Repro build of Docker images is now much easier (BuildKit v0.13 beta1)

Akihiro Suda suda.kyoto at gmail.com
Tue Oct 24 18:09:58 UTC 2023


Hi, let me share the recent update of BuildKit (toolkit for building
Docker images):

BuildKit v0.13 beta1 added support for rewriting the timestamps of
the files inside the image to `SOURCE_DATE_EPOCH`:
https://github.com/moby/buildkit/blob/v0.13.0-beta1/docs/build-repro.md#source_date_epoch
Preliminary support for `SOURCE_DATE_EPOCH` was already added in
BuildKit v0.11, but it was only applied to the metadata of the image.

Usage:
```bash
# Configure buildx to use BuildKit v0.13 beta1
docker buildx create --use --driver-opt image=moby/buildkit:v0.13.0-beta1

# Rewrite the timestamps in the image to the timestamp of the latest git commit
# (the trailing "." is the build context, which buildx requires)
docker buildx build --build-arg SOURCE_DATE_EPOCH="$(git log -1 --pretty=%ct)" \
  --output type=image,name=example.com/image,push=true,rewrite-timestamp=true \
  .
```

This update significantly simplifies reproducing Docker images.
Prior to this, a user had to rewrite the timestamps with:
```dockerfile
RUN find $( ls / | grep -E -v "^(dev|mnt|proc|sys)$" ) -newermt "@${SOURCE_DATE_EPOCH}" -writable -xdev \
  | xargs touch --date="@${SOURCE_DATE_EPOCH}" --no-dereference
```


Further details can be found in a recap of my talk “Reproducible
builds with BuildKit for software supply chain security” at DockerCon
(October 5th, 2023).
https://medium.com/nttlabs/dockercon-2023-reproducible-builds-with-buildkit-for-software-supply-chain-security-0e5aedd1aaa7
In the talk, I also introduced examples of using `snapshot.debian.org`
etc. in Docker images, with caching.

Regards,
Akihiro Suda
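
Added example, not part of the original message and not BuildKit code: a small auditor that lists layer-tar entries whose mtime is later than `SOURCE_DATE_EPOCH` and shows why such entries change the layer digest between builds. The function names, the epoch value and the sample files are constructed for illustration, and `clamp` only models the `find ... -newermt ... | xargs touch` workaround quoted above; on a real image the input would be a layer tar extracted from it.

```python
import hashlib
import io
import tarfile

EPOCH = 1700000000  # constructed SOURCE_DATE_EPOCH value

def make_layer(files):
    """Build an uncompressed layer tar in memory from (name, data, mtime)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, mtime in files:
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def clamp(files, epoch):
    """Model of the find/touch workaround: only newer files are rewritten."""
    return [(n, d, min(m, epoch)) for n, d, m in files]

def newer_than_epoch(layer, epoch):
    """Return (name, mtime) for each entry whose mtime is after epoch."""
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r:*") as tar:
        return [(m.name, int(m.mtime)) for m in tar if m.mtime > epoch]

def digest(layer):
    """Digest in the sha256:<hex> form used for image layers."""
    return "sha256:" + hashlib.sha256(layer).hexdigest()

def sample_build(build_time):
    """Constructed sample: one base-image file, one file written at build time."""
    return [("etc/os-release", b"ID=example\n", EPOCH - 86400),
            ("app/main", b"\x7fELF-sample", build_time)]

if __name__ == "__main__":
    # Two builds of the same content, run at different wall-clock times.
    for label, t in (("build A", EPOCH + 60), ("build B", EPOCH + 3600)):
        raw = make_layer(sample_build(t))
        fixed = make_layer(clamp(sample_build(t), EPOCH))
        print(label, digest(raw)[:19], newer_than_epoch(raw, EPOCH),
              "->", digest(fixed)[:19], newer_than_epoch(fixed, EPOCH))
```
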


More information about the rb-general mailing list