# plugins
c
I'm trying to make a plugin that makes a Docker-wrapped Pex deterministic. Pex will happily timestamp all the files inside the `.pex` file from the `SOURCE_DATE_EPOCH` envvar correctly. However, the timestamp of the `.pex` file itself will always update. `COPY`-ing it in a Dockerfile will therefore create a new sha every time, making it uncachable. I need to somehow fix up the timestamp of the `.pex` file post-pex-build and pre-docker-build within the `package` goal. My problem is that I don't even know how I'd approach this problem. Any ideas? (Convincing Pex to timestamp the file correctly would of course also fix the problem.)
g
`output={"type":"docker","rewrite-timestamp":"true"}` in your BUILD file should resolve this if SOURCE_DATE_EPOCH is also set, as far as I know -- but I also see that you've visited that discussion already.
Maybe a small repro and differential to show that it works without involving Pants is useful. (I have no idea how to fix this via a plugin, to be clear.)
c
I don't think this directly helps and I'd love to get past https://github.com/docker/buildx/issues/2733 but we bind mount instead of COPYing in the Pex
c
@gorgeous-winter-99296 Thanks! I'm now trying to get it to work without Pants first. I didn't even think to try... It doesn't btw, not yet at least. The intricacies of `buildx` vs `buildctl` elude me for the moment. The metadata on the image changes to 0 but the files inside don't. Anyway, I'll keep at it and report back.
g
Great! Yeah, those differences are lost on me unfortunately, I abandoned the `docker` ecosystem years ago (just about when docker-swarm became "old"). Though the same issues exist for other tooling... Just easier with pure OCI containers.
c
@gorgeous-winter-99296 Can I ask what you're using to build those pure OCI containers? And how did you convince Pants to use that tool?
g
c
So turns out that it's not a Pants problem indeed, and `SOURCE_DATE_EPOCH` does indeed work correctly. But only when built with `docker buildx build` with any non-integrated builder. It doesn't work with normal `docker build` (which uses integrated buildkit in the current version, even without DOCKER_BUILDKIT=1). Neither does it work with `docker buildx build` with the default builder. Only after doing `docker buildx create --use --driver-opt image=moby/buildkit --name buildkit` and using that builder does it start working properly. Next week I'll see if I can add some illumination in some issues for other people that might run into this, with Pants specifically.
g
Thanks for the follow-up! It sounds like something I've heard before. Not sure if there's anything practical Pants can do to make this work out of the box, but it'd be nice. Workflows that work for some users but not others are frustrating.