Reproducible build support docker image (#8039)

when build docker image, we need a base image. now base image is specified by tag. we can use sha256 to specify docker image.
This commit is contained in:
Shilong Liu 2021-07-09 14:30:26 +08:00 committed by GitHub
parent 70c619c9b6
commit 4b3b4c0ce1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 48 additions and 1 deletions

View File

@ -0,0 +1,42 @@
# This script is for reproducible build.
# Reproducible build for docker enabled: Before build docker image, this script will change image:tag to image:sha256 in DOCKERFILE.
# And record image sha256 to a target file.
#!/bin/bash
IMAGENAME=$1
DOCKERFILE=$2
ARCH=$3
DOCKERFILE_TARGE=$4
DISTRO=$5
version_file=files/build/versions/default/versions-docker
new_version_file=target/versions/default/versions-docker
mkdir -p target/versions/default
. src/sonic-build-hooks/buildinfo/config/buildinfo.config
image_tag=`grep "^FROM " $DOCKERFILE | awk '{print$2}'`
image=`echo $image_tag | cut -f1 -d:`
tag=`echo $image_tag | cut -f2 -d:`
# if docker image not in white list, exit
if [[ "$IMAGENAME" != sonic-slave-* ]] && [[ "$IMAGENAME" != docker-base* ]];then
exit 0
fi
if [[ ",$SONIC_VERSION_CONTROL_COMPONENTS," == *,all,* ]] || [[ ",$SONIC_VERSION_CONTROL_COMPONENTS," == *,docker,* ]]; then
if [ -f $version_file ];then
hash_value=`grep "${ARCH}:${image_tag}" $version_file | awk -F== '{print$2}'`
fi
if [ -z $hash_value ];then
hash_value=unknown
fi
oldimage=${image_tag//\//\\/}
newimage="${oldimage}@$hash_value"
sed -i "s/$oldimage/$newimage/" $DOCKERFILE
else
hash_value=`docker pull $image_tag | grep Digest | awk '{print$2}'`
fi
if [[ "$hash_value" != "unknown" ]];then
echo -e "${ARCH}:${image_tag}==$hash_value" >> $new_version_file
fi

View File

@ -22,7 +22,10 @@ if [ -z "$DISTRO" ]; then
[ -z "$DISTRO" ] && DISTRO=jessie [ -z "$DISTRO" ] && DISTRO=jessie
fi fi
DOCKERFILE_PRE_SCRIPT='# Auto-Generated for buildinfo # add script for reproducible build. using sha256 instead of tag for docker base image.
scripts/docker_version_control.sh $@
DOCKERFILE_PRE_SCRIPT='# Auto-Generated for buildinfo
COPY ["buildinfo", "/usr/local/share/buildinfo"] COPY ["buildinfo", "/usr/local/share/buildinfo"]
RUN dpkg -i /usr/local/share/buildinfo/sonic-build-hooks_1.0_all.deb RUN dpkg -i /usr/local/share/buildinfo/sonic-build-hooks_1.0_all.deb
RUN pre_run_buildinfo' RUN pre_run_buildinfo'

View File

@ -374,10 +374,12 @@ class VersionBuild:
def load_from_target(self): def load_from_target(self):
dockers_path = os.path.join(self.target_path, 'versions/dockers') dockers_path = os.path.join(self.target_path, 'versions/dockers')
build_path = os.path.join(self.target_path, 'versions/build') build_path = os.path.join(self.target_path, 'versions/build')
default_path = os.path.join(self.target_path, 'versions/default')
modules = {} modules = {}
self.modules = modules self.modules = modules
file_paths = glob.glob(dockers_path + '/*') file_paths = glob.glob(dockers_path + '/*')
file_paths += glob.glob(build_path + '/build-*') file_paths += glob.glob(build_path + '/build-*')
file_paths += glob.glob(default_path)
file_paths.append(os.path.join(self.target_path, 'versions/host-image')) file_paths.append(os.path.join(self.target_path, 'versions/host-image'))
file_paths.append(os.path.join(self.target_path, 'versions/host-base-image')) file_paths.append(os.path.join(self.target_path, 'versions/host-base-image'))
for file_path in file_paths: for file_path in file_paths: