chore: minimize diff

.bazelrc

@@ -8,4 +8,4 @@ test:release --workspace_status_command=./private/stamp.bash --stamp
 
 # Allow external dependencies to be retried. debian snapshot is unreliable and needs retries.
 common --experimental_repository_downloader_retries=20
-common --http_timeout_scaling=2.0
+common --http_timeout_scaling=2.0

WORKSPACE

@@ -5,9 +5,9 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 # rules_distroless setup
 http_archive(
     name = "rules_distroless",
-    sha256 = "4b6d6a4bd03431f4f680ff5f6feea0b8ccf52c0296a12818d2c9595392e45543",
-    strip_prefix = "rules_distroless-0.2.0",
-    url = "https://github.com/GoogleContainerTools/rules_distroless/releases/download/v0.2.0/rules_distroless-v0.2.0.tar.gz",
+    sha256 = "9306b5b8a296d95745d7b38be20c320db125f1b5f6fc3ad507de21c8d562b159",
+    strip_prefix = "rules_distroless-896a27f8aee503c6ea3eeae47b51a4fc84c8496a",
+    url = "https://github.com/GoogleContainerTools/rules_distroless/archive/896a27f8aee503c6ea3eeae47b51a4fc84c8496a.tar.gz",
 )
 
 load("@rules_distroless//distroless:dependencies.bzl", "distroless_dependencies")

base/base.bzl

@@ -1,8 +1,8 @@
 "defines a function to replicate the container images for different distributions"
 
 load("@container_structure_test//:defs.bzl", "container_structure_test")
-load("@rules_oci//oci:defs.bzl", "oci_image", "oci_image_index")
 load("@io_bazel_rules_go//go:def.bzl", "go_binary")
+load("@rules_oci//oci:defs.bzl", "oci_image", "oci_image_index")
 load("@rules_pkg//:pkg.bzl", "pkg_tar")
 load("//:checksums.bzl", "ARCHITECTURES", "VARIANTS")
 load("//common:variables.bzl", "NONROOT")
@@ -82,15 +82,14 @@ def base_images(distro):
                     deb.package(arch, distro, "base-files"),
                     deb.package(arch, distro, "netbase"),
                     deb.package(arch, distro, "tzdata"),
-                    # Create /tmp, too many things assume it exists.
-                    # tmp.tar has a /tmp with the correct permissions 01777
-                    # A tar is needed because at the moment there is no way to create a
-                    # directory with specific permissions.
-                    ":tmp.tar",
-                    ":nsswitch.tar",
+                    "//common:rootfs",
                     "//common:passwd",
                     "//common:home",
                     "//common:group",
+                    # Create /tmp, too many things assume it exists.
+                    # tmp.tar has a /tmp with the correct permissions 01777
+                    "//common:tmp",
+                    ":nsswitch.tar",
                     "//common:os_release_" + distro,
                     "//common:cacerts_" + distro + "_" + arch,
                 ],

common/BUILD.bazel

@@ -1,10 +1,35 @@
+load("@aspect_bazel_lib//lib:tar.bzl", "tar")
 load("@rules_distroless//distroless:defs.bzl", "cacerts", "group", "home", "locale", "os_release", "passwd")
 load("//:checksums.bzl", "ARCHITECTURES", "VERSIONS")
 load("//base:distro.bzl", "DISTROS")
-load(":variables.bzl", "NOBODY", "NONROOT", "OS_RELEASE", "ROOT", "quote")
+load("//private/util:deb.bzl", "deb")
+load(":variables.bzl", "MTIME", "NOBODY", "NONROOT", "OS_RELEASE", "ROOT", "quote")
 
 package(default_visibility = ["//visibility:public"])
 
