1buildah-build(1) General Commands Manual buildah-build(1)
2
6 buildah-build - Build an image using instructions from Containerfiles
7
10 buildah build [options] [context]
11 buildah bud [options] [context]
14
17 Builds an image using instructions from one or more Containerfiles or
18 Dockerfiles and a specified build context directory. A Containerfile
19 uses the same syntax as a Dockerfile internally. For this document, a
20 file referred to as a Containerfile can be a file named either 'Con‐
21 tainerfile' or 'Dockerfile'.
22 The build context directory can be specified as the http(s) URL of an
25 archive, git repository or Containerfile.
26 If no context directory is specified, then Buildah will assume the cur‐
29 rent working directory as build context, which should contain a Con‐
30 tainerfile.
31 Containerfiles ending with a ".in" suffix will be preprocessed via
34 cpp(1). This can be useful to decompose Containerfiles into several
35 reusable parts that can be used via CPP's #include directive. Notice,
36 a Containerfile.in file can still be used by other tools when manually
37 preprocessing them via cpp -E. Any comments ( Lines beginning with # )
38 in included Containerfile(s) that are not preprocess commands, will be
39 printed as warnings during builds.
40 When the URL is an archive, the contents of the URL is downloaded to a
43 temporary location and extracted before execution.
44 When the URL is a Containerfile, the file is downloaded to a temporary
47 location.
48 When a Git repository is set as the URL, the repository is cloned lo‐
51 cally and then used as the build context. A non-default branch (or
52 commit ID) and subdirectory of the cloned git repository can be used by
53 including their names at the end of the URL in the form myrepo.git#my‐
54 branch:subdir, myrepo.git#mycommit:subdir, or myrepo.git#:subdir if the
55 subdirectory should be used from the default branch.
56
59 --add-host=[]
60 Add a custom host-to-IP mapping (host:ip)
63 Add a line to /etc/hosts. The format is hostname:ip. The --add-host op‐
66 tion can be set multiple times. Conflicts with the --no-hosts option.
67 --all-platforms
70 Instead of building for a set of platforms specified using the --plat‐
73 form option, inspect the build's base images, and build for all of the
74 platforms for which they are all available. Stages that use scratch as
75 a starting point can not be inspected, so at least one non-scratch
76 stage must be present for detection to work usefully.
77 --annotation annotation[=value]
80 Add an image annotation (e.g. annotation=value) to the image metadata.
83 Can be used multiple times. If annotation is named, but neither = nor
84 a value is provided, then the annotation is set to an empty value.
85 Note: this information is not present in Docker image formats, so it is
88 discarded when writing images in Docker formats.
89 --arch="ARCH"
92 Set the ARCH of the image to be built, and that of the base image to be
95 pulled, if the build uses one, to the provided value instead of using
96 the architecture of the host. (Examples: arm, arm64, 386, amd64,
97 ppc64le, s390x)
98 --authfile path
101 Path of the authentication file. Default is ${XDG_\RUNTIME_DIR}/con‐
104 tainers/auth.json. If XDG_RUNTIME_DIR is not set, the default is
105 /run/containers/$UID/auth.json. This file is created using buildah lo‐
106 gin.
107 If the authorization state is not found there, $HOME/.docker/con‐
110 fig.json is checked, which is set using docker login.
111 Note: You can also override the default path of the authentication file
114 by setting the REGISTRY_AUTH_FILE environment variable. export REG‐
115 ISTRY_AUTH_FILE=path
116 --build-arg arg=value
119 Specifies a build argument and its value, which will be interpolated in
122 instructions read from the Containerfiles in the same way that environ‐
123 ment variables are, but which will not be added to environment variable
124 list in the resulting image's configuration.
125 Please refer to the BUILD TIME VARIABLES ⟨#build-time-variables⟩ sec‐
128 tion for the list of variables that can be overridden within the Con‐
129 tainerfile at run time.
130 --build-context name=value
133 Specify an additional build context using its short name and its loca‐
136 tion. Additional build contexts can be referenced in the same manner as
137 we access different stages in COPY instruction.
138 Valid values could be: * Local directory – e.g. --build-context
141 project2=../path/to/project2/src * HTTP URL to a tarball – e.g.
142 --build-context src=https://example.org/releases/src.tar * Container
143 image – specified with a container-image:// prefix, e.g. --build-con‐
144 text alpine=container-image://alpine:3.15, (also accepts docker://,
145 docker-image://)
146 On the Containerfile side, you can reference the build context on all
149 commands that accept the “from” parameter. Here’s how that might look:
150 FROM [name]
153 COPY --from=[name] ...
154 RUN --mount=from=[name] …
155 The value of [name] is matched with the following priority order:
159 • Named build context defined with --build-context [name]=..
162 • Stage defined with AS [name] inside Containerfile
164 • Image [name], either local or in a remote registry
166 --cache-from
170 Repository to utilize as a potential cache source. When specified,
173 Buildah will try to look for cache images in the specified repository
174 and will attempt to pull cache images instead of actually executing the
175 build steps locally. Buildah will only attempt to pull previously
176 cached images if they are considered as valid cache hits.
177 Use the --cache-to option to populate a remote repository with cache
180 content.
181 Example
184 # populate a cache and also consult it
187 buildah build -t test --layers --cache-to registry/myrepo/cache --cache-from registry/myrepo/cache .
188 Note: --cache-from option is ignored unless --layers is specified.
192 --cache-to
195 Set this flag to specify a remote repository that will be used to store
198 cache images. Buildah will attempt to push newly built cache image to
199 the remote repository.
200 Note: Use the --cache-from option in order to use cache content in a
203 remote repository.
204 Example
207 # populate a cache and also consult it
210 buildah build -t test --layers --cache-to registry/myrepo/cache --cache-from registry/myrepo/cache .
211 Note: --cache-to option is ignored unless --layers is specified.
215 --cache-ttl duration
218 Limit the use of cached images to only consider images with created
221 timestamps less than duration ago. For example if --cache-ttl=1h is
222 specified, Buildah will only consider intermediate cache images which
223 are created under the duration of one hour, and intermediate cache im‐
224 ages outside this duration will be ignored.
