Advanced container builds

Overview

Teaching: 15 min
Exercises: 5 min
Questions
  • How can I build better container images?

  • How can I build more reproducible images?

  • How can I build more performant images?

Objectives
  • Learn about OCI image spec

  • Learn about SIF (Singularity Image File)

  • Learn about Buildah

  • Learn about Buildah advanced build feature

  • Learn to edit the OCI image spec

OCI Image Spec

The OCI Image spec defines a container image, consisting of a manifest, an image index (optional), a set of filesystem layers, and a configuration. The goal of this specification is to enable the creation of interoperable tools for building, transporting, and preparing a container image to run.

At a high level the image manifest contains metadata about the contents and dependencies of the image including the content-addressable identity of one or more filesystem layer changeset archives that will be unpacked to make up the final runnable filesystem. The image configuration includes information such as application arguments, environments, etc. The image index is a higher-level manifest which points to a list of manifests and descriptors. Typically, these manifests may provide different implementations of the image, possibly varying by platform or other attributes.

OCI image

Image taken from https://github.com/opencontainers/image-spec

The Schema

The Config-schema is usually a json file, stored in the same tar file of a container bundle.

{
  "description": "OpenContainer Config Specification",
  "$schema": "https://json-schema.org/draft-04/schema#",
  "id": "https://opencontainers.org/schema/image/config",
  "type": "object",
  "properties": {
    "created": {
      "type": "string",
      "format": "date-time"
    },
    "author": {
      "type": "string"
    },
    "architecture": {
      "type": "string"
    },
    "variant": {
      "type": "string"
    },
    "os": {
      "type": "string"
    },
    "os.version": {
      "type": "string"
    },
    "os.features": {
      "type": "array",
      "items": {
        "type": "string"
      }
    },
    "config": {
      "type": "object",
      "properties": {
        "User": {
          "type": "string"
        },
        "ExposedPorts": {
          "$ref": "defs.json#/definitions/mapStringObject"
        },
        "Env": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "Entrypoint": {
          "oneOf": [
            {
              "type": "array",
              "items": {
                "type": "string"
              }
            },
            {
              "type": "null"
            }
          ]
        },
        "Cmd": {
          "oneOf": [
            {
              "type": "array",
              "items": {
                "type": "string"
              }
            },
            {
              "type": "null"
            }
          ]
        },
        "Volumes": {
          "oneOf": [
            {
              "$ref": "defs.json#/definitions/mapStringObject"
            },
            {
              "type": "null"
            }
          ]
        },
        "WorkingDir": {
          "type": "string"
        },
        "Labels": {
          "oneOf": [
            {
              "$ref": "defs.json#/definitions/mapStringString"
            },
            {
              "type": "null"
            }
          ]
        },
        "StopSignal": {
          "type": "string"
        }
      }
    },
    "rootfs": {
      "type": "object",
      "properties": {
        "diff_ids": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "type": {
          "type": "string",
          "enum": [
            "layers"
          ]
        }
      },
      "required": [
        "diff_ids",
        "type"
      ]
    },
    "history": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "created": {
            "type": "string",
            "format": "date-time"
          },
          "author": {
            "type": "string"
          },
          "created_by": {
            "type": "string"
          },
          "comment": {
            "type": "string"
          },
          "empty_layer": {
            "type": "boolean"
          }
        }
      }
    }
  },
  "required": [
    "architecture",
    "os",
    "rootfs"
  ]
}

Example:

