Using Buildah to Build Docker Images In Your CodeBuild Project

Learn how to build secure, daemonless, and rootless Docker containers using Buildah within AWS CodeBuild.

Dr Salek Ali 20 November 2024
What happens when you need a secure, rootless, and daemon-free tool to build Docker containers from within a CI/CD runner container? You use Buildah.

Why Use Buildah?

Buildah lets you build container images without running privileged CI/CD runners or relying on a daemon, making it a great companion for AWS CodeBuild.

  1. Daemonless Builds: Buildah doesn’t require a background daemon, so there is no long-running root process to expose or protect. It’s simpler, leaner, and more secure.
  2. Rootless Containers: Buildah can run as an unprivileged user, so it builds images in environments where elevated access isn’t an option.
  3. OCI Compliance: Buildah is Open Container Initiative (OCI) compliant, so your images will work with most runtimes.
  4. Lightweight: Light and efficient, perfect for CI/CD pipelines.

Step-by-Step Implementation

1. Configure Your CodeBuild Environment

First, set up your CodeBuild project. Use a managed image like aws/codebuild/standard:6.0 or another that supports Buildah and your runtime needs. Make sure to:

  • Grant the service role permissions to interact with ECR.
  • Specify a buildspec file for your instructions.

2. Install Buildah in the Build Environment

Here’s how to install Buildah via your buildspec.yml:

phases:
  install:
    runtime-versions:
      docker: 20   # starts the Docker daemon; Buildah itself does not need it, so drop this if no other step uses Docker
    commands:
      - echo "Installing Buildah..."
      - yum -y install buildah   # yum is for Amazon Linux build images; Ubuntu-based images use apt-get instead

3. Authenticate to Amazon ECR

To push your images to ECR, you’ll need to log in first. Add this command in the pre_build phase:

phases:
  pre_build:
    commands:
      - echo "Logging in to Amazon ECR..."
      # The token is piped on stdin so it never appears in the process list or the build log
      - aws ecr get-login-password --region $AWS_REGION | buildah login --username AWS --password-stdin $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com

4. Build Your Image Using Buildah

Replace your Docker commands with Buildah ones in the build phase:

phases:
  build:
    commands:
      - echo "Building the Docker image with Buildah..."
      - buildah bud -t $REPOSITORY_NAME:latest .   # "bud" (build-using-dockerfile) is the older alias of "buildah build"

5. Push the Image to Amazon ECR

Your image is built—time to push it to ECR! Add this in the post_build phase:

phases:
  post_build:
    commands:
      - echo "Pushing the Docker image to Amazon ECR..."
      - buildah push $REPOSITORY_NAME:latest docker://$ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$REPOSITORY_NAME:latest
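The five phases above, folded into one POSIX shell script as an added example (not code from the original post), with two things a reviewer would ask for: the image is also tagged with the commit id that CodeBuild exposes in CODEBUILD_RESOLVED_SOURCE_VERSION, and the digest Buildah reports after the push is saved so that a deploy step can pin the image by digest rather than trusting the mutable latest tag. It assumes the same ACCOUNT_ID, AWS_REGION and REPOSITORY_NAME variables as the post, and uses Buildah's chroot isolation so RUN steps work without a privileged runner.

```shell
#!/bin/sh
# Added example, not code from the original post: the five buildspec phases
# folded into one POSIX script with two additions a reviewer would ask for.
# The image is also tagged with the commit id CodeBuild exposes, and the digest
# buildah reports after the push is saved so a deploy step can pin by digest
# instead of trusting the mutable ":latest" tag.
# Assumed inputs: ACCOUNT_ID, AWS_REGION, REPOSITORY_NAME (as in the post) and
# CODEBUILD_RESOLVED_SOURCE_VERSION (CodeBuild sets it to the source commit).

# Reject anything that is not a 12-digit AWS account id before it becomes a URL.
valid_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Registry hostname shared by the login and the push.
ecr_registry() { printf '%s.dkr.ecr.%s.amazonaws.com' "$1" "$2"; }

# Immutable tag: the first 12 hex characters of the commit id.
commit_tag() { printf '%s' "$1" | cut -c1-12; }

# Reference a deploy step should consume; registry/repo@sha256:... never moves.
pinned_ref() { printf '%s/%s@%s' "$1" "$2" "$3"; }

run_pipeline() {
  set -eu
  valid_account_id "$ACCOUNT_ID" || { echo "ACCOUNT_ID is not a 12-digit id" >&2; return 1; }
  registry=$(ecr_registry "$ACCOUNT_ID" "$AWS_REGION")
  tag=$(commit_tag "$CODEBUILD_RESOLVED_SOURCE_VERSION")
  # The token arrives on stdin, so it never appears in the process list or logs.
  aws ecr get-login-password --region "$AWS_REGION" \
    | buildah login --username AWS --password-stdin "$registry"
  # chroot isolation lets RUN steps work without a privileged runner.
  buildah bud --isolation chroot -t "$REPOSITORY_NAME:$tag" .
  buildah tag "$REPOSITORY_NAME:$tag" "$REPOSITORY_NAME:latest"
  buildah push --digestfile digest.txt "$REPOSITORY_NAME:$tag" \
    "docker://$registry/$REPOSITORY_NAME:$tag"
  buildah push "$REPOSITORY_NAME:latest" "docker://$registry/$REPOSITORY_NAME:latest"
  pinned_ref "$registry" "$REPOSITORY_NAME" "$(cat digest.txt)" > image-ref.txt
  echo "deploy by digest: $(cat image-ref.txt)"
}

# Run the real pipeline only when asked, so the helpers can be sourced and tested.
if [ "${RUN_PIPELINE:-0}" = "1" ]; then run_pipeline; fi
```

Export image-ref.txt as a build artifact and have the deploy stage read the image reference from it; a tag can be overwritten by a later push, a digest cannot.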

Conclusion

With Buildah, we get a secure, rootless, and efficient way to build container images in AWS CodeBuild. Buildah is ideal for developers who value security without sacrificing functionality. Give Buildah a try—it’s a game-changer for secure CI/CD!

Need help optimizing your CI/CD pipelines or AWS infrastructure? Book a consultation and let’s build something scalable together.