225 Note: Setting --cache-ttl=0 manually is equivalent to using --no-cache
228 in the implementation since this would effectively mean that user is
229 not willing to use cache at all.
230 --cap-add=CAP_xxx
233 When executing RUN instructions, run the command specified in the in‐
236 struction with the specified capability added to its capability set.
237 Certain capabilities are granted by default; this option can be used to
238 add more.
239 --cap-drop=CAP_xxx
242 When executing RUN instructions, run the command specified in the in‐
245 struction with the specified capability removed from its capability
246 set. The CAP_AUDIT_WRITE, CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FOWNER,
247 CAP_FSETID, CAP_KILL, CAP_MKNOD, CAP_NET_BIND_SERVICE, CAP_SETFCAP,
248 CAP_SETGID, CAP_SETPCAP, CAP_SETUID, and CAP_SYS_CHROOT capabilities
249 are granted by default; this option can be used to remove them.
250 If a capability is specified to both the --cap-add and --cap-drop op‐
253 tions, it will be dropped, regardless of the order in which the options
254 were given.
255 --cert-dir path
258 Use certificates at path (*.crt, *.cert, *.key) to connect to the reg‐
261 istry. The default certificates directory is /etc/containers/certs.d.
262 --cgroup-parent=""
265 Path to cgroups under which the cgroup for the container will be cre‐
268 ated. If the path is not absolute, the path is considered to be rela‐
269 tive to the cgroups path of the init process. Cgroups will be created
270 if they do not already exist.
271 --cgroupns how
274 Sets the configuration for cgroup namespaces when handling RUN instruc‐
277 tions. The configured value can be "" (the empty string) or "private"
278 to indicate that a new cgroup namespace should be created, or it can be
279 "host" to indicate that the cgroup namespace in which buildah itself is
280 being run should be reused.
281 --compress
284 This option is added to be aligned with other containers CLIs. Buildah
287 doesn't send a copy of the context directory to a daemon or a remote
288 server. Thus, compressing the data before sending it is irrelevant to
289 Buildah.
290 --cpp-flag=""
293 Set additional flags to pass to the C Preprocessor cpp(1). Container‐
296 files ending with a ".in" suffix will be preprocessed via cpp(1). This
297 option can be used to pass additional flags to cpp. Note: You can also
298 set default CPPFLAGS by setting the BUILDAH_CPPFLAGS environment vari‐
299 able (e.g., export BUILDAH_CPPFLAGS="-DDEBUG").
300 --cpu-period=0
303 Set the CPU period for the Completely Fair Scheduler (CFS), which is a
306 duration in microseconds. Once the container's CPU quota is used up, it
307 will not be scheduled to run until the current period ends. Defaults to
308 100000 microseconds.
309 On some systems, changing the CPU limits may not be allowed for non-
312 root users. For more details, see https://github.com/containers/pod‐
313 man/blob/main/troubleshooting.md#26-running-containers-with-cpu-limits-
314 fails-with-a-permissions-error
315 --cpu-quota=0
318 Limit the CPU CFS (Completely Fair Scheduler) quota
321 Limit the container's CPU usage. By default, containers run with the
324 full CPU resource. This flag tells the kernel to restrict the con‐
325 tainer's CPU usage to the quota you specify.
326 On some systems, changing the CPU limits may not be allowed for non-
329 root users. For more details, see https://github.com/containers/pod‐
330 man/blob/main/troubleshooting.md#26-running-containers-with-cpu-limits-
331 fails-with-a-permissions-error
332 --cpu-shares, -c=0
335 CPU shares (relative weight)
338 By default, all containers get the same proportion of CPU cycles. This
341 proportion can be modified by changing the container's CPU share
342 weighting relative to the weighting of all other running containers.
343 To modify the proportion from the default of 1024, use the --cpu-shares
346 flag to set the weighting to 2 or higher.
347 The proportion will only apply when CPU-intensive processes are run‐
350 ning. When tasks in one container are idle, other containers can use
351 the left-over CPU time. The actual amount of CPU time will vary depend‐
352 ing on the number of containers running on the system.
353 For example, consider three containers, one has a cpu-share of 1024 and
356 two others have a cpu-share setting of 512. When processes in all three
357 containers attempt to use 100% of CPU, the first container would re‐
358 ceive 50% of the total CPU time. If you add a fourth container with a
359 cpu-share of 1024, the first container only gets 33% of the CPU. The
360 remaining containers receive 16.5%, 16.5% and 33% of the CPU.
361 On a multi-core system, the shares of CPU time are distributed over all
364 CPU cores. Even if a container is limited to less than 100% of CPU
365 time, it can use 100% of each individual CPU core.
366 For example, consider a system with more than three cores. If you start
369 one container {C0} with -c=512 running one process, and another con‐
370 tainer {C1} with -c=1024 running two processes, this can result in the
371 following division of CPU shares:
372 PID container CPU CPU share
375 100 {C0} 0 100% of CPU0
376 101 {C1} 1 100% of CPU1
377 102 {C1} 2 100% of CPU2
378 --cpuset-cpus=""
382 CPUs in which to allow execution (0-3, 0,1)
385 --cpuset-mems=""
388 Memory nodes (MEMs) in which to allow execution (0-3, 0,1). Only effec‐
391 tive on NUMA systems.
392 If you have four memory nodes on your system (0-3), use --cpuset-
395 mems=0,1 then processes in your container will only use memory from the
396 first two memory nodes.
397 --creds creds
400 The [username[:password]] to use to authenticate with the registry if
403 required. If one or both values are not supplied, a command line
404 prompt will appear and the value can be entered. The password is en‐
405 tered without echo.
406 --decryption-key key[:passphrase]
409 The [key[:passphrase]] to be used for decryption of images. Key can
412 point to keys and/or certificates. Decryption will be tried with all
413 keys. If the key is protected by a passphrase, it is required to be
414 passed in the argument and omitted otherwise.
415 --device=device
418 Add a host device to the container. Optional permissions parameter can
421 be used to specify device permissions, it is combination of r for read,
422 w for write, and m for mknod(2).
