fix: reproducibility of rootfs-tree.tar

.github/actions/bazel/action.yaml

@@ -158,9 +158,6 @@ runs:
           ^@@rules_rust..crate.crate_index__cranelift-isle            # has a non reproducible isle_tests.rs in its OUT_DIR.
           ^@@rules_rust..crate.crate_index__secp256k1-sys             # has non reproducible object files, like lax_der_parsing.o, in it OUT_DIR.
           ^@@rules_rust..crate.crate_index__sev                       # build.rs depends on the presence of /dev/sev and /dev/sev-guest. See: https://github.com/virtee/sev/issues/315
-          # TODO: fix the following ASAP:
-          ^//ic-os/hostos/envs/prod:rootfs-tree.tar                   # became non-reproducible because of https://github.com/dfinity/ic/pull/10208
-          ^//ic-os/setupos/envs/prod:rootfs-tree.tar                  # idem
         )
         for execlog_zst in $(find '${{ steps.metrics-tmpdir.outputs.dir }}' -name 'execlog-*.zst'); do
           zstd -f -d "$execlog_zst" -o "$execlog"

MODULE.bazel

@@ -322,6 +322,18 @@ http_archive(
     url = "https://github.com/apalache-mc/apalache/releases/download/v0.52.2/apalache-0.52.2.tgz",
 )
 
+# Android SDK platform-tools, for the hermetic `e2fsdroid` binary used while
+# assembling ext4 filesystem images. This is the same statically-linked binary
+# that Ubuntu's `google-android-platform-tools-installer` package downloads at
+# install time; pinning it here removes the host dependence.
+http_archive(
+    name = "android_platform_tools",
+    build_file_content = """exports_files(["e2fsdroid"], visibility = ["//visibility:public"])""",
+    sha256 = "defcee9da1f22fe5c2324ec0edf612122f1c6ffe01a7b124191e07fcc74f8fff",
+    strip_prefix = "platform-tools",
+    url = "https://dl.google.com/android/repository/platform-tools_r33.0.2-linux.zip",
+)
+
 # Official WebAssembly test suite.
 # To be used for testing libraries that handle canister Wasm code.
 http_archive(

bazel/noble.lock.json

@@ -983,6 +983,84 @@
 			"url": "https://snapshot.ubuntu.com/ubuntu/20260131T000000Z/pool/main/u/util-linux/libblkid1_2.39.3-9ubuntu6.4_amd64.deb",
 			"version": "2.39.3-9ubuntu6.4"
 		},
+		{
+			"arch": "amd64",
+			"dependencies": [
+				{
+					"key": "libc6_2.39-0ubuntu8.6_amd64",
+					"name": "libc6",
+					"version": "2.39-0ubuntu8.6"
+				},
+				{
+					"key": "libgcc-s1_14.2.0-4ubuntu2_24.04_amd64",
+					"name": "libgcc-s1",
+					"version": "14.2.0-4ubuntu2~24.04"
+				},
+				{
+					"key": "gcc-14-base_14.2.0-4ubuntu2_24.04_amd64",
+					"name": "gcc-14-base",
+					"version": "14.2.0-4ubuntu2~24.04"
+				},
+				{
+					"key": "libfakeroot_1.33-1_amd64",
+					"name": "libfakeroot",
+					"version": "1.33-1"
+				}
+			],
+			"key": "fakeroot_1.33-1_amd64",
+			"name": "fakeroot",
+			"sha256": "d58b7fc73f0b7ae8b9441b0aa41e44ead0d7e4deedf5aaf5696db182eac71031",
+			"url": "https://snapshot.ubuntu.com/ubuntu/20260131T000000Z/pool/main/f/fakeroot/fakeroot_1.33-1_amd64.deb",
+			"version": "1.33-1"
+		},
+		{
+			"arch": "amd64",
+			"dependencies": [],
+			"key": "libfakeroot_1.33-1_amd64",
+			"name": "libfakeroot",
+			"sha256": "a78087f50586595375f850b4445261f7a47a83005b05ce521331929fab49df4b",
+			"url": "https://snapshot.ubuntu.com/ubuntu/20260131T000000Z/pool/main/f/fakeroot/libfakeroot_1.33-1_amd64.deb",
+			"version": "1.33-1"
+		},
+		{
+			"arch": "amd64",
+			"dependencies": [
+				{
+					"key": "libc6_2.39-0ubuntu8.6_amd64",
+					"name": "libc6",
+					"version": "2.39-0ubuntu8.6"
+				},
+				{
+					"key": "libgcc-s1_14.2.0-4ubuntu2_24.04_amd64",
+					"name": "libgcc-s1",
+					"version": "14.2.0-4ubuntu2~24.04"
+				},
+				{
+					"key": "gcc-14-base_14.2.0-4ubuntu2_24.04_amd64",
+					"name": "gcc-14-base",
+					"version": "14.2.0-4ubuntu2~24.04"
+				},
+				{
+					"key": "libfaketime_0.9.10-2.1_amd64",
+					"name": "libfaketime",
+					"version": "0.9.10-2.1"
+				}
+			],
+			"key": "faketime_0.9.10-2.1_amd64",
+			"name": "faketime",
+			"sha256": "665f136637004d2f1c9af0cef03b9070ea6a68087c167b83ec6417095530d3f5",
+			"url": "https://snapshot.ubuntu.com/ubuntu/20260131T000000Z/pool/universe/f/faketime/faketime_0.9.10-2.1_amd64.deb",
+			"version": "0.9.10-2.1"
+		},
+		{
+			"arch": "amd64",
+			"dependencies": [],
+			"key": "libfaketime_0.9.10-2.1_amd64",
+			"name": "libfaketime",
+			"sha256": "25fc8987f1f700c58603f68edd93ac03a1b7dea35da1e84509f29f444d5b11e9",
+			"url": "https://snapshot.ubuntu.com/ubuntu/20260131T000000Z/pool/universe/f/faketime/libfaketime_0.9.10-2.1_amd64.deb",
+			"version": "0.9.10-2.1"
+		},
 		{
 			"arch": "amd64",
 			"dependencies": [

