Cannot Start Container

lutfisan · July 8, 2023, 1:55pm

I want to install pihole using container but after extracting the container cannot start

# 2023-07-08 20:48:01 by RouterOS 7.10.1
# model = S53UG+5HaxD2HaxD&FG621-EA
/container mounts
add dst=/etc/pihole name=pihole_etc src=/usb1-part1/etc-pihole
add dst=/etc/dnsmasq.d name=pihole_dnsmasq src=/usb1-part1/etc-dnsmasq.d
/disk
set usb1 type=hardware
add parent=usb1 partition-number=1 partition-offset=512 partition-size="4 009 754 112" type=partition
/interface bridge
add admin-mac=48:A9:8A:CC:11:A4 auto-mac=no comment=defconf name=bridge
add name=dockers
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" network-mode=lte
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=workhard_5G \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=workhard \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface veth
add address=192.168.99.2/24 gateway=192.168.99.1 name=veth1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/snmp community
set [ find default=yes ] name=secure
/container
add envlist=pihole_envs interface=veth1 logging=yes mounts=pihole_etc,pihole_dnsmasq root-dir=\
    usb1-part1/pihole
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb1-part1/pull
/container envs
add key=TZ name=pihole_envs value=Asia/Jakarta
add key=WEBPASSWORD name=pihole_envs value=pihole_pass
add key=DNSMASQ_USER name=pihole_envs value=root
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=dockers interface=veth1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.99.1/24 interface=dockers network=192.168.99.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=\
    127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=\
    WAN
add action=masquerade chain=srcnat src-address=192.168.99.0/24
/ip firewall service-port
set ftp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 \
    protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=\
    in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
/system clock
set time-zone-name=Asia/Jakarta
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment=InternetWatchDog disabled=no down-script="/log warning \"start Netwatch DOWN-script...\";\r\
    \n/interface lte disable lte1;\r\
    \n/interface lte enable lte1;" host=1.1.1.1 http-codes="" interval=10s test-script="" timeout=500ms \
    type=simple up-script="/log warning \"RESET Netwatch scheduled DOWN-script... ISP WORKS\";"

Screenshot 2023-07-08 205311.png

holvoetn · July 8, 2023, 2:19pm

What does log file show ?
Are you sure your usb stick is available as usb1-part1 ? Check Winbox System/Disks or terminal /disk/print
How is your USB formatted ?

lutfisan · July 8, 2023, 2:57pm

the log does not show any error
USB slot name: usb1-part1
format using this command

/disk format-drive usb1 file-system=ext4 mbr-partition-table=yes

Screenshot 2023-07-08 215323.png

holvoetn · July 8, 2023, 3:01pm

Those log entries are for the extraction part.

What happens when you hit “start” ?

Amm0 · July 8, 2023, 3:08pm

Also might want enable “Start On Boot”.

If you’re getting errors after hitting “Start”, might want to post those.

Amm0 · July 8, 2023, 3:11pm

Also, I noticed an ARP conflict in logs. If that’s the VETH container IP or VETH gateway (/ip/address assigned to the VETH), that might be a problem.

lutfisan · July 8, 2023, 3:38pm

Nothing happens when I press the “Start” button.
https://drive.google.com/file/d/1Ah6CtbugEuCBw32P3wLZh-r-lSvp0f79/view?usp=sharing

optio · July 8, 2023, 4:04pm

Your container is not properly deployed, from your recording it is visible that OS and Arch is missing, also you have some file in pull directory which can conclude that something went wrong because files in there are deleted when container deployment process is complete. Delete container and files from pull directory and try to add container again, wait until extraction process is complete and examine log if there are some errors during the process.
When container is properly deployed it will look like this:

Amm0 · July 8, 2023, 4:05pm

Just noticed it’s not picking up the OS/etc myself, so yeah it’s not “fully” loaded.

Not 100% sure it’s your issue, could be, but the docker bridge should be in the LAN:

/interface list member add list=LAN interface=docker

optio · July 8, 2023, 4:18pm

I think this problem is not related to network, I also don’t have containers in LAN interface list, I’m using filter rules to forward specific service port LAN → container host and specific rule for containers to access WAN. Pi-hole can start w/o internet access.

lutfisan · July 9, 2023, 11:24am

I believe the issue is with pihole docker. I attempted to save the container from Ubuntu and it is now operational.