423 Example: --device=/dev/sdc:/dev/xvdc:rwm.
426 Note: if _hostdevice is a symbolic link then it will be resolved first.
429 The container will only store the major and minor numbers of the host
430 device.
431 Note: if the user only has access rights via a group, accessing the de‐
434 vice from inside a rootless container will fail. The crun(1) runtime
435 offers a workaround for this by adding the option --annotation
436 run.oci.keep_original_groups=1.
437 --disable-compression, -D
440 Don't compress filesystem layers when building the image unless it is
443 required by the location where the image is being written. This is the
444 default setting, because image layers are compressed automatically when
445 they are pushed to registries, and images being written to local stor‐
446 age would only need to be decompressed again to be stored. Compression
447 can be forced in all cases by specifying --disable-compression=false.
448 --disable-content-trust
451 This is a Docker specific option to disable image verification to a
454 Container registry and is not supported by Buildah. This flag is a
455 NOOP and provided solely for scripting compatibility.
456 --dns=[]
459 Set custom DNS servers. Invalid if using --dns with --network=none.
462 This option can be used to override the DNS configuration passed to the
465 container. Typically this is necessary when the host DNS configuration
466 is invalid for the container (e.g., 127.0.0.1). When this is the case
467 the --dns flag is necessary for every run.
468 The special value none can be specified to disable creation of /etc/re‐
471 solv.conf in the container by Buildah. The /etc/resolv.conf file in the
472 image will be used without changes.
473 --dns-option=[]
476 Set custom DNS options. Invalid if using --dns-option with --net‐
479 work=none.
480 --dns-search=[]
483 Set custom DNS search domains. Invalid if using --dns-search with
486 --network=none.
487 --env env[=value]
490 Add a value (e.g. env=value) to the built image. Can be used multiple
493 times. If neither = nor a *value* are specified, but env is set in the
494 current environment, the value from the current environment will be
495 added to the image. To remove an environment variable from the built
496 image, use the --unsetenv option.
497 --file, -f Containerfile
500 Specifies a Containerfile which contains instructions for building the
503 image, either a local file or an http or https URL. If more than one
504 Containerfile is specified, FROM instructions will only be accepted
505 from the first specified file.
506 If a local file is specified as the Containerfile and it does not ex‐
509 ist, the context directory will be prepended to the local file value.
510 If you specify -f -, the Containerfile contents will be read from
513 stdin.
514 --force-rm bool-value
517 Always remove intermediate containers after a build, even if the build
520 fails (default false).
521 --format
524 Control the format for the built image's manifest and configuration
527 data. Recognized formats include oci (OCI image-spec v1.0, the de‐
528 fault) and docker (version 2, using schema format 2 for the manifest).
529 Note: You can also override the default format by setting the BUIL‐
532 DAH_FORMAT environment variable. export BUILDAH_FORMAT=docker
533 --from
536 Overrides the first FROM instruction within the Containerfile. If
539 there are multiple FROM instructions in a Containerfile, only the first
540 is changed.
541 --help, -h
544 Print usage statement
547 --hooks-dir path
550 Each *.json file in the path configures a hook for buildah build con‐
553 tainers. For more details on the syntax of the JSON files and the se‐
554 mantics of hook injection. Buildah currently support both the 1.0.0 and
555 0.1.0 hook schemas, although the 0.1.0 schema is deprecated.
556 This option may be set multiple times; paths from later options have
559 higher precedence.
560 For the annotation conditions, buildah uses any annotations set in the
563 generated OCI configuration.
564 For the bind-mount conditions, only mounts explicitly requested by the
567 caller via --volume are considered. Bind mounts that buildah inserts by
568 default (e.g. /dev/shm) are not considered.
569 If --hooks-dir is unset for root callers, Buildah will currently de‐
572 fault to /usr/share/containers/oci/hooks.d and /etc/contain‐
573 ers/oci/hooks.d in order of increasing precedence. Using these defaults
574 is deprecated, and callers should migrate to explicitly setting
575 --hooks-dir.
576 --http-proxy=true
579 By default proxy environment variables are passed into the container if
582 set for the buildah process. This can be disabled by setting the
583 --http-proxy option to false. The environment variables passed in in‐
584 clude http_proxy, https_proxy, ftp_proxy, no_proxy, and also the upper
585 case versions of those.
586 --identity-label bool-value
589 Adds default identity label io.buildah.version if set. (default true).
592 --ignorefile file
595 Path to an alternative .containerignore (.dockerignore) file.
598 --iidfile ImageIDfile
601 Write the built image's ID to the file. When --platform is specified
604 more than once, attempting to use this option will trigger an error.
605 --ipc how
608 Sets the configuration for IPC namespaces when handling RUN instruc‐
611 tions. The configured value can be "" (the empty string) or "con‐
612 tainer" to indicate that a new IPC namespace should be created, or it
613 can be "host" to indicate that the IPC namespace in which buildah it‐
614 self is being run should be reused, or it can be the path to an IPC
615 namespace which is already in use by another process.
616 --isolation type
619 Controls what type of isolation is used for running processes as part
622 of RUN instructions. Recognized types include oci (OCI-compatible run‐
623 time, the default), rootless (OCI-compatible runtime invoked using a
624 modified configuration, with --no-new-keyring added to its create invo‐
625 cation, reusing the host's network and UTS namespaces, and creating
626 private IPC, PID, mount, and user namespaces; the default for unprivi‐
627 leged users), and chroot (an internal wrapper that leans more toward
628 chroot(1) than container technology, reusing the host's control group,
629 network, IPC, and PID namespaces, and creating private mount and UTS
630 namespaces, and creating user namespaces only when they're required for
631 ID mapping).
632 Note: You can also override the default isolation type by setting the
635 BUILDAH_ISOLATION environment variable. export BUILDAH_ISOLATION=oci
636 --jobs N
639 Run up to N concurrent stages in parallel. If the number of jobs is
642 greater than 1, stdin will be read from /dev/null. If 0 is specified,
643 then there is no limit on the number of jobs that run in parallel.
644 --label label[=value]
647 Add an image label (e.g. label=value) to the image metadata. Can be
650 used multiple times. If label is named, but neither = nor a value is
651 provided, then the label is set to an empty value.
