buildah
Build OCI or Docker images
SYNOPSIS
buildah [GLOBAL-OPTIONS] SUBCOMMAND [SUBCOMMAND-OPTIONS] [ARGS]
PARAMETERS
--allow-root
Allow rootless operation as root
--cgroup-manager string
Cgroup manager: cgroupfs, systemd
--common-cidpath string
Path for common ID mapping file
--compat
Enable legacy compatibility mode
--configdir string
Configuration directory path
--consign
Run as systemd unit
--debug
Enable debug logging
--device [=]host-device
Add host device to container
--hooks-dir dir
OCI hooks directory
--http-proxy string
HTTP proxy URL
--https-proxy string
HTTPS proxy URL
--iidfile file
Write image ID to file
--log-level string
Set logging level (debug, warn, etc.)
--network string
Networking: host, none, slirp4netns
--no-proxy strings
No-proxy hosts/domains
--pull-policy string
Image pull policy: always, never, missing
--quiet, -q
Suppress extra output
--registries-conf string
registries.conf path
--registries-conf-dir string
registries.conf.d path
--registries-insecure strings
Insecure registries (no TLS)
--registry strings
Search registries
--root string
Storage root directory
--storage-driver string
Storage driver (overlay, vfs)
--storage-opt []string
Storage options
--tmpdir string
Temporary directory
--userns string
User namespace: auto, private
--version, -v
Print version info
--write string
Always/never write image after build
DESCRIPTION
Buildah is a command-line tool designed for building Open Container Initiative (OCI) images without requiring a persistent container daemon, unlike Docker. It enables users to create containers layer-by-layer through subcommands that manage working containers directly on the host filesystem. Key capabilities include initializing containers from images (buildah from), running commands inside them (buildah run), mounting volumes, copying files, and committing changes to new images (buildah commit). It supports both rootful and rootless modes, leveraging user namespaces for secure, unprivileged operation.
Integrated with the libpod library (same as Podman), Buildah excels in environments prioritizing security and minimal overhead, such as desktops, laptops, and CI systems. It handles OCI and Docker image formats, allowing pushes to registries via buildah push. Buildah also supports containerfiles (Dockerfile-compatible) for scripted builds with buildah build. Its daemonless nature avoids single points of failure and reduces attack surface, making it ideal for air-gapped or multi-tenant setups. Common workflows involve scripting sequences of operations or using Bud (Buildah-from-Dockerfile) for compatibility.
CAVEATS
Rootless mode requires fuse-overlayfs or similar for layered storage; some subcommands need capabilities like CAP_SYS_ADMIN; not all Docker features are supported identically.
COMMON SUBCOMMANDS
from: Create working container.
run: Execute in container.
commit: Save as image.
build: Build from Containerfile.
push: Push to registry.
BASIC EXAMPLE
container=$(buildah from ubuntu)
buildah run "$container" -- ls /
buildah commit "$container" myimage
buildah images
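The same from/run/commit sequence as a reusable shell function, with the working container removed on failure, the in-container step run without network access, and the image configured to start as an unprivileged user. This is an added example, not part of the original page or the Buildah project; the function name build_image, the BUILDAH override variable, the /usr/local/bin/app path and UID/GID 65534 are assumptions.

```shell
#!/bin/sh
# Added example: scripted buildah build with cleanup and a non-root runtime user.
# BUILDAH can be overridden (assumption) to point at a wrapper or a test stub.
BUILDAH="${BUILDAH:-buildah}"

# build_image BASE SRC_FILE IMAGE_NAME
# Copies SRC_FILE into a working container created from BASE, locks down its
# mode, sets an unprivileged runtime user and commits the result.
# Prints IMAGE_NAME on success; returns non-zero and leaves no working
# container behind on failure.
build_image() {
    base=$1 src=$2 image=$3
    [ -n "$base" ] && [ -n "$src" ] && [ -n "$image" ] || {
        echo "usage: build_image BASE SRC_FILE IMAGE_NAME" >&2; return 2; }
    [ -f "$src" ] || { echo "missing source file: $src" >&2; return 2; }

    # "buildah from" prints the name of the new working container on stdout.
    ctr=$("$BUILDAH" from "$base") || return 1

    # Every step must succeed. The run step needs no network, so it gets none.
    # 65534:65534 is assumed to be the "nobody" user in the base image.
    if "$BUILDAH" copy "$ctr" "$src" /usr/local/bin/app >/dev/null &&
       "$BUILDAH" run --network none "$ctr" -- chmod 0555 /usr/local/bin/app &&
       "$BUILDAH" config --user 65534:65534 \
           --entrypoint '["/usr/local/bin/app"]' "$ctr" &&
       "$BUILDAH" commit --rm "$ctr" "$image" >/dev/null
    then
        # commit --rm already removed the working container.
        echo "$image"
    else
        # A failed step leaves the working container on disk; remove it.
        "$BUILDAH" rm "$ctr" >/dev/null 2>&1
        return 1
    fi
}

# Usage: build_image ubuntu ./app myimage
```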
HISTORY
Developed by Red Hat's Container Tools team starting 2017 as part of Project Atomic. First stable release in Podman/Buildah 1.0 (2019). Evolved with OCI specs, now core to Fedora/CentOS container workflows, emphasizing daemonless tools.


