...
when a security expert publishes exploit research, anyone can apply such an exploit;
someone will build a Docker container image that performs the exploit AND provides a Linux root shell;
using a root shell, someone may leave a permanent backdoor/vulnerability in your RouterOS system, even after the Docker image is removed and the container feature is disabled;
if a vulnerability is injected into the primary or secondary RouterBOOT (or the vendor pre-loader), then even Netinstall may not be able to fix it;
...
Property | Description |
---|---|
cmd (string; Default: ) | command to execute inside the container (will overwrite the image's CMD parameter). The main purpose of a CMD is to provide defaults for an executing container. These defaults can include an executable, or they can omit the executable, in which case you must specify an ENTRYPOINT instruction as well. |
comment (string; Default: ) | Short description |
dns (string; Default: ) | |
domain-name (string; Default: ) | |
entrypoint (string; Default: ) | path to the binary. An ENTRYPOINT allows specifying the executable to run when starting the container. Example: /bin/sh |
envlist (string; Default: ) | list of environment variables (configured under /container/envs) to be used with the container |
file (string; Default: ) | container *.tar.gz tarball, if the container is imported from a file |
hostname (string; Default: ) | |
interface (string; Default: ) | veth interface to be used with the container |
logging (string; Default: ) | if set to yes, all container-generated output will be shown in the RouterOS log |
mounts (string; Default: ) | mounts from the /container/mounts/ sub-menu to be used with this container |
remote-image (string; Default: ) | the container image name to be installed if an external registry is used (configured under /container/config set registry-url=...) |
root-dir (string; Default: ) | used to store the container's file system outside main memory |
stop-signal (string; Default: ) | |
workdir (string; Default: ) | the working directory for cmd and entrypoint |
Container configuration
```
/container/config/
```
Property | Description |
---|---|
registry-url | external registry url from where the container will be downloaded |
tmpdir | container extraction directory |
ram-high | RAM usage limit (0 for unlimited) |
username | Specifies the username for authentication (starting from ROS 7.8) |
password | Specifies the password for authentication (starting from ROS 7.8) |
Container use example
Prerequisites:
...
```
/interface/bridge/add name=dockerscontainers
/ip/address/add address=172.17.0.1/24 interface=dockerscontainers
/interface/bridge/port add bridge=dockerscontainers interface=veth1
```
Setup NAT for outgoing traffic:
...
Pull or create your project with a Dockerfile included, then build and export the image (adjust --platform if needed):
```
git clone https://github.com/pi-hole/docker-pi-hole.git
cd docker-pi-hole
docker buildx build --no-cache --platform arm64 --output=type=docker -t pihole .
docker save pihole > pihole.tar
```
...
You should be able to access the Pi-hole web panel by navigating to http://172.17.0.2/admin/ in your web browser.
Forward ports to internal
...
container
Ports can be forwarded using dst-nat (where 192.168.88.1 is the router's IP address):
...
To start containers automatically after a router reboot, use the start-on-boot option (starting from 7.6beta6):
```
/container/print
 0 name="2e679415-2edd-4300-8fab-a779ec267058" tag="test_arm64:latest" os="linux" arch="arm" interface=veth2
   root-dir=disk1/alpine mounts="" dns="" logging=yes start-on-boot=yes status=running

/container/set 0 start-on-boot=yes
```
It is possible to get a shell in a running container:
```
/container/shell 0
```
Enable logging to get output from the container:
```
/container/set 0 logging=yes
```
- Starting from version 7.11beta5, multiple addresses and IPv6 addresses can be added:
```
/interface/veth add address=172.17.0.3/16,fd8d:5ad2:24:2::2/64 gateway=172.17.0.1 gateway6=fd8d:5ad2:24:2::1
```
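The steps above (bridge and veth, outgoing NAT, image import, dst-nat forwarding, start-on-boot and logging) consolidated into one RouterOS script, as an added example that is not part of the original page. It also applies the restrictions the warnings at the top motivate: the container subnet is kept off the router's own services and the LAN. Names and values (veth1, disk1/pihole, 192.168.88.0/24 as the LAN, ram-high=256M) are assumptions for this example.

```routeros
# --- network for containers (assumed names/addresses) ---
/interface/veth/add name=veth1 address=172.17.0.2/24 gateway=172.17.0.1
/interface/bridge/add name=dockerscontainers
/ip/address/add address=172.17.0.1/24 interface=dockerscontainers
/interface/bridge/port/add bridge=dockerscontainers interface=veth1

# --- outgoing NAT so the container can reach upstream resolvers ---
/ip/firewall/nat/add chain=srcnat action=masquerade src-address=172.17.0.0/24 \
    comment="container egress"

# --- containment: the container may not open connections to the router itself
#     or to the LAN; placed first so they run before any generic accept rules.
#     Replies to connections the LAN opened (DNS, web panel) are still allowed
#     by the usual established/related rule. ---
/ip/firewall/filter/add chain=input action=drop in-interface=dockerscontainers \
    connection-state=new comment="containers may not reach the router" place-before=0
/ip/firewall/filter/add chain=forward action=drop src-address=172.17.0.0/24 \
    dst-address=192.168.88.0/24 connection-state=new \
    comment="containers may not reach the LAN (assumed LAN subnet)" place-before=0

# --- expose only DNS to the LAN via dst-nat on the router address ---
/ip/firewall/nat/add chain=dstnat action=dst-nat dst-address=192.168.88.1 \
    protocol=udp dst-port=53 to-addresses=172.17.0.2 to-ports=53 comment="pi-hole dns"
/ip/firewall/nat/add chain=dstnat action=dst-nat dst-address=192.168.88.1 \
    protocol=tcp dst-port=53 to-addresses=172.17.0.2 to-ports=53 comment="pi-hole dns"

# --- container store on external storage with a memory cap (ram-high value assumed) ---
/container/config/set tmpdir=disk1/pull ram-high=256M

# --- import the tarball produced by `docker save`, log its output, start on boot ---
/container/add file=disk1/pihole.tar interface=veth1 root-dir=disk1/pihole \
    logging=yes start-on-boot=yes comment="pi-hole"
/container/start 0
```

Check the result with `/container/print` (status should be running) and `/log/print where topics~"container"` to confirm the container's output is being recorded.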