Merge pull request #39 from Dstack-TEE/better-pkg-pin

kvinwang · web-flow · commit ccc672752667 · 2025-06-16T09:22:39.000+08:00
Better package pinning
diff --git a/custom-domain/dstack-ingress/Dockerfile b/custom-domain/dstack-ingress/Dockerfile
@@ -1,32 +1,41 @@
 FROM nginx@sha256:b6653fca400812e81569f9be762ae315db685bc30b12ddcdc8616c63a227d3ca
 
-# Use a specific Debian snapshot for reproducible builds
+COPY pinned-packages.txt /tmp/
+
 RUN set -e; \
     # Create a sources.list file pointing to a specific snapshot
     echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20250411T024939Z bookworm main' > /etc/apt/sources.list && \
     echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian-security/20250411T024939Z bookworm-security main' >> /etc/apt/sources.list && \
     echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/10no-check-valid-until && \
-    # Install packages with exact versions for reproducibility
-    apt-get -o Acquire::Check-Valid-Until=false update && \
+    # Create preferences file to pin all packages
+    mkdir -p /etc/apt/preferences.d && \
+    cat /tmp/pinned-packages.txt | while read line; do \
+        pkg=$(echo $line | cut -d= -f1); \
+        ver=$(echo $line | cut -d= -f2); \
+        if [ ! -z "$pkg" ] && [ ! -z "$ver" ]; then \
+            echo "Package: $pkg\nPin: version $ver\nPin-Priority: 1001\n" >> /etc/apt/preferences.d/pinned-packages; \
+        fi; \
+    done && \
+    apt-get update && \
     apt-get install -y --no-install-recommends \
-        certbot=2.1.0-4 \
-        openssl=3.0.15-1~deb12u1 \
-        bash=5.2.15-2+b7 \
-        python3=3.11.2-1+b1 \
-        python3-pip=23.0.1+dfsg-1 \
-        python3-requests=2.28.1+dfsg-1 \
-        python3.11-venv=3.11.2-6+deb12u5 \
-        curl=7.88.1-10+deb12u12 \
-        jq=1.6-2.1 \
-        coreutils=9.1-1 && \
-        rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/ldconfig/aux-cache
-
+        certbot \
+        openssl \
+        bash \
+        python3-pip \
+        python3-requests \
+        python3.11 \
+        python3.11-venv \
+        curl \
+        jq \
+        coreutils && \
+        rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/ldconfig/aux-cache /tmp/pinned-packages.txt
 
 RUN mkdir -p /etc/letsencrypt /var/www/certbot /usr/share/nginx/html
 
 COPY ./scripts/* /scripts/
 RUN chmod +x /scripts/*
 ENV PATH="/scripts:$PATH"
+COPY .GIT_REV /etc/
 
