Containers wont start on RB3011 UiAS

brunolabozzetta · Thu Sep 19, 2024 1:06 am

I manage to get to work a container on a CHR with RouterOS 7.15.3, and replicating the same configuration on my RB3011UiAS does not work at all.

Containers wont start. And nothing shows up in the log. (When i hit start, container shows that its running for 1 second and returns to stopped).

Yes, i have logging active in the container config and in logging config.
I follow all tutorials and guides out there, and i cant find a way to make it work.
I try pulling images directly from docker registry, and also compiling the images in my linux computer.

I try upgrading to 7.16rc4 and same thing.

Anyone that has a similar problem that can help me out with this?

I buy this specific router because of the container feature, and it doesnt work...

Amm0 · Fri Sep 20, 2024 7:02 pm

Curious. If it gets to "stopped", then we know it got extracted and all the pre-req are there. Likely the cmd or entrypoint are wrong (i.e. it cannot find the path+process to start). It also could be the root-disk is going to flash or something with the disks.

What container are you trying to use? Maybe post your config or at least the "/container export" part?

brunolabozzetta · Thu Sep 26, 2024 3:09 am

Hi! Thanks for replying!

Reading your reply, got me thinking twice in the posibility of doing something wrong in the process,

So i re-do everything, and i still the same...

I create an httpd container with alpine using buildx for armv7, and imported in a tar file.

I try using a pendrive and a samsung external ssd drive, in both cases i still have the problem.

Here's my export:

[bruno@MikroTik] > container export        
# 2024-09-25 21:08:30 by RouterOS 7.16
# software id = U4AN-7YUP
#
# model = RB3011UiAS
# serial number = HF5096ZEDE6
/container
add comment=apache dns=1.1.1.1 hostname=apache interface=veth1 logging=yes root-dir=\
    usb2-part1/containers/apache start-on-boot=yes
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb2-part1/docker_temp
[bruno@MikroTik] >

It's driving me crazy cause it doesnt even log anything...

Many thanks for the help!

brunolabozzetta · Thu Sep 26, 2024 3:13 am

I forgot...

The entrypoint cant be the problem in this case cause the image itself has the entrypoint configured and..... the famous phrase... it works in my pc

brunolabozzetta · Thu Sep 26, 2024 4:42 am

I just do another test.

I install an alpine container that just pings 8.8.8.8.

And i install it on the internal memory.

Same result.

This is the dockerfile:

FROM alpine:latest

RUN apk add --no-cache iputils

CMD ["ping", "8.8.8.8"]

Amm0 · Thu Sep 26, 2024 5:50 am

I just do another test.
I install an alpine container that just pings 8.8.8.8.
And i install it on the internal memory.
Same result.

Does it still not stay started?

One note: it's absolutely critical the VETH is created before the container, once the image is first started those setting get persisted to the alpine image. I'm not sure RouterOS updates image if you later change gateway/etc., or at least with alpine.

I just tried this using alpine:latest in /container (without a custom build, the iputils package is not need for ping), and it works.

/interface veth add address=172.19.6.2/24 gateway=172.19.6.1 name=veth-alpine
/ip address add address=172.19.6.1/24 interface=veth-alpine network=172.19.6.0
/ip firewall nat add action=masquerade chain=srcnat out-interface=veth-alpine place-before=1 
:global alpine [/container add cmd="ping 8.8.8.8" interface=veth-alpine remote-image=alpine:latest logging=yes]
:delay 5s
/container start $alpine
:delay 5s
/log/print where message~"8.8.8.8"

9-25 19:44:14 system,info item added by tcp-msg(winbox):XXXX@192.168.XX.XX/terminal (*8 = /container add cmd="ping 8.8.8.8" interface=veth-alpine logging=yes remote-image=alpine:latest)
09-25 19:44:19 container,info,debug PING 8.8.8.8 (8.8.8.: 56 data bytes
09-25 19:44:19 container,info,debug 64 bytes from 8.8.8.8: seq=0 ttl=53 time=12.814 ms
09-25 19:44:20 container,info,debug 64 bytes from 8.8.8.8: seq=1 ttl=53 time=12.909 ms
09-25 19:44:21 container,info,debug 64 bytes from 8.8.8.8: seq=2 ttl=53 time=12.852 ms
09-25 19:44:22 container,info,debug 64 bytes from 8.8.8.8: seq=3 ttl=53 time=13.152 ms
09-25 19:44:23 container,info,debug 64 bytes from 8.8.8.8: seq=4 ttl=53 time=12.994 ms
09-25 19:44:24 container,info,debug 64 bytes from 8.8.8.8: seq=5 ttl=53 time=12.585 ms

