You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Composing a tree using a lockfile and matched commit of the manifest.yaml from the same previously cached RPM files should generate a deterministic/reproducible ostree commit. Currently it does not because Python modules byte compile automatically on first use, and Python byte compilation isn't deterministic.
Expected:
The same ostree commit hash every time.
Steps to reproduce it
Pick a config with a manifest.yaml.
Set SOURCE_DATE_EPOCH to a fixed value
Precache all your RPMs in a separate OStree using --dry-run and --cachedir
Save the lockfile as well
Compose the tree, and take note of the ostree commit hash.
pull-local the commit into a separate archive ostree repo, and add a reference for it
Remove the previously tree and prune.
Re-compose, using the same lockfile and arguments.
Take note of the ostree commit hash
pull-local the commit into the same separate archive ostree repo as Step 6, and add a reference for it
Notice the hashes in step 5 and 9 are different. Diff the ostree references in step 6 and 10 to see why.
Additional Data This existing issue talks about the source of the problem, which is Python modules. Python byte code still isn't reproducible even on Python 3.10 with SOURCE_DATE_EPOCH set to a value. Since SELinux uses Python tools, every rpm installation is running Python modules that get byte-compiled on first use during policy updates and file relabeling. Additionally, some RPMs will use Python scripts in their Install-time scriptlets, which causes further byte-compilation of modules in the system.
The consensus, led heavily by nixpkgs, is that until a Python version is released that can actually have reproducible byte-compiled modules, the only way to really deal with it is to wipe all byte-compiled caches. In nix's case this is before and after builds, but in the rpm-ostree case this is likely as an automatic compose postprocess step.
Would you like to work on the issue?
I can try, but I'm not experienced in Rust or the convoluted cross-calling between the C++ and Rust code.
The solution seems to be to add a new function to the tasks list in the compose_postprocess_final()here, which will find all __pycache__ folders in /usr and remove them.
Though arguably this might actually need to occur after user-specified post-process and post-process-script treefile scripts that might also make use of Python modules instead. If it's not after treefile-specified post-processes, it should at least be documented that any post-process scripts and/or post-process-script files need to remove __pycache__ directories themselves if they make use Python.
The text was updated successfully, but these errors were encountered:
Host system details
Fedora 37, podman 4.3.1, running via a coreos-assembler container image.
Expected vs actual behavior
Actual calls made to coreos-assembler
Calls made to
rpm-ostree
on my behalf:Composing a tree using a lockfile and matched commit of the manifest.yaml from the same previously cached RPM files should generate a deterministic/reproducible ostree commit. Currently it does not because Python modules byte compile automatically on first use, and Python byte compilation isn't deterministic.
Expected:
The same ostree commit hash every time.
Steps to reproduce it
SOURCE_DATE_EPOCH
to a fixed value--dry-run
and--cachedir
pull-local
the commit into a separate archive ostree repo, and add a reference for itpull-local
the commit into the same separate archive ostree repo as Step 6, and add a reference for itNotice the hashes in step 5 and 9 are different. Diff the ostree references in step 6 and 10 to see why.
Additional Data
This existing issue talks about the source of the problem, which is Python modules. Python byte code still isn't reproducible even on Python 3.10 with
SOURCE_DATE_EPOCH
set to a value. Since SELinux uses Python tools, every rpm installation is running Python modules that get byte-compiled on first use during policy updates and file relabeling. Additionally, some RPMs will use Python scripts in their Install-time scriptlets, which causes further byte-compilation of modules in the system.The consensus, led heavily by nixpkgs, is that until a Python version is released that can actually have reproducible byte-compiled modules, the only way to really deal with it is to wipe all byte-compiled caches. In nix's case this is before and after builds, but in the rpm-ostree case this is likely as an automatic
compose postprocess
step.Would you like to work on the issue?
I can try, but I'm not experienced in Rust or the convoluted cross-calling between the C++ and Rust code.
The solution seems to be to add a new function to the
tasks
list in thecompose_postprocess_final()
here, which will find all__pycache__
folders in/usr
and remove them.Though arguably this might actually need to occur after user-specified
post-process
andpost-process-script
treefile scripts that might also make use of Python modules instead. If it's not after treefile-specified post-processes, it should at least be documented that anypost-process
scripts and/orpost-process-script
files need to remove__pycache__
directories themselves if they make use Python.The text was updated successfully, but these errors were encountered: