FERRAMENTAS LINUX: The Complete Guide to Securing Buildah Container Environments

Monday, 20 April 2026

The Complete Guide to Securing Buildah Container Environments

 


Secure your container builds: A permanent guide to Buildah security updates. Includes check scripts, automation, and mitigation for Ubuntu, Rocky, SUSE.

Historical note: In April 2026, SUSE released an important update for Buildah (SUSE-SU-2026:1480-1) to rebuild it against a newer Go security release. This guide teaches you the permanent skills to handle such updates—past, present, and future—on any major Linux distribution.


What’s the Real Problem?


Buildah is a tool for building OCI container images without a daemon. When its underlying Go language runtime has a security flaw (e.g., net/http, crypto/tls), your build host and the images you create can inherit that vulnerability. This affects any system using Buildah, not just SUSE.


How to Check If You Are Vulnerable (Ubuntu, Rocky, SUSE)


Run these commands to see your Buildah version and compare it to the fixed version from the SUSE advisory (1.35.5).


Ubuntu 22.04 / 24.04

bash
# Check installed version
buildah version | grep "Version"
# See available update
apt list --upgradable 2>/dev/null | grep buildah
# Check the Go toolchain buildah was built with (this is the runtime a Go security release replaces)
buildah version | grep "Go Version"
# If you built buildah from source, also check the toolchain on the host
go version



Rocky Linux (and other RHEL-based distributions)

bash
# Check version
rpm -q buildah
# Check for update
dnf check-update buildah



SUSE / openSUSE

bash
# Check current version
zypper info buildah | grep Version
# List available patches
zypper list-patches | grep -i buildah


Manual check: If your Buildah version is older than 1.35.5 (or the latest stable from your distro), you’re likely vulnerable.
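The manual comparison above is easy to get wrong when done by eye or with a plain string comparison (a string compare ranks 1.4.0 above 1.35.5). The following script is an added example, not code from the original post: it parses a `buildah version` transcript, splits the version into numeric fields, and reports whether the installed build is older than the 1.35.5 fix named in the advisory. It also extracts the Go toolchain Buildah was built with, since that is what the SUSE rebuild actually changed. The sample transcript embedded in the script is constructed; when `buildah` is installed, the script uses the live output instead.

```shell
#!/bin/sh
# Added example (not from the original post): compare the Buildah version
# reported by `buildah version` against the fixed version named in the
# advisory, field by field. A plain string comparison would rank 1.4.0 above
# 1.35.5, which is why the version is split on dots and compared numerically.

FIXED_VERSION="1.35.5"   # from the SUSE advisory quoted in the post

# Constructed sample of `buildah version` output (not captured from a real host).
SAMPLE_OUTPUT='Version:         1.35.4
Go Version:      go1.21.9
Image Spec:      1.1.0
Runtime Spec:    1.2.0
OS/Arch:         linux/amd64'

# Print the X.Y.Z from the "Version:" line, dropping suffixes such as "-dev".
parse_buildah_version() {
    printf '%s\n' "$1" | awk '/^Version:/ { sub(/-.*/, "", $2); print $2; exit }'
}

# Print the Go toolchain Buildah was built with (the "go" prefix removed); this
# is the runtime that a Go security release replaces.
parse_go_version() {
    printf '%s\n' "$1" | awk '/^Go Version:/ { sub(/^go/, "", $3); print $3; exit }'
}

# Return 0 when $1 is strictly older than $2. Missing fields count as 0, so
# "1.35" compares as "1.35.0".
version_lt() {
    _a="$1.0.0" _b="$2.0.0" _i=1
    while [ "$_i" -le 3 ]; do
        _x=$(printf '%s\n' "$_a" | cut -d. -f"$_i")
        _y=$(printf '%s\n' "$_b" | cut -d. -f"$_i")
        [ "$_x" -lt "$_y" ] && return 0
        [ "$_x" -gt "$_y" ] && return 1
        _i=$((_i + 1))
    done
    return 1   # equal
}

# Print "vulnerable", "fixed" or "unknown" for a `buildah version` transcript.
assess() {
    _v=$(parse_buildah_version "$1")
    if [ -z "$_v" ]; then
        echo "unknown"
    elif version_lt "$_v" "$FIXED_VERSION"; then
        echo "vulnerable (buildah $_v < $FIXED_VERSION, built with Go $(parse_go_version "$1"))"
    else
        echo "fixed (buildah $_v >= $FIXED_VERSION)"
    fi
}

# Use the live host when buildah is installed, otherwise the constructed sample.
if command -v buildah >/dev/null 2>&1; then
    assess "$(buildah version)"
else
    assess "$SAMPLE_OUTPUT"
fi
```

Adjust `FIXED_VERSION` to whatever your distribution ships as the patched build; the numeric comparison is what matters, not the particular value.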

Automation Script to Apply the Fix (Bash – works on all major distros)


Save this as fix-buildah.sh and run it with sudo bash fix-buildah.sh.

bash
#!/bin/bash
# Universal Buildah security updater
# Works on Ubuntu, Rocky, SUSE, and derivatives

set -e

if [ "$EUID" -ne 0 ]; then
    echo "Please run as root (use sudo)."
    exit 1
fi

echo "Checking OS family..."
if [ -f /etc/os-release ]; then
    . /etc/os-release
    OS=$ID
else
    echo "Cannot detect OS."
    exit 1
fi

case "$OS" in
    ubuntu|debian)
        apt update
        apt install -y buildah
        ;;
    rocky|almalinux|rhel|centos)
        dnf update -y buildah
        ;;
    sles|opensuse|opensuse-leap|opensuse-tumbleweed)
        zypper refresh
        zypper update -y buildah
        ;;
    *)
        echo "Unsupported OS. Please update buildah manually."
        exit 1
        ;;
esac

echo "Buildah updated. New version:"
buildah version | grep Version

Alternative Mitigation If You Can’t Update Now

If you cannot restart services or update Buildah today, use these temporary workarounds.

1. Restrict Buildah with iptables (prevent network access)

bash
# Create a dedicated user for building
sudo useradd -m buildah-builder
# Allow the private networks first: iptables uses the first matching rule,
# so the ACCEPT rules must be added before the catch-all DROP
sudo iptables -A OUTPUT -m owner --uid-owner buildah-builder -d 192.168.0.0/16 -j ACCEPT
sudo iptables -A OUTPUT -m owner --uid-owner buildah-builder -d 10.0.0.0/8 -j ACCEPT
# Allow only your private registry (a hostname is resolved once, when the rule is added)
sudo iptables -A OUTPUT -m owner --uid-owner buildah-builder -d registry.example.com -j ACCEPT
# Drop everything else from that user (must come after the ACCEPT rules)
sudo iptables -A OUTPUT -m owner --uid-owner buildah-builder -j DROP
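Because iptables stops at the first matching rule, an ACCEPT appended after the per-user DROP never fires and the build user silently loses access to the registry it was meant to keep. The script below is an added example, not code from the original post: it emits the per-user egress rules in the order they must be applied (allow-list first, DROP last) and audits the text of an existing `iptables -S OUTPUT` listing for ACCEPT rules that sit behind a DROP for the same uid. The listing embedded in the script is constructed to reproduce that mistake; the uid 1001 is an assumed value.

```shell
#!/bin/sh
# Added example (not from the original post): emit per-user egress rules in the
# order iptables needs them (allow-list first, DROP last, because the first
# matching rule wins) and audit an existing OUTPUT chain for ACCEPT rules that
# sit behind a DROP for the same user and can therefore never match.

# Print rules in `iptables -S` form for uid $1: one ACCEPT per destination
# given in $2..$n, then the catch-all DROP. Pass IPs or CIDRs, not hostnames:
# a hostname given to -d is resolved once, when the rule is added.
build_egress_rules() {
    _uid=$1; shift
    for _dst in "$@"; do
        printf '%s\n' "-A OUTPUT -m owner --uid-owner $_uid -d $_dst -j ACCEPT"
    done
    printf '%s\n' "-A OUTPUT -m owner --uid-owner $_uid -j DROP"
}

# Print every ACCEPT rule for uid $1 that appears after a DROP for that uid in
# the ruleset listing $2 (the text of `iptables -S OUTPUT`).
shadowed_rules() {
    printf '%s\n' "$2" | awk -v uid="$1" '
        $0 ~ ("--uid-owner " uid "( |$)") {
            if ($0 ~ /-j DROP/) drop_seen = 1
            else if ($0 ~ /-j ACCEPT/ && drop_seen) print
        }'
}

# Return 0 when no rule for uid $1 is shadowed, 1 otherwise.
check_owner_rule_order() {
    [ -z "$(shadowed_rules "$1" "$2")" ]
}

# Constructed listing (not captured from a real host) that reproduces the
# ordering mistake: the DROP was appended first, so both ACCEPTs are dead.
BAD_RULES='-P OUTPUT ACCEPT
-A OUTPUT -m owner --uid-owner 1001 -j DROP
-A OUTPUT -d 192.168.0.0/16 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -m owner --uid-owner 1001 -j ACCEPT'

echo "Rules in the order to apply them (prefix each line with: iptables):"
build_egress_rules 1001 192.168.0.0/16 10.0.0.0/8

if check_owner_rule_order 1001 "$BAD_RULES"; then
    echo "ordering OK"
else
    echo "ACCEPT rules shadowed by an earlier DROP:"
    shadowed_rules 1001 "$BAD_RULES"
fi
```

To audit a live host, pass the uid as it appears in the listing: `check_owner_rule_order "$(id -u buildah-builder)" "$(sudo iptables -S OUTPUT)"`.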


2. AppArmor profile to restrict Buildah capabilities

Create /etc/apparmor.d/usr.bin.buildah:

text
#include <tunables/global>
/usr/bin/buildah {
  #include <abstractions/base>
  capability setuid,
  capability setgid,
  deny capability sys_admin,
  deny capability net_raw,
  deny network inet,
  deny network inet6,
}


Then load it: sudo apparmor_parser -r /etc/apparmor.d/usr.bin.buildah

3. Run Buildah inside a locked-down container (using Podman)

bash
podman run --security-opt=no-new-privileges --read-only \
  --volume /path/to/context:/context:ro \
  docker.io/containers/buildah:latest buildah bud -f /context/Dockerfile


Suggested book:



This book teaches you how to assess container build tools like Buildah, Podman, and Docker from first principles. Instead of blindly running updates, you’ll learn to:
  • Audit your Go runtime dependencies
  • Build minimal, secure images
Why this helps: The SUSE advisory fixes one Go vulnerability. Liz Rice’s book teaches you to find and fix the next ten before they hit the news.


Conclusion:

Don’t wait for the next SUSE advisory. Get ahead of container security.