To remove:
/interface veth remove [find name=veth-alpine]
/ip address remove [find interface=veth-alpine]
/ip firewall nat remove [find action=masquerade chain=srcnat out-interface=veth-alpine]
/container { stop [find cmd="ping 8.8.8.8"]; :delay 5s; remove [find cmd="ping 8.8.8.8"] }

Thu Sep 26, 2024 6:30 am

It's driving me crazy cause it doesnt even log anything...

Setting "logging=yes" isn't enough. You also have to enable the "container" topic:

/system/logging/set topics=container action=memory

brunolabozzetta · Thu Sep 26, 2024 3:55 pm

Does it still not stay started?

One note: it's absolutely critical the VETH is created before the container, once the image is first started those setting get persisted to the alpine image. I'm not sure RouterOS updates image if you later change gateway/etc., or at least with alpine.

Yes, it still doesn't start.
I created VETH before the container, may be that i need to delete the interface and create one specific for this container?

I'll try that.

brunolabozzetta · Thu Sep 26, 2024 4:06 pm

It's driving me crazy cause it doesnt even log anything...

Setting "logging=yes" isn't enough. You also have to enable the "container" topic:
Code: Select all
/system/logging/set topics=container action=memory

Here's my logging config:

brunolabozzetta · Thu Sep 26, 2024 4:18 pm

I try deleting the VETH interface that i'm always using to test this, and create another one with another ip address, and same results.

I even try adding this interface to the docker_bridge that i created, and nothing...

Amm0 · Thu Sep 26, 2024 4:47 pm

Yeah, I was betting on VETH... but if you re-create it before and don't change it, then that's not VETH.

So if you're using a custom build image, you want to make sure to "--sbom=false --provenance=false" to your build as the "attestations" have caused problems in past (and I'm not sure what RouterOS wants/check WRT to this - so disabling them has worked for me)

brunolabozzetta · Thu Sep 26, 2024 5:26 pm

i'll try that.

What router do you have?

PS: i'll post my export in here for a guy on reddit. ( or for anyone who wants to take a look at it )

