feat: use apt --snapshot for reproducibility

cartesi · Sep 27, 2024 · 6cd957b · 6cd957b
1 parent f50f90c
commit 6cd957b
Show file tree

Hide file tree

Showing 7 changed files with 215 additions and 86 deletions.
diff --git a/cpp-low-level/Dockerfile b/cpp-low-level/Dockerfile
@@ -1,21 +1,35 @@
 # syntax=docker.io/docker/dockerfile:1
-FROM --platform=linux/riscv64 ubuntu:24.04 AS base
 
-RUN apt-get update
+# This enforces that the packages downloaded from the repositories are the same
+# for the defined date, no matter when the image is built.
+ARG UBUNTU_TAG=noble-20240827.1
+ARG APT_UPDATE_SNAPSHOT=20240827T030400Z
 
+################################################################################
+# riscv64 base stage
+FROM --platform=linux/riscv64 ubuntu:${UBUNTU_TAG} AS base
+
+ARG APT_UPDATE_SNAPSHOT
+ARG DEBIAN_FRONTEND=noninteractive
+RUN <<EOF
+set -eu
+apt update
+apt install -y --no-install-recommends ca-certificates curl
+apt update --snapshot=${APT_UPDATE_SNAPSHOT}
+EOF
+
+################################################################################
+# riscv64 builder stage
 FROM base AS builder
 
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
 apt-get install -y --no-install-recommends \
-  autoconf=2.71-3 \
-  automake=1:1.16.5-1.3ubuntu1 \
-  build-essential=12.10ubuntu1 \
-  ca-certificates=20240203 \
-  curl=8.5.0-2ubuntu10.3 \
-  libtool=2.4.7-7build1 \
-  wget=1.21.4-1ubuntu4.1
+  autoconf \
+  automake \
+  build-essential \
+  libtool
 rm -rf /var/lib/apt/lists/*
 EOF
 
@@ -24,6 +38,8 @@ WORKDIR /opt/cartesi/dapp
 COPY . .
 RUN make
 
+################################################################################
+# runtime stage: produces final image that will be executed
 FROM base
 
 ARG MACHINE_EMULATOR_TOOLS_VERSION=0.14.1
@@ -38,7 +54,7 @@ ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
 apt-get install -y --no-install-recommends \
-  busybox-static=1:1.36.1-6ubuntu3.1
+  busybox-static
 rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/*
 useradd --create-home --user-group dapp
 EOF

diff --git a/cpp/3rdparty/Makefile b/cpp/3rdparty/Makefile
@@ -3,13 +3,13 @@
 all: cpp-httplib picojson
 
 cpp-httplib:
-	wget https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.10.4.tar.gz && \
+	curl -fsSL -O https://github.com/yhirose/cpp-httplib/archive/refs/tags/v0.10.4.tar.gz && \
   tar xvf v0.10.4.tar.gz && \
   rm v0.10.4.tar.gz && \
   mv cpp-httplib-0.10.4 cpp-httplib
 
 picojson:
-	wget https://github.com/kazuho/picojson/archive/refs/tags/v1.3.0.tar.gz && \
+	curl -fsSL -O https://github.com/kazuho/picojson/archive/refs/tags/v1.3.0.tar.gz && \
   tar xvf v1.3.0.tar.gz && \
   rm v1.3.0.tar.gz && \
   mv picojson-1.3.0 picojson

diff --git a/cpp/Dockerfile b/cpp/Dockerfile
@@ -1,28 +1,44 @@
 # syntax=docker.io/docker/dockerfile:1
-FROM --platform=linux/riscv64 ubuntu:24.04 AS base
 
-RUN apt-get update
+# This enforces that the packages downloaded from the repositories are the same
+# for the defined date, no matter when the image is built.
+ARG UBUNTU_TAG=noble-20240827.1
+ARG APT_UPDATE_SNAPSHOT=20240827T030400Z
 
+################################################################################
+# riscv64 base stage
+FROM --platform=linux/riscv64 ubuntu:${UBUNTU_TAG} AS base
+
+ARG APT_UPDATE_SNAPSHOT
+ARG DEBIAN_FRONTEND=noninteractive
+RUN <<EOF
+set -eu
+apt update
+apt install -y --no-install-recommends ca-certificates curl
+apt update --snapshot=${APT_UPDATE_SNAPSHOT}
+EOF
+
+################################################################################
+# riscv64 builder stage
 FROM base AS builder
 