Example image docker.io/library/golang:1.18.1-buster

[
    {
        "Id": "7f157abc65790f9f770cdae8b17c2fac5183f98a632b5cf186dee17d3ea4d867",
        "Digest": "sha256:d8f864bac466e488bb425a59ff9bc104828cd44d0985a8d2fcb5570a9250258a",
        "RepoTags": [
            "docker.io/library/golang:1.18.1-buster"
        ],
        "RepoDigests": [
            "docker.io/library/golang@sha256:d8f864bac466e488bb425a59ff9bc104828cd44d0985a8d2fcb5570a9250258a",
            "docker.io/library/golang@sha256:f1e97d64a50f4c2b4fa61211f5206e636a54f992a047d192d6d068fbcd1946c3"
        ],
        "Parent": "",
        "Comment": "",
        "Created": "2022-04-20T22:28:29.609431856Z",
        "Config": {
            "Env": [
                "PATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "GOLANG_VERSION=1.18.1",
                "GOPATH=/go"
            ],
            "Cmd": [
                "bash"
            ],
            "WorkingDir": "/go"
        },
        "Version": "20.10.12",
        "Author": "",
        "Architecture": "amd64",
        "Os": "linux",
        "Size": 929774290,
        "VirtualSize": 929774290,
        "GraphDriver": {
            "Name": "overlay",
            "Data": {
                "LowerDir": "/home/eduardo/.local/share/containers/storage/overlay/e1479c5af0eec492b4942886f33cea901664fcbf30a90cce2ec4f94cbe849399/diff:/home/eduardo/.local/share/containers/storage/overlay/f88ec5845fe9da6e7a4c4278b464d995af00477fb3d5ca6bb8c25e931ee4afb5/diff:/home/eduardo/.local/share/containers/storage/overlay/2819380fc5af7064586ce4a9fc8956257b3e858f1aa9c13eb7d9a9d69e6fad5a/diff:/home/eduardo/.local/share/containers/storage/overlay/989c0ec34539574af4207a1687000b58b0586142096cf0e746ed6079cdf6131f/diff:/home/eduardo/.local/share/containers/storage/overlay/08209b595f6969502c34ba6021037ab0d99b422cf007bcd6da3912f14227bf2a/diff:/home/eduardo/.local/share/containers/storage/overlay/b9fd5db9c9a6470a6c668ade7fa1faf299b734be4f20fef105ec719ac161cee4/diff",
                "UpperDir": "/home/eduardo/.local/share/containers/storage/overlay/865684fea3913d035c50efe6e3f679ca43c1386ed7e2e4c2b78878e58a331a11/diff",
                "WorkDir": "/home/eduardo/.local/share/containers/storage/overlay/865684fea3913d035c50efe6e3f679ca43c1386ed7e2e4c2b78878e58a331a11/work"
            }
        },
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:b9fd5db9c9a6470a6c668ade7fa1faf299b734be4f20fef105ec719ac161cee4",
                "sha256:5d253e59e5233a8eeebb8acdf660c9a5dff6f064656a00fe856e45cd091be47f",
                "sha256:85fe0038088133c12b3556a09e7817998e2043b1dc73630561a0d446d969f755",
                "sha256:957a6eed8d1f1779b315b725c58f42fa20dd6bd59dbea586bf05b9dd32f1d3f2",
                "sha256:0526a14b6add2837dc89f4e600994984b77d3fac897b4a494dcfe53d8fa1974a",
                "sha256:7b3901e2c555ecef791cc80f2c81499a6cc94af0c54d3ae47ee421b437c903ee",
                "sha256:874249d61bed46f7b94af7e81ed64f60b33c363f1a022e69699e2dfa538e123b"
            ]
        },
        "Labels": null,
        "Annotations": {},
        "ManifestType": "application/vnd.docker.distribution.manifest.v2+json",
