LinuxCommandLibrary

buildah

Build OCI or Docker images

SYNOPSIS

buildah [GLOBAL_OPTIONS] COMMAND [COMMAND_OPTIONS] [ARGUMENTS]

Common Commands:
buildah from [OPTIONS] IMAGE [COMMAND]
buildah bud [OPTIONS] PATH
buildah run [OPTIONS] CONTAINER COMMAND [ARGUMENTS]
buildah commit [OPTIONS] CONTAINER [IMAGE]

PARAMETERS

--debug
    Enable debug output.

--json
    Output in JSON format.

--log-level level
    Set the logging level (e.g., debug, info, warn, error).

--root path
    Set the root directory for container storage (default is /var/lib/containers/storage).

--storage-driver driver
    Specify the storage driver (e.g., overlay, vfs).

--storage-opt option
    Set options for the storage driver.

--version
    Print the version information.

DESCRIPTION

buildah is a command-line tool that facilitates building Open Container Initiative (OCI) and Docker-compatible images. Unlike traditional container engines, buildah operates without a central daemon, making it lightweight, secure, and ideal for scripting and integration into CI/CD pipelines. It allows users to construct images from scratch, using either a Dockerfile-like syntax (via buildah bud) or by executing commands incrementally within a running container (via buildah from, buildah run, buildah commit). This granular control provides flexibility for advanced image building scenarios. buildah leverages existing kernel features and container storage technologies, working seamlessly with tools like podman for running containers and skopeo for image inspection and transfer. Its daemon-less and rootless capabilities enhance security by reducing the attack surface, allowing users to build images as non-privileged users. It's a core component of the broader container tools ecosystem developed by Red Hat.

CAVEATS

While powerful, buildah requires an understanding of OCI image concepts and the underlying container storage. Rootless mode, though secure, may have limitations such as not being able to bind to privileged ports (below 1024) without additional system configuration (e.g., setcap). It depends on an OCI runtime such as crun or runc being installed on the system. The learning curve can be steeper for users accustomed to simpler, daemon-based workflows.

BUILD PROCESS FLEXIBILITY

buildah offers two primary ways to build images:
1. Dockerfile-like Builds: Using buildah bud, you can build images from a Dockerfile, similar to docker build.
2. Incremental Container Builds: For fine-grained control, you can start a base image with buildah from, run commands interactively or via scripts with buildah run, and then save the changes as a new image with buildah commit. This allows for complex build logic and debugging of image layers.
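The incremental from/run/copy/config/commit flow above, scripted end to end, as an added example (not code from the page or the buildah project). It assumes buildah with crun or runc is installed, that the base image docker.io/library/alpine can be pulled, and that the image name localhost/buildah-demo and the file contents are constructed for the demo; run it as an unprivileged user to exercise rootless mode.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: an incremental build driven from a
# script instead of a Dockerfile. Assumes buildah plus crun or runc, and registry
# access for the base image. Run as a non-root user to exercise rootless mode
# (user namespaces); no daemon is involved at any step.
set -euo pipefail

WORKING_CTR=""
# Remove the working container if the build aborts part-way (set -e exits the script).
cleanup() { [ -n "$WORKING_CTR" ] && buildah rm "$WORKING_CTR" >/dev/null 2>&1 || true; }
trap cleanup EXIT

# build_incremental BASE IMAGE: builds IMAGE on top of BASE and prints the new image ID.
build_incremental() {
    local base="$1" image="$2" tmp
    # 1. Start a working container from the base image; buildah prints its name.
    WORKING_CTR=$(buildah from "$base")
    # 2. Run a command inside the working container (this is the step that needs the OCI runtime).
    buildah run "$WORKING_CTR" -- sh -c 'mkdir -p /app && echo "built with buildah" > /app/BUILD_INFO'
    # 3. Copy a constructed config file from the host into the container.
    tmp=$(mktemp)
    printf 'listen=127.0.0.1:8080\n' > "$tmp"   # constructed sample content
    buildah copy "$WORKING_CTR" "$tmp" /app/app.conf
    rm -f "$tmp"
    # 4. Set image metadata: drop to an unprivileged UID and add an OCI label.
    buildah config --user 65534:65534 --workingdir /app \
        --label org.opencontainers.image.title=buildah-demo \
        --cmd 'cat /app/BUILD_INFO' "$WORKING_CTR"
    # 5. Commit the container as a new image; --rm deletes the working container on success.
    buildah commit --rm "$WORKING_CTR" "$image"
    WORKING_CTR=""
}

# image_user IMAGE: reads the User field back from the committed image config,
# a quick check that the image will not start processes as root.
image_user() {
    buildah inspect --type image --format '{{.OCIv1.Config.User}}' "$1"
}

if [ "${1:-}" = "--run" ]; then
    # Example invocation; base and target names are assumptions for this demo.
    build_incremental docker.io/library/alpine localhost/buildah-demo:1
    image_user localhost/buildah-demo:1
fi
```

Invoke as `bash build.sh --run`; the committed image can then be started with podman or inspected with skopeo as described below.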

ROOTLESS OPERATION

A significant advantage of buildah is its ability to operate in rootless mode. This means users can build container images without requiring root privileges or a privileged daemon running in the background. This greatly enhances security by isolating the build process from the host system's critical resources and reducing the potential attack surface. It relies on user namespaces for isolation.

INTEGRATION WITH CONTAINER ECOSYSTEM

buildah is designed to work seamlessly with other tools in the Red Hat container ecosystem. Images built with buildah can be run using podman. Images can be inspected, signed, and pushed to registries using skopeo. This interoperability provides a comprehensive and flexible suite of tools for managing container images and containers.

HISTORY

buildah was developed by Red Hat engineers as part of their efforts to create a daemon-less container ecosystem. It emerged around 2017, alongside podman, to provide modular and secure alternatives to the monolithic Docker engine. Its design focuses on leveraging existing Linux kernel features and adhering to OCI standards, allowing for greater flexibility and integration with other tools. It quickly became a cornerstone for building container images in environments prioritizing security, auditability, and automation, especially within Red Hat Enterprise Linux and Fedora ecosystems.

SEE ALSO

podman(1), skopeo(1), crun(1), runc(8), containers-registries.conf(5), storage.conf(5)
