Skip to content

Week 8 - Layer Caching, Build Context, Reproducibility

8.1 Conceptual Core

  • Image-build performance is dominated by layer cache hit rate. A miss invalidates every subsequent layer; a hit reuses upstream work.
  • The cache key is determined by: the parent layer's digest + the operation (the exact command, copy contents, build args). Order operations from least-frequently-changing to most-frequently-changing.
  • Reproducible builds = byte-identical outputs from identical inputs. Requires: pinned base images (by digest, not tag), SOURCE_DATE_EPOCH, deterministic file ordering (tar - -sort=name`), no embedded build-host info.

8.2 Mechanical Detail

  • COPY ordering: copy go.mod/package.json/Cargo.lock first, run dep install (cached on subsequent unrelated changes), then copy source. Saves dep-install time on every code-only change.
  • BuildKit cache mounts (RUN --mount=type=cache,target=/root/.cache/go-build): persist a build directory across image builds, even when the surrounding layer is invalidated. Massive speedup for compiled-language workflows.
  • .dockerignore: every byte sent to the daemon contributes to context size and may invalidate caches. Pattern after .gitignore.
  • Pin base images by digest: FROM golang:1.22@sha256:abc.... Tag-based pins drift silently.

8.3 Lab-"Cache and Reproducibility"

  1. Take a non-trivial image; measure clean-build time and incremental-build time (single source change). Reorder Dockerfile to maximize cache hits; re-measure.
  2. Enable BuildKit cache mounts; measure again.
  3. Build the same image on two machines with SOURCE_DATE_EPOCH set; verify the digests match.

8.4 Hardening Drill

  • Pin every base image by digest. Document a refresh policy (e.g., monthly digest-bump PRs reviewed for security advisories).

8.5 Production Readiness Slice

  • Add a CI job that builds the image twice in fresh runners and asserts digest_run1 == digest_run2. Reproducibility regressions become P1 issues.

Month 2 Capstone Deliverable

A filesystems-and-builds/ workspace: 1. overlayfs-by-hand/ - week 5 lab. 2.buildah-pipeline/ - week 6 daemonless build pipeline. 3. three-image-diet/ - week 7 size comparison + tradeoff analysis. 4.reproducible-build/ - week 8 with hash-equivalence CI gate.

Comments