Container status=error

RouterOS Containers
1

Hello,
I'm experimenting with containers on a CCR2004-16G-2S+ running 7.19.6, because this platform only has a 128MB flash (no USB on this model) I've decided to use tmpfs.

So I've allocated 1GB to tmpfs:

[admin@jen-rou-001] /container> /disk/print
Flags: M - MOUNTED
Columns: SLOT, MOUNT-POINT, MODEL, INTERFACE, SIZE, FREE, USE, FS
#   SLOT  MOUNT-POINT  MODEL  INTERFACE           SIZE         FREE  USE  FS
0 M tmp1  tmp1         tmpfs  ram        1 000 001 536  995 762 176  0%   tmpfs

I use a bridge called "docker" with veth1 in this bridge:

[admin@jen-rou-001] /container> /interface/bridge/port/print
Flags: H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, HORIZON, TRUSTED, FAST-LEAVE, BPDU-GUARD, EDGE, POINT-TO-POINT, PVID, FRAME-TYPES
#   INTERFACE  BRIDGE   HW   HORIZON  TRUSTED  FAST-LEAVE  BPDU-GUARD  EDGE  POINT-TO-POINT  PVID  FRAME-TYPES
0 H ether1     bridge1  yes  none     no       no          no          auto  auto               1  admit-all
1 H ether15    bridge2  yes  none     no       no          no          auto  auto               1  admit-all
2 H ether16    bridge2  yes  none     no       no          no          auto  auto               1  admit-all
3   veth1      docker        none     no       no          no          auto  auto               1  admit-all

[admin@jen-rou-001] /container> /ip/address/print
Flags: D - DYNAMIC; S - SLAVE
Columns: ADDRESS, NETWORK, INTERFACE
#    ADDRESS           NETWORK       INTERFACE
0    192.168.30.1/24   192.168.30.0  wireguard1
1    192.168.5.1/24    192.168.5.0   bridge1
2    10.0.0.1/24       10.0.0.0      docker
3 D  192.168.0.114/24  192.168.0.0   bridge2
4  S 10.0.0.2/24       10.0.0.0      veth1

However when running a container from a remote repo, it reports "status=error", but when uploading a file "busybox.tar" to the flash drive and running from this drive the container works well.

[admin@jen-rou-001] /container> print
 0 name="debian" repo="registry-1.docker.io/debian:stable" os="" arch="" interface=veth1 cmd="sleep infinity" root-dir=tmp1/debian mounts=proc dns=1.1.1.1 logging=yes status=error
 1 name="busybox" repo="registry-1.docker.io/busybox:stable" os="" arch="" interface=veth1 cmd="sleep infinity" root-dir=tmp1/busybox mounts=proc dns=1.1.1.1 logging=yes status=error
 2 name="busybox.tar" repo="" os="linux" arch="arm64" interface=veth1 cmd="sleep infinity" root-dir=tmp1/busybox mounts="" dns=1.1.1.1 logging=yes status=running

[admin@jen-rou-001] /container/config> print
      ram-high: 1024.0MiB
  registry-url: https://registry-1.docker.io
        tmpdir: tmp1/pull
      username:
      password:
     layer-dir:

I'm a bit puzzled as of why the container starts and runs well from busybox.tar but doesn't run it when using an external registry. I was thinking maybe it can't pull it due to networking issues, but I have a masquerading rule which should allow the docker bridge to connect to the internet:

[admin@jen-rou-001] /container/config> /ip/firewall/nat/print
Flags: X - disabled, I - invalid; D - dynamic
 0 X  chain=srcnat action=accept src-address=192.168.5.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""
 1 X  chain=srcnat action=accept src-address=192.168.5.0/24 dst-address=192.168.30.0/24 log=no log-prefix=""
 2    chain=srcnat action=masquerade src-address=10.0.0.0/24
 3    chain=srcnat action=masquerade in-interface=docker out-interface=bridge2
 4    chain=srcnat action=masquerade out-interface=bridge2 log=no log-prefix=""

