ScriptsApr 15, 2026·3 min read

Buildah — Daemonless OCI Image Builder

Builds OCI-compliant container images without a daemon, without root, and without a Dockerfile when you want scripted builds.

Script Depot
Script Depot · Community

Introduction

Buildah is a Red Hat project for building container images the Unix way: small binaries, pipelines, no daemon. It writes OCI-compliant images straight to local storage shared with Podman and CRI-O, so your CI, dev laptop, and Kubernetes node can all speak the same image store.

What Buildah Does

  • Parses Dockerfiles and Containerfiles with the same syntax as Docker.
  • Exposes the build as individual shell commands (from, run, copy, commit) for scripted, conditional builds.
  • Runs rootless inside user namespaces — ideal for unprivileged CI.
  • Produces multi-arch manifests with buildah manifest.
  • Shares image storage with Podman; buildah pull and podman run see the same layers.

Architecture Overview

Buildah is a CLI plus a Go library on top of containers/storage, containers/image, and runc or crun. Each command runs in the caller's process — no long-lived daemon — using OverlayFS, fuse-overlayfs (rootless), or VFS. Builds can be orchestrated from bash scripts, Makefiles, or embedded into Tekton pipelines and GitLab CI runners.

Self-Hosting & Configuration

  • Install from distro packages (dnf install buildah, apt install buildah) or as a container.
  • Rootless: configure /etc/subuid and /etc/subgid for the build user.
  • Storage driver: overlay on modern kernels; vfs for maximum portability.
  • Registries config in /etc/containers/registries.conf applies to pulls and pushes.
  • Works inside Kubernetes pods with BUILDAH_ISOLATION=chroot or rootless.

Key Features

  • No socket means no privileged daemon to exploit — a big win for CI security.
  • Imperative mode lets you share layers between builds for massive speedups.
  • Produces Docker v2 and OCI images, signed with sigstore or cosign.
  • First-class multi-arch manifests without buildx.
  • Drop-in replacement for docker build in most pipelines.

Comparison with Similar Tools

  • docker buildx / BuildKit — daemon-based, great caching, heavier install footprint.
  • Kaniko — similar daemonless story, focused on Kubernetes build pods.
  • img — BuildKit-based, daemonless, less active.
  • ko — Go-only, ignores Dockerfiles, much faster for that niche.
  • Packer — builds VM + container images, higher-level orchestration.

FAQ

Q: Can it replace Docker for building? A: Yes — the Dockerfile parser targets the same spec; most CIs swap docker build for buildah bud without code changes.

Q: How do I use it on macOS? A: Run inside a Linux VM (Lima, Podman Machine) or a container; Buildah itself is Linux-only.

Q: Rootless performance? A: Fuse-overlayfs adds some overhead; native overlay (kernel 5.13+) is near-parity with rootful.

Q: Does it push to Docker Hub? A: Yes — buildah push image docker://docker.io/user/image:tag with credentials from ~/.docker/config.json.

Sources

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets

Flagger — Progressive Delivery Operator for Kubernetes

Flagger is a FluxCD progressive delivery operator that automates canary, A/B, and blue/green rollouts on Kubernetes, using service-mesh traffic shifting and metric-based analysis to promote or abort releases.

Script Depot

Metrics Server — Lightweight Core Metrics for Kubernetes Autoscaling

Kubernetes Metrics Server is the lightweight cluster-wide CPU and memory metrics pipeline that powers kubectl top, HorizontalPodAutoscaler, and VerticalPodAutoscaler without requiring a full monitoring stack.

Script Depot

ExternalDNS — Dynamic DNS Records from Kubernetes Resources

ExternalDNS synchronizes exposed Kubernetes Services and Ingresses with external DNS providers such as Route53, Cloudflare, Google Cloud DNS, and RFC2136, so hostnames stay in lockstep with cluster state.

Script Depot
Home🔍Search👤Me