This will pull in source code for podman, buildah and related modules, build everything and install to /usr/local. This all happens in a directory named 'build' which can be deleted to clean up or to force a clean build.
mkdir -p build
fetch https://gist.github.com/dfr/ac4dc043ee3780b690c5887a61f53494/raw/1e55da486792ffda61c9d6070d5d834888be9590/buildah-install.sh
chmod +x buildah-install.sh
(cd build && ../buildah-install.sh)
Make a container and run things inside it:
c=$(sudo buildah from docker.io/kwiat/freebsd:13.0-RELEASE)
sudo buildah run $c freebsd-version
sudo buildah run $c ifconfig
sudo buildah rm -a
Download and run images in podman:
sudo podman run --rm docker.io/dougrabson/hello
The containers will use the default 'podman' network which is defined in /usr/local/etc/cni/net.d/87-podman-bridge.conflist. This relies on NAT to allow the container traffic out to the internet and I use pf with the following simple pf.conf:
nat on egress inet from <cni-nat> to any -> (egress)
nat on egress inet6 from <cni-nat> to !ff00::/8 -> (egress)
rdr-anchor "cni-rdr/*"
table <cni-nat>
Note: I'm using the OpenBSD convention to identify the host's main interface by putting it into the 'egress' group using ifconfig, e.g.:
sudo ifconfig vtnet0 group egress
There is a lot of room for improvement in this area - NAT works fairly well for IPv4 but can get confused with IPv6 if the egress interface has non-routable addresses assigned to it. Port mapping is very limited and does not work for connections from localhost. Perhaps someone with better pf skills can help figure out how to get this working (probably needs to NAT from localhost back to the container network).
Stats for running podman containers can be accessed using the 'podman stats' command. This relies on the RACCT accounting framework which is present in GENERIC kernels but must be enabled by adding kern.racct.enable="1" to /boot/loader.conf.
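The host prerequisites described above (the <cni-nat> pf rules on the egress group, an interface in the 'egress' group, and RACCT enabled in loader.conf) are easy to get half-right, so here is a small preflight script that checks them. It is an added example, not part of the gist or of podman/buildah; the function names are hypothetical, and it reads each item from a file so it can be run against captured command output as well as the live files on a FreeBSD host.

```shell
#!/bin/sh
# Preflight checks for the podman-on-FreeBSD host setup (added example, not the
# gist's own code). Each check takes a file path so it can be pointed at the
# real files on a FreeBSD host or at captured output for offline testing.

# 'podman stats' needs RACCT: kern.racct.enable="1" must be set in loader.conf.
check_racct() {
    grep -Eq '^[[:space:]]*kern\.racct\.enable[[:space:]]*=[[:space:]]*"?1"?[[:space:]]*$' "$1"
}

# pf.conf must declare the <cni-nat> table, NAT from it on the egress group,
# and the rdr-anchor that CNI populates with port mappings.
check_pf_conf() {
    f=$1
    grep -Eq '^[[:space:]]*table[[:space:]]+<cni-nat>' "$f" &&
    grep -Eq '^[[:space:]]*nat[[:space:]]+on[[:space:]]+egress[[:space:]].*<cni-nat>' "$f" &&
    grep -Eq '^[[:space:]]*rdr-anchor[[:space:]]+"cni-rdr/\*"' "$f"
}

# At least one interface must be in the 'egress' group. The input file is the
# output of 'ifconfig -g egress', which lists member interfaces one per line.
check_egress() {
    grep -Eq '^[[:alnum:]_.]+$' "$1"
}

# Run all three checks, print one status line each, return 1 if any failed.
# Usage: preflight LOADER_CONF PF_CONF EGRESS_LIST
preflight() {
    rc=0
    check_racct "$1"   && echo "ok   RACCT enabled in $1"   || { echo "FAIL RACCT not enabled in $1"; rc=1; }
    check_pf_conf "$2" && echo "ok   cni-nat rules in $2"   || { echo "FAIL cni-nat rules missing in $2"; rc=1; }
    check_egress "$3"  && echo "ok   egress group populated" || { echo "FAIL no interface in egress group"; rc=1; }
    return $rc
}

# On a FreeBSD host:  ifconfig -g egress > /tmp/egress.txt
#                     preflight /boot/loader.conf /etc/pf.conf /tmp/egress.txt
```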
There still seem to be some issues running containers in buildah and podman though when I test this on a fresh VM. I'll work on debugging it.