Mosquitto - 401 when trying to install from docker

Bomber67 · April 22, 2025, 8:16am

Hi all,

Get an error message when trying to install the Mosquitto container.
Earlier I succeeded in installing the HA container on same RB, but on this one I’m stumped.

Config:

# 2025-04-22 10:03:44 by RouterOS 7.18.2
# software id = *
#
# model = RB5009UPr+S+
# serial number = *
/container mounts
add dst=/mosquitto/config name=msqt_config src=/usb2/mosquitto_mounted
/interface bridge
add name=msqt
/interface veth
add address=172.19.0.2/24 gateway=172.19.0.1 gateway6="" name=veth1
/container
add interface=veth1 logging=yes mounts=msqt_config root-dir=usb2/mosquitto
/container config
set layer-dir=usb2/layers ram-high=800.0MiB registry-url=https://registry-1.docker.io tmpdir=/usb2/pull
/interface bridge port
add bridge=msqt interface=veth1
/ip address
add address=172.19.0.1/24 interface=msqt network=172.19.0.0
/ip dhcp-client
add default-route-tables=main interface=ether1
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.0.141 dst-port=1883 protocol=tcp to-addresses=172.19.0.2 to-ports=1883
/system clock
set time-zone-name=Europe/Oslo
/system note
set show-at-login=no

This is how my disk looks like:

Flags: E - EMPTY, B - BLOCK-DEVICE; M - MOUNTED
Columns: SLOT, MOUNT-POINT, MODEL, SERIAL, INTERFACE
#    SLOT  MOUNT-POINT  MODEL              SERIAL                INTERFACE       
0 E  usb1                                                                        
1 BM usb2  usb2         SanDisk Ultra Fit  4C530001300713118414  USB 2.10 480Mbps

Command I run for installing the container:

/container/add remote-image=eclipse-mosquitto:latest interface=veth1 root-dir=usb2/mosquitto mounts=msqt_config logging=yes

Log output:

 2025-04-22 08:02:39 container,info,debug importing remote image
 2025-04-22 08:02:39 system,info item added by winbox-3.41/mac-msg(winbox):admin@C8:60:00:A1:C0:FF/terminal (*2 = /container add interface=veth1 logging=yes mounts=msqt_config remote-image=eclipse-mosquitto:latest root-dir=usb2/mosquitto)
 2025-04-22 08:02:41 container,info,debug [cont] error response getting manifests: 401
 2025-04-22 08:02:41 container,info,debug was unable to import, container dbb04c38-a590-4737-b341-5cfa9f0aeb1e

From what I have read, 401 is about failed authentication.
I have also tried with my Docker creds but no difference, so what is the problem?

Anyone?

BTW, after formatting the USB stick (the one I have), it turns up as usb2 and there is also a “dummy” usb1. Why?

Bomber67 · April 28, 2025, 4:20am

Nobody tried this?

Amm0 · April 29, 2025, 12:19am

What URL are you using for the registry-url in /container/settings?

Sometimes using the fully qualified name (or sometimes not, i.e. without :latest) helps in remote-image= . Also make sure your running the latest stable version, since various past versions have had bugs in this area.

Bomber67 · April 29, 2025, 4:25am

It’s in the code i posted:

registry-url=https://registry-1.docker.io

I run 7.18.2

Amm0 · April 29, 2025, 4:56am

While this was not always true (see docs)… if docker-1.docker.io is registry, you need to use “library/eclipse-mosquitto:latest”.

7.18 made some changes… so new default is https://lscr.io and they also support using a “fully-qualified” remote-image that include the “hub”/registry, so “registry-1.docker.io/library/eclipse-mosquitto” also works (even if registry-url is not set or set to ghcr.io/lscr.io/etc)

Bomber67 · April 29, 2025, 5:35am

The command

/container/add remote-image=eclipse-mosquitto:latest interface=veth1 root-dir=usb1/mosquitto mounts=msqt_config logging=yes

gives

"2025-04-29 07:24:37 container,info,debug [cont] error response getting manifests: 401

The command

/container/add remote-image=eclipse-mosquitto interface=veth1 root-dir=usb1/mosquitto mounts=msqt_config logging=yes

Gives just

failure: could not add"

while

/container/add remote-image=registry-1.docker.io/library/eclipse-mosquitto interface=veth1 root-dir=usb1/mosquitto mounts=msqt_config logging=yes

somehow seems to work.
II once managed to add the container, but it refused to start.

Every second time I try to add it it says just “could not add”, the other times it gives the following:

2025-04-29 07:28:34 container,info,debug importing remote image
 2025-04-29 07:28:34 system,info item added by winbox-3.41/mac-msg(winbox):admin@C8:60:00:A1:C0:FF/terminal (*6 = /container add interface=veth1 logging=yes mounts=msqt_config remote-image=registry-1.docker.io/library/eclipse-mosquitto root-dir=usb1/mosquitto)
 2025-04-29 07:28:36 container,info,debug [cont] getting layer sha256:6e771e15690e2fabf2332d3a3b744495411d6e0b00b2aea64419b58b0066cf81
 2025-04-29 07:28:37 container,info,debug [cont] layer sha256:6e771e15690e2fabf2332d3a3b744495411d6e0b00b2aea64419b58b0066cf81 downloaded
 2025-04-29 07:28:37 container,info,debug was unable to import, container f9889541-6873-4f74-9309-d2be4d702afc

What reallly confuses me is that upon every reboot, the disk I created on the USB stick changes between “usb1” and “usb2” so I have to change the settings …
Why isn’t the name persistent?

BTW, what do you mean by

default is > https://lscr.io

?
Can Registry URL be omitted, making ROS default to this one?

jaclaz · April 29, 2025, 9:41am

That issue may be connected to the USB storage device you are using, as an example some SanDisk USB sticks tend to cause the issue (the RoS is confused whether the device is USB2 or USB3.,x) see:
http://forum.mikrotik.com/t/usb1-vs-usb2-mount-after-each-reboot-a-surprise/182437/1
http://forum.mikrotik.com/t/usb-disk-issue-after-hardware-reboot/172598/1

Bomber67 · April 29, 2025, 10:24am

I think you’re at something there…my stick IS a Sandisk USB3…thank you!
I’d rather run it on a device with M.2 support, but apart from RB1100AH X4 Dude ed. there aren’t many around AFAIK.

jaclaz · April 29, 2025, 12:16pm

Yep - just to give you some context - Sandisk is one of the few (only?) USB stick manufacturer that uses “own, proprietary” USB controller chips (which are actually very good), most (if not all) the other manufacturer use chips manufactured by third parties ( Phison, Alcor, SMI, USBest, etc.) that behave differently (in this case better) when it comes to negotiating the USB connection on the host.

Very likely it is a timing problem, Mikrotik devices are either too fast or too slow for the different Sandisk mechanism to connect “properly”, it seems like Sandisk first advertises itself as USB 2.0, and only later checks if the host is capable to reach USB 3.x speed and only then tells the host, “no wait, I was joking, I am actually a USB 3.x device” but by that time the USB 2.0 device PID/VID/whatever has been mounted.

Or something like that.

Amm0 · April 30, 2025, 3:26pm

On new units or after reset-configuration, that’s the new default. I haven’t test that much, why I asked (even though a more careful reading might have seen that).
I filed a bug on docs, Mikrotik fix the mosquito doc to reference the need for library/ - so the docs should be right now.

And yeah you can use a fully qualified name without a registry-url, but I have not tested it that much, but that’s the idea.

Now your USB situation, you can also try reformatting on RouterOS – although I’d listen to jaclaz