Re: FreeBSD containers with podman and buildah
- In reply to: Doug Rabson : "FreeBSD containers with podman and buildah"
Date: Sat, 14 May 2022 15:11:12 UTC
This is great!

On Sat, 14 May 2022 at 09:04, Doug Rabson (dfr@rabson.org) wrote:
> Recently I've been working on porting the buildah and podman container
> tools to FreeBSD. Podman is a drop-in replacement for docker and
> buildah focuses on the narrower problem of building container images. At
> this point, there is enough functionality to show that these tools are
> viable on FreeBSD so I thought I would write a note here about how to
> install and try out my proof-of-concept.
>
> This will pull in source code for buildah and related modules, build
> everything and install to /usr/local. Be aware that if you have
> sysutils/runj installed, it will be overwritten with a modified version.
> This all happens in a directory named 'build' which can be deleted to clean
> up or to force a clean build:
>
> mkdir -p build
> fetch https://gist.github.com/dfr/ac4dc043ee3780b690c5887a61f53494/raw/11474779a16bdff1ca31c94437ddb25a8f1f364b/buildah-install.sh
> chmod +x buildah-install.sh
> (cd build && ../buildah-install.sh)
>
> Make a container and run things inside it:
>
> c=$(sudo buildah from docker.io/kwiat/freebsd:13.0-RELEASE)
> sudo buildah run $c freebsd-version
> sudo buildah run $c ifconfig
> sudo buildah rm $c
>
> Download and run images in podman:
>
> sudo podman run --rm docker.io/dougrabson/hello
>
> The containers will use the default 'podman' network which is defined in
> /usr/local/etc/cni/net.d/87-podman-bridge.conflist. This relies on NAT to
> allow the container traffic out to the internet and I use pf with the
> following simple pf.conf:
>
> nat on egress inet from <cni-nat> to any -> (egress)
> nat on egress inet6 from <cni-nat> to !ff00::/8 -> (egress)
> rdr-anchor "cni-rdr/*"
> table <cni-nat>
>
> Note: I'm using the OpenBSD convention to identify the host's main
> interface by putting it into the 'egress' group using ifconfig, e.g.:
>
> sudo ifconfig vtnet0 group egress
>
> There is a lot of room for improvement in this area - NAT works fairly
> well for ipv4 but can get confused with ipv6 if the egress interface has
> non-routable addresses assigned to it. Port mapping is very limited and
> does not work for connections from localhost. Perhaps someone with better
> pf skills can help figure out how to get this working (probably needs to
> NAT from localhost back to the container network).
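Two small sh checks for the pf side of the quoted setup, added here as an example and not code from Doug's post or the podman port: one confirms a pf.conf carries the NAT rules, rdr anchor and table the post lists, the other scans saved ifconfig output of the egress interface for the link-local and unique-local IPv6 addresses that the post says confuse the IPv6 NAT rule (treating fe80::/10 and fc00::/7 as "non-routable" is my assumption).

```shell
#!/bin/sh
# Added example (not Doug Rabson's code): sanity checks for the pf side of the
# podman CNI network in the quoted post. Both functions read a text file so
# they can be run against saved output; the flagged prefixes are assumptions
# based on the post's "non-routable addresses" remark.

# Emit the pf.conf fragment from the post, e.g. to compare against /etc/pf.conf.
cni_pf_conf() {
    cat <<'EOF'
nat on egress inet from <cni-nat> to any -> (egress)
nat on egress inet6 from <cni-nat> to !ff00::/8 -> (egress)
rdr-anchor "cni-rdr/*"
table <cni-nat>
EOF
}

# check_nat_rules FILE: confirm a pf.conf carries the IPv4 NAT rule, the IPv6
# NAT rule, the rdr anchor and the table podman needs. Returns 0 if all are
# present, otherwise prints each missing piece and returns 1.
check_nat_rules() {
    f=$1
    rc=0
    grep -q 'nat on egress inet from <cni-nat>' "$f" || { echo "missing: IPv4 nat rule"; rc=1; }
    grep -q 'nat on egress inet6 from <cni-nat> to !ff00::/8' "$f" || { echo "missing: IPv6 nat rule"; rc=1; }
    grep -q 'rdr-anchor "cni-rdr/\*"' "$f" || { echo "missing: rdr-anchor cni-rdr/*"; rc=1; }
    grep -q 'table <cni-nat>' "$f" || { echo "missing: table <cni-nat>"; rc=1; }
    return $rc
}

# flag_nonroutable_v6 FILE: scan saved `ifconfig <egress-if>` output for inet6
# addresses that are link-local (fe80::/10) or unique-local (fc00::/7), the
# situation the post says confuses the IPv6 NAT rule. Prints one address per
# line (scope id such as %vtnet0 stripped); prints nothing when none are found.
flag_nonroutable_v6() {
    awk '$1 == "inet6" {
        a = tolower($2)
        sub(/%.*/, "", a)
        if (a ~ /^fe[89ab]/ || a ~ /^f[cd]/) print a
    }' "$1"
}

# Example run against the live system (ifconfig and pf.conf path are FreeBSD's own):
#   ifconfig vtnet0 > /tmp/egress.txt && flag_nonroutable_v6 /tmp/egress.txt
#   check_nat_rules /etc/pf.conf
```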