        "User": "",
        "History": [
            {
                "created": "2022-04-20T04:43:37.180912862Z",
                "created_by": "/bin/sh -c #(nop) ADD file:7c5789fb822bda2652d7addee832c5a3d71733f0f94f97d89b0c5570c0840829 in / "
            },
            {
                "created": "2022-04-20T04:43:37.732864614Z",
                "created_by": "/bin/sh -c #(nop)  CMD [\"bash\"]",
                "empty_layer": true
            },
            {
                "created": "2022-04-20T06:59:01.964685664Z",
                "created_by": "/bin/sh -c set -eux; \tapt-get update; \tapt-get install -y --no-install-recommends \t\tca-certificates \t\tcurl \t\tnetbase \t\twget \t; \trm -rf /var/lib/apt/lists/*"
            },
            {
                "created": "2022-04-20T06:59:07.088636152Z",
                "created_by": "/bin/sh -c set -ex; \tif ! command -v gpg \u003e /dev/null; then \t\tapt-get update; \t\tapt-get install -y --no-install-recommends \t\t\tgnupg \t\t\tdirmngr \t\t; \t\trm -rf /var/lib/apt/lists/*; \tfi"
            },
            {
                "created": "2022-04-20T06:59:22.097083802Z",
                "created_by": "/bin/sh -c apt-get update \u0026\u0026 apt-get install -y --no-install-recommends \t\tgit \t\tmercurial \t\topenssh-client \t\tsubversion \t\t\t\tprocps \t\u0026\u0026 rm -rf /var/lib/apt/lists/*"
            },
            {
                "created": "2022-04-20T22:28:14.68738972Z",
                "created_by": "/bin/sh -c set -eux; \tapt-get update; \tapt-get install -y --no-install-recommends \t\tg++ \t\tgcc \t\tlibc6-dev \t\tmake \t\tpkg-config \t; \trm -rf /var/lib/apt/lists/*"
            },
            {
                "created": "2022-04-20T22:28:15.101594936Z",
                "created_by": "/bin/sh -c #(nop)  ENV PATH=/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "empty_layer": true
            },
            {
                "created": "2022-04-20T22:28:15.202569938Z",
                "created_by": "/bin/sh -c #(nop)  ENV GOLANG_VERSION=1.18.1",
                "empty_layer": true
            },
            {
                "created": "2022-04-20T22:28:27.638161981Z",
                "created_by": "/bin/sh -c set -eux; \tarch=\"$(dpkg --print-architecture)\"; arch=\"${arch##*-}\"; \turl=; \tcase \"$arch\" in \t\t'amd64') \t\t\turl='https://dl.google.com/go/go1.18.1.linux-amd64.tar.gz'; \t\t\tsha256='b3b815f47ababac13810fc6021eb73d65478e0b2db4b09d348eefad9581a2334'; \t\t\t;; \t\t'armel') \t\t\texport GOARCH='arm' GOARM='5' GOOS='linux'; \t\t\t;; \t\t'armhf') \t\t\turl='https://dl.google.com/go/go1.18.1.linux-armv6l.tar.gz'; \t\t\tsha256='9edc01c8e7db64e9ceeffc8258359e027812886ceca3444e83c4eb96ddb068ee'; \t\t\t;; \t\t'arm64') \t\t\turl='https://dl.google.com/go/go1.18.1.linux-arm64.tar.gz'; \t\t\tsha256='56a91851c97fb4697077abbca38860f735c32b38993ff79b088dac46e4735633'; \t\t\t;; \t\t'i386') \t\t\turl='https://dl.google.com/go/go1.18.1.linux-386.tar.gz'; \t\t\tsha256='9a8df5dde9058f08ac01ecfaae42534610db398e487138788c01da26a0d41ff9'; \t\t\t;; \t\t'mips64el') \t\t\texport