From 491cca63415707dc89e1674083be18ad2f98c15b Mon Sep 17 00:00:00 2001
From: sudoforge
Date: Sat, 29 Mar 2025 22:23:37 -0700
Subject: [PATCH] Use a digest for the debian base image

66600f32dc7c4f45638dbcd7a450bb5707f9f9cd introduced various improvements to the determinism of the container image in this repository. This change builds on this effort by ensuring that the base image is pulled by digest. Image digests are immutable references, unlike tags, which are mutable (except when optionally configured as immutable in certain container registries, but not `docker.io`).
---
 CHANGELOG.md | 5 +++++
 Dockerfile | 8 ++++----
 Dockerfile.env | 7 +++++--
 Dockerfile.in | 4 ++--
 docs/developer/reproducibility.md | 2 +-
 5 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 194d30b..904333d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,6 +25,11 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or
 but enables you to chose which one you want to use, independently of your
 platform. ([#925](https://github.com/freedomofpress/dangerzone/issues/925))
 
+### Changed
+
+- The `debian` base image is now fetched by digest. As a result, your local
+ container storage will no longer show a tag for this dependency.
+
 ## [0.8.1](https://github.com/freedomofpress/dangerzone/compare/v0.8.1...0.8.0)
 
 - Update the container image
diff --git a/Dockerfile b/Dockerfile
index 8975a40..f459a42 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,9 +2,9 @@
 # Dockerfile args below. For more info about this file, read
 # docs/developer/reproducibility.md.
 
-ARG DEBIAN_IMAGE_DATE=20250224
+ARG DEBIAN_IMAGE_DIGEST=sha256:12c396bd585df7ec21d5679bb6a83d4878bc4415ce926c9e5ea6426d23c60bdc
 
-FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim AS dangerzone-image
+FROM debian@${DEBIAN_IMAGE_DIGEST} AS dangerzone-image
 
 ARG GVISOR_ARCHIVE_DATE=20250217
 ARG DEBIAN_ARCHIVE_DATE=20250226
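Review bot: The new `FROM debian@${DEBIAN_IMAGE_DIGEST} AS dangerzone-image` line drops the only human-readable reference to the base image, so neither a reader of this file nor `docker history` can tell which Debian snapshot the digest corresponds to without opening Dockerfile.env; the matching Dockerfile.in hunk, which this file is generated from, has the same gap. The `name:tag@digest` reference form keeps both, with the digest remaining the enforced pin and the tag purely informational (a tag that does not match the digest is not detected, so it documents rather than verifies): keep `ARG DEBIAN_IMAGE_DATE=20250224` next to the digest ARG and write `FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim@${DEBIAN_IMAGE_DIGEST} AS dangerzone-image`. Since Dockerfile.env describes the value as an index digest, a comment above the ARG such as `# Index (manifest-list) digest: the per-platform manifest is still selected at build time` would also make clear that this pins the multi-arch index rather than one platform's image.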
@@ -185,8 +185,8 @@ RUN mkdir -p \
 # Copy the /etc and /var directories under the new root directory. Also,
 # copy /etc/, /opt, and /usr to the Dangerzone image rootfs.
 #
-# NOTE: We also have to remove the resolv.conf file, in order to not leak any DNS
-# servers added there during image build time.
+# NOTE: We also have to remove the resolv.conf file, in order to not leak any
+# DNS servers added there during image build time.
 RUN cp -r /etc /var /new_root/ \
 && rm /new_root/etc/resolv.conf
 RUN cp -r /etc /opt /usr /new_root/home/dangerzone/dangerzone-image/rootfs \
diff --git a/Dockerfile.env b/Dockerfile.env
index ac3fcd1..a229ae3 100644
--- a/Dockerfile.env
+++ b/Dockerfile.env
@@ -1,5 +1,8 @@
-# Can be bumped to the latest date in https://hub.docker.com/_/debian/tags?name=bookworm-
-DEBIAN_IMAGE_DATE=20250224
+# Should be the INDEX DIGEST from an image tagged `bookworm--slim`:
+# https://hub.docker.com/_/debian/tags?name=bookworm-
+#
+# Tag for this digest: bookworm-20250224-slim
+DEBIAN_IMAGE_DIGEST=sha256:12c396bd585df7ec21d5679bb6a83d4878bc4415ce926c9e5ea6426d23c60bdc
 # Can be bumped to today's date
 DEBIAN_ARCHIVE_DATE=20250226
 # Can be bumped to the latest date in https://github.com/google/gvisor/tags
diff --git a/Dockerfile.in b/Dockerfile.in
index 050cd2a..bb8f8fc 100644
--- a/Dockerfile.in
+++ b/Dockerfile.in
@@ -2,9 +2,9 @@
 # Dockerfile args below. For more info about this file, read
 # docs/developer/reproducibility.md.
 
-ARG DEBIAN_IMAGE_DATE={{DEBIAN_IMAGE_DATE}}
+ARG DEBIAN_IMAGE_DIGEST={{DEBIAN_IMAGE_DIGEST}}
 
-FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim AS dangerzone-image
+FROM debian@${DEBIAN_IMAGE_DIGEST} AS dangerzone-image
 
 ARG GVISOR_ARCHIVE_DATE={{GVISOR_ARCHIVE_DATE}}
 ARG DEBIAN_ARCHIVE_DATE={{DEBIAN_ARCHIVE_DATE}}
diff --git a/docs/developer/reproducibility.md b/docs/developer/reproducibility.md
index 934e5a6..947a5bc 100644
--- a/docs/developer/reproducibility.md
+++ b/docs/developer/reproducibility.md
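Review bot: The first added comment line in Dockerfile.env refers to an image tagged `bookworm--slim`, which appears to have lost its date placeholder; the tag form used everywhere else, including the `Tag for this digest: bookworm-20250224-slim` line two lines below, is `bookworm-<date>-slim`. That `Tag for this digest` line is now free text that has to be hand-edited on every digest bump, and nothing catches a digest and a tag that have drifted apart, so the comment can silently misdescribe what is actually pinned. Keeping the date as a real variable next to the digest, `DEBIAN_IMAGE_DATE=20250224`, lets the generated FROM line carry the tag alongside the digest and puts both bumps in one place; the digest must then come from the registry's index entry for that tag, not from whatever single-platform image happens to be in local storage.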
@@ -27,7 +27,7 @@ This means that rebuilding the image without updating our Dockerfile will
 Here are the necessary variables that make up our image in the `Dockerfile.env` file:
-* `DEBIAN_IMAGE_DATE`: The date that the Debian container image was released
+* `DEBIAN_IMAGE_DIGEST`: The index digest for the Debian container image
 * `DEBIAN_ARCHIVE_DATE`: The Debian snapshot repo that we want to use
 * `GVISOR_ARCHIVE_DATE`: The gVisor APT repo that we want to use
 * `H2ORESTART_CHECKSUM`: The SHA-256 checksum of the H2ORestart plugin