When people talk about containers in FreeBSD, they usually talk about Jails. We’ve already seen how this works in general here and here. An additional option is to install Podman on FreeBSD. Podman is well known in the Linux world and can be used to build and run containers. With the release of FreeBSD 14.2, the FreeBSD project is now also publishing OCI-compatible container images of FreeBSD.
We again start with a fresh installation of FreeBSD 14.2; nothing has been added or modified. Podman, like most additional software, can be installed either as a binary package or from the ports collection. If you want to install from the ports collection, you can find Podman here:
root@freebsd14-latest:~ $ find /usr/ports/ -name "*podman*"
/usr/ports/sysutils/podman
/usr/ports/sysutils/podman/files/podman_service.in
/usr/ports/sysutils/podman/files/podman.in
/usr/ports/sysutils/podman-suite
As it is faster to install from binary packages, we’ll do it like this for the scope of this post:
root@freebsd14-latest:~ $ pkg update
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+https://pkg.FreeBSD.org/FreeBSD:14:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
Installing pkg-1.21.3...
Extracting pkg-1.21.3: 100%
Updating FreeBSD repository catalogue...
Fetching meta.conf: 100% 178 B 0.2kB/s 00:01
Fetching data.pkg: 100% 7 MiB 7.5MB/s 00:01
Processing entries: 100%
FreeBSD repository update completed. 35568 packages processed.
All repositories are up to date.
root@freebsd14-latest:~ $ pkg upgrade
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Updating database digests format: 100%
Checking for upgrades (1 candidates): 100%
Processing candidates (1 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
root@freebsd14-latest:~ $ pkg install podman
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 33 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
conmon: 2.1.12_3
containernetworking-plugins: 0.5_9
containers-common: 0.59.1
gettext-runtime: 0.22.5
...
--
The FreeBSD port of the Podman container engine is experimental and should be
used for evaluation and testing purposes only.
$ sudo podman run --rm docker.io/dougrabson/hello
Podman can restart containers after a host is rebooted. To enable this, use:
$ sudo sysrc podman_enable=YES
and start the container with a restart policy:
$ sudo podman run -d --restart=always myimage
It is possible to run many Linux container images using FreeBSD's Linux emulation:
$ sudo sysrc linux_enable=YES
$ sudo service linux start
$ sudo podman run --rm --os=linux alpine cat /etc/os-release | head -1
NAME="Alpine Linux"
The package gives you a fair amount of information at the end of the installation process. First, the port is not yet considered production-ready and should be used for testing only. Second, you need to enable Podman and the Linux compatibility layer:
root@freebsd14-latest:~ $ sysrc podman_enable=YES
podman_enable: -> YES
root@freebsd14-latest:~ $ sysrc linux_enable=YES
linux_enable: NO -> YES
root@freebsd14-latest:~ $ service linux start
If you want the containers to restart automatically, you should also mount the fdescfs file system on /dev/fd:
root@freebsd14-latest:~ $ mount -t fdescfs fdesc /dev/fd
root@freebsd14-latest:~ $ df -h | grep fd
fdescfs 1.0K 0B 1.0K 0% /compat/linux/dev/fd
fdescfs 1.0K 0B 1.0K 0% /dev/fd
If you try to search for container images using Podman, you’ll notice that there is no result:
root@freebsd14-latest:~ $ podman search rockylinux
The reason is that no container registries are defined. This is easily fixed by adding a registry to “/usr/local/etc/containers/registries.conf”:
root@freebsd14-latest:~ $ tail -1 /usr/local/etc/containers/registries.conf
unqualified-search-registries = ['docker.io']
Once this is configured, you can search the registry for container images:
root@freebsd14-latest:~ $ podman search rockylinux
NAME DESCRIPTION
docker.io/rockylinux/rockylinux
docker.io/library/rockylinux The official build of Rocky Linux.
docker.io/rockylinux/rocky-toolbox Toolbox image for Rocky Linux - https://gith...
docker.io/rockylinux/rockylinux-shim RockyLinux shim-review images
docker.io/amd64/rockylinux The official build of Rocky Linux.
docker.io/litmusimage/rockylinux
docker.io/arm64v8/rockylinux The official build of Rocky Linux.
docker.io/ericpaulsen/rockylinux
docker.io/romcheck/rockylinux
docker.io/robertdebock/rockylinux Container to test Ansible roles in, includin...
docker.io/lightnear/rockylinux
docker.io/accupara/rockylinux
docker.io/detravi/rockylinux
docker.io/ppc64le/rockylinux The official build of Rocky Linux.
docker.io/aursu/rockylinux
docker.io/s390x/rockylinux The official build of Rocky Linux.
docker.io/uacontainers/rockylinux Up-to-date Rocky Linux Docker images with th...
docker.io/buluma/rockylinux
docker.io/gammabytehosting/rockylinux Rocky Linux minimal image.
docker.io/whatwewant/rockylinux
docker.io/kubestation/rockylinux
docker.io/4geniac/rockylinux
docker.io/jeksterslab/rockylinux
docker.io/ihanick/rockylinux
docker.io/douglarek/rockylinux
Running a container is exactly the same as you know it from Linux:
root@freebsd14-latest:~ $ podman run -it --rm --platform linux/amd64 rockylinux/rockylinux:9 /bin/bash
Resolving "rockylinux/rockylinux" using unqualified-search registries (/usr/local/etc/containers/registries.conf)
Trying to pull docker.io/rockylinux/rockylinux:9...
Getting image source signatures
Copying blob 3442e16c7069 done |
Copying config bb8a97547d done |
Writing manifest to image destination
WARN[0009] Failed to load cached network config: network podman not found in CNI cache, falling back to loading network podman from disk
WARN[0009] Failed to load cached network config: network podman not found in CNI cache, falling back to loading network podman from disk
Error: plugin type="bridge" failed (add): cni plugin bridge failed: The pf kernel module must be loaded to support ipMasq networks
… and this fails because we have not yet configured container networking. The output of the Podman package installation actually contains instructions for this:
Message from containernetworking-plugins-0.5_9:
--
Container networking relies on NAT to allow container network packets
out to the host's network. This requires a PF firewall to perform the
translation. A simple example is included - to use it:
# cp /usr/local/etc/containers/pf.conf.sample /etc/pf.conf
...
Edit /etc/pf.conf and set v4egress_if, v6egress_if to your network interface(s)
...
# sysrc pf_enable=YES
# service pf start
The sample PF configuration includes support for port redirections. These are
implemented as redirect rules in anchors nested under cni-rdr.
Support for redirecting connections from the container host to services running
inside a container is included for FreeBSD 13.3 and later. To enable this, first
load the pf kernel module, by adding pf_load="YES" to /boot/loader.conf and
enable PF support for these redirections using sysctl:
# kldload pf
# sysctl net.pf.filter_local=1
# service pf restart
Once this is done, all is fine:
root@freebsd14-latest:~ $ podman run -it --rm --platform linux/amd64 rockylinux/rockylinux:9 /bin/bash
[root@71ef409c1d40 /]$ cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.5 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.5"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.5 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
VENDOR_NAME="RESF"
VENDOR_URL="https://resf.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.5"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.5"
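To verify that all of the steps above have actually landed on a host, the following POSIX sh script (an added example, not part of the original post or of the Podman port) inspects the files the post touches: the rc.conf flags, the fdescfs mount, registries.conf, the egress interface in pf.conf, and, on FreeBSD, the pf module and net.pf.filter_local. The paths and sysctl name are the ones quoted above; the v4egress_if variable name comes from the package message, while the PREFLIGHT_NO_REPORT environment variable and the function names are my own. Each check takes the file or text to inspect as an argument, so it can be run against copies of the files before a change is committed, and the report returns the number of steps still missing.

```shell
#!/bin/sh
# podman_preflight.sh: checks a host against the Podman-on-FreeBSD setup steps
# from the post. Added example, not part of the original post or the Podman port.
# Every check takes the file or text to inspect as an argument so the logic can
# be exercised on copies; preflight_report() uses the real FreeBSD paths.

# Last value assigned to variable $2 in the rc.conf-style file $1, with quotes,
# whitespace and trailing comments removed. Fails if the file is unreadable.
rc_value() {
    [ -r "$1" ] || return 1
    sed -n "s/^[[:space:]]*$2=//p" "$1" | sed 's/#.*//' | tail -n 1 | tr -d "\"' "
}

# True when $2 (e.g. podman_enable) is set to YES in $1.
rc_enabled() {
    _v=$(rc_value "$1" "$2") || return 1
    [ "$_v" = "YES" ] || [ "$_v" = "yes" ]
}

# True when registries.conf $1 lists at least one unqualified-search registry.
# A commented-out or empty list (the stock state) fails the check.
registry_configured() {
    [ -r "$1" ] || return 1
    _list=$(sed -n 's/^[[:space:]]*unqualified-search-registries[[:space:]]*=[[:space:]]*\[\(.*\)].*/\1/p' "$1" \
        | tail -n 1 | tr -d "\"' ")
    [ -n "$_list" ]
}

# True when pf.conf $1 assigns a non-empty interface to v4egress_if, the
# variable the package message tells you to edit in the sample ruleset.
pf_egress_set() {
    [ -r "$1" ] || return 1
    _if=$(sed -n 's/^[[:space:]]*v4egress_if[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/#.*//' | tail -n 1 | tr -d "\"' ")
    [ -n "$_if" ]
}

# True when the mount(8) or df(1) output passed in $1 shows fdescfs on /dev/fd.
# The /compat/linux/dev/fd instance created by the Linux layer does not count.
fdescfs_mounted() {
    printf '%s\n' "$1" | grep -Eq 'fdescfs.*[[:space:]]/dev/fd([[:space:]]|$)'
}

# Prints one line per setup step; returns the number of steps still missing.
preflight_report() {
    _missing=0
    _step() {   # $1 = description, remaining args = the check command
        _d="$1"; shift
        if "$@"; then printf 'ok       %s\n' "$_d"
        else printf 'MISSING  %s\n' "$_d"; _missing=$((_missing + 1)); fi
    }
    _step 'podman_enable=YES in /etc/rc.conf'  rc_enabled /etc/rc.conf podman_enable
    _step 'linux_enable=YES in /etc/rc.conf'   rc_enabled /etc/rc.conf linux_enable
    _step 'fdescfs mounted on /dev/fd'         fdescfs_mounted "$(mount 2>/dev/null)"
    _step 'unqualified-search-registries set'  registry_configured /usr/local/etc/containers/registries.conf
    _step 'v4egress_if set in /etc/pf.conf'    pf_egress_set /etc/pf.conf
    _step 'pf_enable=YES in /etc/rc.conf'      rc_enabled /etc/rc.conf pf_enable
    # kldstat/sysctl checks only make sense on a FreeBSD host.
    if command -v kldstat >/dev/null 2>&1; then
        _step 'pf kernel module loaded'        kldstat -q -m pf
        _step 'net.pf.filter_local=1'          [ "$(sysctl -n net.pf.filter_local 2>/dev/null)" = 1 ]
    fi
    return "$_missing"
}

# Run the report unless the file is only being sourced for its functions
# (PREFLIGHT_NO_REPORT is a hypothetical switch introduced for this example).
[ -n "${PREFLIGHT_NO_REPORT:-}" ] || preflight_report
```

Run it as root with `sh podman_preflight.sh` after working through the post; the exit status is the number of MISSING lines, so a zero status means every step the post describes is in place. Because the checks read configuration files rather than querying Podman, a MISSING line for the pf interface or the registry list tells you which of the two silent failures shown above (the empty `podman search` and the `ipMasq` error) you would hit next.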
Quite impressive and easy to set up. You might wonder if running Linux containers on FreeBSD actually is a thing. Personally, I think that this is really great, because it gives you another option in the FreeBSD world. Containers are everywhere today, and having more choice where to run them is great.