cmd/image/export: Allow generating deterministic tarballs

[mauriciovasquezbernal]

The build command now supports the SOURCE_DATE_EPOCH env variable[0] to allow reproducible builds. Also, the export command is changed to always sort the index to guarentee the exported tarball is deterministic.

Testing

Before

# IG_SOURCE_PATH is needed to build in-tree gadgets that contain a wasm module
$ export IG_SOURCE_PATH=<absolute path to IG source location>

$ cd gadgets/trace_open # any other gadget works as well

# multiple invocations of build produce an image with a different digest each time
$ sudo -E ig image build . -t trace_open:last
INFO[0000] Experimental features enabled
Successfully built ghcr.io/inspektor-gadget/gadget/trace_open:last@sha256:a00e322b2ad607cfb7051dbe241f976b96a189fe7618fc5f4a48e65ffa2fa518

$ sudo -E ig image build . -t trace_open:last
INFO[0000] Experimental features enabled
Successfully built ghcr.io/inspektor-gadget/gadget/trace_open:last@sha256:6c530558cb88a5bf3e6be89866477e819111d5af2e077d192c86e42fe05f7946

# exporting those images will for sure produce a tar file with changing digest a well.

After

# IG_SOURCE_PATH is needed to build in-tree gadgets that contain a wasm module
$ export IG_SOURCE_PATH=<absolute path to IG source location>

# the digest is constant when setting SOURCE_DATE_EPOCH

$ SOURCE_DATE_EPOCH=0 sudo -E ig image build . -t trace_open:latest
INFO[0000] Experimental features enabled
Pulling builder image ghcr.io/inspektor-gadget/ebpf-builder:latest
latest: Pulling from inspektor-gadget/ebpf-builder
Digest: sha256:aa544c4316d583ad7ac4a500b97b67cfbb22e7f3125f8a9a002a4eaedf7f45ef
Status: Image is up to date for ghcr.io/inspektor-gadget/ebpf-builder:latest
Successfully built ghcr.io/inspektor-gadget/gadget/trace_open:latest@sha256:faec585ef38bf306497bb3989753fe9657c05a0fc14d0fabd590ef5ec4aab0b3

$ SOURCE_DATE_EPOCH=0 sudo -E ig image build . -t trace_open:latest
INFO[0000] Experimental features enabled
Pulling builder image ghcr.io/inspektor-gadget/ebpf-builder:latest
latest: Pulling from inspektor-gadget/ebpf-builder
Digest: sha256:aa544c4316d583ad7ac4a500b97b67cfbb22e7f3125f8a9a002a4eaedf7f45ef
Status: Image is up to date for ghcr.io/inspektor-gadget/ebpf-builder:latest
Successfully built ghcr.io/inspektor-gadget/gadget/trace_open:latest@sha256:faec585ef38bf306497bb3989753fe9657c05a0fc14d0fabd590ef5ec4aab0b3

# the exported images are constant as well
$ SOURCE_DATE_EPOCH=0 sudo -E ig image build . -t trace_open:latest
INFO[0000] Experimental features enabled
Pulling builder image ghcr.io/inspektor-gadget/ebpf-builder:latest
latest: Pulling from inspektor-gadget/ebpf-builder
Digest: sha256:aa544c4316d583ad7ac4a500b97b67cfbb22e7f3125f8a9a002a4eaedf7f45ef
Status: Image is up to date for ghcr.io/inspektor-gadget/ebpf-builder:latest
Successfully built ghcr.io/inspektor-gadget/gadget/trace_open:latest@sha256:faec585ef38bf306497bb3989753fe9657c05a0fc14d0fabd590ef5ec4aab0b3
$ sudo -E ig image export trace_open:latest /tmp/image1.tar
INFO[0000] Experimental features enabled
Successfully exported images to /tmp/image1.tar

$ SOURCE_DATE_EPOCH=0 sudo -E ig image build . -t trace_open:latest
INFO[0000] Experimental features enabled
Pulling builder image ghcr.io/inspektor-gadget/ebpf-builder:latest
latest: Pulling from inspektor-gadget/ebpf-builder
Digest: sha256:aa544c4316d583ad7ac4a500b97b67cfbb22e7f3125f8a9a002a4eaedf7f45ef
Status: Image is up to date for ghcr.io/inspektor-gadget/ebpf-builder:latest
Successfully built ghcr.io/inspektor-gadget/gadget/trace_open:latest@sha256:faec585ef38bf306497bb3989753fe9657c05a0fc14d0fabd590ef5ec4aab0b3
$ sudo -E ig image export trace_open:latest /tmp/image2.tar
INFO[0000] Experimental features enabled
Successfully exported images to /tmp/image2.tar

$ sha256sum /tmp/image1.tar /tmp/image2.tar
c3d83221dbda9770558a82cd85c6d1e93891c9dc0e111f5fdd9cd1926459bc54  /tmp/image1.tar
c3d83221dbda9770558a82cd85c6d1e93891c9dc0e111f5fdd9cd1926459bc54  /tmp/image2.tar
mauriciov@mvb-desktop:~/.../trace_open$

This will be useful for #2853 and for tests artifacts generated in #2818

[alban]

Instead of disabling CreatedAt, could you pick the last mtime of the source files (gadget.yaml, program.bpf.c, etc.)?

cc @vbatts for https://github.com/vbatts/tar-split

[mauriciovasquezbernal]

Instead of disabling CreatedAt, could you pick the last mtime of the source files (gadget.yaml, program.bpf.c, etc.)?

