build: set record provenance in response
Follow-up discussion with @tonistiigi related to https://github.com/docker/buildx/pull/1681
Previously we got containerimage.buildinfo in the metadata file, but buildinfo has been removed in BuildKit 0.12 (https://github.com/moby/buildkit/pull/3582): https://github.com/moby/buildkit/blob/master/docs/deprecated.md#build-information
This was useful to see all sources that were used by the build with their exact versions and also the configuration that was passed to the build.
However with the provenance attestation supported since BuildKit v0.11, we have similar (and a "bit" more) information available.
With this change we set the provenance saved along the build record in the metadata file, similar to containerimage.buildinfo, that is named buildx.build.provenance. The feature is opt-in behind the BUILDX_METADATA_PROVENANCE env var.
```console
$ BUILDX_METADATA_PROVENANCE=1 docker buildx --builder builder bake binaries --metadata-file md.json
...
#19 copying files 56.29MB 0.3s done
#19 DONE 0.3s
#20 resolve build record provenance
#20 fetching sha256:d4baadd1c8f5267989b9621ccf533578f5510fccf3b089792b4677419923bd74 40.20kB / 40.20kB 0.0s done
#20 DONE 0.0s
```
```console
$ BUILDX_METADATA_PROVENANCE=1 docker buildx --builder builder bake binaries-cross --metadata-file md.json
...
#28 copying files darwin/amd64 63.37MB 2.8s done
#28 copying files darwin/arm64 63.25MB 2.8s done
#28 DONE 2.8s
#29 resolve build record provenance
#29 [linux/arm/v6] fetching sha256:112839ea05d00fccfb812d4748ffe8da75bc22f0a85427b85905d75cf1a4b140 42.95kB / 42.95kB 0.0s done
#29 [windows/amd64] fetching sha256:edf274fbab88bd974325c5e4eba079e3f34fd40a5f0be85bb36e890a939add3a 42.95kB / 42.95kB 0.0s done
#29 [darwin/arm64] fetching sha256:246b18970dea9a715018696790f95b99851a36be28615359c86facc4735ca1b9 42.95kB / 42.95kB 0.0s done
#29 [linux/riscv64] fetching sha256:e4b1c1d5dd268b3a538e045abfa021356a3a1d16ed8c38af9329951308d6b8cc 42.95kB / 42.95kB 0.0s done
#29 [linux/s390x] fetching sha256:a7521dd346a3d781bcb2c1d85a42fa2facca45f5b0b04b51bc9f94766de39901 42.95kB / 42.95kB 0.0s done
#29 [linux/amd64] fetching sha256:e307d7338643d4ccc0eefbd97cc13974e429d66739f0c5562426f7977cdbfd89 42.95kB / 42.95kB 0.0s done
#29 [linux/arm/v7] fetching sha256:80c19944fa2abb3c7493ded7a0e0a20c62ee033edad21c6a681c3837a9aef3a0 42.95kB / 42.95kB 0.0s done
#29 [windows/arm64] fetching sha256:68402e6fb7539a1b436138c751b758285f7c202cd9ed6619efb7a6fb1f64eba7 42.95kB / 42.95kB 0.0s done
#29 [darwin/amd64] fetching sha256:7a29885b5a34d578d2ef8e32caa1aea82ca471a2147b5e468b46bf550ce44529 42.95kB / 42.95kB 0.0s done
#29 [linux/arm64] fetching sha256:6dd72c90a62185275ac514441651af5722ac9ffd2400eef7cefbf740388fa141 42.95kB / 42.95kB 0.0s done
#29 [linux/ppc64le] fetching sha256:c29d0d802b5687b4466689807770b04fe786bd29c6aa4533ba76d690d2dc6a22 42.95kB / 42.95kB 0.0s done
#29 DONE 0.0s
```
This is an early draft. Provenance can be quite huge, so we might need to set provenance only when the metadata file is requested.
The size of the metadata file can be quite huge for builds with many targets when using bake. We could either split each target into its own metadata file, such as:
```hcl
# docker-bake.hcl
group "default" {
  targets = ["db", "webapp-dev"]
}
target "db" {
  dockerfile = "Dockerfile.db"
  tags = ["docker.io/username/db"]
}
target "webapp-dev" {
  dockerfile = "Dockerfile.webapp"
  tags = ["docker.io/username/webapp"]
}
```
```shell
docker buildx bake --metadata-file md.json
```
would produce
```
md.db.json
md.webapp-dev.json
```
or we could make our own "docker, inc" struct with a minimal provenance similar to buildinfo but I don't really like it. Want to avoid drifting and stick to provenance.
@tonistiigi Updated to strip buildConfig and metadata from provenance if BUILDX_METADATA_PROVENANCE is set to min. Mode max sets full provenance. Let me know if defaulting to min would be good. At the moment it doesn't set provenance at all.
@dvdksn Forgot to add docs-followup label on this one 🙈 for BUILDX_METADATA_PROVENANCE env var that should be added in https://docs.docker.com/build/building/variables/#build-tool-configuration-variables
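As an added example (not buildx code and not part of this thread), the script below shows what a consumer of the metadata file described in the PR description and in the min/max follow-up could do with the recorded provenance: list every material with its exact digest, flag materials recorded without a digest, and tell a min record (buildConfig and metadata stripped) from a max one. The exact layout of the metadata file (one flat object for a single build, one nested object per target for bake, provenance stored under buildx.build.provenance as a SLSA style predicate with a materials list) and the sample contents, digests and URIs are assumptions for this example.

```python
"""Inspect the provenance buildx writes into a --metadata-file (added example,
not buildx code). The metadata layout below is an assumption for this script."""
import json

PROVENANCE_KEY = "buildx.build.provenance"

# Constructed sample of a bake metadata file with two targets: per-target
# objects, each carrying a SLSA v0.2 style provenance predicate with
# "materials". The "db" target carries buildConfig/metadata (what the PR
# describes as mode max); "webapp-dev" does not (mode min). Digests are dummy.
SAMPLE_METADATA = json.dumps({
    "db": {
        "containerimage.digest": "sha256:" + "a" * 64,
        PROVENANCE_KEY: {
            "buildType": "https://mobyproject.org/buildkit@v1",
            "materials": [
                {"uri": "pkg:docker/postgres@16?platform=linux%2Famd64",
                 "digest": {"sha256": "1" * 64}},
            ],
            "buildConfig": {"llbDefinition": []},
            "metadata": {"completeness": {"parameters": True}},
        },
    },
    "webapp-dev": {
        "containerimage.digest": "sha256:" + "b" * 64,
        PROVENANCE_KEY: {
            "buildType": "https://mobyproject.org/buildkit@v1",
            "materials": [
                {"uri": "pkg:docker/golang@1.21-alpine?platform=linux%2Famd64",
                 "digest": {"sha256": "2" * 64}},
                {"uri": "https://github.com/example/webapp.git#refs/heads/main",
                 "digest": {"sha1": "3" * 40}},
                # constructed: a source recorded without any digest
                {"uri": "https://example.invalid/tool.tar.gz"},
            ],
        },
    },
})


def load_targets(text):
    """Return {target_name: metadata}. A plain `buildx build` writes one flat
    object (returned under the empty name); `bake` nests one object per target."""
    doc = json.loads(text)
    if PROVENANCE_KEY in doc or "containerimage.digest" in doc:
        return {"": doc}
    return {name: md for name, md in doc.items() if isinstance(md, dict)}


def provenance_mode(prov):
    """'max' when the fields the PR strips in mode min are present, else 'min'."""
    return "max" if "buildConfig" in prov or "metadata" in prov else "min"


def materials(prov):
    """(uri, 'algo:hex') pairs for every material that carries a digest."""
    out = []
    for m in prov.get("materials", []):
        for algo, value in m.get("digest", {}).items():
            out.append((m.get("uri", ""), f"{algo}:{value}"))
    return out


def unpinned(prov):
    """URIs of materials recorded without any digest, i.e. not pinned to a version."""
    return [m.get("uri", "") for m in prov.get("materials", []) if not m.get("digest")]


def summarize(text):
    """Per target: None if no provenance was recorded (env var not set),
    otherwise the detected mode, pinned materials and unpinned URIs."""
    result = {}
    for name, md in load_targets(text).items():
        prov = md.get(PROVENANCE_KEY)
        if prov is None:
            result[name] = None
            continue
        result[name] = {
            "mode": provenance_mode(prov),
            "materials": materials(prov),
            "unpinned": unpinned(prov),
        }
    return result


if __name__ == "__main__":
    for name, info in summarize(SAMPLE_METADATA).items():
        if info is None:
            print(f"{name or '<single build>'}: no provenance recorded")
            continue
        print(f"{name}: mode={info['mode']}")
        for uri, digest in info["materials"]:
            print(f"  {uri} {digest}")
        for uri in info["unpinned"]:
            print(f"  UNPINNED {uri}")
```

Pointing `summarize` at a real `md.json` instead of the constructed sample is the only change needed to run it against a build; a target that comes back as `None` was built without BUILDX_METADATA_PROVENANCE, and any URI in `unpinned` is a source whose exact version the record does not pin.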