These depend on the build environment, but differences
don't show up inside the docker image as docker sets the
content of these files when starting a container.
We can put static values in the files to stop the image
layers differing without affecting the running containers
in any way.
This wasn't caught by the reproducibility check as the values
will be pretty static when built on the same host. (hostname
will be fixed, and resolv.conf will only change if the networking
configuration changes enough, and that is unlikely to happen)
The builds were reproducible provided they were done on the same day.
However if they were done on different days they had different dates
in /etc/shadow and so changed. This meant that the images were
updated every day, and sometimes the reproducibility check would
fail if the day ticked over between the builds.
When this happens in Travis the intermediate images
aren't pushed, so you have to rebuild locally.
The dockerdiff output may be large, but that's more useful
than having to try and reproduce locally.
Tweak the tests so that they use default-mysql-server
on newer dists as it replaced the mysql-server package.
Also add explicit import of the buster signing key
as the Travis agent doesn't have it available.
Thanks to Filippo Giunchedi (@filippog) for the initial
work on this.
* Decode key value
The docker content trust repository key is base64-encoded, so let's decode it before dumping it to a file
* decode option is `-d` in Linux
We found this issue in the Travis build:
```
refusing to load key from /tmp/tmp.7IS3P9lCpg/key: private key file /tmp/tmp.7IS3P9lCpg/key must not be readable or writable by others
```
Making the file readable by the running user should fix the problem.
The code tries to avoid the contents being printed in the output in case shell tracing is enabled at some point, but that implementation also makes the `tmpdir` variable inaccessible in that context.
It's an essential package designed for exactly this.
It's pretty small, so not a huge cost to putting it back in.
The problem is pervasive enough, and it's unlikely that
users will know how to fix it, that it's worth us solving
it in the base image.
Change the mkimage script so that the produced image is
reproducible. This involves:
- removing the ldconfig aux-cache as it changes on every build.
- set the mtimes of the files to a specific date so that the
resulting tar file will have the same contents.
- The `strings` guard around the unsafe-io tweak seems to be
non-deterministic. It was sometimes not adding the tweak
for the same file. Remove it as we don't care about older
than jessie.
- Importing the image by constructing a docker image with
a specific timestamp and doing `docker load`.
Also change the buildall script to build each image twice and
confirm that the same tarball is produced, and that results
in the layers in the imported images matching.
Add a dockerdiff script that checks that two images are equivalent,
and tries to show the differences if not. This is useful when the
build script reports differences, as it can point to what the
differences are.
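The following is an added example, not the project's mkimage, buildall or dockerdiff scripts: it applies the normalisation steps the commits above describe (static hostname/resolv.conf, dropping the ldconfig aux-cache, clamping mtimes) to a rootfs directory, packs it into a deterministic tar, and compares the digests of two builds the way the double-build check does. The fixed date and the rootfs paths are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: make a rootfs tree reproducible and check two builds match.
set -eu

# Arbitrary constructed mtime applied to every entry (YYYYMMDDhhmm.ss, UTC).
FIXED_MTIME=201801010000.00

# Remove per-build noise and clamp mtimes. Paths assumed from the commit text.
normalise_rootfs() {
    rootfs=$1
    mkdir -p "$rootfs/etc"
    # ldconfig's aux-cache differs on every build, so drop it.
    rm -f "$rootfs/var/cache/ldconfig/aux-cache"
    # Docker overwrites these when a container starts, so static content is safe.
    printf 'localhost\n' > "$rootfs/etc/hostname"
    printf 'nameserver 127.0.0.1\n' > "$rootfs/etc/resolv.conf"
    # Same mtime on every file, directory and symlink (-h: do not follow links).
    TZ=UTC find "$rootfs" -exec touch -h -t "$FIXED_MTIME" {} +
}

# Pack the tree with a sorted entry list and numeric uid/gid 0 so the archive
# bytes depend only on names, modes and contents, not on the build host.
pack_rootfs() {
    rootfs=$1; out=$2
    ( cd "$rootfs" && find . | LC_ALL=C sort | \
        tar --no-recursion --numeric-owner --owner=0 --group=0 \
            --format=gnu -cf "$out" -T - )
}

# Digest of the normalised, packed tree (uncompressed: gzip would add a timestamp).
rootfs_digest() {
    tmp=$(mktemp)
    normalise_rootfs "$1"
    pack_rootfs "$1" "$tmp"
    sha256sum "$tmp" | cut -d' ' -f1
    rm -f "$tmp"
}

# The double-build check: two trees must produce byte-identical archives.
images_match() {
    [ "$(rootfs_digest "$1")" = "$(rootfs_digest "$2")" ]
}
```

`images_match /path/to/build1 /path/to/build2` exits non-zero when the trees differ; running `tar -tvf` on both archives then shows which entries changed, which is the role dockerdiff plays for real images.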