{"id":161,"date":"2019-11-10T01:14:00","date_gmt":"2019-11-10T06:14:00","guid":{"rendered":"http:\/\/127.0.0.1:8080\/?p=161"},"modified":"2024-01-13T13:31:50","modified_gmt":"2024-01-13T18:31:50","slug":"migration-from-dockerfile-to-buildah","status":"publish","type":"post","link":"http:\/\/10.42.0.68:8080\/blog\/migration-from-dockerfile-to-buildah","title":{"rendered":"Migration from Dockerfile to buildah"},"content":{"rendered":"\n

Dockerfile<\/a> is a fucking pain because it’s like HCL (HashiCorp configuration language)<\/a> and other things where you’re limited. Back to the secure way: shell<\/p>\n\n\n\n

This example is from latex-builder<\/a><\/p>\n\n\n\n\n\n\n\n

Why did I migrate to buildah?<\/h2>\n\n\n\n

I don’t use Docker anymore, except on my laptop (macOS) for limited things, and buildah is available in repositories.<\/p>\n\n\n\n

Also, I prefer a shell script or other true solution (hello Python) instead of using a configuration language that is limited by definition.<\/p>\n\n\n\n

My usage of the Docker daemon<\/h3>\n\n\n\n

In production, I have a few VMs with the Docker daemon just for Drone Agent, Archery, and a few other things\u2026 I hope to replace it quickly with podman<\/a>.<\/p>\n\n\n\n

Shell is beautiful<\/h3>\n\n\n\n

It’s simpler to implement conditions in shell than in a Dockerfile, including when you need to decide some things depending on another process (external to the image build).<\/p>\n\n\n\n

buildah mount<\/h3>\n\n\n\n

It’s the best way to integrate external files when you need to download them.<\/p>\n\n\n\n

From run.sh<\/a><\/p>\n\n\n\n

# Mount the working container's root filesystem on the host\nmntimg=$(buildah mount \"$mk\")\ngit clone https:\/\/gitlab.kitware.com\/kmorel\/UseLATEX.git\nmv UseLATEX\/UseLATEX.cmake \"$mntimg\"\/usr\/share\/cmake-*\/Modules\/\n# :? aborts if mntimg is empty, so rm never touches the host's own \/var\nrm -rf \"${mntimg:?}\"\/var\/cache\/pacman\/pkg\/*\ngit clone https:\/\/github.com\/sycured\/pdfcompressor.git\nmv pdfcompressor\/pdfcompressor \"$mntimg\"\/usr\/local\/bin\/\nchmod 555 \"$mntimg\"\/usr\/local\/bin\/pdfcompressor\nbuildah unmount \"$mk\"<\/code><\/pre><\/code><\/pre>\n\n\n\n

I use curl on the host to download files directly where I need them; it’s easier to operate on a filesystem than to do it in RUN, where the same thing in Docker, without using a lot of layers, is one long line with multiple “&&<\/em>”<\/p>\n\n\n\n

OCI vs Docker format: Docker Hub is an asshole<\/h2>\n\n\n\n

Docker Hub doesn’t support the default format from buildah (OCI) and needs its own format: Docker\u2026 That’s why I have a double commit and push\u2026<\/p>\n\n\n\n

From run.sh<\/a><\/p>\n\n\n\n

buildah commit --squash \"$mk\" \"buildah-vfs\"\nbuildah commit --squash --format docker \"$mk\" \"buildah-vfs-docker\"<\/code><\/pre>\n\n\n\n

Example: .drone.yml<\/strong><\/p>\n\n\n\n

- echo $DCKIOAK | buildah login -u sycured --password-stdin docker.io\n- buildah push latex-builder-docker:latest docker:\/\/sycured\/latex-builder:latest\n- buildah logout docker.io\n- echo $QUAYIOAK | buildah login -u sycured --password-stdin quay.io\n- buildah push latex-builder:latest docker:\/\/quay.io\/sycured\/latex-builder:latest\n- buildah logout quay.io<\/code><\/pre>\n\n\n\n

My Quay.io<\/a> for public repositories.<\/p>\n\n\n\n

CI\/CD easier<\/h2>\n\n\n\n

I use buildah to build all my images in CI\/CD and it’s a lot easier. I just need a distribution where I can install buildah (Debian, Red Hat Enterprise Linux \u2026 no limit) and it’s better about universality<\/em>.<\/p>\n\n\n\n

Any regret?<\/h2>\n\n\n\n

It’s impossible when you can finally use a secure tool (rootless and without a daemon) with the possibility of using any language instead of Dockerfile. In addition, Docker doesn’t easily permit the integration of external steps in a Dockerfile, whereas buildah has had this concept from the first day.<\/p>\n\n\n\n

Freedom is also in the usage of the tool; Docker has no concern for the community and has a more proprietary (vendor lock) philosophy.<\/p>\n\n\n\n

Now I can use shell functions and more when I build a container.<\/p>\n\n\n\n

\n

Docker is forbidden in production!<\/p>\n\n\n\n

Drone Agent is the only exception to use buildah-vfs<\/a>. – sycured<\/a><\/p>\n<\/blockquote>\n\n\n\n

Docker is ready to finish inside a black hole. We don’t need an insecure tool like Docker.<\/p>\n\n\n\n

In addition, buildah is included in Red Hat Enterprise Linux.<\/p>\n","protected":false},"excerpt":{"rendered":"

Dockerfile is a fucking pain because it’s like HCL (HashiCorp configuration language) and other things where you’re limited. Back to secure way: Shell This example is from latex-builder<\/p>\n","protected":false},"author":1,"featured_media":81,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"saved_in_kubio":false,"footnotes":""},"categories":[14],"tags":[15],"_links":{"self":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts\/161"}],"collection":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/comments?post=161"}],"version-history":[{"count":1,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts\/161\/revisions"}],"predecessor-version":[{"id":162,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/posts\/161\/revisions\/162"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/media\/81"}],"wp:attachment":[{"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/media?parent=161"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/categories?post=161"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/10.42.0.68:8080\/wp-json\/wp\/v2\/tags?post=161"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}