652 Users can set a special LABEL io.containers.capabilities=CAP1,CAP2,CAP3
655 in a Containerfile that specifies the list of Linux capabilities re‐
656 quired for the container to run properly. This label specified in a
657 container image tells container engines, like Podman, to run the con‐
658 tainer with just these capabilities. The container engine launches the
659 container with just the specified capabilities, as long as this list of
660 capabilities is a subset of the default list.
661 If the specified capabilities are not in the default set, container en‐
664 gines should print an error message and will run the container with the
665 default capabilities.
666 --layers bool-value
669 Cache intermediate images during the build process (Default is false).
672 Note: You can also override the default value of layers by setting the
675 BUILDAH_LAYERS environment variable. export BUILDAH_LAYERS=true
676 --logfile filename
679 Log output which would be sent to standard output and standard error to
682 the specified file instead of to standard output and standard error.
683 --logsplit bool-value
686 If --logfile and --platform is specified following flag allows end-
689 users to split log file for each platform into different files with
690 naming convention as ${logfile}_${platform-os}_${platform-arch}.
691 --manifest listName
694 Name of the manifest list to which the built image will be added. Cre‐
697 ates the manifest list if it does not exist. This option is useful for
698 building multi architecture images. If listName does not include a
699 registry name component, the registry name localhost will be prepended
700 to the list name.
701 --memory, -m=""
704 Memory limit (format: [], where unit = b, k, m or g)
707 Allows you to constrain the memory available to a container. If the
710 host supports swap memory, then the -m memory setting can be larger
711 than physical RAM. If a limit of 0 is specified (not using -m), the
712 container's memory is not limited. The actual limit may be rounded up
713 to a multiple of the operating system's page size (the value would be
714 very large, that's millions of trillions).
715 --memory-swap="LIMIT"
718 A limit value equal to memory plus swap. Must be used with the -m
721 (--memory) flag. The swap LIMIT should always be larger than -m (--mem‐
722 ory) value. By default, the swap LIMIT will be set to double the value
723 of --memory.
724 The format of LIMIT is <number>[<unit>]. Unit can be b (bytes), k
727 (kilobytes), m (megabytes), or g (gigabytes). If you don't specify a
728 unit, b is used. Set LIMIT to -1 to enable unlimited swap.
729 --network, --net=mode
732 Sets the configuration for network namespaces when handling RUN in‐
735 structions.
736 Valid mode values are:
739 • none: no networking. Invalid if using --dns, --dns-opt, or
742 --dns-search;
743 • host: use the host network stack. Note: the host mode gives
745 the container full access to local system services such as D-
746 bus and is therefore considered insecure;
747 • ns:path: path to a network namespace to join;
749 • private: create a new namespace for the container (default)
751 • <network name|ID>: Join the network with the given name or ID,
753 e.g. use --network mynet to join the network with the name
754 mynet. Only supported for rootful users.
755 --no-cache
759 Do not use existing cached images for the container build. Build from
762 the start with a new set of cached layers.
763 --no-hosts
766 Do not create /etc/hosts for the container.
769 By default, Buildah manages /etc/hosts, adding the container's own IP
772 address. --no-hosts disables this, and the image's /etc/hosts will be
773 preserved unmodified. Conflicts with the --add-host option.
774 --omit-history bool-value
777 Omit build history information in the built image. (default false).
780 This option is useful for the cases where end users explicitly want to
783 set --omit-history to omit the optional History from built images or
784 when working with images built using build tools that do not include
785 History information in their images.
786 --os="OS"
789 Set the OS of the image to be built, and that of the base image to be
792 pulled, if the build uses one, instead of using the current operating
793 system of the host.
794 --os-feature feature
797 Set the name of a required operating system feature for the image which
800 will be built. By default, if the image is not based on scratch, the
801 base image's required OS feature list is kept, if the base image speci‐
802 fied any. This option is typically only meaningful when the image's OS
803 is Windows.
804 If feature has a trailing -, then the feature is removed from the set
807 of required features which will be listed in the image.
808 --os-version version
811 Set the exact required operating system version for the image which
814 will be built. By default, if the image is not based on scratch, the
815 base image's required OS version is kept, if the base image specified
816 one. This option is typically only meaningful when the image's OS is
817 Windows, and is typically set in Windows base images, so using this op‐
818 tion is usually unnecessary.
819 --output, -o=""
822 Output destination (format: type=local,dest=path)
825 The --output (or -o) option extends the default behavior of building a
828 container image by allowing users to export the contents of the image
829 as files on the local filesystem, which can be useful for generating
830 local binaries, code generation, etc.
831 The value for --output is a comma-separated sequence of key=value
834 pairs, defining the output type and options.
835 Supported keys are: - dest: Destination path for exported output. Valid
838 value is absolute or relative path, - means the standard output. -
839 type: Defines the type of output to be used. Valid values is documented
840 below.
841 Valid type values are: - local: write the resulting build files to a
844 directory on the client-side. - tar: write the resulting files as a
845 single tarball (.tar).
846 If no type is specified, the value defaults to local. Alternatively,
849 instead of a comma-separated sequence, the value of --output can be
850 just a destination (in the **dest** format) (e.g.--output some-
851 path,--output -) where--output some-pathis treated as if **type=local**
852 and--output -` is treated as if type=tar.
853 --pid how
856 Sets the configuration for PID namespaces when handling RUN instruc‐
859 tions. The configured value can be "" (the empty string) or "private"
860 to indicate that a new PID namespace should be created, or it can be
861 "host" to indicate that the PID namespace in which buildah itself is
862 being run should be reused, or it can be the path to a PID namespace
863 which is already in use by another process.
864 --platform="OS/ARCH[/VARIANT]"
867 Set the OS/ARCH of the built image (and its base image, if your build
870 uses one) to the provided value instead of using the current operating
871 system and architecture of the host (for example linux/arm).
872 The --platform flag can be specified more than once, or given a comma-
875 separated list of values as its argument. When more than one platform
876 is specified, the --manifest option should be used instead of the --tag
877 option.
