Reproducible build support docker image (#8039)
When building a Docker image, we need a base image. Currently the base image is specified by tag; we can use its sha256 digest to specify the Docker image instead.
parent
70c619c9b6
commit
4b3b4c0ce1
42
scripts/docker_version_control.sh
Executable file
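--- /dev/null
+++ b/scripts/docker_version_control.sh
@@ -0,0 +1,42 @@
+# This script is for reproducible build.
+# Reproducible build for docker enabled: Before build docker image, this script will change image:tag to image:sha256 in DOCKERFILE.
+# And record image sha256 to a target file.
+#!/bin/bash
+
+IMAGENAME=$1
+DOCKERFILE=$2
+ARCH=$3
+DOCKERFILE_TARGE=$4
+DISTRO=$5
+
+version_file=files/build/versions/default/versions-docker
+new_version_file=target/versions/default/versions-docker
+mkdir -p target/versions/default
+
+. src/sonic-build-hooks/buildinfo/config/buildinfo.config
+
+image_tag=`grep "^FROM " $DOCKERFILE | awk '{print$2}'`
+image=`echo $image_tag | cut -f1 -d:`
+tag=`echo $image_tag | cut -f2 -d:`
+
+# if docker image not in white list, exit
+if [[ "$IMAGENAME" != sonic-slave-* ]] && [[ "$IMAGENAME" != docker-base* ]];then
+exit 0
+fi
+
+if [[ ",$SONIC_VERSION_CONTROL_COMPONENTS," == *,all,* ]] || [[ ",$SONIC_VERSION_CONTROL_COMPONENTS," == *,docker,* ]]; then
+if [ -f $version_file ];then
+hash_value=`grep "${ARCH}:${image_tag}" $version_file | awk -F== '{print$2}'`
+fi
+if [ -z $hash_value ];then
+hash_value=unknown
+fi
+oldimage=${image_tag//\//\\/}
+newimage="${oldimage}@$hash_value"
+sed -i "s/$oldimage/$newimage/" $DOCKERFILE
+else
+hash_value=`docker pull $image_tag | grep Digest | awk '{print$2}'`
+fi
+if [[ "$hash_value" != "unknown" ]];then
+echo -e "${ARCH}:${image_tag}==$hash_value" >> $new_version_file
+fi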
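Review bot: The digest lookup `grep "${ARCH}:${image_tag}" $version_file` is an unanchored regex match, so an entry for a longer tag that merely starts with this one, or several matching entries, can supply the value that gets pinned into the `FROM` line, and nothing checks that the value is a digest at all. When no entry is found the script rewrites the Dockerfile to `image:tag@unknown`, which should only fail later inside the image build with an unrelated-looking reference error. I would match the key exactly and stop early: `hash_value=$(awk -F== -v k="${ARCH}:${image_tag}" '$1==k{print $2; exit}' "$version_file")` followed by `[[ "$hash_value" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "no pinned digest for ${image_tag}" >&2; exit 1; }`. The same looseness applies to `grep "^FROM "` at the top, which yields several lines for a multi-stage Dockerfile, and the `#!/bin/bash` line is not the first line of the file, so it has no effect.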
@ -22,7 +22,10 @@ if [ -z "$DISTRO" ]; then
|
|||||||
[ -z "$DISTRO" ] && DISTRO=jessie
|
[ -z "$DISTRO" ] && DISTRO=jessie
|
||||||
fi
|
fi
|
||||||
|
|
||||||
DOCKERFILE_PRE_SCRIPT='# Auto-Generated for buildinfo
|
# add script for reproducible build. using sha256 instead of tag for docker base image.
|
||||||
|
scripts/docker_version_control.sh $@
|
||||||
|
|
||||||
|
DOCKERFILE_PRE_SCRIPT='# Auto-Generated for buildinfo
|
||||||
COPY ["buildinfo", "/usr/local/share/buildinfo"]
|
COPY ["buildinfo", "/usr/local/share/buildinfo"]
|
||||||
RUN dpkg -i /usr/local/share/buildinfo/sonic-build-hooks_1.0_all.deb
|
RUN dpkg -i /usr/local/share/buildinfo/sonic-build-hooks_1.0_all.deb
|
||||||
RUN pre_run_buildinfo'
|
RUN pre_run_buildinfo'
|
||||||
|
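Review bot: The new call `scripts/docker_version_control.sh $@` passes the arguments unquoted and ignores the exit status, so an argument containing whitespace is re-split and a failure to pin the base image does not stop the build. Unless `set -e` is in effect above this hunk, I would write `scripts/docker_version_control.sh "$@" || exit 1`. The surrounding script starts and ends outside the hunk.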
@ -374,10 +374,12 @@ class VersionBuild:
|
|||||||
def load_from_target(self):
|
def load_from_target(self):
|
||||||
dockers_path = os.path.join(self.target_path, 'versions/dockers')
|
dockers_path = os.path.join(self.target_path, 'versions/dockers')
|
||||||
build_path = os.path.join(self.target_path, 'versions/build')
|
build_path = os.path.join(self.target_path, 'versions/build')
|
||||||
|
default_path = os.path.join(self.target_path, 'versions/default')
|
||||||
modules = {}
|
modules = {}
|
||||||
self.modules = modules
|
self.modules = modules
|
||||||
file_paths = glob.glob(dockers_path + '/*')
|
file_paths = glob.glob(dockers_path + '/*')
|
||||||
file_paths += glob.glob(build_path + '/build-*')
|
file_paths += glob.glob(build_path + '/build-*')
|
||||||
|
file_paths += glob.glob(default_path)
|
||||||
file_paths.append(os.path.join(self.target_path, 'versions/host-image'))
|
file_paths.append(os.path.join(self.target_path, 'versions/host-image'))
|
||||||
file_paths.append(os.path.join(self.target_path, 'versions/host-base-image'))
|
file_paths.append(os.path.join(self.target_path, 'versions/host-base-image'))
|
||||||
for file_path in file_paths:
|
for file_path in file_paths:
|
||||||
|
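Review bot: `glob.glob(default_path)` in `load_from_target` has no wildcard, so it returns `[default_path]` when the directory exists and an empty list otherwise, unlike the two globs above it, which expand to children. Next to `dockers_path + '/*'` that reads like a forgotten pattern; if the existence check is the intent, a comment such as `# no wildcard: add versions/default itself, only if it exists` would make it clear. The loop body that consumes `file_paths` continues outside the hunk, so whether it expects a directory here cannot be confirmed from this page.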