bazel/noble.yaml

@@ -27,6 +27,8 @@ packages:
   - "dosfstools"
   - "dpkg" # for apt list --installed
   - "e2fsprogs" # for mkfs.ext4 used in ICOS device tests
+  - "fakeroot" # for hermetic fakeroot used in ICOS image builds
+  - "faketime" # for hermetic faketime used in ICOS image builds
   - "gawk" # for build-bootstrap-config-image
   - "gzip" # for tar-ing up ic regsitry store in systests
   - "libcryptsetup-dev"

toolchains/sysimage/BUILD.bazel

@@ -130,6 +130,68 @@ filegroup(
     srcs = [":mkfs_ext4_files"],
 )
 
+# Hermetic libfaketime.so.1 extracted from the apt-snapshot-pinned libfaketime
+# .deb. We deliberately do NOT use the `faketime` wrapper binary because it
+# hard-codes /usr/$LIB/faketime/libfaketime.so.1 and so cannot be relocated.
+# Instead build_ext4_image.py LD_PRELOADs this library and sets FAKETIME
+# directly, matching what the wrapper would do.
+genrule(
+    name = "libfaketime_files",
+    srcs = ["@noble//libfaketime/amd64:data"],
+    outs = ["faketime.d/libfaketime.so.1"],
+    cmd = "tar -xzOf $(location @noble//libfaketime/amd64:data) ./usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1 > $@",
+)
+
+filegroup(
+    name = "libfaketime_runfiles",
+    srcs = [":libfaketime_files"],
+)
+
+# Hermetic fakeroot bits extracted from the apt-snapshot-pinned fakeroot and
+# libfakeroot .debs: the faked-sysv daemon and the libfakeroot-sysv.so
+# LD_PRELOAD library. We deliberately do NOT use the /usr/bin/fakeroot shell
+# wrapper because it does platform-specific library lookups against the host
+# filesystem. Instead build_ext4_image.py spawns faked-sysv itself and sets
+# FAKEROOTKEY + LD_PRELOAD directly.
+genrule(
+    name = "fakeroot_files",
+    srcs = [
+        "@noble//fakeroot/amd64:data",
+        "@noble//libfakeroot/amd64:data",
+    ],
+    outs = [
+        "fakeroot.d/faked-sysv",
+        "fakeroot.d/libfakeroot-sysv.so",
+    ],
+    cmd = """
+set -euo pipefail
+tmp=$$(mktemp -d)
+trap 'rm -rf $$tmp' EXIT
+for f in $(SRCS); do tar -xzf $$f -C $$tmp; done
+cp $$tmp/usr/bin/faked-sysv                                        $(execpath fakeroot.d/faked-sysv)
+chmod +x                                                           $(execpath fakeroot.d/faked-sysv)
+cp $$tmp/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sysv.so  $(execpath fakeroot.d/libfakeroot-sysv.so)
+""",
+)
+
+filegroup(
+    name = "fakeroot_runfiles",
+    srcs = [":fakeroot_files"],
+)
+
+# Hermetic e2fsdroid: re-export the statically-linked binary from the pinned
+# Android SDK platform-tools zip. The host's /usr/bin/e2fsdroid (provided by
+# Ubuntu's google-android-platform-tools-installer) comes from the very same
+# upstream zip, so pinning it via http_archive removes the host dependence
+# without changing the binary or its output.
+genrule(
+    name = "e2fsdroid_bin",
+    srcs = ["@android_platform_tools//:e2fsdroid"],
+    outs = ["e2fsdroid"],
+    cmd = "cp $(location @android_platform_tools//:e2fsdroid) $@ && chmod +x $@",
+    executable = True,
+)
+
 py_binary(
     name = "verity_sign",
     srcs = ["verity_sign.py"],