kubernetes-1.24.0 reproducible builds: kubelet binary varies #110928

Closed
bmwiedemann opened this issue Jul 3, 2022 · 16 comments
Labels
area/build-release kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. sig/release Categorizes an issue or PR as relevant to SIG Release.

Comments

@bmwiedemann

What happened?

While working on reproducible builds for openSUSE, I found that our kubernetes1.24 package stopped producing bit-identical results on 2 fresh builds.

--- strings RPMS.1/usr/bin/kubelet1.24
+++ strings RPMS.2/usr/bin/kubelet1.24
@@ -1,6 +1,6 @@
 /lib64/ld-linux-x86-64.so.2
-D/iB)
-YwVWBSSdZpPsrO9TM081/7CBb1fZOvPOFshzvo1cu/UKVjqzDsSfvmOjrwnpZv/UooIAWPloG5fXOlWD0oC
+rc{.
+tPfq4us5qtj6n5wGE3lh/7CBb1fZOvPOFshzvo1cu/UKVjqzDsSfvmOjrwnpZv/5Y18rAlngXbjuDxH_BT5
 _Z!#YH+
 o&43b
 =#jv
@@ -1456855,7 +1456855,7 @@
 /usr/lib64/go/1.18/src/net/tcpsockopt_unix.go
 /usr/lib64/go/1.18/src/net/udpsock_posix.go
 /usr/lib64/go/1.18/src/net/unixsock_posix.go
-/tmp/go-build1406627905/b050/_cgo_gotypes.go
+/tmp/go-build3558486601/b050/_cgo_gotypes.go
 /usr/lib64/go/1.18/src/net/cgo_resnew.go
 /usr/lib64/go/1.18/src/net/cgo_unix.go
 /usr/lib64/go/1.18/src/net/cgo_socknew.go
@@ -1457086,7 +1457086,7 @@
 vendor/k8s.io/klog/v2/internal/serialize/keyvalues.go
 /usr/lib64/go/1.18/src/os/user/lookup.go
 /usr/lib64/go/1.18/src/os/user/user.go
-/tmp/go-build1908184651/b122/_cgo_gotypes.go
+/tmp/go-build1410760062/b122/_cgo_gotypes.go
 /usr/lib64/go/1.18/src/os/user/cgo_lookup_unix.go
 vendor/k8s.io/klog/v2/exit.go
 vendor/k8s.io/klog/v2/klog.go
@@ -1460325,7 +1460325,7 @@
 vendor/github.com/google/cadvisor/utils/cpuload/cpuload.go
 vendor/github.com/docker/go-units/size.go
 vendor/github.com/docker/go-units/ulimit.go
-/tmp/go-build1382031104/b1017/_cgo_gotypes.go
+/tmp/go-build2774399619/b1017/_cgo_gotypes.go
 vendor/github.com/mindprince/gonvml/bindings.go
 vendor/github.com/google/cadvisor/accelerators/nvidia.go
 vendor/github.com/google/cadvisor/nvm/machine_no_libipmctl.go

The first chunk is likely just the hash of the remainder, so can be ignored.
The other chunks indicate that a random build temporary path is used for _cgo_gotypes.go.

What did you expect to happen?

Sources should be able to reproduce bit-identical binaries e.g. for SLSA level4

How can we reproduce it (as minimally and precisely as possible)?

On Debian or openSUSE do

osc co openSUSE:Factory/kubernetes1.24 && cd $_
for i in 1 2 ; do
  osc build --clean --noservice --keep-pkg=RPMS.$i \
  --define='%source_date_epoch_from_changelog Y' \
  --define="%_buildhost reproducible" \
  --define='%clamp_mtime_to_source_date_epoch Y' \
  --define='%use_source_date_epoch_as_buildtime Y'
done
sha256sum RPMS.*/kubernetes1.24-kubelet-1*.rpm

Anything else we need to know?

No response

Kubernetes version

$ kubectl version

WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short. Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.0", GitCommit:"4ce5a8954017644c5420bae81d72b09b735c21f0", GitTreeState:"clean", BuildDate:"2022-05-05T00:00:00Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.4


Cloud provider

OS version

# On Linux:
$ cat /etc/os-release
NAME="openSUSE Tumbleweed"
VERSION="20220701"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20220701"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:tumbleweed:20220701"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Tumbleweed"
LOGO="distributor-logo-Tumbleweed"

$ uname -a
Linux bmwiedemann-factory 5.18.6-1-default #1 SMP PREEMPT_DYNAMIC Thu Jun 23 05:46:18 UTC 2022 (5aa0763) x86_64 x86_64 x86_64 GNU/Linux

Install tools

go1.18

Container runtime (CRI) and version (if applicable)

Related plugins (CNI, CSI, ...) and versions (if applicable)

@bmwiedemann bmwiedemann added the kind/bug Categorizes issue or PR as related to a bug. label Jul 3, 2022
@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Jul 3, 2022
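
The check behind the opening post's diagnosis (random `/tmp/go-build…` paths for `_cgo_gotypes.go`), as an added shell example that is not part of the original issue or of the Kubernetes or Go tooling: it lists the go-build directories embedded in a binary and prints the string-level differences that remain between two builds once that directory is normalised. The function names and sample files are constructed for illustration, and the `buildid-…` marker is a stand-in for the first diff chunk.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample files are constructed.

# Random per-build work directory created by the go tool, as seen in the diff.
GOBUILD_RE='/tmp/go-build[0-9]+'

# Minimal strings(1) stand-in: printable ASCII runs of 4+ chars, one per line.
printable_strings() {
    LC_ALL=C tr -cs '[:print:]' '\n' < "$1" | LC_ALL=C grep -E '.{4,}'
}

# List the distinct go-build temp directories embedded in a binary.
list_build_paths() {
    printable_strings "$1" | grep -oE "$GOBUILD_RE" | sort -u
}

# Print the string differences left between two builds after the random
# directory is normalised; empty output means it was the only variation.
residual_diff() {
    ta=$(mktemp) && tb=$(mktemp) || return 2
    printable_strings "$1" | sed -E "s#$GOBUILD_RE#/tmp/go-build#g" > "$ta"
    printable_strings "$2" | sed -E "s#$GOBUILD_RE#/tmp/go-build#g" > "$tb"
    diff "$ta" "$tb" | grep -E '^[<>]' || true
    rm -f "$ta" "$tb"
}

# Constructed stand-in for a cgo-built binary: NUL-separated source paths,
# one of them under work directory suffix $2, plus a fake build-ID marker $3.
make_sample() {
    printf 'ELF\0\1/usr/lib64/go/1.18/src/net/cgo_unix.go\0/tmp/go-build%s/b050/_cgo_gotypes.go\0\2vendor/k8s.io/klog/v2/klog.go\0buildid-%s\0' \
        "$2" "$3" > "$1"
}

# Demo on two constructed "builds" that differ in temp path and build ID.
d=$(mktemp -d)
make_sample "$d/kubelet.1" 1406627905 idA
make_sample "$d/kubelet.2" 3558486601 idB
echo "embedded work directories in build 1:"
list_build_paths "$d/kubelet.1"
echo "differences left after normalising the work directory:"
residual_diff "$d/kubelet.1" "$d/kubelet.2"
rm -rf "$d"
```

On real package output the same two functions can be pointed at `RPMS.1/usr/bin/kubelet1.24` and `RPMS.2/usr/bin/kubelet1.24` from the reproduction steps above.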
@k8s-ci-robot

@bmwiedemann: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.


@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jul 3, 2022
@bmwiedemann

/sig release
/area build-release

@k8s-ci-robot k8s-ci-robot added sig/release Categorizes an issue or PR as relevant to SIG Release. area/build-release and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jul 3, 2022
@dims

dims commented Jul 24, 2022

@bmwiedemann can you please post a link to the full logs from the build?

@dims

dims commented Sep 25, 2022

@saschagrunert any news on this? Haven't heard from @bmwiedemann (context: we worked to fix this a couple of times in #70131)

@saschagrunert

Unfortunately not, @bmwiedemann is this something we can fix on the OBS side? If the go build timestamp (go-build3558486601) is the main issue here then we can approach a fix in our build pipeline.

@bmwiedemann

It would be good if /tmp/go-build$int would not be embedded in the first place. It might be possible to replace it somehow in our builds, but all other people wanting reproducible builds would need to replicate that.

@bmwiedemann

@dims full logs from the build: https://rb.zq1.de/temp/kubernetes1.24-build-log.txt
from kubernetes-1.24.3 built 2022-08-18

@dims

dims commented Oct 4, 2022

@bmwiedemann can you please try setting GOCACHE=off when you run the build?

I am suspecting that the temp directory is being generated here:
https://github.com/golang/go/blob/6d8ec893039a39f495c8139012e47754e4518b70/src/cmd/go/internal/cache/default.go#L77-L80

(or add an export in hack/lib/golang.sh for that env var)

@bmwiedemann

I added export GOCACHE=off to our .spec file but still got these diffs.

@dims

dims commented Oct 5, 2022

So i built golang from source, peppered it with changes to track down where this is getting created and found that it is coming from:
https://github.com/golang/go/blob/c318f191e45e3496f8afe0a456337e9f76d7f7b4/src/cmd/go/internal/work/action.go#L268

I don't know yet how to fix it. will dig more when i can (travelling for the next few days)

@saschagrunert

saschagrunert commented Oct 6, 2022

Would it work to override the GOGCCFLAGS, I see that they use the -fdebug-prefix-map=/tmp/go-build823405942=/tmp/go-build:

> go env GOGCCFLAGS
-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2616882006=/tmp/go-build -gno-record-gcc-switches

Ref: https://reproducible-builds.org/docs/build-path/

Edit: Probably not, we may make it configurable in golang 🤔

@dims

dims commented Oct 6, 2022

this is so tricky @saschagrunert :( will dig more when i get back from my event this week

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 4, 2023
@k8s-triage-robot

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 3, 2023
@k8s-triage-robot

/close not-planned

@k8s-ci-robot k8s-ci-robot closed this as not planned Won't fix, can't repro, duplicate, stale Mar 5, 2023
@k8s-ci-robot

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".
