[isar-cip-core,v1,2/2] scripts/repro-tests.sh: Update script to check wic file reproducibility

Commit Message

Adithya Balakumar Feb. 24, 2025, 9 a.m. UTC

From: Adithya Balakumar <adithya.balakumar@toshiba-tsip.com>

Running diffoscope on the full wic image can be problematic as diffoscope
has issues with high memory consumption and jobs could fail in the CI [1]

Instead check the hash values of the wic files and if found
non-reproducible then run diffoscope on the individual partition images

[1] https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/383

Signed-off-by: Adithya Balakumar <adithya.balakumar@toshiba-tsip.com>
---
 scripts/repro-tests.sh | 92 +++++++++++++++++++++++++++---------------
 1 file changed, 60 insertions(+), 32 deletions(-)

Comments

Jan Kiszka Feb. 25, 2025, 4:41 p.m. UTC | #1

On 24.02.25 10:00, Adithya.Balakumar@toshiba-tsip.com wrote:
> From: Adithya Balakumar <adithya.balakumar@toshiba-tsip.com>
> 
> Running diffoscope on the full wic image can be problematic as diffoscope
> has issues with high memory consumption and jobs could fail in the CI [1]
> 
> Instead check the hash values of the wic files and if found
> non-reproducible then run diffoscope on the individual partition images
> 
> [1] https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/383
> 
> Signed-off-by: Adithya Balakumar <adithya.balakumar@toshiba-tsip.com>
> ---
>  scripts/repro-tests.sh | 92 +++++++++++++++++++++++++++---------------
>  1 file changed, 60 insertions(+), 32 deletions(-)
> 
> diff --git a/scripts/repro-tests.sh b/scripts/repro-tests.sh
> index 8bdb34b..7249204 100755
> --- a/scripts/repro-tests.sh
> +++ b/scripts/repro-tests.sh
> @@ -14,11 +14,12 @@ set -e
>  
>  usage()
>  {
> -	echo "usage: repro-tests.sh [--release RELEASE] [--target TARGET] artfacts1 artifacts2"
> +	echo "usage: repro-tests.sh [--release RELEASE] [--target TARGET] artifacts1 artifacts2"
>  	echo ""
>  	echo " Optional arguments:"
> -	echo "  --release RELEASE: debian distro releases e.g. buster, bullseye, etc. (default: buster)"
> +	echo "  --release RELEASE: debian distro releases e.g. buster, bullseye, etc. (default: bookworm)"
>  	echo "  --target TARGET: e.g. qemu-amd64, qemu-arm64, qemu-arm (default: qemu-amd64)"
> +	echo "  --extension EXTENSION: e.g. security (default: "")"
>  	echo ""
>  	echo " Mandatory arguments:"
>  	echo "  artifacts1 and artifacts2 paths to test the artifacts reproducibility"
> @@ -29,7 +30,7 @@ RED='\033[0;31m'
>  NC='\033[0m'
>  GREEN='\033[0;32m'
>  IMAGE_BASE="cip-core-image-cip-core"
> -RELEASE="bullseye"
> +RELEASE="bookworm"
>  TARGET="qemu-amd64"
>  EXTENSION=""
>  DIFFOSCOPE="diffoscope"
> @@ -72,35 +73,62 @@ if [ "${EXTENSION}" = "security" ]; then
>  	IMAGE_BASE="cip-core-image-security-cip-core"
>  fi
>  
> -# Define files in the artifacts for checking the reproducibility
> -set -- \
> -	"${IMAGE_BASE}-${RELEASE}-${TARGET}.swu" \
> -	"${IMAGE_BASE}-${RELEASE}-${TARGET}.wic.p0" \
> -	"${IMAGE_BASE}-${RELEASE}-${TARGET}.wic.p1" \
> -	"${IMAGE_BASE}-${RELEASE}-${TARGET}.wic.p2" \
> -	"${IMAGE_BASE}-${RELEASE}-${TARGET}.wic.p3" \
> -	"${IMAGE_BASE}-${RELEASE}-${TARGET}.wic.p4" \
> -	"${IMAGE_BASE}-${RELEASE}-${TARGET}.wic.p5" \
> -	"${IMAGE_BASE}-${RELEASE}-${TARGET}.wic.p6" \
> -	"${IMAGE_BASE}-${RELEASE}-${TARGET}.wic.p7"
> +run_diffoscope() {
> +    local file="$1"

In scripts/repro-tests.sh line 77:
    local file="$1"
    ^--------^ SC3043 (warning): In POSIX sh, 'local' is undefined.

