https://github.com/containers/buildah

----------------------------------------------------util-images----------------------------------------
https://github.com/phusion/baseimage-docker
https://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/
https://snyk.io/product/container-vulnerability-management/
https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
https://docs.docker.com/engine/reference/builder/
https://www.ctl.io/developers/blog/post/dockerfile-entrypoint-vs-cmd/
https://thenewstack.io/docker-basics-how-to-use-dockerfiles/
https://examples.javacodegeeks.com/devops/docker/docker-hello-world-example/
https://podman.io/blogs/2018/10/31/podman-buildah-relationship.html

----------------------------------------------------java-images----------------------------------------
https://snyk.io/blog/best-practices-to-build-java-containers-with-docker/
https://snyk.io/blog/docker-for-java-developers/

-----------------------------------------------------redhat-images--------------------------------------
https://catalog.redhat.com/software/containers/search
https://catalog.redhat.com/software/containers/explore
https://www.redhat.com/sysadmin/building-buildah
https://www.redhat.com/sysadmin/getting-started-buildah
https://developers.redhat.com/blog/2019/02/21/podman-and-buildah-for-docker-users
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/building_running_and_managing_containers/index#building-container-images-with-buildah_porting-containers-to-systemd-using-podman
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/images/image-configuration

-----------------------------------------------------oracle-images--------------------------------------
https://github.com/oracle/docker-images

----------------------------------------------native commands--------------------------------------------
ubuntu@node010:~$ container=$(buildah from )
ubuntu@node010:~$ echo $container
openjdk-17-runtime-working-container

-------------------------------------------------------images--------------------------------------------
NAME
  buildah-images - List images in local storage.

SYNOPSIS
  buildah images [options] [image]

DESCRIPTION
  Displays locally stored images, their names, sizes, created date and their IDs. The created date is displayed in the time locale of the local machine.

-------------------------------------------------------containers--------------------------------------------
NAME
  buildah-containers - List the working containers and their base images.

SYNOPSIS
  buildah containers [options]

DESCRIPTION
  Lists containers which appear to be Buildah working containers, their names and IDs, and the names and IDs of the images from which they were initialized.

-------------------------------------------------------bud--------------------------------------------
NAME
  buildah-bud - Build an image using instructions from Container files

SYNOPSIS
  buildah build-using-dockerfile [options] [context]
  buildah bud [options] [context]

  bud is an alias for build-using-dockerfile.

DESCRIPTION
  Builds an image using instructions from one or more Containerfiles or Dockerfiles and a specified build context directory. A Containerfile uses the same syntax as a Dockerfile internally. For this document, a file referred to as a Containerfile can be a file named either 'Containerfile' or 'Dockerfile'.

  The build context directory can be specified as the http(s) URL of an archive, git repository or Containerfile.

  If no context directory is specified, then Buildah will assume the current working directory as build context, which should contain a Containerfile.

  Containerfiles ending with a ".in" suffix will be preprocessed via cpp(1). This can be useful to decompose Containerfiles into several reusable parts that can be used via CPP's #include directive. Notice, a Containerfile.in file can still be used by other tools when manually preprocessing them via cpp -E. Any comments (lines beginning with #) in included Containerfile(s) that are not preprocess commands will be printed as warnings during builds.

  When the URL is an archive, the contents of the URL is downloaded to a temporary location and extracted before execution.

  When the URL is a Containerfile, the file is downloaded to a temporary location.

  When a Git repository is set as the URL, the repository is cloned locally and then set as the context.

----------------- with tag and file path
ubuntu@node010:~$ buildah bud -t -f . <--- the dot = in this directory

-------------------------------------------------------rmi--------------------------------------------
NAME
  buildah-rmi - Removes one or more images.

SYNOPSIS
  buildah rmi [image ...]

DESCRIPTION
  Removes one or more locally stored images.

LIMITATIONS
  If the image was pushed to a directory path using the 'dir:' transport the rmi command can not remove the image. Instead standard file system commands should be used. If imageID is a name, but does not include a registry name, buildah will attempt to find and remove an image named using the registry name localhost, if no such image is found, it will search for the intended image by attempting to expand the given name using the names of registries provided in the system's registries configuration file, registries.conf.
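
The lookup order described above (localhost first, then the registries named in registries.conf) means a reference without a registry name can resolve to different sources on different hosts. The following is an added example, not part of the original notes or of Buildah: it classifies references read from stdin. The function names and sample references are constructed for illustration, and the rule used to recognise a registry name (first path component contains "." or ":" or is "localhost") is the usual Docker reference convention.

```sh
#!/bin/sh
# Added example: flag image references that rely on short-name lookup.
# All function names and sample references below are constructed.

# is_local_transport REF -> 0 if REF uses a non-registry transport
is_local_transport() {
    case "$1" in
        dir:*|oci:*|oci-archive:*|docker-archive:*|docker-daemon:*) return 0 ;;
        *) return 1 ;;
    esac
}

# has_registry REF -> 0 if REF names a registry, 1 if it is a short name
has_registry() {
    _r=${1#docker://}              # drop the default transport if present
    case "$_r" in
        */*) _first=${_r%%/*} ;;   # candidate registry component
        *)   return 1 ;;           # no "/" at all, e.g. "alpine:3.19"
    esac
    case "$_first" in
        localhost|*.*|*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# is_digest_pinned REF -> 0 if REF ends in @sha256:<64 hex digits>
is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# audit_refs: read one reference per line, print one finding per line
audit_refs() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if is_local_transport "$line"; then
            echo "LOCAL $line"
        elif ! has_registry "$line"; then
            echo "SHORT-NAME $line"      # resolved via localhost, then registries.conf
        elif ! is_digest_pinned "$line"; then
            echo "UNPINNED $line"        # registry named, but tag can move
        else
            echo "OK $line"
        fi
    done
}

# Constructed sample input (not taken from the page).
sample_refs() {
    cat <<'EOF'
alpine:3.19
library/alpine
localhost/hello:latest
docker://registry.example.com/team/app:1.0
registry.example.com/team/app@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
oci:/tmp/layout:latest
EOF
}

sample_refs | audit_refs
```

Feed it the image names used in build scripts or Containerfile FROM lines; every SHORT-NAME line is a reference whose source depends on the host's registries.conf.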

-------------------------------------------------------from--------------------------------------------
NAME
  buildah-from - Creates a new working container, either from scratch or using a specified image as a starting point.

SYNOPSIS
  buildah from [options] image

DESCRIPTION
  Creates a working container based upon the specified image name. If the supplied image name is "scratch" a new empty container is created. Image names use a "transport":"details" format.

  Multiple transports are supported:

  dir:path
    An existing local directory path containing the manifest, layer tarballs, and signatures in individual files. This is a non-standardized format, primarily useful for debugging or noninvasive image inspection.

  docker://docker-reference (Default)
    An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in $XDG_RUNTIME_DIR/containers/auth.json, which is set using (buildah login). If XDG_RUNTIME_DIR is not set, the default is /run/containers/$UID/auth.json. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using (docker login). If docker-reference does not include a registry name, localhost will be consulted first, followed by any registries named in the registries configuration.

  docker-archive:path
    An image is retrieved as a docker load formatted file.

  docker-daemon:docker-reference
    An image docker-reference stored in the docker daemon's internal storage. docker-reference must include either a tag or a digest.
    Alternatively, when reading images, the format can also be docker-daemon:algo:digest (an image ID).

  oci:path:tag
    An image tag in a directory compliant with "Open Container Image Layout Specification" at path.

  oci-archive:path:tag
    An image tag in a directory compliant with "Open Container Image Layout Specification" at path.

DEPENDENCIES
  Buildah resolves the path to the registry to pull from by using the /etc/containers/registries.conf file, containers-registries.conf(5). If the buildah from command fails with an "image not known" error, first verify that the registries.conf file is installed and configured appropriately.

-------------------------------------------------------config--------------------------------------------
NAME
  buildah-config - Update image configuration settings.

SYNOPSIS
  buildah config [options] container

DESCRIPTION
  Updates one or more of the settings kept for a container.

----------------------by cmd
ubuntu@node010:~$ buildah config --cmd 'java -jar /opt/repoJava/HelloWorld.jar'

-------------------------------------------------------run--------------------------------------------
NAME
  buildah-run - Run a command inside of the container.

SYNOPSIS
  buildah run [options] [--] container command

DESCRIPTION
  Launches a container and runs the specified command in that container using the container's root filesystem as a root filesystem, using configuration settings inherited from the container's image or as specified using previous calls to the buildah config command. To execute buildah run within an interactive shell, specify the --tty option.

-------------------------------------------------------commit--------------------------------------------
NAME
  buildah-commit - Create an image from a working container.

SYNOPSIS
  buildah commit [options] container [image]

DESCRIPTION
  Writes a new image using the specified container's read-write layer and if it is based on an image, the layers of that image. If image does not begin with a registry name component, localhost will be added to the name.
  If image is not provided, the image will have no name. When an image has no name, the buildah images command will display in the REPOSITORY and TAG columns.

RETURN VALUE
  The image ID of the image that was created. On error, 1 is returned and errno is returned.

----------------by containerID
ubuntu@node010:~$ buildah commit

-------------------------------------------------------info--------------------------------------------
NAME
  buildah-info - Display Buildah system information.

SYNOPSIS
  buildah info [options]

DESCRIPTION
  The information displayed pertains to the host and current storage statistics which is useful when reporting issues.

-------------------------------------------------------inspect--------------------------------------------
NAME
  buildah-inspect - Display information about working containers or images or manifest lists.

SYNOPSIS
  buildah inspect [options] [--] object

DESCRIPTION
  Prints the low-level information on Buildah object(s) (e.g. container, images, manifest lists) identified by name or ID. By default, this will render all results in a JSON array.
  If the container, image, or manifest lists have the same name, this will return container JSON for an unspecified type. If a format is specified, the given template will be executed for each result.

-------------------------------------------------------version--------------------------------------------
NAME
  buildah-version - Display the Buildah Version Information.

SYNOPSIS
  buildah version [options]

DESCRIPTION
  Shows the following information: Version, Go Version, Image Spec, Runtime Spec, CNI Spec, libcni Version, Git Commit, Build Time, OS, and Architecture.

-------------------------------------------------------add--------------------------------------------
NAME
  buildah-add - Add the contents of a file, URL, or a directory to a container.

SYNOPSIS
  buildah add [options] container src [[src ...] dest]

DESCRIPTION
  Adds the contents of a file, URL, or a directory to a container's working directory or a specified location in the container. If a local source file appears to be an archive, its contents are extracted and added instead of the archive file itself.
  If a local directory is specified as a source, its contents are copied to the destination.

--------------source and destination
ubuntu@node010:~$ buildah add $container '/opt/shared/HelloWorld.jar' '/opt/repoJava/'

-------------------------------------------------------copy--------------------------------------------
NAME
  buildah-copy - Copies the contents of a file, URL, or directory into a container's working directory.

SYNOPSIS
  buildah copy container src [[src ...] dest]

DESCRIPTION
  Copies the contents of a file, URL, or a directory to a container's working directory or a specified location in the container. If a local directory is specified as a source, its contents are copied to the destination.

-------------------------------------------------------login--------------------------------------------
NAME
  buildah-login - Login to a container registry

SYNOPSIS
  buildah login [options] registry

DESCRIPTION
  buildah login logs into a specified registry server with the correct username and password. buildah login reads in the username and password from STDIN. The username and password can also be set using the username and password flags.
  The path of the authentication file can be specified by the user by setting the authfile flag. The default path used is ${XDG_RUNTIME_DIR}/containers/auth.json. If XDG_RUNTIME_DIR is not set, the default is /run/containers/$UID/auth.json.

  buildah [GLOBAL OPTIONS]
  buildah login [GLOBAL OPTIONS]
  buildah login [OPTIONS] REGISTRY [GLOBAL OPTIONS]

-------------------------------------------------------logout--------------------------------------------
NAME
  buildah-logout - Logout of a container registry

SYNOPSIS
  buildah logout [options] registry

DESCRIPTION
  buildah logout logs out of a specified registry server by deleting the cached credentials stored in the auth.json file. The path of the authentication file can be overridden by the user by setting the authfile flag. The default path used is ${XDG_RUNTIME_DIR}/containers/auth.json. If XDG_RUNTIME_DIR is not set, the default is /run/containers/$UID/auth.json. All the cached credentials can be removed by setting the all flag.
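
The login and logout descriptions above say where cached registry credentials live. The following is an added example, not part of the original notes or of Buildah: it resolves that default path the same way and reports whether each credential file is readable by anyone other than its owner. The function names are hypothetical, and treating any group or other permission bit as a finding is this example's own policy.

```sh
#!/bin/sh
# Added example: locate cached registry credentials and check their mode.
# Function names are hypothetical; the owner-only policy is an assumption.

# authfile_path [OVERRIDE] -> path buildah login/logout would use.
# OVERRIDE stands for a path given with the authfile flag.
authfile_path() {
    if [ -n "${1:-}" ]; then
        printf '%s\n' "$1"
    elif [ -n "${XDG_RUNTIME_DIR:-}" ]; then
        printf '%s\n' "$XDG_RUNTIME_DIR/containers/auth.json"
    else
        printf '%s\n' "/run/containers/$(id -u)/auth.json"
    fi
}

# authfile_candidates -> files consulted for the docker:// transport, in order
authfile_candidates() {
    authfile_path
    printf '%s\n' "${HOME:-}/.docker/config.json"
}

# check_cred_file PATH -> prints a finding; returns 1 only when the file
# exists and grants any permission to group or other.
check_cred_file() {
    _f=$1
    if [ ! -e "$_f" ]; then
        echo "ABSENT $_f"
        return 0
    fi
    # First 10 characters of ls -l output: file type plus rwx triplets.
    _mode=$(ls -ldL "$_f" | cut -c1-10)
    case "$_mode" in
        -???------) echo "OK $_f"; return 0 ;;
        *)          echo "EXPOSED $_f ($_mode)"; return 1 ;;
    esac
}

# Report on the current user's credential files.
authfile_candidates | while IFS= read -r p; do
    check_cred_file "$p" || true
done
```

An EXPOSED result on $HOME/.docker/config.json matters more than one under the runtime directory, because that file persists across logins until a logout removes the entry.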

  buildah [GLOBAL OPTIONS]
  buildah logout [GLOBAL OPTIONS]
  buildah logout [OPTIONS] REGISTRY [GLOBAL OPTIONS]

-------------------------------------------------------pull--------------------------------------------
NAME
  buildah-pull - Pull an image from a registry.

SYNOPSIS
  buildah pull [options] image

DESCRIPTION
  Pulls an image based upon the specified image name. Image names use a "transport":"details" format.

  Multiple transports are supported:

  dir:path
    An existing local directory path containing the manifest, layer tarballs, and signatures in individual files. This is a non-standardized format, primarily useful for debugging or noninvasive image inspection.

  docker://docker-reference (Default)
    An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in $XDG_RUNTIME_DIR/containers/auth.json, which is set using (buildah login). If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using (docker login). If docker-reference does not include a registry name, localhost will be consulted first, followed by any registries named in the registries configuration.

  docker-archive:path
    An image is retrieved as a docker load formatted file.

  docker-daemon:docker-reference
    An image docker-reference stored in the docker daemon's internal storage. docker-reference must include either a tag or a digest. Alternatively, when reading images, the format can also be docker-daemon:algo:digest (an image ID).

  oci:path:tag
    An image tag in a directory compliant with "Open Container Image Layout Specification" at path.

  oci-archive:path:tag
    An image tag in a directory compliant with "Open Container Image Layout Specification" at path.

DEPENDENCIES
  Buildah resolves the path to the registry to pull from by using the /etc/containers/registries.conf file, containers-registries.conf(5). If the buildah pull command fails with an "image not known" error, first verify that the registries.conf file is installed and configured appropriately.

RETURN VALUE
  The image ID of the image that was pulled. On error 1 is returned.

-------------------------------------------------------push--------------------------------------------
NAME
  buildah-push - Push an image, manifest list or image index from local storage to elsewhere.

SYNOPSIS
  buildah push [options] image [destination]

DESCRIPTION
  Pushes an image from local storage to a specified destination, decompressing and recompressing layers as needed.

imageID
  Image stored in local container/storage

DESTINATION
  The DESTINATION is a location to store container images. If omitted, the source image parameter will be reused as destination.

  The Image "DESTINATION" uses a "transport":"details" format. Multiple transports are supported:

  dir:path
    An existing local directory path storing the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.

  docker://docker-reference
    An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in $XDG_RUNTIME_DIR/containers/auth.json, which is set using (buildah login). If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using (docker login). If docker-reference does not include a registry name, the image will be pushed to a registry running on localhost.

  docker-archive:path[:docker-reference]
    An image is stored in the docker save formatted file. docker-reference is only used when creating such a file, and it must not contain a digest.

  docker-daemon:docker-reference
    An image docker-reference stored in the docker daemon internal storage. If docker-reference does not begin with a valid registry name (a domain name containing "." or the reserved name "localhost") then the default registry name "docker.io" will be prepended. docker-reference must contain either a tag or a digest. Alternatively, when reading images, the format can also be docker-daemon:algo:digest (an image ID).

  oci:path:tag
    An image tag in a directory compliant with "Open Container Image Layout Specification" at path.

  oci-archive:path:tag
    An image tag in a tar archive compliant with "Open Container Image Layout Specification" at path.

  If the transport part of DESTINATION is omitted, "docker://" is assumed.

-------------------------------------------------------tag--------------------------------------------
NAME
  buildah-tag - Add additional names to local images.

SYNOPSIS
  buildah tag name new-name ...

DESCRIPTION
  Adds additional names to locally-stored images.

EXAMPLE
  buildah tag imageName firstNewName
  buildah tag imageName firstNewName SecondNewName

-------------------------------------------------------rename--------------------------------------------
NAME
  buildah-rename - Rename a local container.

SYNOPSIS
  buildah rename container new-name

DESCRIPTION
  Rename a local container.

EXAMPLE
  buildah rename containerName NewName
  buildah rename containerID NewName

-------------------------------------------------------rm--------------------------------------------
NAME
  buildah-rm - Removes one or more working containers.

SYNOPSIS
  buildah rm [container ...]

DESCRIPTION
  Removes one or more working containers, unmounting them if necessary.

OPTIONS
  --all, -a
    All Buildah containers will be removed. Buildah containers are denoted with an '*' in the 'BUILDER' column listed by the command 'buildah containers'. A container name or id cannot be provided when this option is used.

EXAMPLE
  buildah rm containerID
  buildah rm containerID1 containerID2 containerID3
  buildah rm --all

-------------------------------------------------------mount--------------------------------------------
NAME
  buildah-mount - Mount a working container's root filesystem.

SYNOPSIS
  buildah mount [container ...]

DESCRIPTION
  Mounts the specified container's root file system in a location which can be accessed from the host, and returns its location.

  If the mount command is invoked without any arguments, the tool will list all of the currently mounted containers.

  When running in rootless mode, mount runs in a different namespace so that the mounted volume might not be accessible from the host when using a driver different than vfs. To be able to access the file system mounted, you might need to create the mount namespace separately as part of buildah unshare. In the environment created with buildah unshare you can then use buildah mount and have access to the mounted file system.

RETURN VALUE
  The location of the mounted file system. On error an empty string and errno is returned.

---------------by containerName
root@node010:~# podman mount

-------------------------------------------------------umount--------------------------------------------
NAME
  buildah-umount - Unmount the root file system on the specified working containers.

SYNOPSIS
  buildah umount [options] [container ...]

DESCRIPTION
  Unmounts the root file system on the specified working containers.

OPTIONS
  --all, -a
    All of the currently mounted containers will be unmounted.

EXAMPLE
  buildah umount containerID
  buildah umount containerID1 containerID2 containerID3
  buildah umount --all

-------------------------------------------------------unshare--------------------------------------------
NAME
  buildah-unshare - Run a command inside of a modified user namespace.

SYNOPSIS
  buildah unshare [options] [--] [command]

DESCRIPTION
  Launches a process (by default, $SHELL) in a new user namespace. The user namespace is configured so that the invoking user's UID and primary GID appear to be UID 0 and GID 0, respectively.
  Any ranges which match that user and group in /etc/subuid and /etc/subgid are also mapped in as themselves with the help of the newuidmap(1) and newgidmap(1) helpers.

  buildah unshare is useful for troubleshooting unprivileged operations and for manually clearing storage and other data related to images and containers.

  It is also useful if you want to use the buildah mount command. If an unprivileged user wants to mount and work with a container, then they need to execute buildah unshare. Executing buildah mount fails for unprivileged users unless the user is running inside a buildah unshare session.