v7.1rc3 adds container support

ech1965 · September 27, 2022, 10:26am

Routeros is a picky community.

Computers are picky things. Those of us who’ve learned to become facile with them learn not to use the wrong terminology and to jump on instances of it where we see it elsewhere as a sign of either sloppy or outright incorrect thinking. When you’re asking for help, you do not want to be giving off the impression of either, else you’re likely to get the right answer to the wrong question.

i was wrongly remembering docker command uses the the same parameter for mounting folders and “devices”.

There does exist “docker create --mount”, but you normally do not use it with /dev, because the container creation process normally does that for you. It’s hidden down in the guts of Docker and tricky to get to, but you can see an example of it exposed here, down at the end. Notice the several /dev mounts.

However, although /dev is automatically mounted, you will notice that, if you fire up a random container (e.g. alpine:latest) you won’t get things like /dev/sda. This is on purpose, else root inside the container could scribble on your hard disk.

I’m not being pointlessly pedantic here. I’m trying to show why I believe you’re off on the wrong track.

I’m simply looking for the equivalent of the --device command line parameter of the docker command in linux.

RouterOS’s implementation of containers is closer to the way bare-bones OCI bundle runners like runc and crun work than to full-fat Docker Engine. You’ll find yourself missing a lot of what you take to be common affordances.

I doubt the problem is as simple as all this anyway. I did some digging into NUT’s USB HID driver, and it looks like it uses libusb to go digging through the device tree. I believe it needs “/sys/bus/usb/devices” to be populated for that to work, which it certainly won’t be in a stock container.

If true, even my suggestion to hard-code a /dev node directly into the container won’t work.

I also came across this in my investigation, which I found discouraging.

Thanks you very much for your detailed answer,
Sorry for having mismatched devices and mounts
Implying I didn’t read the docs “hurted” because I did and couldn’t find anytying avout hid devices.

I’ll keep trying playing with the container features of routeros
I might keep pursuing my plan of attaching a raspi on my ups and have a “native” nut implementation…

Znevna · September 27, 2022, 10:56am

The same way tun/tap access was enabled in containers under RouterOS maybe access to usb devices can be enabled too, with a proper feature request.

antonsb · September 27, 2022, 3:51pm

this is in our to do list.

Znevna · September 27, 2022, 4:05pm

Sweet, thank you!
PS: I’ve managed to trash the container config somehow, but I can’t reproduce it, even though I’ve tried to redo all the steps before it “broke”.
I had AdGuardHome running on it’s own root-dir and veth1, I’ve added a new veth for testing this: http://forum.mikrotik.com/t/problem-with-editing-file-in-container-store/161054/2
I’ve prepared the mount dir, added the container in a new root-dir obviously and with veth2.
Obviously it failed because it didn’t have support for arm64 so I went on to try it on hAP ac3.
When I went back to my RB5009, container print was listing the last container added but twice with different status (I repeat, same “name”), one with error, one with some other status.
AdGuardHome was not showing in container list, but it was still running (checked). I’ve tried deleting them but here something broke:
Terminal history was only going up two commands up to /container and it crashed there, no other input was possible, only in a new terminal window only to crash again at the same history line (same thing via SSH).
A reboot fixed it, I readded the AdGuardHome container to be sure of no problems.
Weird.

Pl07R3K · November 27, 2022, 4:06pm

I’m going to deploy flungo/avahi in a container and I’m wondering how to connect it with VLANs.
Can anyone help me?

Pl07R3K · November 27, 2022, 4:20pm

anav:

Avahi (mdns Reflector)

Hap AC^2 (256M)

It took a while to get working, but I was able to build an Avahi container. Using the cross build instructions at

https://hub.docker.com/r/taoyou/iperf3-alpine

And the avahi container at

https://github.com/flungo-docker/avahi

It came out a bit over 8M in size, so quite big.

It uses a couple of vlans (Vlan setup currently hard coded in the tar file) on it’s veth to connect to the local networks.

It is configured as a mdns reflector.

While working out how to make it work, I used netcat from openwrt to provide a couple of cli sessions. The cli is very basic but works, (You need 2 for when you break one) Probably should learn how to setup a dropbear.

I used 7zip on my desktop to open the tar file, and edit config files, and insert the executables (netcat binary and runcat2.sh script)

It seems to work ok.
Not sure I really want it now though

Hi @rplan,
I am also going to deploy flungo/avahi in container therefore I am looking for information on how to connect it with VLANs. One bridge for every VLAN?
Can you please guide me?

tangent · November 27, 2022, 7:42pm

Like this.

Pl07R3K · November 27, 2022, 10:30pm

Yes. Thank you very much!

shahidi · December 7, 2022, 9:25am

Dear Friends , I have tried many dockers from hub.dockers.com most of them was related to VPN and Proxies and packet ofuscators, and I faced mostly with two problems , first problem , there is no “–cap-add NET_ADMIN” so you can not add dynamic tun interface inside the docker or you can not add special iptable rules inside the docker , and second huge problem when I start second container and set dst nat rules on same range docker bridge and interface or even on second docker bridge and interface , traffic for the first running container becomes lost , i have checked everything and many times , I did all settings with blank config and test environments but the problem exist , please guide me if there are solutions for those two problems. regards

elbob2002 · December 10, 2022, 12:55pm

You need to add the variables for your container before you pull it down:

/container/envs/add key=cap-add name=MYCONTAINER value=NET_ADMIN
/container/envs/add key=device name=MYCONTAINER value=/dev/net/tun

Where MYCONTAINER is the name of your container.

Pl07R3K · December 10, 2022, 8:27pm

Indeed, advanced container network configuration (e.g. with VLAN support) is missing or not described in the documentation.
The docker engine provides a virtual network between host and containers and automatically configures it in containers, in ROS you have to do it manually (via veth with additional bridge and masquerade) it resembles the bridge network which is the primary/default in docker.
BTW I was able to add veth to VLANs on the bridge and subinterfaces to eth0 in the container with alpine linux and get addresses on them from DHCP. For this to work at all it was necessary to assign IP address and gateway in veth.

antonsb · December 12, 2022, 8:23am

You need to add the variables for your container before you pull it down:
/container/envs/add key=cap-add name=MYCONTAINER value=NET_ADMIN
/container/envs/add key=device name=MYCONTAINER value=/dev/net/tun
Where MYCONTAINER is the name of your container.

/dev/net/tun access was added in 7.5beta4 and is also included in 7.6. Your provided commands will do nothing.

MayestroPW · December 12, 2022, 1:58pm

It would be great to have option to nest docker in a docker, or at least have an option to mount /var/run/docker.sock

tangent · December 12, 2022, 4:35pm

I don’t believe RouterOS is running full-fat Docker Engine. By all the signs, it’s a barebones OCI runtime, closer to crun or systemd-nspawn.

There is no API socket to be had.