Containerized SNMP monitoring (short term) - a step above built-in graphs

Advice / help / guidance needed to build / install on-device basic bandwidth monitoring tool (inside a container), with a bit more detail for the non-technical users.
Nothing as fancy as Grafana / Prometheus for instance required, but a bit more advanced than built-in graphs functionality.
Apologies in advance for a lengthy post.

I’m a self-proclaimed member of Tinkerers Anonymous (7 years and have not been able to kick the addiction) and I am super excited with the potential containers bring to ROS.
However, my skill level on Mikrotik is still relatively low, and I have only been looking at containers / dockers for a week now (Quite a bit of learning ahead for me).
I have been able to get Pihole and Uptime Kuma set up as containers as part of my journey this week.
I understand that the routerboards have grown a lot in power, but they are still limited in terms of both CPU, RAM and storage compared to for instance an External Pi, or x86 based homelab server.
I have read through numerous posts where members advise to keep the device to its core function (good router), and leave the monitoring etc. for other devices.

Here is my home setup, and I will follow it with what I would like to accomplish. (All running the latest 7.12 Router OS)
Main Core Router - 1 x RB5009. Connected to the internet via 1) Primary - Fibre link, and 2) Auto failover to LTE router (connected via eth). This is working and reporting as expected. Attached to this is a 512 Gb SSD, connected via USB. Working as expected and currently the home for PiHole (disk1) and Uptime Kuma (disk2). I have split this disk into 5 partitions.
Passive Backup - 1 x RB4011. This is providing both the main area of the house with WiFi, and is powerful enough to handle traffic / failover / Natting / Firewalling / VPNs should the Rb5009 fail (Murphy is always lurking in a corner)
1 x HAP AX3 - Installed in another section of the house. This is part of the project to get the whole property on WiFi 6, and also to test capabilities of the unit. (Bought after the RB5009 and RB4011)
1 x HAP AX2 - Installed in workshop area, also part of the WiFi 6 project, and also test-bench (more info later). (Bought after the RB5009 and RB4011)
3 x HAP AC2 units. Part of the legacy installation and will in the next 12 months be replaced with WiFi 6 capable units.

What I would like to accomplish in a docker/container on the Mikrotik:

  1. Basic SNMP Monitoring with a Web front-end to show 1) Overall usage (inbound / outbound / total traffic) 2) Traffic per additional router/ap in my home network.
    In short, I should be able to see if my link is saturating, and how much each of the Mikrotik devices (SNMP monitored) is contributing to the total usage.
    All Mikrotiks have SNMP enabled and can currently be monitored in theory by a Grafana + Prometheus setup running on a Pi or VM.
    … However, the Grafana + Prometheus is an overkill for this, and way too resource intensive to host on the Mikrotik itself (this seems to be clear).
    Smaller solutions (eg. Bitmeter OS, Netdata, [feel free to suggest alternatives]), can potentially give me the graphs and detail I would like.
    The reason I would like this to be working from a container on the router is that I have some friends / family that come to me for advice on IT matters (one-eyed idiot leading the blind), and I have all of them on Mikrotik devices by now. Most of them would like to have a web-page they can access from the PC / phone browser, that gives them a bit of info (and history) on the internet connection. I have tried to get them to use the built-in graphs, but a number of them ask questions like: What was my total usage in Gb for the a) last hour or b) last day? or Who is using all the data? or similar.
    A lot of this info can be gleaned from super-lightweight packages like Bitmeter OS or Netdata, but most of them do not have extra computers / Pi’s lying around for this purpose.

So, after all of that, how would I go about (if actually possible / feasible) installing a lightweight SNMP monitoring app with a web front-end on a container on the Mikrotik.
Ideally, it should be lightweight enough to work on a HAP AX2 with a small USB drive for storage.
Data does not need to be retained for extended periods (for instance, 24-72 hours should be OK)

Wishlist (over and above the aforementioned tool), but not critical for the project:

  1. Alerting - sending an alert in case of certain events (eg. link saturation for longer than x time, or link failing over to backup [capped solution, so cost performance implications])
  2. Login capability - a bit of security is never a bad thing

Dreamlist (Flights of fancy that are likely unrealistic given the processing power / other limitations):

  1. Very (yes very) basic protocol breakdown - so they can see if it is YouTube or Facebook or e-mails consuming the bandwidth. No need for too much detail.
  2. Integration into the Mikrotik API, allowing me to block an IP / MAC / etc from a web frontend. Most of my friends / family find Winbox and the Mikrotik menus etc inundating when I try to teach them.

So, after all of the above, please give some thoughts, ideas, how-to’s etc. I am sure there might be quite a number of relatively basic users that can benefit from something like this.

LibreNMS might fit your bill.

I use it extensively. There is a docker container for it.

Thank you elbob2002.

I will check it out…

From a YouTube video it seems on the surface to be lightweight enough, and from the first bit of research it seems it will do what I need.
In the YouTube video, LibreNMS is running on a Prox environment, but if you consider the HAP AX2 has 1 Gb of RAM and a quad-core 64 bit CPU, it should be able to handle it, provided the external disk can handle the required reads/writes (throughput/speed/reliability).

Any specific instructions or hints on setting up the environment variables and mountpoints will be greatly appreciated, as I am shining new to the docker / containers environment.

From the yml file I see there are quite a number of variables, but I have no idea how to translate that to Mikrotik environment.
If anyone can point me to a write-up, or help me figure it out, it will be great.

https://github.com/librenms/docker#environment-variables

Well, there is also Dude which is built-in… while old, it is extremely lightweight… since it’s just writing to a sqlite db.
Webfig will show a network map so there is some web GUI…

Thanks Amm0

A blast from the past… I have not used the Dude since about v2 or 3 I think.
It used to be good at displaying a network map and some info on the map, but not really bandwidth graphs as far as I can recall.

I should have looked at it as well in my quest, but perhaps I was just too focussed on containers etc.
Also, since in my mind it held a spot of a network mapping tool, I might have overlooked it.
Is there a way to just display the info on a url without having to go through webfig?

Also, is there a way to have the Dude run / store info on the external storage instead of constant reading / writing to the NAND?
For some reason I have this irrational worry about prematurely wearing out my NAND storage… Haha.
If you can point me to right post / link it might save me some time in my research.

You use a “link” object in a map to specify a RouterOS (or SNMP) interface to track bandwidth, and those will show a traffic graph. Custom probes that are assigned to a device can also monitor an SNMP variable, which you can also graph.

If you used firewall/queues to mark traffic (e.g. QoS), you would be able to monitor the queue traffic using a custom probe to “see” different kinds of traffic (indirectly via a queue’s stats and custom probe in Dude).

Look at ROSE in help. You can mount a NAS/share/etc and then specify the Dude directory to the mounted volume.

No, but you can use a “read” account so that someone monitoring can’t change anything.

Assuming you’re referring to the RouterOS user group policy of that name and not a LibreNMS feature, alas, it doesn’t currently work that way. If your container has a “/bin/sh” inside and your read-only RouterOS user can get access to the RouterOS CLI somehow (WebFig Terminal, SSH, etc.) it has permission to execute “/container/shell 0”, which then drops that user into a full root shell inside the container!

Read-only RouterOS users also have the ability to start and stop containers, something else I don’t think of as “read-only”.

A safer option may be to expose access via LibreNMS’s own “global read” user level, though that’s speculation, since I’ve never run LibreNMS.

I was answering re the Dude alternative. e.g. if no container to start/stop…

But yeah with a container, you can expose a webpage & avoid needing any RouterOS login. So totally fair point that the policy system leaves some gaps. :wink:

Thanks All.

I am trying to get LibreNMS going, but running into a few noob issues. Like I said, I am brand new to containers / dockers and not someone that works with routers on a regular basis.

  1. Do I load a lightweight Ubuntu or Debian Docker, and then add LibreNMS via their installation script? (This seems like a bit of overkill and might expose more “features” that are not required.)

Or

  2. Do I just try to load the LibreNMS Docker image? In this case I need assistance please with setting environment variables and mountpoints. I am prepared to put in the learning, but a pointer in the right direction will be appreciated. I am not sure how to pass through variables typically set up in a yml file to the design used by ROS. Also, a bit of guidance on how the mount points translate to expected folders for the “OS” sitting below LibreNMS.

Thanks

The term is “container” regardless of whether you’re working with Docker Engine or MikroTik’s lightweight reimplementation of the technology in RouterOS. Docker neither originated the concept nor created the base technologies in Linux that made it possible. Their implementation is distinguished by being the one that first popularized the Linux container concept by making it easy to apply in practice.

In the past, the ROS docs on their container feature misused the term “docker” to refer to the technology generally, and you will find echoes of that misuse here on the forum. Furthermore, there are others who continue to make this confusion for the same reason other brand names have become genericized. I believe it is important to make the distinction because the Docker implementation of containers is different in many ways from the one in RouterOS. Conflating these two unrelated implementations will lead you into misapprehensions, delaying your enlightenment.

The first key thing you must understand is that there isn’t any proprietary Docker, Inc technology in RouterOS, that I’m aware of. As far as I can tell from my position here as an outsider to their development organization, MikroTik started with nothing more than comes with the generic Linux kernel, then reimplemented everything else you need to have a container engine atop that. That isn’t even close to the second time it’s been done before; more like the two-dozenth.

Occasionally the use of the term “Docker” indicates that the one using it either didn’t bother ensuring that their container is portable to other engines, or that they have made purposeful use of some Docker-specific feature, making it non-portable by design. I’ve never run LibreNMS, so I can’t tell you which of these two is the case, if either is.


Do I load a lightweight Ubuntu or Debian Docker, and then add LibreNMS via their installation script?

Definitely not. Containers are not VMs.


I need assistance please with setting environment variables and mountpoints

That’s documented in the RouterOS manual. What’s your difficulty in applying it?

This high-level overview of Docker storage tech may help. RouterOS’s container engine supports bind mounts only, pointing at directories you create on the USB SSD you spoke of in your original post. RouterOS doesn’t have a volume manager as in more featureful container engines, but this lack is inessential from the internal viewpoint of the containerized service.


I am not sure how to pass through variables typically set up in a yml file to the design used by ROS

YAML files are used for several things in the container world, but although none of them apply to RouterOS’s independent implementation, there are two standouts in this context, being admin-focused, thus worth a slice of your attention at this early stage in your education, if only so that you can recognize them and adjust as necessary for RouterOS.

One is for “compose” files, named after a Docker feature that lets you define multiple containerized services in a single unit so that you can bring them all up and down together. It’s since been cloned in a few other engines — and even reimplemented once by Docker, Inc! — but it has yet to appear in RouterOS, and frankly, I doubt it ever will. It’s an administration affordance, not an essential backbone feature of containers; while it may be nice to have, only a spoiled snob would consider it a deal-breaker when absent. :face_with_tongue:

Every instance of “yml” on the top-level LibreNMS Docker page is of this type, but the thing is, they’re all talking about “sidecar” containers to get additional services you can hook into LibreNMS. As far as I can tell, having never deployed LibreNMS myself, these are not necessary to make LibreNMS itself run. If you need these other services, you can simply add them one at a time as independent containers under RouterOS until you’ve built up what you need. It isn’t as convenient as saying “docker compose up”, but them’s the downsides of using a bare-bones container engine like the one in RouterOS instead of something full-featured like Docker Engine.

The second major admin-facing use of YAML in the container world is for defining Kubernetes clusters, a much higher level thing than compose meant for managing clusters of container engines, even whole data centers full of them. You will find a good many people who want to jump straight from one container to a k8s cluster, but I beg you to help me resist this tendency toward overcomplexity. Google needs k8s; you probably don’t, and if you do, it is inadvisable in the highest degree to implement a k8s cluster atop RouterOS.

I’d just add that anytime a package’s instructions suggest using “docker compose” (and not just “docker run <image_tag>…”), that’s just going to be harder on RouterOS, since “compose” can create MULTIPLE containers. But nothing in RouterOS knows about compose files, since it’s basically just the “docker run” part of Docker.

So looking at the LibreNMS compose example, it’s actually 7 containers, and from a quick look most are needed:
https://github.com/librenms/docker/blob/master/examples/compose/compose.yml

As @tangent well explains, the YAML for the compose has the individual containers that would be needed inside that file. e.g. each of the items indented 2 spaces and under “services” has an “image” field in compose.yml, and that’s what you need for “/container/add remote-image=<from_yaml_image_field> …”, so you likely need ~7 x /container/add’s for LibreNMS.

Anyway, containers are useful and worthwhile to learn. But kinda why I was trying to steer ya to the Dude for monitoring if you have just a handful of devices.

Alternately, run LibreNMS on some other always-on server on your LAN that can run a full-featured Docker Engine.

I doubt there’s anything about LibreNMS that makes it impossible to get it running under RouterOS’s bare-bones container engine, but it’s a rock-solid guarantee that it will take more work and give you fewer management features in the end. Issues like the root shell security hole I brought up above may be a deal-killer.

More suggesting LibreNMS may not be the best “intro to containers”. :wink:
I haven’t researched, but I imagine there is a lighter-weight NMS that would be a better fit for a RouterOS container.


My rule is anything that requires specific “capabilities” in a compose/etc (e.g. stuff like NET_ADMIN, NET_RAW) is a bad idea in RouterOS…

Great feedback and insights.

Ok, if LibreNMS is not the ideal beginner project, let’s hear from others in the community to see if they can propose better suited lighter weight solutions.
From my initial research, I can see that other users are interested in something similar.

I tried with the Dude, but it seems unlikely that I can get what I want from it, especially given the fact that as of V6 they killed the web server portion of it. However, I’m still playing with it and will post successes / failures as I continue.

Thanks for all the info so far, it helps a lot with my understanding.

I didn’t mean to sound discouraging… In fairness, you may not need 7 containers for LibreNMS (I just counted what’s in the example), but at least 2 I’m sure (e.g. a database and librenms). A quick google did turn up the steps for Synology NAS and LibreNMS, you’d have to convert the “docker run” to /container/add’s but rough steps are likely similar: https://jasonloong.com/blog/synology-snmp-network-monitoring-with-librenms-docker

The alternative to LibreNMS is Zabbix, but it’s also similarly structured where parts of the monitoring/storage/UI/etc are broken up into multiple containers.

This is kinda how containerization is supposed to work (e.g. one function per container) & goes to the point “containers are not VMs” which @tangent highlights. But you do lose something in using containers without “orchestration” (e.g. “docker compose”) since dealing with “related” containers is a manual process you have to manage yourself.

Webfig should have some web things for Dude. And you can use “skins” in webfig to reduce the UI so it’s easier to find. Dude excels at the monitoring side, but a simple “dashboard” (or any web UI), not so much…

@Jonte also has a Splunk-based monitoring “system” but I’m not sure there is a container for the needed Splunk server. But see http://forum.mikrotik.com/t/tool-using-splunk-to-analyse-mikrotik-logs-4-0-graphing-everything/153043/1 since that’s another NMS idea here.

Thank you for all the great input and links so far.

Tangent - the part that is unclear to me is how you define / decide /map the “name” portion of the below.

/container/envs/add name=pihole_envs key=TZ value="Europe/Riga"
/container/envs/add name=pihole_envs key=WEBPASSWORD value="mysecurepassword"
/container/envs/add name=pihole_envs key=DNSMASQ_USER value="root"

In this example, the name is pihole_envs, with the various variables defined.
In my understanding, the container software needs to query variables, looking at a specific name.
But, if that name is incorrect, it will not be able to get the variables.

For instance,
If I created all these variables in the Pihole example with a name of (for instance) “pihole_variables”, I am assuming the software running in the container would have ignored them.

I am sure there is an easy way, but either I am just not finding it, or it is such common knowledge it is not explained in most documentation.

Thanks

You can have any number of environment lists and containers, and the mapping between them is up to you. You choose at container creation time via “/container add…envlist” which environment list to push into the container.

You can call each list whatever you like.
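
Added example (not code from any poster in this thread or from MikroTik): a small Python helper that turns one simple "docker run" line into the RouterOS 7 /container commands discussed above, covering both the "convert docker run to /container/add" suggestion and the point that the envs name is a free-form label tied to the container only by envlist=. The function names, the disk1/<name>/… directory layout, the veth1 interface and the sample command are assumptions made for illustration.

```python
import shlex

# docker flags with no RouterOS meaning; safe to drop silently.
IGNORED = {"-d", "--detach", "--rm", "-i", "-t", "-it"}

def ros_quote(value):
    """Quote a value for the RouterOS CLI, escaping backslash, quote and $."""
    for ch in ("\\", '"', "$"):
        value = value.replace(ch, "\\" + ch)
    return f'"{value}"'

def docker_run_to_routeros(cmd, name, disk="disk1", interface="veth1"):
    """Return (commands, needs_review) for one simple `docker run` line.

    Only -e/--env, -v/--volume and the image are translated. Everything else
    (ports, capabilities, --privileged, a trailing command) lands in
    needs_review, because RouterOS has no direct counterpart or it needs a
    human decision. The directory layout under `disk` is an assumption.
    """
    args = shlex.split(cmd)
    if args[:2] != ["docker", "run"]:
        raise ValueError("expected a 'docker run' command")
    envlist = f"{name}_envs"  # free-form label; it only has to match envlist= below
    cmds, mounts, review, image, has_env = [], [], [], None, False
    it = iter(args[2:])
    for arg in it:
        if arg in IGNORED:
            continue
        if arg in ("-e", "--env"):
            key, _, value = next(it).partition("=")
            cmds.append(f"/container/envs/add name={envlist} key={key} "
                        f"value={ros_quote(value)}")
            has_env = True
        elif arg in ("-v", "--volume"):
            dst = next(it).split(":")[1]  # container-side path of the bind mount
            mname = f"{name}_{dst.strip('/').replace('/', '_')}"
            cmds.append(f"/container/mounts/add name={mname} "
                        f"src={disk}/{name}{dst} dst={dst}")
            mounts.append(mname)
        elif arg.startswith("-"):
            # Unknown flag: keep it with its value so a human can review it.
            takes_value = "=" not in arg and arg != "--privileged"
            review.append(f"{arg} {next(it)}" if takes_value else arg)
        else:
            image, rest = arg, list(it)  # first positional is the image
            if rest:
                review.append("command: " + " ".join(rest))
    if image is None:
        raise ValueError("no image found")
    add = (f"/container/add remote-image={image} interface={interface} "
           f"root-dir={disk}/{name}/root")
    if mounts:
        add += " mounts=" + ",".join(mounts)
    if has_env:
        add += f" envlist={envlist}"
    return cmds + [add], review

if __name__ == "__main__":
    # Constructed sample command, not taken from the LibreNMS documentation.
    sample = ("docker run -d --name librenms -p 8000:8000 --cap-add NET_ADMIN "
              "-e TZ=Europe/Riga -e DB_HOST=db -v /volume1/librenms:/data "
              "librenms/librenms:latest")
    commands, review = docker_run_to_routeros(sample, "librenms")
    print("\n".join(commands), "\n# review by hand:", review)
```

Anything returned in the review list, such as --cap-add NET_ADMIN, is exactly the kind of requirement the thread's rule of thumb says to treat as a warning sign on RouterOS.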