Aiming to get minimal 22.03.5 bin - pls advise on my diffconfig (what else can be =n)

Hi) I'm trying to get as minimal 22.03.5 bin as possible for my unusual setup on ath79 arch.
The host device is Mikrotik mAP2nd, however, the image will not be burned to the device itself, but onto a "container" (MetaRouter) that is running inside ROS.

The reason for that is kinda simple - I do need Zerotier and Mosquitto on my mAP2nd, but Mikrotik doesn't support Zerotier on MIPS arch. So I've decided to try OpenWRT.

Thus, the resulting image will not handle "anything" beside Zerotier and Mosquitto connections coming from my LAN and going out to another interface. So, no wifi, no firewalls, etc.

Ideally, I would achieve smth around 3MB )))

Can anyone who is working on "minimal", please advise what else in my diffconfig can be turned off?

CONFIG_TARGET_ath79=y
CONFIG_TARGET_ath79_mikrotik=y
CONFIG_TARGET_ath79_mikrotik_DEVICE_mikrotik_routerboard-mapl-2nd=y
CONFIG_DEFAULT_TARGET_OPTIMIZATION="-Os -pipe -mno-branch-likely -march=24kc"
CONFIG_TARGET_OPTIMIZATION="-Os -pipe -mno-branch-likely -march=24kc"
CONFIG_BUSYBOX_DEFAULT_FEATURE_IPV6=n
CONFIG_CLEAN_IPKG=y
CONFIG_DOWNLOAD_CHECK_CERTIFICATE=n
CONFIG_SIGNATURE_CHECK=n
CONFIG_SIGNED_PACKAGES=n
CONFIG_STRIP_KERNEL_EXPORTS=y
CONFIG_USE_MKLIBS=y
CONFIG_uhttpd_ucode=n
CONFIG_DEFAULT_firewall4=n
CONFIG_DRIVER_11N_SUPPORT=n
CONFIG_FEED_luci=n
CONFIG_FEED_packages=n
CONFIG_FEED_routing=n
CONFIG_FEED_telephony=n
CONFIG_IPV6=n
CONFIG_KERNEL_CC_OPTIMIZE_FOR_PERFORMANCE=n
CONFIG_KERNEL_CC_OPTIMIZE_FOR_SIZE=y
CONFIG_KERNEL_DEBUG_FS=n
CONFIG_KERNEL_DEBUG_INFO=n
CONFIG_KERNEL_DEBUG_KERNEL=n
CONFIG_KERNEL_ELF_CORE=n
CONFIG_KERNEL_IPV6=n
CONFIG_KERNEL_KALLSYMS=n
CONFIG_KERNEL_MAGIC_SYSRQ=n
CONFIG_KERNEL_MEMCG_KMEM=n
CONFIG_KERNEL_PRINTK=n
CONFIG_KERNEL_PRINTK_TIME=n
CONFIG_KERNEL_PROC_STRIPPED=y
CONFIG_KERNEL_SWAP=n
CONFIG_MOSQUITTO_CTRL=y
CONFIG_MOSQUITTO_DYNAMIC_SECURITY=y
CONFIG_MOSQUITTO_LWS=y
CONFIG_MOSQUITTO_PASSWD=y
CONFIG_OPENSSL_ENGINE=y
CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM=y
CONFIG_OPENSSL_WITH_ASM=y
CONFIG_OPENSSL_WITH_CHACHA_POLY1305=y
CONFIG_OPENSSL_WITH_CMS=y
CONFIG_OPENSSL_WITH_DEPRECATED=y
CONFIG_OPENSSL_WITH_ERROR_MESSAGES=y
CONFIG_OPENSSL_WITH_PSK=y
CONFIG_OPENSSL_WITH_SRP=y
CONFIG_OPENSSL_WITH_TLS13=y
CONFIG_PACKAGE_cJSON=y
CONFIG_PACKAGE_dnsmasq=n
CONFIG_PACKAGE_dropbear=n
CONFIG_PACKAGE_ip-tiny=y
CONFIG_PACKAGE_iw=n
CONFIG_PACKAGE_iwinfo=n
CONFIG_PACKAGE_jansson=n
CONFIG_PACKAGE_kmod-ath=n
CONFIG_PACKAGE_kmod-ath9k=n
CONFIG_PACKAGE_kmod-cfg80211=n
CONFIG_PACKAGE_kmod-crypto-aead=n
CONFIG_PACKAGE_kmod-crypto-ccm=n
CONFIG_PACKAGE_kmod-crypto-cmac=n
CONFIG_PACKAGE_kmod-crypto-crc32c=n
CONFIG_PACKAGE_kmod-crypto-ctr=n
CONFIG_PACKAGE_kmod-crypto-gcm=n
CONFIG_PACKAGE_kmod-crypto-gf128=n
CONFIG_PACKAGE_kmod-crypto-ghash=n
CONFIG_PACKAGE_kmod-crypto-hash=n
CONFIG_PACKAGE_kmod-crypto-hmac=n
CONFIG_PACKAGE_kmod-crypto-manager=n
CONFIG_PACKAGE_kmod-crypto-null=n
CONFIG_PACKAGE_kmod-crypto-rng=n
CONFIG_PACKAGE_kmod-crypto-seqiv=n
CONFIG_PACKAGE_kmod-crypto-sha256=n
CONFIG_PACKAGE_kmod-lib-crc-ccitt=n
CONFIG_PACKAGE_kmod-lib-crc32c=n
CONFIG_PACKAGE_kmod-mac80211=n
CONFIG_PACKAGE_kmod-nf-conntrack=n
CONFIG_PACKAGE_kmod-nf-flow=n
CONFIG_PACKAGE_kmod-nf-log=n
CONFIG_PACKAGE_kmod-nf-nat=n
CONFIG_PACKAGE_kmod-nf-reject=n
CONFIG_PACKAGE_kmod-nfnetlink=n
CONFIG_PACKAGE_kmod-nft-core=n
CONFIG_PACKAGE_kmod-nft-fib=n
CONFIG_PACKAGE_kmod-nft-nat=n
CONFIG_PACKAGE_kmod-ppp=n
CONFIG_PACKAGE_kmod-tun=y
CONFIG_PACKAGE_libcap=y
CONFIG_PACKAGE_libiwinfo=n
CONFIG_PACKAGE_libminiupnpc=y
CONFIG_PACKAGE_libmnl=n
CONFIG_PACKAGE_libnatpmp=y
CONFIG_PACKAGE_libnftnl=n
CONFIG_PACKAGE_libopenssl=y
CONFIG_PACKAGE_liboping=y
CONFIG_PACKAGE_librt=y
CONFIG_PACKAGE_libstdcpp=y
CONFIG_PACKAGE_libwebsockets-openssl=y
CONFIG_PACKAGE_mosquitto-ssl=y
CONFIG_PACKAGE_nftables-json=n
CONFIG_PACKAGE_openwrt-keyring=n
CONFIG_PACKAGE_oping=y
CONFIG_PACKAGE_opkg=n
CONFIG_PACKAGE_ppp=n
CONFIG_PACKAGE_ucode=n
CONFIG_PACKAGE_uhttpd=y
CONFIG_PACKAGE_uhttpd-mod-ubus=y
CONFIG_PACKAGE_uhttpd-mod-ucode=n
CONFIG_PACKAGE_usign=n
CONFIG_PACKAGE_wireless-regdb=n
CONFIG_PACKAGE_zerotier=y
CONFIG_PACKAGE_zlib=y

Thank you!
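
An added example, not part of the original post or of OpenWrt's own tooling: a small Python check that reads a diffconfig like the one above and reports the options that change integrity checking and network exposure rather than only image size. The rule set, the wording of the notes and the function names are this example's own assumptions.

```python
import re

# Constructed sample: a subset of the options from the diffconfig posted above.
SAMPLE = """\
CONFIG_DOWNLOAD_CHECK_CERTIFICATE=n
CONFIG_SIGNATURE_CHECK=n
CONFIG_SIGNED_PACKAGES=n
CONFIG_DEFAULT_firewall4=n
CONFIG_KERNEL_PRINTK=n
CONFIG_PACKAGE_opkg=n
CONFIG_PACKAGE_uhttpd=y
CONFIG_PACKAGE_uhttpd-mod-ubus=y
CONFIG_PACKAGE_mosquitto-ssl=y
CONFIG_PACKAGE_zerotier=y
"""

LINE = re.compile(r'^(?:CONFIG_([\w.+-]+)=(.*)|# CONFIG_([\w.+-]+) is not set)$')

def parse_diffconfig(text):
    """Return {option: value}; '=n' and '# ... is not set' both map to 'n'."""
    opts = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines, free-text comments, paste debris
        if m.group(1):
            opts[m.group(1)] = m.group(2).strip().strip('"')
        else:
            opts[m.group(3)] = "n"
    return opts

def audit(opts):
    """Hypothetical reviewer rule set (an assumption, not an OpenWrt tool)."""
    on = lambda k: opts.get(k) == "y"
    off = lambda k: opts.get(k) == "n"
    notes = []
    if off("DOWNLOAD_CHECK_CERTIFICATE"):
        notes.append("build downloads skip TLS certificate verification")
    if off("SIGNATURE_CHECK") or off("SIGNED_PACKAGES"):
        if off("PACKAGE_opkg"):
            notes.append("package signing off, but opkg is not in the image")
        else:
            notes.append("opkg present with package signature checks off")
    listeners = [p for p in ("uhttpd", "mosquitto-ssl", "zerotier") if on("PACKAGE_" + p)]
    if listeners and off("DEFAULT_firewall4"):
        notes.append("no firewall4; network services: " + ", ".join(listeners))
    if off("KERNEL_PRINTK"):
        notes.append("kernel log output disabled, less evidence when debugging")
    return notes
```

Run `audit(parse_diffconfig(open("diffconfig").read()))` on the build host before `make defconfig`; the parser also accepts the `# CONFIG_X is not set` form that `scripts/diffconfig.sh` emits.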

Have you seen that Mikrotik patched the kernel for this? Next to no documentation, and a decades old patch. They never bothered to upstream anything.

Do you really need a whole OS for that? Consider using Entware, it is as barebones as the image could possibly be.

I know that Metarouter is no longer a part of ROS 7.x (and new ROS 7 containers are not available on MIPSBE architecture), but it still works in 6.x - I've literally installed OpenWRT on my mAP2nd and it kinda reacts to commands (though I haven't set up any routing etc).

As funny as it sounds))) :

I prefer to stick to safe/trusted solutions (from security, privacy, etc pov) that have enough public presence/attention especially for devices that are supposed to be online. Zerotier lists OpenWRT, Mikrotik supports OpenWRT and all of them have reasonable presence and attention from community on respective support forums. So it's reasonable to consider them safe (not talking about unintentional bugs, of course).

Is there a reasonable evidence that entware is trusted by int community? It's not present in Mikrotik community, it's barely mentioned by Zerotier community (primarily in the form of questions that are never answered). It looks like it originated from controversial non-trusted country.
The fact that some software is open to public via GitHub doesn't make it safe/trusted automatically, as without reasonable attention from community its "safety" is simply "not verified".

Thanks anyway!

Entware is a continuation of the optware project, which is as old as OpenWrt. It is used by lots of router firmwares which don't have as rich an application library as OpenWrt, such as Tomato, DD-WRT, Padavan, as well as different NAS. It is semi-officially endorsed by the Keenetic manufacturer, as the Entware project is run by (as I assume) a Zyxel employee.

Why should it? This is just a package repository, for a pretty niche use-case.

Just like a lot of other network projects. Keep an eye on me as well, as my contributions get merged into OpenWrt, making it less trusted commit after commit.


As far as I read about MetaRouter, it seems to be a full virtual solution and not a container. Entware doesn't have its own kernel, you won't be able to use it as-is.

yep, tnx.
Containers are, unfortunately, not supported by RouterOS for MIPS devices.

Entware has a module for zerotier for at least 2.5 years now. As soon as something is in use, it's reasonable to expect some "traces" (questions, discussions) in relevant communities (including github's issues, etc). It's close to nonexistence in Zerotier community. Nothing to back some trust for it.

lol , it's a broad active community worldwide outside of mad societies that reduces risks of security issues) AFAIK, OpenWRT has one.