1buildah-bud(1) General Commands Manual buildah-bud(1)
2
6 buildah-bud - Build an image using instructions from Containerfiles
7
10 buildah build-using-dockerfile [options] [context]
11 buildah bud [options] [context]
14 bud is an alias for build-using-dockerfile.
17
20 Builds an image using instructions from one or more Containerfiles or
21 Dockerfiles and a specified build context directory. A Containerfile
22 uses the same syntax as a Dockerfile internally. For this document, a
23 file referred to as a Containerfile can be a file named either 'Con‐
24 tainerfile' or 'Dockerfile'.
25 The build context directory can be specified as the http(s) URL of an
28 archive, git repository or Containerfile.
29 If no context directory is specified, then Buildah will assume the cur‐
32 rent working directory as build context, which should contain a Con‐
33 tainerfile.
34 Containerfiles ending with a ".in" suffix will be preprocessed via
37 CPP(1). This can be useful to decompose Containerfiles into several
38 reusable parts that can be used via CPP's #include directive. Notice,
39 a Containerfile.in file can still be used by other tools when manually
40 preprocessing them via cpp -E.
41 When the URL is an archive, the contents of the URL is downloaded to a
44 temporary location and extracted before execution.
45 When the URL is a Containerfile, the file is downloaded to a temporary
48 location.
49 When a Git repository is set as the URL, the repository is cloned
52 locally and then set as the context.
53
56 --add-host=[]
57 Add a custom host-to-IP mapping (host:ip)
60 Add a line to /etc/hosts. The format is hostname:ip. The --add-host
63 option can be set multiple times.
64 --annotation annotation
67 Add an image annotation (e.g. annotation=value) to the image metadata.
70 Can be used multiple times.
71 Note: this information is not present in Docker image formats, so it is
74 discarded when writing images in Docker formats.
75 --arch="ARCH"
78 Set the ARCH of the image to the provided value instead of using the
81 architecture of the host.
82 --authfile path
85 Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
88 ers/auth.json, which is set using buildah login. If the authorization
89 state is not found there, $HOME/.docker/config.json is checked, which
90 is set using docker login.
91 --build-arg arg=value
94 Specifies a build argument and its value, which will be interpolated in
97 instructions read from the Containerfiles in the same way that environ‐
98 ment variables are, but which will not be added to environment variable
99 list in the resulting image's configuration.
100 --cache-from
103 Images to utilise as potential cache sources. Buildah does not cur‐
106 rently support caching so this is a NOOP.
107 --cap-add=CAP_xxx
110 When executing RUN instructions, run the command specified in the
113 instruction with the specified capability added to its capability set.
114 Certain capabilities are granted by default; this option can be used to
115 add more.
116 --cap-drop=CAP_xxx
119 When executing RUN instructions, run the command specified in the
122 instruction with the specified capability removed from its capability
123 set. The CAP_AUDIT_WRITE, CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER,
124 CAP_FSETID, CAP_KILL, CAP_MKNOD, CAP_NET_BIND_SERVICE, CAP_SETFCAP,
125 CAP_SETGID, CAP_SETPCAP, CAP_SETUID, and CAP_SYS_CHROOT capabilities
126 are granted by default; this option can be used to remove them.
127 If a capability is specified to both the --cap-add and --cap-drop
130 options, it will be dropped, regardless of the order in which the
131 options were given.
132 --cert-dir path
135 Use certificates at path (*.crt, *.cert, *.key) to connect to the reg‐
138 istry. Default certificates directory is /etc/containers/certs.d.
139 --cgroup-parent=""
142 Path to cgroups under which the cgroup for the container will be cre‐
145 ated. If the path is not absolute, the path is considered to be rela‐
146 tive to the cgroups path of the init process. Cgroups will be created
147 if they do not already exist.
148 --compress
151 This option is added to be aligned with other containers CLIs. Buildah
154 doesn't send a copy of the context directory to a daemon or a remote
155 server. Thus, compressing the data before sending it is irrelevant to
156 Buildah.
157 --cni-config-dir=directory
160 Location of CNI configuration files which will dictate which plugins
163 will be used to configure network interfaces and routing for containers
164 created for handling RUN instructions, if those containers will be run
165 in their own network namespaces, and networking is not disabled.
166 --cni-plugin-path=directory[:directory[:directory[...]]]
