Drop non-determinism from default templates

Some files are created in non-reproducible way, including including random data explicitly (/etc/machine-id), timestamps (fontconfig cache, ldconfig aux-cache, certs cache), or entries in random order (groups, systemd catalog, package list). Fix this by either making the files reproducible, or removing them. (cherry picked from commit fa2158c7a9)
2018-10-06 18:34:40 +02:00 · 2018-10-06 18:34:40 +02:00 · e2366fd0c0
parent df5f67e690
commit e2366fd0c0
2 changed files with 24 additions and 1 deletions
--- a/share/templates.d/99-generic/runtime-cleanup.tmpl
+++ b/share/templates.d/99-generic/runtime-cleanup.tmpl
@ -362,3 +362,19 @@ removepkg cdparanoia-libs opus libtheora libvisual flac-libs gsm avahi-glib avah

 ## metacity requires libvorbis and libvorbisfile, but enc/dec are no longer needed
 removefrom libvorbis --allbut /usr/${libdir}/libvorbisfile.* /usr/${libdir}/libvorbis.*
+
+## make the image more reproducible
+
+## make machine-id empty but present to avoid systemd populating /etc with
+## preset settings
+remove /etc/machine-id
+append /etc/machine-id ""
+## journalctl message catalog, non-deterministic
+remove /var/lib/systemd/catalog/database
+## non-reproducible caches
+remove /var/cache/ldconfig/aux-cache
+remove /etc/pki/ca-trust/extracted/java/cacerts
+
+## sort groups
+runcmd chroot ${root} /bin/sh -c "LC_ALL=C sort /etc/group > /etc/group- && mv /etc/group- /etc/group"
+runcmd chroot ${root} /bin/sh -c "LC_ALL=C sort /etc/gshadow > /etc/gshadow- && mv /etc/gshadow- /etc/gschadow"
--- a/share/templates.d/99-generic/runtime-postinstall.tmpl
+++ b/share/templates.d/99-generic/runtime-postinstall.tmpl
@ -5,6 +5,8 @@
 <%
 stubs = ("list-harddrives", "raidstart", "raidstop")
 configdir = configdir + "/common"
+import os, time
+SOURCE_DATE_EPOCH = os.environ.get('SOURCE_DATE_EPOCH', str(int(time.time())))
 %>

 ## move_stubs()
@ -120,6 +122,11 @@ append etc/lvm/lvm.conf "global {\n\tuse_lvmetad = 1\n}\n"
 ## rpm initializes nss, which requires /dev/urandom to be present, hence the mknod
 runcmd chroot ${root} /usr/bin/mknod -m 666 /dev/random c 1 8
 runcmd chroot ${root} /usr/bin/mknod -m 666 /dev/urandom c 1 9
-runcmd chroot ${root} /usr/bin/rpm -qa --pipe "tee /root/lorax-packages.log"
+runcmd chroot ${root} /usr/bin/rpm -qa --pipe "sort | tee /root/lorax-packages.log"

 ## TODO: we could run prelink here if we wanted?
+
+## fix fonconfig cache containing timestamps
+runcmd chroot ${root} /usr/bin/find /usr/share/fonts /usr/share/X11/fonts -newermt "@${SOURCE_DATE_EPOCH}" -exec \
+    touch --no-dereference --date="@${SOURCE_DATE_EPOCH}" {} +
+runcmd chroot ${root} /usr/bin/fc-cache -f