containertool: Use epoch date in image metadata #38

Merged
merged 1 commit into from
Dec 6, 2024

@euanh euanh commented Dec 4, 2024

Motivation

The registry is a content-addressable store in which objects are identified by their hashes. Many objects, such as image manifests, contain timestamp fields. A difference in a timestamp field will cause otherwise identical objects to have different hashes, causing a variety of problems:

  • an image cannot be verified by rebuilding it from the same original parts and comparing the result
  • the registry cannot completely deduplicate two images with almost identical contents because their hashes do not match, wasting storage and network bandwidth (some block-level deduplication may still be possible, but clients which already have one image will have to pull the other in its entirety)

These problems can be avoided by setting timestamp fields to fixed values, often the Unix epoch: https://reproducible-builds.org/docs/source-date-epoch/

Modifications

Set the overall image manifest timestamp and the timestamp used in the image history log to the Unix epoch.

containertool already sets file modification times to the epoch when creating image layers.

Result

An image packaging the same executable will have the same hash when built at different times on the same machine or different machines.

Test Plan

  • All existing tests, including end to end tests, continue to pass.
  • Manually verified that repeated builds produce images with identical hashes.

@euanh euanh added kind/enhancement New feature or request area/interoperability Improvements to compatibility with other systems. semver/minor Adds new public API. labels Dec 4, 2024
@euanh euanh force-pushed the reproducible-images branch from 96ba497 to 2287ae6 Compare December 6, 2024 09:15
@euanh euanh marked this pull request as ready for review December 6, 2024 14:46
@euanh euanh merged commit 13702bc into apple:main Dec 6, 2024
17 checks passed
@euanh euanh deleted the reproducible-images branch December 6, 2024 15:16
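
The effect described in the Motivation section, shown as an added example (not containertool's code and not part of the pull request): a simplified OCI-style image config and manifest are hashed for two builds of the same layer. The field layout, the `example-builder` name, the layer bytes and the build times are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

EPOCH = datetime.fromtimestamp(0, tz=timezone.utc)
LAYER = b"constructed layer bytes standing in for a packaged executable"

def digest(blob: bytes) -> str:
    return "sha256:" + hashlib.sha256(blob).hexdigest()

def canonical(obj: dict) -> bytes:
    # Fixed key order and separators, so only field values can change the hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def image_config(layer: bytes, created: datetime) -> bytes:
    stamp = created.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return canonical({
        "architecture": "amd64",
        "os": "linux",
        "created": stamp,  # overall image timestamp
        "rootfs": {"type": "layers", "diff_ids": [digest(layer)]},
        "history": [{"created": stamp, "created_by": "example-builder"}],
    })

def image_digest(layer: bytes, now: datetime, reproducible: bool = False) -> str:
    # A reproducible build ignores the wall clock and stamps the Unix epoch.
    config = image_config(layer, EPOCH if reproducible else now)
    # The manifest names the config by digest, so a config change propagates.
    return digest(canonical({
        "schemaVersion": 2,
        "config": {"digest": digest(config), "size": len(config)},
        "layers": [{"digest": digest(layer), "size": len(layer)}],
    }))

def differing_fields(a: bytes, b: bytes) -> list:
    # Top-level config keys whose values differ between two builds.
    x, y = json.loads(a), json.loads(b)
    return sorted(k for k in x.keys() | y.keys() if x.get(k) != y.get(k))

if __name__ == "__main__":
    t1 = datetime(2024, 12, 4, 10, 0, tzinfo=timezone.utc)  # constructed build times
    t2 = datetime(2024, 12, 6, 9, 15, tzinfo=timezone.utc)
    print("wall clock match:", image_digest(LAYER, t1) == image_digest(LAYER, t2))
    print("epoch match:     ",
          image_digest(LAYER, t1, True) == image_digest(LAYER, t2, True))
    print("differs in:      ",
          differing_fields(image_config(LAYER, t1), image_config(LAYER, t2)))
```

`differing_fields` is the check to reach for when two builds that should be identical produce different digests: it names the config fields responsible.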