169 List of directories in which the CNI plugins which will be used for
172 configuring network namespaces can be found.
173 --cpu-period=0
176 Limit the CPU CFS (Completely Fair Scheduler) period
179 Limit the container's CPU usage. This flag tell the kernel to restrict
182 the container's CPU usage to the period you specify.
183 --cpu-quota=0
186 Limit the CPU CFS (Completely Fair Scheduler) quota
189 Limit the container's CPU usage. By default, containers run with the
192 full CPU resource. This flag tell the kernel to restrict the con‐
193 tainer's CPU usage to the quota you specify.
194 --cpu-shares, -c=0
197 CPU shares (relative weight)
200 By default, all containers get the same proportion of CPU cycles. This
203 proportion can be modified by changing the container's CPU share
204 weighting relative to the weighting of all other running containers.
205 To modify the proportion from the default of 1024, use the --cpu-shares
208 flag to set the weighting to 2 or higher.
209 The proportion will only apply when CPU-intensive processes are run‐
212 ning. When tasks in one container are idle, other containers can use
213 the left-over CPU time. The actual amount of CPU time will vary depend‐
214 ing on the number of containers running on the system.
215 For example, consider three containers, one has a cpu-share of 1024 and
218 two others have a cpu-share setting of 512. When processes in all three
219 containers attempt to use 100% of CPU, the first container would
220 receive 50% of the total CPU time. If you add a fourth container with a
221 cpu-share of 1024, the first container only gets 33% of the CPU. The
222 remaining containers receive 16.5%, 16.5% and 33% of the CPU.
223 On a multi-core system, the shares of CPU time are distributed over all
226 CPU cores. Even if a container is limited to less than 100% of CPU
227 time, it can use 100% of each individual CPU core.
228 For example, consider a system with more than three cores. If you start
231 one container {C0} with -c=512 running one process, and another con‐
232 tainer {C1} with -c=1024 running two processes, this can result in the
233 following division of CPU shares:
234 PID container CPU CPU share
237 100 {C0} 0 100% of CPU0
238 101 {C1} 1 100% of CPU1
239 102 {C1} 2 100% of CPU2
240 --cpuset-cpus=""
244 CPUs in which to allow execution (0-3, 0,1)
247 --cpuset-mems=""
250 Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effec‐
253 tive on NUMA systems.
254 If you have four memory nodes on your system (0-3), use
257 --cpuset-mems=0,1 then processes in your container will only use memory
258 from the first two memory nodes.
259 --creds creds
262 The [username[:password]] to use to authenticate with the registry if
265 required. If one or both values are not supplied, a command line
266 prompt will appear and the value can be entered. The password is
267 entered without echo.
268 --device=device
271 Add a host device or devices under a directory to the container. The
274 format is <device-on-host>[:<device-on-container>][:<permissions>]
275 (e.g. --device=/dev/sdc:/dev/xvdc:rwm)
276 --disable-compression, -D Don't compress filesystem layers when build‐
279 ing the image unless it is required by the location where the image is
280 being written. This is the default setting, because image layers are
281 compressed automatically when they are pushed to registries, and images
282 being written to local storage would only need to be decompressed again
283 to be stored. Compression can be forced in all cases by specifying
284 --disable-compression=false.
285 --disable-content-trust
288 This is a Docker specific option to disable image verification to a
291 Docker registry and is not supported by Buildah. This flag is a NOOP
292 and provided solely for scripting compatibility.
293 --dns=[]
296 Set custom DNS servers
299 This option can be used to override the DNS configuration passed to the
302 container. Typically this is necessary when the host DNS configuration
303 is invalid for the container (e.g., 127.0.0.1). When this is the case
304 the --dns flag is necessary for every run.
305 The special value none can be specified to disable creation of
308 /etc/resolv.conf in the container by Buildah. The /etc/resolv.conf file
309 in the image will be used without changes.
310 --dns-option=[]
313 Set custom DNS options
316 --dns-search=[]
319 Set custom DNS search domains
322 --file, -f Containerfile
325 Specifies a Containerfile which contains instructions for building the
328 image, either a local file or an http or https URL. If more than one
329 Containerfile is specified, FROM instructions will only be accepted
330 from the first specified file.
331 If a local file is specified as the Containerfile and it does not
334 exist, the context directory will be prepended to the local file value.
