This post is created from a presentation I originally gave to the St Louis Linux Users Group (my slide deck and video).
By Andrew Denner
In the ever-evolving landscape of software development and deployment, containerization has emerged as a pivotal technology. It offers a solution to the age-old problem of inconsistent environments across different stages of development, testing, and production. Among the plethora of tools available, Buildah stands out as a powerful utility for building Open Container Initiative (OCI) compliant images without the need for a container daemon.
In this blog post, we’ll delve deep into Buildah, how it compares to other tools like Docker and Podman, and explore detailed examples to help you efficiently build and manage your OCI containers.
Containerization encapsulates an application and its dependencies into a single package, ensuring consistency across different environments. It abstracts the operating system’s kernel and provides a lightweight, portable environment for applications to run consistently.
Before diving into containers, it’s essential to understand how they differ from virtual machines (VMs).
Virtual Machines:
Containers:
Docker revolutionized containerization by making it accessible and user-friendly. It introduced Dockerfile scripts.
However, over time, Docker Inc. made changes that included licensing adjustments and feature limitations, which led the open-source community to seek alternatives.
Kubernetes is an orchestration platform that automates container deployment, scaling, and management across clusters. It became the de-facto standard for managing containerized applications at scale. Kubernetes abstracts containers into units called “pods” and provides advanced features like load balancing, rollouts, and rollbacks.
Podman and Buildah emerged from the need for Docker alternatives that address specific concerns:
Buildah is a command-line tool that facilitates building OCI-compliant container images. It focuses exclusively on image building, separating the concerns of image creation and container management. It can build from Dockerfiles, or you can use Buildah commands in scripts for more granular control.
To install with dnf:
sudo dnf install buildah
Since Buildah is included in the repositories for newer versions:
sudo apt update
sudo apt install buildah
For older versions, you may need to add the PPA:
sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository ppa:projectatomic/ppa
sudo apt update
sudo apt install buildah
Buildah can be used within WSL (Windows Subsystem for Linux). Ensure you have WSL2 installed with a supported Linux distribution and proceed with installation as per the Linux instructions.
Let’s explore building a container image using Buildah with a practical example.
We’ll build a simple Rust “Hello, World!” application and containerize it.
You will need the Rust toolchain (rustc and cargo).
cargo new hello_world
cd hello_world
Edit src/main.rs if necessary. It should look like:
fn main() {
println!("Hello, world!");
}
While Buildah can work without a Dockerfile, we’ll use one for familiarity.
# Stage 1: Builder
FROM rust:1.65 as builder
WORKDIR /app
COPY . .
RUN cargo build --release
# Stage 2: Runner
FROM debian:buster-slim
COPY --from=builder /app/target/release/hello_world /usr/local/bin/hello_world
CMD ["hello_world"]
buildah bud -t hello_world:latest .
bud is Buildah’s equivalent of docker build. -t tags the image.
podman run --rm hello_world:latest
You should see:
Hello, world!
Ensure that you can build and run containers without root privileges. buildah unshare runs the given command inside a user namespace in which your unprivileged user appears as root, so a build script can run rootless:
buildah unshare ./build.sh
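As an added example (not the script from the original post), here is a build.sh that reproduces the two-stage Rust build above using Buildah commands instead of a Dockerfile, and also sets a non-root USER as the security section below recommends. It assumes the hello_world project directory is the current directory and uses the same base images as the Dockerfile.

```shell
#!/bin/sh
# build.sh: daemonless two-stage build of hello_world with Buildah, no Dockerfile.
# Added example, not from the original post. Run rootless as: buildah unshare ./build.sh
set -eu

IMAGE_NAME="${IMAGE_NAME:-hello_world:latest}"

build_image() {
    # Stage 1: a working container from the Rust image compiles the binary
    builder=$(buildah from docker.io/library/rust:1.65)
    buildah config --workingdir /app "$builder"
    buildah copy "$builder" . /app
    buildah run "$builder" -- cargo build --release

    # Stage 2: a minimal runtime container gets only the compiled binary
    runner=$(buildah from docker.io/library/debian:buster-slim)
    buildah copy --from "$builder" "$runner" \
        /app/target/release/hello_world /usr/local/bin/hello_world

    # Run as an unprivileged system user instead of root
    buildah run "$runner" -- useradd --system --no-create-home app
    buildah config --user app --cmd hello_world "$runner"

    # Commit a single squashed layer, then remove both working containers
    buildah commit --squash "$runner" "$IMAGE_NAME"
    buildah rm "$builder" "$runner" >/dev/null
    echo "$IMAGE_NAME"
}
```

Calling build_image prints the committed image name; podman run --rm hello_world:latest then runs the binary as the app user.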
Multi-stage builds help reduce the final image size by separating the build environment from the runtime environment.
In our example, the first stage (builder
) compiles the Rust application. The second stage uses a minimal base image (e.g., debian:buster-slim
) and only copies the compiled binary.
Buildah allows you to squash image layers, combining them into a single layer.
After building your image:
buildah commit --squash $container $image_name
Alternatively, during the build:
buildah bud --squash -t $image_name .
Security is paramount when building containers. Use a scanner such as clair or trivy to scan your images for vulnerabilities. Use USER directives so the application runs as a non-root user, and avoid unnecessary capabilities.
Podman is a container runtime that works seamlessly with Buildah.
podman run --rm hello_world:latest
Since Buildah produces OCI-compliant images, they are compatible with Podman.
One of the challenges with moving away from Docker is compatibility with Docker Compose. You can use podman-compose, but be aware of limitations. For orchestration, use kubectl.
Buildah’s command-line syntax can be less intuitive compared to Docker commands.
Buildah offers a robust, secure, and efficient way to build OCI-compliant container images without the overhead of a container daemon. By leveraging Buildah and Podman together, developers can maintain a seamless workflow while enhancing security and control.
Transitioning to Buildah may come with challenges, especially concerning compatibility with Docker-centric tools. However, the benefits of a daemonless, rootless environment make it a compelling choice for modern containerization needs.
About the Author:
Andrew Denner is the president of the Central Iowa Linux Users Group and a senior scientific software developer. With a passion for Linux and containerization technologies, he actively explores and shares knowledge about efficient software development and deployment practices.
Feel free to reach out with questions or share your experiences using Buildah and Podman!