Re: Is it possible to make ext4 images reproducible even after filesystem operations ?


 



On Jan 21, 2025, at 5:29 AM, Adithya.Balakumar@xxxxxxxxxxxxxxxx wrote:
> I am working towards reproducible builds for a project that I am involved in. We use a few ext4 partitions in our disk images and I am trying to make the ext4 filesystems reproducible.
> 
> I understand that from e2fsprogs v1.47.1 onwards we can create a reproducible ext4 filesystem image. We can indeed create a reproducible ext4 filesystem image when we use the "-d" option in the "mke2fs" command to pass the contents of the filesystem at the time of creation of the filesystem itself. I understand that there are a few other parameters that need to be passed to the "mke2fs" command, like a deterministic UUID and hash_seed values, to make the filesystem image reproducible.
> 
> In the project that I am working on, there are some mount operations done on the filesystem to copy certain files into the file system. This updates the "Last mount" and "Last write" timestamps in the filesystem metadata (confirmed this with dumpe2fs) thereby making the images generated not reproducible.
> 
> I would like to understand if it's possible to make the ext4 images reproducible even after filesystem operations like mounting and unmounting the filesystem?

It should be possible to use debugfs commands to change the timestamps (and other
fields) in the superblock to an arbitrary value, something like:

    {
        # wtime = "Last write time", mtime = "Last mount time" in dumpe2fs
        echo "ssv wtime 123456789"
        echo "ssv mtime 123456789"
    } | debugfs -w -f /dev/stdin "$IMAGE_FILE"

Depending on what changes are being made while the filesystem is mounted, you
may also need to modify the inode timestamps directly as well:

    {
        echo "sif $PATHNAME ctime 123456789"
        echo "sif $PATHNAME2 ctime 123456789"
        :
    } | debugfs -w -f /dev/stdin "$IMAGE_FILE"

The debugfs commands could all be combined into a single debugfs invocation,
and are just shown here as separate commands for clarity.  If the commands
are always the same, they could also be written into a command file instead
of read from stdin each time:

    debugfs -w -f "$COMMANDS" "$IMAGE_FILE"

but for scripting purposes it can be convenient to generate debugfs commands
on the fly (e.g. with looping, etc.) and pipe them to debugfs via stdin, and
this is not obvious, so I thought it would be good to show an example.

Cheers, Andreas





Attachment: signature.asc
Description: Message signed with OpenPGP
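
The looped command generation suggested in the reply, as an added example (not code from the original message): it goes beyond the ctime case by also pinning atime, mtime and crtime, and it refuses path names that would inject extra commands into the write-enabled debugfs session. The function names, the SOURCE_DATE_EPOCH default and the double-quoting of paths are assumptions of this example.

```shell
#!/bin/sh
# Added example: pin ext4 superblock and inode timestamps after a mount.
# Function names are hypothetical; paths are relative to the image root.

# Print debugfs commands: superblock fields first, then four per inode.
gen_debugfs_cmds() {
    epoch=$1; shift
    case $epoch in
        ''|*[!0-9]*) echo "epoch must be a decimal integer" >&2; return 1 ;;
    esac
    printf 'ssv wtime %s\n' "$epoch"   # "Last write time" in dumpe2fs
    printf 'ssv mtime %s\n' "$epoch"   # "Last mount time" in dumpe2fs
    nl='
'
    for path in "$@"; do
        # One line is one command in a -w session: reject names that could
        # end the line or close the quoted argument early.
        case $path in
            *"$nl"*|*'"'*) echo "unsafe path: $path" >&2; return 1 ;;
        esac
        for field in atime ctime mtime crtime; do
            # Assumption: debugfs accepts double-quoted arguments.
            printf 'sif "%s" %s %s\n' "$path" "$field" "$epoch"
        done
    done
}

# Build the whole stream first, so a rejected path aborts before any write.
normalize_image() {
    image=$1; epoch=$2; shift 2
    cmds=$(gen_debugfs_cmds "$epoch" "$@") || return 1
    printf '%s\n' "$cmds" | debugfs -w -f /dev/stdin "$image"
}

# Usage: sh normalize.sh IMAGE PATH...  (timestamp from SOURCE_DATE_EPOCH)
if [ "$#" -ge 1 ] && [ -f "$1" ]; then
    img=$1; shift
    normalize_image "$img" "${SOURCE_DATE_EPOCH:-0}" "$@"
fi
```

Comparing `dumpe2fs -h` output and a checksum of the image across two builds confirms whether any other field still differs.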