335 If you specify -f -, the Containerfile contents will be read from
338 stdin.
339 --force-rm bool-value
342 Always remove intermediate containers after a build, even if the build
345 fails (default false).
346 --format
349 Control the format for the built image's manifest and configuration
352 data. Recognized formats include oci (OCI image-spec v1.0, the
353 default) and docker (version 2, using schema format 2 for the mani‐
354 fest).
355 Note: You can also override the default format by setting the BUIL‐
358 DAH_FORMAT environment variable. export BUILDAH_FORMAT=docker
359 --http-proxy
362 By default proxy environment variables are passed into the container if
365 set for the buildah process. This can be disabled by setting the
366 --http-proxy option to false. The environment variables passed in
367 include http_proxy, https_proxy, ftp_proxy, no_proxy, and also the
368 upper case versions of those.
369 Defaults to true
372 --iidfile ImageIDfile
375 Write the image ID to the file.
378 --ipc how
381 Sets the configuration for IPC namespaces when handling RUN instruc‐
384 tions. The configured value can be "" (the empty string) or "con‐
385 tainer" to indicate that a new IPC namespace should be created, or it
386 can be "host" to indicate that the IPC namespace in which buildah
387 itself is being run should be reused, or it can be the path to an IPC
388 namespace which is already in use by another process.
389 --isolation type
392 Controls what type of isolation is used for running processes as part
395 of RUN instructions. Recognized types include oci (OCI-compatible run‐
396 time, the default), rootless (OCI-compatible runtime invoked using a
397 modified configuration, with --no-new-keyring added to its create invo‐
398 cation, with network and UTS namespaces disabled, and IPC, PID, and
399 user namespaces enabled; the default for unprivileged users), and
400 chroot (an internal wrapper that leans more toward chroot(1) than con‐
401 tainer technology).
402 Note: You can also override the default isolation type by setting the
405 BUILDAH_ISOLATION environment variable. export BUILDAH_ISOLATION=oci
406 --label label
409 Add an image label (e.g. label=value) to the image metadata. Can be
412 used multiple times.
413 --loglevel number
416 Adjust the logging level up or down. Valid option values range from -2
419 to 3, with 3 being roughly equivalent to using the global
420 --log-level=debug option, and values below 0 omitting even error mes‐
421 sages which accompany fatal errors.
422 --layers bool-value
425 Cache intermediate images during the build process (Default is false).
428 Note: You can also override the default value of layers by setting the
431 BUILDAH_LAYERS environment variable. export BUILDAH_LAYERS=true
432 --logfile filename
435 Log output which would be sent to standard output and standard error to
438 the specified file instead of to standard output and standard error.
439 --memory, -m=""
442 Memory limit (format: [], where unit = b, k, m or g)
445 Allows you to constrain the memory available to a container. If the
448 host supports swap memory, then the -m memory setting can be larger
449 than physical RAM. If a limit of 0 is specified (not using -m), the
450 container's memory is not limited. The actual limit may be rounded up
451 to a multiple of the operating system's page size (the value would be
452 very large, that's millions of trillions).
453 --memory-swap="LIMIT"
456 A limit value equal to memory plus swap. Must be used with the -m
459 (--memory) flag. The swap LIMIT should always be larger than -m (--mem‐
460 ory) value. By default, the swap LIMIT will be set to double the value
461 of --memory.
462 The format of LIMIT is <number>[<unit>]. Unit can be b (bytes), k
465 (kilobytes), m (megabytes), or g (gigabytes). If you don't specify a
466 unit, b is used. Set LIMIT to -1 to enable unlimited swap.
467 --net how --network how
470 Sets the configuration for network namespaces when handling RUN
473 instructions. The configured value can be "" (the empty string) or
474 "container" to indicate that a new network namespace should be created,
475 or it can be "host" to indicate that the network namespace in which
476 buildah itself is being run should be reused, or it can be the path to
477 a network namespace which is already in use by another process.
478 --no-cache
481 Do not use existing cached images for the container build. Build from
484 the start with a new set of cached layers.
485 --os="OS"
488 Set the OS of the image to the provided value instead of using the cur‐
491 rent operating system of the host.