There are also some more warnings (info/style), but those aren't new.
Still, bonus for addressing them in round 2 as well ;)

Jan

> +    local artifacts1="$2"
> +    local artifacts2="$3"
> +    local label=""
> +    local fstype=""
> +    local res=0
>  
> -# compare artifacts
> -res=0
> -for file in "$@"; do
> -	if [ -f "${artifacts1}/${file}" ] && [ -f "${artifacts2}/${file}" ]; then
> -		label=$(blkid -s LABEL -o value ${artifacts1}/${file} || true)
> -		fstype=$(blkid -s TYPE -o value ${artifacts1}/${file} || true)
> -		if $DIFFOSCOPE --text "${file}.diffoscope_output.txt" \
> -			--html-dir diffoscope_output \
> -			--html "${file}.diffoscope_output.html" \
> -			"${artifacts1}/${file}" \
> -			"${artifacts2}/${file}" > /dev/null 2>&1; then
> -			echo "${file}($label,$fstype): ${GREEN}Reproducible${NC}" | tee -a diffoscope_output.txt
> -		else
> -			echo "${file}($label,$fstype): ${RED}Not-Reproducible${NC}" | tee -a diffoscope_output.txt
> -			res=1
> -		fi
> +    # Get partition label and filesystem type
> +    label=$(blkid -s LABEL -o value ${artifacts1}/${file} || true)
> +    fstype=$(blkid -s TYPE -o value ${artifacts1}/${file} || true)
> +
> +    # Run diffoscope comparison
> +    if $DIFFOSCOPE --text "${file}.diffoscope_output.txt" \
> +        --html-dir diffoscope_output \
> +        --html "${file}.diffoscope_output.html" \
> +        "${artifacts1}/${file}" \
> +        "${artifacts2}/${file}" > /dev/null 2>&1; then
> +        echo "${file}($label,$fstype): ${GREEN}Reproducible${NC}" | tee -a diffoscope_output.txt
> +    else
> +        echo "${file}($label,$fstype): ${RED}Not-Reproducible${NC}" | tee -a diffoscope_output.txt
> +        res=1
> +    fi
> +
> +    return $res
> +}
> +
> +# compare swu file
> +res_swu=0
> +swu_file="${IMAGE_BASE}-${RELEASE}-${TARGET}.swu"
> +if [ -f "${artifacts1}/${swu_file}" ] && [ -f "${artifacts2}/${swu_file}" ]; then
> +	swu1_sha256sum=$(sha256sum "${artifacts1}/${IMAGE_BASE}-${RELEASE}-${TARGET}.swu" | awk '{ print $1 }')
> +	swu2_sha256sum=$(sha256sum "${artifacts2}/${IMAGE_BASE}-${RELEASE}-${TARGET}.swu" | awk '{ print $1 }')
> +	if [ "$swu1_sha256sum" != "$swu2_sha256sum" ]; then
> +		run_diffoscope "$swu_file" "$artifacts1" "$artifacts2"
> +		[ $? -ne 0 ] && res_swu=1
> +	else
> +		echo "${IMAGE_BASE}-${RELEASE}-${TARGET}.swu: ${GREEN}Reproducible${NC}" | tee -a diffoscope_output.txt
>  	fi
> -done
> +fi
>  
> -exit $res
> +# compare wic files
> +res_wic=0
> +image1_sha256sum=$(sha256sum "${artifacts1}/${IMAGE_BASE}-${RELEASE}-${TARGET}.wic" | awk '{ print $1 }')
> +image2_sha256sum=$(sha256sum "${artifacts2}/${IMAGE_BASE}-${RELEASE}-${TARGET}.wic" | awk '{ print $1 }')
> +if [ "$image1_sha256sum" != "$image2_sha256sum" ]; then
> +	echo "${IMAGE_BASE}-${RELEASE}-${TARGET}.wic: ${RED}Not-Reproducible${NC}"
> +	res_wic=1
> +	echo "Running diffoscope on individual partitions..."
> +	for part_num in $(seq 0 7); do
> +		file=${IMAGE_BASE}-${RELEASE}-${TARGET}.wic.p${part_num}
> +		if [ -f "${artifacts1}/${file}" ] && [ -f "${artifacts2}/${file}" ]; then
> +			run_diffoscope "$file" "$artifacts1" "$artifacts2"
> +		fi
> +	done
> +else
> +	echo "${IMAGE_BASE}-${RELEASE}-${TARGET}.wic: ${GREEN}Reproducible${NC}" | tee -a diffoscope_output.txt
> +fi
> +exit $(( res_swu || res_wic ))
> \ No newline at end of file

