Logo for the Buildah project

A little over a year ago, I challenged my engineering team to create a “coreutils” of container images—essentially, a utility that could be used with existing container host tools like cp, make, yum, and more to build Open Container Initiative (OCI) and docker container images. These images could then be stored at container registries and used by a multitude of container runtimes. I told the team that OCI images were nothing more than a tarball of related container-specific files, so asked, why can’t we create a simple tool to build them without running a container daemon? The engineers asked me what to call it and I responded: “just call it builder.” The engineers heard my Boston accent and `Buildah` was born. I am thrilled to announce that we feel Buildah is developed enough to declare a 1.0 release, with the intent to continue adding innovation and features in the future.

It’s not really a secret that Linux containers are becoming a staple in the mix for modern enterprise IT. Gartner predicts that, by 2020, more than 50% of global organizations will be running containerized applications in production, up from less than 20% today.* This means to us that developers need to be able to more quickly and easily create containerized applications. It’s this challenge that the Buildah project, with the release of version 1.0, aims to solve by bringing new innovation to the world of container development.

While Linux containers themselves present a path to digital transformation, the actual building of these containers isn’t quite so clear. Typically, building a Linux container image requires the use of an extensive set of tools and daemons (a container engine, so to speak). The existing tools are bulky by container standards and I believe there has been a distinct lack of innovation. IT teams may want their build systems running the bare minimum of processes and tools, otherwise, additional complexity can be introduced that could lead to loss of system stability and even security risks. Complexity is a serious architectural and security challenge.

This is where Buildah comes in. A command line utility, Buildah provides only the basic requirements needed to create or modify Linux container images making it easier to integrate into existing application build pipelines.

The resulting container images are not snowflakes, either; they are OCI-compliant and can even be built using Dockerfiles. Buildah is a distillation of container development to the bare necessities, designed to help IT teams to limit complexity on critical systems and streamline ownership and security workflows.

When we say “bare necessities,” we mean it. Buildah allows for the on-the-fly creation of containers from scratch—think of it as an empty box. For example, Buildah can assemble containers that omit things like package managers (DNF/YUM), that are not required by the final image. So not only can Buildah provide the capability to build these containers in a less complex and more secure fashion, it can cut bloat (and therefore image size) and extend customization to what you need in your cloud-native applications.

Since Buildah is daemonless, it is easier to run it in a container without setting up special infrastructure on the host or “leaking” host sockets into the container. You can run Buildah inside of your Kubernetes (or enterprise Kubernetes, like Red Hat OpenShift) cluster.

What’s special about Buildah 1.0

We’ve talked about Buildah before, most notably launching full, product-level support for it in Red Hat Enterprise Linux 7.5. Now that 1.0 has hit the community, here are a few of the notable features in Buildah that make it interesting:

Buildah has added external read/write volumes during builds, which enables users to build container images that reference external volumes while being built, but without having to ship those external volumes in the completed image. This helps to simplify image creation without bloating those images with unnecessary and unwanted artifacts in production.

To enhance security, Buildah can help the resulting images better comply with Federal Information Processing Standards (FIPS), computer systems standards required by the U.S. Federal Government for non-military, governmental operations, with support for FIPS mode. When a host is running in FIPS mode, Buildah can build and run containers in FIPS mode as well, making it easier for containers on hosts running in FIPS mode to comply with the standards.

Buildah now also offers multi-stage builds, multiple container transport methods for pulling and pushing images, and more. By focusing solely on building and manipulating container images, Buildah is a useful tool for anyone working with Linux containers. Whether you’re a developer testing images locally or looking for an independent image builder for a production toolchain, Buildah is a worthy addition to your container toolbelt.

Want to start building with Buildah yourself?

Try `yum -y install buildah` or learn more and contribute at the project site: https://github.com/projectatomic/buildah.

You can also see a more detailed example at https://www.projectatomic.io/blog/2018/03/building-buildah-container-image-for-kubernetes/.

*Smarter with Gartner, 6 Best Practices for Creating a Container Platform Strategy, October 31, 2017, https://www.gartner.com/smarterwithgartner/6-best-practices-for-creatin…


About the authors

Daniel Walsh has worked in the computer security field for over 40 years. Dan is a Senior Distinguished Engineer at Red Hat. He joined Red Hat in August 2001. Dan is the lead architect of the Red Hat Container Runtime Engineering team. Dan has been working on container technologies for 17 years. Dan focusess on the CRI-OvContainer Runtime for Kubernets, Buildah for building container images, Podman for running and managing containers, containers/storage and containers/image. He has led the SELinux project, concentrating on the application space and policy development. Dan helped developed sVirt, Secure Virtualization as well as the SELinux Sandbox. Previously, Dan worked Netect/Bindview's on Vulnerability Assessment Products and at Digital Equipment Corporation working on the Athena Project, AltaVista Firewall/Tunnel (VPN) Products. Dan has a BA in Mathematics from the College of the Holy Cross and a MS in Computer Science from Worcester Polytechnic Institute.

Read full bio

Red Hat is the world’s leading provider of enterprise open source software solutions, using a community-powered approach to deliver reliable and high-performing Linux, hybrid cloud, container, and Kubernetes technologies.

Read full bio