Error when mounting adguard container

I have RB4011iGS+5HacQ2HnD. It is based on arm architecture, and it seems that I can install containers on it. I understand that it is not the best idea to put a container on it, because it does not have an external drive. But I really want to filter out advertising for all devices on the network at once. I followed the instructions from the wiki before starting the container and got this error:

/container add remote-image=adguard/adguardhome:latest interface=veth1 root-dir=adguard mounts=adguard_etc
failure: not allowed by device-mode

At the same time, all other settings seemed to be applied without problems.
If necessary, I can show you the entire order of command execution.

First enable container functionality here:
https://help.mikrotik.com/docs/display/ROS/Device-mode

Strange, I seemed to do it as a command

/system device-mode update container=yes

but when checking it was only

system device-mode print
       mode: enterprise

Perhaps I reset the settings poorly. Now I repeated this procedure and now received the following report:

system device-mode print
       mode: enterprise
  container: yes

Then I tried again

/container add remote-image=adguard/adguardhome:latest interface=veth1 root-dir=adguard mounts=adguard_etc

It seems that I didn’t receive an error, but if I look in the list of containers, the status is “error”

Add the logging=yes directive on the container-creation command and look in the logs. Might explain more about the error.

Unfortunately, setting up logging is an unknown topic for me. I did as written in the Mikrotik wiki

/container set 0 logging=yes

The existing log was cleared and new entries like:

was unable to import, container 78af614f-b4ef-427b-8e17-22e1dc08ba93

Remove the container, re-create it, and provide logging=yes from the beginning. You should see a bit more output when it downloads the various layers. I agree the logging is pretty … basic … and will probably not reveal WHY you have this issue.

You specify root-dir=adguard => This will write to the local flash. Do you have enough space?

This was the first thing I tried after your advice to enable logging.

Yes, I write directly to a local drive. In the topic header I wrote a model of my Mikrotik and wrote that I understand that this is not the best idea. But I don’t know how to check how much space is on the local drive.

On which ROS version? There was an issue with the OCI manifest, fixed in ROS 7.10.
*) container - fixed “container pull” to support OCI manifest format;

7.9.1
Now I’ll try to update to 7.10.2. But I forgot, will I also need to update the packages that are installed on me?

Although I updated ROS and saw that the packages needed to be updated. The container installation is now successful. Although in the state it writes that it has been stopped. I think that the main problem has been solved, I will read further on how to start a container

Containers are stopped by default after deploying and need to be started manually with /container/run <container_number>. You can also set start-on-boot=yes to autorun the container on ROS startup.

Now I have another problem. The container was downloaded, installed, received the status “stopped”, I made a command so that it would start automatically after rebooting Mikrotik

container set start-on-boot=yes 0

I overloaded the router, the logs show that the container has started, the status is “running”, but the address is not pinged, the status is “timeout”. The firewall is disabled, or rather almost empty.
At the same time, it writes in the logs

2023/12/06 16:38:40.922017 [info] go to http://172.17.0.2:3000

That is, in theory the container has started (I assigned this address to the interface with the container)
I can’t access the address in the browser either.

I just did this, but another problem appeared, voiced above.

If the container VETH is on a different bridge than LAN, then this is normal. You need a firewall rule to accept forward traffic in/out of the containers bridge or VETH IP (depends on how you need to secure the containers network).

Of course it is on another bridge. I did as in the instructions. The bridge itself pings (172.17.0.1)
Unfortunately, I don’t understand the firewall rules. I just started studying them, but decided to get rid of online advertising first. But I don’t have them. I disabled the existing rule.

If you added other rules from MT Container tutorial try with:

/ip/firewall/filter/add chain=forward action=accept in-interface-list=LAN out-interface=containers

If you have defconf configuration, order that rule below defconf: drop invalid rule.

I will try to do as in the instructions. Here are the steps I did:

/system device-mode update container=yes

/container set 0 logging=yes

/interface bridge add name=dockers

/ip address add address=172.17.0.1 interface=dockers

/interface veth add name=veth1 address=172.17.0.2/24 gateway=172.17.0.1

/ip firewall nat add chain=srcnat action=masquerade src-address=172.17.0.0/24

/container config set ram-high=100M
/container config set registry-url=https://registry-1.docker.io
/container config set tmpdir=/tmp_docker

/container mounts add name=adguard_etc src=/adguard/etc dst=/etc/adguard

/container add remote-image=adguard/adguardhome:latest interface=veth1 root-dir=adguard mounts=adguard_etc

/container set start-on-boot=yes 0



I understand that I have to substitute my values here. If I understand what LAN is, then I don’t understand what “out-interface=containers” is.

I didn’t know the name you assigned to the containers bridge. I assumed containers, since it is like that in the tutorial, but in your case it is dockers, so replace containers with dockers in that rule. The in/out-interface in rules can be an interface (not all) or a bridge.

That’s what I thought, but unfortunately, the ping still doesn’t work.

I understand that you have looked at my commands and my steps for setting up the container. I didn’t miss anything, did I? Did I do everything right?

Address subnet is missing for dockers bridge:
/ip address add address=172.17.0.1/24 interface=dockers
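
The missing-prefix problem identified in the last reply can be caught by checking the address plan before deploying. The following check is an added example, not part of the original thread or of MikroTik's tooling; it assumes an address entered without a prefix is treated as /32, and the function names and the sample input (built from the commands posted above) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the bridge, address and veth lines as posted in the thread.
THREAD_COMMANDS = """\
/interface bridge add name=dockers
/ip address add address=172.17.0.1 interface=dockers
/interface veth add name=veth1 address=172.17.0.2/24 gateway=172.17.0.1
"""


def params(line):
    """Return the key=value arguments of one RouterOS command line."""
    return dict(re.findall(r"([\w-]+)=(\S+)", line))


def check_veth_reachability(commands):
    """Report veth interfaces whose address no router interface is on-link with."""
    connected = []  # (interface name, connected network) from "/ip address add"
    veths = []      # (veth name, veth address, gateway) from "/interface veth add"
    for line in commands.splitlines():
        p = params(line)
        if line.startswith("/ip address add"):
            # Assumption: an address given without a prefix is treated as /32,
            # which is also how ipaddress.ip_interface() parses it.
            iface = ipaddress.ip_interface(p["address"])
            connected.append((p["interface"], iface.network))
        elif line.startswith("/interface veth add"):
            veths.append((p["name"],
                          ipaddress.ip_interface(p["address"]),
                          ipaddress.ip_address(p["gateway"])))

    findings = []
    for name, addr, gw in veths:
        # The router can only reach the veth directly if some connected
        # network on the router side contains the veth's address.
        if not any(addr.ip in net for _, net in connected):
            owners = [f"{i} ({n})" for i, n in connected if gw in n]
            findings.append(
                f"{name}: {addr.ip} is not on-link; gateway {gw} "
                f"is configured on {', '.join(owners) or 'no interface'}")
    return findings


if __name__ == "__main__":
    for finding in check_veth_reachability(THREAD_COMMANDS):
        print(finding)
```

With the posted commands the check reports veth1 as unreachable because the bridge address covers only 172.17.0.1/32; after adding /24 to the bridge address it reports nothing.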