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
 apt-get install -y --no-install-recommends \
-  autoconf=2.71-3 \
-  automake=1:1.16.5-1.3ubuntu1 \
-  build-essential=12.10ubuntu1 \
-  ca-certificates=20240203 \
-  curl=8.5.0-2ubuntu10.3 \
-  libtool=2.4.7-7build1 \
-  wget=1.21.4-1ubuntu4.1
+  autoconf \
+  automake \
+  build-essential \
+  libtool
 rm -rf /var/lib/apt/lists/*
 EOF
 
 WORKDIR /opt/cartesi/dapp
 COPY . .
 RUN make
 
+################################################################################
+# runtime stage: produces final image that will be executed
 FROM base
 
 ARG MACHINE_EMULATOR_TOOLS_VERSION=0.14.1
@@ -37,7 +53,7 @@ ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
 apt-get install -y --no-install-recommends \
-  busybox-static=1:1.36.1-6ubuntu3.1
+  busybox-static
 rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/*
 useradd --create-home --user-group dapp
 EOF

diff --git a/go/Dockerfile b/go/Dockerfile
@@ -1,23 +1,55 @@
 # syntax=docker.io/docker/dockerfile:1
-FROM ubuntu:24.04 AS build-stage
 
+# This enforces that the packages downloaded from the repositories are the same
+# for the defined date, no matter when the image is built.
+ARG UBUNTU_TAG=noble-20240827.1
+ARG APT_UPDATE_SNAPSHOT=20240827T030400Z
+
+################################################################################
+# riscv64 base stage
+FROM --platform=linux/riscv64 ubuntu:${UBUNTU_TAG} AS base-riscv64
+
+ARG APT_UPDATE_SNAPSHOT
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
-set -e
+set -eu
+apt update
+apt install -y --no-install-recommends ca-certificates curl
+apt update --snapshot=${APT_UPDATE_SNAPSHOT}
+EOF
+
+################################################################################
+# cross base stage
+FROM --platform=$BUILDPLATFORM ubuntu:${UBUNTU_TAG} AS base-cross
+
+ARG APT_UPDATE_SNAPSHOT
+ARG DEBIAN_FRONTEND=noninteractive
+RUN <<EOF
+set -eu
 apt update
+apt install -y --no-install-recommends ca-certificates curl
+apt update --snapshot=${APT_UPDATE_SNAPSHOT}
+EOF
+
+################################################################################
+# cross build stage
+FROM base-cross AS cross-build-stage
+
+ARG DEBIAN_FRONTEND=noninteractive
+RUN <<EOF
+set -e
 apt install -y --no-install-recommends \
-    build-essential=12.10ubuntu1 \
-    ca-certificates=20240203 \
-    g++-riscv64-linux-gnu=4:13.2.0-7ubuntu1 \
-    wget=1.21.4-1ubuntu4.1
+    build-essential \
+    ca-certificates \
+    g++-riscv64-linux-gnu
 EOF
 
 ARG GOVERSION=1.23.1
 
 WORKDIR /opt/build
 
-RUN wget https://go.dev/dl/go${GOVERSION}.linux-$(dpkg --print-architecture).tar.gz && \
-  tar -C /usr/local -xzf go${GOVERSION}.linux-$(dpkg --print-architecture).tar.gz
+RUN curl -fsSL https://go.dev/dl/go${GOVERSION}.linux-$(dpkg --print-architecture).tar.gz | \
+  tar -C /usr/local -xzf -
 
 ENV GOOS=linux
 ENV GOARCH=riscv64
@@ -29,12 +61,9 @@ COPY src .
 
 RUN make
 
+################################################################################
 # runtime stage: produces final image that will be executed
-FROM --platform=linux/riscv64 ubuntu:24.04 AS base
-
-RUN apt-get update
-
-FROM base
+FROM base-riscv64
 
 ARG MACHINE_EMULATOR_TOOLS_VERSION=0.14.1
 ADD https://github.com/cartesi/machine-emulator-tools/releases/download/v${MACHINE_EMULATOR_TOOLS_VERSION}/machine-emulator-tools-v${MACHINE_EMULATOR_TOOLS_VERSION}.deb /
@@ -48,15 +77,15 @@ ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
 apt-get install -y --no-install-recommends \
-  busybox-static=1:1.36.1-6ubuntu3.1
+  busybox-static
 rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/*
 useradd --create-home --user-group dapp
 EOF
 
 ENV PATH="/opt/cartesi/bin:${PATH}"
 
 WORKDIR /opt/cartesi/dapp
-COPY --from=build-stage /opt/build/dapp .
+COPY --from=cross-build-stage /opt/build/dapp .
 
