
Rootless, Reproducible & Hermetic: Secure Container Build Showdown

Formal metadata

Title
Rootless, Reproducible & Hermetic: Secure Container Build Showdown
Alternative title
Rootless, Reproducible & Hermetic: Secure OCI Container Build Showdown
Series title
Number of parts
44
Author
License
CC Attribution 3.0 Unported:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any lawful purpose, provided that you credit the author/rights holder in the manner they have specified.
Identifiers
Publisher
Year of publication
Language
Producer

Content metadata

Subject area
Genre
Abstract
How can we build hostile and untrusted code in containers? There are many options available, but not all of them are as safe as they claim to be. Rootless container image builds (as distinct from rootless container runtimes) have crept ever closer, with orca-build, BuildKit, and img proving the concept. They are desperately needed: a build pipeline with an exposed Docker socket can be used by a malicious actor to escalate privilege, and is probably a backdoor into most Kubernetes-based CI build farms. With a slew of new rootless tooling emerging, including Red Hat's buildah, Google's Kaniko, and Uber's Makisu, will we see build systems that support building untrusted Dockerfiles? How are traditional build and packaging requirements like reproducibility and hermetic isolation being approached? In this talk we:
- Detail attacks on container image builds
- Compare the strengths and weaknesses of modern container build tooling
- Chart the history and future of container build projects
- Explore the safety of untrusted builds