Adithya Balakumar Feb. 26, 2025, 3:42 a.m. UTC | #2

Hi,

>There are also some more warnings (info/style), but those aren't new.
>Still, bonus for addressing them in round 2 as well ;)

Will address them in v2.

Thanks,
Adithya Balakumar

Patch

diff --git a/scripts/repro-tests.sh b/scripts/repro-tests.sh
index 8bdb34b..7249204 100755
--- a/scripts/repro-tests.sh
+++ b/scripts/repro-tests.sh
@@ -14,11 +14,12 @@  set -e
 
 usage()
 {
-	echo "usage: repro-tests.sh [--release RELEASE] [--target TARGET] artfacts1 artifacts2"
+	echo "usage: repro-tests.sh [--release RELEASE] [--target TARGET] artifacts1 artifacts2"
 	echo ""
 	echo " Optional arguments:"
-	echo "  --release RELEASE: debian distro releases e.g. buster, bullseye, etc. (default: buster)"
+	echo "  --release RELEASE: debian distro releases e.g. buster, bullseye, etc. (default: bookworm)"
 	echo "  --target TARGET: e.g. qemu-amd64, qemu-arm64, qemu-arm (default: qemu-amd64)"
+	echo "  --extension EXTENSION: e.g. security (default: "")"
 	echo ""
 	echo " Mandatory arguments:"
 	echo "  artifacts1 and artifacts2 paths to test the artifacts reproducibility"
@@ -29,7 +30,7 @@  RED='\033[0;31m'
 NC='\033[0m'
 GREEN='\033[0;32m'
 IMAGE_BASE="cip-core-image-cip-core"
-RELEASE="bullseye"
+RELEASE="bookworm"
 TARGET="qemu-amd64"
 EXTENSION=""
 DIFFOSCOPE="diffoscope"
@@ -72,35 +73,62 @@  if [ "${EXTENSION}" = "security" ]; then
 	IMAGE_BASE="cip-core-image-security-cip-core"
 fi
 
-# Define files in the artifacts for checking the reproducibility
-set -- \
-	"${IMAGE_BASE}-${RELEASE}-${TARGET}.swu" \
-	"${IMAGE_BASE}-${RELEASE}-${TARGET}.wic.p0" \
-	"${IMAGE_BASE}-${RELEASE}-${TARGET}.wic.p1" \
-	"${IMAGE_BASE}-${RELEASE}-${TARGET}.wic.p2" \
-	"${IMAGE_BASE}-${RELEASE}-${TARGET}.wic.p3" \
-	"${IMAGE_BASE}-${RELEASE}-${TARGET}.wic.p4" \
-	"${IMAGE_BASE}-${RELEASE}-${TARGET}.wic.p5" \
-	"${IMAGE_BASE}-${RELEASE}-${TARGET}.wic.p6" \
-	"${IMAGE_BASE}-${RELEASE}-${TARGET}.wic.p7"
+run_diffoscope() {
+    local file="$1"
+    local artifacts1="$2"
+    local artifacts2="$3"
+    local label=""
+    local fstype=""
+    local res=0
 
