Date:      Sat, 14 May 2022 14:03:59 +0100
From:      Doug Rabson <dfr@rabson.org>
To:        freebsd-jail@freebsd.org
Subject:   FreeBSD containers with podman and buildah
Message-ID:  <CACA0VUgigOMsYA89r1PfJ0MQ9c6FKFb0t_JE6UxbPgrtV0vfpg@mail.gmail.com>


Recently I've been working on porting the buildah and podman container
tools to FreeBSD. Podman is a drop-in replacement for docker and
buildah focuses on the narrower problem of building container images. At
this point, there is enough functionality to show that these tools are
viable on FreeBSD so I thought I would write a note here about how to
install and try out my proof-of-concept.

This will pull in source code for buildah and related modules, build
everything and install to /usr/local. Be aware that if you have
sysutils/runj installed, it will be overwritten with a modified version.
This all happens in a directory named 'build' which can be deleted to clean
up or to force a clean build:

mkdir -p build
fetch https://gist.github.com/dfr/ac4dc043ee3780b690c5887a61f53494/raw/11474779a16bdff1ca31c94437ddb25a8f1f364b/buildah-install.sh
chmod +x buildah-install.sh
(cd build && ../buildah-install.sh)


Make a container and run things inside it:

c=$(sudo buildah from docker.io/kwiat/freebsd:13.0-RELEASE)
sudo buildah run $c freebsd-version
sudo buildah run $c ifconfig
sudo buildah rm $c


Download and run images in podman:

sudo podman run --rm docker.io/dougrabson/hello


The containers will use the default 'podman' network which is defined in
/usr/local/etc/cni/net.d/87-podman-bridge.conflist. This relies on NAT to
allow the container traffic out to the internet and I use pf with the
following simple pf.conf:

nat on egress inet from <cni-nat> to any -> (egress)
nat on egress inet6 from <cni-nat> to !ff00::/8 -> (egress)
rdr-anchor "cni-rdr/*"
table <cni-nat>


Note: I'm using the OpenBSD convention to identify the host's main
interface by putting it into the 'egress' group using ifconfig, e.g.:

sudo ifconfig vtnet0 group egress


There is a lot of room for improvement in this area - NAT works fairly well
for ipv4 but can get confused with ipv6 if the egress interface has
non-routable addresses assigned to it. Port mapping is very limited and
does not work for connections from localhost. Perhaps someone with better
pf skills can help figure out how to get this working (probably needs to
NAT from localhost back to the container network).
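As an added example, not part of Doug's mail: the install steps above wrapped in a small POSIX sh script that records the downloaded installer's SHA-256 and refuses to run it unless the digest matches a value you pinned after reviewing the script, since the installer builds and installs over /usr/local and replaces sysutils/runj. The URL and fetch(1) are the ones from the mail; EXPECTED_SHA256 is a placeholder and sha256_of/verify_digest/install_buildah are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original mail): fetch the install script,
# check it against a pinned SHA-256, and only then run the build in the
# 'build' directory exactly as the mail describes.
set -eu

SCRIPT_URL="https://gist.github.com/dfr/ac4dc043ee3780b690c5887a61f53494/raw/11474779a16bdff1ca31c94437ddb25a8f1f364b/buildah-install.sh"
# Placeholder: replace with the digest you recorded after reading the script.
EXPECTED_SHA256="<sha256-of-the-reviewed-buildah-install.sh>"

# Print the SHA-256 of a file using whichever tool the host provides
# (sha256(1) on FreeBSD, sha256sum(1) on most Linux systems).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Return 0 when the file's digest equals the expected value, 1 otherwise.
verify_digest() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Fetch, verify, run. The script is made executable and executed only after
# its digest has been checked, so an unexpected upstream change fails here
# instead of being built and installed over /usr/local and sysutils/runj.
install_buildah() {
    fetch -o buildah-install.sh "$SCRIPT_URL"
    if ! verify_digest buildah-install.sh "$EXPECTED_SHA256"; then
        echo "buildah-install.sh: SHA-256 mismatch, refusing to run it" >&2
        return 1
    fi
    chmod +x buildah-install.sh
    mkdir -p build
    (cd build && ../buildah-install.sh)
}
```

Run `install_buildah` from the directory where you want the 'build' tree; deleting that directory still gives a clean rebuild as the mail notes.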



