 
PhotoshopPhilipp
just joined
Topic Author
Posts: 5
Joined: Wed Feb 10, 2021 10:32 am

v7.5 container mount files

Tue Sep 27, 2022 3:48 pm

Hey,

I'm testing the new container package and I'm wondering if it is possible to mount a file instead of a directory.
I've tried to mount a file, but the MikroTik is trying to mount it as a dir.

Has someone tested that?
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: v7.5 container mount files

Tue Sep 27, 2022 3:59 pm

No.
 
mkx
Forum Guru
Posts: 11438
Joined: Thu Mar 03, 2016 10:23 pm

Re: v7.5 container mount files

Tue Sep 27, 2022 4:21 pm

... I'm wondering if it is possible to mount a file ...

Linux requires loopback filesystem driver for that and it seems that ROS doesn't include it.
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: v7.5 container mount files

Tue Sep 27, 2022 6:48 pm

Linux requires loopback filesystem driver for that

I don't interpret the OP's question as asking about filesystems-on-files, which is what you need the loop driver for.

Instead, I believe he's asking about bind-mounting single files into place inside the container. This is useful when the container has a directory full of files and you want to replace or add just one, as with a configuration file. With directory-only bind mounts, you have to provide all of the other contents of that directory.

This shouldn't be hard to add atop the existing implementation, but MikroTik isn't likely to add it unless they believe it's a sufficiently common use case. It will help them decide if someone takes the time to write up a feature request, particularly if it includes a motivating example that shows why the current implementation doesn't suffice.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: v7.5 container mount files

Tue Sep 27, 2022 7:10 pm

There's a big fat warning on that documentation regarding this:
Bind mounts allow access to sensitive files

One side effect of using bind mounts, for better or for worse, is that you can change the host filesystem via processes running in a container, including creating, modifying, or deleting important system files or directories. This is a powerful ability which can have security implications, including impacting non-Docker processes on the host system.
So I don't see this happening.
As a workaround, I guess you can edit the container and keep that specific single file in another folder that you can mount, and have a symlink to that file in the original folder? Can this work?
If mounting the whole folder is not an option, that is.
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: v7.5 container mount files

Tue Sep 27, 2022 7:33 pm

There's a big fat warning

They're merely saying that if you map a file or directory on the host into the container, the safety guarantees of the container go out the window for that file or directory. If you want an example, they're saying if you bind-mount the host's /etc into the container, you've probably hosed yourself when it comes to security.

This caveat is just as true for bind-mounted directories, which the RouterOS container implementation calls "mounts". Thus the OP's language about "mounting files" instead.

Making this facility work for files won't increase the container's attack surface. If anything, it will narrow it.

I doubt RouterOS lets you mount anything outside specific directories (/flash, USB sticks, etc.) anyway, so the warning doesn't even apply.

As a workaround

A more containery solution if you're trying to add or replace a single file in a directory full of them is to copy the others out of the container into a host-side directory and then mount that directory back over the top with your addition/replacement included. Containers use Linux's union filesystem features to do directory mounting, so the duplications won't cause a conflict.
