Best way to use Docker on FreeBSD server

Hello,

I have to use docker for https://nextcloud.com/collaboraonline/

What is the best way to use docker on a FreeBSD 11.x server? Requirement: Package(s) must have a minimal impact of the root system. All my services runs in a jail. My root system is only built up with iocage and portmaster. I don't want to install a experimental docker package in my root system.

I read few tutorial, are following things right?
- to run docker I need to create a zpool and create a zfs file system (zfs create)
- that cannot be done in a jail or I have to tear down the security policy?
Code:
security.jail.enforce_statfs
security.jail.mount_allowed
security.jail.mount_devfs_allowed
security.jail.mount_zfs_allowed

- iohyve cannot run in a jail as well? the same thing for iohyve with the zfs settings.



What is the best way to use docker in freebsd?
 
thanks. Thats the reason why I prefer iohyve and a linux image to run inside the linux vm docker.

Does somebody has a config like this?

Steffen
 
https://github.com/sadaszewski/focker/ is the best way for a Docker-like experience on FreeBSD. However for deploying NextCloud you would have to translate their Docker recipes to Focker syntax accounting for the FreeBSD base system. Focker is fully native using ZFS snapshots and clones for image layering and jails for containers. It uses FreeBSD (bsdinstall jail) for base system.
 
Although the affiliation is obvious from matching the github account name with your user name here and it's probably a nice opensource project, I don't think it makes sense to spread it in every docker-related thread you can find, no matter how old. It might even confuse people because it just ist not Docker. From what I understand, it's "just" a jail/zfs management tool (there exist several others) designed to somewhat resemble the docker commandline.

Maybe, if you'd like to spread this software and haven't done it already, creating an official FreeBSD port of it would make more sense?
 
collabora does not run on FreeBSD natively ... have not tried with compat linux though. Just setup a VM with your preferred distro (last time I could not install Debian 10, don't know if that problem is already fixed in bhyve) and setup docker inside, or, a tipp from my side: go with a different runtime environment, e.g. podman.
My personal take on collabora: it works for personal stuff, but if you intend to use it for professional/corporate data look for something else, it's quite buggy and a resource hog.
 
Although the affiliation is obvious from matching the github account name with your user name here and it's probably a nice opensource project, I don't think it makes sense to spread it in every docker-related thread you can find, no matter how old. It might even confuse people because it just ist not Docker. From what I understand, it's "just" a jail/zfs management tool (there exist several others) designed to somewhat resemble the docker commandline.

Maybe, if you'd like to spread this software and haven't done it already, creating an official FreeBSD port of it would make more sense?
Thanks for your feedback. I think it makes a lot of sense to spread the word. It is much more important to promote the nice Docker-like workflow than to go on the fool's errand of porting Docker to FreeBSD. Thus, it doesn't matter at all if it "is Docker". Docker has nothing to offer as such. It's the state of the mind that matters - nice separation of data (volumes) and code (images) on the system level; layered image building to allow faster write, build, debug cycle; composition tool for setting up jails in a declarative manner, etc, etc, etc. Focker is a completely new quality in terms of image / container management on FreeBSD and it is completely native and works perfectly. I have submitted the port already some time ago but I guess you will have to either use the version from GitHub or wait till it gets integrated: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=246001 .
 
Docker has nothing to offer as such.
Except for huge repositories with pre-made "docker containers", and I bet that's often the reason people want Docker on FreeBSD – and in that case, all you can say is: won't work.
Otherwise, there are a variety of tools using jails/zfs for something similar (arguably: better) already. I think e.g. Bastille aims at something pretty similar. That's not meant to criticize your project, I didn't look at either :) And some choice never hurts! All I was saying is: Don't "necropost" Docker-related threads just for promotion, at least IMHO. A hint in a current Docker-related thread probably makes sense though, as for some usecases, it might actually be what people are looking for.