 ENTRYPOINT ["/scripts/entrypoint.sh"]
 CMD ["nginx", "-g", "daemon off;"]
diff --git a/custom-domain/dstack-ingress/build-image.sh b/custom-domain/dstack-ingress/build-image.sh
@@ -8,4 +8,8 @@ fi
 if ! docker buildx inspect buildkit_20 &>/dev/null; then
     docker buildx create --use --driver-opt image=moby/buildkit:v0.20.2 --name buildkit_20
 fi
+touch pinned-packages.txt
+git rev-parse HEAD > .GIT_REV
 docker buildx build --builder buildkit_20 --no-cache --build-arg SOURCE_DATE_EPOCH="0" --output type=docker,name=$NAME,rewrite-timestamp=true .
+docker run --rm --entrypoint bash $NAME -c "dpkg -l | grep '^ii' |awk '{print \$2\"=\"\$3}' | sort" > pinned-packages.txt
+rm .GIT_REV
diff --git a/custom-domain/dstack-ingress/pinned-packages.txt b/custom-domain/dstack-ingress/pinned-packages.txt
@@ -0,0 +1,197 @@
+adduser=3.134
+apt=2.6.1
+base-files=12.4+deb12u10
+base-passwd=3.6.1
+bash=5.2.15-2+b8
+bsdutils=1:2.38.1-5+deb12u3
+ca-certificates=20230311
+certbot=2.1.0-4
+coreutils=9.1-1
+curl=7.88.1-10+deb12u12
+dash=0.5.12-2
+debconf=1.5.82
+debian-archive-keyring=2023.3+deb12u1
+debianutils=5.7-0.5~deb12u1
+diffutils=1:3.8-4
+dpkg=1.21.22
+e2fsprogs=1.47.0-2
+findutils=4.9.0-4
+fontconfig-config=2.14.1-4
+fonts-dejavu-core=2.37-6
+gcc-12-base:amd64=12.2.0-14
+gettext-base=0.21-12
+gpgv=2.2.40-1.1
+grep=3.8-5
+gzip=1.12-1
+hostname=3.23+nmu1
+init-system-helpers=1.65.2
+jq=1.6-2.1
+libabsl20220623:amd64=20220623.1-1
+libacl1:amd64=2.3.1-3
+libaom3:amd64=3.6.0-1+deb12u1
+libapt-pkg6.0:amd64=2.6.1
+libattr1:amd64=1:2.5.1-4
+libaudit-common=1:3.0.9-1
+libaudit1:amd64=1:3.0.9-1
+libavif15:amd64=0.11.1-1
+libblkid1:amd64=2.38.1-5+deb12u3
+libbrotli1:amd64=1.0.9-2+b6
+libbsd0:amd64=0.11.7-2
+libbz2-1.0:amd64=1.0.8-5+b1
+libc-bin=2.36-9+deb12u10
+libc6:amd64=2.36-9+deb12u10
+libcap-ng0:amd64=0.8.3-1+b3
+libcap2:amd64=1:2.66-4
+libcom-err2:amd64=1.47.0-2
+libcrypt1:amd64=1:4.4.33-2
+libcurl4:amd64=7.88.1-10+deb12u12
+libdav1d6:amd64=1.0.0-2+deb12u1
+libdb5.3:amd64=5.3.28+dfsg2-1
+libde265-0:amd64=1.0.11-1+deb12u2
+libdebconfclient0:amd64=0.270
+libdeflate0:amd64=1.14-1
+libedit2:amd64=3.1-20221030-2
+libexpat1:amd64=2.5.0-1+deb12u1
+libext2fs2:amd64=1.47.0-2
+libffi8:amd64=3.4.4-1
+libfontconfig1:amd64=2.14.1-4
+libfreetype6:amd64=2.12.1+dfsg-5+deb12u4
+libgav1-1:amd64=0.18.0-1+b1
+libgcc-s1:amd64=12.2.0-14
+libgcrypt20:amd64=1.10.1-3
+libgd3:amd64=2.3.3-9
+libgeoip1:amd64=1.6.12-10
+libgmp10:amd64=2:6.2.1+dfsg1-1.1
+libgnutls30:amd64=3.7.9-2+deb12u4
+libgpg-error0:amd64=1.46-1
+libgssapi-krb5-2:amd64=1.20.1-2+deb12u2
+libheif1:amd64=1.15.1-1+deb12u1
+libhogweed6:amd64=3.8.1-2
+libicu72:amd64=72.1-3
+libidn2-0:amd64=2.3.3-1+b1
+libjbig0:amd64=2.1-6.1
+libjpeg62-turbo:amd64=1:2.1.5-2
+libjq1:amd64=1.6-2.1
+libk5crypto3:amd64=1.20.1-2+deb12u2
+libkeyutils1:amd64=1.6.3-2
+libkrb5-3:amd64=1.20.1-2+deb12u2
+libkrb5support0:amd64=1.20.1-2+deb12u2
+libldap-2.5-0:amd64=2.5.13+dfsg-5
+liblerc4:amd64=4.0.0+ds-2
+liblz4-1:amd64=1.9.4-1
+liblzma5:amd64=5.4.1-1
+libmd0:amd64=1.0.4-2
+libmount1:amd64=2.38.1-5+deb12u3
+libncursesw6:amd64=6.4-4
+libnettle8:amd64=3.8.1-2
+libnghttp2-14:amd64=1.52.0-1+deb12u2
+libnsl2:amd64=1.3.0-2
+libnuma1:amd64=2.0.16-1
+libonig5:amd64=6.9.8-1
+libp11-kit0:amd64=0.24.1-2
+libpam-modules-bin=1.5.2-6+deb12u1
+libpam-modules:amd64=1.5.2-6+deb12u1
