d412s
just joined
Topic Author
Posts: 17
Joined: Fri May 08, 2020 1:32 pm
Location: Ukraine

Docker? Does anybody use it?

Tue Jan 31, 2023 2:38 am

I was really interested in how I could set up Pi-hole in a container on my RB5009. I watched videos, then followed https://help.mikrotik.com/docs/display/ROS/Container and added all my adlist rules with 786000 domains (I had used Pi-hole on my NAS for a few years).

What can I say:
-- very poor usability
-- bad performance: 50% of RAM used, and that is with only one Pi-hole container
-- macvlan?!
-- Portainer?
-- wanted to add Unbound (I use it as the DNS in my Pi-hole setup) - didn't figure out how to do that on MikroTik ...
-- YAML isn't supported
-- docker ps - bad command

When I use Pi-hole on a separate server I can easily switch DNS when my NAS is powered off; it keeps me from losing connectivity. It's simple: add a Netwatch script that pings my Pi-hole address and, if Pi-hole is unreachable, runs /ip dns set servers=8.8.8.8, and vice versa.
With this "MikroTik" solution, when you run Pi-hole inside RouterOS you cannot use the same script. Scenario: after some update the container will not start and you will be without internet, because you have DNS=172.17.0.2 (from the example in the docs). You cannot rely on pinging 172.17.0.2: it always answers pings even when the container is powered off, and from the RouterOS terminal a ping to 8.8.8.8 will always succeed even if none of your clients have internet. So this is a huge minus of this implementation of Docker inside RouterOS.

If I'm not mistaken the RB5009 is the flagship, and it can handle only one simple container, and even that takes 50% of RAM... what happens if I decide to use one or two more containers?!
When you added WireGuard I was happy; when you added containers I asked "why" - why does someone need this on a router? I still have no idea.

Also, I don't understand one more thing: if you decided to add support for a virtualization standard to RouterOS, why can't you provide the approved, standard tooling (YAML, stacks, macvlan, logs, comfortable work with the file system and the container data itself)? Why does each update to RouterOS look like a broken bicycle? Only the YouTube video from the MikroTik channel is really helpful; without those videos it is really complicated to understand what you guys decided to turn inside out and which "MikroTik" features you added, and even if you know the technology you cannot work with it because of the weird MikroTik logic, syntax and so on.
I think in a MikroTik brainstorming session someone said "let's add containers to RouterOS, I know how to do that, just a few weeks and deploy to production", and some boss stopped this guy with the words: "Hold on, if we add it the way people are used to working with it, it will be easy; let's add complicated syntax, 10 places where the user has to set everything up, 20 terminal commands and a short instruction, and then we will "improve" it for years".

After such an experiment with your top-level router I just want to buy a simple hAP ac2 or something similar and forget about these beautiful numbers everyone shows - the Ethernet test results (from the item description) - because they show nothing related to real performance. It's a router, guys; don't try to transform it into a computer, nobody will learn your syntax to execute a simple script.

So, does anyone use containers? How do you use them? What is your experience? How many free resources do you have on the router when you use containers?
 
w0lt
Long time Member
Posts: 537
Joined: Wed Apr 02, 2008 2:12 pm
Location: Minnesota USA

Re: Docker? Does anybody use it?

Tue Jan 31, 2023 3:27 am

Don't use it. Don't need it. Who cares..
That being said, I wish MikroTik would spend development effort on refining their core ROS instead of adding features that very few people would use more than once.
I could be wrong.. Thoughts ?? 😎

-tp
 
Moba
Member Candidate
Posts: 206
Joined: Sun Sep 27, 2020 6:15 pm

Re: Docker? Does anybody use it?

Tue Jan 31, 2023 3:31 am

Where did MikroTik promote the idea of using their routers for Docker or Pi-hole? The 5009 has a very good SoC for routing (in the home router world), but in the computing world it's a very limited, low-power ARM-based SoC. Hence any similar SoC in a router or NAS will have lots of limitations. An Intel-based mini computer/appliance will do what you want and more... it will cost more than the 5009 in most cases.

BTW, most companies sell routers with slower ARM processors for even more money... and most of them can't route while doing anything else above 1 GB.

Use something else to run Pi-hole and Docker - lots of options. Keep the 5009 for what it was designed for...
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Docker? Does anybody use it?

Tue Jan 31, 2023 7:44 am

Pi-hole works just fine here on my RB5009.
Sure, it consumes quite some RAM, but performance is fine in my HOME scenario.

Don't know if the container could be optimized to use even less. If you go into the Pi-hole GUI and check the utilization there:

Total CPU utilization: 0.2%
Memory utilization: 1.9%
Used memory: 19.04 MB

So I also don't know why it consumes several hundred MB of RAM.
I have about 2,100,000 domains on the adlist.
 
normis
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Docker? Does anybody use it?

Tue Jan 31, 2023 8:00 am

Very strange complaints :D :D Sorry.
It is a command line tool; what usability did you expect? And it is running a whole other operating system, of course it is resource hungry. This is completely expected. It only uses as many resources as Pi-hole needs, not more.

Mind you, this is not Docker. It is a container app unrelated to Docker, which is a trademark.
 
sirbryan
Member Candidate
Posts: 298
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: Docker? Does anybody use it?

Tue Jan 31, 2023 9:15 am

Once you figure out the ins and outs of containers as implemented by MikroTik, it's not too bad.

If you want to manipulate things with Docker, you can first load it onto your machine, pull the container you want and customize it as you wish, use docker buildx to build for ARM/ARM64, then docker save to export it. SCP it over to the router and load it from the local tar file, then you're set.

I have three containers running on my 2116 (Pi-hole, a simple SMB server, and elico's Open Speedtest container), all of which also work on my 5009s in the lab. I recommend a separate USB3 drive for the 5009.

There are a couple of container threads you can search for with detailed instructions on loading up these and other containers.
 
nepotu
just joined
Posts: 2
Joined: Mon Jan 23, 2023 9:04 am

Re: Docker? Does anybody use it?

Tue Jan 31, 2023 11:00 am

When I use Pi-hole on a separate server I can easily switch DNS when my NAS is powered off; it keeps me from losing connectivity. It's simple: add a Netwatch script that pings my Pi-hole address and, if Pi-hole is unreachable, runs /ip dns set servers=8.8.8.8, and vice versa.
With this "MikroTik" solution, when you run Pi-hole inside RouterOS you cannot use the same script. Scenario: after some update the container will not start and you will be without internet, because you have DNS=172.17.0.2 (from the example in the docs). You cannot rely on pinging 172.17.0.2: it always answers pings even when the container is powered off, and from the RouterOS terminal a ping to 8.8.8.8 will always succeed even if none of your clients have internet. So this is a huge minus of this implementation of Docker inside RouterOS.
I use Pi-hole on an AX3 and I can trigger a DNS change from Netwatch with the script below:
/tool netwatch
add comment="Use PiHole DNS if available" disabled=no down-script="/ip dns set servers=\"9.9.9.9,1.1.1.1\""\
    host=172.17.0.2 interval=1m port=80 type=http-get up-script=\
    "/ip dns set servers=\"172.17.0.2\""
Don't rely on ping as you will always get a reply from the virtual interface, even if the container is not up.
Last edited by nepotu on Tue Jan 31, 2023 11:02 am, edited 1 time in total.
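A scheduler-based variant of the same failover, added here as an example (it is not code from nepotu's post, from the thread, or from MikroTik's docs). Rather than probing the web UI with an HTTP GET, it asks the container for a real DNS answer, so a container that is stopped, or whose resolver is wedged while the web UI still answers, both count as down. Assumed: the 172.17.0.2 veth address from the MikroTik docs, 9.9.9.9 and 1.1.1.1 as fallback forwarders, dns.quad9.net as the probe name, LAN clients resolving through the router (allow-remote-requests=yes), RouterOS v7 scripting syntax; the script and variable names are this example's own.

```routeros
# Added example: Pi-hole container health check, run from /system scheduler every minute.
# Assumed values: veth address 172.17.0.2 (MikroTik container docs), fallback forwarders
# 9.9.9.9,1.1.1.1, probe name dns.quad9.net, clients resolving through the router.
# RouterOS v7 syntax; the script name pihole-watchdog and the global are this example's own.
:local pihole "172.17.0.2"
:local fallback "9.9.9.9,1.1.1.1"
:local probe "dns.quad9.net"
:local healthy false

# The veth answers ICMP whether or not the container is running, so a ping says nothing
# about Pi-hole. Ask the container for a real DNS answer and treat any error as "down".
:do {
    :local answer [:resolve $probe server=$pihole]
    :if ([:typeof $answer] = "ip") do={ :set healthy true }
} on-error={ :set healthy false }

# Remember the last state in a global so the forwarders (and the DNS cache) are only
# rewritten on a change, not every minute while things are stable.
:global piholeState
:if ([:typeof $piholeState] = "nothing") do={ :set piholeState "unknown" }

:if ($healthy) do={
    :if ($piholeState != "up") do={
        /ip dns set servers=$pihole
        /ip dns cache flush
        :set piholeState "up"
        :log info "Pi-hole container answered DNS, forwarders set to $pihole"
    }
} else={
    :if ($piholeState != "down") do={
        /ip dns set servers=$fallback
        /ip dns cache flush
        :set piholeState "down"
        :log warning "Pi-hole container did not answer DNS, forwarders set to $fallback"
    }
}
```

Save it under /system script as pihole-watchdog and schedule it with /system scheduler add name=pihole-watchdog interval=1m on-event=pihole-watchdog. The switch is transparent to clients only because they point at the router's address, not at 172.17.0.2; if DHCP hands out the container address directly, no script on the router can help them.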
 
fritzme
Frequent Visitor
Posts: 52
Joined: Thu Oct 31, 2019 6:10 pm

Re: Docker? Does anybody use it?

Tue Jan 31, 2023 12:41 pm

Some people drive a Buick and complain it is not as fast as a Lambo :D :D

Docker complainers must first understand their equipment/resources/limits...
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Docker? Does anybody use it?

Tue Jan 31, 2023 3:40 pm

Yes, so that's why MT should provide a zero trust Cloudflare tunnel as an optional package and not stick it in a limited, complex CONTAINER with additional security concerns, and oh yes, make it available to all MT devices.
 
normis
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Docker? Does anybody use it?

Tue Jan 31, 2023 4:01 pm

I run the Cloudflare container on my hAP ax2 which is one of the lowest spec devices that can run containers, and well ...
[attachment: Screenshot 2023-01-31 at 16.01.08.png]
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Docker? Does anybody use it?

Tue Jan 31, 2023 5:57 pm

It could be better.
[attachment: 2023-01-31_19-19-33.jpg]
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Docker? Does anybody use it?

Tue Jan 31, 2023 6:07 pm

............
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Docker? Does anybody use it?

Tue Jan 31, 2023 6:08 pm

That was a post of Cloudflare running on a non-ARM MT device.
Cloudflare seems pretty simple to set up; Docker/containers not so much.
Perhaps an ax3 experiment, but limited time these days.
 
qatar2022
Member Candidate
Posts: 141
Joined: Mon Aug 24, 2020 11:12 am

Re: Docker? Does anybody use it?

Fri Feb 03, 2023 10:03 am

[quotes d412s's opening post in full]
Well, I have my RB5009 and I tried to use Pi-hole and I was suffering with it: 85% of NAND goes to Pi-hole and in the end it's not stable at all, so I used a Raspberry Pi with Pi-hole and it worked great.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Docker? Does anybody use it?

Fri Feb 03, 2023 6:43 pm

I don't use Pi-hole specifically, but I can see how it could be useful to some. But I actually think it is a poor example for the container feature, since it is a pretty big container and complex, because it has to interact with RouterOS features/firewall/etc. - unlike when it is installed directly on an RPi.

To me, each container should do one thing to work well. If you need multiple containers to do something, that's kind of the idea. When you start using containers more as a full "virtual machine" with an entire Linux distro, you're asking for trouble. Pi-hole starts with Ubuntu, so you're essentially running Ubuntu and RouterOS at the same time with Pi-hole. On top of that, content inspection is an expensive CPU task, for which even the RB5009 has limited capacity.

If you contrast this with the cloudflare container, that does one thing: create a VPN tunnel using Cloudflare's Argo protocol. And the container is just the executable and very limited libraries. Or, to this point on using multiple containers...

Unbound (I use it as the DNS in my Pi-hole setup) - didn't figure out how to do that on MikroTik ...

For this, you can spin up another container with just Unbound DNS and then refer to its container IP in the Pi-hole configuration. See https://hub.docker.com/r/klutchell/unbound - Unbound should be pretty efficient too, since, like Cloudflare's, it's just the unbound binary.

Or you can even use the Cloudflare container; just use "proxy-dns" instead of "tunnel XXXXX" as the cmd. This will run a standard DNS resolver on the container's IP that forwards to Cloudflare using DoH, which might be another alternative to MikroTik DNS or to running a full recursive resolver like Unbound.
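The two-container layout Amm0 describes, written out as an added example (it is not from the thread, from MikroTik's docs, or from the Pi-hole or klutchell/unbound projects). It also covers the router-side half of sirbryan's procedure: a tarball produced with docker buildx and docker save is loaded with file= instead of remote-image=. Assumed: the 172.17.0.0/24 container subnet and the veth/bridge names, a USB disk mounted as usb1-part1, a LAN subnet of 192.168.88.0/24, the Pi-hole v5 image's environment variable names (WEBPASSWORD, PIHOLE_DNS_), and RouterOS v7 syntax.

```routeros
# Added example: Pi-hole plus Unbound as two containers on one bridge. Not from the
# thread or from MikroTik's docs; subnet, names, LAN range and the USB path are assumed.
# WEBPASSWORD and PIHOLE_DNS_ are the Pi-hole v5 image's variables. RouterOS v7 syntax.

# One bridge for containers, one veth per container; the router holds the gateway address.
/interface/bridge add name=containers
/ip/address add address=172.17.0.1/24 interface=containers
/interface/veth add name=veth-pihole address=172.17.0.2/24 gateway=172.17.0.1
/interface/veth add name=veth-unbound address=172.17.0.3/24 gateway=172.17.0.1
/interface/bridge/port add bridge=containers interface=veth-pihole
/interface/bridge/port add bridge=containers interface=veth-unbound

# Containers need NAT to reach the Internet (Unbound recurses from the root servers).
/ip/firewall/nat add chain=srcnat action=masquerade src-address=172.17.0.0/24 comment="containers out"
# A container has a leg on the router's bridge; don't let it open connections into the LAN.
# Put this after the established/related accept rule in the forward chain.
/ip/firewall/filter add chain=forward action=drop connection-state=new src-address=172.17.0.0/24 dst-address=192.168.88.0/24 comment="containers may not initiate into LAN"

# Pull location; tmpdir and root-dir live on the USB disk, not on NAND.
/container/config set registry-url=https://registry-1.docker.io tmpdir=usb1-part1/pull

# Pi-hole's upstream is the Unbound container, referenced by its veth address.
# WEBPASSWORD ends up in plain text in /export, so treat export output as secret.
/container/envs add name=pihole_envs key=TZ value=Europe/Kyiv
/container/envs add name=pihole_envs key=WEBPASSWORD value=change-me
/container/envs add name=pihole_envs key=PIHOLE_DNS_ value=172.17.0.3
/container/mounts add name=pihole_etc src=usb1-part1/pihole-data/etc dst=/etc/pihole
/container/mounts add name=pihole_dnsmasq src=usb1-part1/pihole-data/dnsmasq.d dst=/etc/dnsmasq.d

/container add remote-image=klutchell/unbound:latest interface=veth-unbound \
    root-dir=usb1-part1/unbound logging=yes start-on-boot=yes
/container add remote-image=pihole/pihole:latest interface=veth-pihole \
    root-dir=usb1-part1/pihole envlist=pihole_envs mounts=pihole_etc,pihole_dnsmasq \
    logging=yes start-on-boot=yes
# For an image built locally (docker buildx --platform linux/arm64 ..., docker save -o pihole.tar ...)
# and copied to the router, use file=pihole.tar in place of remote-image=... above.

/container start [find interface=veth-unbound]
/container start [find interface=veth-pihole]

# The router forwards to Pi-hole; LAN clients keep using the router's address as resolver.
/ip/dns set servers=172.17.0.2 allow-remote-requests=yes
```

Start Unbound first so Pi-hole's first upstream query has somewhere to go, and check both with /container print and /log print. The forward drop rule is the minimum that keeps a compromised container from reaching LAN hosts; it does nothing for the router's own input chain, which still needs its usual rules for traffic arriving from the containers bridge.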
 
tangent
Forum Guru
Posts: 1329
Joined: Thu Jul 01, 2021 3:15 pm

Re: Docker? Does anybody use it?

Tue Feb 07, 2023 10:26 pm

it is running a whole other operating system

Containers share the kernel of the host, so it isn't a whole-other anything. Containers don't run without the host's kernel to handle the syscalls of the binaries inside. This is why Docker for macOS and Windows have to maintain a hidden Linux VM in the background to run containers.

Atop that, there's nothing requiring you to build pudgy containers other than a wish to run pudgy apps. It's perfectly possible to build a container with a single statically-linked binary inside, without this "whole other operating system" file set at all. The tricky bit is finding the single statically-linked binary that does everything you want it to do.

Containers are not VMs.

It is a container app unrelated to Docker, which is a trademark.

MikroTik has caused some of the confusion here by misusing the brand "Docker" in its container docs. Never mind the trademark; I doubt Docker, Inc will sue MikroTik over this. The real problem is that the word "Docker" brings along a whole pile of assumptions about what the system can be reasonably expected to do and the scope of what is allowed.

A better term would be "OCI container." The only place your docs should use the word "docker" is when using the Docker tooling to build OCI containers.

It might help if the person writing the docs would try using Podman instead, simply because it would break them free of the mental shackle that container = Docker.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Docker? Does anybody use it?

Tue Feb 07, 2023 10:52 pm

Nice link..........
Found your WireGuard site and found the explanation lacking or not clear............
/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.77.0/24 to-addresses=192.168.88.1


This: ---> The srcnat rule at the end is the novel bit. Without it, the clients can connect to internal LAN hosts, but they can't get back out to the Internet. That may in fact be fine for some use cases, but one of my uses for a VPN is to encrypt my Internet traffic over potentially hostile LANs. (Coffee shop and hotel type cases.) The consequence is that double-NAT may be a problem, so it's better to terminate WireGuard on the Internet border gateway router if you can, letting you drop that rule.

Doesn't make sense to me. If you are arriving at the MT, firewall rules (input chain to configure the router, forward chain to reach the local MT subnets) dictate traffic flow to the router and to the internal LAN hosts. There is no problem reaching them, assuming you have WG-to-LAN-subnet allow rules. As for getting out to the internet, that's not an issue: the WG request will exit the WG tunnel and the MT server device, be routed out the MT WAN port, hit the external router and then go out to the internet.
The reason one should ensure they source-NAT the WireGuard traffic coming in is so that the external router sees one of its own LAN IPs as the source (the MT router's WAN IP = external router LAN IP) and thus the external router sends return traffic to the MT, which then un-source-NATs it to the WireGuard remote user, and then via routing and firewall rules the return traffic re-enters the tunnel.

In essence your source NAT rule is 100% correct; the explanation was lacking IMHO.
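The surrounding rules that anav's explanation implies, as an added example (it is not from tangent's site or from anav's post). The addresses come from the quoted rule: WireGuard clients on 192.168.77.0/24 and 192.168.88.1 as the MikroTik's own address on the upstream router's LAN. The interface name, listen port, internal LAN subnet and the WAN/LAN interface lists are assumed (the lists match RouterOS default configuration).

```routeros
# Added example: WireGuard terminated on a MikroTik that sits behind another router.
# Assumed: wg0 on UDP 13231, clients in 192.168.77.0/24 (from the quoted rule),
# 192.168.88.1 = this router's address on the upstream router's LAN (from the quoted rule),
# internal LAN 192.168.10.0/24, interface lists WAN and LAN as in the default config.
/interface/wireguard add name=wg0 listen-port=13231
/ip/address add address=192.168.77.1/24 interface=wg0
# Treat the tunnel as LAN so the default LAN-scoped rules (DNS, Winbox, etc.) apply to clients.
/interface/list/member add list=LAN interface=wg0

# input: accept the handshake from the WAN side; clients may manage the router through the tunnel.
/ip/firewall/filter add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN comment="wg handshake"
/ip/firewall/filter add chain=input action=accept in-interface=wg0 src-address=192.168.77.0/24 comment="wg clients to router"
# forward: tunnel -> internal LAN hosts, and tunnel -> Internet via the upstream router.
/ip/firewall/filter add chain=forward action=accept in-interface=wg0 src-address=192.168.77.0/24 dst-address=192.168.10.0/24 comment="wg clients to LAN"
/ip/firewall/filter add chain=forward action=accept in-interface=wg0 src-address=192.168.77.0/24 out-interface-list=WAN comment="wg clients to Internet"

# This is the rule anav explains: the upstream router only knows 192.168.88.0/24, so packets
# from 192.168.77.x must leave looking like this router's own address or the replies never
# come back here. Connection tracking reverses the translation for the return traffic.
/ip/firewall/nat add chain=srcnat action=src-nat src-address=192.168.77.0/24 out-interface-list=WAN to-addresses=192.168.88.1
```

If the default masquerade rule for out-interface-list=WAN is still present it already covers the tunnel subnet and the explicit src-nat is redundant; it is spelled out here because it is the step the quoted explanation leaves implicit. Reaching the LAN hosts needs no NAT at all, since they route 192.168.77.0/24 back through this router as their gateway.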
