artooro
just joined
Topic Author
Posts: 2
Joined: Fri Aug 04, 2023 7:46 pm

Allowing Containers to do More

Fri Aug 04, 2023 8:10 pm

The containers capability in RouterOS is a great start, but to be really useful we need two main features added to it.

Host Networking
Currently it requires you to create a virtual container network. This is a problem for running network security apps or other apps such as runZero which need to access mDNS and ARP data from the network layer.

Kernel Capabilities
Some apps especially for network security require access to the kernel in order to block, allow and monitor network traffic.
To do this, e.g. on Docker, you would use the --cap-add flags to add things like NET_BIND_SERVICE, NET_RAW, NET_ADMIN and SYS_ADMIN.

I'm sure there are other applications that would make use of these two additional features. Please comment below on what apps you would like to run on RouterOS that need host networking or scoped kernel access.
 
onedegreetech
just joined
Posts: 1
Joined: Wed Aug 16, 2023 7:03 pm

Re: Allowing Containers to do More

Wed Aug 16, 2023 7:14 pm

We use software called adamONE on an ION device for security. If we could run this at Layer 2 on MikroTik, it would really be a game changer for us.
 
Amm0
Forum Guru
Posts: 3506
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Allowing Containers to do More

Wed Aug 16, 2023 8:25 pm

Kernel Capabilities
Some apps especially for network security require access to the kernel in order to block, allow and monitor network traffic.
To do this, e.g. on Docker, you would use the --cap-add flags to add things like NET_BIND_SERVICE, NET_RAW, NET_ADMIN and SYS_ADMIN.
The VETH exposes Layer 2 and can be bridged with a normal VLAN if needed. And you can even send a VLAN trunk over with the right tagging in /interface/bridge/vlans, e.g. you can put the VETH in the main bridge, not a specific "Dockers" one that the docs always seem to use.

I just don't see SYS_ADMIN or NET_ADMIN coming anytime soon; it creates a bunch of security concerns, and would likely break a lot of routing features depending on exactly what a container was doing with the raw interfaces.
 
artooro
just joined
Topic Author
Posts: 2
Joined: Fri Aug 04, 2023 7:46 pm

Re: Allowing Containers to do More

Wed Jan 31, 2024 5:07 pm

There is certainly an element of risk allowing a container to access the network stack. But in order for a security application to operate it needs access to iptables/nftables to dynamically block and allow traffic.
It could be made clear to the user that this has the potential to break things.
VyOS has support for this in their container functionality.
