From e2366fd0c0acb7c98575b001d056ef252b400966 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Sat, 6 Oct 2018 18:34:40 +0200
Subject: [PATCH] Drop non-determinism from default templates

Some files are created in non-reproducible way, including including random data explicitly (/etc/machine-id), timestamps (fontconfig cache, ldconfig aux-cache, certs cache), or entries in random order (groups, systemd catalog, package list). Fix this by either making the files reproducible, or removing them.

(cherry picked from commit fa2158c7a9d0b3aa519fe85be9dc526c609484f6)
---
 .../templates.d/99-generic/runtime-cleanup.tmpl | 16 ++++++++++++++++
 .../99-generic/runtime-postinstall.tmpl | 9 ++++++++-
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/share/templates.d/99-generic/runtime-cleanup.tmpl b/share/templates.d/99-generic/runtime-cleanup.tmpl
index 78699abf..7ac4255c 100644
--- a/share/templates.d/99-generic/runtime-cleanup.tmpl
+++ b/share/templates.d/99-generic/runtime-cleanup.tmpl
@@ -362,3 +362,19 @@ removepkg cdparanoia-libs opus libtheora libvisual flac-libs gsm avahi-glib avah
 ## metacity requires libvorbis and libvorbisfile, but enc/dec are no longer needed
 removefrom libvorbis --allbut /usr/${libdir}/libvorbisfile.* /usr/${libdir}/libvorbis.*
+
+## make the image more reproducible
+
+## make machine-id empty but present to avoid systemd populating /etc with
+## preset settings
+remove /etc/machine-id
+append /etc/machine-id ""
+## journalctl message catalog, non-deterministic
+remove /var/lib/systemd/catalog/database
+## non-reproducible caches
+remove /var/cache/ldconfig/aux-cache
+remove /etc/pki/ca-trust/extracted/java/cacerts
+
+## sort groups
+runcmd chroot ${root} /bin/sh -c "LC_ALL=C sort /etc/group > /etc/group- && mv /etc/group- /etc/group"
+runcmd chroot ${root} /bin/sh -c "LC_ALL=C sort /etc/gshadow > /etc/gshadow- && mv /etc/gshadow- /etc/gschadow"
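Review bot: The destination in the second sort command is misspelled, `mv /etc/gshadow- /etc/gschadow`, so /etc/gshadow stays unsorted and a sorted copy of the group password hashes is left behind at /etc/gschadow with whatever mode the shell redirection gave it rather than gshadow's restrictive one. Even once the name is fixed, the redirect-then-mv pattern replaces the original file's mode and ownership with those of the temporary file, which matters for gshadow. Sorting in place avoids both problems: `runcmd chroot ${root} /bin/sh -c "LC_ALL=C sort -o /etc/gshadow /etc/gshadow"`, and the same form for /etc/group; GNU sort reads all of its input before opening the output file, so naming the same path for both is safe. The hunk header announces three context lines but only two are visible here, so a blank context line appears to have been lost in the collapsed paste.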
diff --git a/share/templates.d/99-generic/runtime-postinstall.tmpl b/share/templates.d/99-generic/runtime-postinstall.tmpl
index 535e5b18..24cd82e4 100644
--- a/share/templates.d/99-generic/runtime-postinstall.tmpl
+++ b/share/templates.d/99-generic/runtime-postinstall.tmpl
@@ -5,6 +5,8 @@
 <%
 stubs = ("list-harddrives", "raidstart", "raidstop")
 configdir = configdir + "/common"
+import os, time
+SOURCE_DATE_EPOCH = os.environ.get('SOURCE_DATE_EPOCH', str(int(time.time())))
 %>
 ## move_stubs()
@@ -120,6 +122,11 @@ append etc/lvm/lvm.conf "global {\n\tuse_lvmetad = 1\n}\n"
 ## rpm initializes nss, which requires /dev/urandom to be present, hence the mknod
 runcmd chroot ${root} /usr/bin/mknod -m 666 /dev/random c 1 8
 runcmd chroot ${root} /usr/bin/mknod -m 666 /dev/urandom c 1 9
-runcmd chroot ${root} /usr/bin/rpm -qa --pipe "tee /root/lorax-packages.log"
+runcmd chroot ${root} /usr/bin/rpm -qa --pipe "sort | tee /root/lorax-packages.log"
 ## TODO: we could run prelink here if we wanted?
+
+## fix fonconfig cache containing timestamps
+runcmd chroot ${root} /usr/bin/find /usr/share/fonts /usr/share/X11/fonts -newermt "@${SOURCE_DATE_EPOCH}" -exec \
+ touch --no-dereference --date="@${SOURCE_DATE_EPOCH}" {} +
+runcmd chroot ${root} /usr/bin/fc-cache -f
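Review bot: The fallback in `SOURCE_DATE_EPOCH = os.environ.get('SOURCE_DATE_EPOCH', str(int(time.time())))` is the current build time, so with the variable unset the font timestamps set later in this file still vary per build, and when it is set the value reaches `find -newermt` and `touch --date` unvalidated, where a non-numeric value fails with an unhelpful error deep in the template run. Converting through int() keeps the same default and rejects bad input at the point it is read: `SOURCE_DATE_EPOCH = str(int(os.environ.get('SOURCE_DATE_EPOCH', time.time())))`. A comment above it would also make the trade-off explicit, e.g. `## falls back to the build time; set SOURCE_DATE_EPOCH for a reproducible image`. The `<% %>` block this lands in starts inside the hunk but its surrounding template continues outside it.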
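Review bot: The comment `## fix fonconfig cache containing timestamps` misspells fontconfig; `## fix fontconfig cache containing timestamps` is the intended text. The `find /usr/share/fonts /usr/share/X11/fonts ...` line names both directories unconditionally, so if either is absent from the chroot find reports an error and exits non-zero, which presumably aborts the template run; if that is how runcmd treats failures, running one find per directory behind an existence test, or dropping the path that the minimal image does not ship, would keep the step from failing spuriously. The hunk header counts one more old line than is visible here, so a trailing blank context line appears to have been lost in the paste.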