Drop non-determinism from default templates

Some files are created in a non-reproducible way, including
random data explicitly (/etc/machine-id), timestamps (fontconfig cache,
ldconfig aux-cache, certs cache), or entries in random order (groups,
systemd catalog, package list).
Fix this by either making the files reproducible, or removing them.

(cherry picked from commit fa2158c7a9)
Marek Marczykowski-Górecki 2018-10-06 18:34:40 +02:00 committed by Brian C. Lane
parent df5f67e690
commit e2366fd0c0
2 changed files with 24 additions and 1 deletions


@ -362,3 +362,19 @@ removepkg cdparanoia-libs opus libtheora libvisual flac-libs gsm avahi-glib avah
## metacity requires libvorbis and libvorbisfile, but enc/dec are no longer needed ## metacity requires libvorbis and libvorbisfile, but enc/dec are no longer needed
removefrom libvorbis --allbut /usr/${libdir}/libvorbisfile.* /usr/${libdir}/libvorbis.* removefrom libvorbis --allbut /usr/${libdir}/libvorbisfile.* /usr/${libdir}/libvorbis.*
## make the image more reproducible
## make machine-id empty but present to avoid systemd populating /etc with
## preset settings
remove /etc/machine-id
append /etc/machine-id ""
## journalctl message catalog, non-deterministic
remove /var/lib/systemd/catalog/database
## non-reproducible caches
remove /var/cache/ldconfig/aux-cache
remove /etc/pki/ca-trust/extracted/java/cacerts
## sort groups
runcmd chroot ${root} /bin/sh -c "LC_ALL=C sort /etc/group > /etc/group- && mv /etc/group- /etc/group"
runcmd chroot ${root} /bin/sh -c "LC_ALL=C sort /etc/gshadow > /etc/gshadow- && mv /etc/gshadow- /etc/gschadow"
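Review bot: The last line renames the sorted file to `/etc/gschadow` rather than `/etc/gshadow`, so the real gshadow is left unsorted and a stray copy of the group password hashes is shipped under a misspelled name. That copy is created by a shell redirect and therefore gets umask-derived permissions rather than the original file's mode; the same happens to /etc/group, and would happen to /etc/gshadow once the path is corrected, which presumably turns a root-only file into a world-readable one (the original modes are not visible here, so confirm). Letting sort rewrite the file in place avoids both the typo-prone temporary and the mode change: `runcmd chroot ${root} /bin/sh -c "LC_ALL=C sort -o /etc/group /etc/group"` and `runcmd chroot ${root} /bin/sh -c "LC_ALL=C sort -o /etc/gshadow /etc/gshadow"`. This hunk looks like the end of the template, and the rest of the file is outside the view.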


@ -5,6 +5,8 @@
<% <%
stubs = ("list-harddrives", "raidstart", "raidstop") stubs = ("list-harddrives", "raidstart", "raidstop")
configdir = configdir + "/common" configdir = configdir + "/common"
import os, time
SOURCE_DATE_EPOCH = os.environ.get('SOURCE_DATE_EPOCH', str(int(time.time())))
%> %>
## move_stubs() ## move_stubs()
@ -120,6 +122,11 @@ append etc/lvm/lvm.conf "global {\n\tuse_lvmetad = 1\n}\n"
## rpm initializes nss, which requires /dev/urandom to be present, hence the mknod ## rpm initializes nss, which requires /dev/urandom to be present, hence the mknod
runcmd chroot ${root} /usr/bin/mknod -m 666 /dev/random c 1 8 runcmd chroot ${root} /usr/bin/mknod -m 666 /dev/random c 1 8
runcmd chroot ${root} /usr/bin/mknod -m 666 /dev/urandom c 1 9 runcmd chroot ${root} /usr/bin/mknod -m 666 /dev/urandom c 1 9
runcmd chroot ${root} /usr/bin/rpm -qa --pipe "tee /root/lorax-packages.log" runcmd chroot ${root} /usr/bin/rpm -qa --pipe "sort | tee /root/lorax-packages.log"
## TODO: we could run prelink here if we wanted? ## TODO: we could run prelink here if we wanted?
## fix fonconfig cache containing timestamps
runcmd chroot ${root} /usr/bin/find /usr/share/fonts /usr/share/X11/fonts -newermt "@${SOURCE_DATE_EPOCH}" -exec \
touch --no-dereference --date="@${SOURCE_DATE_EPOCH}" {} +
runcmd chroot ${root} /usr/bin/fc-cache -f
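Review bot: `SOURCE_DATE_EPOCH` is read from the environment on line 42 without validation and then interpolated into the `find -newermt "@…"` and `touch --date="@…"` arguments of the second hunk, so a malformed value (a date string, a trailing newline) only fails later inside the chroot with a less obvious error, and the `str(int(time.time()))` fallback silently yields a non-reproducible build instead of saying so. Parsing it where it is defined keeps the failure next to its cause: `SOURCE_DATE_EPOCH = str(int(os.environ.get('SOURCE_DATE_EPOCH', time.time())))`, ideally with a log line when the fallback is taken. Separately, `find` exits non-zero if either `/usr/share/fonts` or `/usr/share/X11/fonts` is absent from the image; whether runcmd treats that as fatal is not visible from this section, so it is worth confirming both directories always exist at this point. The mako header block opened on line 38 and the install steps around the second hunk continue outside the view.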