Dockerfile

Figure 1. Cover Image: Building OCI images with Buildah In the world of containers, Buildah stands out as a powerful yet lightweight tool for building OCI (Open Container Initiative)-compliant container images. Unlike traditional tools like Docker, Buildah takes a daemonless approach, making it secure, flexible, and ideal for modern development workflows. Key Features Daemonless Architecture: Buildah doesn’t rely on a background service (like Docker’s daemon). Instead, it directly manipulates images, ensuring a smaller footprint and lower resource usage. Rootless and Secure: You can run Buildah without root privileges, making it safer, especially in multi-user environments or CI/CD pipelines. Dockerfile-Free Flexibility: While Buildah supports Dockerfiles, it also enables image creation without one. Developers can use shell commands or scripts, offering full control over the image-building process. OCI Compliance and Versatility: Buildah creates both OCI and Docker-formatted images, ensuring compatibility with tools like Podman, Docker, and Kubernetes. Lightweight and Scriptable: Its minimal design makes Buildah perfect for automation and scripting, particularly in resource-constrained environments. ...

Restrict Network Can be useful when using a third-party image that we do not trust Run with no network docker run --network none <image> Run with private isolated network At least containers attached to this network can talk with another docker network create --internal my_isolated_network docker run --network my_isolated_network <image> Block using firewall e.g. using iptables or ipfw # Get container's IP docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <container_name> # Block all outbound connections from that IP sudo iptables -I DOCKER-USER -s <container_ip> -j DROP ...