492 --pid how
495 Sets the configuration for PID namespaces when handling RUN instruc‐
498 tions. The configured value can be "" (the empty string) or "con‐
499 tainer" to indicate that a new PID namespace should be created, or it
500 can be "host" to indicate that the PID namespace in which buildah
501 itself is being run should be reused, or it can be the path to a PID
502 namespace which is already in use by another process.
503 --platform="OS/ARCH"
506 Set the OS/ARCH of the image to the provided value instead of using the
509 current operating system and architecture of the host (for example
510 linux/arm). If --platform is set, then the values of the --arch and
511 --os options will be overridden.
512 --pull
515 When the flag is enabled, attempt to pull the latest image from the
518 registries listed in registries.conf if a local image does not exist or
519 the image is newer than the one in storage. Raise an error if the image
520 is not in any listed registry and is not present locally.
521 If the flag is disabled (with --pull=false), do not pull the image from
524 the registry, unless there is no local image. Raise an error if the
525 image is not in any registry and is not present locally.
526 Defaults to true.
529 --pull-always
532 Pull the image from the first registry it is found in as listed in reg‐
535 istries.conf. Raise an error if not found in the registries, even if
536 the image is present locally.
537 --pull-never
540 Do not pull the image from the registry, use only the local version.
543 Raise an error if the image is not present locally.
544 --quiet, -q
547 Suppress output messages which indicate which instruction is being pro‐
550 cessed, and of progress when pulling images from a registry, and when
551 writing the output image.
552 --rm bool-value
555 Remove intermediate containers after a successful build (default true).
558 --runtime path
561 The path to an alternate OCI-compatible runtime, which will be used to
564 run commands specified by the RUN instruction. Default is runc, or crun
565 when machine is configured to use cgroups V2.
566 Note: You can also override the default runtime by setting the BUIL‐
569 DAH_RUNTIME environment variable. export BUILDAH_RUNTIME=/usr/bin/crun
570 --runtime-flag flag
573 Adds global flags for the container rutime. To list the supported
576 flags, please consult the manpages of the selected container runtime.
577 Note: Do not pass the leading -- to the flag. To pass the runc flag
580 --log-format json to buildah bud, the option given would be --run‐
581 time-flag log-format=json.
582 --security-opt=[]
585 Security Options
588 "label=user:USER" : Set the label user for the container
591 "label=role:ROLE" : Set the label role for the container
592 "label=type:TYPE" : Set the label type for the container
593 "label=level:LEVEL" : Set the label level for the container
594 "label=disable" : Turn off label confinement for the container
595 "no-new-privileges" : Not supported
596 "seccomp=unconfined" : Turn off seccomp confinement for the container
599 "seccomp=profile.json : White listed syscalls seccomp Json file to
600 be used as a seccomp filter
601 "apparmor=unconfined" : Turn off apparmor confinement for the container
604 "apparmor=your-profile" : Set the apparmor confinement profile for
605 the container
606 --shm-size=""
609 Size of /dev/shm. The format is <number><unit>. number must be greater
612 than 0. Unit is optional and can be b (bytes), k (kilobytes),
613 m(megabytes), or g (gigabytes). If you omit the unit, the system uses
614 bytes. If you omit the size entirely, the system uses 64m.
615 --sign-by fingerprint
618 Sign the built image using the GPG key that matches the specified fin‐
621 gerprint.
622 --squash
625 Squash all of the new image's layers (including those inherited from a
628 base image) into a single new layer.
629 --tag, -t imageName
632 Specifies the name which will be assigned to the resulting image if the
635 build process completes successfully. If imageName does not include a
636 registry name, the registry name localhost will be prepended to the
637 image name.
638 --target stageName
641 Set the target build stage to build. When building a Containerfile
644 with multiple build stages, --target can be used to specify an interme‐
645 diate build stage by name as the final stage for the resulting image.
646 Commands after the target stage will be skipped.
647 --tls-verify bool-value
650 Require HTTPS and verify certificates when talking to container reg‐
653 istries (defaults to true).
654 --ulimit type=soft-limit[:hard-limit]
657 Specifies resource limits to apply to processes launched when process‐
660 ing RUN instructions. This option can be specified multiple times.