GOARCH='mips64le' GOOS='linux'; \t\t\t;; \t\t'ppc64el') \t\t\turl='https://dl.google.com/go/go1.18.1.linux-ppc64le.tar.gz'; \t\t\tsha256='33db623d1eecf362fe365107c12efc90eff0b9609e0b3345e258388019cb552a'; \t\t\t;; \t\t's390x') \t\t\turl='https://dl.google.com/go/go1.18.1.linux-s390x.tar.gz'; \t\t\tsha256='5d9301324148ed4dbfaa0800da43a843ffd65c834ee73fcf087255697c925f74'; \t\t\t;; \t\t*) echo \u003e\u00262 \"error: unsupported architecture '$arch' (likely packaging update needed)\"; exit 1 ;; \tesac; \tbuild=; \tif [ -z \"$url\" ]; then \t\tbuild=1; \t\turl='https://dl.google.com/go/go1.18.1.src.tar.gz'; \t\tsha256='efd43e0f1402e083b73a03d444b7b6576bb4c539ac46208b63a916b69aca4088'; \t\techo \u003e\u00262; \t\techo \u003e\u00262 \"warning: current architecture ($arch) does not have a compatible Go binary release; will be building from source\"; \t\techo \u003e\u00262; \tfi; \t\twget -O go.tgz.asc \"$url.asc\"; \twget -O go.tgz \"$url\" --progress=dot:giga; \techo \"$sha256 *go.tgz\" | sha256sum -c -; \t\tGNUPGHOME=\"$(mktemp -d)\"; export GNUPGHOME; \tgpg --batch --keyserver keyserver.ubuntu.com --recv-keys 'EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796'; \tgpg --batch --keyserver keyserver.ubuntu.com --recv-keys '2F52 8D36 D67B 69ED F998  D857 78BD 6547 3CB3 BD13'; \tgpg --batch --verify go.tgz.asc go.tgz; \tgpgconf --kill all; \trm -rf \"$GNUPGHOME\" go.tgz.asc; \t\ttar -C /usr/local -xzf go.tgz; \trm go.tgz; \t\tif [ -n \"$build\" ]; then \t\tsavedAptMark=\"$(apt-mark showmanual)\"; \t\tapt-get update; \t\tapt-get install -y --no-install-recommends golang-go; \t\t\t\t( \t\t\tcd /usr/local/go/src; \t\t\texport GOROOT_BOOTSTRAP=\"$(go env GOROOT)\" GOHOSTOS=\"$GOOS\" GOHOSTARCH=\"$GOARCH\"; \t\t\t./make.bash; \t\t); \t\t\t\tapt-mark auto '.*' \u003e /dev/null; \t\tapt-mark manual $savedAptMark \u003e /dev/null; \t\tapt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \t\trm -rf /var/lib/apt/lists/*; \t\t\t\trm -rf \t\t\t/usr/local/go/pkg/*/cmd \t\t\t/usr/local/go/pkg/bootstrap \t\t\t/usr/local/go/pkg/obj \t\t\t/usr/local/go/pkg/tool/*/api \t\t\t/usr/local/go/pkg/tool/*/go_bootstrap \t\t\t/usr/local/go/src/cmd/dist/dist \t\t; \tfi; \t\tgo version"
            },
            {
                "created": "2022-04-20T22:28:28.825361004Z",
                "created_by": "/bin/sh -c #(nop)  ENV GOPATH=/go",
                "empty_layer": true
            },
            {
                "created": "2022-04-20T22:28:28.916195707Z",
                "created_by": "/bin/sh -c #(nop)  ENV PATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "empty_layer": true
            },
            {
                "created": "2022-04-20T22:28:29.514751109Z",
                "created_by": "/bin/sh -c mkdir -p \"$GOPATH/src\" \"$GOPATH/bin\" \u0026\u0026 chmod -R 777 \"$GOPATH\""
            },
            {
                "created": "2022-04-20T22:28:29.609431856Z",
                "created_by": "/bin/sh -c #(nop) WORKDIR /go",
                "empty_layer": true
            }
        ],
        "NamesHistory": [
            "docker.io/library/golang:1.18.1-buster"
        ]
    }
]