[admin@jen-rou-001] > /ip/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
 0    chain=input action=accept connection-state=established,related
 1    chain=input action=drop connection-state=invalid
 2 X  chain=input action=accept in-interface=bridge1 log=no log-prefix=""
 3 X  chain=input action=accept protocol=icmp in-interface=wireguard1 log=no log-prefix=""
 4    ;;; allow connections through wireguard to ssh to this router
      chain=input action=accept protocol=tcp src-address=192.168.1.5 src-address-list="" in-interface=wireguard1 dst-port=22 log=no log-prefix=""
 5    chain=input action=accept protocol=tcp dst-address=192.168.5.1 in-interface=bridge1 dst-port=22,8291 log=no log-prefix=""
 6 X  ;;; allow anything hanging from bridge1 to ssh+winbox to this router
      chain=input action=accept protocol=udp in-interface=wireguard1 dst-port=13231 log=no log-prefix=""
 7    chain=input action=drop
 8    chain=forward action=accept connection-state=established,related
 9 X  chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.30.0/24 log=no log-prefix=""
10 X  chain=forward action=accept src-address=192.168.5.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""
11 X  chain=forward action=accept src-address=192.168.5.0/24 dst-address=192.168.30.0/24 log=no log-prefix=""
12 X  chain=forward action=accept src-address=192.168.30.0/24 dst-address=192.168.1.0/24 src-address-list="" log=no log-prefix=""
13    ;;; necessary for computers hanging from bridge1 to connect to WOPR (should sea-rou-001 allow that)
      chain=forward action=accept in-interface=bridge1 out-interface=wireguard1 log=no log-prefix=""
14    ;;; necessary for computers hanging from bridge1 to connect to the internet
      chain=forward action=accept in-interface=bridge1 out-interface=bridge2 log=no log-prefix=""
15    ;;; allow internet traffic from docker
      chain=forward action=accept in-interface=docker out-interface=bridge2
16    chain=forward action=drop


[admin@jen-rou-001] > /ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP; + - ECMP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
#      DST-ADDRESS      GATEWAY      ROUTING-TABLE  DISTANCE
  DAd  0.0.0.0/0        192.168.0.1  main                  1
  DAc+ 10.0.0.0/24      docker       main                  0
  DAc+ 10.0.0.0/24      docker       main                  0
  DAc  192.168.0.0/24   bridge2      main                  0
0  As  192.168.1.0/24   wireguard1   main                  1
  DAc  192.168.5.0/24   bridge1      main                  0
  DAc  192.168.30.0/24  wireguard1   main                  0

Maybe containers can't be pulled on a tmpfs? Or is there anything you'd advise me to check?
Thank you for looking!

2

I just realized container logging wasn't enabled, after enabling:


[admin@jen-rou-001] /container> add name="debian2" remote-image="debian:stable" interface=veth1 cmd="sleep infinity" root-dir=tmp1/debian2 logging=yes

[admin@jen-rou-001] /container> print
 0 name="debian" repo="registry-1.docker.io/debian:stable" os="" arch="" interface=veth1 cmd="sleep infinity" root-dir=tmp1/debian mounts=proc dns=1.1.1.1 logging=yes status=error
 1 name="busybox" repo="registry-1.docker.io/busybox:stable" os="" arch="" interface=veth1 cmd="sleep infinity" root-dir=tmp1/busybox mounts=proc dns=1.1.1.1 logging=yes status=error
 2 name="busybox.tar" repo="" os="linux" arch="arm64" interface=veth1 cmd="sleep infinity" root-dir=tmp1/busybox mounts="" dns=1.1.1.1 logging=yes status=running
 3 name="debian2" repo="registry-1.docker.io/debian:stable" os="" arch="" interface=veth1 cmd="sleep infinity" root-dir=tmp1/debian2 mounts="" logging=yes status=error

2025-09-27T11:40:36.219694-07:00 jen-rou-001 container,info,debug [cont] error response getting manifests: 401
2025-09-27T11:40:36.219694-07:00 jen-rou-001 container,info,debug was unable to import, container f449a17b-00e7-4e5c-b0ab-6ed68b4a39d7
3

I change the registry just in case:

[admin@jen-rou-001] /container/config> set registry-url="https://registry.hub.docker.com"


2025-09-27T11:59:54.411655-07:00 jen-rou-001 system,info item added by ssh:admin@192.168.1.5 (*B = /container add interface=veth1 logging=yes name="debian 3" remote-image=debian:stable root-dir=tmp1/debian5)
2025-09-27T11:59:55.310798-07:00 jen-rou-001 container,info,debug [cont] error response getting manifests: 404
2025-09-27T11:59:55.311889-07:00 jen-rou-001 container,info,debug was unable to import, container fc787431-e610-477a-9da4-8155553889aa
4

Okay I figured it out, thanks to this thread:

[admin@jen-rou-001] /container> add name="debian6" remote-image=library/debian interface=veth1 root-dir=tmp1/debian6 logging=yes

this works, note the "remote-image=library/XXX"
no idea why.