[rb-general] Reproducible system images

Maria Marin marivalenm at gmail.com
Sun Jan 5 10:03:33 UTC 2020 

Hi,

On Sun, Dec 15, 2019 at 9:12 AM Lars Wirzenius <liw at liw.fi> wrote:
> A quick experiment with debootstrap, which creates the initial
> directory tree from with my software produces the disk image, isn't
> reproducible. The main difference is the etc/machine-id file is
> generates, which contains randomly generated content. The other
> differences are log files, cache files, and file mtime timestamps. All
> of those would be possible to work on to make them reproducible.

you might want to try out mmdebstrap which produces bit-by-bit
reproducible output by default and does not require superuser
privileges:

SOURCE_DATE_EPOCH=1578217697 mmdebstrap --variant=apt
--mode=fakechroot unstable chroot1.tar
SOURCE_DATE_EPOCH=1578217697 mmdebstrap --variant=apt
--mode=fakechroot unstable chroot2.tar
cmp chroot1.tar chroot2.tar

> vmdb2 could make machine-id be all zeroes, which would mean a new id
> gets generated upon first boot, and written to the file. I'm not
> entirely sure of the security and other implications this has.
>
> What do others on the list think? Is reproducible system images a goal
> worth pursuing?

It seems that it is not yet possible to have reproducible
ext2/ext3/ext4 images. But anyways, here is an example that does what
autopkgtest-build-qemu (which uses vmdb2) is doing without superuser
privileges in case you want to give mmdebstrap a spin:

    $ mmdebstrap --variant=important --include=linux-image-amd64 \
        --customize-hook='chroot "$1" passwd --delete root' \
        --customize-hook='chroot "$1" useradd --home-dir /home/user
--create-home user' \
        --customize-hook='chroot "$1" passwd --delete user' \
        --customize-hook='echo host > "$1/etc/hostname"' \
        --customize-hook='echo "127.0.0.1 localhost host" > "$1/etc/hosts"' \
        --customize-hook=/usr/share/autopkgtest/setup-commands/setup-testbed \
        unstable debian-unstable.tar
    $ cat << END > extlinux.conf
    > default linux
    > timeout 0
    >
    > label linux
    > kernel /vmlinuz
    > append initrd=/initrd.img root=/dev/vda1 rw console=ttyS0
    END
    $ guestfish -N debian-unstable.img=disk:2G -- \
        part-disk /dev/sda mbr : \
        part-set-bootable /dev/sda 1 true : \
        mkfs ext2 /dev/sda1 : mount /dev/sda1 / : \
        tar-in debian-unstable.tar / xattrs:true : \
        extlinux / : \
        copy-in extlinux.conf /
    $ qemu-img convert -O qcow2 debian-unstable.img debian-unstable.qcow2

The debian-unstable.tar from above is reproducible (if you prefix the
mmdebstrap command with a stable SOURCE_DATE_EPOCH value) but the
latter part fails because ext2 is not reproducible. So it seems the
"create a reproducible chroot" part is already done and the missing
part is "turn this into a reproducible system image".

Thanks!

cheers, akira

More information about the rb-general mailing list