SlideShare a Scribd company logo

[DockerCon 2023] Reproducible builds with BuildKit for software supply chain security

A
Akihiro Suda

Images maintained by a reputable organization or an individual are often considered to be trustworthy; however, it is hard to deny the possibility that they might have silently injected malicious codes that are not present in the source repo. Also, even if they have no malicious intent, their images can still be compromised on an accidental leakage of registry credentials. The latest release of BuildKit solves this supply chain security concern with reproducible builds. Reproducible builds is a technique to ensure that a bit-for-bit identical image can be reproduced from its source code, by anybody, at any time. When multiple actors can attest to an image's reproducibility, it signifies that the image contains no code of a secret origin. Audiences of this talk will learn how they can and how sometimes they cannot make their images reproducible to improve their trust.

1 of 45
Download to read offline
Reproducible builds with BuildKit for software supply chain security Akihiro Suda Software Engineer | NTT
2 Background • Security assessment has been hard for Docker images, due to lack of verifiability in the software supply chain • Even when the source code (Dockerfile) is public, and the source code appears to be harmless, it is hard to prove that the image is actually buildable from the source code • Reproducible builds help proving it (But whether the source code is harmless is another topic)
3 What are Reproducible Builds? • Same source, same binary • Attestable by anybody • Attestable at anytime Build FROM debian RUN apt-get install -y gcc make ... COPY . . RUN make sha256:6ea7098583cb6c9470570df28c154 cfec58e122188382cd4a7ceab8a9a79cb67 sha256:6ea7098583cb6c9470570df28c154 cfec58e122188382cd4a7ceab8a9a79cb67 sha256:6ea7098583cb6c9470570df28c154 cfec58e122188382cd4a7ceab8a9a79cb67
4 Why do we need reproducible builds? Because non-reproducible builds cannot be proved to be buildable from harmless sources
5 Why do we need reproducible builds? sha256:AAAAA… Upstream build docker pull some-image Pull Because non-reproducible builds cannot be proved to be buildable from harmless sources
6 Because non-reproducible builds cannot be proved to be buildable from harmless sources Why do we need reproducible builds? FROM debian RUN apt-get install -y gcc make ... COPY . . RUN make sha256:AAAAA… Upstream build docker pull some-image Pull Find the source repo
7 Why do we need reproducible builds? Build FROM debian RUN apt-get install -y gcc make ... COPY . . RUN make sha256:AAAAA… sha256:BBBBB… Upstream build docker pull some-image Pull Find the source repo Because non-reproducible builds cannot be proved to be buildable from harmless sources Your own build (Non-reproducible)
8 Why do we need reproducible builds? Build FROM debian RUN apt-get install -y gcc make ... COPY . . RUN make sha256:AAAAA… sha256:BBBBB… Upstream build docker pull some-image Pull Find the source repo Your own build (Non-reproducible) Is this image really buildable from the source repo? Because non-reproducible builds cannot be proved to be buildable from harmless sources
9 Why do we need reproducible builds? Build FROM debian RUN apt-get install -y gcc make ... COPY . . RUN make sha256:AAAAA… sha256:AAAAA… Upstream build docker pull some-image Pull Find the source repo Proved to be buildable from the source Because non-reproducible builds cannot be proved to be buildable from harmless sources Your own build (Reproducible)
10 Why do we need reproducible builds? • Reproducibility per se doesn’t prove any harmlessness • Non-reproducibility doesn’t prove any harmfulness, either
11 Why do we need reproducible builds? • Reproducibility proves that the image is actually buildable from its source • The source still has to be reviewed • The source may still be malicious • But at least the image contains no secret code that you can never review
12 Docker Hub images are actually reproducible?
13 Docker Hub images are actually reproducible? • No, mostly
14 Docker Hub images are actually reproducible? $ docker pull golang:1.21.1-alpine@ sha256:96634e55b363cb93d39f78fb18aa64abc7f96d372c176660d7b8b6118939d97b $ DOCKER_BUILDKIT=0 docker build -t my-golang "https://github.com/docker-library/golang.git# 585c8c1e705a7a458455f0629922a4f90628ce08:1.21/alpine3.18” $ go install github.com/reproducible-containers/diffoci/cmd/diffoci@latest $ diffoci diff docker://golang:1.21.1-alpine docker://my-golang
15 Docker Hub images are actually reproducible? $ docker pull golang:1.21.1-alpine@ sha256:96634e55b363cb93d39f78fb18aa64abc7f96d372c176660d7b8b6118939d97b $ DOCKER_BUILDKIT=0 docker build -t my-golang "https://github.com/docker-library/golang.git# 585c8c1e705a7a458455f0629922a4f90628ce08:1.21/alpine3.18” $ go install github.com/reproducible-containers/diffoci/cmd/diffoci@latest $ diffoci diff docker://golang:1.21.1-alpine docker://my-golang DOCKER_BUILDKIT=0 with Docker 20.10.23 corresponds to the current Docker Hub image (Will change in the future)
16 Docker Hub images are actually reproducible? $ docker pull golang:1.21.1-alpine@ sha256:96634e55b363cb93d39f78fb18aa64abc7f96d372c176660d7b8b6118939d97b $ DOCKER_BUILDKIT=0 docker build -t my-golang "https://github.com/docker-library/golang.git# 585c8c1e705a7a458455f0629922a4f90628ce08:1.21/alpine3.18” $ go install github.com/reproducible-containers/diffoci/cmd/diffoci@latest $ diffoci diff docker://golang:1.21.1-alpine docker://my-golang DiffOCI: diff for Open Container Initiative (OCI) images https://github.com/reproducible-containers/diffoci
17 Docker Hub images are actually reproducible? $ diffoci diff docker://golang:1.21.1-alpine docker://my-golang TYPE NAME INPUT-0 INPUT-1 Desc application/vnd.docker.distribution.manifest.v2+json b25862... 3c4eca0... ... File etc/ssl/certs/3e45d192.0 2023-08-09 03:36:47 +0000 UTC 2023-09-21 08:35:31 +0000 UTC ... (More than 14,000 lines) ... File go/ 2023-09-06 18:31:40 +0000 UTC 2023-09-21 08:35:45 +0000 UTC
18 Docker Hub images are actually reproducible? $ diffoci --semantic diff docker://golang:1.21.1-alpine docker://my-golang TYPE NAME INPUT-0 INPUT-1 Layer ctx:/layers-1/layer length mismatch (457 vs 454) Layer ctx:/layers-1/layer name "usr/local/share/ca-certificates/.wh..wh..opq" only appears in input 0 Layer ctx:/layers-1/layer name "etc/ca-certificates/.wh..wh..opq" only appears in input 0 Layer ctx:/layers-1/layer name "usr/share/ca-certificates/.wh..wh..opq" only appears in input 0 File lib/apk/db/scripts.tar eef110e... e9bfe18... Layer ctx:/layers-2/layer length mismatch (13939 vs 13938) Layer ctx:/layers-2/layer name "usr/local/go/.wh..wh..opq" only appears in input 0 File lib/apk/db/scripts.tar 60e22bb... 67f2648... Layer ctx:/layers-3/layer length mismatch (4 vs 3) Layer ctx:/layers-3/layer name "go/.wh..wh..opq" only appears in input 0 The “--semantic” flag ignores ”boring” differences (timestamps, file ordering, etc.)
19 Docker Hub images are actually reproducible? $ diffoci --semantic diff docker://golang:1.21.1-alpine docker://my-golang TYPE NAME INPUT-0 INPUT-1 Layer ctx:/layers-1/layer length mismatch (457 vs 454) Layer ctx:/layers-1/layer name "usr/local/share/ca-certificates/.wh..wh..opq" only appears in input 0 Layer ctx:/layers-1/layer name "etc/ca-certificates/.wh..wh..opq" only appears in input 0 Layer ctx:/layers-1/layer name "usr/share/ca-certificates/.wh..wh..opq" only appears in input 0 File lib/apk/db/scripts.tar eef110e... e9bfe18... Layer ctx:/layers-2/layer length mismatch (13939 vs 13938) Layer ctx:/layers-2/layer name "usr/local/go/.wh..wh..opq" only appears in input 0 File lib/apk/db/scripts.tar 60e22bb... 67f2648... Layer ctx:/layers-3/layer length mismatch (4 vs 3) Layer ctx:/layers-3/layer name "go/.wh..wh..opq" only appears in input 0 “.wh..wh..opq” (AUFS whiteouts) are missing due to the filesystem difference The “--semantic” flag ignores ”boring” differences (timestamps, file ordering, etc.)
20 Docker Hub images are actually reproducible? $ diffoci --semantic diff docker://golang:1.21.1-alpine docker://my-golang TYPE NAME INPUT-0 INPUT-1 Layer ctx:/layers-1/layer length mismatch (457 vs 454) Layer ctx:/layers-1/layer name "usr/local/share/ca-certificates/.wh..wh..opq" only appears in input 0 Layer ctx:/layers-1/layer name "etc/ca-certificates/.wh..wh..opq" only appears in input 0 Layer ctx:/layers-1/layer name "usr/share/ca-certificates/.wh..wh..opq" only appears in input 0 File lib/apk/db/scripts.tar eef110e... e9bfe18... Layer ctx:/layers-2/layer length mismatch (13939 vs 13938) Layer ctx:/layers-2/layer name "usr/local/go/.wh..wh..opq" only appears in input 0 File lib/apk/db/scripts.tar 60e22bb... 67f2648... Layer ctx:/layers-3/layer length mismatch (4 vs 3) Layer ctx:/layers-3/layer name "go/.wh..wh..opq" only appears in input 0 “.wh..wh..opq” (AUFS whiteouts) are missing due to the filesystem difference lib/apk/db/scripts.tar differ due to the timestamp information inside scripts.tar (the “--semantic” flag isn’t still clever enough to ignore this “boring” difference”) The “--semantic” flag ignores ”boring” differences (timestamps, file ordering, etc.)