-# compare artifacts
-res=0
-for file in "$@"; do
-	if [ -f "${artifacts1}/${file}" ] && [ -f "${artifacts2}/${file}" ]; then
-		label=$(blkid -s LABEL -o value ${artifacts1}/${file} || true)
-		fstype=$(blkid -s TYPE -o value ${artifacts1}/${file} || true)
-		if $DIFFOSCOPE --text "${file}.diffoscope_output.txt" \
-			--html-dir diffoscope_output \
-			--html "${file}.diffoscope_output.html" \
-			"${artifacts1}/${file}" \
-			"${artifacts2}/${file}" > /dev/null 2>&1; then
-			echo "${file}($label,$fstype): ${GREEN}Reproducible${NC}" | tee -a diffoscope_output.txt
-		else
-			echo "${file}($label,$fstype): ${RED}Not-Reproducible${NC}" | tee -a diffoscope_output.txt
-			res=1
-		fi
+    # Get partition label and filesystem type
+    label=$(blkid -s LABEL -o value ${artifacts1}/${file} || true)
+    fstype=$(blkid -s TYPE -o value ${artifacts1}/${file} || true)
+
+    # Run diffoscope comparison
+    if $DIFFOSCOPE --text "${file}.diffoscope_output.txt" \
+        --html-dir diffoscope_output \
+        --html "${file}.diffoscope_output.html" \
+        "${artifacts1}/${file}" \
+        "${artifacts2}/${file}" > /dev/null 2>&1; then
+        echo "${file}($label,$fstype): ${GREEN}Reproducible${NC}" | tee -a diffoscope_output.txt
+    else
+        echo "${file}($label,$fstype): ${RED}Not-Reproducible${NC}" | tee -a diffoscope_output.txt
+        res=1
+    fi
+
+    return $res
+}
+
+# compare swu file
+res_swu=0
+swu_file="${IMAGE_BASE}-${RELEASE}-${TARGET}.swu"
+if [ -f "${artifacts1}/${swu_file}" ] && [ -f "${artifacts2}/${swu_file}" ]; then
+	swu1_sha256sum=$(sha256sum "${artifacts1}/${IMAGE_BASE}-${RELEASE}-${TARGET}.swu" | awk '{ print $1 }')
+	swu2_sha256sum=$(sha256sum "${artifacts2}/${IMAGE_BASE}-${RELEASE}-${TARGET}.swu" | awk '{ print $1 }')
+	if [ "$swu1_sha256sum" != "$swu2_sha256sum" ]; then
+		run_diffoscope "$swu_file" "$artifacts1" "$artifacts2"
+		[ $? -ne 0 ] && res_swu=1
+	else
+		echo "${IMAGE_BASE}-${RELEASE}-${TARGET}.swu: ${GREEN}Reproducible${NC}" | tee -a diffoscope_output.txt
 	fi
-done
+fi
 
-exit $res
+# compare wic files
+res_wic=0
+image1_sha256sum=$(sha256sum "${artifacts1}/${IMAGE_BASE}-${RELEASE}-${TARGET}.wic" | awk '{ print $1 }')
+image2_sha256sum=$(sha256sum "${artifacts2}/${IMAGE_BASE}-${RELEASE}-${TARGET}.wic" | awk '{ print $1 }')
+if [ "$image1_sha256sum" != "$image2_sha256sum" ]; then
+	echo "${IMAGE_BASE}-${RELEASE}-${TARGET}.wic: ${RED}Not-Reproducible${NC}"
+	res_wic=1
+	echo "Running diffoscope on individual partitions..."
+	for part_num in $(seq 0 7); do
+		file=${IMAGE_BASE}-${RELEASE}-${TARGET}.wic.p${part_num}
+		if [ -f "${artifacts1}/${file}" ] && [ -f "${artifacts2}/${file}" ]; then
+			run_diffoscope "$file" "$artifacts1" "$artifacts2"
+		fi
+	done
+else
+	echo "${IMAGE_BASE}-${RELEASE}-${TARGET}.wic: ${GREEN}Reproducible${NC}" | tee -a diffoscope_output.txt
+fi
+exit $(( res_swu || res_wic ))
\ No newline at end of file