# 2024-09-26 10:55:14 by RouterOS 7.16
# software id = U4AN-7YUP
#
# model = RB3011UiAS
# serial number = HF5096ZEDE6
/disk
set usb2 media-interface=none media-sharing=no
add media-interface=none media-sharing=no parent=usb2 partition-number=1 \
    partition-offset=512 partition-size="31 004 294 656" type=partition
/interface bridge
add admin-mac=78:9A:18:76:4A:A7 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
add comment=docker_bridge name=docker_bridge
add name=lo_soflex
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=sfp1 ] disabled=yes
/interface veth
add address=10.10.104.8/24 comment=testtt gateway=10.10.104.254 gateway6="" \
    name=veth111
/interface wireguard
add comment=server listen-port=51820 mtu=1420 name=wg0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dh-group=modp2048 dpd-interval=20s dpd-maximum-failures=3 enc-algorithm=\
    aes-128 hash-algorithm=sha256 name=soflex-huawei
/ip ipsec peer
add address=119.8.74.219/32 exchange-mode=ike2 name=soflex-huawei passive=yes \
    profile=soflex-huawei send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc,aes-128-ctr,aes-128-gcm \
    lifetime=1h name=soflex-huawei pfs-group=modp2048
/ip pool
add name=default-dhcp ranges=10.2.88.1-10.2.88.253
add name=OVPN_SERVER_POOL ranges=192.168.192.1-192.168.192.253
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=4h name=defconf
/port
set 0 name=serial0
/ppp profile
add bridge-learning=no comment=OVPN_SERVER local-address=192.168.192.254 \
    name=OVPN_SERVER only-one=yes remote-address=OVPN_SERVER_POOL \
    use-encryption=yes use-ipv6=no
/system logging action
add disk-file-count=1 disk-file-name=logs/firewall.log disk-lines-per-file=\
    15000 name=FirewallDisk target=disk
add disk-file-count=1 disk-file-name=logs/error.log disk-lines-per-file=8000 \
    name=ErrorDisk target=disk
add disk-file-count=1 disk-file-name=logs/critical.log disk-lines-per-file=\
    5000 name=CriticalDisk target=disk
add disk-file-count=1 disk-file-name=logs/warning.log disk-lines-per-file=\
    5000 name=WarningDisk target=disk
add disk-file-count=1 disk-file-name=logs/info.log disk-lines-per-file=15000 \
    name=InfoDisk target=disk
add disk-file-count=1 disk-file-name=logs/ovpn.log disk-lines-per-file=10000 \
    name=OvpnDisk target=disk
add disk-file-count=1 disk-file-name=logs/system.log disk-lines-per-file=9000 \
    name=SystemInfo target=disk
add disk-file-count=1 disk-file-name=logs/dns name=DnsDisk target=disk
add disk-file-count=1 disk-file-name=logs/container name=ContainerDisk \
    target=disk
add disk-file-count=1 disk-file-name=logs/dhcp name=DhcpDisk target=disk
add disk-file-count=1 disk-file-name=logs/Debug name=DebugDisk target=disk
/container
add comment=testttt interface=veth111 root-dir=testtt-container
/container config
set ram-high=500 registry-url=https://registry-1.docker.io tmpdir=\
    usb2-part1/docker_temp
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN1 list=WAN
/interface ovpn-server server
set auth=sha256,sha512 certificate=ovpn_server cipher=\
    aes128-cbc,aes192-cbc,aes256-cbc,aes128-gcm,aes192-gcm,aes256-gcm \
    default-profile=OVPN_SERVER enabled=yes port=1198 protocol=udp \
    require-client-certificate=yes
/interface wireguard peers
add allowed-address=10.10.103.2/32 client-address=10.10.103.2/32 client-dns=\
    8.8.8.8 client-endpoint=vpn.brunolab.com.ar client-keepalive=20s \
    client-listen-port=65031 interface=wg0 is-responder=yes name=\
    "Bruno Celular" private-key=\
    "UJXi6A27L7R521eYppi7l5sELMfXUAuuHNSo95vL00A=" public-key=\
    "I1/mhHTxF6iyilmkFTdC41rCWZ8fOjGBWx9HXRPTu1o="
/ip address
add address=10.2.88.254/24 interface=bridge network=10.2.88.0
add address=10.2.88.1 interface=lo_soflex network=10.2.88.1
add address=10.10.103.254/24 interface=wg0 network=10.10.103.0
add address=10.10.104.254/24 interface=docker_bridge network=10.10.104.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=2m
/ip dhcp-client
add comment=defconf interface=WAN1 use-peer-dns=no
/ip dhcp-server network
add address=10.2.88.0/24 comment=defconf dns-server=8.8.8.8,1.1.1.1 gateway=\
    10.2.88.254
/ip dns
set allow-remote-requests=yes cache-size=20480KiB servers=8.8.8.8,1.1.1.1
/ip dns adlist
add ssl-verify=no url=\
    https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=nb.brunolab.com.ar comment="Notebook Bruno" list=seguras

