FreeBSD containers with podman and buildah

From: Doug Rabson <dfr_at_rabson.org>
Date: Sat, 14 May 2022 13:03:59 UTC
Recently I've been working on porting the buildah and podman container
tools to FreeBSD. Podman is a drop-in replacement for docker and
buildah focuses on the narrower problem of building container images. At
this point, there is enough functionality to show that these tools are
viable on FreeBSD so I thought I would write a note here about how to
install and try out my proof-of-concept.

To install, fetch and run the install script. It will pull in source code for
buildah and related modules, build everything and install to /usr/local. Be
aware that if you have sysutils/runj installed, it will be overwritten with a
modified version. The build happens in a directory named 'build', which can be
deleted to clean up or to force a clean build:

mkdir -p build
fetch https://gist.github.com/dfr/ac4dc043ee3780b690c5887a61f53494/raw/11474779a16bdff1ca31c94437ddb25a8f1f364b/buildah-install.sh
chmod +x buildah-install.sh
(cd build && ../buildah-install.sh)


Make a container and run things inside it:

c=$(sudo buildah from docker.io/kwiat/freebsd:13.0-RELEASE)
sudo buildah run $c freebsd-version
sudo buildah run $c ifconfig
sudo buildah rm $c


Download and run images in podman:

sudo podman run --rm docker.io/dougrabson/hello
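Putting the buildah and podman steps above together, here is an added example script (not from the original post, and not part of buildah or podman) that builds a small image from the same base, commits it and runs it with podman. The image name localhost/freebsd-hello, the hello script it installs, and the use of 'buildah copy' and 'buildah config' (standard buildah subcommands, but not exercised in the post) are this example's own choices.

```sh
#!/bin/sh
# Added example (not part of the original post): build an image with buildah
# and run it with podman, using the commands the post shows working on
# FreeBSD (from, run, commit, podman run) plus 'buildah copy'/'buildah config'.
# The image name, the hello script and the base image tag are assumptions.
set -eu

SUDO=${SUDO-sudo}                         # SUDO="" if you are already root
BASE=${BASE:-docker.io/kwiat/freebsd:13.0-RELEASE}
IMAGE=${IMAGE:-localhost/freebsd-hello:latest}

# Start a working container from the base image, add a script, set the
# default command and commit the result. Prints the new image id on stdout;
# buildah's own progress messages go to stderr.
build_image() {
    local c tmp img
    c=$($SUDO buildah from "$BASE")

    # Content goes in from a file on the host via 'buildah copy'.
    tmp=$(mktemp "${TMPDIR:-/tmp}/hello.XXXXXX")
    printf '%s\n' '#!/bin/sh' \
        'echo "hello from $(freebsd-version) in container $(hostname)"' > "$tmp"
    $SUDO buildah copy "$c" "$tmp" /usr/local/bin/hello >/dev/null
    rm -f "$tmp"

    # Commands run inside the working container, as in the post.
    $SUDO buildah run "$c" -- chmod 555 /usr/local/bin/hello
    $SUDO buildah config --cmd /usr/local/bin/hello "$c"

    img=$($SUDO buildah commit "$c" "$IMAGE")
    $SUDO buildah rm "$c" >/dev/null         # would print the container id
    echo "$img"
}

# Run the committed image with podman; --rm removes the container afterwards.
run_image() {
    $SUDO podman run --rm "$IMAGE"
}

case "${1-}" in
    build) build_image ;;
    run)   run_image ;;
    all)   build_image >/dev/null; run_image ;;
    *)     ;;                                # no argument: only define functions
esac
```

Run it as 'sh build-hello.sh all' on a host where the install script above has been run; 'build' alone prints the committed image id, which 'sudo podman images' will then list under localhost/freebsd-hello.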


The containers will use the default 'podman' network which is defined in
/usr/local/etc/cni/net.d/87-podman-bridge.conflist. This relies on NAT to
allow the container traffic out to the internet and I use pf with the
following simple pf.conf:

nat on egress inet from <cni-nat> to any -> (egress)
nat on egress inet6 from <cni-nat> to !ff00::/8 -> (egress)
rdr-anchor "cni-rdr/*"
table <cni-nat>


Note: I'm using the OpenBSD convention to identify the host's main
interface by putting it into the 'egress' group using ifconfig, e.g.:

sudo ifconfig vtnet0 group egress
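For a host that should keep this setup across reboots, and with a default-deny inbound policy on the uplink rather than pf's pass-everything default, here is an added example /etc/pf.conf (not the post's own config, which is the four lines above). It assumes the bridge interface is cni-podman0 (the name in podman's stock 87-podman-bridge.conflist; check the file on your host), that ssh is the only host service to expose on the uplink, and that /etc/rc.conf carries pf_enable="YES", gateway_enable="YES" and ipv6_gateway_enable="YES" (the host has to forward between the bridge and the uplink or the NAT rules never see any traffic) plus ifconfig_vtnet0="DHCP group egress" so the group membership survives a reboot.

```pf
# /etc/pf.conf for a podman host (added example, not the original post's
# config). Assumptions: uplink is in the 'egress' group, the CNI bridge is
# cni-podman0, and ssh is the only host service exposed on the uplink.
ext_if = "egress"
cni_if = "cni-podman0"

# Populated at run time by the CNI plugins with container addresses;
# declared first so the rules can reference it before any container exists.
table <cni-nat>

# Translation rules must precede filter rules in pf.conf.
nat on $ext_if inet  from <cni-nat> to any       -> ($ext_if)
nat on $ext_if inet6 from <cni-nat> to !ff00::/8 -> ($ext_if)
# Port mappings (podman run -p ...) are inserted as rdr rules under this anchor.
rdr-anchor "cni-rdr/*"

# Filter rules: default deny inbound on the uplink, everything else passes.
block in on $ext_if
pass out on $ext_if
# Router advertisements and neighbour discovery, or IPv6 stops working.
pass in on $ext_if inet6 proto ipv6-icmp icmp6-type { routeradv, neighbrsol, neighbradv }
pass in on $ext_if proto tcp to any port ssh
# A packet that a cni-rdr rule has already rewritten has a container address
# as its destination, so this passes exactly the published ports and no more.
pass in on $ext_if to <cni-nat>
# Container <-> host and container <-> container traffic on the bridge.
pass on $cni_if
```

Check the file with 'sudo pfctl -nf /etc/pf.conf' before loading it, and watch 'sudo pfctl -a "cni-rdr/*" -sn' while a container with a published port is running to see the rules the plugin adds under the anchor.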


There is a lot of room for improvement in this area - NAT works fairly well
for IPv4 but can get confused with IPv6 if the egress interface has
non-routable addresses assigned to it. Port mapping is very limited and
does not work for connections from localhost. Perhaps someone with better
pf skills can help figure out how to get this working (probably needs to
NAT from localhost back to the container network).