Do you mean in all cases? Or only when --disable-created-at is passed?

(only issue I see in the future is understanding which file to use, there are going to be gadgets with program.bpf.c and program.go, etc. or any of them)

[vbatts]

[vbatts]

First off: neat. Reproducibility helps make things more predictable and usually has ripple benefits.

Question: just how deterministic to you want or need these archives to be?

The approach is likely "good enough" for some simple use cases, but any slightly more complicated use cases like changes within the versions of golang archive/tar, differences between golang vs libarchive vs gnu vs bsd implementations, etc. then this is not far enough for reproducibility.
Further sometimes even subtle issues like the xattr metadata is a key-value dictionary that is not order dependent, so sometimes with multiple xattrs like selinux or IMA hash or cap permissions, the order changes everytime, and the hashes of the tar will never be consistent.

So, it all depends on your use-cases

[mauriciovasquezbernal]

I'd like the export command to generate a deterministic tarball, so we only care about the implementation in golang and not other libraries. How does your library work? Is it just a matter of using github.com/vbatts/tar-split/archive/tar instead of archive/tar? or do I need to do something else?

[vbatts]

the tar-split library is a stream reader that you can put inline before you would use archive/tar, and it builds something like a reply-log so you can reassemble the exact tarball from what has been extracted.
It doesn't sound like it matches your use-case.
Perhaps what you've done is simple and good enough.

[mauriciovasquezbernal]

Instead of disabling CreatedAt, could you pick the last mtime of the source files (gadget.yaml, program.bpf.c, etc.)?

Updated the logic to use this when a --deterministic flag is passed.

[vbatts]

Also, I'll say I don't recall the particulars about filepath.Walk() logic. With just a couple of files it may not matter, but could also be a source of non-determinism. That may want a little investigation.

[mauriciovasquezbernal]

Documentation says:

The files are walked in lexical order, which makes the output deterministic but requires Walk to read an entire directory into memory before proceeding to walk that directory.

So I think we're fine or are you thinking about something else?

[eiffel-fl]

It really depends on what we are walking on.
If we walk only on the files of interest, they should not change between several build and should produce the same OCI images.
But, if we are walking all the files, then adding or removing one can have impact on the order of walking and act as a side effect.

In our specific case, I guess this is OK because the directory is temporary one and is used as OCI store, so it should only contains files of interest.

[eiffel-fl]

Hi!

I am not sure not understand the usage of EBPFSource.

Best regards.

[alban]

LGTM

---

Also, shouldn't it be the default?

I'm not sure. I think it's fine to have this disable by default so the created annotation is the time when the image was built.

I am also tempted to make it the default, but I don't have a strong opinion.

[mauriciovasquezbernal]

I'll mark this on hold for a bit, perhaps having the --deterministic flag on the build command is a bad idea. I'll check how it's done in docker.

[vbatts]

I would not add a flag, and if this is not breaking anything than I would roll forward with it.

[mauriciovasquezbernal]

I didn't find a way to remove the flag. Having this by default would imply that the org.opencontainers.image.created annotation is set to the the latest mod time of the source files, which I don't think is correct. So I'd rather stick to have a specific flag for it.

Btw, I checked and docker doesn't support reproducible builds (yet?).

[eiffel-fl]

Btw, I checked and docker doesn't support reproducible builds (yet?).

buildkit/buildx, which we use to bake the arm64 image, permits reproducible images:
https://github.com/moby/buildkit/blob/master/docs/build-repro.md
https://docs.docker.com/build/ci/github-actions/reproducible-builds/

[vbatts]

On 25/06/24 14:52 -0700, Mauricio Vásquez wrote: Btw, I checked and docker doesn't support reproducible builds (yet?).

no. Only reproducible once the image is pushed to a registry. The reproducibility is only when pulled, that it can again be pushed and not mutate.

[mauriciovasquezbernal]

buildkit/buildx, which we use to bake the arm64 image, permits reproducible images:
https://github.com/moby/buildkit/blob/master/docs/build-repro.md
https://docs.docker.com/build/ci/github-actions/reproducible-builds/

Thanks for the pointer. Now I understood the piece I was missing: https://reproducible-builds.org/docs/source-date-epoch/.

I updated the logic to use this variable, and now the --deterministic flag is gone.

@alban @eiffel-fl could you please check it again given that I did some changes?

(I also updated a missing piece of logic to iterate in order through a map, it was also causing the images to be not deterministic)

[eiffel-fl]

Hi!

I have one small comment with regard to time parsing.
Otherwise it looks good to me and I definitely think this is a great addition.

Best regards.

[eiffel-fl]

Should we rather use a time related function to parse this value?
Or since this is always seconds this is OK to use "simple" string conversion.

[mauriciovasquezbernal]

I think it's fine to use the string conversion as the goal is to convert from string to number. I don't think the time package provides any function that will take an unix time as a string.

Btw, this parsing code was taken from https://reproducible-builds.org/docs/source-date-epoch/.

[eiffel-fl]

It really depends on what we are walking on.
If we walk only on the files of interest, they should not change between several build and should produce the same OCI images.
But, if we are walking all the files, then adding or removing one can have impact on the order of walking and act as a side effect.

In our specific case, I guess this is OK because the directory is temporary one and is used as OCI store, so it should only contains files of interest.

[mauriciovasquezbernal]

Thanks for the review and all comments folks, I'll merge it now!