Skills · April 15, 2026 · 1 min read

Buildah — Daemonless OCI Image Builder

Builds OCI-compliant container images without a daemon, without root, and without a Dockerfile when you want scripted builds.

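Agent ready

Review before installing

This asset needs review first. The copied instructions ask the agent to do a dry run and list what will be written, then continue only after confirmation.

Needs Confirmation · 64/100 · Policy: needs confirmation
Agent entry: any MCP/CLI agent
Type: Skill
Install: Single
Trust: trust level Established
Entry: Buildah Guide
Review the command first:
npx -y tokrepo@latest install 299862e5-3919-11f1-9bc6-00163e2b0d79 --target codex

Do a dry run first, and run this command only after confirming what it will write.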

TL;DR
Buildah builds OCI container images without a daemon or root privileges, with optional Dockerfile-free scripted builds.
§01

What it is

Buildah is a command-line tool for building OCI-compliant container images. Unlike Docker, Buildah does not require a running daemon and can build images without root privileges. It supports standard Dockerfiles but also offers an imperative scripting mode where you build images step-by-step using shell commands.

Buildah targets container developers and CI/CD pipelines that need secure, daemonless image builds. It pairs with Podman (for running containers) and Skopeo (for moving images between registries) as part of the container tools ecosystem maintained by Red Hat.

§02

How it saves time or tokens

Buildah's imperative mode lets you build images with fine-grained control. Instead of writing a Dockerfile with workarounds for caching and multi-stage builds, you script the build directly. This is useful for complex build processes that are awkward to express in Dockerfile syntax.

Daemonless, rootless builds mean you can run Buildah in CI environments without privileged containers, simplifying security compliance.

§03

How to use

  1. Build from a Dockerfile:
     buildah bud -t myapp:latest .
  2. Build imperatively without a Dockerfile:
     ctr=$(buildah from ubuntu:22.04)
     buildah run "$ctr" -- apt-get update
     buildah run "$ctr" -- apt-get install -y python3
     buildah copy "$ctr" ./app /opt/app
     buildah config --cmd '/opt/app/start.sh' "$ctr"
     buildah commit "$ctr" myapp:latest
  3. Push to a registry:
     buildah push myapp:latest docker://registry.example.com/myapp:latest
§04

Example

A CI-friendly build script with caching:

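#!/bin/bash
set -euo pipefail

# Create working container from base
ctr=$(buildah from golang:1.22)

# Copy source and build a static binary (distroless/static ships no libc)
buildah copy "$ctr" . /src
buildah run "$ctr" -- sh -c 'cd /src && CGO_ENABLED=0 go build -o /app'

# Create minimal runtime image
runtime=$(buildah from gcr.io/distroless/static:latest)
buildah copy --from "$ctr" "$runtime" /app /app
# Entrypoint must be the absolute path the binary was copied to
buildah config --entrypoint '["/app"]' "$runtime"
buildah commit "$runtime" myapp:latest

# Remove both working containers once the image is committed
buildah rm "$ctr" "$runtime"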

This achieves a multi-stage build without Dockerfile syntax.

§06

Common pitfalls

  • Forgetting to clean up working containers. Each buildah from creates a working container. Use buildah rm --all to clean up after builds.
  • Not using --layers for Dockerfile builds. Without layer caching, every build starts from scratch. Use buildah bud --layers to enable Docker-style layer caching.
  • Mixing Buildah and Docker image stores. Buildah and Docker use separate image stores by default. Use Skopeo to copy images between them if needed.
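
The first pitfall applied to the multi-stage build from §04, as an added example (not code from this page or from the Buildah project): working containers are removed whether the build succeeds or fails partway. The function names and the tag argument are assumptions; the image names are the ones used in §04.

```shell
#!/bin/sh
# Added example: multi-stage Buildah build whose working containers are
# removed on success AND on failure. Function names are assumptions.

BUILD_IMAGE="golang:1.22"                         # build stage, as in §04
RUNTIME_IMAGE="gcr.io/distroless/static:latest"   # runtime stage, as in §04

# Remove whatever working containers exist so far. $runtime and $ctr are
# deliberately unquoted so that empty names are skipped.
cleanup_build() {
    for c in $runtime $ctr; do
        buildah rm "$c" >/dev/null 2>&1 ||
            echo "warning: working container $c was not removed" >&2
    done
    ctr="" runtime=""
}

# Steps are chained with && instead of relying on `set -e`, which the shell
# ignores inside a function called on the left of || or inside an `if`.
# CGO_ENABLED=0 assumes a pure-Go program (static binary for distroless).
build_steps() {
    ctr=$(buildah from "$BUILD_IMAGE") &&
    buildah copy "$ctr" . /src &&
    buildah run "$ctr" -- sh -c 'cd /src && CGO_ENABLED=0 go build -o /app' &&
    runtime=$(buildah from "$RUNTIME_IMAGE") &&
    buildah copy --from "$ctr" "$runtime" /app /app &&
    buildah config --entrypoint '["/app"]' "$runtime" &&
    buildah commit "$runtime" "$1"
}

# Build image "$1"; always clean up, then return the build's exit status.
build_image() {
    ctr="" runtime="" rc=0
    build_steps "$1" || rc=$?
    cleanup_build
    return "$rc"
}

# Usage: sh build.sh myapp:latest
if [ -n "${1:-}" ]; then
    build_image "$1"
fi
```

After a failed build, `buildah containers` should list nothing left over from this script.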

Frequently asked questions

How is Buildah different from Docker build?

Buildah does not require a daemon process. It builds images as a regular user process without root privileges. Buildah also supports imperative (scripted) builds in addition to Dockerfiles, giving you more control over the build process.

Can Buildah build images from Dockerfiles?

Yes. The 'buildah bud' (build-using-dockerfile) command is fully compatible with standard Dockerfiles and Containerfiles. Existing Dockerfiles work without modification.

Does Buildah work with Podman?

Yes. Buildah and Podman share the same image store. Images built with Buildah are immediately available to Podman for running. They are complementary tools: Buildah builds, Podman runs.

Can I use Buildah in rootless mode?

Yes. Buildah supports rootless builds using user namespaces. This is the recommended mode for CI/CD environments where running as root is a security concern.

What registries does Buildah support?

Buildah pushes to any OCI-compliant registry: Docker Hub, GitHub Container Registry, Amazon ECR, Google Artifact Registry, and private registries. Use 'buildah push' with the registry URL.