add address=209.13.0.0/16 comment=ARGENTINA list=ARGENTINA
add address=209.99.224.0/20 comment=ARGENTINA list=ARGENTINA
add address=216.244.192.0/18 comment=ARGENTINA list=ARGENTINA
add address=fortilabbo.duckdns.org comment="Juanjo Casa" list=Juanjo
add address=fortilabbo.fortiddns.com comment="Juanjo Casa" list=seguras
add address=192.168.196.18 comment="Tunel Huawei Soflex" list=seguras
add address=51.144.224.215 comment="Juanjo Azure" list=seguras
add address=119.8.74.219 comment=Soflex-Huawei list=seguras
add address=119.8.75.5 comment=Soflex-Huawei list=seguras
add address=119.8.74.219 comment="Soflex Huawei" list=ARGENTINA
add address=119.8.75.5 comment="Soflex Huawei" list=ARGENTINA
add address=181.13.190.62 comment=catamarca list=Juanjo
/ip firewall filter
add action=accept chain=input comment=established,related,untracked \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="ICMP Seguras" protocol=icmp \
    src-address-list=seguras
add action=accept chain=input comment="ICMP Rango VPN" protocol=icmp \
    src-address=192.168.192.0/24
add action=accept chain=input comment="ICMP Rango Wireguard" protocol=icmp \
    src-address=10.10.103.0/24
add action=accept chain=input comment="ICMP Soflex Huawei" protocol=icmp \
    src-address=192.168.201.0/24
add action=accept chain=input comment="Web Proxy" dst-port=65041 \
    in-interface-list=WAN protocol=tcp src-address-list=Juanjo
add action=accept chain=input comment="OpenVPN Server" dst-port=1198 \
    in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Country Block" connection-state=new \
    in-interface-list=WAN src-address-list=!ARGENTINA
add action=accept chain=input comment="Winbox - SSH - WAN" dst-port=\
    20001,422,421 in-interface-list=WAN protocol=tcp src-address-list=seguras
add action=accept chain=input comment="Winbox - SSH - LAN" dst-port=20001,422 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Winbox - SSH - OVPN" dst-port=\
    20001,422 protocol=tcp src-address=192.168.192.0/24
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=LAN \
    protocol=udp
add action=accept chain=input comment=NTP dst-port=123 in-interface-list=!WAN \
    protocol=udp
add action=accept chain=input comment="Broadcast - Multicast" \
    dst-address-type=broadcast,multicast in-interface-list=LAN
add action=accept chain=input comment="Wireguard VPN" dst-port=51820 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IPSec - IKE" dst-port=500,4500 \
    in-interface-list=WAN protocol=udp src-address=119.8.74.219
add action=accept chain=input comment="IPSec - ESP" in-interface-list=WAN \
    protocol=ipsec-esp src-address=119.8.74.219
add action=drop chain=input comment="Drop Port Scanners" src-address-list=\
    port_scanners
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=4w2d chain=input comment="Port Knocking Trap" \
    dst-port=3389,22,21,3306,5432,1194,1433,5060,8080,23,8291 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Not LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-mark=!ipsec connection-state=established,related hw-offload=\
    yes
add action=accept chain=forward comment="established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment=Invalid connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Drop Default" in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=forward comment=ipsec-mark ipsec-policy=\
    in,ipsec new-connection-mark=ipsec passthrough=no
add action=mark-connection chain=forward comment=ipsec-mark ipsec-policy=\
    out,ipsec new-connection-mark=ipsec passthrough=no
/ip firewall nat
add action=redirect chain=dstnat comment="DNS Redirect" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=masquerade chain=srcnat comment=masquerade-containers \
    ipsec-policy=out,none out-interface-list=WAN src-address=10.10.104.0/24
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
    out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set sip disabled=yes
/ip ipsec identity
add peer=soflex-huawei
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.201.0/24 peer=soflex-huawei proposal=soflex-huawei \
    src-address=10.2.88.0/24 tunnel=yes
/ip proxy
set enabled=yes
/ip service
set telnet disabled=yes
set ftp port=421