661 Recognized resource types include:
662 "core": maximum core dump size (ulimit -c)
663 "cpu": maximum CPU time (ulimit -t)
664 "data": maximum size of a process's data segment (ulimit -d)
665 "fsize": maximum size of new files (ulimit -f)
666 "locks": maximum number of file locks (ulimit -x)
667 "memlock": maximum amount of locked memory (ulimit -l)
668 "msgqueue": maximum amount of data in message queues (ulimit -q)
669 "nice": niceness adjustment (nice -n, ulimit -e)
670 "nofile": maximum number of open files (ulimit -n)
671 "nofile": maximum number of open files (1048576); when run by root
672 "nproc": maximum number of processes (ulimit -u)
673 "nproc": maximum number of processes (1048576); when run by root
674 "rss": maximum size of a process's (ulimit -m)
675 "rtprio": maximum real-time scheduling priority (ulimit -r)
676 "rttime": maximum amount of real-time execution between blocking
677 syscalls
678 "sigpending": maximum number of pending signals (ulimit -i)
679 "stack": maximum stack size (ulimit -s)
680 --userns how
683 Sets the configuration for user namespaces when handling RUN instruc‐
686 tions. The configured value can be "" (the empty string) or "con‐
687 tainer" to indicate that a new user namespace should be created, it can
688 be "host" to indicate that the user namespace in which buildah itself
689 is being run should be reused, or it can be the path to an user names‐
690 pace which is already in use by another process.
691 --userns-uid-map mapping
694 Directly specifies a UID mapping which should be used to set ownership,
697 at the filesystem level, on the working container's contents. Commands
698 run when handling RUN instructions will default to being run in their
699 own user namespaces, configured using the UID and GID maps.
700 Entries in this map take the form of one or more triples of a starting
703 in-container UID, a corresponding starting host-level UID, and the num‐
704 ber of consecutive IDs which the map entry represents.
705 This option overrides the remap-uids setting in the options section of
708 /etc/containers/storage.conf.
709 If this option is not specified, but a global --userns-uid-map setting
712 is supplied, settings from the global option will be used.
713 If none of --userns-uid-map-user, --userns-gid-map-group, or
716 --userns-uid-map are specified, but --userns-gid-map is specified, the
717 UID map will be set to use the same numeric values as the GID map.
718 --userns-gid-map mapping
721 Directly specifies a GID mapping which should be used to set ownership,
724 at the filesystem level, on the working container's contents. Commands
725 run when handling RUN instructions will default to being run in their
726 own user namespaces, configured using the UID and GID maps.
727 Entries in this map take the form of one or more triples of a starting
730 in-container GID, a corresponding starting host-level GID, and the num‐
731 ber of consecutive IDs which the map entry represents.
732 This option overrides the remap-gids setting in the options section of
735 /etc/containers/storage.conf.
736 If this option is not specified, but a global --userns-gid-map setting
739 is supplied, settings from the global option will be used.
740 If none of --userns-uid-map-user, --userns-gid-map-group, or
743 --userns-gid-map are specified, but --userns-uid-map is specified, the
744 GID map will be set to use the same numeric values as the UID map.
745 --userns-uid-map-user user
748 Specifies that a UID mapping which should be used to set ownership, at
751 the filesystem level, on the working container's contents, can be found
752 in entries in the /etc/subuid file which correspond to the specified
753 user. Commands run when handling RUN instructions will default to
754 being run in their own user namespaces, configured using the UID and
755 GID maps. If --userns-gid-map-group is specified, but
756 --userns-uid-map-user is not specified, buildah will assume that the
757 specified group name is also a suitable user name to use as the default
758 setting for this option.
759 --userns-gid-map-group group
762 Specifies that a GID mapping which should be used to set ownership, at
765 the filesystem level, on the working container's contents, can be found
766 in entries in the /etc/subgid file which correspond to the specified
767 group. Commands run when handling RUN instructions will default to
768 being run in their own user namespaces, configured using the UID and
769 GID maps. If --userns-uid-map-user is specified, but
770 --userns-gid-map-group is not specified, buildah will assume that the
771 specified user name is also a suitable group name to use as the default
772 setting for this option.
773 --uts how
776 Sets the configuration for UTS namespaces when the handling RUN
779 instructions. The configured value can be "" (the empty string) or
780 "container" to indicate that a new UTS namespace should be created, or
781 it can be "host" to indicate that the UTS namespace in which buildah
782 itself is being run should be reused, or it can be the path to a UTS
783 namespace which is already in use by another process.
