Make our Dangerzone image reproducible #1049
Move container-only build context - currently just the entrypoint script - from `dangerzone/gvisor_wrapper` to `dangerzone/container`. Update the rest of the scripts to use this location as well.
Remove the need to copy the Dangerzone container image (used by the inner container) within a wrapper gVisor image (used by the outer container). Instead, use the root of the container filesystem for both containers. We can do this safely because we don't mount any secrets to the container, and because gVisor offers a read-only view of the underlying filesystem. Fixes #1048
Download and copy the following artifacts that will be used for building a Debian-based Dangerzone container image in the subsequent commits:
* The APT key for the gVisor repo [1]
* A helper script for building reproducible Debian images [2]
[1] https://gvisor.dev/archive.key
[2] https://github.com/reproducible-containers/repro-sources-list.sh/blob/d15cf12b26395b857b24fba223b108aff1c91b26/repro-sources-list.sh
Remove all the scaffolding in our `build-image.py` script for using the `poetry.lock` file, now that we install PyMuPDF from the Debian repos.
Remove our suggestions for not using the container cache, which stemmed from the fact that our Dangerzone image was not reproducible. Now that we have switched to Debian Stable and the Dockerfile is all we need to reproducibly build the exact same container image, we can just use the cache to speed up builds.
Add jinja2-cli as a package dependency, since it will be used to create the Dockerfile from some user parameters and a template.
Allow updating the Dockerfile from a template and some envs, so that it's easier to bump the dates in it.
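The commits above describe three pieces that together make the build inputs deterministic: a Dockerfile rendered from a template plus a handful of date variables, a vendored helper that pins APT to a snapshot.debian.org archive for a given SOURCE_DATE_EPOCH, and a build cache that is safe to use once those inputs are pinned. The script below is an added illustration of that pipeline, not the project's `build-image.py`, its Dockerfile template, or the vendored `repro-sources-list.sh`. It uses `string.Template` in place of jinja2-cli so it runs with no extra dependency; the template text and the variable names (`DEBIAN_IMAGE_DATE`, `DEBIAN_ARCHIVE_DATE`, `GVISOR_ARCHIVE_DATE`) are assumptions, and the sources.list it emits reproduces the snapshot.debian.org URL layout and the `check-valid-until=no` option that the upstream helper relies on.

```python
"""Render a date-pinned Dockerfile and derive the matching snapshot.debian.org
APT sources.  Added illustration, not Dangerzone's own build tooling; variable
names and the template text are assumptions."""
import datetime as dt
import hashlib
from string import Template

# Constructed stand-in for the project's Dockerfile template (names assumed).
DOCKERFILE_TEMPLATE = Template("""\
FROM debian:bookworm-${DEBIAN_IMAGE_DATE}-slim
ARG DEBIAN_ARCHIVE_DATE=${DEBIAN_ARCHIVE_DATE}
ARG GVISOR_ARCHIVE_DATE=${GVISOR_ARCHIVE_DATE}
COPY repro-sources-list.sh /usr/local/bin/
# The helper rewrites sources.list to snapshot.debian.org for SOURCE_DATE_EPOCH,
# so every apt-get below resolves to the same package versions on every build.
RUN SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH} repro-sources-list.sh && \\
    apt-get update && apt-get install -y --no-install-recommends python3-fitz
""")


def archive_date_to_epoch(yyyymmdd: str) -> int:
    """Convert an archive date such as "20240101" to SOURCE_DATE_EPOCH (UTC midnight)."""
    day = dt.datetime.strptime(yyyymmdd, "%Y%m%d").replace(tzinfo=dt.timezone.utc)
    return int(day.timestamp())


def snapshot_sources_list(source_date_epoch: int, suite: str = "bookworm") -> str:
    """Build the sources.list a snapshot-pinning helper produces: every repo points
    at the snapshot.debian.org archive taken at SOURCE_DATE_EPOCH.  The
    check-valid-until=no option is required because a snapshot's Release files
    are long past their Valid-Until date, which would otherwise fail apt-get update."""
    stamp = dt.datetime.fromtimestamp(source_date_epoch, dt.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    base = "deb [check-valid-until=no] https://snapshot.debian.org/archive"
    return "\n".join([
        f"{base}/debian/{stamp} {suite} main",
        f"{base}/debian/{stamp} {suite}-updates main",
        f"{base}/debian-security/{stamp} {suite}-security main",
    ]) + "\n"


def render_dockerfile(debian_image_date: str, debian_archive_date: str,
                      gvisor_archive_date: str) -> str:
    """Render the template from the date parameters; the archive date also fixes
    SOURCE_DATE_EPOCH so the APT snapshot and the file timestamps agree."""
    return DOCKERFILE_TEMPLATE.substitute(
        DEBIAN_IMAGE_DATE=debian_image_date,
        DEBIAN_ARCHIVE_DATE=debian_archive_date,
        GVISOR_ARCHIVE_DATE=gvisor_archive_date,
        SOURCE_DATE_EPOCH=archive_date_to_epoch(debian_archive_date),
    )


def dockerfile_digest(rendered: str) -> str:
    """SHA-256 of the rendered Dockerfile.  With every input pinned, this text
    (not the build's wall clock) is what should determine the resulting image,
    so a cache keyed on it can be reused safely."""
    return hashlib.sha256(rendered.encode()).hexdigest()


if __name__ == "__main__":
    first = render_dockerfile("20240101", "20240101", "20240101")
    second = render_dockerfile("20240101", "20240101", "20240101")
    assert dockerfile_digest(first) == dockerfile_digest(second)
    print(first)
    print(snapshot_sources_list(archive_date_to_epoch("20240101")))
```

Bumping the dates is then a matter of changing the parameters and re-rendering; the rendered Dockerfile's digest changes only when an input changes, which is exactly the property that makes the container cache safe to keep on.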
Allow setting a tag for the container image, when building it with the `build-image.py` script. This should be used for development purposes only, since the proper image name should be dictated by the script.
Add a dev script for Linux platforms that verifies that a source image can be reproducibly built from the current Git commit. The reproducibility check is enforced by the `diffoci` tool, which is downloaded as part of running the script.
Add a CI job that uses the `reproduce.py` dev script to enforce image reproducibility, for every PR that we send to the repo. Fixes #1047
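The `reproduce.py` script and the CI job described above delegate the actual comparison to `diffoci`. As an added illustration of what such a check must compare (and what it must deliberately ignore), the code below diffs two OCI image configs: it drops the image `created` time and each history entry's `created` timestamp, which legitimately differ between two honest builds, and compares everything that determines what runs, above all the `rootfs.diff_ids` that identify the layer contents. This is not the project's `reproduce.py` and not diffoci's code; the field names follow the OCI image config spec, while the digests, entrypoint and history entries in the sample configs are constructed.

```python
"""Compare two OCI image configs the way a reproducibility check must: ignore
build-time noise (timestamps), compare everything that determines what runs.
Added example; not the project's reproduce.py and not diffoci itself."""
import copy
import json


def load_config(text: str) -> dict:
    """Parse an OCI image config (the JSON blob the manifest's config descriptor points to)."""
    return json.loads(text)


def strip_timestamps(cfg: dict) -> dict:
    """Drop the fields that differ between two honest builds of the same Dockerfile:
    the image 'created' time and each history entry's 'created'."""
    cleaned = copy.deepcopy(cfg)
    cleaned.pop("created", None)
    for entry in cleaned.get("history", []):
        entry.pop("created", None)
    return cleaned


def flatten(obj, prefix: str = "") -> dict:
    """Flatten nested JSON into {json-path: leaf} so each difference is reported by path."""
    if isinstance(obj, dict) and obj:
        out = {}
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
        return out
    if isinstance(obj, list) and obj:
        out = {}
        for index, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}[{index}]"))
        return out
    return {prefix: obj}  # a leaf value, or an empty container


def semantic_diff(cfg_a: dict, cfg_b: dict, ignore_timestamps: bool = True) -> list:
    """Return sorted 'path: a != b' strings; an empty list means the two configs
    describe the same image once build-time noise is removed.  A differing
    rootfs.diff_ids entry means a layer's content changed, i.e. not reproducible."""
    if ignore_timestamps:
        cfg_a, cfg_b = strip_timestamps(cfg_a), strip_timestamps(cfg_b)
    flat_a, flat_b = flatten(cfg_a), flatten(cfg_b)
    absent = "<absent>"
    return [
        f"{path}: {flat_a.get(path, absent)!r} != {flat_b.get(path, absent)!r}"
        for path in sorted(set(flat_a) | set(flat_b))
        if flat_a.get(path, absent) != flat_b.get(path, absent)
    ]


# Constructed sample configs: two builds of the same Dockerfile (A, B) that differ
# only in timestamps, and a third (C) whose second layer has different content.
_LAYER1 = "sha256:" + "11" * 32
_LAYER2 = "sha256:" + "22" * 32
_LAYER2_OTHER = "sha256:" + "33" * 32


def _config(created: str, layer2: str) -> str:
    return json.dumps({
        "architecture": "amd64",
        "os": "linux",
        "created": created,
        "config": {
            "User": "1000",
            "Entrypoint": ["/entrypoint.py"],
            "Env": ["PATH=/usr/local/bin:/usr/bin:/bin"],
        },
        "rootfs": {"type": "layers", "diff_ids": [_LAYER1, layer2]},
        "history": [
            {"created": created, "created_by": "/bin/sh -c #(nop) ADD rootfs.tar /"},
            {"created": created, "created_by": "COPY entrypoint.py /"},
        ],
    })


CONFIG_A = load_config(_config("2024-01-01T10:00:00Z", _LAYER2))
CONFIG_B = load_config(_config("2024-01-02T18:30:00Z", _LAYER2))
CONFIG_C = load_config(_config("2024-01-01T10:00:00Z", _LAYER2_OTHER))

if __name__ == "__main__":
    print("A vs B:", semantic_diff(CONFIG_A, CONFIG_B) or "identical (reproducible)")
    print("A vs C:", semantic_diff(CONFIG_A, CONFIG_C))
```

Run without `ignore_timestamps`, the same two builds show three spurious differences (the image and two history timestamps), which is why a naive manifest-digest comparison reports a reproducible image as non-reproducible and why a CI job needs a semantic comparison rather than a byte-for-byte one.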
Nice work on this!
I added a few comments here and there, and will probably come back to it once I've run it on my laptop. It's pretty neat!
Co-authored-by: Alexis Métaireau <[email protected]>
@@ -0,0 +1,103 @@ | |||
#!/bin/bash | |||
# |
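Review bot: the vendored copy of the helper script opens with only a shebang and an empty `#` comment line, with no statement of where it came from. Add a header comment naming the upstream repository and the exact commit it was copied from (the commit message points at reproducible-containers/repro-sources-list.sh at d15cf12b26395b857b24fba223b108aff1c91b26), and consider recording the file's SHA-256 beside it, so a reviewer can confirm the vendored copy matches upstream without re-downloading it; that also answers the open question below about downloading it on the fly, since a pinned commit plus checksum makes either choice verifiable.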
We also had a discussion about this file, and whether it should be included in this repository or not (the other option would be to download it on the fly, which could be done by the build-image.py script).
We didn't come up with a conclusion on this one just yet. It feels odd to have it included here, but might work in the short run.
Rename the `vendor-pymupdf.py` script to `debian-vendor-pymupdf.py`, since it's used only when building Debian packages.
Add some CVEs in our ignore list, which are present in the new Debian image. These CVEs are marked as "wont-fix" by the Debian Security team.
I've checked out your branch and used it locally. I'm glad to report that it works well! 🎉
I've added a few other questions / remarks, the main one being about ARM64 support for reproducibility.
parser.add_argument( | ||
"--source", | ||
required=True, | ||
help="The source image name that you want to reproduce (in diffoci format)", |
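Review bot: the `--source` help string says "in diffoci format" without showing what that looks like, and `required=True` means a user with the wrong spelling gets an error from diffoci rather than from argparse. Extend the help text with a concrete example of the image-reference schemes diffoci accepts, e.g. `help="... (in diffoci format, e.g. docker://<image:tag> or podman://<image:tag>)"`, so the format is visible from `--help` alone.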
I found it useful to have the doc handy to run reproduce.py, especially for the arguments to pass to --source. Having an example defined here might help users of the script.
def parse_args(): | ||
parser = argparse.ArgumentParser( | ||
prog=sys.argv[0], | ||
description="Dev script for verifying container image reproducibility", |
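Review bot: `description=` says what the script is for but not where its usage is documented, so `--help` is a dead end for someone who has never run it. `argparse.ArgumentParser` takes an `epilog=` parameter that is printed after the argument list; use it to point at the project's reproducibility documentation (the exact path is not visible in this hunk and should match wherever that doc lands in the repo).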
We might want to point people to the documentation for more info.
(Also happy to report that the size of the image dropped from 577 MB to 445 MB with the changes in this branch)
This PR makes our container image reproducible, and enforces it with a CI job on every commit. To do so, we also change our base image from Alpine Linux to Debian Stable, and we use some prior art and tooling from the work that @AkihiroSuda has done on reproducible containers.
Fixes #1046
Fixes #1047
Fixes #1048