FreeBSD Bugzilla – Attachment 237442 Details for Bug 267184: port dfr's podman + buildah + conmon + CNI plugins
Description: notes from 1a67b6322081831320347abde2ef901a7059ccc8
buildah-install.md (text/plain), 1.94 KB, created by Dave Cottlehuber on 2022-10-18 19:44:43 UTC
This will pull in source code for podman, buildah and related modules, build everything and install to /usr/local. This all happens in a directory named 'build' which can be deleted to clean up or to force a clean build.

```
mkdir -p build
fetch https://gist.github.com/dfr/ac4dc043ee3780b690c5887a61f53494/raw/1e55da486792ffda61c9d6070d5d834888be9590/buildah-install.sh
chmod +x buildah-install.sh
(cd build && ../buildah-install.sh)
```

Make a container and run things inside it:

```
c=$(sudo buildah from docker.io/kwiat/freebsd:13.0-RELEASE)

sudo buildah run $c freebsd-version
sudo buildah run $c ifconfig
sudo buildah rm -a
```

Download and run images in podman:

```
sudo podman run --rm docker.io/dougrabson/hello
```

The containers will use the default 'podman' network which is defined in `/usr/local/etc/cni/net.d/87-podman-bridge.conflist`. This relies on NAT to allow the container traffic out to the internet and I use pf with the following simple `pf.conf`:

```
nat on egress inet from <cni-nat> to any -> (egress)
nat on egress inet6 from <cni-nat> to !ff00::/8 -> (egress)
rdr-anchor "cni-rdr/*"
table <cni-nat>
```

Note: I'm using the OpenBSD convention to identify the host's main interface by putting it into the 'egress' group using `ifconfig`, e.g.:

```
sudo ifconfig vtnet0 group egress
```

There is a lot of room for improvement in this area - NAT works fairly well for ipv4 but can get confused with ipv6 if the egress interface has non-routable addresses assigned to it. Port mapping is very limited and does not work for connections from localhost. Perhaps someone with better pf skills can help figure out how to get this working (probably needs to NAT from localhost back to the container network).

Stats for running podman containers can be accessed using the 'podman stats' command. This relies on the RACCT accounting framework which is present in GENERIC kernels but must be enabled by adding `kern.racct.enable="1"` to `/boot/loader.conf`.
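A preflight script for the host setup these notes describe, added here as an example; it is not part of the attachment, the gist, or the podman/buildah ports. It checks the three host-side prerequisites the notes mention: RACCT is on (otherwise `podman stats` has nothing to report), at least one interface is in the `egress` group (otherwise the `on egress` / `(egress)` rules never match and container traffic leaves with its untranslated source address), and `pf.conf` carries the IPv4 NAT rule, the `cni-rdr` anchor and the `<cni-nat>` table the notes show. The function names, the `/etc/pf.conf` path, and the claim that `<cni-nat>` is populated at runtime rather than in `pf.conf` are assumptions of this example; each check takes command output as text so it can be exercised without a FreeBSD host.

```shell
#!/bin/sh
# Preflight checks for the podman/buildah host setup (added example, not
# from the attachment). When run with --live it assumes FreeBSD sysctl(8),
# ifconfig(8) and /etc/pf.conf; the check_* functions take the relevant
# text as an argument so they can also be driven with constructed samples.

# check_racct VALUE: VALUE is the output of `sysctl -n kern.racct.enable`.
# Returns 0 only when RACCT accounting is enabled.
check_racct() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# check_egress TEXT: TEXT is the output of `ifconfig -g egress`.
# Prints the group members one per line; returns 1 when the group is empty,
# which would leave the pf NAT rules with no interface to match.
check_egress() {
    members=$(printf '%s\n' "$1" | tr -s ' \t\n' '\n\n\n' | grep -v '^$' || true)
    [ -n "$members" ] || return 1
    printf '%s\n' "$members"
}

# check_pfconf TEXT: TEXT is the content of pf.conf. Verifies the IPv4 NAT
# rule, the rdr anchor and the <cni-nat> table declaration (the table is
# assumed to be filled at runtime, so only its declaration is checked).
# Lists anything missing on stderr and returns 1.
check_pfconf() {
    missing=""
    printf '%s\n' "$1" | grep -q '^nat on egress inet from <cni-nat>' \
        || missing="$missing nat-ipv4"
    printf '%s\n' "$1" | grep -q '^rdr-anchor "cni-rdr/\*"' \
        || missing="$missing rdr-anchor"
    printf '%s\n' "$1" | grep -q '^table <cni-nat>' \
        || missing="$missing table-cni-nat"
    if [ -n "$missing" ]; then
        echo "pf.conf missing:$missing" >&2
        return 1
    fi
}

# run_live: run all checks against the current host (FreeBSD assumed).
run_live() {
    rc=0
    check_racct "$(sysctl -n kern.racct.enable 2>/dev/null)" \
        || { echo 'RACCT off: add kern.racct.enable="1" to /boot/loader.conf' >&2; rc=1; }
    check_egress "$(ifconfig -g egress 2>/dev/null)" >/dev/null \
        || { echo 'no interface in group egress (ifconfig <if> group egress)' >&2; rc=1; }
    check_pfconf "$(cat /etc/pf.conf 2>/dev/null)" || rc=1
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

Run it as `sh preflight.sh --live` on the container host before the first `podman run`; a non-zero exit with the messages on stderr tells you which of the three prerequisites from the notes is still missing. The IPv6 NAT rule is deliberately not checked, since the notes already flag it as unreliable when the egress interface carries non-routable addresses.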