I’m a complete noob.

My goal is to set up a static local website without public access. Working with a HAP AX3 and a USB stick for storage. Pi Hole is running via a container. It is configured with a veth1 and bridge named ‘containers.’

I am having trouble setting up a working Nginx container. I created an Nginx container with interface=veth1 but it stopped immediately after starting. Trying to follow this Mikrotik video, but some steps were done before hand. https://www.youtube.com/watch?v=pmyVQS93HMM

Do I need a separate veth for the Nginx container? How do I configure it to work with the bridge named ‘containers'?

Without having tried it, I’m willing to guess that they’re both trying to bind to the same port, likely 8080. You can’t have two programs (pihole and nginx in this case) binding to the same TCP port on the same IP address.

If I’m right, giving one of the two a different port will require rebuilding it. While that should be as simple as deriving another container from it with just two directives…


…then arranging for nginx to listen on that port 7070 internally instead and rebuilding it, the simpler path is to give the other container another veth, thus another IP address, solving the problem while leaving the images untouched.

I think you need to change the NGINX config file to do this. I don't the EXPOSE has any effect.

i.e. The DockerHub version of NGINX has a script that parses env variables to "passthrough", see https://hub.docker.com/_/nginx under "Using environment variables in nginx configuration (new in 1.19)"

In a full-featured container engine, you have to do both, but now that you mention it, yeah, container.npk ignores the EXPOSE directive, doesn’t it?

The nginx website and Pi Hole containers are now working simultaneously. I don't fully understand what I did. These three videos were helpful. Looking at Network Berg’s settings were helpful since he had multiple containers configured.

What I learned:
--Need a veth for each container.
--Had to set up a firewall rule (dsnat) just like for Pi Hole except used port 80 for source and destination.
--Mount configuration. This took me awhile to figure out. In the Mikrotik web server video, the website files were hosted on the router itself. Mine are on a USB drive. So I had to change the mount destination from what was in the video to usb1/nginx/usr/share/nginx/html. The video had only /usr/share/nginx/html.


Mikrotik: Docker containers on Mikrotik? Part 2: PiHole
https://www.youtube.com/watch?v=UMcJs4oyHDk

Mikrotik: Host a webserver on your router using CONTAINERS!
https://www.youtube.com/watch?v=pmyVQS93HMM

The Network Berg: Take Control of Your Network: Install Uptime-Kuma on MikroTik
https://youtu.be/vzT00PlP1G8?si=9eKrW6HcqlkegLXq

Yeah the mounts can be tricky. Especially since RouterOS only allows mapping directories, not files.

In a full-featured container engine, you have to do both, but now that you mention it, yeah, container.npk ignores the EXPOSE directive, doesn’t it?

Nope, EXPOSE does nothing. Now ideally it be good it read an EXPOSE, created a dst-nat for VETH to make the configuration easier.

I've updated my Container Limitations article to cover these latter details.

I chose not to address the topic's primary question since you can cause this same port number conflict under Docker and Podman, too, most easily by giving the --host flag. I can't justify calling this a "limitation" of container.npk; it's more a difference, which isn't what that article is about.

I've updated my Container Limitations article to cover these latter details.

I chose not to address the topic's primary question since you can cause this same port number conflict under Docker and Podman, too, most easily by giving the --host flag. I can't justify calling this a "limitation" of container.npk; it's more a difference, which isn't what that article is about.

FWIW, in your wiki on /container... First, great work there. Only one technical quibble, there is a "REST API" since RouterOS APIs can create/manage /container albeit complex since there is no "wait". Also, for completeness, MT has mentioned "serial passthrough" in some forum postings, similar to USB passthrough.

there is a "REST API"

Better?

MT has mentioned "serial passthrough" in some forum postings, similar to USB passthrough.

Is that something that exists, or is merely acknowledged as having made it from our wishlist to theirs? That is, are you asking for serial control to be added to the list of hardware pass-through limitations, or that I missed that they did USB, and it needs to come off the list?

there is a "REST API"

Better?

Sure, your commentary here is 100% spot on:

If you find yourself needing a control plane for your routers’ containers, you will likely need to write it yourself.

And it is kinda pedantic, but complex/hard is different than impossible .

MT has mentioned "serial passthrough" in some forum postings, similar to USB passthrough.

Is that something that exists, or is merely acknowledged as having made it from our wishlist to theirs? That is, are you asking for serial control to be added to the list of hardware pass-through limitations, or that I missed that they did USB, and it needs to come off the list?

Serial is same category as USB, IMO. And MT ack'ed serial recently as "TODO". See
viewtopic.php?p=1109498&hilit=serial#p1109498