+libpam-runtime=1.5.2-6+deb12u1
+libpam0g:amd64=1.5.2-6+deb12u1
+libpcre2-8-0:amd64=10.42-1
+libpng16-16:amd64=1.6.39-2
+libpsl5:amd64=0.21.2-1
+libpython3-stdlib:amd64=3.11.2-1+b1
+libpython3.11-minimal:amd64=3.11.2-6+deb12u6
+libpython3.11-stdlib:amd64=3.11.2-6+deb12u6
+librav1e0:amd64=0.5.1-6
+libreadline8:amd64=8.2-1.3
+librtmp1:amd64=2.4+20151223.gitfa8646d.1-2+b2
+libsasl2-2:amd64=2.1.28+dfsg-10
+libsasl2-modules-db:amd64=2.1.28+dfsg-10
+libseccomp2:amd64=2.5.4-1+deb12u1
+libselinux1:amd64=3.4-1+b6
+libsemanage-common=3.4-1
+libsemanage2:amd64=3.4-1+b5
+libsepol2:amd64=3.4-2.1
+libsmartcols1:amd64=2.38.1-5+deb12u3
+libsqlite3-0:amd64=3.40.1-2+deb12u1
+libss2:amd64=1.47.0-2
+libssh2-1:amd64=1.10.0-3+b1
+libssl3:amd64=3.0.16-1~deb12u1
+libstdc++6:amd64=12.2.0-14
+libsvtav1enc1:amd64=1.4.1+dfsg-1
+libsystemd0:amd64=252.36-1~deb12u1
+libtasn1-6:amd64=4.19.0-2+deb12u1
+libtiff6:amd64=4.5.0-6+deb12u2
+libtinfo6:amd64=6.4-4
+libtirpc-common=1.3.3+ds-1
+libtirpc3:amd64=1.3.3+ds-1
+libudev1:amd64=252.36-1~deb12u1
+libunistring2:amd64=1.0-2
+libuuid1:amd64=2.38.1-5+deb12u3
+libwebp7:amd64=1.2.4-0.2+deb12u1
+libx11-6:amd64=2:1.8.4-2+deb12u2
+libx11-data=2:1.8.4-2+deb12u2
+libx265-199:amd64=3.5-2+b1
+libxau6:amd64=1:1.0.9-1
+libxcb1:amd64=1.15-1
+libxdmcp6:amd64=1:1.1.2-3
+libxml2:amd64=2.9.14+dfsg-1.3~deb12u1
+libxpm4:amd64=1:3.5.12-1.1+deb12u1
+libxslt1.1:amd64=1.1.35-1+deb12u1
+libxxhash0:amd64=0.8.1-1
+libyuv0:amd64=0.0~git20230123.b2528b0-1
+libzstd1:amd64=1.5.4+dfsg2-5
+login=1:4.13+dfsg1-1+b1
+logsave=1.47.0-2
+lsb-release=12.0-1
+mawk=1.3.4.20200120-3.1
+media-types=10.0.0
+mount=2.38.1-5+deb12u3
+ncurses-base=6.4-4
+ncurses-bin=6.4-4
+nginx-module-geoip=1.27.4-1~bookworm
+nginx-module-image-filter=1.27.4-1~bookworm
+nginx-module-njs=1.27.4+0.8.9-1~bookworm
+nginx-module-xslt=1.27.4-1~bookworm
+nginx=1.27.4-1~bookworm
+openssl=3.0.16-1~deb12u1
+passwd=1:4.13+dfsg1-1+b1
+perl-base=5.36.0-7+deb12u1
+python3-acme=2.1.0-1
+python3-certbot=2.1.0-4
+python3-certifi=2022.9.24-1
+python3-cffi-backend:amd64=1.15.1-5+b1
+python3-chardet=5.1.0+dfsg-2
+python3-charset-normalizer=3.0.1-2
+python3-configargparse=1.5.3-1
+python3-configobj=5.0.8-1
+python3-cryptography=38.0.4-3+deb12u1
+python3-distro=1.8.0-1
+python3-distutils=3.11.2-3
+python3-idna=3.3-1+deb12u1
+python3-josepy=1.13.0-1
+python3-lib2to3=3.11.2-3
+python3-minimal=3.11.2-1+b1
+python3-openssl=23.0.0-1
+python3-parsedatetime=2.6-3
+python3-pip-whl=23.0.1+dfsg-1
+python3-pip=23.0.1+dfsg-1
+python3-pkg-resources=66.1.1-1+deb12u1
+python3-requests=2.28.1+dfsg-1
+python3-rfc3339=1.1-4
+python3-setuptools-whl=66.1.1-1+deb12u1
+python3-setuptools=66.1.1-1+deb12u1
+python3-six=1.16.0-4
+python3-tz=2022.7.1-4
+python3-urllib3=1.26.12-1+deb12u1
+python3-wheel=0.38.4-2
+python3.11-minimal=3.11.2-6+deb12u6
+python3.11-venv=3.11.2-6+deb12u6
+python3.11=3.11.2-6+deb12u6
+python3=3.11.2-1+b1
+readline-common=8.2-1.3
+sed=4.9-1
+sysvinit-utils=3.06-4
+tar=1.34+dfsg-1.2+deb12u1
+tzdata=2025b-0+deb12u1
+usr-is-merged=37~deb12u1
+util-linux-extra=2.38.1-5+deb12u3
+util-linux=2.38.1-5+deb12u3
+zlib1g:amd64=1:1.2.13.dfsg-1
diff --git a/launcher/Dockerfile b/launcher/Dockerfile
@@ -1,16 +1,30 @@
 FROM debian:bookworm-slim@sha256:4b44499bc2a6c78d726f3b281e6798009c0ae1f034b0bfaf6a227147dcff928b
 