Buildah

Buildah logo

Building OCI container images

The purpose of this tutorial is to demonstrate how Buildah can be used to build container images compliant with the Open Container Initiative (OCI) image specification. Images can be built based on existing images, from scratch, and using Dockerfiles. OCI images built using the Buildah command line tool (CLI) and the underlying OCI based technologies (e.g. containers/image and containers/storage) are portable and can therefore run in a Docker environment.

In brief the containers/image project provides mechanisms to copy (push, pull), inspect, and sign container images. The containers/storage project provides mechanisms for storing filesystem layers, container images, and containers. Buildah is a CLI that takes advantage of these underlying projects and therefore allows you to build, move, and manage container images and containers.

Buildah works on a number of Linux distributions, but is not supported on Windows or Mac platforms at this time. Buildah specializes mainly in building OCI images while Podman provides a broader set of commands and functions that help you to maintain, modify and run OCI images and containers. For more information on the difference between the projects please refer to the Buildah and Podman relationship section on the main README.md.

Configure and Install Buildah

Note that installation instructions below assume you are running a Linux distro that uses dnf as its package manager, and have all prerequisites fulfilled. See Buildah’s installation instructions for a full list of prerequisites, and the buildah installation section in the official Red Hat documentation for RHEL-specific instructions.

First step is to install Buildah. Run as root because you will need to be root for installing the Buildah package:

$ sudo -s

Then install buildah by running:

# dnf -y install buildah

Rootless User Configuration

If you plan to run Buildah as a user without root privileges, i.e. a “rootless user”, the administrator of the system might have to do a bit of additional configuration beforehand. The setup required for this is listed on the Podman GitHub site here. Buildah has the same setup and configuration requirements that Podman does for rootless users.

Post Installation Verification

After installing Buildah we can see there are no images installed. The buildah images command will list all the images:

# buildah images

We can also see that there are also no working containers by running:

# buildah containers

When you build a working container from an existing image, Buildah defaults to appending ‘-working-container’ to the image’s name to construct a name for the container. The Buildah CLI conveniently returns the name of the new container. You can take advantage of this by assigning the returned value to a shell variable using standard shell assignment:

# container=$(buildah from fedora)

It is not required to assign the container’s name to a shell variable. Running buildah from fedora is sufficient. It just helps simplify commands later. To see the name of the container that we stored in the shell variable:

# echo $container

What can we do with this new container? Let’s try running bash:

# buildah run $container bash

Notice we get a new shell prompt because we are running a bash shell inside of the container. It should be noted that buildah run is primarily intended for debugging and running commands as part of the build process. A more full-featured engine like Podman or a container runtime interface service like CRI-O is more suited for starting containers in production.

Be sure to exit out of the container and let’s try running something else:

# buildah run $container java

Oops. Java is not installed. A message containing something like the following was returned.

runc create failed: unable to start start container process: exec: "java": executable file not found in $PATH

Let’s try installing it inside the container using:

# buildah run $container -- dnf -y install java

The -- syntax basically tells Buildah: there are no more buildah run command options after this point. The options after this point are for the command that’s started inside the container. It is required if the command we specify includes command line options which are not meant for Buildah.

Now running buildah run $container java will show that Java has been installed. It will return the standard Java Usage output.

Building a container from scratch

One of the advantages of using buildah to build OCI compliant container images is that you can easily build a container image from scratch and therefore exclude unnecessary packages from your image. Most final container images for production probably don’t need a package manager like dnf.

Let’s build a container and image from scratch. The special “image” name “scratch” tells Buildah to create an empty container. The container has a small amount of metadata about the container but no real Linux content.

# newcontainer=$(buildah from scratch)

You can see this new empty container by running:

# buildah containers

You should see output similar to the following:

CONTAINER ID  BUILDER  IMAGE ID     IMAGE NAME                       CONTAINER NAME
82af3b9a9488     *     3d85fcda5754 docker.io/library/fedora:latest  fedora-working-container
ac8fa6be0f0a     *                  scratch                          working-container

Its container name is working-container by default and it’s stored in the $newcontainer variable. Notice the image name (IMAGE NAME) is “scratch”. This is a special value that indicates that the working container wasn’t based on an image. When we run:

# buildah images

We don’t see the “scratch” image listed. There is no corresponding scratch image. A container based on “scratch” starts from nothing.

So does this container actually do anything? Let’s see.

# buildah run $newcontainer bash

Nope. This really is empty. The package installer dnf is not even inside this container. It’s essentially an empty layer on top of the kernel. So what can be done with that? Thankfully there is a buildah mount command.

# scratchmnt=$(buildah mount $newcontainer)

Note: If attempting to mount in rootless mode, the command fails. Mounting a container can only be done in a mount namespace that you own. Create and enter a user namespace and mount namespace by executing the buildah unshare command. See buildah-mount(1) man page for more information.

$ buildah unshare
# scratchmnt=$(buildah mount $newcontainer)

By echoing $scratchmnt we can see the path for the overlay mount point, which is used as the root file system for the container.

# echo $scratchmnt
/var/lib/containers/storage/overlay/b78d0e11957d15b5d1fe776293bd40a36c28825fb6cf76f407b4d0a95b2a200d/merged

Notice that the overlay mount point is somewhere under /var/lib/containers/storage if you started out as root, and under your home directory’s .local/share/containers/storage directory if you’re in rootless mode. (See above on containers/storage or for more information see containers/storage.)

Now that we have a new empty container we can install or remove software packages or simply copy content into that container. So let’s install bash and coreutils so that we can run bash scripts. This could easily be nginx or other packages needed for your container.