+tar(
+    name = "rootfs",
+    srcs = [],
+    args = [
+        "--format",
+        "gnutar",
+    ],
+    compress = "gzip",
+    mtree = ["./ type=dir uid=0 gid=0 time=0.0"],
+)
+
+tar(
+    name = "tmp",
+    srcs = [],
+    # original tmp.tar was created on a gnutar, mimic that.
+    args = [
+        "--format",
+        "gnutar",
+    ],
+    compress = "gzip",
+    mtree = ["./tmp gname=root uname=root time=1501783453.0 mode=1777 gid=0 uid=0 type=dir"],
+)
+
 [
     os_release(
         name = "os_release_%s" % dist,
@@ -15,6 +40,7 @@ package(default_visibility = ["//visibility:public"])
             ))
             for (key, value) in OS_RELEASE.items()
         },
+        time = MTIME,
     )
     for (dist, codename, version) in VERSIONS
 ]
@@ -28,7 +54,8 @@ package(default_visibility = ["//visibility:public"])
         # >     debian/rules: rename the C.UTF-8 locale into C.utf8 to match upstream
         # >     naming.
         charset = "C.UTF-8" if distro == "debian11" else "C.utf8",
-        package = "@%s_%s_libc-bin//:data" % (arch, distro),
+        package = deb.data(arch, distro, "libc-bin"),
+        time = MTIME,
     )
     for arch in ARCHITECTURES
     for distro in DISTROS
@@ -37,7 +64,8 @@ package(default_visibility = ["//visibility:public"])
 [
     cacerts(
         name = "cacerts_%s_%s" % (distro, arch),
-        package = "@%s_%s_ca-certificates//:data" % (arch, distro),
+        package = deb.data(arch, distro, "ca-certificates"),
+        time = MTIME,
     )
     for arch in ARCHITECTURES
     for distro in DISTROS
@@ -46,43 +74,39 @@ package(default_visibility = ["//visibility:public"])
 # create /etc/group with the root, tty, and staff groups
 group(
     name = "group",
-    groups = [
+    entries = [
         {
             "name": "root",  # root_group
             "gid": ROOT,
             "password": "x",
-            "users": [],
         },
         {
             "name": "nobody",  # nobody_group
             "gid": NOBODY,
             "password": "x",
-            "users": [],
         },
         {
             "name": "tty",  # tty_group
             "gid": 5,
             "password": "x",
-            "users": [],
         },
         {
             "name": "staff",  # staff_group
             "gid": 50,
             "password": "x",
-            "users": [],
         },
         {
             "name": "nonroot",  # nonroot_group
             "gid": NONROOT,
             "password": "x",
-            "users": [],
         },
     ],
+    time = MTIME,
 )
 
 passwd(
     name = "passwd",
-    passwds = [
+    entries = [
         {
             "gecos": ["root"],
             "gid": ROOT,
@@ -117,14 +141,22 @@ home(
     name = "home",
     dirs = [
         {
-            "home": "./root",
+            "home": "/root",
             "uid": ROOT,
             "gid": ROOT,
+            "mode": 700,
+        },
+        {
+            "home": "/home",
+            "uid": NONROOT,
+            "gid": NONROOT,
+            "mode": 755,
         },
         {
-            "home": "./home/nonroot",
+            "home": "/home/nonroot",
             "uid": NONROOT,
             "gid": NONROOT,
+            "mode": 700,
         },
     ],
 )

common/variables.bzl

@@ -17,3 +17,6 @@ OS_RELEASE = dict(
 NOBODY = 65534
 NONROOT = 65532
 ROOT = 0
+
+# TODO: this should be 0, but for now we'll use this to minimize diff.
+MTIME = "946684800"

examples/nonroot/BUILD

@@ -11,7 +11,7 @@ load("//base:distro.bzl", "DISTROS")
 # Create a passwd file and home directory with a nonroot user and uid.
 passwd(
     name = "passwd",
-    passwds = [
+    entries = [
         {
             "gecos": ["nonroot"],
             "gid": 1000,

private/tools/diff.bash

@@ -235,4 +235,4 @@ if [[ "${SET_GITHUB_OUTPUT}" == "1" ]]; then
     echo "changed_targets<<EOF" >> "$GITHUB_OUTPUT"
     cat "$CHANGED_IMAGES_FILE" >> "$GITHUB_OUTPUT"
     echo "EOF" >> "$GITHUB_OUTPUT"
-fi
+fi

private/util/deb.bzl

@@ -1,8 +1,12 @@
 "utility functions for constructing debian package labels"
 
-def deb_package(arch, dist, package):
+def _package(arch, dist, package):
     return "@{arch}_{dist}_{package}".format(arch = arch, dist = dist, package = package)
 
+def _data(arch, dist, package):
+    return "@{}//:data".format(_package(arch = arch, dist = dist, package = package))
+
 deb = struct(
-    package = deb_package,
+    package = _package,
+    data = _data,
 )

private/util/java_cacerts.bzl

@@ -1,6 +1,7 @@
 "java ca certificates"
 
 load("@rules_distroless//distroless:defs.bzl", "java_keystore")
+load("//common:variables.bzl", "MTIME")
 load(":extract.bzl", "tar_extract_file")
 
 def java_cacerts(name, archive):
@@ -15,4 +16,5 @@ def java_cacerts(name, archive):
         certificates = [
             ":" + name + "_extract",
         ],
+        time = MTIME,
     )