+COPY pinned-packages.txt /tmp/
+
 # Use a specific Debian snapshot for reproducible builds
 RUN set -e; \
     # Create a sources.list file pointing to a specific snapshot
     echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20250411T024939Z bookworm main' > /etc/apt/sources.list && \
     echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian-security/20250411T024939Z bookworm-security main' >> /etc/apt/sources.list && \
     echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/10no-check-valid-until && \
+    # Create preferences file to pin all packages
+    mkdir -p /etc/apt/preferences.d && \
+    cat /tmp/pinned-packages.txt | while read line; do \
+        pkg=$(echo $line | cut -d= -f1); \
+        ver=$(echo $line | cut -d= -f2); \
+        if [ ! -z "$pkg" ] && [ ! -z "$ver" ]; then \
+            echo "Package: $pkg\nPin: version $ver\nPin-Priority: 1001\n" >> /etc/apt/preferences.d/pinned-packages; \
+        fi; \
+    done && \
     # Install packages with exact versions for reproducibility
-    apt-get -o Acquire::Check-Valid-Until=false update && \
-    apt-get install -y --no-install-recommends docker-compose=1.29.2-3 && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends curl ca-certificates && \
+    curl -L "https://github.com/docker/compose/releases/download/v2.24.6/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose && \
+    chmod +x /usr/local/bin/docker-compose && \
+    ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose && \
     rm -rf /var/lib/apt/lists/* && \
-    rm -rf /var/log/* /var/cache/ldconfig/aux-cache
+    rm -rf /var/log/* /var/cache/ldconfig/aux-cache /tmp/pinned-packages.txt
 
 COPY entrypoint.sh get-latest.sh /scripts/
 RUN chmod +x /scripts/*.sh
diff --git a/launcher/build-image.sh b/launcher/build-image.sh
@@ -8,4 +8,8 @@ fi
 if ! docker buildx inspect buildkit_20 &>/dev/null; then
     docker buildx create --use --driver-opt image=moby/buildkit:v0.20.2 --name buildkit_20
 fi
+touch pinned-packages.txt
+git rev-parse HEAD > .GIT_REV
 docker buildx build --builder buildkit_20 --no-cache --build-arg SOURCE_DATE_EPOCH="0" --output type=docker,name=$NAME,rewrite-timestamp=true .
+docker run --rm --entrypoint bash $NAME -c "dpkg -l | grep '^ii' |awk '{print \$2\"=\"\$3}' | sort" > pinned-packages.txt
+rm .GIT_REV
diff --git a/launcher/pinned-packages.txt b/launcher/pinned-packages.txt