NOTE: the version in the example below (35) relates to a Fedora version which is the Linux platform this example was run on. If you are running dnf on the host to populate the container, the version you specify must be valid for the host or dnf will throw an error. I.e. If you were to run this on a RHEL platform, you’d need to specify --releasever 8.1 or similar instead of --releasever 35. If you want the container to be a particular Linux platform, change scratch in the first line of the example to the platform you want, i.e. # newcontainer=$(buildah from fedora), and then you can specify an appropriate version number for that Linux platform.

# dnf install --installroot $scratchmnt --releasever 35 bash coreutils --setopt install_weak_deps=false -y

Let’s try it out (showing the prompt in this example to demonstrate the difference):

# buildah run $newcontainer sh
sh-5.1# cd /usr/bin
sh-5.1# ls
sh-5.1# exit

Notice we now have a /usr/bin directory in the newcontainer’s root file system. Let’s first copy a simple file from our host into the container. Create a file called runecho.sh which contains the following:

#!/usr/bin/env bash
for i in `seq 0 9`;
do
	echo "This is a new container from ipbabble [" $i "]"
done

Change the permissions on the file so that it can be run:

# chmod +x runecho.sh

With buildah files can be copied into the new container. We can then use buildah run to run that command within the container by specifying the command. We can also configure the image we’ll create from this container to run the command directly when we run it using Podman and its podman run command. In short the buildah run command is equivalent to the “RUN” command in a Dockerfile (it always needs to be told what to run), whereas podman run is equivalent to the docker run command (it can look at the image’s configuration to see what to run). Now let’s copy this new command into the container’s /usr/bin directory, configure the command to be run when the image is run by podman, and create an image from the container’s root file system and configuration settings:

# To test with Podman, first install via:
# dnf -y install podman
# buildah copy $newcontainer ./runecho.sh /usr/bin
# buildah config --cmd /usr/bin/runecho.sh $newcontainer
# buildah commit $newcontainer newimage

We’ve got a new image named “newimage”. The container is still there because we didn’t remove it. Now run the command in the container with Buildah specifying the command to run in the container:

# buildah run $newcontainer /usr/bin/runecho.sh
This is a new container from ipbabble [ 0 ]
This is a new container from ipbabble [ 1 ]
This is a new container from ipbabble [ 2 ]
This is a new container from ipbabble [ 3 ]
This is a new container from ipbabble [ 4 ]
This is a new container from ipbabble [ 5 ]
This is a new container from ipbabble [ 6 ]
This is a new container from ipbabble [ 7 ]
This is a new container from ipbabble [ 8 ]
This is a new container from ipbabble [ 9 ]

Now use Podman to run the command in a new container based on our new image (no command required):

# podman run --rm newimage
This is a new container from ipbabble [ 0 ]
This is a new container from ipbabble [ 1 ]
This is a new container from ipbabble [ 2 ]
This is a new container from ipbabble [ 3 ]
This is a new container from ipbabble [ 4 ]
This is a new container from ipbabble [ 5 ]
This is a new container from ipbabble [ 6 ]
This is a new container from ipbabble [ 7 ]
This is a new container from ipbabble [ 8 ]
This is a new container from ipbabble [ 9 ]

It works! Congratulations, you have built a new OCI container image from scratch that uses bash scripting.

Back to Buildah, let’s add some more configuration information.

# buildah config --created-by "ipbabble"  $newcontainer
# buildah config --author "wgh at redhat.com @ipbabble" --label name=fedora35-bashecho $newcontainer

We can inspect the working container’s metadata using the inspect command:

# buildah inspect $newcontainer

We should probably unmount the working container’s rootfs. We will need to commit the container again to create an image that includes the two configuration changes we just made:

 # buildah unmount $newcontainer
 # buildah commit $newcontainer fedora-bashecho
 # buildah images

And you can see there is a new image called localhost/fedora-bashecho:latest. You can inspect the new image using:

# buildah inspect --type=image fedora-bashecho

Later when you want to create a new container or containers from this image, you simply need to do buildah from fedora-bashecho. This will create a new container based on this image for you.