set www disabled=yes
set ssh port=422
set api disabled=yes
set winbox port=20001
set api-ssl disabled=yes
/lcd
set default-screen=informative-slideshow time-interval=daily
/ppp secret
add comment=Yo name=bruno profile=OVPN_SERVER service=ovpn
add comment=Juanjo name=juanjo profile=OVPN_SERVER service=ovpn
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system logging
set 0 action=InfoDisk disabled=yes
set 1 action=ErrorDisk
set 2 action=WarningDisk
set 3 action=CriticalDisk
add action=FirewallDisk topics=firewall
add action=OvpnDisk topics=ovpn,account,!packet,!debug
add action=SystemInfo topics=system,info
add action=OvpnDisk topics=ovpn,critical
add disabled=yes topics=ipsec
add action=DnsDisk topics=dns,error
add action=InfoDisk prefix=IPSec topics=ipsec,info,account,!packet,!debug
add action=ContainerDisk topics=container,debug
add action=DhcpDisk topics=dhcp,warning
add action=ContainerDisk topics=container,error
add action=ContainerDisk topics=container,info
add action=DebugDisk disabled=yes topics=debug
/system note
set show-at-login=no
/system ntp server
set broadcast=yes enabled=yes
/system scheduler
add comment="Loguea hacia telegram" interval=1m name=logtotg on-event=logtotg \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-09-13 start-time=17:22:54
add comment="Avisa cuando el equipo se reinicio" name=reboot on-event=reboot \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
add comment="Log hacia Telegram" dont-require-permissions=no name=logtotg \
    owner=bruno policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    global lastTime;\
    \n:global output;             \
    \n:global mtIdentity [/system identity get name];  \
    \n\
    \n:local name \"casa\"\
    \n:local chatId \"357485428\"\
    \n:local apiKey \"6177509867:AAFrk0uZV5zm8nLpnEQpk1I_Nh9gK8pjS_M\"\
    \n:local bot \"t.me/bruno_casa_bot\"\
    \n\
    \n:local LogGet [ :toarray [ /log find topics~\"system\" || message~\"logi\
    n failure\" || message~\"logged\" || message~\"connected\" ]];            \
    \_                                         \
    \n\
    \n:local LogtLineCount [ :len \$LogGet ];                                 \
    \_                           \
    \n\
    \nif (\$LogtLineCount > 0) do={                                           \
    \_                        \
    \n\
    \n    :local currentTime \"\$[ /log get [ :pick \$LogGet (\$LogtLineCount \
    -1) ] time ]\";\
    \n\
    \n    :if ([:len \$currentTime] = 10 ) do={                               \
    \_                            \
    \n        :set currentTime [ :pick \$currentTime 0 10 ];                  \
    \_                                \
    \n    }    \
    \n\
    \n    :local output \"\$currentTime - \$[/log get [ :pick \$LogGet (\$Logt\
    LineCount-1) ] message]\";  \
    \n\
    \n    :if (([:len \$lastTime] < 1) || (([:len \$lastTime] > 0) && (\$lastT\
    ime != \$currentTime))) do={       \
    \n        :set lastTime \$currentTime;                                    \
    \_                            \
    \n        :tool fetch url=(\"https://api.telegram.org/bot\$apiKey/sendMess\
    age\?chat_id=\$chatId&text=\$output\") keep-result=no   \
    \n    }\
    \n\
    \n}"
add comment="Avisa cuando se reinicio el equipo" dont-require-permissions=no \
    name=reboot owner=bruno policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local chatId \"357485428\"\
    \n:local apiKey \"6177509867:AAFrk0uZV5zm8nLpnEQpk1I_Nh9gK8pjS_M\"\
    \n:local bot \"t.me/bruno_casa_bot\"\
    \n\
    \n# * Cuando un proveedor vuelve a tener conexi\C3\B3n\
    \n\
    \n:do { \
    \n  :delay 10\
    \n  :log warning message=\"Equipo reiniciado.\"\
    \n  :local message \"Equipo reiniciado.\"\
    \n  :local request \"https://api.telegram.org/bot\$apiKey/sendMessage\?cha\
    t_id=\$chatId&text=\$message\"\
    \n  /tool fetch url=\"\$request\" output=none\
    \n  :delay 1\
    \n} on-error={\
    \n    /log error \"No se pudo ejecutar la API Request a Telegram: \$messag\
    e\";\
    \n}\
    \n/log info \"Api Request a Telegram ejecutada con \C3\A9xito.\";\
    \n\
    \n    "
/system watchdog
set watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