878 OS/ARCH pairs are those used by the Go Programming Language. In sev‐
881 eral cases the ARCH value for a platform differs from one produced by
882 other tools such as the arch command. Valid OS and architecture name
883 combinations are listed as values for $GOOS and $GOARCH at
884 https://golang.org/doc/install/source#environment, and can also be
885 found by running go tool dist list.
886 While buildah bud is happy to use base images and build images for any
889 platform that exists, RUN instructions will not be able to succeed
890 without the help of emulation provided by packages like qemu-user-
891 static.
892 NOTE: The --platform option may not be used in combination with the
895 --arch, --os, or --variant options.
896 --pull
899 When the flag is enabled or set explicitly to true (with --pull=true),
902 attempt to pull the latest image from the registries listed in reg‐
903 istries.conf if a local image does not exist or the image is newer than
904 the one in storage. Raise an error if the image is not in any listed
905 registry and is not present locally.
906 If the flag is disabled (with --pull=false), do not pull the image from
909 the registry, use only the local version. Raise an error if the image
910 is not present locally.
911 If the pull flag is set to always (with --pull=always), pull the image
914 from the first registry it is found in as listed in registries.conf.
915 Raise an error if not found in the registries, even if the image is
916 present locally.
917 If the pull flag is set to never (with --pull=never), Do not pull the
920 image from the registry, use only the local version. Raise an error if
921 the image is not present locally.
922 Defaults to true.
925 --quiet, -q
928 Suppress output messages which indicate which instruction is being pro‐
931 cessed, and of progress when pulling images from a registry, and when
932 writing the output image.
933 --retry attempts
936 Number of times to retry in case of failure when performing push/pull
939 of images to/from registry.
940 Defaults to 3.
943 --retry-delay duration
946 Duration of delay between retry attempts in case of failure when per‐
949 forming push/pull of images to/from registry.
950 Defaults to 2s.
953 --rm bool-value
956 Remove intermediate containers after a successful build (default true).
959 --runtime path
962 The path to an alternate OCI-compatible runtime, which will be used to
965 run commands specified by the RUN instruction. Default is runc, or crun
966 when machine is configured to use cgroups V2.
967 Note: You can also override the default runtime by setting the BUIL‐
970 DAH_RUNTIME environment variable. export BUILDAH_RUNTIME=/usr/bin/crun
971 --runtime-flag flag
974 Adds global flags for the container rutime. To list the supported
977 flags, please consult the manpages of the selected container runtime.
978 Note: Do not pass the leading -- to the flag. To pass the runc flag
981 --log-format json to buildah build, the option given would be --run‐
982 time-flag log-format=json.
983 --secret=id=id,src=path
986 Pass secret information to be used in the Containerfile for building
989 images in a safe way that will not end up stored in the final image, or
990 be seen in other stages. The secret will be mounted in the container
991 at the default location of /run/secrets/id.
992 To later use the secret, use the --mount flag in a RUN instruction
995 within a Containerfile:
996 RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret
999 --security-opt=[]
1002 Security Options
1005 "apparmor=unconfined" : Turn off apparmor confinement for the container
1008 "apparmor=your-profile" : Set the apparmor confinement profile for
1009 the container
1010 "label=user:USER" : Set the label user for the container
1013 "label=role:ROLE" : Set the label role for the container
1014 "label=type:TYPE" : Set the label type for the container
1015 "label=level:LEVEL" : Set the label level for the container
1016 "label=disable" : Turn off label confinement for the container
1017 "no-new-privileges" : Not supported
1018 "seccomp=unconfined" : Turn off seccomp confinement for the container
1021 "seccomp=profile.json : White listed syscalls seccomp Json file to
1022 be used as a seccomp filter
1023 --shm-size=""
1026 Size of /dev/shm. The format is <number><unit>. number must be greater
1029 than 0. Unit is optional and can be b (bytes), k (kilobytes),
1030 m(megabytes), or g (gigabytes). If you omit the unit, the system uses
1031 bytes. If you omit the size entirely, the system uses 64m.
1032 --sign-by fingerprint
1035 Sign the built image using the GPG key that matches the specified fin‐
1038 gerprint.
1039 --skip-unused-stages bool-value
1042 Skip stages in multi-stage builds which don't affect the target stage.
1045 (Default is true).
1046 --squash
1049 Squash all of the image's new layers into a single new layer; any pre‐
1052 existing layers are not squashed.
1053 --ssh=default|id[=socket>|[,]
1056 SSH agent socket or keys to expose to the build. The socket path can
1059 be left empty to use the value of default=$SSH_AUTH_SOCK
1060 To later use the ssh agent, use the --mount flag in a RUN instruction
1063 within a Containerfile:
1064 RUN --mount=type=secret,id=id mycmd
1067 --stdin
1070 Pass stdin into the RUN containers. Sometimes commands being RUN within
1073 a Containerfile want to request information from the user. For example
1074 apt asking for a confirmation for install. Use --stdin to be able to
1075 interact from the terminal during the build.
1076 --tag, -t imageName
1079 Specifies the name which will be assigned to the resulting image if the
1082 build process completes successfully. If imageName does not include a
1083 registry name component, the registry name localhost will be prepended
1084 to the image name.
1085 --target stageName
1088 Set the target build stage to build. When building a Containerfile
1091 with multiple build stages, --target can be used to specify an interme‐
1092 diate build stage by name as the final stage for the resulting image.
1093 Commands after the target stage will be skipped.
1094 --timestamp seconds
1097 Set the create timestamp to seconds since epoch to allow for determin‐
1100 istic builds (defaults to current time). By default, the created time‐
1101 stamp is changed and written into the image manifest with every commit,
1102 causing the image's sha256 hash to be different even if the sources are
1103 exactly the same otherwise. When --timestamp is set, the created time‐
1104 stamp is always set to the time specified and therefore not changed,
1105 allowing the image's sha256 to remain the same. All files committed to
1106 the layers of the image will be created with the timestamp.
1107 --tls-verify bool-value
1110 Require HTTPS and verification of certificates when talking to con‐
1113 tainer registries (defaults to true). TLS verification cannot be used
1114 when talking to an insecure registry.
1115 --ulimit type=soft-limit[:hard-limit]
1118 Specifies resource limits to apply to processes launched when process‐
1121 ing RUN instructions. This option can be specified multiple times.
