Add support for fake, and speed up reproducible builds

[mafredri]

See this in use here: coder/envbuilder#213

This PR adds support for fake builds, essentially a way to detect if a build is cached and what the final image hash should be.

The final image hash requires reproducible builds.

Anothe option to using reproducible builds is to instead tag the final image with the final build step hash.

Part of coder/envbuilder#186

Example output from cache hit (DoFakeBuild):

#2: fakeStage 0 built successfully with digest sha256:d76c332b89231eb2b8324e28f53ea4f5a394231ee76efdc2a8c8ad11ffd0891b
#2: 🏗️ Built fake image! [1.245278609s]

DoBuild:

#2: Stage 0 built successfully with digest sha256:d76c332b89231eb2b8324e28f53ea4f5a394231ee76efdc2a8c8ad11ffd0891b
#3: 🏗️ Built image! [2.020869675s]
#4: 🏗️ Pushing image...
#2: Pushing image to 172.17.0.3:5000/local/cache
#2: Pushed 172.17.0.3:5000/local/cache@sha256:d76c332b89231eb2b8324e28f53ea4f5a394231ee76efdc2a8c8ad11ffd0891b
#4: 🏗️ Pushed image! [6.134857ms]

Example output from cache miss:

#2: failed to build fake image: error fake building stage: uncached command *commands.RunMarkerCommand is not supported in fake build
#2: 🏗️ Built fake image! [1.232616498s]

[dannykopping]

AFAICS this aligns with the implementation of build(). I'm concerned that this will drift; how do you plan to keep these two in lock-step?

As an aside: I think the term "fake" is a problematic one.

This PR adds support for fake builds, essentially a way to detect if a build is cached and what the final image hash should be.

Perhaps renaming it to something (admittedly less pithy) like "cacheProbeBuild" or "preemptiveBuild" might be more clear?

The term "fake" is quite overloaded and I don't think it expresses the intent well here.

[mafredri]

That's a fair concern, one I have as well. I don't really have a plan for ensuring they're kept in sync other than adding tests to verify a build and "fakeBuild" produce the same (or not) hash in the end.

I also agree with you on "fake", and "cacheProbe" is actually a pretty good one, thanks for the suggestions.

[johnstcn]

LGTM so far, but I think this needs some more unit tests before merging.

[johnstcn]

If canonical is set and we encounter other formats (such as formatSTAR or formatMax), should we throw an error?

[mafredri]

I'm not sure, I don't know how we'd encounter that, actually 🤔. This was borrowed from:

kaniko/vendor/github.com/google/go-containerregistry/pkg/v1/mutate/mutate.go

Lines 471 to 475 in a8afc79

	//PAX and GNU Format support additional timestamps in the header
	if header.Format == tar.FormatPAX || header.Format == tar.FormatGNU {
	header.AccessTime = t
	header.ChangeTime = t
	}

[johnstcn]

This may require extra tests in tar_util_test.go

[johnstcn]

What would you think about making a separate fakeBuilder that embeds *stageBuilder but overrides the build() method?

e.g. https://go.dev/play/p/5ZxGr4ozeOV

[mafredri]

Are you also thinking we'd merge the logic in Build and FakeBuild into one, just swap out the stageBuilder? (My main reason to keep them separate was to remove anything that could accidentally cause changes to the fs.)

I'll think about it, definitely doable.

[johnstcn]

non-blocking, just a suggestion

[dannykopping]

I think what could solve both my concern (about lock-step with build()) and Cian's is an adapter that can be passed in which would effect the changes. For your "fake" case, this adapter would not interact with the FS even though it satisfies the implementation.

I haven't looked too closely at the implementation so maybe this is im{practical,possible}, but thought I'd mention it.

[dannykopping]

non-blocking, just a suggestion

Ditto 👍

[johnstcn]

I've renamed the DoFakeBuild etc. methods to ProbeCache, and added a minimal integration-style test for same.
CanonicalTar is now ReproducibleTar as that did not appear immediately descriptive to me.

[BrunoQuaresma]

Code looks good and tested. 👍

[dannykopping]

Great work, the new names are very clear as well 👍

[dannykopping]

Slick

[johnstcn]

That's just someone else's slick code I copy-pasted 🙃

[mtojek]

post-merge approval 👍

I'm curious if this modification works with multi-stage Dockerfiles.

[johnstcn]

post-merge approval 👍

I'm curious if this modification works with multi-stage Dockerfiles.

Good call. I added a separate test and it doesn't appear to work. Will raise a separate PR.

[mtojek]

I don't mind adding support for multi-stage Dockerfiles as a separate issue 👍