brunolabozzetta · Thu Sep 26, 2024 5:46 pm

i just use this command to build the image and got the same results...

docker buildx build --no-cache --platform linux/arm/v7 --sbom=false --provenance=false --output=type=docker -t pingtest .

Amm0 · Thu Sep 26, 2024 6:28 pm

If you use my example above (viewtopic.php?t=211025#p1099369), without any custom build, does that work?

It be good to determine if it's your image that's the issue, or if something is actually broken in /container.

FWIW, I use GitHub to build containers for RouterOS since that seems to produce images that always work - when I do thing "by hand" at CLI, it gets complex to build to images. I do have complex example of building my netinstall container locally here: https://github.com/tikoci/netinstall/tr ... es/builder. In looking that it uses an "--output=type=oci,dst=" (and I recalling something about "--output=type=docker" not working).

brunolabozzetta · Thu Sep 26, 2024 7:41 pm

If you use my example above (viewtopic.php?t=211025#p1099369), without any custom build, does that work?

Hey man! Your example works! Don't know why.... first thought was the nat rule... but i dont see hits in that rule...

Things that are different: no root dir setted. no dns. no hostname. and you specified cmd command...

I'm gonna play with this and see what can be wrong...

Many thanks man!!

Amm0 · Thu Sep 26, 2024 7:58 pm

It's the "docker build" vs "docker buildx". I'm not sure Mikrotik's Pi-Hole building instructions are right for recent RouterOS.

Since GitHub will build Docker images for free for public projects... I just use their "GitHub Actions" to deal with the docker stuff. Works very well since I just modify the .github/workflows to build a new images & that's always worked. The netinstall container is pretty complex example for relatively small amount of code. If you look at the "cligames" container that may be better example using GitHub to build RouterOS containers (and then you can use "https://ghcr.io" as the registry and remote-image= to just pull the image from GitHub into /container.

So if you want to try that to build your Dockerfile using GitHub... you can "Fork" the tikoci/cligames project into your own GitHub account. In your forked copy, you then need to enable "Actions" in your repo's settings to allow enable it running the build script. And then if you "." in the browser from your forked version GitHub page... that will bring up VSCode for Web. In VSCode, you can cut-and-paste your own Dockerfile, edit the .github/workflows/build.yaml with your desired tag name & then use the Git tab to "commit" the changes. The build script should trigger, so if you go to "Actions" you'll see your build and all commands as run. I'm likely missing a step there, but it's pretty streamlined if you're not scared of git.

brunolabozzetta · Thu Sep 26, 2024 10:52 pm

i'll try that!

Thanks a lot!

Hope this thread helps more people too.

brunolabozzetta · Fri Sep 27, 2024 5:36 pm

I think i found out a huge bug.

Trying in a RB4011, given the extra storage that this router has, i try to download a debian container.

When i select a root-dir, it won't start, just like at the begining.

Dont know how, but in my 3011 also can't get to work a debian container, but the thing is, without selecting a root-dir, it works. And when selecting root-dir, it doesnt. As simply as that.

But this is a problem in routers with little internal storage space.

I'm reporting this as a bug asap.

Amm0 · Fri Sep 27, 2024 6:04 pm

Well, it annoying and wrong. But I suspect you just need to use "root-dir=usb1-part1/debian-root" — without a leading "/". The mounts don't care about a leading slash, but for some reason root-dir= in main container does.

This, I think, is a historic artifact, but CLI never like "/" in older versions - i.e. RouterOS paths do not internally have a leading "/". And you'll see that in <tab> complete in /file get<tab>. Still dumb.

brunolabozzetta · Fri Sep 27, 2024 6:44 pm

i'm gonna try from the terminal... maybe it's winbox? i'm using winbox new version...

What i do is... i select from the dropdown menu the path... and i dont see a slash at the begining of the path... but maybe winbox it's messing the path anyways...

i'll try from the terminal and let you know.

Amm0 · Fri Sep 27, 2024 7:02 pm

Hmm, if you don't have a preceding slash. Just make sure to pick a new name - I'm not sure what happens if you have had an image file already at the same name.

Also keep in mind despite the name "root-dir=", it's actually the name of the container, not a directory to use. So if you keep picking usb1-part1/debian & expect that to be a directory that holds MULTIPLE containers that's not how it works - you'd want to use root-dir=usb1-part1/debian/container1 to do something like that.

But now you're running out my suggestions...so maybe something is wrong. Just often these "rough edges" in /container bit you first. Good news, is once they get to "running", I've found them to stable but boy one thing wrong in /container setup, all the various things you've seen happen

.

brunolabozzetta · Fri Sep 27, 2024 7:03 pm

I try putting a slash behind the path, and on the end, and neither works.

In every case it recognise the directory as a container store, but it never works.

