I’m running my FreeBSD server for a quite of time. I have many jails on this server but then I found that I can run Linux container on FreeBSD too. So I put podman on this box.
Appjail and podman are easy to install and maintain, I had no problem with it.
It was more complex when it came to network.
- Appjail Default Virtual Network (ajnet) use 10.0.0.0/10 as a subnet.
- The default bridge network (called podman) uses 10.88.0.0/16 as a subnet.
And it’s the problem when they can not exist together.
You can change Appjail Default Virtual Network (ajnet) subnet before you create any jail by edit ` /usr/local/etc/appjail/appjail.conf `
- AUTO_NETWORK_NAME (default: ajnet)
- AUTO_NETWORK_ADDR (default: 10.0.0.0/10)
- AUTO_NETWORK_DESC (default: AppJail Network)
Then you can create other virtual network manually with other proper subnet, create jail on this virtual network, or just use the AUTO_NETWORK (ajnet).
Unfortunately, I create many jails before I install podman. I can change default podman network to other subnet like 172.16.0.0/12, 192.168.0.0/16 but I didn’t want to.
So this is what I did:
- Delete Appjail ajnet virtual network
- Create other Appjail ajnet virtual network manually with proper subnet
- Fix jails ip by command `appjail network fix addr`
- It’s all done
Now I’m using a reverse proxy on Appjail ajnet virtual network, and containers on both Appjail podman. They are working well.
The docs is quite clear, just needed to edit `/etc/pf.conf `
$ cat /etc/pf.conf
# Change these to the interface(s) with the default route
v4egress_if = "ix0"
v6egress_if = "ix0"
nat on $v4egress_if inet from <cni-nat> to any -> ($v4egress_if)
nat on $v6egress_if inet6 from <cni-nat> to !ff00::/8 -> ($v6egress_if)
rdr-anchor "cni-rdr/*"
nat-anchor "cni-rdr/*"
table <cni-nat>
# AppJail
# https://appjail.readthedocs.io/en/latest/networking/packet-filter
nat-anchor 'appjail-nat/jail/*'
nat-anchor "appjail-nat/network/*"
rdr-anchor "appjail-rdr/*"