Now that you have the new image you can remove the scratch container called working-container:

# buildah rm $newcontainer

or

# buildah rm working-container

OCI images built using Buildah are portable

Let’s test if this new OCI image is really portable to another container engine like Docker. First you should install Docker and start it. Notice that Docker requires a running daemon process in order to run any client commands. Buildah and Podman have no daemon requirement.

# dnf -y install docker
# systemctl start docker

Let’s copy that image from where containers/storage stores it to where the Docker daemon stores its images, so that we can run it using Docker. We can achieve this using buildah push. This copies the image to Docker’s storage area which is located under /var/lib/docker. Docker’s storage is managed by the Docker daemon. This needs to be explicitly stated by telling Buildah to push the image to the Docker daemon using docker-daemon:.

# buildah push fedora-bashecho docker-daemon:fedora-bashecho:latest

Under the covers, the containers/image library calls into the containers/storage library to read the image’s contents from where buildah keeps them, and sends them to the local Docker daemon, which writes them to where it keeps them. This can take a little while. And usually you won’t need to do this. If you’re using buildah you are probably not using Docker. This is just for demo purposes. Let’s try it:

# docker run --rm fedora-bashecho
This is a new container from ipbabble [ 0 ]
This is a new container from ipbabble [ 1 ]
This is a new container from ipbabble [ 2 ]
This is a new container from ipbabble [ 3 ]
This is a new container from ipbabble [ 4 ]
This is a new container from ipbabble [ 5 ]
This is a new container from ipbabble [ 6 ]
This is a new container from ipbabble [ 7 ]
This is a new container from ipbabble [ 8 ]
This is a new container from ipbabble [ 9 ]

OCI container images built with buildah are completely standard as expected. So now it might be time to run:

# dnf -y remove docker

Using Containerfiles/Dockerfiles with Buildah

What if you have been using Docker for a while and have some existing Dockerfiles? Not a problem. Buildah can build images using a Dockerfile. The build command takes a Dockerfile as input and produces an OCI image.

Find one of your Dockerfiles or create a file called Dockerfile. Use the following example or some variation if you’d like:

# Base on the most recently released Fedora
FROM fedora:latest
MAINTAINER ipbabble email buildahboy@redhat.com # not a real email

# Install updates and httpd
RUN echo "Updating all fedora packages"; dnf -y update; dnf -y clean all
RUN echo "Installing httpd"; dnf -y install httpd && dnf -y clean all

# Expose the default httpd port 80
EXPOSE 80

# Run the httpd
CMD ["/usr/sbin/httpd", "-DFOREGROUND"]

Now run buildah build with the name of the Dockerfile and the name to be given to the created image (e.g. fedora-httpd):

# buildah build -f Dockerfile -t fedora-httpd .

or, because buildah build defaults to Dockerfile and using the current directory as the build context:

# buildah build -t fedora-httpd

You will see all the steps of the Dockerfile executing. Afterwards buildah images will show you the new image. Now we can create a container from the image and test it with podman run:

# podman run --rm -p 8123:80 fedora-httpd

While that container is running, in another shell run:

# curl localhost:8123

You will see the standard Apache webpage.

Why not try and modify the Dockerfile. Do not install httpd, but instead ADD the runecho.sh file and have it run as the CMD.

For more information on Buildah and how you might contribute please visit the Buildah home page on GitHub.

Inspired by https://github.com/containers/buildah

SIF

The Singularity Image Format (SIF)

For more information please visit SIF official page

SIF layout

Image taken from the SIF official page

A SIF container image is constructed as a single file that encapsulates an entire file system and a number of predefined and user-defined annotations and arbitrary data. This differs somewhat from OCI image bundle, in that SIF packages the runtime data and the image spec, whereas you’d normally expect to maintain data outside a container when running with Podman, Docker, Kubernetes, etc.

A number of large supercomputing sites have been using SIF-formatted containers. Because everything is contained in a single file, it is very portable and can be transported more easily and efficiently than trying to move workloads with data and applications separately.

Key Points

  • The OCI Image Format project creates and maintains the software shipping container image format spec (OCI Image spec)

  • Buildah can take more robust recipes by skipping the use of a Dockerfile