Appjail and podman together on FreeBSD

I’m running my FreeBSD server for a quite of time. I have many jails on this server but then I found that I can run Linux container on FreeBSD too. So I put podman on this box.

Appjail and podman are easy to install and maintain, I had no problem with it.

It was more complex when it came to network.

• Appjail Default Virtual Network (ajnet) use 10.0.0.0/10 as a subnet.
• The default bridge network (called podman) uses 10.88.0.0/16 as a subnet.

And it’s the problem when they can not exist together.

You can change Appjail Default Virtual Network (ajnet) subnet before you create any jail by edit `/usr/local/etc/appjail/appjail.conf`

• AUTO_NETWORK_NAME (default: ajnet)
• AUTO_NETWORK_ADDR (default: 10.0.0.0/10)
• AUTO_NETWORK_DESC (default: AppJail Network)

Then you can create other virtual network manually with other proper subnet, create jail on this virtual network, or just use the AUTO_NETWORK (ajnet).

Unfortunately, I create many jails before I install podman. I can change default podman network to other subnet like 172.16.0.0/12, 192.168.0.0/16 but I didn’t want to.

So this is what I did:

• Delete Appjail ajnet virtual network
• Create other Appjail ajnet virtual network manually with proper subnet
• Fix jails ip by command `appjail network fix addr`
• It’s all done

Now I’m using a reverse proxy on Appjail ajnet virtual network, and containers on both Appjail podman. They are working well.

The docs is quite clear, just needed to edit `/etc/pf.conf`

$ cat /etc/pf.conf
# Change these to the interface(s) with the default route
v4egress_if = "ix0"
v6egress_if = "ix0"

nat on $v4egress_if inet from <cni-nat> to any -> ($v4egress_if)
nat on $v6egress_if inet6 from <cni-nat> to !ff00::/8 -> ($v6egress_if)

rdr-anchor "cni-rdr/*"
nat-anchor "cni-rdr/*"
table <cni-nat>

# AppJail
# https://appjail.readthedocs.io/en/latest/networking/packet-filter
nat-anchor 'appjail-nat/jail/*'
nat-anchor "appjail-nat/network/*"
rdr-anchor "appjail-rdr/*"