ols-nos/scripts/docker_version_control.sh

# This script is for reproducible build.
# Reproducible build for docker enabled: Before build docker image, this script will change image:tag to image:sha256 in DOCKERFILE.
# And record image sha256 to a target file.
#!/bin/bash

IMAGENAME=$1
DOCKERFILE=$2
ARCH=$3
DOCKERFILE_TARGE=$4
DISTRO=$5

version_file=files/build/versions/default/versions-docker
new_version_file=target/versions/default/versions-docker
mkdir -p target/versions/default

. src/sonic-build-hooks/buildinfo/config/buildinfo.config

image_tag=`grep "^FROM " $DOCKERFILE | awk '{print$2}'`
image_tag_noprefix=$image_tag
[ -n "$DEFAULT_CONTAINER_REGISTRY" ] && image_tag_noprefix=$(echo $image_tag | sed "s#$DEFAULT_CONTAINER_REGISTRY##")
image=`echo $image_tag | cut -f1 -d:`
tag=`echo $image_tag | cut -f2 -d:`

if [[ ",$SONIC_VERSION_CONTROL_COMPONENTS," == *,all,* ]] || [[ ",$SONIC_VERSION_CONTROL_COMPONENTS," == *,docker,* ]]; then
    # if docker image not in white list, exit
    if [[ "$image_tag" != */debian:* ]] && [[ "$image_tag" != debian:* ]] && [[ "$image_tag" != multiarch/debian-debootstrap:* ]];then
        exit 0
    fi
    if [ -f $version_file ];then
        hash_value=`grep "${ARCH}:${image_tag_noprefix}" $version_file | awk -F== '{print$2}'`
    fi
    if [ -z $hash_value ];then
        hash_value=unknown
        echo "$image_tag sha256 value is unknown" >> ${new_version_file}.log
        exit 0
    fi
    oldimage=${image_tag//\//\\/}
    newimage="${oldimage}@$hash_value"
    echo "sed -i \"s/$oldimage/$newimage/\" $DOCKERFILE" >> ${new_version_file}.log
    sed -i "s/$oldimage/$newimage/" $DOCKERFILE
else
    hash_value=`docker pull $image_tag 2> ${new_version_file}.log | grep Digest | awk '{print$2}'`
    if [ -z "$hash_value" ];then
        hash_value=unknown
    fi
fi
if [[ "$hash_value" != "unknown" ]];then
    echo -e "${ARCH}:${image_tag_noprefix}==$hash_value" >> $new_version_file
fi