apk's lib/apk/db/scripts.tar is date/time-dependent
The apk command writes into the /lib/apk/db/scripts.tar file. The way tar works is that the resulting .tar archive takes into account not only the contents of the files packed but also their timestamps (and their order).
Why could this be a problem? If you run a build that produces e.g. a Docker image on top of the alpine image where you simply do RUN apk add curl in the source Dockerfile, you get a different resulting image even though the curl apk is the same and the base alpine image (FROM alpine:<tag>) is the same. So, on the very same machine, with the same dependencies, but at a different moment in time, you get a different result.
This effectively means that apk doesn't act in a repeatable way (which may or may not be intended by the creators of apk/alpine), but it is an issue when trying to make your builds reproducible. Please see https://reproducible-builds.org/docs/source-date-epoch/ (SOURCE_DATE_EPOCH) for some attempts at addressing this. See also https://stackoverflow.com/questions/32997526/how-to-create-a-tar-file-that-omits-timestamps-for-its-contents for how to avoid the time-sensitivity in the tar tool.
Possible solutions:
- instruct tar not to take file timestamps into account (i.e. globally)
- add a cmdline argument to apk that will do the trick above (i.e. only when the user needs so)
- perhaps use the epoch env var mentioned above
To reproduce, assume the Dockerfile below:
FROM alpine:<fixed_tag>
RUN apk update && apk add --no-cache curl
and see the resulting images/containers, and the differences:
# build the images
docker build -t tmp_alpine:1 .
docker build -t tmp_alpine:2 .
# create containers but don't run them
docker create --name="tmp_1" tmp_alpine:1
docker create --name="tmp_2" tmp_alpine:2
# export to a tar
docker export tmp_1 -o export_1.tar
docker export tmp_2 -o export_2.tar
# extract
mkdir tmp_1
mkdir tmp_2
tar -xvf export_1.tar -C tmp_1
tar -xvf export_2.tar -C tmp_2
# diff (btw this doesn't work on a Mac cmdline)
diff -r --no-dereference tmp_1 tmp_2
The difference will be in the scripts.tar file - even though the files inside have the same contents, the .tar file itself has a different checksum:
~ tar -tvf tmp_1/layer/lib/apk/db/scripts.tar
-rwxr-xr-x 0 root root 131 Nov 24 19:06 busybox-1.33.1-r6.Q1dgtiXUOjvBmrjmjNI1P/d9kQxBw=.post-install
-rwxr-xr-x 0 root root 1056 Nov 24 19:06 busybox-1.33.1-r6.Q1dgtiXUOjvBmrjmjNI1P/d9kQxBw=.post-upgrade
-rwxr-xr-x 0 root root 546 Nov 24 19:06 busybox-1.33.1-r6.Q1dgtiXUOjvBmrjmjNI1P/d9kQxBw=.trigger
-rwxr-xr-x 0 root root 56 Nov 24 19:06 alpine-baselayout-3.2.0-r16.Q1UJtB9cNV4r+/VbxySkEei++qbho=.pre-install
-rwxr-xr-x 0 root root 983 Nov 24 19:06 alpine-baselayout-3.2.0-r16.Q1UJtB9cNV4r+/VbxySkEei++qbho=.post-install
-rwxr-xr-x 0 root root 706 Nov 24 19:06 alpine-baselayout-3.2.0-r16.Q1UJtB9cNV4r+/VbxySkEei++qbho=.pre-upgrade
-rwxr-xr-x 0 root root 983 Nov 24 19:06 alpine-baselayout-3.2.0-r16.Q1UJtB9cNV4r+/VbxySkEei++qbho=.post-upgrade
-rwxr-xr-x 0 root root 42 Nov 24 19:06 glibc-bin-2.33-r0.Q1nxKJj3cqOPuthsgXHKenUAGLhEM=.trigger
-rwxr-xr-x 0 root root 137 Nov 24 19:06 ca-certificates-20191127-r5.Q1+3SNr5R52GfBxkXj9gkEr6QAWZw=.post-deinstall
-rwxr-xr-x 0 root root 72 Nov 24 19:06 ca-certificates-20191127-r5.Q1+3SNr5R52GfBxkXj9gkEr6QAWZw=.trigger
~ tar -tvf tmp_2/layer/lib/apk/db/scripts.tar
-rwxr-xr-x 0 root root 131 Nov 24 19:10 busybox-1.33.1-r6.Q1dgtiXUOjvBmrjmjNI1P/d9kQxBw=.post-install
-rwxr-xr-x 0 root root 1056 Nov 24 19:10 busybox-1.33.1-r6.Q1dgtiXUOjvBmrjmjNI1P/d9kQxBw=.post-upgrade
-rwxr-xr-x 0 root root 546 Nov 24 19:10 busybox-1.33.1-r6.Q1dgtiXUOjvBmrjmjNI1P/d9kQxBw=.trigger
-rwxr-xr-x 0 root root 56 Nov 24 19:10 alpine-baselayout-3.2.0-r16.Q1UJtB9cNV4r+/VbxySkEei++qbho=.pre-install
-rwxr-xr-x 0 root root 983 Nov 24 19:10 alpine-baselayout-3.2.0-r16.Q1UJtB9cNV4r+/VbxySkEei++qbho=.post-install
-rwxr-xr-x 0 root root 706 Nov 24 19:10 alpine-baselayout-3.2.0-r16.Q1UJtB9cNV4r+/VbxySkEei++qbho=.pre-upgrade
-rwxr-xr-x 0 root root 983 Nov 24 19:10 alpine-baselayout-3.2.0-r16.Q1UJtB9cNV4r+/VbxySkEei++qbho=.post-upgrade
-rwxr-xr-x 0 root root 42 Nov 24 19:10 glibc-bin-2.33-r0.Q1nxKJj3cqOPuthsgXHKenUAGLhEM=.trigger
-rwxr-xr-x 0 root root 137 Nov 24 19:10 ca-certificates-20191127-r5.Q1+3SNr5R52GfBxkXj9gkEr6QAWZw=.post-deinstall
-rwxr-xr-x 0 root root 72 Nov 24 19:10 ca-certificates-20191127-r5.Q1+3SNr5R52GfBxkXj9gkEr6QAWZw=.trigger
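The effect shown in the two listings can be reproduced offline. The following is an added example, not apk's code: it uses Python's tarfile module as a stand-in for the archive writer, with member names taken from the listing above and constructed script bodies and mtimes. It shows that the raw archives hash differently, that a manifest which ignores mtime matches, and that clamping every mtime to one epoch (the SOURCE_DATE_EPOCH idea) makes the bytes identical.

```python
import hashlib, io, os, tarfile

# Constructed sample: member names follow the listing above, bodies are made up.
SCRIPTS = [
    ("busybox-1.33.1-r6.Q1dgtiXUOjvBmrjmjNI1P/d9kQxBw=.post-install", b"#!/bin/sh\nexit 0\n"),
    ("ca-certificates-20191127-r5.Q1+3SNr5R52GfBxkXj9gkEr6QAWZw=.trigger", b"#!/bin/sh\ntrue\n"),
]

def build_scripts_tar(scripts, mtime):
    """Stand-in for the archive apk writes: every member stamped with `mtime`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, body in scripts:
            info = tarfile.TarInfo(name)
            info.size, info.mode, info.mtime = len(body), 0o755, mtime
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def manifest(tar_bytes):
    """Ordered (name, mode, size, sha256) per member; mtime is left out."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return [(m.name, m.mode, m.size,
                 hashlib.sha256(tar.extractfile(m).read()).hexdigest())
                for m in tar if m.isfile()]

def normalize(tar_bytes, epoch):
    """Rewrite the archive with every mtime set to `epoch`, keeping member order."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as src, \
         tarfile.open(fileobj=out, mode="w", format=tarfile.USTAR_FORMAT) as dst:
        for m in src:
            m.mtime = epoch
            dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()

def digest(data):
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "0"))
    a = build_scripts_tar(SCRIPTS, 1637780760)  # constructed mtimes,
    b = build_scripts_tar(SCRIPTS, 1637781000)  # four minutes apart
    print("raw digests equal:       ", digest(a) == digest(b))
    print("manifests equal:         ", manifest(a) == manifest(b))
    print("normalized digests equal:", digest(normalize(a, epoch)) == digest(normalize(b, epoch)))
```

The manifest comparison is also useful on its own when auditing two image exports: it confirms that a differing scripts.tar checksum comes from timestamps only and not from changed script contents.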