[DockerCon 2023] Reproducible builds with BuildKit for software supply chain security
Akihiro Suda
Software Engineer | NTT
Background
• Security assessment has been hard for Docker images, due to the lack of verifiability in the software supply chain
• Even when the source code (Dockerfile) is public and appears to be harmless, it is hard to prove that the image is actually buildable from that source code
• Reproducible builds help prove it (whether the source code is harmless is another topic)
What are Reproducible Builds?
• Same source, same binary
• Attestable by anybody
• Attestable at any time
(Diagram) Build from the source:
FROM debian
RUN apt-get install -y gcc make ...
COPY . .
RUN make
Every builder, every time, gets the same image digest:
sha256:6ea7098583cb6c9470570df28c154cfec58e122188382cd4a7ceab8a9a79cb67
Why do we need reproducible builds?
Because non-reproducible builds cannot be proved to be buildable from harmless sources

(Diagram, consolidated from the build-up slides)
Upstream build → sha256:AAAAA… → docker pull some-image (Pull)
Find the source repo:
FROM debian
RUN apt-get install -y gcc make ...
COPY . .
RUN make
Your own build (non-reproducible) → sha256:BBBBB… : Is this image really buildable from the source repo?
Your own build (reproducible) → sha256:AAAAA… : Proved to be buildable from the source
Why do we need reproducible builds?
• Reproducibility per se doesn't prove harmlessness
• Non-reproducibility doesn't prove harmfulness, either
• Reproducibility proves that the image is actually buildable from its source
• The source still has to be reviewed, and it may still be malicious
• But at least the image contains no secret code that you can never review
Are Docker Hub images actually reproducible?
• No, mostly

$ docker pull golang:1.21.1-alpine@sha256:96634e55b363cb93d39f78fb18aa64abc7f96d372c176660d7b8b6118939d97b
$ DOCKER_BUILDKIT=0 \
  docker build -t my-golang \
  "https://github.com/docker-library/golang.git#585c8c1e705a7a458455f0629922a4f90628ce08:1.21/alpine3.18"
$ go install github.com/reproducible-containers/diffoci/cmd/diffoci@latest
$ diffoci diff docker://golang:1.21.1-alpine docker://my-golang

DOCKER_BUILDKIT=0 with Docker 20.10.23 matches how the current Docker Hub image was built (this will change in the future)
diffoci: diff for Open Container Initiative (OCI) images, https://github.com/reproducible-containers/diffoci

$ diffoci diff docker://golang:1.21.1-alpine docker://my-golang
TYPE NAME INPUT-0 INPUT-1
Desc application/vnd.docker.distribution.manifest.v2+json b25862... 3c4eca0...
...
File etc/ssl/certs/3e45d192.0 2023-08-09 03:36:47 +0000 UTC 2023-09-21 08:35:31 +0000 UTC
...
(More than 14,000 lines)
...
File go/ 2023-09-06 18:31:40 +0000 UTC 2023-09-21 08:35:45 +0000 UTC

The "--semantic" flag ignores "boring" differences (timestamps, file ordering, etc.):

$ diffoci --semantic diff docker://golang:1.21.1-alpine docker://my-golang
TYPE NAME INPUT-0 INPUT-1
Layer ctx:/layers-1/layer length mismatch (457 vs 454)
Layer ctx:/layers-1/layer name "usr/local/share/ca-certificates/.wh..wh..opq" only appears in input 0
Layer ctx:/layers-1/layer name "etc/ca-certificates/.wh..wh..opq" only appears in input 0
Layer ctx:/layers-1/layer name "usr/share/ca-certificates/.wh..wh..opq" only appears in input 0
File lib/apk/db/scripts.tar eef110e... e9bfe18...
Layer ctx:/layers-2/layer length mismatch (13939 vs 13938)
Layer ctx:/layers-2/layer name "usr/local/go/.wh..wh..opq" only appears in input 0
File lib/apk/db/scripts.tar 60e22bb... 67f2648...
Layer ctx:/layers-3/layer length mismatch (4 vs 3)
Layer ctx:/layers-3/layer name "go/.wh..wh..opq" only appears in input 0

• The ".wh..wh..opq" entries (AUFS opaque whiteouts) are missing from the local build because of the filesystem (storage driver) difference between the two build hosts
• lib/apk/db/scripts.tar differs because of the timestamp information inside scripts.tar (the "--semantic" flag is not yet clever enough to ignore this "boring" difference)
• This image is not fully reproducible, but its non-reproducibility is explainable, so it appears to be actually buildable from the public Dockerfile
Why are images not reproducible?
• Timestamps
• Version of the base image (“FROM” images in Dockerfiles)
• Versions of the packages (apt-get, pip, etc.)
• Others:
- Filesystem characteristics (e.g., OverlayFS)
- Ordering of files
- Randomized mktemp, etc.
Timestamps
• The images have timestamps in:
- the "created" property in the OCI Image Config
- the "history" property in the OCI Image Config
- the "org.opencontainers.image.created" annotation in the OCI Index
- the timestamps of the files in the image layers
OCI = Open Container Initiative

• BuildKit (since v0.11) supports rewriting the timestamps in the OCI Image Config and the OCI Index when the SOURCE_DATE_EPOCH build arg is set
• Support was incomplete in v0.11 and v0.12; using v0.13 [beta] is recommended (see below)

buildctl build --opt build-arg:SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)
docker buildx build --build-arg SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)
SOURCE_DATE_EPOCH is a Unix epoch (int64, seconds since 1970-01-01 00:00:00 UTC); here it is taken from the committer date of the latest commit, so every builder of the same commit gets the same value

• BuildKit v0.13 [beta] supports rewriting the timestamps of the files in the OCI image layers too
• Docs: https://github.com/moby/buildkit/blob/master/docs/build-repro.md

buildctl build --opt build-arg:SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) \
  --output type=image,name=example.com/image,push=true,rewrite-timestamp=true
docker buildx build --build-arg SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) \
  --output type=image,name=example.com/image,push=true,rewrite-timestamp=true
BuildKit v0.13 is still beta and its CLI is still subject to change until its GA

• The SOURCE_DATE_EPOCH build arg is also propagated to the "RUN" containers as an environment variable
• The SOURCE_DATE_EPOCH env var is recognized by gcc, clang, cmake, and a bunch of other tools to make application binaries reproducible:
https://reproducible-builds.org/docs/source-date-epoch/
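The two mechanisms above (the "--semantic" diff of layers, and rewriting file timestamps to SOURCE_DATE_EPOCH) in miniature, as an added example that is not diffoci's or BuildKit's code. semantic_diff() reports what "diffoci --semantic" reports for a layer (entry names present on one side only, such as a ".wh..wh..opq" whiteout, and content mismatches) while ignoring mtimes and entry order; rewrite_timestamps() models the rewrite-timestamp=true output option by clamping every mtime newer than SOURCE_DATE_EPOCH (the clamp-only rule is my reading of the BuildKit docs, treat it as an assumption). The layer tars, file contents and epoch are constructed, so it runs offline.

```python
"""Semantic layer diff and SOURCE_DATE_EPOCH timestamp rewriting, in miniature.

Added example; not diffoci's or BuildKit's code. Layers are built in memory
from constructed file sets.
"""
from __future__ import annotations

import hashlib
import io
import tarfile

OPAQUE_WHITEOUT = ".wh..wh..opq"   # AUFS-style "this directory is opaque" marker
EPOCH = 1_693_785_600              # constructed SOURCE_DATE_EPOCH: 2023-09-04T00:00:00Z

# Constructed file set standing in for one layer of the golang image.
UPSTREAM_FILES = {"usr/local/go/VERSION": b"go1.21.1\n", "go/.keep": b""}


def make_layer(files: dict[str, bytes], mtime: int) -> bytes:
    """Build an uncompressed layer tar; entries are written in dict order."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.mode = len(data), mtime, 0o644
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def _entries(layer: bytes) -> dict[str, str]:
    """Map entry name -> sha256 of its content (mtime deliberately dropped)."""
    out: dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r:") as tf:
        for m in tf.getmembers():
            data = tf.extractfile(m).read() if m.isfile() else b""
            out[m.name] = sha256(data)
    return out


def semantic_diff(layer0: bytes, layer1: bytes) -> list[str]:
    """Differences NOT explained by timestamps or entry ordering."""
    e0, e1 = _entries(layer0), _entries(layer1)
    findings = []
    for name in sorted(set(e0) | set(e1)):
        if name not in e1:
            findings.append(f'name "{name}" only appears in input 0')
        elif name not in e0:
            findings.append(f'name "{name}" only appears in input 1')
        elif e0[name] != e1[name]:
            findings.append(f"content mismatch: {name}")
    return findings


def rewrite_timestamps(layer: bytes, source_date_epoch: int) -> bytes:
    """Clamp mtimes newer than SOURCE_DATE_EPOCH; keep order and content."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r:") as src, \
         tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as dst:
        for m in src.getmembers():
            m.mtime = min(m.mtime, source_date_epoch)
            dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return buf.getvalue()


def demo() -> dict:
    upstream = make_layer(UPSTREAM_FILES, mtime=EPOCH + 3600)        # built on day 0
    rebuilt = make_layer(UPSTREAM_FILES, mtime=EPOCH + 14 * 86_400)  # same bits, two weeks later
    aufs_build = make_layer({"go/" + OPAQUE_WHITEOUT: b"", **UPSTREAM_FILES}, mtime=EPOCH)
    tampered = make_layer({**UPSTREAM_FILES, "usr/local/go/VERSION": b"go1.21.1-evil\n"}, mtime=EPOCH)
    return {
        # Bit-for-bit the two builds differ, but only in the mtime header fields.
        "raw_equal": sha256(upstream) == sha256(rebuilt),
        "semantic": semantic_diff(upstream, rebuilt),
        # After clamping to SOURCE_DATE_EPOCH the layer digests agree.
        "rewritten_equal": sha256(rewrite_timestamps(upstream, EPOCH))
        == sha256(rewrite_timestamps(rebuilt, EPOCH)),
        # Explainable difference: a whiteout emitted by one storage driver only.
        "whiteout": semantic_diff(aufs_build, rebuilt),
        # Not explainable: file content changed.
        "tampered": semantic_diff(tampered, rebuilt),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Entries older than the epoch (for example files inherited from the base image) keep their mtime, which is why the output of a rewritten build is stable across rebuilds but still tied to the pinned base image.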
Pinning the base image
From least to most specific:
FROM debian
FROM debian:bookworm
FROM debian:bookworm-20230904
FROM debian:bookworm-20230904@sha256:b4042f895d5d1f8df415caebe7c416f9dbcf0dc8867abb225955006de50b21f3
Only the digest form pins the exact image content; a tag (even a dated one) can be re-pointed to a different image at any time.
apt-get on bookworm-20230904 still installs the latest packages, not the packages of that date (so, still not reproducible)
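A check a reviewer can run over a repository's Dockerfiles for the pinning rule above, as an added example (not BuildKit's or the talk's code): it flags every FROM whose reference lacks an @sha256 digest, while accepting FROM scratch and references to earlier build stages, which pull nothing from a registry. The sample Dockerfile is constructed; the debian digest in it is the one from the slide.

```python
"""Lint a Dockerfile for base images that are not pinned by digest.

Added example for the "Pinning the base image" section; not BuildKit's or the
talk's code. The sample Dockerfile is constructed.
"""
from __future__ import annotations

import re

# FROM [--platform=<p>] <ref> [AS <stage>]
_FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_from_lines(dockerfile: str) -> list[tuple[int, str]]:
    """Return (line number, image reference) for each FROM without a digest."""
    stages: set[str] = set()
    findings: list[tuple[int, str]] = []
    for lineno, line in enumerate(dockerfile.splitlines(), start=1):
        m = _FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        # "scratch" and a previously defined stage are not registry pulls.
        local = ref.lower() == "scratch" or ref.lower() in stages
        if not local and not _DIGEST_RE.search(ref):
            findings.append((lineno, ref))
        if m.group("stage"):
            stages.add(m.group("stage").lower())
    return findings


SAMPLE_DOCKERFILE = """\
# constructed sample
FROM --platform=linux/amd64 golang:1.21.1-alpine AS builder
COPY . .
RUN go build -o /app .
FROM debian:bookworm-20230904@sha256:b4042f895d5d1f8df415caebe7c416f9dbcf0dc8867abb225955006de50b21f3
COPY --from=builder /app /app
FROM builder AS test
FROM scratch
"""

if __name__ == "__main__":
    for lineno, ref in unpinned_from_lines(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {ref} is not pinned by digest")
```

A FROM that uses a build argument (FROM ${BASE}) is reported as unpinned, which is the conservative answer: the digest has to be checked wherever the argument is supplied.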
Pinning packages: Debian and Ubuntu
FROM debian:bookworm-20230904-slim
RUN rm -rf /etc/apt/sources.list* && \
  echo 'deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/20230904T000000Z bookworm main' \
    >/etc/apt/sources.list && \
  echo 'deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/20230904T000000Z bookworm-security main' \
    >>/etc/apt/sources.list && \
  echo 'deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/20230904T000000Z bookworm-updates main' \
    >>/etc/apt/sources.list && \
  apt-get update && \
  apt-get install -y gcc
snapshot.debian.org and snapshot.ubuntu.com keep old packages
check-valid-until=no disables apt's check that the Release file has not expired; that is acceptable here only because the snapshot URL already fixes the point in time, and the signature check itself stays on
Pinning packages: Debian and Ubuntu
FROM debian:bookworm-20230904-slim
ADD --chmod=0755 \
  https://raw.githubusercontent.com/reproducible-containers/repro-sources-list.sh/v0.1.0/repro-sources-list.sh \
  /usr/local/bin/repro-sources-list.sh
RUN --mount=type=cache,target=/var/cache/apt \
  repro-sources-list.sh && \
  apt-get update && \
  apt-get install -y gcc
More examples at: https://github.com/reproducible-containers/repro-sources-list.sh
repro-sources-list.sh simplifies the Dockerfile, and enables caching of the downloaded .deb files
Caching is practically necessary, as the snapshot servers are slow
Note that v0.1.0 is a git tag, not a content hash; to pin the script itself, add the file's checksum with ADD --checksum=sha256:... (Dockerfile frontend 1.6 and later) or vendor the script into the repository
Pinning packages: Debian and Ubuntu
• The RUN --mount=type=cache,target=/var/cache/apt cache can be saved on GitHub Actions using:
https://github.com/reproducible-containers/buildkit-cache-dance
steps:
  - uses: actions/cache@v3
    with:
      path: var-cache-apt
      key: var-cache-apt-${{ hashFiles('Dockerfile') }}
  - uses: reproducible-containers/buildkit-cache-dance@v2.1.2
    with:
      cache-source: var-cache-apt
      cache-target: /var/cache/apt
Pinning packages: Debian and Ubuntu
• The (checksums of the) packages on snapshot.debian.org are signed by Debian, just like regular apt-get repositories
• The signatures are fetched and verified against the package metadata checksums on apt-get update (not on apt-get install)
• If /var/lib/apt (metadata) is compromised, apt-get update will fail
• If /var/cache/apt (the cached .deb files) is compromised, apt-get install will fail, because each .deb is checked against the checksum in the verified metadata before it is installed
• The situation is the same for snapshot.ubuntu.com (signed by Canonical)
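The snapshot pinning and the cache check from this section, as an added example. It is not repro-sources-list.sh (which also handles Ubuntu and apt's cache settings): debian_sources_list() derives from SOURCE_DATE_EPOCH the three snapshot.debian.org lines the slide writes by hand, and verify_cached_deb() emulates the check apt performs before installing a .deb from /var/cache/apt, namely that its SHA256 matches the entry in the Packages index that apt-get update already verified. The Packages stanza and the .deb bytes are constructed stand-ins.

```python
"""Pin apt to snapshot.debian.org at SOURCE_DATE_EPOCH and verify cached .debs.

Added example for "Pinning packages: Debian and Ubuntu"; not
repro-sources-list.sh. Index contents and .deb bytes below are constructed.
"""
from __future__ import annotations

import hashlib
from datetime import datetime, timezone

SNAPSHOT = "http://snapshot.debian.org/archive"
# Snapshot Release files are long past their Valid-Until date. Disabling that
# check is acceptable only because the snapshot URL already fixes the point in
# time; signature verification itself stays on.
APT_OPTS = "[check-valid-until=no]"


def snapshot_timestamp(source_date_epoch: int) -> str:
    """Path component used by snapshot.debian.org, e.g. 20230904T000000Z."""
    ts = datetime.fromtimestamp(source_date_epoch, tz=timezone.utc)
    return ts.strftime("%Y%m%dT%H%M%SZ")


def debian_sources_list(source_date_epoch: int, suite: str = "bookworm",
                        components: str = "main") -> str:
    """sources.list pinned to the archive state at SOURCE_DATE_EPOCH."""
    ts = snapshot_timestamp(source_date_epoch)
    lines = [
        f"deb {APT_OPTS} {SNAPSHOT}/debian/{ts} {suite} {components}",
        f"deb {APT_OPTS} {SNAPSHOT}/debian-security/{ts} {suite}-security {components}",
        f"deb {APT_OPTS} {SNAPSHOT}/debian/{ts} {suite}-updates {components}",
    ]
    return "\n".join(lines) + "\n"


def parse_packages_index(text: str) -> dict[str, dict[str, str]]:
    """Filename -> fields, from the blank-line separated stanzas of a Packages index."""
    index: dict[str, dict[str, str]] = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        index[fields["Filename"]] = fields
    return index


def verify_cached_deb(index: dict[str, dict[str, str]], filename: str, data: bytes) -> bool:
    """True only if the cached .deb hashes to the value in the verified index."""
    entry = index.get(filename)
    return entry is not None and hashlib.sha256(data).hexdigest() == entry["SHA256"]


# Constructed stand-ins: a one-package index and the matching ".deb" bytes.
GOOD_DEB = b"!<arch>\nconstructed stand-in for gcc_12.2.0-3_amd64.deb\n"
DEB_PATH = "pool/main/g/gcc-defaults/gcc_12.2.0-3_amd64.deb"
PACKAGES_INDEX = f"""\
Package: gcc
Version: 4:12.2.0-3
Architecture: amd64
Filename: {DEB_PATH}
Size: {len(GOOD_DEB)}
SHA256: {hashlib.sha256(GOOD_DEB).hexdigest()}
"""


def demo() -> dict:
    index = parse_packages_index(PACKAGES_INDEX)
    return {
        "sources_list": debian_sources_list(1_693_785_600),  # 2023-09-04T00:00:00Z
        "good_deb_ok": verify_cached_deb(index, DEB_PATH, GOOD_DEB),
        "tampered_deb_ok": verify_cached_deb(index, DEB_PATH, GOOD_DEB + b"x"),
        "unknown_deb_ok": verify_cached_deb(index, "pool/main/e/evil/evil_1_amd64.deb", GOOD_DEB),
    }


if __name__ == "__main__":
    result = demo()
    print(result["sources_list"])
    print({k: v for k, v in result.items() if k != "sources_list"})
```

The trust anchor is the archive signing key that verified the Packages index, not the snapshot mirror or the transport: a mirror, a CI cache, or an http:// download can only make apt fail, not make it install different bits.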
Pinning packages: Debian and Ubuntu
• If you don't trust the latest package signatures, you can reproduce most of the packages by yourself:
https://wiki.debian.org/ReproducibleBuilds/Howto
https://tests.reproducible-builds.org/debian/bookworm/index_suite_amd64_stats.html (captured on 2023-09-24)
Reproducibility rate of Debian bookworm (amd64) packages: 95.3%
Pinning packages: NixOS
• Reproducible builds are much easier with NixOS (although NixOS per se is often considered hard to learn)
• The flake.lock file contains the checksums of the sources
• If the binary is present on cache.nixos.org, the cached binary is used; otherwise the package is built from the source, with very good reproducibility
(99.77% for the nixos.iso_minimal.x86_64-linux installation, according to https://r13y.com/)
• Using the binary cache means trusting cache.nixos.org; building from the source is what lets you verify it
Pinning packages: Alpine, Rocky, Alma, etc.
• These distros do not provide snapshot servers like snapshot.debian.org
• You have to preserve /etc/apk/cache, /var/cache/dnf, etc. by yourself
• Examples can be found at: https://github.com/reproducible-containers/repro-pkg-cache
• In the long term, BuildKit frontends may have features to help pinning packages: https://github.com/moby/buildkit/issues/4259
Future work (Help wanted)
• Proposal to make well-known images reproducible (at least the Debian-based ones)
• "Single-click" platform for attesting reproducibility and sharing the result
Recap
• Reproducible builds prove that an image is actually buildable from its source
• Whether the source is harmless or not is another topic
• Ideally, every image should be bit-for-bit reproducible
• Practically, subtle differences can be allowed when they are explainable (e.g., timestamps)
Recap
Tools and examples: https://github.com/reproducible-containers
• diffoci: diff for OCI images, to analyze non-reproducible builds
• repro-sources-list.sh: reproducibility helper for Debian, Ubuntu, etc.
• repro-pkg-cache: reproducibility helper for Alpine, Alma, Rocky, etc.
• buildkit-cache-dance: apt-get cache for GitHub Actions
BuildKit docs: https://github.com/moby/buildkit/blob/master/docs/build-repro.md
OCI = Open Container Initiative
Recap
• Slides will be uploaded to https://github.com/AkihiroSuda (README → "Presentation slides")
[CNCF TAG-Runtime] Usernetes Gen2
Akihiro Suda
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimes
Akihiro Suda
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion
Akihiro Suda
 
[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion
Akihiro Suda
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima
Akihiro Suda
 
20250403 [KubeCon EU] containerd - Project Update and Deep Dive.pdf
20250403 [KubeCon EU] containerd - Project Update and Deep Dive.pdf20250403 [KubeCon EU] containerd - Project Update and Deep Dive.pdf
20250403 [KubeCon EU] containerd - Project Update and Deep Dive.pdf
Akihiro Suda
 
20250403 [KubeCon EU Pavilion] containerd.pdf
20250403 [KubeCon EU Pavilion] containerd.pdf20250403 [KubeCon EU Pavilion] containerd.pdf
20250403 [KubeCon EU Pavilion] containerd.pdf
Akihiro Suda
 
20250402 [KubeCon EU Pavilion] Lima.pdf_
20250402 [KubeCon EU Pavilion] Lima.pdf_20250402 [KubeCon EU Pavilion] Lima.pdf_
20250402 [KubeCon EU Pavilion] Lima.pdf_
Akihiro Suda
 
20241115 [KubeCon NA Pavilion] Lima.pdf_
20241115 [KubeCon NA Pavilion] Lima.pdf_20241115 [KubeCon NA Pavilion] Lima.pdf_
20241115 [KubeCon NA Pavilion] Lima.pdf_
Akihiro Suda
 
20241113 [KubeCon NA Pavilion] containerd.pdf
20241113 [KubeCon NA Pavilion] containerd.pdf20241113 [KubeCon NA Pavilion] containerd.pdf
20241113 [KubeCon NA Pavilion] containerd.pdf
Akihiro Suda
 
【情報科学若手の会 (2024/09/14】なぜオープンソースソフトウェアにコントリビュートすべきなのか
【情報科学若手の会 (2024/09/14】なぜオープンソースソフトウェアにコントリビュートすべきなのか【情報科学若手の会 (2024/09/14】なぜオープンソースソフトウェアにコントリビュートすべきなのか
【情報科学若手の会 (2024/09/14】なぜオープンソースソフトウェアにコントリビュートすべきなのか
Akihiro Suda
 
【Vuls祭り#10 (2024/08/20)】 VexLLM: LLMを用いたVEX自動生成ツール
【Vuls祭り#10 (2024/08/20)】 VexLLM: LLMを用いたVEX自動生成ツール【Vuls祭り#10 (2024/08/20)】 VexLLM: LLMを用いたVEX自動生成ツール
【Vuls祭り#10 (2024/08/20)】 VexLLM: LLMを用いたVEX自動生成ツール
Akihiro Suda
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
Akihiro Suda
 
20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_20240321 [KubeCon EU Pavilion] Lima.pdf_
20240321 [KubeCon EU Pavilion] Lima.pdf_
Akihiro Suda
 
20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf20240320 [KubeCon EU Pavilion] containerd.pdf
20240320 [KubeCon EU Pavilion] containerd.pdf
Akihiro Suda
 
20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf20240201 [HPC Containers] Rootless Containers.pdf
20240201 [HPC Containers] Rootless Containers.pdf
Akihiro Suda
 
[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman[Podman Special Event] Kubernetes in Rootless Podman
[Podman Special Event] Kubernetes in Rootless Podman
Akihiro Suda
 
[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion[KubeConNA2023] Lima pavilion
[KubeConNA2023] Lima pavilion
Akihiro Suda
 
[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion[KubeConNA2023] containerd pavilion
[KubeConNA2023] containerd pavilion
Akihiro Suda
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
Akihiro Suda
 
[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2[CNCF TAG-Runtime] Usernetes Gen2
[CNCF TAG-Runtime] Usernetes Gen2
Akihiro Suda
 
The internals and the latest trends of container runtimes
The internals and the latest trends of container runtimesThe internals and the latest trends of container runtimes
The internals and the latest trends of container runtimes
Akihiro Suda
 
[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion[KubeConEU2023] Lima pavilion
[KubeConEU2023] Lima pavilion
Akihiro Suda
 
[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion[KubeConEU2023] containerd pavilion
[KubeConEU2023] containerd pavilion
Akihiro Suda
 
[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima[CNCF TAG-Runtime 2022-10-06] Lima
[CNCF TAG-Runtime 2022-10-06] Lima
Akihiro Suda
 
Ad

Recently uploaded (20)

Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
ssuserb14185
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
Expand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchangeExpand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchange
Fexle Services Pvt. Ltd.
 
Societal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainabilitySocietal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainability
Jordi Cabot
 
How can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptxHow can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptx
laravinson24
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdfMicrosoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
TechSoup
 
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
Andre Hora
 
Adobe Illustrator Crack FREE Download 2025 Latest Version
Adobe Illustrator Crack FREE Download 2025 Latest VersionAdobe Illustrator Crack FREE Download 2025 Latest Version
Adobe Illustrator Crack FREE Download 2025 Latest Version
kashifyounis067
 
Automation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath CertificateAutomation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath Certificate
VICTOR MAESTRE RAMIREZ
 
Top 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docxTop 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docx
Portli
 
Landscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature ReviewLandscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature Review
Hironori Washizaki
 
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Dele Amefo
 
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG:  Efficient Knowledge Retrieval for Enterprise AIScaling GraphRAG:  Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
danshalev
 
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
Egor Kaleynik
 
Adobe Master Collection CC Crack Advance Version 2025
Adobe Master Collection CC Crack Advance Version 2025Adobe Master Collection CC Crack Advance Version 2025
Adobe Master Collection CC Crack Advance Version 2025
kashifyounis067
 
Adobe After Effects Crack FREE FRESH version 2025
Adobe After Effects Crack FREE FRESH version 2025Adobe After Effects Crack FREE FRESH version 2025
Adobe After Effects Crack FREE FRESH version 2025
kashifyounis067
 
Download Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With LatestDownload Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With Latest
tahirabibi60507
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Lionel Briand
 
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
ssuserb14185
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
Expand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchangeExpand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchange
Fexle Services Pvt. Ltd.
 
Societal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainabilitySocietal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainability
Jordi Cabot
 
How can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptxHow can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptx
laravinson24
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdfMicrosoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
TechSoup
 
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
Andre Hora
 
Adobe Illustrator Crack FREE Download 2025 Latest Version
Adobe Illustrator Crack FREE Download 2025 Latest VersionAdobe Illustrator Crack FREE Download 2025 Latest Version
Adobe Illustrator Crack FREE Download 2025 Latest Version
kashifyounis067
 
Automation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath CertificateAutomation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath Certificate
VICTOR MAESTRE RAMIREZ
 
Top 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docxTop 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docx
Portli
 
Landscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature ReviewLandscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature Review
Hironori Washizaki
 
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Dele Amefo
 
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG:  Efficient Knowledge Retrieval for Enterprise AIScaling GraphRAG:  Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
danshalev
 
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
Egor Kaleynik
 
Adobe Master Collection CC Crack Advance Version 2025
Adobe Master Collection CC Crack Advance Version 2025Adobe Master Collection CC Crack Advance Version 2025
Adobe Master Collection CC Crack Advance Version 2025
kashifyounis067
 
Adobe After Effects Crack FREE FRESH version 2025
Adobe After Effects Crack FREE FRESH version 2025Adobe After Effects Crack FREE FRESH version 2025
Adobe After Effects Crack FREE FRESH version 2025
kashifyounis067
 
Download Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With LatestDownload Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With Latest
tahirabibi60507
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Lionel Briand
 

[DockerCon 2023] Reproducible builds with BuildKit for software supply chain security

  • 1. Reproducible builds with BuildKit for software supply chain security
    Akihiro Suda, Software Engineer | NTT
  • 2. Background
    • Security assessment has been hard for Docker images, due to the lack of verifiability in the software supply chain
    • Even when the source code (Dockerfile) is public, and the source code appears to be harmless, it is hard to prove that the image is actually buildable from the source code
    • Reproducible builds help prove it (but whether the source code is harmless is another topic)
  • 3. What are Reproducible Builds?
    • Same source, same binary
    • Attestable by anybody
    • Attestable at any time
    [Diagram: the same Dockerfile (FROM debian / RUN apt-get install -y gcc make ... / COPY . . / RUN make) is built three times, and every build yields the same digest sha256:6ea7098583cb6c9470570df28c154cfec58e122188382cd4a7ceab8a9a79cb67]
  • 4. Why do we need reproducible builds?
    Because non-reproducible builds cannot be proved to be buildable from harmless sources
  • 5. Why do we need reproducible builds?
    [Diagram: "Upstream build" produces sha256:AAAAA…, which you fetch with "docker pull some-image"]
  • 6. Why do we need reproducible builds?
    [Diagram, continued: you find the source repo (FROM debian / RUN apt-get install -y gcc make ... / COPY . . / RUN make)]
  • 7. Why do we need reproducible builds?
    [Diagram, continued: "Your own build (Non-reproducible)" from that source produces a different digest, sha256:BBBBB…]
  • 8. Why do we need reproducible builds?
    [Diagram, continued] Is this image really buildable from the source repo?
  • 9. Why do we need reproducible builds?
    [Diagram: "Your own build (Reproducible)" from the source produces the same digest as upstream, sha256:AAAAA…] Proved to be buildable from the source
  • 10. Why do we need reproducible builds?
    • Reproducibility per se doesn't prove any harmlessness
    • Non-reproducibility doesn't prove any harmfulness, either
  • 11. Why do we need reproducible builds?
    • Reproducibility proves that the image is actually buildable from its source
    • The source still has to be reviewed
    • The source may still be malicious
    • But at least the image contains no secret code that you can never review
  • 12. Are Docker Hub images actually reproducible?
  • 13. Are Docker Hub images actually reproducible?
    • No, mostly
  • 14. Are Docker Hub images actually reproducible?
    $ docker pull golang:1.21.1-alpine@sha256:96634e55b363cb93d39f78fb18aa64abc7f96d372c176660d7b8b6118939d97b
    $ DOCKER_BUILDKIT=0 docker build -t my-golang "https://github.com/docker-library/golang.git#585c8c1e705a7a458455f0629922a4f90628ce08:1.21/alpine3.18"
    $ go install github.com/reproducible-containers/diffoci/cmd/diffoci@latest
    $ diffoci diff docker://golang:1.21.1-alpine docker://my-golang
  • 15. Are Docker Hub images actually reproducible?
    (Same commands as slide 14.) DOCKER_BUILDKIT=0 with Docker 20.10.23 corresponds to the current Docker Hub image (this will change in the future)
  • 16. Are Docker Hub images actually reproducible?
    (Same commands as slide 14.) DiffOCI: diff for Open Container Initiative (OCI) images, https://github.com/reproducible-containers/diffoci
  • 17. Are Docker Hub images actually reproducible?
    $ diffoci diff docker://golang:1.21.1-alpine docker://my-golang
    TYPE  NAME                                                   INPUT-0                        INPUT-1
    Desc  application/vnd.docker.distribution.manifest.v2+json  b25862...                      3c4eca0...
    ...
    File  etc/ssl/certs/3e45d192.0                               2023-08-09 03:36:47 +0000 UTC  2023-09-21 08:35:31 +0000 UTC
    ... (More than 14,000 lines) ...
    File  go/                                                    2023-09-06 18:31:40 +0000 UTC  2023-09-21 08:35:45 +0000 UTC
  • 18. Are Docker Hub images actually reproducible?
    $ diffoci --semantic diff docker://golang:1.21.1-alpine docker://my-golang
    TYPE   NAME                    INPUT-0                                                                   INPUT-1
    Layer  ctx:/layers-1/layer     length mismatch (457 vs 454)
    Layer  ctx:/layers-1/layer     name "usr/local/share/ca-certificates/.wh..wh..opq" only appears in input 0
    Layer  ctx:/layers-1/layer     name "etc/ca-certificates/.wh..wh..opq" only appears in input 0
    Layer  ctx:/layers-1/layer     name "usr/share/ca-certificates/.wh..wh..opq" only appears in input 0
    File   lib/apk/db/scripts.tar  eef110e...                                                                e9bfe18...
    Layer  ctx:/layers-2/layer     length mismatch (13939 vs 13938)
    Layer  ctx:/layers-2/layer     name "usr/local/go/.wh..wh..opq" only appears in input 0
    File   lib/apk/db/scripts.tar  60e22bb...                                                                67f2648...
    Layer  ctx:/layers-3/layer     length mismatch (4 vs 3)
    Layer  ctx:/layers-3/layer     name "go/.wh..wh..opq" only appears in input 0
    The "--semantic" flag ignores "boring" differences (timestamps, file ordering, etc.)
  • 19. Are Docker Hub images actually reproducible?
    (Same output as slide 18.) The ".wh..wh..opq" entries (AUFS whiteouts) are missing due to the filesystem difference
  • 20. Are Docker Hub images actually reproducible?
    (Same output as slide 18.) lib/apk/db/scripts.tar differs due to the timestamp information inside scripts.tar (the "--semantic" flag is not yet clever enough to ignore this "boring" difference)
  • 21. Are Docker Hub images actually reproducible?
    (Same output as slide 18.) This image is not fully reproducible, but its non-reproducibility is explainable (so, this image appears to be actually buildable from the public Dockerfile)
  • 23. 23 Timestamps • The images have timestamps in: - the “created” property in the OCI Image Config - the “history” property in the OCI Image Config - the “org.opencontainers.image.created” annotation in the OCI Index - the timestamps of the files in the image layers OCI = Open Container Initiative
  • 24. 24 Timestamps • The images have timestamps in: - the “created” property in the OCI Image Config - the “history” property in the OCI Image Config - the “org.opencontainers.image.created” annotation in the OCI Index - the timestamps of the files in the image layers OCI = Open Container Initiative
  • 25. 25 Timestamps • BuildKit (since v0.11) supports rewriting the timestamps for OCI Image Config and OCI Index • Support was incomplete in v0.11 and v0.12; using v0.13 [beta] is recommended (see the next couple of slides) OCI = Open Container Initiative buildctl build --opt build-arg:SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) docker buildx build --build-arg SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) Unix epoch (int64, seconds from 1970-01-01 00:00:00 UTC)
  • 26. 26 Timestamps • The images have timestamps in: - the “created” property in the OCI Image Config - the “history” property in the OCI Image Config - the “org.opencontainers.image.created” annotation in the OCI Index - the timestamps of the files in the image layers OCI = Open Container Initiative
  • 27. 27 Timestamps • BuildKit v0.13 [beta] supports rewriting the timestamps in the OCI image layers too • Docs: https://github.com/moby/buildkit/blob/master/docs/build-repro.md OCI = Open Container Initiative buildctl build --opt build-arg:SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) --output type=image,name=example.com/image,push=true,rewrite-timestamp=true docker buildx build --build-arg SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) --output type=image,name=example.com/image,push=true,rewrite-timestamp=true BuildKit v0.13 is still beta and its CLI is still subject to change until its GA
  • 28. 28 Timestamps • The SOURCE_DATE_EPOCH arg is also propagated to ”RUN” containers as an environment variable • The SOURCE_DATE_EPOCH env var is recognized by gcc, clang, cmake, and a bunch of other tools to make application binaries reproducible: https://reproducible-builds.org/docs/source-date-epoch/
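As an added example (not from the slides, and not BuildKit's or diffoci's own code), the following Python models the config-level part of what slides 23 to 27 describe: it collects the timestamp fields of an OCI Image Config ("created" and "history[].created"), clamps them to a SOURCE_DATE_EPOCH value, and then compares two configs after clamping, which is the same idea as the "boring differences" that the "--semantic" flag on slides 18 to 21 ignores. The two configs are constructed samples, not real images; the field names are the OCI Image Config ones the slides name.

```python
import copy
import datetime
import hashlib
import json

# Constructed sample: two OCI image configs produced from the same Dockerfile,
# differing only in the timestamps BuildKit recorded (not taken from a real image).
BUILD_A = {
    "created": "2023-09-21T08:35:45Z",
    "architecture": "amd64",
    "os": "linux",
    "config": {"Cmd": ["/usr/local/bin/app"]},
    "rootfs": {"type": "layers", "diff_ids": ["sha256:" + "a" * 64, "sha256:" + "b" * 64]},
    "history": [
        {"created": "2023-09-21T08:35:31Z", "created_by": "RUN apt-get install -y gcc make"},
        {"created": "2023-09-21T08:35:45Z", "created_by": "COPY . ."},
    ],
}
BUILD_B = copy.deepcopy(BUILD_A)
BUILD_B["created"] = "2023-10-02T11:00:03Z"
for _entry in BUILD_B["history"]:
    _entry["created"] = "2023-10-02T11:00:00Z"


def epoch_to_rfc3339(source_date_epoch: int) -> str:
    """Render a Unix epoch (seconds since 1970-01-01 00:00:00 UTC) as the
    RFC 3339 form used by the OCI Image Config "created" fields."""
    t = datetime.datetime.fromtimestamp(source_date_epoch, tz=datetime.timezone.utc)
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def timestamp_fields(config: dict) -> dict:
    """Every timestamp the config carries, keyed by its JSON path."""
    found = {}
    if "created" in config:
        found["created"] = config["created"]
    for i, entry in enumerate(config.get("history", [])):
        if "created" in entry:
            found[f"history[{i}].created"] = entry["created"]
    return found


def rewrite_timestamps(config: dict, source_date_epoch: int) -> dict:
    """Return a copy with every config-level timestamp set to SOURCE_DATE_EPOCH.
    (Layer file timestamps, which live inside the layer tarballs, are not
    covered here; that is what BuildKit v0.13's rewrite-timestamp=true does.)"""
    out = copy.deepcopy(config)
    stamp = epoch_to_rfc3339(source_date_epoch)
    out["created"] = stamp
    for entry in out.get("history", []):
        if "created" in entry:
            entry["created"] = stamp
    return out


def canonical_digest(config: dict) -> str:
    """sha256 over canonical JSON; equal digests mean bit-for-bit equal configs."""
    data = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(data).hexdigest()


def semantic_diff(a: dict, b: dict) -> list:
    """Top-level keys that still differ once timestamps are ignored.
    An empty list means the two configs are reproducible modulo timestamps."""
    sa = rewrite_timestamps(a, 0)
    sb = rewrite_timestamps(b, 0)
    return [key for key in sorted(set(sa) | set(sb)) if sa.get(key) != sb.get(key)]


if __name__ == "__main__":
    print("timestamps in build A:", timestamp_fields(BUILD_A))
    print("bit-for-bit equal:", canonical_digest(BUILD_A) == canonical_digest(BUILD_B))
    print("differences ignoring timestamps:", semantic_diff(BUILD_A, BUILD_B))
    epoch = 1693785600  # 2023-09-04T00:00:00Z, e.g. from `git log -1 --pretty=%ct`
    print("equal after clamping to SOURCE_DATE_EPOCH:",
          canonical_digest(rewrite_timestamps(BUILD_A, epoch))
          == canonical_digest(rewrite_timestamps(BUILD_B, epoch)))
```

The point of the last check is the one the slides make: two builds that are only "boringly" different become bit-for-bit identical once every timestamp is derived from the source rather than from the clock. A real comparison must also cover the layer blobs and the OCI Index annotation, which is why the slides point to diffoci rather than to a config-only check.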
  • 29. Pinning the base image
    FROM debian
  • 30. Pinning the base image
    FROM debian:bookworm
  • 31. Pinning the base image
    FROM debian:bookworm-20230904
  • 32. Pinning the base image
    FROM debian:bookworm-20230904@sha256:b4042f895d5d1f8df415caebe7c416f9dbcf0dc8867abb225955006de50b21f3
    (Each line is more tightly pinned than the one on the previous slide.)
  • 33. Pinning the base image
    (Same FROM lines as slides 29 to 32.) apt-get on bookworm-20230904 still installs the latest packages, not the packages of that date (so, not reproducible)
  • 35. 35 Pinning packages: Debian and Ubuntu FROM debian:bookworm-20230904-slim ADD --chmod=0755 https://raw.githubusercontent.com/reproducible-containers/repro-sources-list.sh/v0.1.0/repro-sources-list.sh /usr/local/bin/repro-sources-list.sh RUN --mount=type=cache,target=/var/cache/apt repro-sources-list.sh && apt-get update && apt-get install -y gcc More examples at: https://github.com/reproducible-containers/repro-sources-list.sh repro-sources-list.sh simplifies the Dockerfile, and enables caching dpkg files Caching is practically necessary, as snapshot servers are slow
  • 36. 36 Pinning packages: Debian and Ubuntu • RUN --mount=type=cache,target=/var/cache/apt can be saved on GitHub Actions using: https://github.com/reproducible-containers/buildkit-cache-dance steps: - uses: actions/cache@v3 with: path: var-cache-apt key: var-cache-apt-${{ hashFiles('Dockerfile') }} - uses: reproducible-containers/[email protected] with: cache-source: var-cache-apt cache-target: /var/cache/apt
• 37. Pinning packages: Debian and Ubuntu
  • The (checksums of the) packages on snapshot.debian.org are signed by Debian, just like regular apt-get repositories
  • The signatures are fetched and verified against the package metadata checksums when running apt-get update (not on apt-get install)
  • If /var/lib/apt (metadata) is compromised, apt-get update will fail
  • If /var/cache/apt (dpkg files) is compromised, apt-get install will fail
  • The situation is the same for snapshot.ubuntu.com (signed by Canonical)
• 38. Pinning packages: Debian and Ubuntu
  • If you don't trust the latest package signatures, you can reproduce most of the packages yourself: https://wiki.debian.org/ReproducibleBuilds/Howto
• 40. Pinning packages: NixOS
  • Repro builds are much easier with NixOS (although NixOS per se is often considered hard to learn)
  • The flake.lock file contains the checksums of the sources
  • If the binary is present on cache.nixos.org, the cached binary is used; otherwise the package is built from the source, with very good reproducibility (99.77% for nixos.iso_minimal.x86_64-linux installation, according to https://r13y.com/)
• 41. Pinning packages: Alpine, Rocky, Alma, etc.
  • These distros do not provide snapshot servers like snapshot.debian.org
  • You have to preserve /etc/apk/cache, /var/cache/dnf, etc. by yourself
  • Examples can be found at: https://github.com/reproducible-containers/repro-pkg-cache
  • In the long term, BuildKit frontends may have features to help pinning packages: https://github.com/moby/buildkit/issues/4259
• 42. Future work (Help wanted)
  • Proposal to make well-known images reproducible (at least for Debian-based ones)
  • "Single-click" platform for attesting reproducibility and sharing the result
• 43. Recap
  • Repro builds prove that an image is actually buildable from its source
  • Whether the source is harmless or not is another topic
  • Ideally, every image should be bit-for-bit reproducible
  • Practically, subtle differences can be allowed, when they are explainable (e.g., timestamps)
• 44. Recap
  Tools and examples: https://github.com/reproducible-containers
  • diffoci: diff for OCI images, to analyze non-reproducible builds
  • repro-sources-list.sh: reproducibility helper for Debian, Ubuntu, etc.
  • repro-pkg-cache: reproducibility helper for Alpine, Alma, Rocky, etc.
  • buildkit-cache-dance: apt-get cache for GitHub Actions
  BuildKit docs: https://github.com/moby/buildkit/blob/master/docs/build-repro.md
  OCI = Open Container Initiative
• 45. Recap
  • Slides will be uploaded to https://github.com/AkihiroSuda (README → "Presentation slides")