21 Docker Hub images are actually reproducible? $ diffoci --semantic diff docker://golang:1.21.1-alpine docker://my-golang TYPE NAME INPUT-0 INPUT-1 Layer ctx:/layers-1/layer length mismatch (457 vs 454) Layer ctx:/layers-1/layer name "usr/local/share/ca-certificates/.wh..wh..opq" only appears in input 0 Layer ctx:/layers-1/layer name "etc/ca-certificates/.wh..wh..opq" only appears in input 0 Layer ctx:/layers-1/layer name "usr/share/ca-certificates/.wh..wh..opq" only appears in input 0 File lib/apk/db/scripts.tar eef110e... e9bfe18... Layer ctx:/layers-2/layer length mismatch (13939 vs 13938) Layer ctx:/layers-2/layer name "usr/local/go/.wh..wh..opq" only appears in input 0 File lib/apk/db/scripts.tar 60e22bb... 67f2648... Layer ctx:/layers-3/layer length mismatch (4 vs 3) Layer ctx:/layers-3/layer name "go/.wh..wh..opq" only appears in input 0 “.wh..wh..opq” (AUFS whiteouts) are missing due to the filesystem difference lib/apk/db/scripts.tar differ due to the timestamp information inside scripts.tar (the “--semantic” flag isn’t still clever enough to ignore this “boring” difference”) This image is not fully reproducible, but its non-reproducibility is explainable (So, this image appears to be actually buildable from the public Dockerfile) The “--semantic” flag ignores ”boring” differences (timestamps, file ordering, etc.)
22 Why are images not reproducible? • Timestamps • Version of the base image (“FROM” images in Dockerfiles) • Versions of the packages (apt-get, pip, etc.) • Others: - Filesystem characteristics (e.g., OverlayFS) - Ordering of files - Randomized mktemp, etc.
23 Timestamps • The images have timestamps in: - the “created” property in the OCI Image Config - the “history” property in the OCI Image Config - the “org.opencontainers.image.created” annotation in the OCI Index - the timestamps of the files in the image layers OCI = Open Container Initiative
24 Timestamps • The images have timestamps in: - the “created” property in the OCI Image Config - the “history” property in the OCI Image Config - the “org.opencontainers.image.created” annotation in the OCI Index - the timestamps of the files in the image layers OCI = Open Container Initiative
25 Timestamps • BuildKit (since v0.11) supports rewriting the timestamps for OCI Image Config and OCI Index • Support was incomplete in v0.11 and v0.12; using v0.13 [beta] is recommended (see the next couple of slides) OCI = Open Container Initiative buildctl build --opt build-arg:SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) docker buildx build --build-arg SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) Unix epoch (int64, seconds from 1970-01-01 00:00:00 UTC)
26 Timestamps • The images have timestamps in: - the “created” property in the OCI Image Config - the “history” property in the OCI Image Config - the “org.opencontainers.image.created” annotation in the OCI Index - the timestamps of the files in the image layers OCI = Open Container Initiative
27 Timestamps • BuildKit v0.13 [beta] supports rewriting the timestamps in the OCI image layers too • Docs: https://github.com/moby/buildkit/blob/master/docs/build-repro.md OCI = Open Container Initiative buildctl build --opt build-arg:SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) --output type=image,name=example.com/image,push=true,rewrite-timestamp=true docker buildx build --build-arg SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) --output type=image,name=example.com/image,push=true,rewrite-timestamp=true BuildKit v0.13 is still beta and its CLI is still subject to change until its GA
28 Timestamps • The SOURCE_DATE_EPOCH arg is also propagated to ”RUN” containers as an environment variable • The SOURCE_DATE_EPOCH env var is recognized by gcc, clang, cmake, and a bunch of other tools to make application binaries reproducible: https://reproducible-builds.org/docs/source-date-epoch/
29 Pinning the base image FROM debian
30 Pinning the base image FROM debian:bookworm FROM debian
31 Pinning the base image FROM debian:bookworm-20230904 FROM debian:bookworm FROM debian
32 Pinning the base image FROM debian:bookworm-20230904@sha256:b4042f895d5d1f8df415caebe7c416f9dbcf0dc8867abb225955006de50b21f3 FROM debian:bookworm-20230904 FROM debian:bookworm FROM debian
33 Pinning the base image FROM debian:bookworm-20230904@sha256:b4042f895d5d1f8df415caebe7c416f9dbcf0dc8867abb225955006de50b21f3 FROM debian:bookworm-20230904 FROM debian:bookworm FROM debian apt-get on bookworm-20230904 still installs the latest packages, not the past packages (So, not reproducible)
34 Pinning packages: Debian and Ubuntu FROM debian:bookworm-20230904-slim RUN rm -rf /etc/apt/sources.list* && echo 'deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/20230904T000000Z bookworm main' >/etc/apt/sources.list && echo 'deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/20230904T000000Z bookworm-security main' >>/etc/apt/sources.list && echo 'deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/20230904T000000Z bookworm-updates main' >>/etc/apt/sources.list && apt-get update && apt-get install -y gcc snapshot.debian.org and snapshot.ubuntu.com keep old packages
35 Pinning packages: Debian and Ubuntu FROM debian:bookworm-20230904-slim ADD --chmod=0755 https://raw.githubusercontent.com/reproducible-containers/repro-sources-list.sh/v0.1.0/repro-sources-list.sh /usr/local/bin/repro-sources-list.sh RUN --mount=type=cache,target=/var/cache/apt repro-sources-list.sh && apt-get update && apt-get install -y gcc More examples at: https://github.com/reproducible-containers/repro-sources-list.sh repro-sources-list.sh simplifies the Dockerfile, and enables caching dpkg files Caching is practically necessary, as snapshot servers are slow
36 Pinning packages: Debian and Ubuntu • RUN --mount=type=cache,target=/var/cache/apt can be saved on GitHub Actions using: https://github.com/reproducible-containers/buildkit-cache-dance steps: - uses: actions/cache@v3 with: path: var-cache-apt key: var-cache-apt-${{ hashFiles('Dockerfile') }} - uses: reproducible-containers/buildkit-cache-dance@v2.1.2 with: cache-source: var-cache-apt cache-target: /var/cache/apt
37 Pinning packages: Debian and Ubuntu • The (checksums of the) packages on snapshot.debian.org are signed by Debian, just like regular apt-get repositories • The signatures are fetched and verified against the package metadata checksums on running apt-get update (Not on apt-get install) • If /var/lib/apt (metadata) is compromised, apt-get update will fail • If /var/cache/apt (dpkg files) is compromised, apt-get install will fail • The situation is same for snapshot.ubuntu.com (signed by Canonical)
38 Pinning packages: Debian and Ubuntu • If you don’t trust the latest package signatures, you can reproduce the most of the packages by yourself: https://wiki.debian.org/ReproducibleBuilds/Howto
39 https://tests.reproducible-builds.org/debian/bookworm/index_suite_amd64_stats.html (Captured on 2023-09-24) Reproducibility rate: 95.3%
40 Pinning packages: NixOS • Repro build is much easier with NixOS (although NixOS per se is often considered to be hard to learn) • The flake.lock file contains the checksums of the sources • If the binary is present on cache.nixos.org, the cached binary is used; otherwise the package is built from the source, with very good reproducibility (99.77% for nixos.iso_minimal.x86_64-linux installation, according to https://r13y.com/)
41 Pinning packages: Alpine, Rocky, Alma, etc. • These distros do not provide snapshot servers like snapshot.debian.org • You have to preserve /etc/apk/cache , /var/cache/dnf, etc. by yourself • Examples can be found at: https://github.com/reproducible-containers/repro-pkg-cache • In the long term, BuildKit frontends may have features to help pinning packages: https://github.com/moby/buildkit/issues/4259
42 Future work (Help wanted) • Proposal to make well-known images reproducible (at least for Debian-based ones) • ”Single-click” platform for attesting reproducibility and sharing the result
43 Recap • Repro builds prove that an image is actually buildable from its source • Whether the source is harmless or not is another topic • Ideally, every image should be bit-for-bit reproducible • Practically, subtle differences can be allowed, when they are explainable (e.g., timestamps)
44 Recap Tools and examples: https://github.com/reproducible-containers • diffoci: diff for OCI images, to analyze non-reproducible builds • repro-sources-list.sh: reproducibility helper for Debian, Ubuntu, etc. • repro-pkg-cache: reproducibility helper for Alpine, Alma, Rocky, etc. • buildkit-cache-dance: apt-get cache for GitHub Actions BuildKit docs: https://github.com/moby/buildkit/blob/master/docs/build-repro.md OCI = Open Container Initiative
45 Recap • Slides will be uploaded to https://github.com/AkihiroSuda (README → “Presentation slides”)

