103 lines
2.1 KiB
Markdown
# Podman

Podman! On FreeBSD!

# Install

```sh
pkg install podman-suite
```

Alternatively, if the packages are already installed, re-display their post-install messages (they contain the setup steps):

```sh
pkg info -D containers-common podman podman-suite
```


Follow the instructions in those messages for creating the ZFS mount point and for enabling the podman and Linux services.

Then PF. Start from the sample ruleset shipped with the package:

```sh
cp /usr/local/etc/containers/pf.conf.sample /etc/pf.conf
```

Edit it. I added my own rules too:

```pf
v4egress_if = "em0"
v6egress_if = "em0"

nat on $v4egress_if inet from <cni-nat> to any -> ($v4egress_if)
nat on $v6egress_if inet6 from <cni-nat> to !ff00::/8 -> ($v6egress_if)

rdr-anchor "cni-rdr/*"
nat-anchor "cni-rdr/*"
table <cni-nat>

# My rules
block in all

ext_if="em0"

pass in on $ext_if proto tcp to ($ext_if) port 22
pass in on $ext_if proto tcp to ($ext_if) port 80
pass in on $ext_if proto tcp to ($ext_if) port 443

tailscale_if="tailscale0"
pass in on $tailscale_if proto tcp to any port 22

pass out all keep state
```

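To make the ordering of those rules concrete: PF evaluates filter rules top to bottom and the last matching rule wins unless a rule says `quick`, which is why `block in all` comes first and the narrower `pass in` rules follow it. The script below is an added example, not part of this page or of the Podman project. It parses the ruleset above using a deliberately small subset of pf.conf syntax (macros, `block`/`pass`, `on`, `proto`, `to`, `port`, `quick`), skips the NAT, anchor and table lines because they translate addresses rather than filter packets, and reports the verdict for a few constructed packets. The interface addresses are assumptions: `192.168.1.10` for `em0` is taken from the URL at the end of the page, and `100.64.0.1` for `tailscale0` is made up.

```python
# Added example: a minimal simulator of PF's last-match-wins filtering,
# run over the pf.conf from the page. Not the page's own code.
import re

# Constructed input: the ruleset from the page, copied verbatim.
PF_CONF = """
v4egress_if = "em0"
v6egress_if = "em0"

nat on $v4egress_if inet from <cni-nat> to any -> ($v4egress_if)
nat on $v6egress_if inet6 from <cni-nat> to !ff00::/8 -> ($v6egress_if)

rdr-anchor "cni-rdr/*"
nat-anchor "cni-rdr/*"
table <cni-nat>

# My rules
block in all

ext_if="em0"

pass in on $ext_if proto tcp to ($ext_if) port 22
pass in on $ext_if proto tcp to ($ext_if) port 80
pass in on $ext_if proto tcp to ($ext_if) port 443

tailscale_if="tailscale0"
pass in on $tailscale_if proto tcp to any port 22

pass out all keep state
"""

# Assumed interface addresses: em0 from the page's URL, tailscale0 made up.
IFACE_ADDRS = {"em0": {"192.168.1.10"}, "tailscale0": {"100.64.0.1"}}

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')


def parse_rules(conf):
    """Return the filter rules of conf, in order, with macros expanded."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line)
        toks = line.split()
        if toks[0] not in ("pass", "block"):
            continue  # nat, rdr-anchor, nat-anchor, table: not filter rules
        rule = {"action": toks[0], "dir": toks[1], "quick": False,
                "iface": None, "proto": None, "dst": "any", "port": None}
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok == "quick":
                rule["quick"] = True
            elif tok in ("on", "proto", "to", "port", "from"):
                i += 1  # these keywords take one argument
                if tok == "on":
                    rule["iface"] = toks[i]
                elif tok == "proto":
                    rule["proto"] = toks[i]
                elif tok == "to":
                    rule["dst"] = toks[i]
                elif tok == "port":
                    rule["port"] = int(toks[i])
                # "from": source matching is not modelled (treated as any)
            # "all", "keep", "state" need no handling here
            i += 1
        rules.append(rule)
    return rules


def rule_matches(rule, pkt):
    """True if rule applies to pkt; '(ifname)' means that interface's own addresses."""
    if rule["dir"] != pkt["dir"]:
        return False
    if rule["iface"] is not None and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    dst = rule["dst"]
    if dst.startswith("(") and dst.endswith(")"):
        if pkt["dst"] not in IFACE_ADDRS.get(dst[1:-1], set()):
            return False
    elif dst != "any" and dst != pkt["dst"]:
        return False
    if rule["port"] is not None and rule["port"] != pkt["port"]:
        return False
    return True


def decide(rules, pkt):
    """PF semantics: the last matching rule wins, unless a matching rule is quick."""
    verdict = "pass"  # PF's implicit default when no rule matches
    for rule in rules:
        if rule_matches(rule, pkt):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict


def inbound_open_ports(rules, iface, proto="tcp"):
    """Ports on which a packet to iface's own address would be accepted."""
    addr = next(iter(IFACE_ADDRS[iface]))
    return sorted(p for p in range(1, 65536)
                  if decide(rules, {"dir": "in", "iface": iface, "proto": proto,
                                    "dst": addr, "port": p}) == "pass")


PROBES = {  # constructed packets
    "ssh_from_lan": {"dir": "in", "iface": "em0", "proto": "tcp", "dst": "192.168.1.10", "port": 22},
    "https_from_lan": {"dir": "in", "iface": "em0", "proto": "tcp", "dst": "192.168.1.10", "port": 443},
    "alt_http_from_lan": {"dir": "in", "iface": "em0", "proto": "tcp", "dst": "192.168.1.10", "port": 8080},
    "dns_udp_from_lan": {"dir": "in", "iface": "em0", "proto": "udp", "dst": "192.168.1.10", "port": 53},
    "ssh_via_tailscale": {"dir": "in", "iface": "tailscale0", "proto": "tcp", "dst": "100.64.0.1", "port": 22},
    "outbound_https": {"dir": "out", "iface": "em0", "proto": "tcp", "dst": "203.0.113.5", "port": 443},
}


def audit(conf=PF_CONF, probes=PROBES):
    """Map each probe name to the verdict the ruleset gives it."""
    rules = parse_rules(conf)
    return {name: decide(rules, pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:20s} {verdict}")
    print("inbound tcp ports open on em0:", inbound_open_ports(parse_rules(PF_CONF), "em0"))
```

The simulator is a reading aid for the rule order, not a substitute for `pfctl -nf /etc/pf.conf`, which checks the file's real syntax on the FreeBSD host. With the page's ruleset it reports that only TCP ports 22, 80 and 443 are accepted on `em0`, only port 22 on `tailscale0`, and everything outbound passes.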
# Run

Run a FreeBSD container:

```sh
podman run --rm quay.io/dougrabson/hello
```

Run a Linux container. Note that when you want to run an image from Docker Hub you qualify its name with `docker.io`:

```sh
podman run --rm --os=linux docker.io/alpine cat /etc/os-release | head -1
```

# Networking

If you run a container without specifying a network, it is attached to the default network, `podman`, which uses the subnet `10.88.0.0/16`. For example:

```sh
podman run --rm --os=linux docker.io/httpd
```

will print:

```
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.88.0.8. Set the 'ServerName' directive globally to suppress this message
```

This message comes from the Apache web server itself, so it is useful: it confirms the container is up and tells you its address. You can only access it from the same machine though:

```sh
curl 10.88.0.8
```

If you want to expose it externally, like we do on our Linux box, you need to attach it to the host network:

```sh
podman run --rm --os=linux --network=host docker.io/httpd
```

Then Apache complains again, this time about 127.0.0.1:

```
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
```

I can now access the website on the host machine's address:

* http://192.168.1.10/