The containers capability in RouterOS is a great start, but to be really useful we need two main features added to it.
Host Networking
Currently it requires you to create a virtual container network. This is a problem for running network security apps or other apps such as runZero which need to access mDNS and ARP data from the network layer.
Kernel Capabilities
Some apps especially for network security require access to the kernel in order to block, allow and monitor network traffic.
To do this on Docker, for example, you would use the --cap-add flags to add things like NET_BIND_SERVICE, NET_RAW, NET_ADMIN and SYS_ADMIN.
I’m sure there are other applications that would make use of these two additional features. Please comment below on what apps you would like to run on RouterOS that need host networking or scoped kernel access.
The VETH exposes Layer 2 and can be bridged with a normal VLAN if needed. And you can even send a VLAN trunk over it with the right tagging in /interface/bridge/vlans, e.g. you can put the VETH in the main bridge, not a specific “Dockers” one that the docs always seem to use.
I just don’t see SYS_ADMIN, NET_ADMIN coming anytime soon — it creates a bunch of security concerns, and would likely break a lot of routing features depending on exactly what a container was doing with the raw interfaces.
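The VETH-in-the-main-bridge layout described in the reply above, written out as an added example (not the reply author's or MikroTik's own configuration); the interface names, VLAN id and addresses are assumptions:

```routeros
# Added example: put a container VETH on the main bridge as an access port for VLAN 20
# and carry that VLAN tagged to the upstream port ether2. Names, VLAN id and addresses
# are assumptions; "bridge" is the existing main bridge.
/interface/veth add name=veth1 address=10.20.0.50/24 gateway=10.20.0.1
# pvid=20 scopes the container to one VLAN; it sees that segment's L2 traffic and nothing else
/interface/bridge/port add bridge=bridge interface=veth1 pvid=20
/interface/bridge/vlan add bridge=bridge vlan-ids=20 tagged=bridge,ether2 untagged=veth1
# router-side L3 presence on the same VLAN so the container's gateway address answers
/interface/vlan add name=vlan20 interface=bridge vlan-id=20
/ip/address add address=10.20.0.1/24 interface=vlan20
# enable filtering last, after the VLAN table is complete, to avoid locking yourself out
/interface/bridge set bridge vlan-filtering=yes
# attach the container to that VETH (image and root-dir are placeholders)
/container add interface=veth1 remote-image=<image> root-dir=<disk>/containers/app
# To hand the container a VLAN trunk instead, list veth1 under tagged= rather than untagged=
# (tagged=bridge,ether2,veth1) and let the container create its own VLAN sub-interfaces.
```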
There is certainly an element of risk in allowing a container to access the network stack. But in order for a security application to operate, it needs access to iptables/nftables to dynamically block and allow traffic.
It could be made clear to the user that this has the potential to break things.
VyOS has support for this in their container functionality.