility, and the latter allows proper
building on a host where the store is owned by a non-root user.
Diffstat (limited to 'pkgs/build-support')
-rw-r--r--pkgs/build-support/docker/default.nix15
1 files changed, 8 insertions, 7 deletions
diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix
index 27575053954f..7f63664dadd0 100644
--- a/pkgs/build-support/docker/default.nix
+++ b/pkgs/build-support/docker/default.nix
@@ -209,7 +209,7 @@ rec {
 
       postMount = ''
         echo "Packing raw image..."
-        tar -C mnt --mtime=0 -cf $out .
+        tar -C mnt --mtime="@$SOURCE_DATE_EPOCH" -cf $out .
       '';
     };
 
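Review bot: The new `--mtime="@$SOURCE_DATE_EPOCH"` argument on the tar line has no fallback when the variable is unset or empty; in that case tar receives `--mtime=@`, which is not a valid date, so the build fails with a date-parsing error rather than a message naming the missing variable. The same form is used in the later hunks at the layer-packing, appended-files and image-cooking tar invocations. Nix's standard environment presumably exports SOURCE_DATE_EPOCH, but since these shell snippets are embedded Nix strings a cheap explicit guard at the top of each script, `: "${SOURCE_DATE_EPOCH:?SOURCE_DATE_EPOCH must be set for reproducible mtimes}"`, would make the requirement visible and the failure self-explanatory. The enclosing Nix attribute and its shell string begin before this hunk.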
@@ -247,7 +247,7 @@ rec {
         echo "Adding contents..."
         for item in $contents; do
           echo "Adding $item"
-          rsync -ak $item/ layer/
+          rsync -ak --chown=0:0 $item/ layer/
         done
       else
         echo "No contents to add to layer."
@@ -260,7 +260,7 @@ rec {
       # Tar up the layer and throw it into 'layer.tar'.
       echo "Packing layer..."
       mkdir $out
-      tar -C layer --mtime=0 -cf $out/layer.tar .
+      tar -C layer --mtime="@$SOURCE_DATE_EPOCH" -cf $out/layer.tar .
 
       # Compute a checksum of the tarball.
       echo "Computing layer checksum..."
@@ -310,7 +310,7 @@ rec {
         echo "Adding contents..."
         for item in ${toString contents}; do
           echo "Adding $item..."
-          rsync -ak $item/ layer/
+          rsync -ak --chown=0:0 $item/ layer/
         done
       '';
 
@@ -340,7 +340,7 @@ rec {
 
         echo "Packing layer..."
         mkdir $out
-        tar -C layer --mtime=0 -cf $out/layer.tar .
+        tar -C layer --mtime="@$SOURCE_DATE_EPOCH" -cf $out/layer.tar .
 
         # Compute the tar checksum and add it to the output json.
         echo "Computing checksum..."
@@ -467,7 +467,8 @@ rec {
         comm <(sort -n baseFiles|uniq) \
              <(sort -n layerFiles|uniq|grep -v ${layer}) -1 -3 > newFiles
         # Append the new files to the layer.
-        tar -rpf temp/layer.tar --mtime=0 --no-recursion --files-from newFiles
+        tar -rpf temp/layer.tar --mtime="@$SOURCE_DATE_EPOCH" \
+          --owner=0 --group=0 --no-recursion --files-from newFiles
 
         echo "Adding meta..."
 
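Review bot: `--owner=0 --group=0` on the append invocation fixes the numeric ids but GNU tar still records the user and group names it resolves for those ids, so the resulting bytes depend on the builder's passwd/group lookup; adding `--numeric-owner` would remove that remaining source of variation, e.g. `--owner=0 --group=0 --numeric-owner --no-recursion --files-from newFiles`. Note this only affects files appended from `newFiles`; entries already in `temp/layer.tar` keep whatever ownership they were written with, which I assume is the intended scope. The enclosing shell string begins and ends outside this hunk.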
@@ -496,7 +497,7 @@ rec {
         chmod -R a-w image
 
         echo "Cooking the image..."
-        tar -C image --mtime=0 -c . | pigz -nT > $out
+        tar -C image --mtime="@$SOURCE_DATE_EPOCH" -c . | pigz -nT > $out
 
         echo "Finished."
       '';