...

Warning
  • you need physical access to the router to enable the container feature; it is disabled by default;
  • once the container feature is enabled, containers can be added, configured, started, stopped and removed remotely!
  • if the router is compromised, containers can be used to easily install malicious software on your router and across the network;
  • your router is only as secure as whatever you run in a container;
  • if you run a container, there is no security guarantee of any kind;
  • running a 3rd-party container image on your router could open a security hole or enlarge the attack surface;
  • an expert who knows how to build exploits will be able to jailbreak the container or elevate to root;

Security risks:

  • when a security expert publishes exploit research, anyone can apply that exploit;
  • someone will build a Docker container image that performs the exploit AND provides a Linux root shell;
  • using a root shell, someone may leave a permanent backdoor or vulnerability in your RouterOS system, even after the Docker image is removed and the container feature is disabled;
  • if a vulnerability is injected into the primary or secondary RouterBOOT (or the vendor pre-loader), then even Netinstall may not be able to fix it;

...

Property | Description
cmd (string; Default: ) | command to execute inside a container (overrides the image's CMD). The main purpose of a CMD is to provide defaults for an executing container. These defaults can include an executable, or they can omit the executable, in which case you must specify an ENTRYPOINT instruction as well.
comment (string; Default: ) | short description
dns (string; Default: ) |
domain-name (string; Default: ) |
entrypoint (string; Default: ) | path to the binary. An ENTRYPOINT allows you to specify the executable to run when starting the container. Example: /bin/sh
envlist (string; Default: ) | list of environment variables (configured under /container/envs) to be used with the container
file (string; Default: ) | container *.tar.gz tarball, if the container is imported from a file
hostname (string; Default: ) |
interface (string; Default: ) | veth interface to be used with the container
logging (string; Default: ) | if set to yes, all container-generated output will be shown in the RouterOS log
mounts (string; Default: ) | mounts from the /container/mounts/ sub-menu to be used with this container
remote-image (string; Default: ) | the container image name to be installed if an external registry is used (configured under /container/config set registry-url=...)
root-dir (string; Default: ) | used to keep the container store outside main memory
stop-signal (string; Default: ) |
workdir (string; Default: ) | the working directory for cmd/entrypoint

Container configuration

Code Block
languageros
/container/config/


Property | Description
registry-url | external registry URL from which the container will be downloaded
tmpdir | container extraction directory
ram-high | RAM usage limit (0 for unlimited)
username | username for registry authentication (starting from ROS 7.8)
password | password for registry authentication (starting from ROS 7.8)

Container use example

Prerequisites: 

...

Code Block
languageros
/interface/bridge/add name=dockerscontainers
/ip/address/add address=172.17.0.1/24 interface=dockerscontainers
/interface/bridge/port add bridge=dockerscontainers interface=veth1

Setup NAT for outgoing traffic:

...

Pull or create your project with a Dockerfile included, build it, and export the image (adjust --platform if needed):

Code Block
languagebash
git clone https://github.com/pi-hole/docker-pi-hole.git
cd docker-pi-hole
docker buildx build --no-cache --platform arm64 --output=type=docker -t pihole .
docker save pihole > pihole.tar
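The file written by `docker save` is a plain tar archive: a manifest.json that names the image config and its layers, and the config JSON carrying the architecture plus the ENTRYPOINT, CMD, WorkingDir, User and Env that the cmd, entrypoint, workdir and envlist properties above override or supplement. Checking that before copying the tarball to the router catches an image built for the wrong platform and shows exactly what will run as root on the device. The script below is an added Python example, not MikroTik's or Pi-hole's code; it builds a constructed sample tarball in memory (placeholder config name, made-up values) so it runs offline, and inspect_image() can equally be pointed at a real pihole.tar.

```python
import io
import json
import tarfile

# Name of the image config file inside the tarball. Real `docker save` output names
# it after the config's sha256 digest; this is a constructed placeholder.
CONFIG_NAME = "0000example-config.json"


def build_sample_image_tar(arch="arm64", user="", cmd=None, entrypoint=None):
    """Build a minimal docker-save style tarball in memory (constructed sample
    data, not a real image): manifest.json, one config JSON, one empty layer."""
    config = {
        "architecture": arch,
        "os": "linux",
        "config": {
            "User": user,
            "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "TZ=UTC"],
            "Entrypoint": entrypoint,
            "Cmd": cmd,
            "WorkingDir": "/",
        },
    }
    manifest = [{"Config": CONFIG_NAME, "RepoTags": ["pihole:latest"], "Layers": ["layer1/layer.tar"]}]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, obj in ((CONFIG_NAME, config), ("manifest.json", manifest)):
            data = json.dumps(obj).encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        tar.addfile(tarfile.TarInfo("layer1/layer.tar"))  # empty placeholder layer
    return buf.getvalue()


def inspect_image(tar_bytes, router_arch="arm64"):
    """Read manifest.json and the image config from a docker-save tarball and
    report what the container will run, plus findings worth reviewing."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        manifest = json.load(tar.extractfile("manifest.json"))
        entry = manifest[0]  # a saved tarball may hold several images; inspect the first
        config = json.load(tar.extractfile(entry["Config"]))
    cfg = config.get("config") or {}
    findings = []
    if config.get("architecture") != router_arch:
        findings.append(f"architecture {config.get('architecture')!r} does not match the router ({router_arch})")
    if not cfg.get("User"):
        findings.append("image runs as root (no USER set)")
    if not cfg.get("Entrypoint") and not cfg.get("Cmd"):
        findings.append("image defines neither ENTRYPOINT nor CMD; set entrypoint= or cmd= on the container")
    return {
        "tags": entry.get("RepoTags", []),
        "architecture": config.get("architecture"),
        "entrypoint": cfg.get("Entrypoint"),
        "cmd": cfg.get("Cmd"),
        "workdir": cfg.get("WorkingDir"),
        "user": cfg.get("User") or "root",
        "env": cfg.get("Env", []),
        "layers": len(entry.get("Layers", [])),
        "findings": findings,
    }


if __name__ == "__main__":
    # Inspect a file produced by `docker save`, or the constructed sample when no path is given.
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image_tar(cmd=["/start.sh"])
    for key, value in inspect_image(blob).items():
        print(f"{key}: {value}")
```

Run it as `python3 inspect_image.py pihole.tar` before uploading; an architecture finding means the --platform in the buildx step must be changed, and the user finding tells you which processes end up as root inside the container, which is what the warnings at the top of this page are about.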

...

You should be able to access the Pi-hole web panel by navigating to http://172.17.0.2/admin/ in your web browser.

Forward ports to internal

...

container

Ports can be forwarded using dst-nat (where 192.168.88.1 is the router's IP address):

...

  • To start containers automatically after a router reboot, use the start-on-boot option (starting from 7.6beta6)

    Code Block
    languageros
    /container/print
     0 name="2e679415-2edd-4300-8fab-a779ec267058" tag="test_arm64:latest" os="linux" arch="arm" interface=veth2 
       root-dir=disk1/alpine mounts="" dns="" logging=yes start-on-boot=yes status=running 
    
    /container/set 0 start-on-boot=yes


  • It is possible to get a shell in a running container:

    Code Block
    languageros
    /container/shell 0


  • Enable logging to get output from the container:

    Code Block
    languageros
    /container/set 0 logging=yes


  • Starting from version 7.11beta5, multiple addresses and IPv6 addresses can be added:
    Code Block
    languageros
    interface/veth add address=172.17.0.3/16,fd8d:5ad2:24:2::2/64 gateway=172.17.0.1 gateway6=fd8d:5ad2:24:2::1
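Because containers can be added and reconfigured remotely once the feature is on, it is worth keeping an inventory of what is defined on the router and reviewing the settings discussed in the list above (start-on-boot, logging, root-dir). The following is an added Python example, not MikroTik's code: it parses captured /container/print output in the format shown above (the first entry is the listing from this page, the second is constructed for the example) and flags the settings an administrator would want to confirm. It reads a saved print listing rather than connecting to the router.

```python
import re

# Constructed sample of /container/print output, modelled on the format shown above;
# the second entry is made up for this example.
SAMPLE_PRINT = """\
 0 name="2e679415-2edd-4300-8fab-a779ec267058" tag="test_arm64:latest" os="linux" arch="arm" interface=veth2
   root-dir=disk1/alpine mounts="" dns="" logging=yes start-on-boot=yes status=running
 1 name="pihole" tag="pihole:latest" os="linux" arch="arm64" interface=veth1
   root-dir=disk1/pihole mounts="etc_pihole" dns="" logging=no start-on-boot=no status=stopped
"""

RECORD_RE = re.compile(r"^ ?(\d+) (.*)$")        # " 0 name=..." starts a new record
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')     # key=value or key="quoted value"


def parse_container_print(text):
    """Turn print output into one dict per container; indented lines continue
    the record started by the preceding numbered line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append({"index": int(m.group(1)), "_body": m.group(2)})
        elif records:
            records[-1]["_body"] += " " + line.strip()
    for rec in records:
        body = rec.pop("_body")
        rec.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    return records


def audit_containers(records):
    """Flag settings a router admin would want to review: unattended start,
    containers whose output never reaches the log, store kept in main memory."""
    findings = []
    for rec in records:
        ident = f"{rec['index']} ({rec.get('name', '?')})"
        if rec.get("start-on-boot") == "yes":
            findings.append(f"{ident}: starts automatically after reboot; confirm this is intended")
        if rec.get("logging") != "yes":
            findings.append(f"{ident}: logging disabled, container output will not reach the RouterOS log")
        if not rec.get("root-dir"):
            findings.append(f"{ident}: no root-dir, container store lives in main memory")
    return findings


if __name__ == "__main__":
    # Paste or redirect real `/container/print` output into a file and pass its path;
    # without an argument the constructed sample is used.
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PRINT
    inventory = parse_container_print(text)
    for rec in inventory:
        print(rec["index"], rec.get("name"), rec.get("tag"), rec.get("status"))
    for finding in audit_containers(inventory):
        print("REVIEW:", finding)
```

Running this against an export taken right after enabling the feature, and again periodically, gives a simple way to notice containers that appeared or changed without a planned change.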