buildah-commit(1) General Commands Manual buildah-commit(1)

NAME
   buildah-commit - Create an image from a working container.

SYNOPSIS
   buildah commit [options] container [image]

DESCRIPTION
   Writes a new image using the specified container's read-write layer and,
   if it is based on an image, the layers of that image. If image does not
   begin with a registry name component, localhost will be added to the
   name. If image is not provided, the image will have no name. When an
   image has no name, the buildah images command will display <none> in the
   REPOSITORY and TAG columns.

RETURN VALUE
   The image ID of the image that was created. On error, 1 is returned and
   errno is returned.

OPTIONS
   --authfile path
       Path of the authentication file. Default is
       ${XDG_RUNTIME_DIR}/containers/auth.json. If XDG_RUNTIME_DIR is not
       set, the default is /run/containers/$UID/auth.json. This file is
       created using buildah login.

       If the authorization state is not found there,
       $HOME/.docker/config.json is checked, which is set using docker login.

       Note: You can also override the default path of the authentication
       file by setting the REGISTRY_AUTH_FILE environment variable:
       export REGISTRY_AUTH_FILE=path

   --cert-dir path
       Use certificates at path (*.crt, *.cert, *.key) to connect to the
       registry. The default certificates directory is
       /etc/containers/certs.d.

   --change, -c "INSTRUCTION"
       Apply the change to the committed image that would have been made if
       it had been built using a Containerfile which included the specified
       instruction. This option can be specified multiple times.

   --config filename
       Read a JSON-encoded version of an image configuration object from the
       specified file, and merge the values from it with the configuration
       of the image being committed.

   --creds creds
       The [username[:password]] to use to authenticate with the registry if
       required. If one or both values are not supplied, a command line
       prompt will appear and the value can be entered. The password is
       entered without echo.

   --cw options
       Produce an image suitable for use as a confidential workload running
       in a trusted execution environment (TEE) using krun (i.e., crun built
       with the libkrun feature enabled and invoked as krun). Instead of the
       conventional contents, the root filesystem of the image will contain
       an encrypted disk image and configuration information for krun.

       The value for options is a comma-separated list of key=value pairs,
       supplying configuration information which is needed for producing the
       additional data which will be included in the container image.

       Recognized keys are:

       attestation_url: The location of a key broker / attestation server.
       If a value is specified, the new image's workload ID, along with the
       passphrase used to encrypt the disk image, will be registered with the
       server, and the server's location will be stored in the container
       image. At run-time, krun is expected to contact the server to
       retrieve the passphrase using the workload ID, which is also stored
       in the container image. If no value is specified, a passphrase value
       must be specified.

       cpus: The number of virtual CPUs which the image expects to be run
       with at run-time. If not specified, a default value will be supplied.

       firmware_library: The location of the libkrunfw-sev shared library.
       If not specified, buildah checks for its presence in a number of
       hard-coded locations.

       memory: The amount of memory which the image expects to be run with
       at run-time, as a number of megabytes. If not specified, a default
       value will be supplied.

       passphrase: The passphrase to use to encrypt the disk image which will
       be included in the container image. If no value is specified, but an
       attestation_url value is specified, a randomly-generated passphrase
       will be used. The authors recommend setting an attestation_url but
       not a passphrase.

       slop: Extra space to allocate for the disk image compared to the size
       of the container image's contents, expressed either as a percentage
       (..%) or a size value (bytes, or larger units if suffixes like KB or
       MB are present), or a sum of two or more such specifications
       separated by "+". If not specified, buildah guesses that 25% more
       space than the contents will be enough, but this option is provided
       in case its guess is wrong. If the specified or computed size is less
       than 10 megabytes, it will be increased to 10 megabytes.

       type: The type of trusted execution environment (TEE) which the image
       should be marked for use with. Accepted values are "SEV" (AMD Secure
       Encrypted Virtualization - Encrypted State) and "SNP" (AMD Secure
       Encrypted Virtualization - Secure Nested Paging). If not specified,
       defaults to "SNP".

       workload_id: A workload identifier which will be recorded in the
       container image, to be used at run-time for retrieving the passphrase
       which was used to encrypt the disk image. If not specified, a
       semi-random value will be derived from the base image's image ID.

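       The slop arithmetic above, as an added Python example (not buildah's own code): it parses a slop specification and computes the disk image size the description implies, including the 10 megabyte floor. Binary unit multipliers (KB = 1024 bytes) and integer-only percentages are assumptions, since the page does not state them.

```python
import re

MIB = 1024 * 1024
# Assumption: binary multipliers; the page only names KB and MB as example suffixes.
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}
MIN_DISK_BYTES = 10 * MIB   # the floor described under the slop key
DEFAULT_SLOP = "25%"        # buildah's documented guess when slop is not given


def slop_bytes(spec, contents_bytes):
    """Extra space a slop spec adds on top of contents_bytes.

    spec is a percentage ("25%"), a size with optional unit ("512MB", "4096"),
    or a "+"-separated sum of such terms ("10%+64MB"). Malformed input raises
    ValueError rather than silently producing an undersized disk image.
    """
    total = 0
    for term in spec.split("+"):
        term = term.strip().upper()
        if term.endswith("%") and term[:-1].isdigit():
            total += contents_bytes * int(term[:-1]) // 100
            continue
        m = re.fullmatch(r"(\d+)\s*([KMGT]B|B)?", term)
        if not m:
            raise ValueError(f"unrecognised slop term {term!r} in {spec!r}")
        total += int(m.group(1)) * UNITS[m.group(2) or "B"]
    return total


def disk_image_size(contents_bytes, spec=DEFAULT_SLOP):
    """Size of the encrypted disk image: contents plus slop, never below 10 MiB."""
    return max(contents_bytes + slop_bytes(spec, contents_bytes), MIN_DISK_BYTES)


if __name__ == "__main__":
    # Constructed inputs: contents sizes and slop values a user might pass.
    for contents, spec in [(400 * MIB, DEFAULT_SLOP), (2 * MIB, "1MB"), (100 * MIB, "10%+64MB")]:
        print(f"{contents // MIB:>4} MiB contents, slop {spec!r}: "
              f"{disk_image_size(contents, spec) // MIB} MiB image")
```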
   --disable-compression, -D
       Don't compress filesystem layers when building the image unless it is
       required by the location where the image is being written. This is
       the default setting, because image layers are compressed automatically
       when they are pushed to registries, and images being written to local
       storage would only need to be decompressed again to be stored.
       Compression can be forced in all cases by specifying
       --disable-compression=false.

   --encrypt-layer layer(s)
       Layer(s) to encrypt: 0-indexed layer indices with support for negative
       indexing (e.g. 0 is the first layer, -1 is the last layer). If not
       defined, will encrypt all layers if encryption-key flag is specified.

   --encryption-key key
       The [protocol:keyfile] specifies the encryption protocol, which can be
       JWE (RFC7516), PGP (RFC4880), and PKCS7 (RFC2315) and the key material
       required for image encryption. For instance, jwe:/path/to/key.pem or
       pgp:admin@example.com or pkcs7:/path/to/x509-file.

   --format, -f [oci | docker]
       Control the format for the image manifest and configuration data.
       Recognized formats include oci (OCI image-spec v1.0, the default) and
       docker (version 2, using schema format 2 for the manifest).

       Note: You can also override the default format by setting the
       BUILDAH_FORMAT environment variable: export BUILDAH_FORMAT=docker

   --identity-label bool-value
       Adds default identity label io.buildah.version if set. (default true).

   --iidfile ImageIDfile
       Write the image ID to the file.

   --manifest "listName"
       Name of the manifest list to which the built image will be added.
       Creates the manifest list if it does not exist. This option is useful
       for building multi architecture images.

   --omit-history bool-value
       Omit build history information in the built image. (default false).

       This option is useful for the cases where end users explicitly want
       to set --omit-history to omit the optional History from built images
       or when working with images built using build tools that do not
       include History information in their images.

   --quiet, -q
       When writing the output image, suppress progress output.

   --rm
       Remove the working container and its contents after creating the
       image. Default leaves the container and its content in place.

   --sign-by fingerprint
       Sign the new image using the GPG key that matches the specified
       fingerprint.

   --squash
       Squash all of the new image's layers (including those inherited from
       a base image) into a single new layer.

   --timestamp seconds
       Set the create timestamp to seconds since epoch to allow for
       deterministic builds (defaults to current time). By default, the
       created timestamp is changed and written into the image manifest with
       every commit, causing the image's sha256 hash to be different even if
       the sources are exactly the same otherwise. When --timestamp is set,
       the created timestamp is always set to the time specified and
       therefore not changed, allowing the image's sha256 to remain the
       same. All files committed to the layers of the image will be created
       with the timestamp.

   --tls-verify bool-value
       Require HTTPS and verification of certificates when talking to
       container registries (defaults to true). TLS verification cannot be
       used when talking to an insecure registry.

   --unsetenv env
       Unset environment variables from the final image.

EXAMPLE
   This example saves an image based on the container.
   buildah commit containerID newImageName

   This example saves an image named newImageName based on the container
   and removes the working container.
   buildah commit --rm containerID newImageName

   This example saves an image with no name, removes the working container,
   and creates a new container using the image's ID.
   buildah from $(buildah commit --rm containerID)

   This example saves an image based on the container, disabling
   compression.
   buildah commit --disable-compression containerID

   This example saves an image named newImageName based on the container,
   disabling compression.
   buildah commit --disable-compression containerID newImageName

   This example commits the container to the image on the local registry
   while turning off TLS verification.
   buildah commit --tls-verify=false containerID docker://localhost:5000/imageId

   This example commits the container to the image on the local registry
   using credentials and certificates for authentication.
   buildah commit --cert-dir ~/auth --tls-verify=true --creds=username:password containerID docker://localhost:5000/imageId

   This example commits the container to the image on the local registry
   using credentials from the /tmp/auths/myauths.json file and certificates
   for authentication.
   buildah commit --authfile /tmp/auths/myauths.json --cert-dir ~/auth --tls-verify=true --creds=username:password containerID docker://localhost:5000/imageName

   This example saves an image based on the container, but stores dates
   based on epoch time.
   buildah commit --timestamp=0 containerID newImageName

   Building a multi-architecture image using the --manifest option (requires
   emulation software):
   #!/bin/sh
   # Stop at the first failing step so a half-built image is not committed
   # to the manifest list.
   set -e
   build() {
       # $1 is the target architecture; ./bin/buildah is the locally built binary
       ctr=$(./bin/buildah from --arch "$1" ubi8)
       ./bin/buildah run "$ctr" dnf install -y iputils
       ./bin/buildah commit --manifest ubi8ping "$ctr"
   }
   build arm
   build amd64
   build s390x

ENVIRONMENT
   BUILD_REGISTRY_SOURCES
       BUILD_REGISTRY_SOURCES, if set, is treated as a JSON object which
       contains lists of registry names under the keys insecureRegistries,
       blockedRegistries, and allowedRegistries.

       When committing an image, if the image is to be given a name, the
       portion of the name that corresponds to a registry is compared to the
       items in the blockedRegistries list, and if it matches any of them,
       the commit attempt is denied. If there are registries in the
       allowedRegistries list, and the portion of the name that corresponds
       to the registry is not in the list, the commit attempt is denied.

   TMPDIR
       The TMPDIR environment variable allows the user to specify where
       temporary files are stored while pulling and pushing images. Defaults
       to '/var/tmp'.

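       An added Python example (not buildah's own code) of the BUILD_REGISTRY_SOURCES check just described, combined with the rule from DESCRIPTION that a name without a registry component is treated as localhost. The policy JSON is constructed for illustration, and treating the first path component as a registry only when it contains '.' or ':' or equals localhost is an assumption about how names are resolved.

```python
import json
import os

# Constructed example policy: permit only an internal registry and a local
# one, and block Docker Hub outright.
EXAMPLE_POLICY = json.dumps({
    "insecureRegistries": ["localhost:5000"],
    "blockedRegistries": ["docker.io"],
    "allowedRegistries": ["registry.internal.example", "localhost:5000"],
})


def registry_of(image_name):
    """Registry component of an image name.

    A name with no registry component gets localhost added (DESCRIPTION).
    Assumption: the first path component is a registry only when it contains
    '.' or ':' or is exactly "localhost", the common docker-style rule."""
    if image_name.startswith("docker://"):     # transport prefix used in EXAMPLE
        image_name = image_name[len("docker://"):]
    first, sep, _ = image_name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "localhost"


def commit_allowed(image_name, sources_json=None):
    """Apply BUILD_REGISTRY_SOURCES to a commit target; returns (allowed, reason).

    sources_json defaults to the environment variable; unset means no policy.
    An unnamed image is not checked, since the page says the check applies
    only when the image is to be given a name."""
    if not image_name:
        return True, "unnamed image: no registry check"
    if sources_json is None:
        sources_json = os.environ.get("BUILD_REGISTRY_SOURCES", "")
    if not sources_json:
        return True, "BUILD_REGISTRY_SOURCES not set"
    sources = json.loads(sources_json)
    registry = registry_of(image_name)
    if registry in sources.get("blockedRegistries", []):
        return False, f"{registry} is in blockedRegistries"
    allowed = sources.get("allowedRegistries", [])
    if allowed and registry not in allowed:
        return False, f"{registry} is not in allowedRegistries"
    return True, f"{registry} permitted"


if __name__ == "__main__":
    for name in ["newImageName", "docker://localhost:5000/imageName",
                 "docker.io/library/app", "quay.io/team/app:1.0"]:
        print(name, "->", commit_allowed(name, EXAMPLE_POLICY))
```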
FILES
   registries.conf (/etc/containers/registries.conf)
       registries.conf is the configuration file which specifies which
       container registries should be consulted when completing image names
       which do not include a registry or domain portion.

   policy.json (/etc/containers/policy.json)
       Signature policy file. This defines the trust policy for container
       images. Controls which container registries can be used for image,
       and whether or not the tool should trust the images.

SEE ALSO
   buildah(1), buildah-images(1), containers-policy.json(5),
   containers-registries.conf(5)

buildah March 2017 buildah-commit(1)