
Week 6 - buildah: Building Images Without Dockerfiles

6.1 Conceptual Core

  • A Dockerfile is one DSL for building images. It is not the only one. buildah exposes the underlying primitives: create a working container, run commands in it, copy files, set config, commit to an image.
  • This matters because:
      ◦ CI systems can build images without a privileged daemon.
      ◦ You can build images programmatically (e.g., from a Go program).
      ◦ You can construct images with stricter properties (provenance, reproducibility) than Dockerfiles natively allow.

6.2 Mechanical Detail

  • The buildah CLI has Dockerfile-equivalent commands plus richer ones:
      ◦ `buildah from` - start a working container from a base image.
      ◦ `buildah run <container> -- <cmd>` - run a command inside it.
      ◦ `buildah copy` - copy files in.
      ◦ `buildah config --entrypoint='["..."]'` - set image config.
      ◦ `buildah commit` - produce an image from the working container.
      ◦ `buildah unshare` - enter a user namespace; lets you operate on storage as "root" without being host-root. Foundation for rootless builds.
  • `buildah build` (alias `buildah bud`) reads a Dockerfile and uses the same primitives.

6.3 Lab: "Image as a Shell Script"

  1. Write a shell script that uses `buildah from`, `run`, `copy`, `config`, `commit` to produce a small Go-binary-on-alpine image. No Dockerfile.
  2. Add reproducibility flags: `--source-date-epoch`, `--timestamp`, the `SOURCE_DATE_EPOCH` env variable. Build twice; verify the image hashes match.
  3. Build the same image with `buildah bud -f Dockerfile`. Compare hashes; they should be identical when both builds are reproducible.

6.4 Hardening Drill

  • Build everything as a non-root user (`buildah unshare`, rootless mode). Confirm the storage location is in `~/.local/share/containers/`, not `/var/lib/containers`.
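The lab script (6.3) and the hardening drill (6.4) together, as an added example written for this page rather than taken from the course or from the buildah project. It assumes a statically linked Go binary already exists at `./hello` (`CGO_ENABLED=0 go build`); the base image, tag, `/app` layout and default `SOURCE_DATE_EPOCH` value are placeholders. `--timestamp` on `buildah commit` is what pins both the config's created time and every file mtime in the committed layer, so two builds of the same inputs yield the same image ID. Run it as an unprivileged user, directly or under `buildah unshare`; `check_rootless_storage` refuses to proceed if buildah is not using the per-user store.

```shell
#!/bin/sh
# Week 6 lab as a script: build an alpine image that carries a Go binary with buildah
# primitives only (from / run / copy / config / commit), no Dockerfile, then build it a
# second time and compare image IDs to confirm reproducibility.
#
# Added example, not part of the course page. Assumptions: a statically linked Go
# binary already exists at $BINARY, and the base image, tag and /app layout are
# placeholders chosen for this example.
set -eu

BASE=${BASE:-docker.io/library/alpine:3.20}
BINARY=${BINARY:-./hello}
TAG=${TAG:-localhost/hello-buildah:lab}

# Pin the timestamp once. SOURCE_DATE_EPOCH is the reproducible-builds convention;
# the same value is passed to `buildah commit --timestamp` below so that the image
# config's "created" field and every file mtime in the layer are deterministic.
: "${SOURCE_DATE_EPOCH:=1700000000}"
export SOURCE_DATE_EPOCH

# Hardening drill (6.4): refuse to build unless buildah is using the per-user
# rootless store under ~/.local/share/containers rather than /var/lib/containers.
check_rootless_storage() {
  root=$(buildah info --format '{{.store.GraphRoot}}')
  case $root in
    "${HOME:-}"/.local/share/containers/*)
      echo "rootless storage: $root" >&2 ;;
    *)
      echo "refusing to build: storage is $root, not under ~/.local/share/containers" >&2
      return 1 ;;
  esac
}

# Build one image from $1 (base), $2 (binary path), $3 (tag) and print its image ID.
# Everything except the final commit is sent to stderr so that stdout carries only
# the ID, which lets callers capture it with $(...).
build_image() {
  base=$1 binary=$2 tag=$3
  ctr=$(buildah from "$base")
  # The run step is deliberately side-effect-light: package installs or anything
  # that reaches the network would put build-time-dependent content into the layer.
  buildah run "$ctr" -- mkdir -p /app >&2
  buildah copy "$ctr" "$binary" /app/hello >&2
  # Image config: fixed entrypoint, working directory, and a non-root runtime user
  # (65534 is "nobody" on alpine).
  buildah config --entrypoint '["/app/hello"]' --workingdir /app --user 65534:65534 "$ctr" >&2
  buildah commit --timestamp "$SOURCE_DATE_EPOCH" --rm "$ctr" "$tag"
}

# Build twice and compare. The image ID is the sha256 of the config blob, which
# embeds the layer diff IDs, so equal IDs mean identical config and identical layers.
verify_reproducible() {
  first=$(build_image "$BASE" "$BINARY" "$TAG")
  second=$(build_image "$BASE" "$BINARY" "$TAG")
  if [ "$first" = "$second" ]; then
    echo "reproducible: $first"
  else
    echo "NOT reproducible: $first != $second" >&2
    return 1
  fi
}

# Run the lab only when asked; without arguments the file just defines its functions,
# so it can be sourced from other scripts.
if [ "${1:-}" = build ]; then
  check_rootless_storage
  verify_reproducible
fi
```

Invoke as `sh build.sh build`. If `verify_reproducible` reports two different IDs, the usual cause is a run step whose output depends on the moment of the build (package installs, generated keys, timestamps the program writes itself); `buildah inspect --type image` on each result and a diff of the two configs shows which field moved.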

6.5 Production Readiness Slice

  • Wire buildah into a CI job that targets `linux/amd64` and `linux/arm64` from the same x86 runner using `qemu-user-static`. Document the multi-arch build contract.
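One way to write down that contract as the CI job itself, as an added example that is not course material or buildah project code. It assumes a Dockerfile in the working directory; `IMAGE`, `REGISTRY`, the default platform list and the `qemu-*` handler names are assumptions for this example (the handler names are the ones `qemu-user-static` registers under `/proc/sys/fs/binfmt_misc`). Each platform is built from the same Dockerfile with `buildah build --platform`, collected into one manifest list, and pushed with `buildah manifest push --all`; the preflight check fails the job early if emulation for a foreign architecture is not registered on the runner.

```shell
#!/bin/sh
# Multi-arch build contract for a CI job (6.5): one x86_64 runner, qemu-user-static
# registered through binfmt_misc, one image per platform built from the same
# Dockerfile with `buildah build --platform`, collected into a single manifest list
# and pushed with `buildah manifest push --all`.
#
# Added example, not course or buildah project code. Assumptions: the Dockerfile is
# in the current directory; IMAGE, REGISTRY and the platform list are placeholders.
set -eu

PLATFORMS=${PLATFORMS:-"linux/amd64 linux/arm64"}
IMAGE=${IMAGE:-localhost/app}
REGISTRY=${REGISTRY:-registry.example.invalid/team}
BINFMT_DIR=${BINFMT_DIR:-/proc/sys/fs/binfmt_misc}
: "${SOURCE_DATE_EPOCH:=1700000000}"
export SOURCE_DATE_EPOCH

# Name of the binfmt_misc handler qemu-user-static registers for a platform.
# Empty means the platform runs natively on an x86_64 runner (or is not mapped here).
binfmt_entry_for() {
  case $1 in
    linux/arm64|linux/arm64/v8) echo qemu-aarch64 ;;
    linux/arm/v7)               echo qemu-arm ;;
    linux/ppc64le)              echo qemu-ppc64le ;;
    linux/s390x)                echo qemu-s390x ;;
    linux/riscv64)              echo qemu-riscv64 ;;
    *)                          echo "" ;;
  esac
}

# Preflight: every emulated platform needs its qemu handler registered, otherwise
# RUN steps in the foreign-arch build die with "exec format error" part-way through.
check_emulation() {
  for p in $PLATFORMS; do
    entry=$(binfmt_entry_for "$p")
    [ -n "$entry" ] || continue
    if [ ! -f "$BINFMT_DIR/$entry" ]; then
      echo "no binfmt handler $entry for $p; install qemu-user-static on the runner" >&2
      return 1
    fi
  done
}

# Build one image per platform ($2 onward) from the same Dockerfile into manifest
# list $1. --timestamp pins created times so rebuilding unchanged sources yields the
# same image IDs.
build_manifest() {
  list=$1; shift
  buildah manifest rm "$list" 2>/dev/null || true   # start from a clean list
  buildah manifest create "$list"
  for p in "$@"; do
    buildah build --platform "$p" --timestamp "$SOURCE_DATE_EPOCH" --manifest "$list" -f Dockerfile .
  done
}

# Push every per-platform image plus the index, so pulls resolve by platform.
push_manifest() {
  buildah manifest push --all "$1" "docker://$2"
}

# Run the job only when asked; without arguments the file just defines its functions.
if [ "${1:-}" = ci ]; then
  check_emulation
  build_manifest "$IMAGE:ci" $PLATFORMS
  push_manifest "$IMAGE:ci" "$REGISTRY/app:${TAG:-dev}"
fi
```

The contract this encodes: the platform list is the single source of truth, the runner must have a handler for every emulated entry before any image is built, every platform is built from the same Dockerfile and timestamp, and consumers pull the manifest list (index) rather than a per-architecture tag.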
