-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Jib core] Tar archives with same contents are not reproducible #3158
Comments
…s are not reproducible
Thanks for the PR! So a "tar image" is just a local archive (for whatever purpose), simply grabbing necessary files (such as image layer tars, container config JSON, etc) that can constitute a complete image when thought conceptually. AFAIK, there's no standard about how one should create this archive. I believe this is out of the scope of Docker or OCI specifications, because it's simply irrelevant to them. All that matters in the end is how an image can actually be stored in a registry or a Docker daemon; it's irrelevant how one can temporarily carry necessary files from one machine to another until you finally store them in a registry. IMO, it's debatable whether Jib should force a specific timestamp (e.g., epoch) for file entries when creating a "tar image" archive. For building a reproducible container image (not a "tar image"), it's unfortunate that file timestamps in a container image affect reproducibilty according to the current Docker and OCI specifications, and that tools (including Jib) have to make a painful compromise to force a specific timestamp for files inside a container; there's no other choice, and you can't achieve image reproducibilty otherwise. If the specifications had a way to achieve reproducibility without resetting file timestamps in a container image, we (and all other tools) would certainly have kept original file timestamps. OTOH, for a "tar image" archive, nothing forces us to reset timestamps of tar entries; why erase useful information (i.e., timestamp, which many people think is important) for no good reason? However, I know the Bazel philosophy where ensuring reproducibility of every build artifact is so fundamental to the build system, so I understand where this is coming from. AFAIK, for example, when you create a zip file in Bazel (using the general But I think it's not unreasonable to reset timestamps of tar entries when creating a "tar image." I don't think people will complain if we do so. |
… contents are not reproducible" This reverts commit 562e2b8
…s are not reproducible
…s are not reproducible
…s are not reproducible
…s are not reproducible
…s are not reproducible
…s are not reproducible
…s are not reproducible
…s are not reproducible
…le (#3159) * #3158 - [Jib core] Tar archives with same contents are not reproducible * Revert "#3158 - [Jib core] Tar archives with same contents are not reproducible" This reverts commit 562e2b8 * #3158 - [Jib core] Tar archives with same contents are not reproducible * Update jib-core/src/main/java/com/google/cloud/tools/jib/image/ImageTarball.java Co-authored-by: Chanseok Oh <chanseok@google.com> * Update jib-core/src/test/java/com/google/cloud/tools/jib/tar/TarStreamBuilderTest.java Co-authored-by: Chanseok Oh <chanseok@google.com> * Update jib-core/src/test/java/com/google/cloud/tools/jib/tar/TarStreamBuilderTest.java Co-authored-by: Chanseok Oh <chanseok@google.com> * Update jib-core/src/main/java/com/google/cloud/tools/jib/tar/TarStreamBuilder.java Co-authored-by: Chanseok Oh <chanseok@google.com> * Update jib-core/src/main/java/com/google/cloud/tools/jib/tar/TarStreamBuilder.java Co-authored-by: Chanseok Oh <chanseok@google.com> * #3158 - [Jib core] Tar archives with same contents are not reproducible * #3158 - [Jib core] Tar archives with same contents are not reproducible * #3158 - [Jib core] Tar archives with same contents are not reproducible * #3158 - [Jib core] Tar archives with same contents are not reproducible * #3158 - [Jib core] Tar archives with same contents are not reproducible * #3158 - [Jib core] Tar archives with same contents are not reproducible * #3158 - [Jib core] Tar archives with same contents are not reproducible Co-authored-by: Chanseok Oh <chanseok@google.com>
@davidtron thanks again for your contribution! Jib-Core 0.19.0 has been release your fix (#3158). |
Environment:
Description of the issue:
I create a tar file from a registry image.
Jib.from(RegistryImage.named(image)).containerize(Containerizer.to(TarImage.at(outputPath).named(image)));
This is being executed as part of a bazel genrule, with the tar file as the output. We discovered that if this is rerun, the tar file created is different when using the same inputs, run on the same machine but at a later time.
Expected behavior:
We expect the tar file to be identical if the inputs have not changed.
Steps to reproduce:
Additional Information:
The issue is due to TarStreamBuilder creating blobs using new TarArchiveEntry(name)
By default this sets the mod time of the blob to be current time, thus making the resulting Tar image not reproducible.
this.modTime = new Date().getTime() / MILLIS_PER_SECOND;
#3159 3159
The text was updated successfully, but these errors were encountered: