buildah-commit(1)           General Commands Manual          buildah-commit(1)

NAME

       buildah-commit - Create an image from a working container.

SYNOPSIS

       buildah commit [options] container [image]

DESCRIPTION

       Writes a new image using the specified container's read-write layer
       and, if it is based on an image, the layers of that image. If image
       does not begin with a registry name component, localhost will be added
       to the name. If image is not provided, the image will have no name.
       When an image has no name, the buildah images command will display
       <none> in the REPOSITORY and TAG columns.

RETURN VALUE

       The image ID of the image that was created. On error, 1 is returned
       and errno is returned.

OPTIONS

       --authfile path

       Path of the authentication file. Default is
       ${XDG_RUNTIME_DIR}/containers/auth.json. If XDG_RUNTIME_DIR is not
       set, the default is /run/containers/$UID/auth.json. This file is
       created using buildah login.

       If the authorization state is not found there,
       $HOME/.docker/config.json is checked, which is set using docker login.

       Note: You can also override the default path of the authentication
       file by setting the REGISTRY_AUTH_FILE environment variable.
       export REGISTRY_AUTH_FILE=path

       --cert-dir path

       Use certificates at path (*.crt, *.cert, *.key) to connect to the
       registry. The default certificates directory is
       /etc/containers/certs.d.

       --creds creds

       The [username[:password]] to use to authenticate with the registry if
       required. If one or both values are not supplied, a command line
       prompt will appear and the value can be entered. The password is
       entered without echo.

       --disable-compression, -D

       Don't compress filesystem layers when building the image unless it is
       required by the location where the image is being written. This is
       the default setting, because image layers are compressed automatically
       when they are pushed to registries, and images being written to local
       storage would only need to be decompressed again to be stored.
       Compression can be forced in all cases by specifying
       --disable-compression=false.

       --encrypt-layer layer(s)

       Layer(s) to encrypt: 0-indexed layer indices with support for negative
       indexing (e.g. 0 is the first layer, -1 is the last layer). If not
       defined, all layers are encrypted when the --encryption-key flag is
       specified.

       --encryption-key key

       The [protocol:keyfile] specifies the encryption protocol, which can be
       JWE (RFC7516), PGP (RFC4880), or PKCS7 (RFC2315), and the key material
       required for image encryption. For instance, jwe:/path/to/key.pem or
       pgp:admin@example.com or pkcs7:/path/to/x509-file.

       --format, -f [oci | docker]

       Control the format for the image manifest and configuration data.
       Recognized formats include oci (OCI image-spec v1.0, the default) and
       docker (version 2, using schema format 2 for the manifest).

       Note: You can also override the default format by setting the
       BUILDAH_FORMAT environment variable.
       export BUILDAH_FORMAT=docker

       --identity-label bool-value

       Adds default identity label io.buildah.version if set. (default true).

       --iidfile ImageIDfile

       Write the image ID to the file.

       --manifest "listName"

       Name of the manifest list to which the built image will be added.
       Creates the manifest list if it does not exist. This option is useful
       for building multi architecture images.

       --omit-history bool-value

       Omit build history information in the built image. (default false).

       This option is useful for the cases where end users explicitly want to
       set --omit-history to omit the optional History from built images or
       when working with images built using build tools that do not include
       History information in their images.

       --quiet, -q

       When writing the output image, suppress progress output.

       --rm

       Remove the working container and its contents after creating the
       image. Default leaves the container and its content in place.

       --sign-by fingerprint

       Sign the new image using the GPG key that matches the specified
       fingerprint.

       --squash

       Squash all of the new image's layers (including those inherited from a
       base image) into a single new layer.

       --timestamp seconds

       Set the create timestamp to seconds since epoch to allow for
       deterministic builds (defaults to current time). By default, the
       created timestamp is changed and written into the image manifest with
       every commit, causing the image's sha256 hash to be different even if
       the sources are exactly the same otherwise. When --timestamp is set,
       the created timestamp is always set to the time specified and
       therefore not changed, allowing the image's sha256 to remain the same.
       All files committed to the layers of the image will be created with
       the timestamp.

       --tls-verify bool-value

       Require HTTPS and verification of certificates when talking to
       container registries (defaults to true). TLS verification cannot be
       used when talking to an insecure registry.

       --unsetenv env

       Unset environment variables from the final image.

EXAMPLE

       This example saves an image based on the container.
        buildah commit containerID newImageName

       This example saves an image named newImageName based on the container
       and removes the working container.
        buildah commit --rm containerID newImageName

       This example saves an image with no name, removes the working
       container, and creates a new container using the image's ID.
        buildah from $(buildah commit --rm containerID)

       This example saves an image based on the container disabling
       compression.
        buildah commit --disable-compression containerID

       This example saves an image named newImageName based on the container
       disabling compression.
        buildah commit --disable-compression containerID newImageName

       This example commits the container to the image on the local registry
       while turning off TLS verification.
        buildah commit --tls-verify=false containerID docker://localhost:5000/imageId

       This example commits the container to the image on the local registry
       using credentials and certificates for authentication.
        buildah commit --cert-dir ~/auth --tls-verify=true --creds=username:password containerID docker://localhost:5000/imageId

       This example commits the container to the image on the local registry
       using credentials from the /tmp/auths/myauths.json file and
       certificates for authentication.
        buildah commit --authfile /tmp/auths/myauths.json --cert-dir ~/auth --tls-verify=true --creds=username:password containerID docker://localhost:5000/imageName

       This example saves an image based on the container, but stores dates
       based on epoch time.
        buildah commit --timestamp=0 containerID newImageName

   Building a multi-architecture image using the --manifest option (requires
   emulation software)
              #!/bin/sh
              # Build one image per architecture and add each to the
              # ubi8ping manifest list.
              build() {
                   ctr=$(./bin/buildah from --arch "$1" ubi8)
                   ./bin/buildah run "$ctr" dnf install -y iputils
                   ./bin/buildah commit --manifest ubi8ping "$ctr"
              }
              build arm
              build amd64
              build s390x
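
       Added example, not part of the original manual page or of buildah: a
       pre-flight check for the argument list of a buildah commit call, such
       as the registry examples above. It flags --tls-verify=false, a
       password given inline to --creds (visible in the process list and
       shell history, unlike the no-echo prompt), and an --authfile that
       group or other can access. The function name audit_commit_args and
       its messages are assumptions.

```shell
#!/bin/sh
# Added example (not buildah code). audit_commit_args is a hypothetical helper:
# it reviews the arguments of one `buildah commit` call, prints one finding
# per line and returns 1 if anything was flagged, 0 otherwise.
audit_commit_args() {
    rc=0
    pending=
    for arg in "$@"; do
        if [ -n "$pending" ]; then       # join "--opt value" into "--opt=value"
            arg="$pending=$arg"
            pending=
        fi
        case $arg in
            --creds|--authfile)
                pending=$arg ;;           # the value is the next argument
            --tls-verify=false)
                echo "tls-verify: HTTPS and certificate verification are off"
                rc=1 ;;
            --creds=*:?*)
                echo "creds: password is given on the command line"
                rc=1 ;;
            --authfile=*)
                f=${arg#--authfile=}
                # Characters 5-10 of the ls mode string are the group/other bits.
                if [ -e "$f" ] && [ "$(ls -ld -- "$f" | cut -c5-10)" != "------" ]; then
                    echo "authfile: $f is accessible to group or other"
                    rc=1
                fi ;;
        esac
    done
    return "$rc"
}

# Two command lines from the EXAMPLE section, checked as written.
audit_commit_args --tls-verify=false containerID docker://localhost:5000/imageId || :
audit_commit_args --cert-dir ~/auth --tls-verify=true --creds=username:password \
    containerID docker://localhost:5000/imageId || :
```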

ENVIRONMENT

       BUILD_REGISTRY_SOURCES

       BUILD_REGISTRY_SOURCES, if set, is treated as a JSON object which
       contains lists of registry names under the keys insecureRegistries,
       blockedRegistries, and allowedRegistries.

       When committing an image, if the image is to be given a name, the
       portion of the name that corresponds to a registry is compared to the
       items in the blockedRegistries list, and if it matches any of them,
       the commit attempt is denied. If there are registries in the
       allowedRegistries list, and the portion of the name that corresponds
       to the registry is not in the list, the commit attempt is denied.

       TMPDIR

       The TMPDIR environment variable allows the user to specify where
       temporary files are stored while pulling and pushing images. Defaults
       to '/var/tmp'.
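
       Added example, not buildah's own code: a shell model of the
       BUILD_REGISTRY_SOURCES rule described above, for checking a policy
       value against image names before relying on it. It assumes exact
       string matching, flat lists of plain registry names, and the
       convention that a first name component containing '.' or ':' (or equal
       to localhost) is a registry; the function names and the sample policy
       are constructed.

```shell
#!/bin/sh
# Added example (a model of the documented rule, not buildah code).
# Constructed sample policy:
BUILD_REGISTRY_SOURCES='{"insecureRegistries": [],
  "blockedRegistries": ["docker.io"],
  "allowedRegistries": ["registry.example.com", "localhost:5000"]}'

# registry_of NAME: print the registry portion of an image name.
registry_of() {
    name=${1#docker://}                 # drop the transport prefix, if any
    case $name in
        */*) first=${name%%/*} ;;
        *)   first= ;;                  # bare name: no registry component
    esac
    case $first in
        localhost|*.*|*:*) printf '%s\n' "$first" ;;   # assumed convention
        *) printf 'localhost\n' ;;      # DESCRIPTION: localhost is added
    esac
}

# list_for KEY: print the entries of one list, one per line.
list_for() {
    printf '%s' "${BUILD_REGISTRY_SOURCES:-}" | tr -d ' \t\n' |
        sed -n "s/.*\"$1\":\[\([^]]*\)].*/\1/p" | tr ',' '\n' | tr -d '"'
}

# commit_allowed NAME: return 0 if the rule permits the name, 1 if it denies it.
commit_allowed() {
    reg=$(registry_of "$1")
    if list_for blockedRegistries | grep -Fxq -- "$reg"; then
        return 1                        # registry is on the blocked list
    fi
    allowed=$(list_for allowedRegistries | sed '/^$/d')
    if [ -n "$allowed" ] && ! printf '%s\n' "$allowed" | grep -Fxq -- "$reg"; then
        return 1                        # allowed list exists, registry not on it
    fi
    return 0
}

for n in registry.example.com/team/app docker.io/library/ubi8 quay.io/team/app; do
    if commit_allowed "$n"; then echo "allowed: $n"; else echo "denied:  $n"; fi
done
```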

FILES

       registries.conf (/etc/containers/registries.conf)

       registries.conf is the configuration file which specifies which
       container registries should be consulted when completing image names
       which do not include a registry or domain portion.

       policy.json (/etc/containers/policy.json)

       Signature policy file. This defines the trust policy for container
       images. Controls which container registries can be used for images,
       and whether or not the tool should trust the images.

SEE ALSO

       buildah(1), buildah-images(1), containers-policy.json(5),
       containers-registries.conf(5)

buildah                           March 2017                 buildah-commit(1)