I have submitted the port already some time ago
That's good! If it sits there without any feedback for too long (say: 2 months?), it might have been overlooked. In that case, I'd kindly ask on ports@ for feedback :) An official port is arguably the best way to make it easily accessible to users.

edit: I had a quick look, you should at least use ports-mgmt/portlint on ports you submit. E.g. the Makefile for py-jailconf could be fixed like this:
Code:
# Created by: s.adaszewski@gmail.com
# $FreeBSD$

PORTNAME=    jailconf
PORTVERSION=    0.2.1
CATEGORIES=    devel python
PKGNAMEPREFIX=  ${PYTHON_PKGNAMEPREFIX}

MAINTAINER=    s.adaszewski@gmail.com
COMMENT=    Parse and edit your FreeBSD jail.conf with python

LICENSE=    BSD

RUN_DEPENDS=    ${PYTHON_PKGNAMEPREFIX}ply>0:devel/py-ply@${PY_FLAVOR}

USES=        python
USE_PYTHON=    distutils autoplist
USE_GITHUB=    yes
GH_ACCOUNT=    leforestier
GH_TAGNAME=    v${PORTVERSION}

NO_ARCH=        yes

.include <bsd.port.mk>
(Note: don't add blank lines at the end, and pasting it here in the forum somehow destroys tabs...)

So, before asking for feedback on ports@, make sure the ports are in "good shape" :)
 
Except for huge repositories with pre-made "docker containers", and I bet that's often the reason people want Docker on FreeBSD – and in that case, all you can say is: won't work.

Well, it sounds almost as if you weren't using Docker that much yourself. I am using it daily and the case of pre-made containers is a marginal one. Unless by pre-made you consider as well the base system images (alpine, ubuntu, etc). You usually build your customized container yourself, as it is very easy.

Anyhow, Focker by definition aims to run containerized FreeBSD not Linux, therefore all those docker containers simply never were a target. Why would one like to run Linux on FreeBSD when the same can be easily achieved by building a corresponding FreeBSD image is beyond me.

Otherwise, there are a variety of tools using jails/zfs for something similar (arguably: better) already. I think e.g. Bastille aims at something pretty similar. That's not meant to criticize your project, I didn't look at either :)

Well, ok. No offense but without taking a look you really have no idea what you are talking about. I have inspected BastilleBSD very closely (PRIOR to starting the development of Focker) and it comes nowhere close neither to the functionality nor to the quality of Focker. I mean c'mon a system that is supposed to manage my jail deployments without test coverage? Please...

Again, there is nothing better on FreeBSD that mimicks the experience of Docker with the difference that it actually runs FreeBSD userland inside of the containers. Focker has the same build logic using Fockerfiles and has the focker-compose.yml based declarative jail creation, no need to wrap it any kind of additional tool like Ainsible. It itself enforces the desired state of all jail deployments.

And some choice never hurts! All I was saying is: Don't "necropost" Docker-related threads just for promotion, at least IMHO. A hint in a current Docker-related thread probably makes sense though, as for some usecases, it might actually be what people are looking for.
Ok, good, I think no more dead Docker-related threads are left anyway ;)

That's good! If it sits there without any feedback for too long (say: 2 months?), it might have been overlooked. In that case, I'd kindly ask on ports@ for feedback :) An official port is arguably the best way to make it easily accessible to users.

edit: I had a quick look, you should at least use ports-mgmt/portlint on ports you submit. E.g. the Makefile for py-jailconf could be fixed like this:
Code:
# Created by: s.adaszewski@gmail.com
# $FreeBSD$

PORTNAME=    jailconf
PORTVERSION=    0.2.1
CATEGORIES=    devel python
PKGNAMEPREFIX=  ${PYTHON_PKGNAMEPREFIX}

MAINTAINER=    s.adaszewski@gmail.com
COMMENT=    Parse and edit your FreeBSD jail.conf with python

LICENSE=    BSD

RUN_DEPENDS=    ${PYTHON_PKGNAMEPREFIX}ply>0:devel/py-ply@${PY_FLAVOR}

USES=        python
USE_PYTHON=    distutils autoplist
USE_GITHUB=    yes
GH_ACCOUNT=    leforestier
GH_TAGNAME=    v${PORTVERSION}

NO_ARCH=        yes

.include <bsd.port.mk>
(Note: don't add blank lines at the end, and pasting it here in the forum somehow destroys tabs...)

So, before asking for feedback on ports@, make sure the ports are in "good shape" :)

Thank you for the tips. It seems like there is quite a lot of hassle to add anything to the ports tree. I am scared of how the eventual updates look like o_O For the time being I would really simply recommend an installation from the Git repository using python setup.py sdist && pip install.
 
Back
Top