784 --volume, -v[=[HOST-DIR:CONTAINER-DIR[:OPTIONS]]]
787 Create a bind mount. If you specify, -v /HOST-DIR:/CONTAINER-DIR, Buil‐
790 dah
791 bind mounts /HOST-DIR in the host to /CONTAINER-DIR in the Buildah
792 container. The OPTIONS are a comma delimited list and can be:
793 · [rw|ro]
796 · [z|Z|O]
798 · [[r]shared|[r]slave|[r]private]
800 The CONTAINER-DIR must be an absolute path such as /src/docs. The
804 HOST-DIR must be an absolute path as well. Buildah bind-mounts the
805 HOST-DIR to the path you specify. For example, if you supply /foo as
806 the host path, Buildah copies the contents of /foo to the container
807 filesystem on the host and bind mounts that into the container.
808 You can specify multiple -v options to mount one or more mounts to a
811 container.
812 You can add the :ro or :rw suffix to a volume to mount it read-only or
815 read-write mode, respectively. By default, the volumes are mounted
816 read-write. See examples.
817 Labeling Volume Mounts
820 Labeling systems like SELinux require that proper labels are placed on
823 volume content mounted into a container. Without a label, the security
824 system might prevent the processes running inside the container from
825 using the content. By default, Buildah does not change the labels set
826 by the OS.
827 To change a label in the container context, you can add either of two
830 suffixes :z or :Z to the volume mount. These suffixes tell Buildah to
831 relabel file objects on the shared volumes. The z option tells Buildah
832 that two containers share the volume content. As a result, Buildah
833 labels the content with a shared content label. Shared volume labels
834 allow all containers to read/write content. The Z option tells Buildah
835 to label the content with a private unshared label. Only the current
836 container can use a private volume.
837 Overlay Volume Mounts
840 The :O flag tells Buildah to mount the directory from the host as a
843 temporary storage using the Overlay file system. The RUN command con‐
844 tainers are allowed to modify contents within the mountpoint and are
845 stored in the container storage in a separate directory. In Ovelay FS
846 terms the source directory will be the lower, and the container storage
847 directory will be the upper. Modifications to the mount point are
848 destroyed when the RUN command finishes executing, similar to a tmpfs
849 mount point.
850 Any subsequent execution of RUN commands sees the original source
853 directory content, any changes from previous RUN commands no longer
854 exists.
855 One use case of the overlay mount is sharing the package cache from the
858 host into the container to allow speeding up builds.
859 Note:
862 - Overlay mounts are not currently supported in rootless mode.
865 - The `O` flag is not allowed to be specified with the `Z` or `z` flags. Content mounted into the container is labeled with the private label.
866 On SELinux systems, labels in the source directory needs to be readable by the container label. If not, SELinux container separation must be disabled for the container to work.
867 - Modification of the directory volume mounted into the container with an overlay mount can cause unexpected failures. It is recommended that you do not modify the directory until the container finishes running.
868 By default bind mounted volumes are private. That means any mounts done
872 inside container will not be visible on the host and vice versa. This
873 behavior can be changed by specifying a volume mount propagation prop‐
874 erty.
875 When the mount propagation policy is set to shared, any mounts com‐
878 pleted inside the container on that volume will be visible to both the
879 host and container. When the mount propagation policy is set to slave,
880 one way mount propagation is enabled and any mounts completed on the
881 host for that volume will be visible only inside of the container. To
882 control the mount propagation property of the volume use the
883 :[r]shared, :[r]slave or :[r]private propagation flag. The propagation
884 property can be specified only for bind mounted volumes and not for
885 internal volumes or named volumes. For mount propagation to work on the
886 source mount point (the mount point where source dir is mounted on) it
887 has to have the right propagation properties. For shared volumes, the
888 source mount point has to be shared. And for slave volumes, the source
889 mount has to be either shared or slave.
890 Use df <source-dir> to determine the source mount and then use findmnt
893 -o TARGET,PROPAGATION <source-mount-dir> to determine propagation prop‐
894 erties of source mount, if findmnt utility is not available, the source
895 mount point can be determined by looking at the mount entry in
896 /proc/self/mountinfo. Look at optional fields and see if any propagaion
897 properties are specified. shared:X means the mount is shared, master:X
898 means the mount is slave and if nothing is there that means the mount
899 is private.
