[YUNIKORN-2485] Shim: Use Docker to build reproducible binaries (#803)

Introduces a build var (REPRODUCIBLE_BUILDS=1) to force building binaries using Docker. This results in builds with a consistent environment every time. Closes: #803
apache · Mar 15, 2024 · c770925 · c770925
1 parent 09ba018
commit c770925
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -11,4 +11,5 @@
 *.crt
 *.key
 *.test
+*.swp
 /build.date
diff --git a/.go_repro_version b/.go_repro_version
@@ -0,0 +1 @@
+1.21.8
diff --git a/Makefile b/Makefile
@@ -74,6 +74,14 @@ else
   PLUGIN_OPTS := 
 endif
 
+# Reproducible builds mode
+GO_REPRO_VERSION := $(shell cat .go_repro_version)
+ifeq ($(REPRODUCIBLE_BUILDS),1)
+  REPRO := 1
+else
+  REPRO :=
+endif
+
 # Build date - Use git commit, then cached build.date, finally current date
 # This allows for reproducible builds as long as release tarball contains the build.date file.
 DATE := $(shell if [ -d "$(BASE_DIR)/.git" ]; then TZ=UTC0 git --no-pager log -1 --date=iso8601-strict-local --format=%cd 2>/dev/null ; fi || true)
@@ -392,6 +400,17 @@ scheduler: $(RELEASE_BIN_DIR)/$(SCHEDULER_BINARY)
 $(RELEASE_BIN_DIR)/$(SCHEDULER_BINARY): go.mod go.sum $(shell find pkg)
 	@echo "building binary for scheduler docker image"
 	@mkdir -p "$(RELEASE_BIN_DIR)"
+ifeq ($(REPRO),1)
+	docker run -t --rm=true --volume "$(BASE_DIR):/buildroot" "golang:$(GO_REPRO_VERSION)" sh -c "cd /buildroot && \
+	CGO_ENABLED=0 GOOS=linux GOARCH=\"${EXEC_ARCH}\" go build \
+	-a \
+	-o=${RELEASE_BIN_DIR}/${SCHEDULER_BINARY} \
+	-trimpath \
+	-ldflags '-buildid= -extldflags \"-static\" -X ${FLAG_PREFIX}.buildVersion=${VERSION} -X ${FLAG_PREFIX}.buildDate=${DATE} -X ${FLAG_PREFIX}.isPluginVersion=false -X ${FLAG_PREFIX}.goVersion=${GO_REPRO_VERSION} -X ${FLAG_PREFIX}.arch=${EXEC_ARCH} -X ${FLAG_PREFIX}.coreSHA=${CORE_SHA} -X ${FLAG_PREFIX}.siSHA=${SI_SHA} -X ${FLAG_PREFIX}.shimSHA=${SHIM_SHA}' \
+	-tags netgo \
+	-installsuffix netgo \
+	./pkg/cmd/shim/"
+else
 	CGO_ENABLED=0 GOOS=linux GOARCH="${EXEC_ARCH}" "$(GO)" build \
 	-a \
 	-o=${RELEASE_BIN_DIR}/${SCHEDULER_BINARY} \
@@ -400,6 +419,7 @@ $(RELEASE_BIN_DIR)/$(SCHEDULER_BINARY): go.mod go.sum $(shell find pkg)
 	-tags netgo \
 	-installsuffix netgo \
 	./pkg/cmd/shim/
+endif
 