Recommended

EnrootとPyxisで快適コンテナ生活
EnrootとPyxisで快適コンテナ生活EnrootとPyxisで快適コンテナ生活
EnrootとPyxisで快適コンテナ生活
Kuninobu SaSaki
 
eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動
Kohei Tokunaga
 
containerdの概要と最近の機能
containerdの概要と最近の機能containerdの概要と最近の機能
containerdの概要と最近の機能
Kohei Tokunaga
 
tcpdumpとtcpreplayとtcprewriteと他。
tcpdumpとtcpreplayとtcprewriteと他。tcpdumpとtcpreplayとtcprewriteと他。
tcpdumpとtcpreplayとtcprewriteと他。(^-^) togakushi
 
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling
Faster Container Image Distribution on a Variety of Tools with Lazy PullingFaster Container Image Distribution on a Variety of Tools with Lazy Pulling
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling
Kohei Tokunaga
 
ELFの動的リンク
ELFの動的リンクELFの動的リンク
ELFの動的リンク
7shi
 
今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみた今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみた
Kohei Tokunaga
 
BuildKitによる高速でセキュアなイメージビルド
BuildKitによる高速でセキュアなイメージビルドBuildKitによる高速でセキュアなイメージビルド
BuildKitによる高速でセキュアなイメージビルド
Akihiro Suda
 

Recommended

EnrootとPyxisで快適コンテナ生活
EnrootとPyxisで快適コンテナ生活EnrootとPyxisで快適コンテナ生活
EnrootとPyxisで快適コンテナ生活
Kuninobu SaSaki
 
eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動eStargzイメージとlazy pullingによる高速なコンテナ起動
eStargzイメージとlazy pullingによる高速なコンテナ起動
Kohei Tokunaga
 
containerdの概要と最近の機能
containerdの概要と最近の機能containerdの概要と最近の機能
containerdの概要と最近の機能
Kohei Tokunaga
 
tcpdumpとtcpreplayとtcprewriteと他。
tcpdumpとtcpreplayとtcprewriteと他。tcpdumpとtcpreplayとtcprewriteと他。
tcpdumpとtcpreplayとtcprewriteと他。(^-^) togakushi
 
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling
Faster Container Image Distribution on a Variety of Tools with Lazy PullingFaster Container Image Distribution on a Variety of Tools with Lazy Pulling
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling
Kohei Tokunaga
 
ELFの動的リンク
ELFの動的リンクELFの動的リンク
ELFの動的リンク
7shi
 
今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみた今話題のいろいろなコンテナランタイムを比較してみた
今話題のいろいろなコンテナランタイムを比較してみた
Kohei Tokunaga
 
BuildKitによる高速でセキュアなイメージビルド
BuildKitによる高速でセキュアなイメージビルドBuildKitによる高速でセキュアなイメージビルド
BuildKitによる高速でセキュアなイメージビルド
Akihiro Suda
 
続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2
続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2
続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2
Preferred Networks
 
ContainerとName Space Isolation
ContainerとName Space IsolationContainerとName Space Isolation
ContainerとName Space Isolation
maruyama097
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
Kohei Tokunaga
 
20180729 Preferred Networksの機械学習クラスタを支える技術
20180729 Preferred Networksの機械学習クラスタを支える技術20180729 Preferred Networksの機械学習クラスタを支える技術
20180729 Preferred Networksの機械学習クラスタを支える技術
Preferred Networks
 
Docker道場「Dockerの基本概念」0825インフラ勉強会資料
Docker道場「Dockerの基本概念」0825インフラ勉強会資料Docker道場「Dockerの基本概念」0825インフラ勉強会資料
Docker道場「Dockerの基本概念」0825インフラ勉強会資料
Masahito Zembutsu
 
一人でもはじめるGitでバージョン管理
一人でもはじめるGitでバージョン管理一人でもはじめるGitでバージョン管理
一人でもはじめるGitでバージョン管理
Takafumi Yoshida
 
実践 Git - 低レベルに知る Git
実践 Git - 低レベルに知る Git実践 Git - 低レベルに知る Git
実践 Git - 低レベルに知る Git
Youhei Nitta
 
LinuxのFull ticklessを試してみた
LinuxのFull ticklessを試してみたLinuxのFull ticklessを試してみた
LinuxのFull ticklessを試してみた
Hiraku Toyooka
 
