Buildah — Daemonless OCI Image Builder
Builds OCI-compliant container images without a daemon, without root, and without a Dockerfile when you want scripted builds.
Install with prior review
This asset requires review. The copied prompt asks for a dry run, shows the writes, and continues only after confirmation.
npx -y tokrepo@latest install 299862e5-3919-11f1-9bc6-00163e2b0d79 --target codex
First do a dry run, confirm the writes, and then run this command.
What it is
Buildah is a command-line tool for building OCI-compliant container images. Unlike Docker, Buildah does not require a running daemon and can build images without root privileges. It supports standard Dockerfiles but also offers an imperative scripting mode where you build images step-by-step using shell commands.
Buildah targets container developers and CI/CD pipelines that need secure, daemonless image builds. It pairs with Podman (for running containers) and Skopeo (for moving images between registries) as part of the container tools ecosystem maintained by Red Hat.
How it saves time or tokens
Buildah's imperative mode lets you build images with fine-grained control. Instead of writing a Dockerfile with workarounds for caching and multi-stage builds, you script the build directly. This is useful for complex build processes that are awkward to express in Dockerfile syntax.
Daemonless, rootless builds mean you can run Buildah in CI environments without privileged containers, simplifying security compliance.
How to use
- Build from a Dockerfile:
buildah bud -t myapp:latest .
- Build imperatively without a Dockerfile:
ctr=$(buildah from ubuntu:22.04)
buildah run $ctr -- apt-get update
buildah run $ctr -- apt-get install -y python3
buildah copy $ctr ./app /opt/app
buildah config --cmd '/opt/app/start.sh' $ctr
buildah commit $ctr myapp:latest
- Push to a registry:
buildah push myapp:latest docker://registry.example.com/myapp:latest
Example
A CI-friendly build script with caching:
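#!/bin/bash
set -e
# Create working container from base
ctr=$(buildah from golang:1.22)
# Copy source and build
buildah copy "$ctr" . /src
buildah run "$ctr" -- sh -c 'cd /src && go build -o /app'
# Create minimal runtime image
runtime=$(buildah from gcr.io/distroless/static:latest)
# Copy only the compiled binary out of the build container
buildah copy --from "$ctr" "$runtime" /app /app
# The binary lives at /app, which is not on PATH, so use the absolute path
buildah config --entrypoint '["/app"]' "$runtime"
buildah commit "$runtime" myapp:latest
# Remove the two working containers created above
buildah rm "$ctr" "$runtime"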
This achieves a multi-stage build without Dockerfile syntax.
Related on TokRepo
- AI tools for DevOps -- Container and infrastructure tools
- AI tools for automation -- Build automation for CI/CD pipelines
Common pitfalls
- Forgetting to clean up working containers. Each 'buildah from' creates a working container. Use 'buildah rm --all' to clean up after builds.
- Not using '--layers' for Dockerfile builds. Without layer caching, every build starts from scratch. Use 'buildah bud --layers' to enable Docker-style layer caching.
- Mixing Buildah and Docker image stores. Buildah and Docker use separate image stores by default. Use Skopeo to copy images between them if needed.
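The cleanup pitfall and the rootless recommendation combined in one wrapper, as an added example that is not code from the page or from the Buildah project: it refuses to build as root and removes only the working containers it created, which matters on a CI runner whose jobs share one user's storage, where 'buildah rm --all' would also remove other jobs' working containers. The helper names build_image, new_ctr and cleanup are hypothetical; the build steps are the ones from "How to use".

```shell
#!/bin/bash
# Added example: rootless-only imperative build with scoped cleanup.
# build_image, new_ctr and cleanup are hypothetical helper names.

CREATED=""   # working containers created by this script (names have no spaces)

# Create a working container; the name is returned in NEW_CTR so that the
# bookkeeping happens in this shell and not in a $(...) subshell.
new_ctr() {
    NEW_CTR=$(buildah from "$1") || return 1
    CREATED="$CREATED $NEW_CTR"
}

# Remove only the containers recorded above, never `buildah rm --all`.
cleanup() {
    local c
    for c in $CREATED; do
        buildah rm "$c" >/dev/null 2>&1 || true
    done
    CREATED=""
}

# build_image BASE TAG: returns 2 when run as root, otherwise the status of
# the first failing build step (0 on success).
build_image() {
    local ctr rc=0
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to build as root; use an unprivileged CI user" >&2
        return 2
    fi
    new_ctr "$1" || return 1
    ctr=$NEW_CTR
    {
        buildah run "$ctr" -- apt-get update &&
        buildah run "$ctr" -- apt-get install -y python3 &&
        buildah copy "$ctr" ./app /opt/app &&
        buildah config --cmd '/opt/app/start.sh' "$ctr" &&
        buildah commit "$ctr" "$2"
    } || rc=$?
    cleanup   # runs on success and on failure
    return "$rc"
}

# Usage: ./build.sh ubuntu:22.04 myapp:latest
if [ "$#" -ge 2 ]; then
    trap cleanup EXIT INT TERM   # also clean up if the CI job is cancelled
    build_image "$1" "$2"
fi
```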
Frequently asked questions
Buildah does not require a daemon process. It builds images as a regular user process without root privileges. Buildah also supports imperative (scripted) builds in addition to Dockerfiles, giving you more control over the build process.
Yes. The 'buildah bud' (build-using-dockerfile) command is fully compatible with standard Dockerfiles and Containerfiles. Existing Dockerfiles work without modification.
Yes. Buildah and Podman share the same image store. Images built with Buildah are immediately available to Podman for running. They are complementary tools: Buildah builds, Podman runs.
Yes. Buildah supports rootless builds using user namespaces. This is the recommended mode for CI/CD environments where running as root is a security concern.
Buildah pushes to any OCI-compliant registry: Docker Hub, GitHub Container Registry, Amazon ECR, Google Artifact Registry, and private registries. Use 'buildah push' with the registry URL.
Related assets
BuildKit — Concurrent, Cache-Efficient OCI Image Builder
BuildKit is the modern container image builder behind docker build and buildx, providing a concurrent DAG-based frontend, cross-platform builds, remote caching, and rootless operation.
Podman — Daemonless Container Engine for OCI Containers
Podman is a daemonless, open-source tool for developing, managing, and running OCI containers and pods. Drop-in replacement for Docker CLI without requiring a root daemon. Used by Red Hat, Fedora, and increasingly adopted in enterprise environments.
Skopeo — Registry-Agnostic Container Image Toolkit
Skopeo inspects, copies, signs, and deletes container images across registries without a daemon — the Swiss Army knife for OCI image plumbing in CI pipelines.
Clair — Container Image Vulnerability Scanner
Perform static vulnerability analysis on OCI and Docker container images by indexing their contents and matching against multiple security databases.