Purpose

This article explains why FreeBSD users should consider learning Podman. Instructions for installing and configuring Podman on FreeBSD are available on the Podman site.

Why OCI containers are a big deal for FreeBSD

FreeBSD has containers too

FreeBSD has its own implementation of containers, called jails. For most purposes jails meet requirements and are comparatively secure. They are lightweight, performant, and feature packed. There is also a range of management tools, including iocage, Bastille, and AppJail. Coupled with a fleet management tool like Ansible, jails can be deployed across relatively small setups.

It's the ecosystem

What jails need is an ecosystem for horizontal scaling, like Kubernetes or Swarm. There was an exploratory effort with Nomad and Pot. The Pot driver has not been updated for almost a year, which does not look good for such an early phase.

Images are a big part of the container lifecycle. Images are stored and distributed via registries. If and when FreeBSD images become mainstream, the major image distribution and caching products such as Harbor and Artifactory will provide similar support. The same goes for container orchestration services, including Nomad, Kubernetes, and Swarm.

Podman makes transition easy

In a nutshell: Podman builds and deploys jails using a CLI syntax very similar to Docker's. It supports both Dockerfile and Containerfile; the latter is the standard way to define container image builds.

Building with Podman

Containerfile

The simplest Containerfile can look like this:

FROM quay.io/bergblume/freebsd:14.1
CMD [ "ls", "-al" ]

Building the container

Save the above as Containerfile, then run the following as root:

podman build . -t simple:test

The image is stored locally as simple with tag test.

Listing images

# podman images
REPOSITORY                      TAG         IMAGE ID      CREATED         SIZE
localhost/simple                test        f82305ba6b35  10 seconds ago  1.05 GB

Execute the container

The command below runs the image's command inside the container, the container itself being a jail. Once the command completes, the jail is shut down.

# podman run simple:test
total 206
dr-xr-xr-x  18 root wheel   22 Dec 29 14:44 .
dr-xr-xr-x  18 root wheel   22 Dec 29 14:44 ..
-rw-r--r--   2 root wheel 1011 May 31  2024 .cshrc
-rw-r--r--   2 root wheel  495 May 31  2024 .profile
-r--r--r--   1 root wheel 6109 May 31  2024 COPYRIGHT
drwxr-xr-x   2 root wheel   49 May 31  2024 bin
drwxr-xr-x  14 root wheel   68 May 31  2024 boot
dr-xr-xr-x   9 root wheel  512 Dec 31 09:19 dev
drwxr-xr-x  30 root wheel  104 Dec 31 09:19 etc
drwxr-xr-x   4 root wheel   78 May 31  2024 lib
drwxr-xr-x   3 root wheel    5 May 31  2024 libexec
drwxr-xr-x   2 root wheel    2 May 31  2024 media
drwxr-xr-x   2 root wheel    2 May 31  2024 mnt
drwxr-xr-x   2 root wheel    2 May 31  2024 net
dr-xr-xr-x   2 root wheel    2 May 31  2024 proc
drwxr-xr-x   2 root wheel  150 May 31  2024 rescue
drwxr-x---   2 root wheel    7 May 31  2024 root
drwxr-xr-x   2 root wheel  150 May 31  2024 sbin
lrwxr-xr-x   1 root wheel   11 May 31  2024 sys -> usr/src/sys
drwxrwxrwx   2 root wheel    2 May 31  2024 tmp
drwxr-xr-x  14 root wheel   14 May 31  2024 usr
drwxr-xr-x  24 root wheel   24 May 31  2024 var

To run a container in the background (detached), use the -d option.

Observations

  1. Note that a simple ls image consumes 1 GB of storage. This is unnecessary for this specific example: it uses the largest (static) base image, which is probably required for most package (pkg) installations. Other base images include dynamic and minimal; details available here.
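The following script is an added example, not code from the article or from the Podman project. It takes the "podman images" table shown in the listing section above and flags images over a size threshold, so that an oversized image like the 1 GB "simple" image in Observation 1 is caught before it is pushed to a registry. It assumes the table layout shown above (REPOSITORY, TAG, IMAGE ID, CREATED, SIZE) and that podman prints decimal units (kB, MB, GB as powers of 1000); the sample table embedded in it is constructed, with only the first row taken from the article.

```shell
#!/bin/sh
# Added example (not from the article): audit local image sizes from the
# default "podman images" table so oversized images stand out before they
# reach a registry. Assumes the column layout REPOSITORY TAG IMAGE ID
# CREATED SIZE and podman's decimal size units (kB/MB/GB, powers of 1000).
set -eu

# Read a "podman images" table on stdin and print "repository:tag size_MB"
# for each image. The CREATED column contains spaces ("10 seconds ago"), so
# repository and tag are taken from the front of the line and the size
# value and unit from the end.
image_sizes_mb() {
    awk '
        NR == 1 && $1 == "REPOSITORY" { next }   # skip the header row
        NF < 6 { next }                           # ignore malformed lines
        {
            value = $(NF-1); unit = $NF
            if (unit == "kB")      mb = value / 1000
            else if (unit == "MB") mb = value
            else if (unit == "GB") mb = value * 1000
            else if (unit == "B")  mb = value / 1000000
            else                   mb = -1        # unknown unit: flag as -1
            printf "%s:%s %.0f\n", $1, $2, mb
        }'
}

# Print repository:tag of every image larger than the given size in MB.
images_over_mb() {
    limit=$1
    image_sizes_mb | awk -v limit="$limit" '($2 + 0) > (limit + 0) { print $1 }'
}

# Constructed sample in the layout "podman images" prints; the first row is
# the article's own output, the other two rows are made up for illustration.
SAMPLE='REPOSITORY                      TAG         IMAGE ID      CREATED         SIZE
localhost/simple                test        f82305ba6b35  10 seconds ago  1.05 GB
localhost/simple-minimal        test        0123456789ab  2 minutes ago   180 MB
quay.io/bergblume/freebsd       14.1        abcdef012345  3 days ago      1.05 GB'

# Typical use on a FreeBSD host:  podman images | images_over_mb 500
printf '%s\n' "$SAMPLE" | images_over_mb 500
```

With the sample above, a 500 MB threshold reports localhost/simple:test and quay.io/bergblume/freebsd:14.1 while the 180 MB image passes; on a live host, pipe the real "podman images" output into images_over_mb instead of the sample.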

Conclusion

Not quite ready for prime time, but it's getting there

Podman can't quite do the 100 other things Bastille or AppJail can, but it's the best path today to get FreeBSD recognized as a viable container host. The FreeBSD Foundation seems to agree, having completed a trial.