Prometheus入門から運用まで徹底解説
Prometheus入門から運用まで徹底解説Prometheus入門から運用まで徹底解説
Prometheus入門から運用まで徹底解説
貴仁 大和屋
 
Docker Compose入門~今日から始めるComposeの初歩からswarm mode対応まで
Docker Compose入門~今日から始めるComposeの初歩からswarm mode対応までDocker Compose入門~今日から始めるComposeの初歩からswarm mode対応まで
Docker Compose入門~今日から始めるComposeの初歩からswarm mode対応まで
Masahito Zembutsu
 
KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...
KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...
KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...
Preferred Networks
 
How to Schedule Machine Learning Workloads Nicely In Kubernetes #CNDT2020 / C...
How to Schedule Machine Learning Workloads Nicely In Kubernetes #CNDT2020 / C...How to Schedule Machine Learning Workloads Nicely In Kubernetes #CNDT2020 / C...
How to Schedule Machine Learning Workloads Nicely In Kubernetes #CNDT2020 / C...
Preferred Networks
 
DockerとKubernetesをかけめぐる
DockerとKubernetesをかけめぐるDockerとKubernetesをかけめぐる
DockerとKubernetesをかけめぐる
Kohei Tokunaga
 
Yocto bspを作ってみた
Yocto bspを作ってみたYocto bspを作ってみた
Yocto bspを作ってみた
wata2ki
 
10分で分かるLinuxブロックレイヤ
10分で分かるLinuxブロックレイヤ10分で分かるLinuxブロックレイヤ
10分で分かるLinuxブロックレイヤTakashi Hoshino
 
OCIv2?!軽量高速なイケてる次世代イメージ仕様の最新動向を抑えよう!
OCIv2?!軽量高速なイケてる次世代イメージ仕様の最新動向を抑えよう!OCIv2?!軽量高速なイケてる次世代イメージ仕様の最新動向を抑えよう!
OCIv2?!軽量高速なイケてる次世代イメージ仕様の最新動向を抑えよう!
Kohei Tokunaga
 
Composer bin plugin / ツールの依存管理から解放される
Composer bin plugin / ツールの依存管理から解放されるComposer bin plugin / ツールの依存管理から解放される
Composer bin plugin / ツールの依存管理から解放される
Kentarou Takeda
 
5分で分かるgitのrefspec
5分で分かるgitのrefspec5分で分かるgitのrefspec
5分で分かるgitのrefspec
ikdysfm
 
Logicadの秒間16万リクエストをさばく広告入札システムにおける、gRPCの活用事例
Logicadの秒間16万リクエストをさばく広告入札システムにおける、gRPCの活用事例Logicadの秒間16万リクエストをさばく広告入札システムにおける、gRPCの活用事例
Logicadの秒間16万リクエストをさばく広告入札システムにおける、gRPCの活用事例
Hironobu Isoda
 
GoらしいAPIを求める旅路 (Go Conference 2018 Spring)
GoらしいAPIを求める旅路 (Go Conference 2018 Spring)GoらしいAPIを求める旅路 (Go Conference 2018 Spring)
GoらしいAPIを求める旅路 (Go Conference 2018 Spring)
lestrrat
 
Docker security
Docker securityDocker security
Docker security
Janos Suto
 
Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014
biicode
 

More Related Content

What's hot

続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2
続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2
続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2
Preferred Networks
 
ContainerとName Space Isolation
ContainerとName Space IsolationContainerとName Space Isolation
ContainerとName Space Isolation
maruyama097
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
Kohei Tokunaga
 
20180729 Preferred Networksの機械学習クラスタを支える技術
20180729 Preferred Networksの機械学習クラスタを支える技術20180729 Preferred Networksの機械学習クラスタを支える技術
20180729 Preferred Networksの機械学習クラスタを支える技術
Preferred Networks
 
Docker道場「Dockerの基本概念」0825インフラ勉強会資料
Docker道場「Dockerの基本概念」0825インフラ勉強会資料Docker道場「Dockerの基本概念」0825インフラ勉強会資料
Docker道場「Dockerの基本概念」0825インフラ勉強会資料
Masahito Zembutsu
 
一人でもはじめるGitでバージョン管理
一人でもはじめるGitでバージョン管理一人でもはじめるGitでバージョン管理
一人でもはじめるGitでバージョン管理
Takafumi Yoshida
 
実践 Git - 低レベルに知る Git
実践 Git - 低レベルに知る Git実践 Git - 低レベルに知る Git
実践 Git - 低レベルに知る Git
Youhei Nitta
 
LinuxのFull ticklessを試してみた
LinuxのFull ticklessを試してみたLinuxのFull ticklessを試してみた
LinuxのFull ticklessを試してみた
Hiraku Toyooka
 
Prometheus入門から運用まで徹底解説
Prometheus入門から運用まで徹底解説Prometheus入門から運用まで徹底解説
Prometheus入門から運用まで徹底解説
貴仁 大和屋
 
Docker Compose入門~今日から始めるComposeの初歩からswarm mode対応まで
Docker Compose入門~今日から始めるComposeの初歩からswarm mode対応までDocker Compose入門~今日から始めるComposeの初歩からswarm mode対応まで
Docker Compose入門~今日から始めるComposeの初歩からswarm mode対応まで
Masahito Zembutsu
 
KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...
KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...
KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...
Preferred Networks
 
How to Schedule Machine Learning Workloads Nicely In Kubernetes #CNDT2020 / C...
How to Schedule Machine Learning Workloads Nicely In Kubernetes #CNDT2020 / C...How to Schedule Machine Learning Workloads Nicely In Kubernetes #CNDT2020 / C...
How to Schedule Machine Learning Workloads Nicely In Kubernetes #CNDT2020 / C...
Preferred Networks
 
DockerとKubernetesをかけめぐる
DockerとKubernetesをかけめぐるDockerとKubernetesをかけめぐる
DockerとKubernetesをかけめぐる
Kohei Tokunaga
 
Yocto bspを作ってみた
Yocto bspを作ってみたYocto bspを作ってみた
Yocto bspを作ってみた
wata2ki
 
10分で分かるLinuxブロックレイヤ
10分で分かるLinuxブロックレイヤ10分で分かるLinuxブロックレイヤ
10分で分かるLinuxブロックレイヤTakashi Hoshino
 
OCIv2?!軽量高速なイケてる次世代イメージ仕様の最新動向を抑えよう!
OCIv2?!軽量高速なイケてる次世代イメージ仕様の最新動向を抑えよう!OCIv2?!軽量高速なイケてる次世代イメージ仕様の最新動向を抑えよう!
OCIv2?!軽量高速なイケてる次世代イメージ仕様の最新動向を抑えよう!
Kohei Tokunaga
 
Composer bin plugin / ツールの依存管理から解放される
Composer bin plugin / ツールの依存管理から解放されるComposer bin plugin / ツールの依存管理から解放される
Composer bin plugin / ツールの依存管理から解放される
Kentarou Takeda
 
5分で分かるgitのrefspec
5分で分かるgitのrefspec5分で分かるgitのrefspec
5分で分かるgitのrefspec
ikdysfm
 
Logicadの秒間16万リクエストをさばく広告入札システムにおける、gRPCの活用事例
Logicadの秒間16万リクエストをさばく広告入札システムにおける、gRPCの活用事例Logicadの秒間16万リクエストをさばく広告入札システムにおける、gRPCの活用事例
Logicadの秒間16万リクエストをさばく広告入札システムにおける、gRPCの活用事例
Hironobu Isoda
 
