singularity-tools.buildImage: non-deterministic

[SomeoneSerge]

Steps To Reproduce

❯ nix build -f '<nixpkgs>' apptainer.tests.image-hello-cowsay --print-out-paths
/nix/store/yxznakyhiwzvy5w1v7yr8hmjih2c5dlx-apptainer-image-hello-cowsay.img
❯ nix build -f '<nixpkgs>' apptainer.tests.image-hello-cowsay --print-out-paths --rebuild
error: derivation '/nix/store/v5xq9nyw68f8l5dy1wj95psqpz3faf4i-apptainer-image-hello-cowsay.img.drv' may not be deterministic: output '/nix/store/yxznakyhiwzvy5w1v7yr8hmjih2c5dlx-apptainer-image-hello-cowsay.img' differs

Known impurities, assuming we've just run nix build .#apptainer.tests.image-hello-cowsay:

• The sif "header", observed by apptainer inspect ./result
• Labels inside the JSON.Generic "data" section, as seen via apptainer sif list ./result, apptainer sif dump 2 ./result

  ❯ read JSON_LAYER < <(apptainer sif list ./result | grep JSON | cut -d" " -f1)
  ❯ apptainer sif dump "$JSON_LAYER" ./result  | jq '.data.attributes.labels."org.label-schema.build-date"'
  

  • build-arch?
• .singularity.d/labels.json inside the squashfs section?
• One of the above did contain random UUIDs, iirc

Expected behavior

Identical hashes

Additional context

Add any other context about the problem here.

Notify maintainers

@ShamrockLee

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

❯ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.1.69, NixOS, 24.05 (Uakari), 24.05.20231224.5f64a12`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.19.2`
 - channels(ss): `"nixgl"`
 - channels(root): `"nixgl, nixos-21.05.2132.733682c3292"`
 - nixpkgs: `/nix/store/5acdh8xyry0kdvp6xla2hw7wf3zkphkl-source`

@ShamrockLee

---

Add a 👍 reaction to issues you find important.

[SomeoneSerge]

A prospective solution is to patch apptainer and/or sif-tool to clean out (conditionally) the impurities (UUIDs and timestamps). Note that spoofing the time isn't feasible because golang doesn't use libc