Has anyone successfully build reproducible Docker ...
# general
f
Has anyone successfully built reproducible Docker images with Pants? 🧵
Some things I've tried:
• In `pants.toml`, set:
```toml
[docker]
use_buildx = true
build_args = ["SOURCE_DATE_EPOCH"]
env_vars = [
    "SOURCE_DATE_EPOCH",
]
```
• Create `.pants.bootstrap` with:
```sh
export SOURCE_DATE_EPOCH=$(git log -1 --format='%at')
```
• Added the following to the `docker_image()` target:
```python
output={
    "type": "docker", # Default output type.
    "rewrite-timestamp": "true"
},
```
• Added the `SOURCE_DATE_EPOCH` to my Dockerfile.
But for some reason, image IDs keep changing even though the layers are exactly the same in all images I make...
I've also run pants with `--docker-build-verbose` and I can see that it sets `SOURCE_DATE_EPOCH` correctly and it rewrites the timestamps as well.
Would it make sense to create an issue for this?
f
Does your build output produce consistent hashes pre-docker?
If so, I would `docker inspect` the image across two runs to see what differs, probably metadata, if layer contents are the same
f
"Does your build output produce consistent hashes pre-docker?" -> I don't know what this means?
I'll double check the created images with `docker inspect`.
c
There also may be some breadcrumbs at https://github.com/pantsbuild/pants/issues/20699
f
Running the same test as https://github.com/pantsbuild/pants/issues/20699, I indeed get identical images... However, running this test with pants (with a `docker_image` target) results in an image with different IDs.
Additionally, doing `docker inspect` on the images generated from https://github.com/pantsbuild/pants/issues/20699 shows that everything matches (except `Metadata.LastTagTime`, but I guess this isn't used in the sha calculation). The images generated with pants only differ in `Id`, `RepoDigests1` & `LastTagTime`, nothing else...
Found all the missing levers 🙂 I can produce reproducible Docker images with pants.
f
Glad you solved it! For reference, by
> "Does your build output produce consistent hashes pre-docker?"
I meant: does the output of what you're building produce consistent output? So for example you may build pex-files; you could compare the output of `sha1sum your-pex-file.pex` across runs of `pants build` of those to make sure the inputs to the dockerfiles are not unstable in themselves.
Timestamps tend to be the reason why things become non-reproducible, because they tend to have to be "wiped out" for that in many cases. Not only for docker, but many other build tools as well.
> but I guess this isn't used in the sha calculation).
No, but something else probably changed to affect the digest of the image.
Feel free to share your findings so that it is shared with others in the same spot 🙂
f
Does it make sense to add my findings to https://github.com/pantsbuild/pants/issues/20699?
f
That seems reasonable to me 🙂
👍 1