From 54352136b837c2e06e221840d7ae65b531ed4896 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Fri, 5 Oct 2018 01:02:49 +0200
Subject: [PATCH] lorax-templates-qubes: strip various non-determinisms from installer image

Remove various caches not really needed. Sort group files and packages list. Strip timestamps from gconf file. Clamp mtime in fontconfig cache to SOURCE_DATE_EPOCH.
---
 lorax-templates-qubes/templates/efi.tmpl | 4 ++++
 .../templates/runtime-cleanup.tmpl | 13 +++++++++++++
 .../templates/runtime-postinstall.tmpl | 18 +++++++++++++++++-
 3 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/lorax-templates-qubes/templates/efi.tmpl b/lorax-templates-qubes/templates/efi.tmpl
index f384e04..4c436c8 100644
--- a/lorax-templates-qubes/templates/efi.tmpl
+++ b/lorax-templates-qubes/templates/efi.tmpl
@@ -4,6 +4,8 @@ EFIARCH_LOWER=efiarch.lower()
 EFIBOOTDIR="EFI/BOOT"
 APPLE_EFI_ICON=inroot+"/usr/share/pixmaps/bootloader/fedora.icns"
 APPLE_EFI_DISKNAME=inroot+"/usr/share/pixmaps/bootloader/fedora-media.vol"
+import os, time
+SOURCE_DATE_EPOCH = os.environ.get('SOURCE_DATE_EPOCH', str(int(time.time())))
 %>
 
 mkdir ${EFIBOOTDIR}
@@ -62,6 +64,8 @@ install boot/efi/EFI/*/fonts/unicode.pf2 ${EFIBOOTDIR}/fonts/
     runcmd mount ${outroot}/${img} ${outroot}/${EFIBOOTDIR} -o loop
     mkdir "${EFIBOOTDIR}/System Volume Information"
     install "${configdir}/System Volume Information/*" "${EFIBOOTDIR}/System Volume Information/"
+    runcmd find ${outroot}/${EFIBOOTDIR} -newermt "@${SOURCE_DATE_EPOCH}" -exec \
+        touch --no-dereference --date="@${SOURCE_DATE_EPOCH}" {} +
     runcmd umount ${outroot}/${img}
     # verify if the image is under 32MB (max size of boot image on iso9660)
     runcmd sh -x -c '[ $(stat -c %s ${outroot}/${img}) -le 33554432 ]'
diff --git a/lorax-templates-qubes/templates/runtime-cleanup.tmpl b/lorax-templates-qubes/templates/runtime-cleanup.tmpl
index 6f89765..cfdb60e 100644
--- a/lorax-templates-qubes/templates/runtime-cleanup.tmpl
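Review bot: In the `<% %>` block of efi.tmpl, `SOURCE_DATE_EPOCH` is taken from the environment as an arbitrary string and interpolated unchecked into the `find -newermt "@${SOURCE_DATE_EPOCH}"` and `touch --date=` arguments of the second hunk, so an empty or malformed value only surfaces as a `find` error deep inside the image build; the same two lines are added to runtime-postinstall.tmpl. Parsing it as an integer where it is defined fails early and keeps both templates identical: `SOURCE_DATE_EPOCH = str(int(os.environ.get('SOURCE_DATE_EPOCH', time.time())))`. The `time.time()` fallback is also silent, so a build run without the variable exported is indistinguishable from a reproducible one; a comment such as `## fallback to build time: the image is only reproducible when SOURCE_DATE_EPOCH is exported` would make that visible to whoever reads the template.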
+++ b/lorax-templates-qubes/templates/runtime-cleanup.tmpl
@@ -357,3 +357,16 @@ removepkg cdparanoia-libs opus libtheora libvisual flac-libs gsm avahi-glib avah
 
 ## metacity requires libvorbis and libvorbisfile, but enc/dec are no longer needed
 removefrom libvorbis --allbut /usr/${libdir}/libvorbisfile.* /usr/${libdir}/libvorbis.*
+
+## make the image more reproducible
+
+## make machine-id empty but present to avoid systemd populating /etc with
+## preset settings
+runcmd truncate -s 0 ${root}/etc/machine-id
+## journalctl message catalog, non-deterministic
+remove /var/lib/systemd/catalog/database
+## non-reproducible ldconfig cache
+remove /var/cache/ldconfig/aux-cache
+remove /etc/pki/ca-trust/extracted/java/cacerts
+remove /etc/group-
+remove /etc/gshadow-
diff --git a/lorax-templates-qubes/templates/runtime-postinstall.tmpl b/lorax-templates-qubes/templates/runtime-postinstall.tmpl
index c2e277f..6dae1cc 100644
--- a/lorax-templates-qubes/templates/runtime-postinstall.tmpl
+++ b/lorax-templates-qubes/templates/runtime-postinstall.tmpl
@@ -6,6 +6,8 @@ PYTHONDIR = sorted(glob("usr/"+libdir+"/python?.?"))[0]
 
 stubs = ("list-harddrives", "raidstart", "raidstop")
 configdir = configdir + "/common"
+import os, time
+SOURCE_DATE_EPOCH = os.environ.get('SOURCE_DATE_EPOCH', str(int(time.time())))
 %>
 
 ## move_stubs()
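Review bot: The last three `remove` lines of the block appended to runtime-cleanup.tmpl (the Java `cacerts` extraction, `/etc/group-`, `/etc/gshadow-`) give no reason, while the catalog and ldconfig lines above them do, and `/etc/gshadow-` is the backup copy of the group password file, so a reader has to guess why these are dropped and why `/etc/passwd-` and `/etc/shadow-` are not. Suggested comments: `## Java keystore copy of the CA trust bundle; presumably non-deterministic (keystore entries carry timestamps) and not needed by the installer` above the cacerts line, and `## backup copies written by the shadow-utils tools at package-install time; not needed in the image` above the two `-` files. If the build also leaves `/etc/passwd-` and `/etc/shadow-` behind, they deserve the same treatment. The `truncate` line needs `${root}` because `runcmd` runs on the build host (the `runcmd chroot ${root}` lines in runtime-postinstall.tmpl show the chroot is explicit), unlike `remove`, which takes image-relative paths; a short comment saying so would save the next reader a check.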
@@ -134,6 +136,20 @@ runcmd mknod ${root}/dev/null c 1 3
 runcmd mknod ${root}/dev/urandom c 1 9
 
 ## Record the package versions used to create the image
-runcmd chroot ${root} /bin/rpm -qa --pipe "tee /root/lorax-packages.log"
+runcmd chroot ${root} /bin/rpm -qa --pipe "sort | tee /root/lorax-packages.log"
+
+## fix fonconfig cache containing timestamps
+runcmd chroot ${root} /usr/bin/find /usr/share/fonts /usr/share/X11/fonts -newermt "@${SOURCE_DATE_EPOCH}" -exec \
+    touch --no-dereference --date="@${SOURCE_DATE_EPOCH}" {} +
+runcmd chroot ${root} /usr/bin/fc-cache -f
+
+## drop timestamp from gconf.xml
+runcmd sed -i -e 's/mtime="[0-9]*" //' ${root}/etc/gconf/gconf.xml.defaults/desktop/gnome/interface/%gconf.xml
+
+## sort groups
+runcmd chroot ${root} /bin/sh -c "LC_ALL=C sort /etc/group > /etc/group.new && mv /etc/group.new /etc/group"
+runcmd chroot ${root} /bin/sh -c "LC_ALL=C sort /etc/gshadow > /etc/gshadow.new && mv /etc/gshadow.new /etc/gschadow"
+chmod /etc/gshadow 0700
+
 
 ## TODO: we could run prelink here if we wanted?
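Review bot: The second line under `## sort groups` moves the sorted copy to `/etc/gschadow` (typo), so `/etc/gshadow` is left unsorted and the group password hashes end up in a stray file whose mode comes from the shell's umask rather than from the original; the following `chmod /etc/gshadow 0700` then only touches the untouched original and adds an execute bit that means nothing for this file (Fedora ships it as 0000). Sorting in place avoids the temporary file, the rename and the mode problem in one go: `runcmd chroot ${root} /bin/sh -c "LC_ALL=C sort -o /etc/group /etc/group"` and `runcmd chroot ${root} /bin/sh -c "LC_ALL=C sort -o /etc/gshadow /etc/gshadow"` (GNU sort copies an input that is also the `-o` target to a temporary file before writing), after which the `chmod` line can go. Two smaller points in the same hunk: the `sed -i` on the gconf path presumably aborts the build on a non-zero exit when gconf is not installed in the image, so it may want an existence check, and the comment should read `## fix fontconfig cache containing timestamps`.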