Now that i think about this.... it makes sense that it doesn't log anything because if this is a path problem, the container never really runs.

I now tested again the pingtest image that i build in my pc, and without using root-dir option it works!

It has to be a bug related to this option...

Already filled a bug report.

Hope they can solve this.

Thanks a lot for looking into this, again!

Amm0 · Fri Sep 27, 2024 7:08 pm

I really would try in the form "root-dir=usb1-part1/some-new-name" from CLI

And make sure you're using the "mount point" shown in "/disk print" (which may not be usb1-part1 in my example).

Amm0 · Fri Sep 27, 2024 7:12 pm

In simplier terms, root-dir= is the file name for the container image so it has to be unique. Despite having "-dir" in the name. No slash at start or end!

brunolabozzetta · Fri Sep 27, 2024 7:15 pm

Hmm, if you don't have a preceding slash. Just make sure to pick a new name - I'm not sure what happens if you have had an image file already at the same name.

Also keep in mind despite the name "root-dir=", it's actually the name of the container, not a directory to use. So if you keep picking usb1-part1/debian & expect that to be a directory that holds MULTIPLE containers that's not how it works - you'd want to use root-dir=usb1-part1/debian/container1 to do something like that.

i'm actually using something like this: "usb2-part1/containers/debian" / "usb2-part1/containers/adguard"

I just try this example and does't seem to work... i just use: "usb2-part1/debian/container1"

For some weird reason the alpine image works...

brunolabozzetta · Fri Sep 27, 2024 7:17 pm

And make sure you're using the "mount point" shown in "/disk print" (which may not be usb1-part1 in my example).

the mount point in my case is usb2-part1,

I really would try in the form "root-dir=usb1-part1/some-new-name" from CLI

I just try this and does't work...

Amm0 · Fri Sep 27, 2024 7:19 pm

I just try this example and does't seem to work... i just use: "usb2-part1/debian/container1"

For some weird reason the alpine image works...

What partitioning is used on the usb2-part1? If it's FAT you'd want to keep the names shorter. And if FAT, maybe use an ext4 partition.

brunolabozzetta · Fri Sep 27, 2024 7:20 pm

I just try this example and does't seem to work... i just use: "usb2-part1/debian/container1"

For some weird reason the alpine image works...
What partitioning is used on the usb2-part1? If it's FAT you'd want to keep the names shorter. And if FAT, maybe use an ext4 partition.

it's in ext4, yes

Amm0 · Fri Sep 27, 2024 7:23 pm

Okay, I have no idea now. Make sure to include the supout.rif in your support case, as that has logs/config for them.

felted67 · Sat Sep 28, 2024 7:59 pm

Hello everyone,

First of all, please check if the usb-drive is "ext4" and NOT using a "MBR" partition table (during formatting).
Sometimes ros is a little beasty with the handling of disks. When I was about to extend my disk (on CHR)
I got really mad on doing that (several reboots and a complete delete and new creatin was needed).

Also please check within "Files" in winbox, that the container "files-systems" are stated out as "container store".
Also "pull" is needed for downloading the images. There may be some problems wheh giving subdirectories to the
build process, when they are not created on the ros-filesystem. Opposite to normal linux, ros may not create them.
So create the directory-sturcture up to the needed in ros manually.

Perhaps a look in my "base project" for mikrotik-containers may help.
Please look here: https://github.com/felted67/mikrotik-alp_rc

As written before I am using sbom and provenance all the time in all my projects without any problems.

Don't be confused by the complexity of the project: Please look in the "Dockerfile" and in the ".gitlab-ci.yml".

In the ".gitlab-ci.yml" you may find several "script:"-lines:
The first is for building a first image "in the wild", only the second and third "script:" are interesting.
There you may find the complete build command which I am using.

I use "buildx" because I build for all architectures ros is running on right now, so I use this tool and not a "normal" build.

Btw.: I am building container-images for a lot of usecases (only several are public). So I had never problems
in the past year when building them.

If you have any questions or need more help, please post them here. You're welcome.

Regards,

Detlef

Containers wont start on RB3011 UiAS Topic is solved

Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS Topic is solved

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Re: Containers wont start on RB3011 UiAS

Who is online