GoらしいAPIを求める旅路 (Go Conference 2018 Spring)
GoらしいAPIを求める旅路 (Go Conference 2018 Spring)GoらしいAPIを求める旅路 (Go Conference 2018 Spring)
GoらしいAPIを求める旅路 (Go Conference 2018 Spring)
lestrrat
 

What's hot (20)

続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2
続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2
続・PFN のオンプレML基盤の取り組み / オンプレML基盤 on Kubernetes 〜PFN、ヤフー〜 #2
 
ContainerとName Space Isolation
ContainerとName Space IsolationContainerとName Space Isolation
ContainerとName Space Isolation
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
 
20180729 Preferred Networksの機械学習クラスタを支える技術
20180729 Preferred Networksの機械学習クラスタを支える技術20180729 Preferred Networksの機械学習クラスタを支える技術
20180729 Preferred Networksの機械学習クラスタを支える技術
 
Docker道場「Dockerの基本概念」0825インフラ勉強会資料
Docker道場「Dockerの基本概念」0825インフラ勉強会資料Docker道場「Dockerの基本概念」0825インフラ勉強会資料
Docker道場「Dockerの基本概念」0825インフラ勉強会資料
 
一人でもはじめるGitでバージョン管理
一人でもはじめるGitでバージョン管理一人でもはじめるGitでバージョン管理
一人でもはじめるGitでバージョン管理
 
実践 Git - 低レベルに知る Git
実践 Git - 低レベルに知る Git実践 Git - 低レベルに知る Git
実践 Git - 低レベルに知る Git
 
LinuxのFull ticklessを試してみた
LinuxのFull ticklessを試してみたLinuxのFull ticklessを試してみた
LinuxのFull ticklessを試してみた
 
Prometheus入門から運用まで徹底解説
Prometheus入門から運用まで徹底解説Prometheus入門から運用まで徹底解説
Prometheus入門から運用まで徹底解説
 
Docker Compose入門~今日から始めるComposeの初歩からswarm mode対応まで
Docker Compose入門~今日から始めるComposeの初歩からswarm mode対応までDocker Compose入門~今日から始めるComposeの初歩からswarm mode対応まで
Docker Compose入門~今日から始めるComposeの初歩からswarm mode対応まで
 
KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...
KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...
KubeCon + CloudNativeCon Europe 2022 Recap - Batch/HPCの潮流とScheduler拡張事例 / Kub...
 
How to Schedule Machine Learning Workloads Nicely In Kubernetes #CNDT2020 / C...
How to Schedule Machine Learning Workloads Nicely In Kubernetes #CNDT2020 / C...How to Schedule Machine Learning Workloads Nicely In Kubernetes #CNDT2020 / C...
How to Schedule Machine Learning Workloads Nicely In Kubernetes #CNDT2020 / C...
 
DockerとKubernetesをかけめぐる
DockerとKubernetesをかけめぐるDockerとKubernetesをかけめぐる
DockerとKubernetesをかけめぐる
 
Yocto bspを作ってみた
Yocto bspを作ってみたYocto bspを作ってみた
Yocto bspを作ってみた
 
10分で分かるLinuxブロックレイヤ
10分で分かるLinuxブロックレイヤ10分で分かるLinuxブロックレイヤ
10分で分かるLinuxブロックレイヤ
 
OCIv2?!軽量高速なイケてる次世代イメージ仕様の最新動向を抑えよう!
OCIv2?!軽量高速なイケてる次世代イメージ仕様の最新動向を抑えよう!OCIv2?!軽量高速なイケてる次世代イメージ仕様の最新動向を抑えよう!
OCIv2?!軽量高速なイケてる次世代イメージ仕様の最新動向を抑えよう!
 
Composer bin plugin / ツールの依存管理から解放される
Composer bin plugin / ツールの依存管理から解放されるComposer bin plugin / ツールの依存管理から解放される
Composer bin plugin / ツールの依存管理から解放される
 
5分で分かるgitのrefspec
5分で分かるgitのrefspec5分で分かるgitのrefspec
5分で分かるgitのrefspec
 
Logicadの秒間16万リクエストをさばく広告入札システムにおける、gRPCの活用事例
Logicadの秒間16万リクエストをさばく広告入札システムにおける、gRPCの活用事例Logicadの秒間16万リクエストをさばく広告入札システムにおける、gRPCの活用事例
Logicadの秒間16万リクエストをさばく広告入札システムにおける、gRPCの活用事例
 
GoらしいAPIを求める旅路 (Go Conference 2018 Spring)
GoらしいAPIを求める旅路 (Go Conference 2018 Spring)GoらしいAPIを求める旅路 (Go Conference 2018 Spring)
GoらしいAPIを求める旅路 (Go Conference 2018 Spring)
 

Similar to [DockerCon 2023] Reproducible builds with BuildKit for software supply chain security

Docker security
Docker securityDocker security
Docker security
Janos Suto
 
Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014
biicode
 
Introduction to Docker - Learning containerization XP conference 2016
Introduction to Docker - Learning containerization XP conference 2016Introduction to Docker - Learning containerization XP conference 2016
Introduction to Docker - Learning containerization XP conference 2016
XP Conference India
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
tomasbart
 
Docker 1.5
Docker 1.5Docker 1.5
Docker 1.5
rajdeep
 
Docker.io
Docker.ioDocker.io
Docker.io
Ladislav Prskavec
 
Very Early Review - Rocket(CoreOS)
Very Early Review - Rocket(CoreOS)Very Early Review - Rocket(CoreOS)
Very Early Review - Rocket(CoreOS)
충섭 김
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
Docker, Inc.
 
Preparation study of_docker - (MOSG)
Preparation study of_docker - (MOSG)Preparation study of_docker - (MOSG)
Preparation study of_docker - (MOSG)
Soshi Nemoto
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'a
corehard_by
 
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
Akihiro Suda
 
Docker 1.11 Presentation
Docker 1.11 PresentationDocker 1.11 Presentation
Docker 1.11 Presentation
Sreenivas Makam
 
Docker Introductory workshop
Docker Introductory workshopDocker Introductory workshop
Docker Introductory workshop
Runcy Oommen
 
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz LachJDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
PROIDEA
 
Docker as an every day work tool
Docker as an every day work toolDocker as an every day work tool
Docker as an every day work tool
Przemyslaw Koltermann
 
Build and Run Containers With Lazy Pulling - Adoption status of containerd St...
Build and Run Containers With Lazy Pulling - Adoption status of containerd St...Build and Run Containers With Lazy Pulling - Adoption status of containerd St...
Build and Run Containers With Lazy Pulling - Adoption status of containerd St...
Kohei Tokunaga
 
DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline
Docker, Inc.
 
