Summary:

Cloud computing is a quickly growing field in modern computing science where new technologies arise every day. One of the latest trends in cloud computing is container-based technology, which allows applications to run in a reproducible and stateless fashion without requiring manually installed dependencies. Another trend in computer science is DevOps, a methodology where developers take part in the operations process. DevOps has popularised the use of CI/CD workflows, where automatic pipelines run tests and scripts on new code. A container orchestrator such as Kubernetes can be used to control and modify containers. Kubernetes allows integrating multiple third-party applications that can monitor performance, analyse logs, and much more. Kubernetes can be integrated into the CI/CD system to utilise its container orchestration perks. Building containers inside a container can cause security issues because of native security flaws in OCI build tools. This thesis aims to look at these issues and analyse the field of container-orchestrated OCI build tools using Kubernetes and OCI build tools. We also discover how to develop a test suite that can reliably test container-orchestrated OCI build tools and export metrics. The thesis lastly compares different Dockerfile-compliant build tools with the test suite to find out which has the best performance and caching. The compared build tools are BuildKit, Kaniko, Img and Buildah; overall, BuildKit and Kaniko are the fastest and most resource-efficient build tools. It is not obvious which build tool is the most secure. Kaniko, which runs as a root container, requires no privileges and is therefore tough to break out of, but an eventual breakout will give the attacker root access to the host machine. BuildKit and Img only require unconfined seccomp and AppArmor, which makes a container breakout more probable, though less so than with Buildah, which must be run in a privileged container. Since BuildKit and Img can run rootless, the attacker will only have the same access to the host as that user in case of a container breakout.
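As an added example (not from the thesis), the following Python checker classifies a build Pod's Kubernetes securityContext into the exposure tiers the summary ranks: privileged (Buildah), unconfined seccomp/AppArmor (BuildKit, Img) and fully confined (Kaniko), noting whether the build runs rootless. The sample Pod specs, image names and the assumption that an absent seccompProfile means Unconfined are constructed for illustration.

```python
"""Classify the host-exposure tier a container-build Pod needs.
Added example, not part of the thesis; sample Pods are constructed."""

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"


def container_tier(pod: dict, name: str) -> str:
    """Return 'privileged', 'unconfined' or 'confined' for container `name`,
    with a '+rootless' suffix when it runs as a non-root user."""
    spec = pod.get("spec", {})
    container = next(c for c in spec["containers"] if c["name"] == name)
    # Container-level securityContext fields override pod-level ones.
    sc = {**spec.get("securityContext", {}), **container.get("securityContext", {})}
    annotations = pod.get("metadata", {}).get("annotations", {})

    if sc.get("privileged"):
        tier = "privileged"
    else:
        # A missing seccompProfile means Unconfined unless the kubelet enables
        # seccompDefault, so absence is treated conservatively. A missing
        # AppArmor annotation means the runtime's default profile applies.
        seccomp = sc.get("seccompProfile", {}).get("type", "Unconfined")
        apparmor = annotations.get(APPARMOR_PREFIX + name, "runtime/default")
        tier = "unconfined" if seccomp == "Unconfined" or apparmor == "unconfined" else "confined"
    rootless = bool(sc.get("runAsNonRoot")) or sc.get("runAsUser", 0) != 0
    return tier + ("+rootless" if rootless else "")


def classify_all(pods: list) -> dict:
    """Map each single-container build Pod name to its tier."""
    return {p["metadata"]["name"]: container_tier(p, p["spec"]["containers"][0]["name"])
            for p in pods}


# Constructed sample Pods, one per tool family the thesis compares.
SAMPLE_PODS = [
    {"metadata": {"name": "buildah"},
     "spec": {"containers": [{"name": "build", "image": "example/buildah",
                              "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "buildkit",
                  "annotations": {APPARMOR_PREFIX + "build": "unconfined"}},
     "spec": {"securityContext": {"runAsUser": 1000},
              "containers": [{"name": "build", "image": "example/buildkit-rootless",
                              "securityContext": {"seccompProfile": {"type": "Unconfined"}}}]}},
    {"metadata": {"name": "kaniko"},
     "spec": {"containers": [{"name": "build", "image": "example/kaniko-executor",
                              "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}}]}},
]

if __name__ == "__main__":
    for pod_name, tier in classify_all(SAMPLE_PODS).items():
        print(f"{pod_name:10s} {tier}")
```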