 # Build plugin binary in a production ready version
 .PHONY: plugin
@@ -408,6 +428,17 @@ plugin: $(RELEASE_BIN_DIR)/$(PLUGIN_BINARY)
 $(RELEASE_BIN_DIR)/$(PLUGIN_BINARY): go.mod go.sum $(shell find pkg)
 	@echo "building binary for plugin docker image"
 	@mkdir -p "$(RELEASE_BIN_DIR)"
+ifeq ($(REPRO),1)
+	docker run -t --rm=true --volume "$(BASE_DIR):/buildroot" "golang:$(GO_REPRO_VERSION)" sh -c "cd /buildroot && \
+	CGO_ENABLED=0 GOOS=linux GOARCH=\"${EXEC_ARCH}\" go build \
+	-a \
+	-o=${RELEASE_BIN_DIR}/${PLUGIN_BINARY} \
+	-trimpath \
+	-ldflags '-buildid= -extldflags \"-static\" -X ${FLAG_PREFIX}.buildVersion=${VERSION} -X ${FLAG_PREFIX}.buildDate=${DATE} -X ${FLAG_PREFIX}.isPluginVersion=true -X ${FLAG_PREFIX}.goVersion=${GO_REPRO_VERSION} -X ${FLAG_PREFIX}.arch=${EXEC_ARCH} -X ${FLAG_PREFIX}.coreSHA=${CORE_SHA} -X ${FLAG_PREFIX}.siSHA=${SI_SHA} -X ${FLAG_PREFIX}.shimSHA=${SHIM_SHA}' \
+	-tags netgo \
+	-installsuffix netgo \
+	./pkg/cmd/schedulerplugin/"
+else
 	CGO_ENABLED=0 GOOS=linux GOARCH="${EXEC_ARCH}" "$(GO)" build \
 	-a \
 	-o=${RELEASE_BIN_DIR}/${PLUGIN_BINARY} \
@@ -416,6 +447,7 @@ $(RELEASE_BIN_DIR)/$(PLUGIN_BINARY): go.mod go.sum $(shell find pkg)
 	-tags netgo \
 	-installsuffix netgo \
 	./pkg/cmd/schedulerplugin/
+endif
 
 # Build a scheduler image based on the production ready version
 .PHONY: sched_image
@@ -465,6 +497,17 @@ admission: $(RELEASE_BIN_DIR)/$(ADMISSION_CONTROLLER_BINARY)
 $(RELEASE_BIN_DIR)/$(ADMISSION_CONTROLLER_BINARY): go.mod go.sum $(shell find pkg)
 	@echo "building admission controller binary"
 	@mkdir -p "$(RELEASE_BIN_DIR)"
+ifeq ($(REPRO),1)
+	docker run -t --rm=true --volume "$(BASE_DIR):/buildroot" "golang:$(GO_REPRO_VERSION)" sh -c "cd /buildroot && \
+	CGO_ENABLED=0 GOOS=linux GOARCH=\"${EXEC_ARCH}\" go build \
+	-a \
+	-o=$(RELEASE_BIN_DIR)/$(ADMISSION_CONTROLLER_BINARY) \
+	-trimpath \
+	-ldflags '-buildid= -extldflags \"-static\" -X ${FLAG_PREFIX}.buildVersion=${VERSION} -X ${FLAG_PREFIX}.buildDate=${DATE} -X ${FLAG_PREFIX}.goVersion=${GO_REPRO_VERSION} -X ${FLAG_PREFIX}.arch=${EXEC_ARCH}' \
+	-tags netgo \
+	-installsuffix netgo \
+	./pkg/cmd/admissioncontroller"
+else
 	CGO_ENABLED=0 GOOS=linux GOARCH="${EXEC_ARCH}" "$(GO)" build \
 	-a \
 	-o=$(RELEASE_BIN_DIR)/$(ADMISSION_CONTROLLER_BINARY) \
@@ -473,6 +516,7 @@ $(RELEASE_BIN_DIR)/$(ADMISSION_CONTROLLER_BINARY): go.mod go.sum $(shell find pk
 	-tags netgo \
 	-installsuffix netgo \
 	./pkg/cmd/admissioncontroller
+endif
 
 # Build an admission controller image based on the production ready version
 .PHONY: adm_image
-Original file line number
+Diff line change
@@ Expand Up / @@ -11,4 +11,5 @@ @@
     *.crt
     *.key
     *.test
+    *.swp
     /build.date