Cloud Foundry V2 | Intermediate Deep Dive
Cloud Foundry V2 | Intermediate Deep DiveCloud Foundry V2 | Intermediate Deep Dive
Cloud Foundry V2 | Intermediate Deep DiveKazuto Kusama
 
ABCs of docker
ABCs of dockerABCs of docker
ABCs of docker
Sabyrzhan Tynybayev
 
Introduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateIntroduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release update
Alex Pop
 

Similar to [DockerCon 2023] Reproducible builds with BuildKit for software supply chain security (20)

Docker security
Docker securityDocker security
Docker security
 
Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014
 
Introduction to Docker - Learning containerization XP conference 2016
Introduction to Docker - Learning containerization XP conference 2016Introduction to Docker - Learning containerization XP conference 2016
Introduction to Docker - Learning containerization XP conference 2016
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
 
Docker 1.5
Docker 1.5Docker 1.5
Docker 1.5
 
Docker.io
Docker.ioDocker.io
Docker.io
 
Very Early Review - Rocket(CoreOS)
Very Early Review - Rocket(CoreOS)Very Early Review - Rocket(CoreOS)
Very Early Review - Rocket(CoreOS)
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
Preparation study of_docker - (MOSG)
Preparation study of_docker - (MOSG)Preparation study of_docker - (MOSG)
Preparation study of_docker - (MOSG)
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'a
 
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
[FOSDEM2023] Bit-for-bit reproducible builds with Dockerfile
 
Docker 1.11 Presentation
Docker 1.11 PresentationDocker 1.11 Presentation
Docker 1.11 Presentation
 
Docker Introductory workshop
Docker Introductory workshopDocker Introductory workshop
Docker Introductory workshop
 
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz LachJDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
 
Docker as an every day work tool
Docker as an every day work toolDocker as an every day work tool
Docker as an every day work tool
 
Build and Run Containers With Lazy Pulling - Adoption status of containerd St...
Build and Run Containers With Lazy Pulling - Adoption status of containerd St...Build and Run Containers With Lazy Pulling - Adoption status of containerd St...
Build and Run Containers With Lazy Pulling - Adoption status of containerd St...
 
DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline DCSF 19 Building Your Development Pipeline
DCSF 19 Building Your Development Pipeline
 
Cloud Foundry V2 | Intermediate Deep Dive
Cloud Foundry V2 | Intermediate Deep DiveCloud Foundry V2 | Intermediate Deep Dive
Cloud Foundry V2 | Intermediate Deep Dive
 
ABCs of docker
ABCs of dockerABCs of docker
ABCs of docker
 
Introduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateIntroduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release update
 

More from Akihiro Suda

20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
Akihiro Suda
 
20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_
Akihiro Suda
 
20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf
Akihiro Suda
 
20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf
Akihiro Suda
 
[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman
Akihiro Suda
 
[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion
Akihiro Suda
 
[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion
Akihiro Suda
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
Akihiro Suda
 
[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2
Akihiro Suda
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimes
Akihiro Suda
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion
Akihiro Suda
 
[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion
Akihiro Suda
 
[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?
Akihiro Suda
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima
Akihiro Suda
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS
Akihiro Suda
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
Akihiro Suda
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
Akihiro Suda
 
[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10
Akihiro Suda
 
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
Akihiro Suda
 
DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較
Akihiro Suda
 

More from Akihiro Suda (20)

20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_
 
20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf
 
20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf
 
[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman
 
[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion
 
[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
 
[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimes
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion
 
[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion
 
[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?[Container Plumbing Days 2023] Why was nerdctl made?
[Container Plumbing Days 2023] Why was nerdctl made?
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima
 
[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS[KubeCon EU 2022] Running containerd and k3s on macOS
[KubeCon EU 2022] Running containerd and k3s on macOS
 
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Dockerからcontainerdへの移行
Dockerからcontainerdへの移行
 
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
[Paris Container Day 2021] nerdctl: yet another Docker & Docker Compose imple...
 
[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10[Docker Tokyo #35] Docker 20.10
[Docker Tokyo #35] Docker 20.10
 
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
[KubeCon EU 2021] Introduction and Deep Dive Into Containerd
 
DockerとPodmanの比較
DockerとPodmanの比較DockerとPodmanの比較
DockerとPodmanの比較
 

Recently uploaded

Pro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp BookPro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp Book
abdulrafaychaudhry
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Neo4j
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
Aftab Hussain
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
Fermin Galan
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
Ortus Solutions, Corp
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
Boni García
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
lorraineandreiamcidl
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
Aftab Hussain
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
Neo4j
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Łukasz Chruściel
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Mind IT Systems
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
Łukasz Chruściel
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
Nidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, TipsNidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, Tips
vrstrong314
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke
 
Empowering Growth with Best Software Development Company in Noida - Deuglo
Empowering Growth with Best Software Development Company in Noida - DeugloEmpowering Growth with Best Software Development Company in Noida - Deuglo
Empowering Growth with Best Software Development Company in Noida - Deuglo
Deuglo Infosystem Pvt Ltd
 

Recently uploaded (20)

Pro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp BookPro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp Book
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
Nidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, TipsNidhi Software Price. Fact , Costs, Tips
Nidhi Software Price. Fact , Costs, Tips
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
 
Empowering Growth with Best Software Development Company in Noida - Deuglo
Empowering Growth with Best Software Development Company in Noida - DeugloEmpowering Growth with Best Software Development Company in Noida - Deuglo
Empowering Growth with Best Software Development Company in Noida - Deuglo
 

[DockerCon 2023] Reproducible builds with BuildKit for software supply chain security

