
Appjail and podman together on FreeBSD

I have been running my FreeBSD server for quite some time. I have many jails on this server, but then I found that I can run Linux containers on FreeBSD too, so I put podman on this box.

Appjail and podman are easy to install and maintain; I had no problem with them.

It was more complex when it came to networking.

  • Appjail's default virtual network (ajnet) uses 10.0.0.0/10 as its subnet.
  • podman's default bridge network (called podman) uses 10.88.0.0/16 as its subnet.

And that was the problem: with these defaults the two could not coexist on my box.

You can change the subnet of the Appjail default virtual network (ajnet) before you create any jail by editing `/usr/local/etc/appjail/appjail.conf`. The setting only applies to networks Appjail creates afterwards; jails that already exist keep their addresses:

  • AUTO_NETWORK_NAME (default: ajnet)
  • AUTO_NETWORK_ADDR (default: 10.0.0.0/10)
  • AUTO_NETWORK_DESC (default: AppJail Network)

Then you can either create another virtual network manually with a suitable subnet and create jails on it, or just use the AUTO_NETWORK (ajnet).

Unfortunately, I had created many jails before I installed podman. I could have changed the default podman network to another subnet such as 172.16.0.0/12 or 192.168.0.0/16, but I didn't want to.

So this is what I did:

  • Delete the Appjail ajnet virtual network
  • Create a new Appjail ajnet virtual network manually with a proper subnet
  • Fix the jails' IPs with the command `appjail network fix addr`
  • That's all
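Before deleting and recreating ajnet it is worth checking, with plain CIDR arithmetic, which subnets on the box actually collide and which free block to move to. The Python below is an added example written for this post; it is not code from the post, from Appjail or from podman. Its inventory is constructed from the two defaults quoted above, and the pool and prefix length used to search for a free block are my assumptions. One caveat worth stating: 10.0.0.0/10 runs from 10.0.0.0 to 10.63.255.255, so by strict arithmetic it does not contain 10.88.0.0/16; run the check against the subnets actually configured on your host rather than against the documented defaults.

```python
"""Check jail/container subnets for CIDR overlap before (re)numbering a network.

Added example for this post; it is not Appjail or podman code. The inventory
below is constructed from the two defaults the post names: Appjail's ajnet
(10.0.0.0/10) and podman's bridge network (10.88.0.0/16).
"""
import ipaddress
from itertools import combinations

# Constructed inventory (name -> CIDR) using the defaults quoted in the post.
DEFAULTS = {
    "ajnet": "10.0.0.0/10",
    "podman": "10.88.0.0/16",
}


def parse_networks(nets):
    """Parse a name->CIDR mapping; strict=True rejects CIDRs with host bits set."""
    return {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in nets.items()}


def find_overlaps(nets):
    """Return every pair of named networks whose address ranges overlap."""
    parsed = parse_networks(nets)
    hits = []
    for (a, net_a), (b, net_b) in combinations(sorted(parsed.items()), 2):
        # Only compare same-family networks; overlaps() is the CIDR range test.
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            hits.append((a, b))
    return hits


def first_free_subnet(nets, pool="10.0.0.0/8", new_prefix=24):
    """First /new_prefix block carved from `pool` that collides with nothing in use.

    Use this to pick the subnet for a replacement ajnet. The pool and prefix
    length are assumptions for the example. Returns None if the pool is exhausted.
    """
    in_use = list(parse_networks(nets).values())
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=new_prefix):
        if not any(candidate.overlaps(n) for n in in_use):
            return str(candidate)
    return None


if __name__ == "__main__":
    print("overlapping pairs:", find_overlaps(DEFAULTS) or "none")
    print("first free /24 under 10.0.0.0/8:", first_free_subnet(DEFAULTS))
    # A deliberately broken inventory: an ajnet widened to /8 swallows podman's range.
    print("with ajnet=10.0.0.0/8:", find_overlaps({**DEFAULTS, "ajnet": "10.0.0.0/8"}))
```

Replace the DEFAULTS mapping with the subnets your host really uses (every Appjail virtual network plus every podman network) and the first block returned by `first_free_subnet` is a safe candidate for the new ajnet; the widened-to-/8 case at the end shows what a real collision looks like.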

Now I'm using a reverse proxy on the Appjail ajnet virtual network, and containers on both Appjail and podman. They are working well.

The docs are quite clear; I just needed to edit `/etc/pf.conf`. Validate the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, since a parse error leaves the old ruleset in place.

$ cat /etc/pf.conf
# Change these to the interface(s) with the default route
v4egress_if = "ix0"
v6egress_if = "ix0"

# podman: masquerade container traffic leaving the host. The <cni-nat> table
# starts empty and is populated at runtime by podman's networking plugins; the
# IPv6 rule excludes multicast (ff00::/8), which must not be translated.
nat on $v4egress_if inet from <cni-nat> to any -> ($v4egress_if)
nat on $v6egress_if inet6 from <cni-nat> to !ff00::/8 -> ($v6egress_if)

# podman fills these anchors with the rdr/nat rules for published ports
rdr-anchor "cni-rdr/*"
nat-anchor "cni-rdr/*"
table <cni-nat>

# AppJail
# https://appjail.readthedocs.io/en/latest/networking/packet-filter
# AppJail manages its own NAT and port-forwarding rules inside these anchors
nat-anchor "appjail-nat/jail/*"
nat-anchor "appjail-nat/network/*"
rdr-anchor "appjail-rdr/*"
