From d28d6f9479e958e3fd509d6533aebffa0db8ca66 Mon Sep 17 00:00:00 2001
From: sudoforge
Date: Sat, 29 Mar 2025 22:23:37 -0700
Subject: [PATCH] Use an image digest to improve container image determinism
66600f32dc7c4f45638dbcd7a450bb5707f9f9cd introduced various improvements to the determinism of the container image in this repository. This change builds on this effort by introducing support for a container image digest. Image digests are immutable references, unlike tags, which are mutable (except when optionally configured as immutable in certain container registries, but not `docker.io`).
---
 Dockerfile | 7 ++++---
 Dockerfile.env | 2 ++
 Dockerfile.in | 3 ++-
 docs/developer/reproducibility.md | 1 +
 4 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 8975a40..3a0a965 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,8 +3,9 @@
 # docs/developer/reproducibility.md.
 ARG DEBIAN_IMAGE_DATE=20250224
+ARG DEBIAN_IMAGE_DIGEST=sha256:12c396bd585df7ec21d5679bb6a83d4878bc4415ce926c9e5ea6426d23c60bdc
-FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim AS dangerzone-image
+FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim@${DEBIAN_IMAGE_DIGEST} AS dangerzone-image
 ARG GVISOR_ARCHIVE_DATE=20250217
 ARG DEBIAN_ARCHIVE_DATE=20250226
@@ -185,8 +186,8 @@ RUN mkdir -p \
 # Copy the /etc and /var directories under the new root directory. Also,
 # copy /etc/, /opt, and /usr to the Dangerzone image rootfs.
 #
-# NOTE: We also have to remove the resolv.conf file, in order to not leak any DNS
-# servers added there during image build time.
+# NOTE: We also have to remove the resolv.conf file, in order to not leak any
+# DNS servers added there during image build time.
 RUN cp -r /etc /var /new_root/ \
 && rm /new_root/etc/resolv.conf
 RUN cp -r /etc /opt /usr /new_root/home/dangerzone/dangerzone-image/rootfs \
diff --git a/Dockerfile.env b/Dockerfile.env
index ac3fcd1..9bde3cf 100644
--- a/Dockerfile.env
+++ b/Dockerfile.env
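Review bot: Once the `@${DEBIAN_IMAGE_DIGEST}` suffix is on the `FROM` line, the tag part `bookworm-${DEBIAN_IMAGE_DATE}-slim` no longer decides what is pulled — the digest alone selects the image — so a later bump of DEBIAN_IMAGE_DATE without a matching DEBIAN_IMAGE_DIGEST builds silently from the old base instead of failing. Nothing in the hunk ties the two ARGs together, and the comment above them (cut off at the top of the hunk) only points to the reproducibility doc. A one-line comment above the new ARG would make the coupling explicit: `# The digest, not the tag, selects the base image: bump DEBIAN_IMAGE_DIGEST together with DEBIAN_IMAGE_DATE.` The identical hunk in Dockerfile.in has the same gap; since Dockerfile.env carries the same value, Dockerfile is presumably rendered from the .in template, so the comment belongs in Dockerfile.in as well.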
@@ -1,5 +1,7 @@
 # Can be bumped to the latest date in https://hub.docker.com/_/debian/tags?name=bookworm-
 DEBIAN_IMAGE_DATE=20250224
+# Should be the INDEX DIGEST for the tag with the selected build date
+DEBIAN_IMAGE_DIGEST=sha256:12c396bd585df7ec21d5679bb6a83d4878bc4415ce926c9e5ea6426d23c60bdc
 # Can be bumped to today's date
 DEBIAN_ARCHIVE_DATE=20250226
 # Can be bumped to the latest date in https://github.com/google/gvisor/tags
diff --git a/Dockerfile.in b/Dockerfile.in
index 050cd2a..14bf7af 100644
--- a/Dockerfile.in
+++ b/Dockerfile.in
@@ -3,8 +3,9 @@
 # docs/developer/reproducibility.md.
 ARG DEBIAN_IMAGE_DATE={{DEBIAN_IMAGE_DATE}}
+ARG DEBIAN_IMAGE_DIGEST={{DEBIAN_IMAGE_DIGEST}}
-FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim AS dangerzone-image
+FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim@${DEBIAN_IMAGE_DIGEST} AS dangerzone-image
 ARG GVISOR_ARCHIVE_DATE={{GVISOR_ARCHIVE_DATE}}
 ARG DEBIAN_ARCHIVE_DATE={{DEBIAN_ARCHIVE_DATE}}
diff --git a/docs/developer/reproducibility.md b/docs/developer/reproducibility.md
index 934e5a6..f18f198 100644
--- a/docs/developer/reproducibility.md
+++ b/docs/developer/reproducibility.md
@@ -28,6 +28,7 @@ This means that rebuilding the image without updating our Dockerfile will
 Here are the necessary variables that make up our image in the `Dockerfile.env` file:
 * `DEBIAN_IMAGE_DATE`: The date that the Debian container image was released
+* `DEBIAN_IMAGE_DIGEST`: The date that the Debian container image was released
 * `DEBIAN_ARCHIVE_DATE`: The Debian snapshot repo that we want to use
 * `GVISOR_ARCHIVE_DATE`: The gVisor APT repo that we want to use
 * `H2ORESTART_CHECKSUM`: The SHA-256 checksum of the H2ORestart plugin
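Review bot: The new comment above DEBIAN_IMAGE_DIGEST says the value must be the INDEX DIGEST but not how to obtain or verify it against the chosen DEBIAN_IMAGE_DATE, so the next bump will probably be copied by hand from the Hub page. Stating the command inline removes the guesswork: `# Obtain with: docker buildx imagetools inspect debian:bookworm-<DEBIAN_IMAGE_DATE>-slim (use the top-level Digest, not a per-platform manifest)`. Pinning the index rather than a platform manifest keeps multi-arch builds working, because the builder still resolves the per-platform manifest under that index; the only way the build stops being reproducible is if the registry drops the index, which is the failure mode a pinned digest is meant to surface loudly. Separately, the docs hunk in docs/developer/reproducibility.md describes `DEBIAN_IMAGE_DIGEST` with the same text as `DEBIAN_IMAGE_DATE` ("The date that the Debian container image was released"), which reads like a copy-paste slip; wording such as `The sha256 index digest of the Debian container image for that date` would match this comment.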