logo with docker and buildah

Dockerfile is a fucking pain because it’s like HCL (HashiCorp configuration language) and other things where you’re limited. Back to secure way : Shell

This example is from latex-builder

Why I migrated to buildah?

I don’t use anymore Docker excepted on my laptop (macOS) for a limited things and buildah is available in repositories.

Also because I prefer a shell script or other true solution (hello Python) instead of using a configuration language which is limited by definition.

My usage of Docker daemon

In production, I have few VMs with Docker daemon just for Drone Agent, Archery and few other things… I hope to replace it quickly by podman.

Shell is beautiful

It’s more simple to implement conditions in Shell than Dockerfile, also when you need to decide some things depending of another process (external from building image).

buildah mount

It’s the best way to integrate external files when you need to download it.

From run.sh

mnt=$(buildah mount $mk)
git clone https://gitlab.kitware.com/kmorel/UseLATEX.git
mv UseLATEX/UseLATEX.cmake $mntimg/usr/share/cmake-*/Modules/
rm -rf $mnt#/var/cache/pacman/pkg/*
git clone https://github.com/sycured/pdfcompressor.git
mv pdfcompressor/pdfcompressor $mntimg/usr/local/bin/
chmod 555 $mntimg/usr/local/bin/pdfcompressor
buildah unmount $mk#</code></pre>

Directly, I use curl for the host to download files where I need them, it’s more easy to operate in filesystem than doing it in RUN where you need to remember that the same thing in Docker without using a lot of layer is a long line with multiple “&&

OCI vs Docker format : Docker Hub is an asshole

Docker Hub doesn’t support default format from buildah (OCI) and need his format : Docker… It’s why, I’ve a double commit and push…

From run.sh

buildah commit --squash "$mk#" "buildah-vfs"
buildah commit --squash --format docker "$mk#" "buildah-vfs-docker"

Example: .drone.yml

- echo $DCKIOAK | buildah login -u sycured --password-stdin docker.io
- buildah push latex-builder-docker:latest docker://sycured/latex-builder:latest
- buildah logout docker.io
- echo $QUAYIOAK | buildah login -u sycured --password-stdin quay.io
- buildah push latex-builder:latest docker://quay.io/sycured/latex-builder:latest
- buildah logout quay.io

My Quay.io for public repositories.

CI/CD more easy

I use buildah to build all my images in CI/CD and it’s a lot more easy. I just need a distribution where I can install buildah (Debian, Red Hat Enterprise Linux … no limit) and it’s better about universality.

Any regret?

It’s impossible when you can finally use a secure (rootless and without daemon) and with the possibility to use any language instead of Dockerfile. In addition, Docker doesn’t permit to integrate external step in Dockerfile easily where buildah has this concept from the first day.

Freedom is also in the usage of the tool, Docker has no concern about the community and it’s more proprietary (vendor lock) philosophy.

Now, I can use shell function and more when I build a container.

Docker is forbidden in production !

Drone Agent is the only exception to use buildah-vfs. - sycured

Docker is ready to finish inside a black hole. We don’t need insecure tool like Docker.

In addition, buildah is included in Red Hat Enterprise Linux.