1122 Recognized resource types include:
1123 "core": maximum core dump size (ulimit -c)
1124 "cpu": maximum CPU time (ulimit -t)
1125 "data": maximum size of a process's data segment (ulimit -d)
1126 "fsize": maximum size of new files (ulimit -f)
1127 "locks": maximum number of file locks (ulimit -x)
1128 "memlock": maximum amount of locked memory (ulimit -l)
1129 "msgqueue": maximum amount of data in message queues (ulimit -q)
1130 "nice": niceness adjustment (nice -n, ulimit -e)
1131 "nofile": maximum number of open files (ulimit -n)
1132 "nofile": maximum number of open files (1048576); when run by root
1133 "nproc": maximum number of processes (ulimit -u)
1134 "nproc": maximum number of processes (1048576); when run by root
1135 "rss": maximum size of a process's (ulimit -m)
1136 "rtprio": maximum real-time scheduling priority (ulimit -r)
1137 "rttime": maximum amount of real-time execution between blocking
1138 syscalls
1139 "sigpending": maximum number of pending signals (ulimit -i)
1140 "stack": maximum stack size (ulimit -s)
1141 --unsetenv env
1144 Unset environment variables from the final image.
1147 --userns how
1150 Sets the configuration for user namespaces when handling RUN instruc‐
1153 tions. The configured value can be "" (the empty string) , "private"
1154 or "auto" to indicate that a new user namespace should be created, it
1155 can be "host" to indicate that the user namespace in which buildah it‐
1156 self is being run should be reused, or it can be the path to an user
1157 namespace which is already in use by another process.
1158 auto: automatically create a unique user namespace.
1161 The --userns=auto flag, requires that the user name containers and a
1164 range of subordinate user ids that the build container is allowed to
1165 use be specified in the /etc/subuid and /etc/subgid files.
1166 Example: containers:2147483647:2147483648.
1169 Buildah allocates unique ranges of UIDs and GIDs from the containers
1172 subordinate user ids. The size of the ranges is based on the number of
1173 UIDs required in the image. The number of UIDs and GIDs can be overrid‐
1174 den with the size option.
1175 Valid auto options:
1178 • gidmapping=CONTAINER_GID:HOST_GID:SIZE: to force a GID mapping
1181 to be present in the user namespace.
1182 • size=SIZE: to specify an explicit size for the automatic user
1184 namespace. e.g. --userns=auto:size=8192. If size is not speci‐
1185 fied, auto will estimate a size for the user namespace.
1186 • uidmapping=CONTAINER_UID:HOST_UID:SIZE: to force a UID mapping
1188 to be present in the user namespace.
1189 --userns-gid-map-group group
1193 Specifies that a GID mapping which should be used to set ownership, at
1196 the filesystem level, on the working container's contents, can be found
1197 in entries in the /etc/subgid file which correspond to the specified
1198 group. Commands run when handling RUN instructions will default to be‐
1199 ing run in their own user namespaces, configured using the UID and GID
1200 maps. If --userns-uid-map-user is specified, but --userns-gid-map-
1201 group is not specified, buildah will assume that the specified user
1202 name is also a suitable group name to use as the default setting for
1203 this option.
1204 Users can specify the maps directly using --userns-gid-map described in
1207 the buildah(1) man page.
1208 NOTE: When this option is specified by a rootless user, the specified
1211 mappings are relative to the rootless usernamespace in the container,
1212 rather than being relative to the host as it would be when run rootful.
1213 --userns-uid-map-user user
1216 Specifies that a UID mapping which should be used to set ownership, at
1219 the filesystem level, on the working container's contents, can be found
1220 in entries in the /etc/subuid file which correspond to the specified
1221 user. Commands run when handling RUN instructions will default to be‐
1222 ing run in their own user namespaces, configured using the UID and GID
1223 maps. If --userns-gid-map-group is specified, but --userns-uid-map-
1224 user is not specified, buildah will assume that the specified group
1225 name is also a suitable user name to use as the default setting for
1226 this option.
1227 Users can specify the maps directly using --userns-uid-map described in
1230 the buildah(1) man page.
1231 NOTE: When this option is specified by a rootless user, the specified
1234 mappings are relative to the rootless usernamespace in the container,
1235 rather than being relative to the host as it would be when run rootful.
1236 --uts how
1239 Sets the configuration for UTS namespaces when handling RUN instruc‐
1242 tions. The configured value can be "" (the empty string) or "con‐
1243 tainer" to indicate that a new UTS namespace should be created, or it
1244 can be "host" to indicate that the UTS namespace in which buildah it‐
1245 self is being run should be reused, or it can be the path to a UTS
1246 namespace which is already in use by another process.
1247 --variant=""
1250 Set the architecture variant of the image to be pulled.
1253 --volume, -v[=[HOST-DIR:CONTAINER-DIR[:OPTIONS]]]
1256 Mount a host directory into containers when executing RUN instructions
1259 during the build. The OPTIONS are a comma delimited list and can be:
1260 [1] ⟨#Footnote1⟩
1261 • [rw|ro]
1264 • [U]
1266 • [z|Z|O]
1268 • [[r]shared|[r]slave|[r]private]
1270 The CONTAINER-DIR must be an absolute path such as /src/docs. The HOST-
1274 DIR must be an absolute path as well. Buildah bind-mounts the HOST-DIR
1275 to the path you specify. For example, if you supply /foo as the host
1276 path, Buildah copies the contents of /foo to the container filesystem
1277 on the host and bind mounts that into the container.
1278 You can specify multiple -v options to mount one or more mounts to a
1281 container.
1282 Write Protected Volume Mounts
1285 You can add the :ro or :rw suffix to a volume to mount it read-only or
1288 read-write mode, respectively. By default, the volumes are mounted
1289 read-write. See examples.
1290 Chowning Volume Mounts
1293 By default, Buildah does not change the owner and group of source vol‐
1296 ume directories mounted into containers. If a container is created in a
1297 new user namespace, the UID and GID in the container may correspond to
1298 another UID and GID on the host.
1299 The :U suffix tells Buildah to use the correct host UID and GID based
1302 on the UID and GID within the container, to change the owner and group
1303 of the source volume.