900 To change propagation properties of a mount point use the mount com‐
903 mand. For example, to bind mount the source directory /foo do mount
904 --bind /foo /foo and mount --make-private --make-shared /foo. This will
905 convert /foo into a shared mount point. The propagation properties of
906 the source mount can be changed directly. For instance if / is the
907 source mount for /foo, then use mount --make-shared / to convert / into
908 a shared mount.
909
912 Build an image using local Containerfiles
913 buildah bud .
914 buildah bud -f Containerfile .
917 cat /Dockerfile | buildah bud -f - .
920 buildah bud -f Dockerfile.simple -f Dockerfile.notsosimple .
923 buildah bud -t imageName .
926 buildah bud --tls-verify=true -t imageName -f Dockerfile.simple .
929 buildah bud --tls-verify=false -t imageName .
932 buildah bud --runtime-flag log-format=json .
935 buildah bud -f Containerfile --runtime-flag debug .
938 buildah bud --authfile /tmp/auths/myauths.json --cert-dir /auth
941 --tls-verify=true --creds=username:password -t imageName -f Docker‐
942 file.simple .
943 buildah bud --memory 40m --cpu-period 10000 --cpu-quota 50000 --ulimit
946 nofile=1024:1028 -t imageName .
947 buildah bud --security-opt label=level:s0:c100,c200 --cgroup-parent
950 /path/to/cgroup/parent -t imageName .
951 buildah bud --volume /home/test:/myvol:ro,Z -t imageName .
954 buildah bud -v /var/lib/dnf:/var/lib/dnf:O -t imageName .
957 buildah bud --layers -t imageName .
960 buildah bud --no-cache -t imageName .
963 buildah bud -f Containerfile --layers --force-rm -t imageName .
966 buildah bud --no-cache --rm=false -t imageName .
969 buildah bud --dns-search=example.com --dns=223.5.5.5
972 --dns-option=use-vc .
973 Building an image using a URL
976 This will clone the specified GitHub repository from the URL and use it
977 as context. The Containerfile or Dockerfile at the root of the reposi‐
978 tory is used as the context of the build. This only works if the GitHub
979 repository is a dedicated repository.
980 buildah bud github.com/scollier/purpletest
983 Note: You can set an arbitrary Git repository via the git:// scheme.
986 Building an image using a URL to a tarball'ed context
989 Buildah will fetch the tarball archive, decompress it and use its con‐
990 tents as the build context. The Containerfile or Dockerfile at the
991 root of the archive and the rest of the archive will get used as the
992 context of the build. If you pass an -f PATH/Containerfile option as
993 well, the system will look for that file inside the contents of the
994 tarball.
995 buildah bud -f dev/Containerfile https://10.10.10.1/docker/con‐
998 text.tar.gz
999 Note: supported compression formats are 'xz', 'bzip2', 'gzip' and
1002 'identity' (no compression).
1003
1006 BUILD_REGISTRY_SOURCES
1007 BUILD_REGISTRY_SOURCES, if set, is treated as a JSON object which con‐
1010 tains lists of registry names under the keys insecureRegistries,
1011 blockedRegistries, and allowedRegistries.
1012 When pulling an image from a registry, if the name of the registry
1015 matches any of the items in the blockedRegistries list, the image pull
1016 attempt is denied. If there are registries in the allowedRegistries
1017 list, and the registry's name is not in the list, the pull attempt is
1018 denied.
1019 TMPDIR The TMPDIR environment variable allows the user to specify where
1022 temporary files are stored while pulling and pushing images. Defaults
1023 to '/var/tmp'.
1024
1027 registries.conf (/etc/containers/registries.conf)
1028 registries.conf is the configuration file which specifies which con‐
1031 tainer registries should be consulted when completing image names which
1032 do not include a registry or domain portion.
1033 policy.json (/etc/containers/policy.json)
1036 Signature policy file. This defines the trust policy for container
1039 images. Controls which container registries can be used for image, and
1040 whether or not the tool should trust the images.
1041
1044 buildah(1), CPP(1), buildah-login(1), docker-login(1), namespaces(7),
1045 pid_namespaces(7), containers-policy.json(5), containers-reg‐
1046 istries.conf(5), user_namespaces(7), crun(1), runc(8)
1047buildah April 2017 buildah-bud(1)