From: roberto.foglietta@linuxteam.org
To: isar-users@googlegroups.com
Cc: roberto.foglietta@gmail.com
Subject: [PATCH v6] suggested changes for reproducibility patchset v6
Date: Sun, 15 Jan 2023 22:53:10 +0100	[thread overview]
Message-ID: <20230115215310.732295-1-roberto.foglietta@linuxteam.org> (raw)

From: "Roberto A. Foglietta" <roberto.foglietta@gmail.com>

suggested changes for reproducibility patchset

WARNING: eval-image-1.0-r0 do_rootfs_finalize: modified timestamp (1673628837) of 3 files for image reproducibly
         List of files modified could be found here: ./build/tmp/deploy/images/debx86/files.modified_timestamps

v.2: rebased on current ilbers:next

v.3: new script added: wic-extract-rootfs-partition.sh [image.wic]

v.4: example for epoch generation from git

v.5: reverted the example and reworked some of the code

v.6: the 1st part of the warning shows up each time the epoch is used
     while the 2nd line appears only when some files have been touched.
     This allows the user to know the current situation about the epoch.

Signed-off-by: Roberto A. Foglietta <roberto.foglietta@gmail.com>
---
 meta-isar/conf/local.conf.sample             |  2 +-
 meta/classes/image-account-extension.bbclass |  6 +--
 meta/classes/image.bbclass                   | 20 ++++----
 meta/classes/initramfs.bbclass               |  4 +-
 wic-extract-rootfs-partition.sh              | 52 ++++++++++++++++++++
 5 files changed, 69 insertions(+), 15 deletions(-)
 create mode 100755 wic-extract-rootfs-partition.sh

diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample
index 6208623e..1d7e178a 100644
--- a/meta-isar/conf/local.conf.sample
+++ b/meta-isar/conf/local.conf.sample
@@ -257,4 +257,4 @@ USER_isar[flags] += "clear-text-password"
 # Non git repository users can use value from 'stat -c%Y ChangeLog'
 # To know more details about this variable and how to set the value refer below
 # https://reproducible-builds.org/docs/source-date-epoch/
-#SOURCE_DATE_EPOCH =
+#SOURCE_DATE_EPOCH = ""
diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass
index bb173b14..1d49054c 100644
--- a/meta/classes/image-account-extension.bbclass
+++ b/meta/classes/image-account-extension.bbclass
@@ -256,11 +256,11 @@ image_postprocess_accounts() {
                 # chpasswd adds a random salt when running against a clear-text password.
                 # For reproducible images, we manually generate the password and use the
                 # SOURCE_DATE_EPOCH to generate the salt in a deterministic way.
-                if [ -z "${SOURCE_DATE_EPOCH}"]; then
+                if [ -z "${SOURCE_DATE_EPOCH}" ]; then
                     chpasswd_args=""
                 else
-                    salt="$(echo "${SOURCE_DATE_EPOCH}" | sha256sum -z | cut -c 1-15)"
-                    password="$(openssl passwd -6 -salt $salt "$password")"
+                    salt="$(echo ${SOURCE_DATE_EPOCH} | sha256sum -z | cut -c 1-15)"
+                    password="$(openssl passwd -6 -salt $salt $password)"
                 fi
             fi
             printf '%s:%s' "$name" "$password" | sudo chroot '${ROOTFSDIR}' \
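Review bot: Dropping the quotes on the new `openssl passwd` line lets the shell word-split and glob-expand the clear-text password, so a password containing whitespace or `*` is hashed wrongly or becomes extra arguments to openssl; keep the quoted form, `password="$(openssl passwd -6 -salt "$salt" "$password")"`. The password is also passed on the command line, where it is visible in the process list while openssl runs; `openssl passwd -6 -salt "$salt" -stdin` fed via `printf '%s\n' "$password"` would avoid that. image_postprocess_accounts starts and ends outside the hunk.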
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 063b9a3b..bf3dfea8 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -310,8 +310,8 @@ python() {
 #       invalidate the SSTATE entries for most packages, even if they don't use the
 #       global SOURCE_DATE_EPOCH variable.
 rootfs_install_pkgs_install_prepend() {
-    if [ ! -z "${SOURCE_DATE_EPOCH}" ]; then
-        export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH}"
+    if [ -n "${SOURCE_DATE_EPOCH}" ]; then
+        export SOURCE_DATE_EPOCH
     fi
 }
 
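Review bot: `export SOURCE_DATE_EPOCH` without an assignment only exports a shell variable of that name, whereas `${SOURCE_DATE_EPOCH}` in the test above it is expanded by BitBake before the shell runs. If the BitBake variable is not itself exported into the task environment (the context comment suggests it is deliberately kept non-global), the shell variable is unset and the epoch never reaches the package install step, silently losing reproducibility. Keeping the assignment, `export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH}"`, preserves the old behaviour; the `[ -n ... ]` change is fine on its own. The same applies to the identical change in `do_generate_initramfs` in meta/classes/initramfs.bbclass.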
@@ -443,13 +443,15 @@ EOSUDO
 
     # Set same time-stamps to the newly generated file/folders in the
     # rootfs image for the purpose of reproducible builds.
-    test ! -z "${SOURCE_DATE_EPOCH}" && \
-        sudo find ${ROOTFSDIR} -newermt \
-            "$(date -d@${SOURCE_DATE_EPOCH} '+%Y-%m-%d %H:%M:%S')" \
-            -printf "%y %p\n" \
-            -exec touch '{}' -h -d@${SOURCE_DATE_EPOCH} ';' > ${DEPLOY_DIR_IMAGE}/files.modified_timestamps && \
-            bbwarn "$(grep ^f ${DEPLOY_DIR_IMAGE}/files.modified_timestamps) \nModified above file timestamps to build image reproducibly"
-
+    if [ -n "${SOURCE_DATE_EPOCH}" ]; then
+        msg=""
+        fn="${DEPLOY_DIR_IMAGE}/files.modified_timestamps"
+        if sudo find ${ROOTFSDIR} -newermt "$(date -d@${SOURCE_DATE_EPOCH} '+%Y-%m-%d %H:%M:%S')" \
+            -printf "%y %p\n" -exec touch '{}' -h -d@${SOURCE_DATE_EPOCH} ';' >"$fn"; then
+            msg="\n        List of files modified could be found here: .${DEPLOY_DIR_IMAGE}/files.modified_timestamps"
+        fi
+        bbwarn "Modified timestamp (${SOURCE_DATE_EPOCH}) of $(egrep ^f '$fn' | wc -l) files for image reproducibly.$msg"
+    fi
 }
 addtask rootfs_finalize before do_rootfs after do_rootfs_postprocess
 
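Review bot: In the `bbwarn` line, `egrep ^f '$fn'` single-quotes the variable, so egrep is asked to read a file literally named `$fn`, fails, and the warning always reports 0 files; it should be `grep -c '^f' "$fn"`. `find` also exits 0 when nothing matched, so the `if` does not implement the changelog's "2nd line only when some files have been touched"; testing the count would. `${ROOTFSDIR}` is still passed to `sudo find` unquoted, and the message prefixes `.` to `${DEPLOY_DIR_IMAGE}`, which looks wrong if that is an absolute path. The enclosing function starts outside the hunk.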
diff --git a/meta/classes/initramfs.bbclass b/meta/classes/initramfs.bbclass
index db283347..1b98bc06 100644
--- a/meta/classes/initramfs.bbclass
+++ b/meta/classes/initramfs.bbclass
@@ -33,8 +33,8 @@ do_generate_initramfs() {
     rootfs_do_qemu
 
     # generate reproducible initrd if requested
-    if [ ! -z "${SOURCE_DATE_EPOCH}" ]; then
-        export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH}"
+    if [ -n "${SOURCE_DATE_EPOCH}" ]; then
+        export SOURCE_DATE_EPOCH
     fi
 
     sudo -E chroot "${INITRAMFS_ROOTFS}" \
diff --git a/wic-extract-rootfs-partition.sh b/wic-extract-rootfs-partition.sh
new file mode 100755
index 00000000..48de0d3a
--- /dev/null
+++ b/wic-extract-rootfs-partition.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+#
+# Copyright (c) Roberto A. Foglietta, 2023
+#
+# Authors:
+#  Roberto A. Foglietta <roberto.foglietta@gmail.com>
+#
+# SPDX-License-Identifier: MIT
+#
+#set -ex
+
+if [ "$(whoami)" != "root" ]; then
+    echo
+    echo "WARNING: this script should run as root, sudo!"
+    sudo -E $0 "$@"
+    exit $?
+fi
+
+if [ -e "$1" ]; then
+    fimg=$(readlink -e $1)
+fi
+
+cd $(dirname $0)
+
+if [ ! -n "$1" -a  ! -e "$fimg" ]; then
+    fimg=$(ls -1 build/tmp/deploy/images/*/*.wic)
+    n=( $fimg )
+    if [ ${#n[@]} -gt 1 ]; then
+        echo
+        echo "WARNING: more than one image found, choose one:"
+        echo
+        echo "$fimg"
+        echo
+        exit 1
+    fi
+fi
+
+if [ ! -e "$fimg" ]; then
+    echo
+    echo "ERROR: no any image or block device ${1:+'$1' }found, abort!"
+    echo
+    exit 1
+fi
+
+wicf=$fimg
+losetup -Pf $wicf
+ldev=$(losetup -j $wicf | cut -d: -f1 | tail -n1)
+echo loopdev:$ldev
+dd if=${ldev}p2 bs=1M of=${wicf/.wic/.rootfs} status=progress
+chown $(id -u).$(id -g) ${wicf/.wic/.rootfs}
+du -ms ${wicf/.wic/.rootfs}
+losetup -d $ldev
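Review bot: The script re-executes itself as root and then uses the caller-supplied path unquoted in `readlink -e $1`, `losetup -Pf $wicf`, `dd ... of=${wicf/.wic/.rootfs}` and `chown`, so a path with spaces or glob characters is split into extra arguments to root-run commands; every expansion should be quoted (`"$1"`, `"$wicf"`, `"${wicf/.wic/.rootfs}"`). The loop device is found with `losetup -j $wicf | tail -n1`, which can pick a different device when the image is already attached, and it is never detached if `dd` fails; `ldev=$(losetup --show -Pf "$wicf") || exit 1` followed by `trap 'losetup -d "$ldev"' EXIT` handles both. `chown $(id -u).$(id -g)` runs after the sudo re-exec and so hands the file to root; presumably `"${SUDO_UID}:${SUDO_GID}"` was intended. `sudo -E $0` also carries the caller's whole environment into the root process, which the script does not appear to need.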
-- 
2.34.1