1304 Labeling Volume Mounts
1307 Labeling systems like SELinux require that proper labels are placed on
1310 volume content mounted into a container. Without a label, the security
1311 system might prevent the processes running inside the container from
1312 using the content. By default, Buildah does not change the labels set
1313 by the OS.
1314 To change a label in the container context, you can add either of two
1317 suffixes :z or :Z to the volume mount. These suffixes tell Buildah to
1318 relabel file objects on the shared volumes. The z option tells Buildah
1319 that two containers share the volume content. As a result, Buildah la‐
1320 bels the content with a shared content label. Shared volume labels al‐
1321 low all containers to read/write content. The Z option tells Buildah
1322 to label the content with a private unshared label. Only the current
1323 container can use a private volume.
1324 Overlay Volume Mounts
1327 The :O flag tells Buildah to mount the directory from the host as a
1330 temporary storage using the Overlay file system. The RUN command con‐
1331 tainers are allowed to modify contents within the mountpoint and are
1332 stored in the container storage in a separate directory. In Overlay FS
1333 terms the source directory will be the lower, and the container storage
1334 directory will be the upper. Modifications to the mount point are de‐
1335 stroyed when the RUN command finishes executing, similar to a tmpfs
1336 mount point.
1337 Any subsequent execution of RUN commands sees the original source di‐
1340 rectory content, any changes from previous RUN commands no longer ex‐
1341 ist.
1342 One use case of the overlay mount is sharing the package cache from the
1345 host into the container to allow speeding up builds.
1346 Note:
1349 - The `O` flag is not allowed to be specified with the `Z` or `z` flags. Content mounted into the container is labeled with the private label.
1352 On SELinux systems, labels in the source directory must be readable by the container label. If not, SELinux container separation must be disabled for the container to work.
1353 - Modification of the directory volume mounted into the container with an overlay mount can cause unexpected failures. It is recommended that you do not modify the directory until the container finishes running.
1354 By default bind mounted volumes are private. That means any mounts done
1358 inside container will not be visible on the host and vice versa. This
1359 behavior can be changed by specifying a volume mount propagation prop‐
1360 erty.
1361 When the mount propagation policy is set to shared, any mounts com‐
1364 pleted inside the container on that volume will be visible to both the
1365 host and container. When the mount propagation policy is set to slave,
1366 one way mount propagation is enabled and any mounts completed on the
1367 host for that volume will be visible only inside of the container. To
1368 control the mount propagation property of the volume use the
1369 :[r]shared, :[r]slave or :[r]private propagation flag. The propagation
1370 property can be specified only for bind mounted volumes and not for in‐
1371 ternal volumes or named volumes. For mount propagation to work on the
1372 source mount point (the mount point where source dir is mounted on) it
1373 has to have the right propagation properties. For shared volumes, the
1374 source mount point has to be shared. And for slave volumes, the source
1375 mount has to be either shared or slave. [1] ⟨#Footnote1⟩
1376 Use df <source-dir> to determine the source mount and then use findmnt
1379 -o TARGET,PROPAGATION <source-mount-dir> to determine propagation prop‐
1380 erties of source mount, if findmnt utility is not available, the source
1381 mount point can be determined by looking at the mount entry in
1382 /proc/self/mountinfo. Look at optional fields and see if any propaga‐
1383 tion properties are specified. shared:X means the mount is shared,
1384 master:X means the mount is slave and if nothing is there that means
1385 the mount is private. [1] ⟨#Footnote1⟩
1386 To change propagation properties of a mount point use the mount com‐
1389 mand. For example, to bind mount the source directory /foo do mount
1390 --bind /foo /foo and mount --make-private --make-shared /foo. This will
1391 convert /foo into a shared mount point. The propagation properties of
1392 the source mount can be changed directly. For instance if / is the
1393 source mount for /foo, then use mount --make-shared / to convert / into
1394 a shared mount.
1395
1398 The ENV instruction in a Containerfile can be used to define variable
1399 values. When the image is built, the values will persist in the con‐
1400 tainer image. At times it is more convenient to change the values in
1401 the Containerfile via a command-line option rather than changing the
1402 values within the Containerfile itself.
1403 The following variables can be used in conjunction with the --build-arg
1406 option to override the corresponding values set in the Containerfile
1407 using the ENV instruction.
1408 • HTTP_PROXY
1411 • HTTPS_PROXY
1413 • FTP_PROXY
1415 • NO_PROXY
1417 Please refer to the Using Build Time Variables ⟨#using-build-time-vari‐
1421 ables⟩ section of the Examples.
1422
1425 Build an image using local Containerfiles
1426 buildah build .
1427 buildah build -f Containerfile .
1430 cat ~/Containerfile | buildah build -f - .
1433 buildah build -f Containerfile.simple -f Containerfile.notsosimple .
1436 buildah build --timestamp=$(date '+%s') -t imageName .
1439 buildah build -t imageName .
1442 buildah build --tls-verify=true -t imageName -f Containerfile.simple .
1445 buildah build --tls-verify=false -t imageName .
1448 buildah build --runtime-flag log-format=json .
1451 buildah build -f Containerfile --runtime-flag debug .
1454 buildah build --authfile /tmp/auths/myauths.json --cert-dir ~/auth
1457 --tls-verify=true --creds=username:password -t imageName -f Container‐
1458 file.simple .
1459 buildah build --memory 40m --cpu-period 10000 --cpu-quota 50000
1462 --ulimit nofile=1024:1028 -t imageName .
1463 buildah build --security-opt label=level:s0:c100,c200 --cgroup-parent
1466 /path/to/cgroup/parent -t imageName .
1467 buildah build --arch=arm --variant v7 -t imageName .
1470 buildah build --volume /home/test:/myvol:ro,Z -t imageName .
1473 buildah build -v /home/test:/myvol:z,U -t imageName .
1476 buildah build -v /var/lib/dnf:/var/lib/dnf:O -t imageName .
1479 buildah build --layers -t imageName .
1482 buildah build --no-cache -t imageName .
1485 buildah build -f Containerfile --layers --force-rm -t imageName .
1488 buildah build --no-cache --rm=false -t imageName .