  • 1. Reproducible builds with BuildKit for software supply chain security Akihiro Suda Software Engineer | NTT
  • 2. 2 Background • Security assessment has been hard for Docker images, due to lack of verifiability in the software supply chain • Even when the source code (Dockerfile) is public, and the source code appears to be harmless, it is hard to prove that the image is actually buildable from the source code • Reproducible builds help proving it (But whether the source code is harmless is another topic)
  • 3. 3 What are Reproducible Builds? • Same source, same binary • Attestable by anybody • Attestable at anytime Build FROM debian RUN apt-get install -y gcc make ... COPY . . RUN make sha256:6ea7098583cb6c9470570df28c154 cfec58e122188382cd4a7ceab8a9a79cb67 sha256:6ea7098583cb6c9470570df28c154 cfec58e122188382cd4a7ceab8a9a79cb67 sha256:6ea7098583cb6c9470570df28c154 cfec58e122188382cd4a7ceab8a9a79cb67
  • 4. 4 Why do we need reproducible builds? Because non-reproducible builds cannot be proved to be buildable from harmless sources
  • 5. 5 Why do we need reproducible builds? sha256:AAAAA… Upstream build docker pull some-image Pull Because non-reproducible builds cannot be proved to be buildable from harmless sources
  • 6. 6 Because non-reproducible builds cannot be proved to be buildable from harmless sources Why do we need reproducible builds? FROM debian RUN apt-get install -y gcc make ... COPY . . RUN make sha256:AAAAA… Upstream build docker pull some-image Pull Find the source repo
  • 7. 7 Why do we need reproducible builds? Build FROM debian RUN apt-get install -y gcc make ... COPY . . RUN make sha256:AAAAA… sha256:BBBBB… Upstream build docker pull some-image Pull Find the source repo Because non-reproducible builds cannot be proved to be buildable from harmless sources Your own build (Non-reproducible)
  • 8. 8 Why do we need reproducible builds? Build FROM debian RUN apt-get install -y gcc make ... COPY . . RUN make sha256:AAAAA… sha256:BBBBB… Upstream build docker pull some-image Pull Find the source repo Your own build (Non-reproducible) Is this image really buildable from the source repo? Because non-reproducible builds cannot be proved to be buildable from harmless sources
  • 9. 9 Why do we need reproducible builds? Build FROM debian RUN apt-get install -y gcc make ... COPY . . RUN make sha256:AAAAA… sha256:AAAAA… Upstream build docker pull some-image Pull Find the source repo Proved to be buildable from the source Because non-reproducible builds cannot be proved to be buildable from harmless sources Your own build (Reproducible)
  • 10. 10 Why do we need reproducible builds? • Reproducibility per se doesn’t prove any harmlessness • Non-reproducibility doesn’t prove any harmfulness, either
  • 11. 11 Why do we need reproducible builds? • Reproducibility proves that the image is actually buildable from its source • The source still has to be reviewed • The source may still be malicious • But at least the image contains no secret code that you can never review
  • 12. 12 Docker Hub images are actually reproducible?
  • 13. 13 Docker Hub images are actually reproducible? • No, mostly
  • 14. 14 Docker Hub images are actually reproducible? $ docker pull golang:1.21.1-alpine@ sha256:96634e55b363cb93d39f78fb18aa64abc7f96d372c176660d7b8b6118939d97b $ DOCKER_BUILDKIT=0 docker build -t my-golang "https://github.com/docker-library/golang.git# 585c8c1e705a7a458455f0629922a4f90628ce08:1.21/alpine3.18” $ go install github.com/reproducible-containers/diffoci/cmd/diffoci@latest $ diffoci diff docker://golang:1.21.1-alpine docker://my-golang
  • 15. 15 Docker Hub images are actually reproducible? $ docker pull golang:1.21.1-alpine@ sha256:96634e55b363cb93d39f78fb18aa64abc7f96d372c176660d7b8b6118939d97b $ DOCKER_BUILDKIT=0 docker build -t my-golang "https://github.com/docker-library/golang.git# 585c8c1e705a7a458455f0629922a4f90628ce08:1.21/alpine3.18” $ go install github.com/reproducible-containers/diffoci/cmd/diffoci@latest $ diffoci diff docker://golang:1.21.1-alpine docker://my-golang DOCKER_BUILDKIT=0 with Docker 20.10.23 corresponds to the current Docker Hub image (Will change in the future)
  • 16. 16 Docker Hub images are actually reproducible? $ docker pull golang:1.21.1-alpine@ sha256:96634e55b363cb93d39f78fb18aa64abc7f96d372c176660d7b8b6118939d97b $ DOCKER_BUILDKIT=0 docker build -t my-golang "https://github.com/docker-library/golang.git# 585c8c1e705a7a458455f0629922a4f90628ce08:1.21/alpine3.18” $ go install github.com/reproducible-containers/diffoci/cmd/diffoci@latest $ diffoci diff docker://golang:1.21.1-alpine docker://my-golang DiffOCI: diff for Open Container Initiative (OCI) images https://github.com/reproducible-containers/diffoci
  • 17. 17 Docker Hub images are actually reproducible? $ diffoci diff docker://golang:1.21.1-alpine docker://my-golang TYPE NAME INPUT-0 INPUT-1 Desc application/vnd.docker.distribution.manifest.v2+json b25862... 3c4eca0... ... File etc/ssl/certs/3e45d192.0 2023-08-09 03:36:47 +0000 UTC 2023-09-21 08:35:31 +0000 UTC ... (More than 14,000 lines) ... File go/ 2023-09-06 18:31:40 +0000 UTC 2023-09-21 08:35:45 +0000 UTC
  • 18. 18 Docker Hub images are actually reproducible? $ diffoci --semantic diff docker://golang:1.21.1-alpine docker://my-golang TYPE NAME INPUT-0 INPUT-1 Layer ctx:/layers-1/layer length mismatch (457 vs 454) Layer ctx:/layers-1/layer name "usr/local/share/ca-certificates/.wh..wh..opq" only appears in input 0 Layer ctx:/layers-1/layer name "etc/ca-certificates/.wh..wh..opq" only appears in input 0 Layer ctx:/layers-1/layer name "usr/share/ca-certificates/.wh..wh..opq" only appears in input 0 File lib/apk/db/scripts.tar eef110e... e9bfe18... Layer ctx:/layers-2/layer length mismatch (13939 vs 13938) Layer ctx:/layers-2/layer name "usr/local/go/.wh..wh..opq" only appears in input 0 File lib/apk/db/scripts.tar 60e22bb... 67f2648... Layer ctx:/layers-3/layer length mismatch (4 vs 3) Layer ctx:/layers-3/layer name "go/.wh..wh..opq" only appears in input 0 The “--semantic” flag ignores ”boring” differences (timestamps, file ordering, etc.)
  • 19. 19 Docker Hub images are actually reproducible? $ diffoci --semantic diff docker://golang:1.21.1-alpine docker://my-golang TYPE NAME INPUT-0 INPUT-1 Layer ctx:/layers-1/layer length mismatch (457 vs 454) Layer ctx:/layers-1/layer name "usr/local/share/ca-certificates/.wh..wh..opq" only appears in input 0 Layer ctx:/layers-1/layer name "etc/ca-certificates/.wh..wh..opq" only appears in input 0 Layer ctx:/layers-1/layer name "usr/share/ca-certificates/.wh..wh..opq" only appears in input 0 File lib/apk/db/scripts.tar eef110e... e9bfe18... Layer ctx:/layers-2/layer length mismatch (13939 vs 13938) Layer ctx:/layers-2/layer name "usr/local/go/.wh..wh..opq" only appears in input 0 File lib/apk/db/scripts.tar 60e22bb... 67f2648... Layer ctx:/layers-3/layer length mismatch (4 vs 3) Layer ctx:/layers-3/layer name "go/.wh..wh..opq" only appears in input 0 “.wh..wh..opq” (AUFS whiteouts) are missing due to the filesystem difference The “--semantic” flag ignores ”boring” differences (timestamps, file ordering, etc.)
  • 20. 20 Docker Hub images are actually reproducible? $ diffoci --semantic diff docker://golang:1.21.1-alpine docker://my-golang TYPE NAME INPUT-0 INPUT-1 Layer ctx:/layers-1/layer length mismatch (457 vs 454) Layer ctx:/layers-1/layer name "usr/local/share/ca-certificates/.wh..wh..opq" only appears in input 0 Layer ctx:/layers-1/layer name "etc/ca-certificates/.wh..wh..opq" only appears in input 0 Layer ctx:/layers-1/layer name "usr/share/ca-certificates/.wh..wh..opq" only appears in input 0 File lib/apk/db/scripts.tar eef110e... e9bfe18... Layer ctx:/layers-2/layer length mismatch (13939 vs 13938) Layer ctx:/layers-2/layer name "usr/local/go/.wh..wh..opq" only appears in input 0 File lib/apk/db/scripts.tar 60e22bb... 67f2648... Layer ctx:/layers-3/layer length mismatch (4 vs 3) Layer ctx:/layers-3/layer name "go/.wh..wh..opq" only appears in input 0 “.wh..wh..opq” (AUFS whiteouts) are missing due to the filesystem difference lib/apk/db/scripts.tar differ due to the timestamp information inside scripts.tar (the “--semantic” flag isn’t still clever enough to ignore this “boring” difference”) The “--semantic” flag ignores ”boring” differences (timestamps, file ordering, etc.)
