I was curious to see if it is possible to use the new OCI container images with
standard jail tooling (not podman).
The following script downloads and untars the 14.2 image:
If you create a minimal jail config in /etc/jails.conf.d/minimal.conf, eg
minimal {
exec.start += "/bin/echo \"while true; do sleep 1d; done\" | /bin/sh &";
host.hostname = "${name}";
path = "/usr/local/jails/${name}";
}
And create the related mountpoint
zfs create -o mountpoint=/usr/local/jails/minimal root/jails/minimal
you can run the above script to download and extract the OCI image contents into a directory
sh ociimageextract.sh /usr/local/jails/minimal
and create the jail with
# jail -c minimal
the jail is pretty small at 16M
# jexec minimal df -h
Filesystem Size Used Avail Capacity Mounted on
root/jails/minimal 55G 16M 55G 0% /
If you add networking to the jail's config you can then add pkg support from inside the jail by running
# /usr/bin/env PACKAGESITE=https://pkg.freebsd.org/FreeBSD:14:amd64/latest /usr/sbin/pkg bootstrap -y
Eg I then installed isc-cron (regular cron wasn't working) with
# pkg install -y isc-cron
(I changed the start to exec.start += "/usr/local/sbin/cron")
So it does seem possible on some level to use the OCI images with regular jails, though
it may only be useful for experimenting.
standard jail tooling (not podman).
The following script downloads and untars the 14.2 image:
sh:
#!/bin/sh
set -eu -o pipefail
OCI_IMAGE_URL=${OCI_IMAGE_URL:-https://download.freebsd.org/releases/OCI-IMAGES/14.2-RELEASE/amd64/Latest/FreeBSD-14.2-RELEASE-amd64-container-image-minimal.txz}
if [ $# != 1 ]
then
echo Usage: ociimagextract.sh /path/to/output/directory
echo Default OCI image: $OCI_IMAGE_URL
echo To use a different image set OCI_IMAGE_URL:
echo OCI_IMAGE_URL=https://other-image-url ociimagextract.sh /path/to/output/directory
exit 1
fi
TARGET=$1
which jq
if [ $? != 0 ]
then
echo Could not find jq command
echo You can install jq using "pkg install jq"
exit 1
fi
mkdir -p $TARGET
DIR=`mktemp --directory`
fetch -q -o - $OCI_IMAGE_URL | tar -xzvpf - -C$DIR
TOPDIGEST=`cat $DIR/index.json | jq -r .manifests[0].digest | tr ':' '/'`
DIGESTS=`cat $DIR/blobs/$TOPDIGEST | jq -r '.layers[] | .digest' | tr ':' '/'`
for DIGEST in $DIGESTS
do
cat $DIR/blobs/$DIGEST | tar -xzvpf - -C$TARGET
done
echo jail root filesystem directory created at $TARGETIf you create a minimal jail config in /etc/jails.conf.d/minimal.conf, eg
minimal {
exec.start += "/bin/echo \"while true; do sleep 1d; done\" | /bin/sh &";
host.hostname = "${name}";
path = "/usr/local/jails/${name}";
}
And create the related mountpoint
zfs create -o mountpoint=/usr/local/jails/minimal root/jails/minimal
you can run the above script to download and extract the OCI image contents into a directory
sh ociimageextract.sh /usr/local/jails/minimal
and create the jail with
# jail -c minimal
the jail is pretty small at 16M
# jexec minimal df -h
Filesystem Size Used Avail Capacity Mounted on
root/jails/minimal 55G 16M 55G 0% /
If you add networking to the jail's config you can then add pkg support from inside the jail by running
# /usr/bin/env PACKAGESITE=https://pkg.freebsd.org/FreeBSD:14:amd64/latest /usr/sbin/pkg bootstrap -y
Eg I then installed isc-cron (regular cron wasn't working) with
# pkg install -y isc-cron
(I changed the start to exec.start += "/usr/local/sbin/cron")
So it does seem possible on some level to use the OCI images with regular jails, though
it may only be useful for experimenting.