
image: unset password reset date to ensure reproducibility #3466

Merged
merged 3 commits into main from burgerdev/image-repro
Nov 4, 2024

Conversation

burgerdev
Contributor

@burgerdev burgerdev commented Oct 30, 2024

Context

As part of our mkosi build, we add a system user etcd using the systemd-sysusers mechanism. The tool should understand SOURCE_DATE_EPOCH, but does not apply it for some reason (maybe missing env propagation in mkosi).

Proposed change(s)

  • Manually reset the "last changed" date in a finalize step.

Related issue

Additional info

Checklist

  • Run the E2E tests that are relevant to this PR's changes
  • Add labels (e.g., for changelog category)
  • Is PR title adequate for changelog?
  • Link to Milestone
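The finalize step proposed above, as an added example (not the project's own finalize script): it clears the "last password change" field (field 3 of /etc/shadow) that systemd-sysusers fills with the build day, and provides a check that a built root filesystem no longer carries one. The shadow file path and the sample entries in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the PR. Field layout of /etc/shadow:
#   name:password:lastchanged:min:max:warn:inactive:expire:reserved
# systemd-sysusers writes the current day into `lastchanged` when
# SOURCE_DATE_EPOCH is not honoured, so two otherwise identical builds
# produce different images. Clearing the field restores reproducibility;
# an empty lastchanged simply means "never changed", which is fine for a
# system account whose password is locked ("!*").

# Rewrite the shadow file at $1 in place, clearing field 3 of every entry.
# Writing through `cat` keeps the original file's owner and mode.
unset_shadow_lastchanged() {
    shadow="$1"
    tmp="$shadow.tmp"
    awk 'BEGIN { FS = OFS = ":" } { $3 = ""; print }' "$shadow" > "$tmp"
    cat "$tmp" > "$shadow"
    rm -f "$tmp"
}

# Check helper: succeed (exit 0) only if no entry in $1 still carries a
# lastchanged day. Useful as an assertion at the end of the finalize step.
shadow_is_reproducible() {
    ! awk -F: '$3 != "" { found = 1 } END { exit !found }' "$1"
}
```

In a mkosi finalize script the target would be "$BUILDROOT/etc/shadow"; the check can be run against both a CI-built and a locally built image to confirm that this field is no longer a source of difference.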

@burgerdev burgerdev added the bug fix Fixing a bug label Oct 30, 2024
@burgerdev burgerdev added this to the v2.20.0 milestone Oct 30, 2024
@burgerdev burgerdev requested a review from 3u13r October 30, 2024 15:32
@burgerdev burgerdev requested a review from msanft as a code owner October 30, 2024 15:32
unset instead of hard-code
Contributor

@msanft msanft left a comment

LGTM, we might want to add a TODO to this indicating that SOURCE_DATE_EPOCH is not propagated correctly, so that we can at least report it to mkosi some day.

@3u13r
Member

3u13r commented Oct 30, 2024

Upstream qemu-vtpm debug image (built by the CI for this branch in https://github.com/edgelesssys/constellation/actions/runs/11608302241):

$ sha256sum image.raw
79b8b664334e21492c1b13b0975dba28a37a5e593114f02b471dfde0f08f8dd5  image.raw

$ sudo -E ./measured-boot-precalc image.raw outout
[sudo] password for euler: 
EFI Boot Stages:
  Stage 1 - Unified Kernel Image (UKI): 179750f819842a49da5e9292e5e85a5949c751480b3802b72ac3694afbfb2bea
  Stage 2 - Linux                     : 5232e888e2c6e9a0d241f6a55b7dea4794857285f8030d458af7d9260efe4040
Linux LOAD_FILE2 protocol:
  cmdline: "roothash=8d5475fb4e08011fb9f7690f393580c3fe4dd64d8f87d4a1848e7442c3e3e82d preempt=full rd.shell=0 rd.emergency=reboot loglevel=8 selinux=1 enforcing=0 audit=0 constellation.console constellation.debug console=ttyS0 constel.csp=qemu mitigations=auto,nosmt constel.attestation-variant=qemu-vtpm\x00"
  initrd (digest d871e33c9c723d06a0a758762e044e4a0eb0a08a4408f006ef8959a0fff6048a)
UKI sections:
  Section  1 - .linux   (  15589360 bytes):     0da293e37ad5511c59be47993769aacb91b243f7d010288e118dc90e95aaef5a, 05f09569ac63ef17e4ab241f4a82db20b40f488983b017fbaff710d91aba8c2b
  Section  2 - .osrel   (       737 bytes):     3fb9e4e3cc810d4326b5c13cef18aee1f9df8c5f4f7f5b96665724fa3b846e08, a65be491c42d929f7d5a0483aa06142a5837f386806a32200ac24b0b45c7902d
  Section  3 - .cmdline (       293 bytes):     461203a89f23e36c3a4dc817f905b00484d2cf7e7d9376f13df91c41d84abe46, 2e875c86d63b9bdb43894ae0c2489481308eaedbf2eb4262445ae31f8a6ce8d4
  Section  4 - .initrd  ( 269517360 bytes):     15ee37e75f1e8d42080e91fdbbd2560780918c81fe3687ae6d15c472bbdaac75, d871e33c9c723d06a0a758762e044e4a0eb0a08a4408f006ef8959a0fff6048a
  Section  5 - .uname   (        36 bytes):     da7a6d941caa9d28b8a3665c4865c143db8f99400ac88d883370ae3021636c30, a1a96faf5b8967c3d19de5aa9e9616b8734ff9df500efc18ebe610103f1629a1
  Section  6 - .sbat    (       315 bytes):     ff552fd255be18a3d61c0da88976fc71559d13aad12d1dfe1708cf950cc4b74c, 7b0756da32531190c03b332f1bd38da29cbf7bab81731a93a8c9af56f6688990
  Section  7 - .data   :        not measured
  Section  8 - .reloc  :        not measured
  Section  9 - .rodata :        not measured
  Section 10 - .sdmagic:        not measured
  Section 11 - .text   :        not measured
PCR[ 4]: 0074c5b17297d008f2dd301774a9805c7967969c4334459985e01be47aff6b82
PCR[ 9]: bf6de25a182c57e1634103de3aa7f9e2b6b4c37d045b886193af3ce16a3a3b74
PCR[11]: 68115f21874925dacb8cca7f44cc801c798893b1c16cf3ec815c7ab4fd34b24b
PCR[12]: 0000000000000000000000000000000000000000000000000000000000000000
PCR[13]: 0000000000000000000000000000000000000000000000000000000000000000
PCR[15]: 0000000000000000000000000000000000000000000000000000000000000000

local image:

$ bazel build //image/system:qemu_qemu-vtpm_debug
...

$ sha256sum ../bazel-bin/image/system/qemu_qemu-vtpm_debug/constellation.raw
01f8c1dfffcb974af009c3c40951f5c778cdb8a933cb932ce51dd2b23940ad05  ../bazel-bin/image/system/qemu_qemu-vtpm_debug/constellation.raw


$ sudo -E ./measured-boot-precalc ../bazel-bin/image/system/qemu_qemu-vtpm_debug/constellation.raw outout
[sudo] password for euler: 
EFI Boot Stages:
  Stage 1 - Unified Kernel Image (UKI): 57e5f4d73d5898c38978d69f16b4e2b9c6b9917554a6d5af6fe2f06b8136dad6
  Stage 2 - Linux                     : 5232e888e2c6e9a0d241f6a55b7dea4794857285f8030d458af7d9260efe4040
Linux LOAD_FILE2 protocol:
  cmdline: "roothash=83fbac4ce19dfc515935f8877b9e81421507e4ec4f86d862e9025408adce3324 preempt=full rd.shell=0 rd.emergency=reboot loglevel=8 selinux=1 enforcing=0 audit=0 constellation.console constellation.debug console=ttyS0 constel.csp=qemu mitigations=auto,nosmt constel.attestation-variant=qemu-vtpm\x00"
  initrd (digest 766988fc8770776cdb5cea9777e8ade271e3fbd16c90b024243b5d085c994229)
UKI sections:
  Section  1 - .linux   (  15589360 bytes):     0da293e37ad5511c59be47993769aacb91b243f7d010288e118dc90e95aaef5a, 05f09569ac63ef17e4ab241f4a82db20b40f488983b017fbaff710d91aba8c2b
  Section  2 - .osrel   (       737 bytes):     3fb9e4e3cc810d4326b5c13cef18aee1f9df8c5f4f7f5b96665724fa3b846e08, 8cf8b92ad6873b258ab35afc0d097cacad7ac50ca7fcfe613a21eb229988ad32
  Section  3 - .cmdline (       293 bytes):     461203a89f23e36c3a4dc817f905b00484d2cf7e7d9376f13df91c41d84abe46, c1d6ba317720f9d98ebb503e5602837a03e5e3cde8c07d0b38bffc40809f26c1
  Section  4 - .initrd  ( 269517416 bytes):     15ee37e75f1e8d42080e91fdbbd2560780918c81fe3687ae6d15c472bbdaac75, 766988fc8770776cdb5cea9777e8ade271e3fbd16c90b024243b5d085c994229
  Section  5 - .uname   (        36 bytes):     da7a6d941caa9d28b8a3665c4865c143db8f99400ac88d883370ae3021636c30, a1a96faf5b8967c3d19de5aa9e9616b8734ff9df500efc18ebe610103f1629a1
  Section  6 - .sbat    (       315 bytes):     ff552fd255be18a3d61c0da88976fc71559d13aad12d1dfe1708cf950cc4b74c, 7b0756da32531190c03b332f1bd38da29cbf7bab81731a93a8c9af56f6688990
  Section  7 - .data   :        not measured
  Section  8 - .reloc  :        not measured
  Section  9 - .rodata :        not measured
  Section 10 - .sdmagic:        not measured
  Section 11 - .text   :        not measured
PCR[ 4]: b3f7da87f71cd90bbc5c093a318603dc03100e7287bee535aecae499ab6ddae1
PCR[ 9]: c24a88542c724e4849f6fa8fcb6aa34eab958a7ab4356ef02d19066d5bc31e04
PCR[11]: 3092336610521da40d01475654d9fa7672b3d8a7ccdf8d96a54b44ee64476f17
PCR[12]: 0000000000000000000000000000000000000000000000000000000000000000
PCR[13]: 0000000000000000000000000000000000000000000000000000000000000000
PCR[15]: 0000000000000000000000000000000000000000000000000000000000000000



@burgerdev
Contributor Author

@3u13r: could you please describe in more detail what you are trying to reproduce? What is "Upstream qemu-vtpm debug image"?

@3u13r
Member

3u13r commented Oct 30, 2024

"Upstream qemu-vtpm debug image" simply refers to the image you started building in the CI. I've amended the info in the original comment.
I just wanted to give the data point that this PR is not enough to reproduce CI images on (my?) Ubuntu 22.04 machine.

@burgerdev
Contributor Author

Note that the CI job ran on 4cc5e08, which is not the current HEAD - sorry for that.

@burgerdev
Contributor Author

@3u13r: I started a new image build on current HEAD.

@msanft: I added an explanation - it seems like the issue is in our flake somewhere, mkosi from nixos-unstable does not have this issue.

@3u13r
Member

3u13r commented Oct 31, 2024

I've updated my original comment with the new image build by the CI.

@burgerdev
Contributor Author

The reproducibility issues @3u13r encountered are different and will be addressed in a follow-up PR.

@burgerdev burgerdev merged commit 960499a into main Nov 4, 2024
16 checks passed
@burgerdev burgerdev deleted the burgerdev/image-repro branch November 4, 2024 13:53