  • 21. 21 Docker Hub images are actually reproducible? $ diffoci --semantic diff docker://golang:1.21.1-alpine docker://my-golang TYPE NAME INPUT-0 INPUT-1 Layer ctx:/layers-1/layer length mismatch (457 vs 454) Layer ctx:/layers-1/layer name "usr/local/share/ca-certificates/.wh..wh..opq" only appears in input 0 Layer ctx:/layers-1/layer name "etc/ca-certificates/.wh..wh..opq" only appears in input 0 Layer ctx:/layers-1/layer name "usr/share/ca-certificates/.wh..wh..opq" only appears in input 0 File lib/apk/db/scripts.tar eef110e... e9bfe18... Layer ctx:/layers-2/layer length mismatch (13939 vs 13938) Layer ctx:/layers-2/layer name "usr/local/go/.wh..wh..opq" only appears in input 0 File lib/apk/db/scripts.tar 60e22bb... 67f2648... Layer ctx:/layers-3/layer length mismatch (4 vs 3) Layer ctx:/layers-3/layer name "go/.wh..wh..opq" only appears in input 0 “.wh..wh..opq” (AUFS whiteouts) are missing due to the filesystem difference lib/apk/db/scripts.tar differ due to the timestamp information inside scripts.tar (the “--semantic” flag isn’t still clever enough to ignore this “boring” difference”) This image is not fully reproducible, but its non-reproducibility is explainable (So, this image appears to be actually buildable from the public Dockerfile) The “--semantic” flag ignores ”boring” differences (timestamps, file ordering, etc.)
  • 22. 22 Why are images not reproducible? • Timestamps • Version of the base image (“FROM” images in Dockerfiles) • Versions of the packages (apt-get, pip, etc.) • Others: - Filesystem characteristics (e.g., OverlayFS) - Ordering of files - Randomized mktemp, etc.
  • 23. 23 Timestamps • The images have timestamps in: - the “created” property in the OCI Image Config - the “history” property in the OCI Image Config - the “org.opencontainers.image.created” annotation in the OCI Index - the timestamps of the files in the image layers OCI = Open Container Initiative
  • 24. 24 Timestamps • The images have timestamps in: - the “created” property in the OCI Image Config - the “history” property in the OCI Image Config - the “org.opencontainers.image.created” annotation in the OCI Index - the timestamps of the files in the image layers OCI = Open Container Initiative
  • 25. 25 Timestamps • BuildKit (since v0.11) supports rewriting the timestamps for OCI Image Config and OCI Index • Support was incomplete in v0.11 and v0.12; using v0.13 [beta] is recommended (see the next couple of slides) OCI = Open Container Initiative buildctl build --opt build-arg:SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) docker buildx build --build-arg SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) Unix epoch (int64, seconds from 1970-01-01 00:00:00 UTC)
  • 26. 26 Timestamps • The images have timestamps in: - the “created” property in the OCI Image Config - the “history” property in the OCI Image Config - the “org.opencontainers.image.created” annotation in the OCI Index - the timestamps of the files in the image layers OCI = Open Container Initiative
  • 27. 27 Timestamps • BuildKit v0.13 [beta] supports rewriting the timestamps in the OCI image layers too • Docs: https://github.com/moby/buildkit/blob/master/docs/build-repro.md OCI = Open Container Initiative buildctl build --opt build-arg:SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) --output type=image,name=example.com/image,push=true,rewrite-timestamp=true docker buildx build --build-arg SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) --output type=image,name=example.com/image,push=true,rewrite-timestamp=true BuildKit v0.13 is still beta and its CLI is still subject to change until its GA
  • 28. 28 Timestamps • The SOURCE_DATE_EPOCH arg is also propagated to ”RUN” containers as an environment variable • The SOURCE_DATE_EPOCH env var is recognized by gcc, clang, cmake, and a bunch of other tools to make application binaries reproducible: https://reproducible-builds.org/docs/source-date-epoch/
  • 29. 29 Pinning the base image FROM debian
  • 30. 30 Pinning the base image FROM debian:bookworm FROM debian
  • 31. 31 Pinning the base image FROM debian:bookworm-20230904 FROM debian:bookworm FROM debian
  • 32. 32 Pinning the base image FROM debian:bookworm-20230904@sha256:b4042f895d5d1f8df415caebe7c416f9dbcf0dc8867abb225955006de50b21f3 FROM debian:bookworm-20230904 FROM debian:bookworm FROM debian
  • 33. 33 Pinning the base image FROM debian:bookworm-20230904@sha256:b4042f895d5d1f8df415caebe7c416f9dbcf0dc8867abb225955006de50b21f3 FROM debian:bookworm-20230904 FROM debian:bookworm FROM debian apt-get on bookworm-20230904 still installs the latest packages, not the past packages (So, not reproducible)
  • 34. 34 Pinning packages: Debian and Ubuntu FROM debian:bookworm-20230904-slim RUN rm -rf /etc/apt/sources.list* && echo 'deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/20230904T000000Z bookworm main' >/etc/apt/sources.list && echo 'deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/20230904T000000Z bookworm-security main' >>/etc/apt/sources.list && echo 'deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/20230904T000000Z bookworm-updates main' >>/etc/apt/sources.list && apt-get update && apt-get install -y gcc snapshot.debian.org and snapshot.ubuntu.com keep old packages
  • 35. 35 Pinning packages: Debian and Ubuntu FROM debian:bookworm-20230904-slim ADD --chmod=0755 https://raw.githubusercontent.com/reproducible-containers/repro-sources-list.sh/v0.1.0/repro-sources-list.sh /usr/local/bin/repro-sources-list.sh RUN --mount=type=cache,target=/var/cache/apt repro-sources-list.sh && apt-get update && apt-get install -y gcc More examples at: https://github.com/reproducible-containers/repro-sources-list.sh repro-sources-list.sh simplifies the Dockerfile, and enables caching dpkg files Caching is practically necessary, as snapshot servers are slow
  • 36. 36 Pinning packages: Debian and Ubuntu • RUN --mount=type=cache,target=/var/cache/apt can be saved on GitHub Actions using: https://github.com/reproducible-containers/buildkit-cache-dance steps: - uses: actions/cache@v3 with: path: var-cache-apt key: var-cache-apt-${{ hashFiles('Dockerfile') }} - uses: reproducible-containers/buildkit-cache-dance@v2.1.2 with: cache-source: var-cache-apt cache-target: /var/cache/apt
  • 37. 37 Pinning packages: Debian and Ubuntu • The (checksums of the) packages on snapshot.debian.org are signed by Debian, just like regular apt-get repositories • The signatures are fetched and verified against the package metadata checksums on running apt-get update (Not on apt-get install) • If /var/lib/apt (metadata) is compromised, apt-get update will fail • If /var/cache/apt (dpkg files) is compromised, apt-get install will fail • The situation is same for snapshot.ubuntu.com (signed by Canonical)
  • 38. 38 Pinning packages: Debian and Ubuntu • If you don’t trust the latest package signatures, you can reproduce the most of the packages by yourself: https://wiki.debian.org/ReproducibleBuilds/Howto
  • 40. 40 Pinning packages: NixOS • Repro build is much easier with NixOS (although NixOS per se is often considered to be hard to learn) • The flake.lock file contains the checksums of the sources • If the binary is present on cache.nixos.org, the cached binary is used; otherwise the package is built from the source, with very good reproducibility (99.77% for nixos.iso_minimal.x86_64-linux installation, according to https://r13y.com/)
  • 41. 41 Pinning packages: Alpine, Rocky, Alma, etc. • These distros do not provide snapshot servers like snapshot.debian.org • You have to preserve /etc/apk/cache , /var/cache/dnf, etc. by yourself • Examples can be found at: https://github.com/reproducible-containers/repro-pkg-cache • In the long term, BuildKit frontends may have features to help pinning packages: https://github.com/moby/buildkit/issues/4259
  • 42. 42 Future work (Help wanted) • Proposal to make well-known images reproducible (at least for Debian-based ones) • ”Single-click” platform for attesting reproducibility and sharing the result
  • 43. 43 Recap • Repro builds prove that an image is actually buildable from its source • Whether the source is harmless or not is another topic • Ideally, every image should be bit-for-bit reproducible • Practically, subtle differences can be allowed, when they are explainable (e.g., timestamps)
  • 44. 44 Recap Tools and examples: https://github.com/reproducible-containers • diffoci: diff for OCI images, to analyze non-reproducible builds • repro-sources-list.sh: reproducibility helper for Debian, Ubuntu, etc. • repro-pkg-cache: reproducibility helper for Alpine, Alma, Rocky, etc. • buildkit-cache-dance: apt-get cache for GitHub Actions BuildKit docs: https://github.com/moby/buildkit/blob/master/docs/build-repro.md OCI = Open Container Initiative
  • 45. 45 Recap • Slides will be uploaded to https://github.com/AkihiroSuda (README → “Presentation slides”)