Summary
Sub-menu: /container
Packages required: container
A container is MikroTik's implementation of Linux containers, allowing users to run containerized environments within RouterOS. The container feature was added in RouterOS v7.4beta4.
...
...
Disclaimer
Warning
Security risks:
- when a security expert publishes exploit research, anyone can apply that exploit;
- someone will build a Docker container image that performs the exploit AND provides a Linux root shell;
- by using a root shell someone may leave a permanent backdoor/vulnerability in your RouterOS system, even after the Docker image is removed and the container feature is disabled;
- if a vulnerability is injected into the primary or secondary RouterBOOT (or the vendor pre-loader), then even Netinstall may not be able to fix it;
...
Warning
The Container package needs to be installed.

```ros
/container
```
Properties
Property | Description
---|---
cmd (string; Default: ) | command to execute inside the container (overrides the image's CMD parameter). The main purpose of a CMD is to provide defaults for an executing container. These defaults can include an executable, or they can omit the executable, in which case you must specify an ENTRYPOINT instruction as well.
comment (string; Default: ) | short description
dns (string; Default: ) |
domain-name (string; Default: ) |
entrypoint (string; Default: ) | path to the binary; an ENTRYPOINT lets you specify the executable to run when the container starts. Example: /bin/sh
envlist (string; Default: ) | list of environment variables (configured under /container/envs) to be used with the container
file (string; Default: ) | container *.tar.gz tarball, if the container is imported from a file
hostname (string; Default: ) |
interface (string; Default: ) | veth interface to be used with the container
logging (string; Default: ) | if set to yes, all container-generated output is shown in the RouterOS log
mounts (string; Default: ) | mounts from the /container/mounts/ sub-menu to be used with this container
remote-image (string; Default: ) | the container image name to be installed if an external registry is used (configured under /container/config set registry-url=...)
root-dir (string; Default: ) | used to store the container's files outside main memory
stop-signal (string; Default: ) |
workdir (string; Default: ) | the working directory for cmd / entrypoint
Container configuration

```ros
/container/config/
```

Property | Description
---|---
registry-url | external registry URL from which the container image is downloaded
tmpdir | container extraction directory
ram-high | RAM usage limit (0 for unlimited)
username | specifies the username for registry authentication (starting from RouterOS 7.8)
password | specifies the password for registry authentication (starting from RouterOS 7.8)
Container use example
Prerequisites:
- RouterOS device with RouterOS v7.4beta or later and the Container package installed
- Physical access to the device to enable container mode
- Attached hard drive or USB drive for storage, formatted as ext3/ext4
...
```ros
/system/device-mode/update container=yes
```

You will need to confirm the device-mode change with a press of the reset button, or with a cold reboot if using container on x86.
Create network
Add a veth interface for the container:

```ros
/interface/veth/add name=veth1 address=172.17.0.2/16 gateway=172.17.0.1
```
Create a bridge for containers and add the veth to it:

```ros
/interface/bridge/add name=dockerscontainers
/ip/address/add address=172.17.0.1/16 interface=dockerscontainers
/interface/bridge/port add bridge=dockerscontainers interface=veth1
```
Set up NAT for outgoing traffic:

```ros
/ip/firewall/nat/add chain=srcnat action=masquerade src-address=172.17.0.0/16
```
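The masquerade rule above gives the container outbound Internet access, but nothing yet stops a process inside the container from reaching the router's own services or the LAN, which is exactly the exposure the Disclaimer warns about. The following filter rules, added here as an example and not part of the original page, confine the container network; they assume the dockerscontainers bridge and 172.17.0.0/16 subnet from the steps above, a LAN of 192.168.88.0/24 (constructed), and that they end up before any catch-all drop rule already in your filter chains.

```ros
# Added example, not part of the original page. Assumes bridge "dockerscontainers"
# (172.17.0.0/16) from the steps above and a constructed LAN of 192.168.88.0/24.
/interface/list/add name=containers
/interface/list/member/add list=containers interface=dockerscontainers

# Replies to connections that the LAN or the router opened towards the container
# (e.g. DNS queries to Pi-hole) must keep flowing; put this rule at the top.
/ip/firewall/filter/add chain=forward connection-state=established,related action=accept place-before=0 comment="containers: allow replies"

# Input chain: the container may use the router for DNS only; every other
# connection it initiates towards RouterOS itself (WinBox, SSH, API, ...) is dropped.
/ip/firewall/filter/add chain=input in-interface-list=containers protocol=udp dst-port=53 action=accept comment="containers: DNS to router only"
/ip/firewall/filter/add chain=input in-interface-list=containers action=drop comment="containers: no other access to the router"

# Forward chain: the container may not initiate connections into the LAN,
# only out to the Internet through the srcnat rule above.
/ip/firewall/filter/add chain=forward in-interface-list=containers dst-address=192.168.88.0/24 action=drop comment="containers: no access to LAN"
/ip/firewall/filter/add chain=forward in-interface-list=containers action=accept comment="containers: Internet access"
```

Check the result with /ip/firewall/filter/print and /ip/firewall/connection/print while the container is running; a container that only ever appears with destinations outside 192.168.88.0/24 and 172.17.0.1 (except udp/53) is behaving as intended.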
Add environment variables and mounts (optional)
...
Pull or create your project with a Dockerfile included, build it and export the image (adjust --platform if needed):

```shell
git clone https://github.com/pi-hole/docker-pi-hole.git
cd docker-pi-hole
docker buildx build --no-cache --platform arm64 --output=type=docker -t pihole .
docker save pihole > pihole.tar
```
...
You should be able to access the Pi-hole web panel by navigating to http://172.17.0.2/admin/ in your web browser.
Forward ports to internal
...
container
Ports can be forwarded using dst-nat (where 192.168.88.1 is the router's IP address):
...
This will soft-limit RAM usage: if RAM usage goes over the high boundary, the processes of the cgroup are throttled and put under heavy reclaim pressure.
To start containers automatically after a router reboot, use the Scheduler or the start-on-boot option (starting from 7.6beta6):

```ros
/container/print
 0 name="2e679415-2edd-4300-8fab-a779ec267058" tag="test_arm64:latest" os="linux" arch="arm" interface=veth2 root-dir=disk1/alpine mounts="" dns="" logging=yes start-on-boot=yes status=running
/container/set 0 start-on-boot=yes
```
It is possible to get a shell in a running container:

```ros
/container/shell 0
```

Enable logging to get output from the container:

```ros
/container/set 0 logging=yes
```
- Starting from version 7.11beta5, multiple addresses and IPv6 addresses can be added:

```ros
interface/veth add address=172.17.0.3/16,fd8d:5ad2:24:2::2/64 gateway=172.17.0.1 gateway6=fd8d:5ad2:24:2::1
```