 ENV ROLLUP_HTTP_SERVER_URL="http://127.0.0.1:5004"
 

diff --git a/lua/Dockerfile b/lua/Dockerfile
@@ -1,24 +1,43 @@
 # syntax=docker.io/docker/dockerfile:1
-FROM --platform=linux/riscv64 ubuntu:24.04 AS base
 
-RUN apt-get update
+# This enforces that the packages downloaded from the repositories are the same
+# for the defined date, no matter when the image is built.
+ARG UBUNTU_TAG=noble-20240827.1
+ARG APT_UPDATE_SNAPSHOT=20240827T030400Z
 
+################################################################################
+# riscv64 base stage
+FROM --platform=linux/riscv64 ubuntu:${UBUNTU_TAG} AS base
+
+ARG APT_UPDATE_SNAPSHOT
+ARG DEBIAN_FRONTEND=noninteractive
+RUN <<EOF
+set -eu
+apt update
+apt install -y --no-install-recommends ca-certificates
+apt update --snapshot=${APT_UPDATE_SNAPSHOT}
+EOF
+
+################################################################################
+# riscv64 builder stage
 FROM base AS builder
 
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
 apt-get install -y --no-install-recommends \
-  build-essential=12.10ubuntu1 \
-  liblua5.4-dev=5.4.6-3build2 \
-  lua5.4=5.4.6-3build2 \
-  luarocks=3.8.0+dfsg1-1
+  build-essential \
+  liblua5.4-dev \
+  lua5.4 \
+  luarocks
 rm -rf /var/lib/apt/lists/*
 
 luarocks install --lua-version=5.4 luasocket 3.1.0-1
 luarocks install --lua-version=5.4 dkjson 2.6-1
 EOF
 
+################################################################################
+# riscv64 final stage
 FROM base
 
 ARG MACHINE_EMULATOR_TOOLS_VERSION=0.14.1
@@ -32,11 +51,10 @@ LABEL io.cartesi.rollups.ram_size=128Mi
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
-apt-get update
 apt-get install -y --no-install-recommends \
-  busybox-static=1:1.36.1-6ubuntu3.1 \
-  liblua5.4-dev=5.4.6-3build2 \
-  lua5.4=5.4.6-3build2
+  busybox-static \
+  liblua5.4-dev \
+  lua5.4
 rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/*
 useradd --create-home --user-group dapp
 EOF

diff --git a/ruby/Dockerfile b/ruby/Dockerfile
@@ -1,17 +1,34 @@
 # syntax=docker.io/docker/dockerfile:1
-FROM --platform=linux/riscv64 ubuntu:24.04 AS base
 
-RUN apt-get update
+# This enforces that the packages downloaded from the repositories are the same
+# for the defined date, no matter when the image is built.
+ARG UBUNTU_TAG=noble-20240827.1
+ARG APT_UPDATE_SNAPSHOT=20240827T030400Z
 
+################################################################################
+# riscv64 base stage
+FROM --platform=linux/riscv64 ubuntu:${UBUNTU_TAG} AS base
+
+ARG APT_UPDATE_SNAPSHOT
+ARG DEBIAN_FRONTEND=noninteractive
+RUN <<EOF
+set -eu
+apt update
+apt install -y --no-install-recommends ca-certificates curl
+apt update --snapshot=${APT_UPDATE_SNAPSHOT}
+EOF
+
+################################################################################
+# riscv64 builder stage
 FROM base AS builder
 
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
 apt-get install -y --no-install-recommends \
-  build-essential=12.10ubuntu1 \
-  ruby-dev="1:3.2~ubuntu1" \
-  ruby="1:3.2~ubuntu1"
+  build-essential \
+  ruby-dev \
+  ruby
 rm -rf /var/apt/lists/*
 gem install bundler --no-document
 EOF
@@ -24,6 +41,8 @@ bundle config set --without 'development test'
 bundle install --jobs=3 --retry=3
 EOF
 
+################################################################################
+# runtime stage: produces final image that will be executed
 FROM base
 
 ARG MACHINE_EMULATOR_TOOLS_VERSION=0.14.1
@@ -38,8 +57,8 @@ ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
 set -e
 apt-get install -y --no-install-recommends \
-  busybox-static=1:1.36.1-6ubuntu3.1 \
-  ruby="1:3.2~ubuntu1"
+  busybox-static \
+  ruby
 rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/*
 useradd --create-home --user-group dapp
 EOF