Correct non-deterministic files in base image.
With this change and ee846a7 the
contents of the base image are hopefully reproducible. The tarball
itself is still non-deterministic due to the inclusion of timestamps.

Changes to the base image:

```
@@ -109,7 +109,7 @@
 -rw-r--r-- 0/0             120 etc/logrotate.d/alternatives
 -rw-r--r-- 0/0             173 etc/logrotate.d/apt
 -rw-r--r-- 0/0             112 etc/logrotate.d/dpkg
--r--r--r-- 0/0              33 etc/machine-id
+-r--r--r-- 0/0               0 etc/machine-id
 -rw-r--r-- 0/0             782 etc/mke2fs.conf
 drwxr-xr-x 0/0               0 etc/modules-load.d/
 lrwxrwxrwx 0/0               0 etc/modules-load.d/modules.conf -> ../modules
@@ -137,7 +137,6 @@
 -rw-r--r-- 0/0            2259 etc/pam.d/su
 -rw-r--r-- 0/0             137 etc/pam.d/su-l
 -rw-r--r-- 0/0             965 etc/passwd
--rw-r--r-- 0/0             912 etc/passwd-
 -rw-r--r-- 0/0             769 etc/profile
 drwxr-xr-x 0/0               0 etc/profile.d/
 drwxr-xr-x 0/0               0 etc/rc0.d/
@@ -176,7 +175,6 @@
 drwxr-xr-x 0/0               0 etc/selinux/
 -rw-r--r-- 0/0            2065 etc/selinux/semanage.conf
 -rw-r----- 0/42            530 etc/shadow
--rw-r----- 0/42            505 etc/shadow-
 -rw-r--r-- 0/0             116 etc/shells
 drwxr-xr-x 0/0               0 etc/skel/
 -rw-r--r-- 0/0             220 etc/skel/.bash_logout
@@ -5283,7 +5281,6 @@
 -rw-r--r-- 0/0          751371 var/cache/debconf/templates.dat
 -rw-r--r-- 0/0          711721 var/cache/debconf/templates.dat-old
 drwx------ 0/0               0 var/cache/ldconfig/
--rw------- 0/0            5385 var/cache/ldconfig/aux-cache
 drwx------ 0/0               0 var/cache/private/
 drwxr-xr-x 0/0               0 var/lib/
 drwxr-xr-x 0/0               0 var/lib/apt/
@@ -5293,7 +5290,7 @@
 drwxr-xr-x 0/0               0 var/lib/apt/mirrors/partial/
 drwxr-xr-x 0/0               0 var/lib/apt/periodic/
 drwxr-xr-x 0/0               0 var/lib/dbus/
--rw-r--r-- 0/0              33 var/lib/dbus/machine-id
+lrwxrwxrwx 0/0               0 var/lib/dbus/machine-id -> /etc/machine-id
 drwxr-xr-x 0/0               0 var/lib/dpkg/
 drwxr-xr-x 0/0               0 var/lib/dpkg/alternatives/
 -rw-r--r-- 0/0             207 var/lib/dpkg/alternatives/awk
@@ -5871,13 +5868,13 @@
 lrwxrwxrwx 0/0               0 var/lock -> /run/lock
 drwxr-xr-x 0/0               0 var/log/
 lrwxrwxrwx 0/0               0 var/log/README -> ../../usr/share/doc/systemd/README.logs
--rw-r--r-- 0/0             174 var/log/alternatives.log
+-rw-r--r-- 0/0               0 var/log/alternatives.log
 drwxr-xr-x 0/0               0 var/log/apt/
--rw-r--r-- 0/0            5340 var/log/apt/eipp.log.xz
--rw-r--r-- 0/0            1656 var/log/apt/history.log
--rw-r----- 0/4           14334 var/log/apt/term.log
+-rw-r--r-- 0/0               0 var/log/apt/eipp.log.xz
+-rw-r--r-- 0/0               0 var/log/apt/history.log
+-rw-r----- 0/4               0 var/log/apt/term.log
 -rw-rw---- 0/43              0 var/log/btmp
--rw-r--r-- 0/0           18582 var/log/dpkg.log
+-rw-r--r-- 0/0               0 var/log/dpkg.log
 -rw-r--r-- 0/0               0 var/log/faillog
 drwxr-sr-x 0/999             0 var/log/journal/
 -rw-rw-r-- 0/43              0 var/log/lastlog
```

Changes to /etc/shadow:

```
@@ -16,5 +16,5 @@
 irc:*:19541:0:99999:7:::
 _apt:*:19541:0:99999:7:::
 nobody:*:19541:0:99999:7:::
-systemd-network:!*:19830::::::
-messagebus:!:19830::::::
+systemd-network:!*:19541::::::
+messagebus:!:19541::::::
```

Bug: 332535604
Change-Id: I9ed8b3739e8cfe5941561972ec1e118ebc91d1f3
bmclarnon authored and jblebrun committed Apr 18, 2024
1 parent 58dd373 commit 01a7f5f
18 changes: 16 additions & 2 deletions oak_containers_system_image/base_image.Dockerfile
@@ -18,8 +18,22 @@ RUN apt-get --yes update \
&& apt-get clean \
&& rm --recursive --force /var/lib/apt/lists/*

# Clean up some stuff we don't need
RUN rm -rf /usr/share/doc /usr/share/info /usr/share/man
# Clean up several non-deterministic and unneeded files:
# * /etc/shadow contains the date passwords were generated; set to the same
# age as root
# * passwd and shadow backup files can be removed
# * /var/lib/dbus/machine-id can be a symlink to /etc/machine-id
# * /etc/machine-id should be missing or empty so that it's generated on boot
# * various log files can be empty
# * doc/info/man pages aren't needed
# * /var/cache/ldconfig/aux-cache can be removed; this is safe for all files
# in /var/cache
RUN (LAST_DAY="$(awk -F: '$1=="root"{print $3}' /etc/shadow)"; \
chage -d "$LAST_DAY" messagebus && chage -d "$LAST_DAY" systemd-network) \
&& rm -f /etc/{passwd,shadow}- \
&& ln -sf /etc/machine-id /var/lib/dbus/machine-id \
&& find /etc/machine-id /var/log -type f -execdir truncate -s 0 '{}' '+' \
&& rm -rf /usr/share/{doc,info,man} /var/cache/ldconfig/aux-cache

# Copy config files
COPY files /
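Review bot: the brace expansions in `rm -f /etc/{passwd,shadow}-` and `rm -rf /usr/share/{doc,info,man}` only work if this RUN step executes under bash; Docker's default `/bin/sh -c` on a Debian base is dash, which passes the braces through literally, and `-f` then hides the failure, so the backup files and doc directories would silently survive. Unless an earlier `SHELL ["/bin/bash", "-c"]` (not visible in this hunk) is in effect, spell the paths out, e.g. `rm -f /etc/passwd- /etc/shadow-` and `rm -rf /usr/share/doc /usr/share/info /usr/share/man`. One ordering note worth a comment: the `rm -f` of the backup files must stay after the two `chage` calls, as it is here, because chage rewrites /etc/shadow and regenerates the /etc/shadow- backup in the process.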
