# Buildah — Daemonless OCI Image Builder

> Builds OCI-compliant container images without a daemon, without root, and without a Dockerfile when you want scripted builds.

## Install

Save as a script file and run:

## Quick Use

```bash
# Build from a Containerfile/Dockerfile
buildah bud -t myapp:latest .

# Or build imperatively without any Dockerfile
ctr=$(buildah from alpine:3.20)
buildah run "$ctr" -- apk add --no-cache curl
buildah config --entrypoint '["/usr/bin/curl"]' "$ctr"
buildah commit "$ctr" myapp:latest
buildah push myapp:latest docker://registry.example.com/myapp:latest
```

## Introduction

Buildah is a Red Hat project for building container images the Unix way: small binaries, pipelines, no daemon. It writes OCI-compliant images straight to local storage shared with Podman and CRI-O, so your CI, dev laptop, and Kubernetes node can all speak the same image store.

## What Buildah Does

- Parses Dockerfiles and Containerfiles with the same syntax as Docker.
- Exposes the build as individual shell commands (`from`, `run`, `copy`, `commit`) for scripted, conditional builds.
- Runs rootless inside user namespaces — ideal for unprivileged CI.
- Produces multi-arch manifests with `buildah manifest`.
- Shares image storage with Podman; `buildah pull` and `podman run` see the same layers.

## Architecture Overview

Buildah is a CLI plus a Go library on top of containers/storage, containers/image, and runc or crun. Each command runs in the caller's process, with no long-lived daemon, using OverlayFS, fuse-overlayfs (rootless), or VFS. Builds can be orchestrated from bash scripts or Makefiles, or embedded into Tekton pipelines and GitLab CI runners.

## Self-Hosting & Configuration

- Install from distro packages (`dnf install buildah`, `apt install buildah`) or as a container.
- Rootless: configure `/etc/subuid` and `/etc/subgid` for the build user.
- Storage driver: `overlay` on modern kernels; `vfs` for maximum portability.
- Registries config in `/etc/containers/registries.conf` applies to pulls and pushes.
- Works inside Kubernetes pods with `BUILDAH_ISOLATION=chroot` or `rootless`.

## Key Features

- No socket means no privileged daemon to exploit — a big win for CI security.
- Imperative mode lets you share layers between builds for massive speedups.
- Produces Docker v2 and OCI images, signed with sigstore or cosign.
- First-class multi-arch manifests without buildx.
- Drop-in replacement for `docker build` in most pipelines.

## Comparison with Similar Tools

- **docker buildx / BuildKit** — daemon-based, great caching, heavier install footprint.
- **Kaniko** — similar daemonless story, focused on Kubernetes build pods.
- **img** — BuildKit-based, daemonless, less active.
- **ko** — Go-only, ignores Dockerfiles, much faster for that niche.
- **Packer** — builds VM + container images, higher-level orchestration.

## FAQ

**Q:** Can it replace Docker for building?
**A:** Yes — the Dockerfile parser targets the same spec; most CIs swap `docker build` for `buildah bud` without code changes.

**Q:** How do I use it on macOS?
**A:** Run inside a Linux VM (Lima, Podman Machine) or a container; Buildah itself is Linux-only.

**Q:** Rootless performance?
**A:** Fuse-overlayfs adds some overhead; native overlay (kernel 5.13+) is near-parity with rootful.

**Q:** Does it push to Docker Hub?
**A:** Yes — `buildah push image docker://docker.io/user/image:tag` with credentials from `~/.docker/config.json`.

## Sources

- https://github.com/containers/buildah
- https://buildah.io/

---

Source: https://tokrepo.com/en/workflows/299862e5-3919-11f1-9bc6-00163e2b0d79
Author: Script Depot
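
For the rootless setup listed under Self-Hosting & Configuration, the build user's entries in `/etc/subuid` and `/etc/subgid` can be checked before a build runs. The following is an added example, not code from the Buildah project or the original page; the helper name `check_subid`, the 65536-ID minimum and the sample entries are assumptions.

```bash
#!/usr/bin/env bash
# check_subid FILE USER [MIN]  (hypothetical helper, not part of Buildah)
# FILE uses the /etc/subuid and /etc/subgid format: name:start:count
# Exit status: 0 ok, 1 too few IDs for USER, 2 overlap with another
# name, 3 malformed line. MIN defaults to 65536 (assumed minimum).
check_subid() {
  awk -F: -v user="$2" -v min="${3:-65536}" '
    /^[ \t]*(#|$)/ { next }                      # comments, blank lines
    NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
      printf "line %s malformed: %s\n", NR, $0; bad = 1; next
    }
    $3 + 0 == 0 { next }                         # empty range maps nothing
    {
      n++; name[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1
      if ($1 == user) total += $3
    }
    END {
      if (bad) exit 3
      if (total + 0 < min + 0) {
        printf "%s: %s subordinate IDs, need at least %s\n", user, total + 0, min
        exit 1
      }
      # Host IDs shared with another account break rootless isolation.
      for (i = 1; i <= n; i++) {
        if (name[i] != user) continue
        for (j = 1; j <= n; j++)
          if (name[j] != user && lo[i] <= hi[j] && lo[j] <= hi[i]) {
            printf "%s overlaps %s\n", user, name[j]
            exit 2
          }
      }
      printf "%s: ok\n", user
    }' "$1"
}

# Constructed sample: the "ci" range starts inside the "builder" range.
sample=$(mktemp)
printf '%s\n' 'builder:100000:65536' 'ci:150000:65536' > "$sample"
check_subid "$sample" builder || echo "check_subid exit status: $?"
rm -f "$sample"
```

Run it against both `/etc/subuid` and `/etc/subgid` for the CI account; a non-zero status is a reason to fix the mapping before any rootless build is scheduled.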