New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Improvement] Reproducible builds #3439
Comments
|
please find here a reproducer which highlights the problem. Ideally we should get only one line with the same MD5 repeated 100 times. |
|
Hi Andrea, thanks for opening this issue! Having the build scripts produce reproducible output seems reasonable to me (and might actually prevent cargo from thinking it has to recompile things all the time). Would you be interested in working on this issue? I suppose the first step would be to replace the Best, |
|
Sure I can work on this. I was thinking about using an |
This doesn't help with preventing cargo from recompiling the filters. That is already done by the build script, which watches and only reruns seccompiler if the JSON files have changed. Also, is this the only thing that prevents Firecracker from having reproducible builds? I tend to doubt it. Firecracker will move in version 2.0 to using the seccompiler from rust-vmm: https://github.com/rust-vmm/seccompiler, and there's an old branch for it with the work (needs rebasing): https://github.com/firecracker-microvm/firecracker/tree/feature/rust_vmm_adoption Striving for reproducible builds seems reasonable to me too, but if you make those changes now in Firecracker, beware that they'll get overwritten sometime in the future. |
I tested it with #3445 and it produces bit-reproducible binaries in openSUSE. With the 2.0 version, we will just need to re-test and maybe re-fix. |
Great!
You'd need to re-fix in a different place, in the seccompiler repo |
Feature Request
while packaging the software, we noticed that two subsequent builds sometimes produce a slightly different binary. This is probably related to the
seccompilerthat reads BPF filters definition fromresources/seccomp/*.jsonfile and uses anHashMapto store BPF data into aseccomp_filter.bpfblob that gets included in the target.Describe the desired solution
We suggest using a data structure that preserves the order of insertion, so in the final binary we always get map keys in the same order, enabling to get identical binaries in the build.
The text was updated successfully, but these errors were encountered: