11 Buildah Overview
Buildah is a tool for building OCI-compliant container images. Buildah can handle the following tasks:
Create containers from scratch, or from an existing image.
Create an image from a working container or via Dockerfile.
Build images in the OCI or Docker Open Source Engine image formats.
Mount a working container's root filesystem for manipulation.
Use the updated contents of a container's root filesystem as a filesystem layer to create a new image.
Delete a working container or an image and rename a local container.
Compared to Docker Open Source Engine, Buildah has several advantages.
The tool makes it possible to mount a working container's filesystem, so it becomes accessible by the host.
The process of building container images using Buildah can be automated via scripts by using Buildah's subcommands instead of a Containerfile or Dockerfile.
Similar to Podman, Buildah does not require a daemon to run and can be used by unprivileged users.
It is possible to build images inside a container without mounting the Docker socket, which improves security.
11.1 Podman and Buildah
Both Podman and Buildah can be used to build container images. While Podman makes it possible to build images using Dockerfiles, Buildah offers an expanded range of image building options and capabilities.
11.2 Buildah Installation
To install Buildah, run the command sudo zypper in buildah. Run buildah --version to check whether Buildah has been installed successfully.
If you already have Podman installed and set up for use in the rootless mode, Buildah can be used in an unprivileged environment without any further configuration. If you need to enable the rootless mode for Buildah, run the following command:
> sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 USER
This command enables the rootless mode for the current user. After running the command, log out and log in again to enable the changes.
The command above defines a range of local uids on the host, onto which the uids allocated to users inside the container are mapped. Note that the ranges defined for different users must not overlap. It is also important that the ranges do not reuse the uid of any existing local users or groups.
By default, adding a user with the useradd command on SLES 15 automatically allocates subuid and subgid ranges.
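One way to audit the two constraints above (no overlap between different users' ranges, no existing local ID inside a range), as an added example that is not part of the original documentation. The function names check_subid_ranges and demo and the sample accounts are constructed for illustration; the code assumes the standard name:start:count layout of /etc/subuid and /etc/subgid.

```shell
#!/bin/sh
# check_subid_ranges SUBID_FILE ID_FILE
#   SUBID_FILE: /etc/subuid or /etc/subgid layout (name:start:count)
#   ID_FILE:    /etc/passwd or /etc/group layout (numeric ID in field 3)
# Prints one finding per line; returns 1 if there are findings, else 0.
check_subid_ranges() {
    awk -F: '
        /^#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        mode == "ids" { if ($3 ~ /^[0-9]+$/) taken[$3] = $1; next }
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
            printf "MALFORMED line %d: %s\n", FNR, $0; bad = 1; next
        }
        { n++; who[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1 }
        END {
            for (i = 1; i <= n; i++) {
                # Two ranges overlap when each starts before the other ends.
                for (j = i + 1; j <= n; j++)
                    if (who[i] != who[j] && lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "OVERLAP %s:%d-%d %s:%d-%d\n",
                            who[i], lo[i], hi[i], who[j], lo[j], hi[j]
                        bad = 1
                    }
                # An existing host ID inside a range would be mapped into a container.
                for (id in taken)
                    if (id + 0 >= lo[i] && id + 0 <= hi[i]) {
                        printf "COLLISION %s:%d-%d contains id %d (%s)\n",
                            who[i], lo[i], hi[i], id, taken[id]
                        bad = 1
                    }
            }
            exit bad + 0
        }
    ' mode=ids "$2" mode=sub "$1"
}

# Constructed sample data (not from a real host): wilber overlaps tux, and
# the range of geeko contains the UID of the local account svc.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'tux:100000:65536' 'wilber:150000:65536' 'geeko:300000:65536' > "$d/subuid"
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' 'tux:x:1000:100::/home/tux:/bin/bash' \
        'svc:x:310000:100::/home/svc:/bin/false' > "$d/passwd"
    rc=0; check_subid_ranges "$d/subuid" "$d/passwd" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true
```

On a real host, call check_subid_ranges /etc/subuid /etc/passwd and check_subid_ranges /etc/subgid /etc/group after any manual usermod change.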
In the rootless mode, Buildah commands must be executed in a modified user namespace of the user. To enter this user namespace, run the command buildah unshare. Otherwise, the buildah mount command will fail.
11.3 Building Images with Buildah
Instead of a special file with instructions, Buildah uses individual commands to build an image. Building an image with Buildah involves several steps: run a container based on the specified image, edit the container (install packages, configure settings, etc.), configure container options, and commit all changes into a new image. While this process may include additional steps, such as mounting the container's filesystem and working with it, the basic workflow logic remains the same.
The following example can give you a general idea of how to build an image with Buildah.
container=$(buildah from suse/sle15)                       # (1)
buildah run $container zypper up                           # (2)
buildah copy $container . /usr/src/example/                # (3)
buildah config --workingdir /usr/src/example $container
buildah config --port 8000 $container
buildah config --cmd "php -S 0.0.0.0:8000" $container      # (4)
buildah config --label maintainer="Tux" $container
buildah config --label version="0.1" $container            # (5)
buildah commit $container example                          # (6)
buildah rm $container                                      # (7)
(1) Run a container (also called a working container) based on the specified image (in this case,
(2) Run a command in the working container you just created. In this example, Buildah runs the
(3) Copy files and directories to the specified location in the container. In this example, Buildah copies the entire contents of the current directory to
(4) The
(5) The
(6) Create an image from the working container by committing all the modifications.
(7) Delete the working container.