1491 buildah build --dns-search=example.com --dns=223.5.5.5 --dns-op‐
1494 tion=use-vc .
1495 buildah build -f Containerfile.in --cpp-flag="-DDEBUG" -t imageName .
1498 buildah build --network mynet .
1501 buildah build --env LANG=en_US.UTF-8 -t imageName .
1504 buildah build --env EDITOR -t imageName .
1507 buildah build --unsetenv LANG -t imageName .
1510 buildah build --os-version 10.0.19042.1645 -t imageName .
1513 buildah build --os-feature win32k -t imageName .
1516 buildah build --os-feature win32k- -t imageName .
1519 Building an multi-architecture image using the --manifest option (requires
1522 emulation software)
1523 buildah build --arch arm --manifest myimage /tmp/mysrc
1524 buildah build --arch amd64 --manifest myimage /tmp/mysrc
1527 buildah build --arch s390x --manifest myimage /tmp/mysrc
1530 buildah bud --platform linux/s390x,linux/ppc64le,linux/amd64 --manifest
1533 myimage /tmp/mysrc
1534 buildah bud --platform linux/arm64 --platform linux/amd64 --manifest
1537 myimage /tmp/mysrc
1538 buildah bud --all-platforms --manifest myimage /tmp/mysrc
1541 Building an image using (--output) custom build output
1544 buildah build -o out .
1545 buildah build --output type=local,dest=out .
1548 buildah build --output type=tar,dest=out.tar .
1551 buildah build -o - . > out.tar
1554 Building an image using a URL
1557 This will clone the specified GitHub repository from the URL and use it
1558 as context. The Containerfile or Dockerfile at the root of the reposi‐
1559 tory is used as the context of the build. This only works if the GitHub
1560 repository is a dedicated repository.
1561 buildah build https://github.com/scollier/purpletest
1564 Note: Github does not support using git:// for performing clone opera‐
1567 tion due to recent changes in their security guidance
1568 (https://github.blog/2021-09-01-improving-git-protocol-security-
1569 github/). Use an https:// URL if the source repository is hosted on
1570 Github.
1571 Building an image using a URL to a tarball'ed context
1574 Buildah will fetch the tarball archive, decompress it and use its con‐
1575 tents as the build context. The Containerfile or Dockerfile at the
1576 root of the archive and the rest of the archive will get used as the
1577 context of the build. If you pass an -f PATH/Containerfile option as
1578 well, the system will look for that file inside the contents of the
1579 tarball.
1580 buildah build -f dev/Containerfile https://10.10.10.1/buildah/con‐
1583 text.tar.gz
1584 Note: supported compression formats are 'xz', 'bzip2', 'gzip' and
1587 'identity' (no compression).
1588 Using Build Time Variables
1591 Replace the value set for the HTTP_PROXY environment variable within the
1592 Containerfile.
1593 buildah build --build-arg=HTTP_PROXY="http://127.0.0.1:8321"
1594
1597 BUILD_REGISTRY_SOURCES
1598 BUILD_REGISTRY_SOURCES, if set, is treated as a JSON object which con‐
1601 tains lists of registry names under the keys insecureRegistries,
1602 blockedRegistries, and allowedRegistries.
1603 When pulling an image from a registry, if the name of the registry
1606 matches any of the items in the blockedRegistries list, the image pull
1607 attempt is denied. If there are registries in the allowedRegistries
1608 list, and the registry's name is not in the list, the pull attempt is
1609 denied.
1610 TMPDIR The TMPDIR environment variable allows the user to specify where
1613 temporary files are stored while pulling and pushing images. Defaults
1614 to '/var/tmp'.
1615
1618 .containerignore/.dockerignore
1619 If the .containerignore/.dockerignore file exists in the context direc‐
1620 tory, buildah build reads its contents. If both exist, then .container‐
1621 ignore is used. Use the --ignorefile flag to override the ignore file
1622 path location. Buildah uses the content to exclude files and directo‐
1623 ries from the context directory, when executing COPY and ADD directives
1624 in the Containerfile/Dockerfile
1625 Users can specify a series of Unix shell globals in a
1628 Buildah supports a special wildcard string ** which matches any number
1631 of directories (including zero). For example, */.go will exclude all
1632 files that end with .go that are found in all directories.
1633 Example .containerignore file:
1636 # exclude this content for image
1639 */*.c
1640 **/output*
1641 src
1642 */*.c Excludes files and directories whose names end with .c in any top
1646 level subdirectory. For example, the source file include/rootless.c.
1647 **/output* Excludes files and directories starting with output from any
1650 directory.
1651 src Excludes files named src and the directory src as well as any con‐
1654 tent in it.
1655 Lines starting with ! (exclamation mark) can be used to make exceptions
1658 to exclusions. The following is an example .containerignore/.dockerig‐
1659 nore file that uses this mechanism:
1660 *.doc
1663 !Help.doc
1664 Exclude all doc files except Help.doc from the image.
1668 This functionality is compatible with the handling of .containerignore
1671 files described here:
1672 https://github.com/containers/buildah/blob/main/docs/containerig‐
1675 nore.5.md
1676 registries.conf (/etc/containers/registries.conf)
1679 registries.conf is the configuration file which specifies which con‐
1682 tainer registries should be consulted when completing image names which
1683 do not include a registry or domain portion.
1684 policy.json (/etc/containers/policy.json)
1687 Signature policy file. This defines the trust policy for container im‐
1690 ages. Controls which container registries can be used for image, and
1691 whether or not the tool should trust the images.
1692
1695 buildah(1), cpp(1), buildah-login(1), docker-login(1), namespaces(7),
1696 pid_namespaces(7), containers-policy.json(5), containers-reg‐
1697 istries.conf(5), user_namespaces(7), crun(1), runc(8)
1698
1701 1: The Buildah project is committed to inclusivity, a core value of
1702 open source. The master and slave mount propagation terminology used
1703 here is problematic and divisive, and should be changed. However, these
1704 terms are currently used within the Linux kernel and must be used as-is
1705 at this time. When the kernel maintainers rectify this usage, Buildah
1706 will follow suit immediately.
1707buildah April 2017 buildah-build(1)