To clarify a few comments here: this is not only OCI containers: container machines add support for persistence and filesystem mounting, making container machines a great lightweight Linux environment for developers using macOS. More details here: https://developer.apple.com/videos/play/wwdc2026/389

• jt2190

  today at 12:35 PM

  > container runs containers differently. Using the open source Containerization package, it runs a lightweight VM for each container that you create. This approach has the following properties:

  > - Security: Each container has the isolation properties of a full VM, using a minimal set of core utilities and dynamic libraries to reduce resource utilization and attack surface.

  > - Privacy: When sharing host data using container, you mount only necessary data into each VM. With a shared VM, you need to mount all data that you may ever want to use into the VM, so that it can be mounted selectively into containers.

  > -Performance: Containers created using container require less memory than full VMs, with boot times that are comparable to containers running in a shared VM.

  More details, including technical limitations (they’re looking for bug reports and contributions): “Container: Technical Overview” https://github.com/apple/container/blob/main/docs/technical-...

  • mikepurvis

    today at 1:31 PM

    Sounds like a lot of the same choices/compromises that are in wsl2.

• jjtheblunt

  today at 4:58 AM

  > ... highly integrated Linux environment that works seamlessly on your Mac. ...

  Which kernel is running, and is it hosted in hypervisor.framework, as is done with UTM (when not using the qemu mode)?

  • Scarbutt

    today at 5:22 AM

    The katas container kernel by default.

• bogantech

  today at 6:54 AM

  > filesystem mounting

  How is this different to bind mounts

  • jdub

    today at 8:31 AM

    Very different: Linux running in a virtual machine can't bind mount into a macOS host's filesystem. So they use virtiofs.

    • miohtama

      today at 12:21 PM

      MacOS container filesystem/IO has been bog slow preventing even some basic dev container use cases. Hopefully this will fix the issue.

      • jdub

        today at 4:12 PM

        It's not substantially different from previous approaches (9pfs vs. virtiofs).

        My suggestion: Don't use the host filesystem from the guest at all. It'll be faster, and better isolated. It's a false convenience.

    • lxgr

      today at 9:12 AM

      This applies to both containers and container machines though, right?

      • jdub

        today at 11:07 AM

        Containers (those popularised on Linux by Docker) are built on Linux primitives like cgroups and namespaces, so they're running directly on the same kernel, same VFS, often the same FS, etc. Their isolation properties rely on (a) all those Linux features working as expected, and (b) the container runtime setting them up properly.

        Depending on your threat model, that's fine, but a lot of people (including me) will say that containers are not a security mechanism.

        But macOS requires[1] virtualisation for containers anyway; the security is just a bonus.

        [1] at least for a real Linux kernel...

        • lxgr

          today at 2:01 PM

          The surface of an OS is definitely larger than that of many hypervisors, which is e.g. why browsers often provide their own much narrower sandbox.

          On the other hand, in other scenarios, people trust the security boundaries of their working as expected all the time, no? This is the basis of e.g. Android app isolation (every app runs under its own Linux UID/GID), and true multi-user Unix systems trusting the OS's security boundaries to hold have decades of history.

          • jdub

            today at 4:08 PM

            Different threat models. Your typical Android device (and Linux server for that matter, at home or at scale) is not usually running security-sensitive general workloads for multiple tenants in the same OS instance. :-)

• Onavo

  today at 1:34 AM

  Ah, the Darwin/BSD Subsystem for Linux.

  • CGamesPlay

    today at 1:55 AM

    Not quite, it’s still a VM. And while it supports virtio balloon for growing RAM, it doesn’t yet support releasing that RAM back to the host. And there isn’t a convenient way to shrink the sparse disk images as they grow yet, either.

    • AlexB138

      today at 2:00 AM

      Isn't the Windows subsystem for Linux (the reference there) also a VM?

      • gsnedders

        today at 2:03 AM

        Only WSL2; WSL1 was an actual subsystem.

        • selcuka

          today at 2:09 AM

          So this is Darwin/BSD Subsystem for Linux 2.

          • rvz

            today at 4:26 AM

            Yes.

        • LoganDark

          today at 2:37 AM

          WSL1 was so cool, WSL2 made it boring and isolated.

          • mjg59

            today at 8:08 AM

            WSL1 was very conceptually appealing, and ended up working very poorly because of the poor matching between Linux syscalls and the Windows kernel. Git suffered terribly as a result. The inverse is also somewhat true - there have been cases where Wine is much slower than native Windows because Linux simply doesn't provide a simple way to achieve the same outcome, and interestingly the Wine developers have had reasonable (if tediously slow) success in making it possible to express the same semantics to Linux and have it handle things fast. It would be fascinating to know whether WSL1 developers didn't have enough traction to get Windows internals altered to match, or whether it's just way harder to do the same under Windows.

            • alerighi

              today at 12:24 PM

              It did work quite well. The problem with the filesystem could have been solved by optimizing the Windows kernel, that would have benefit also programs run outside the WSL by the way (NTFS have performance problems and Microsoft knows, and even provided a kind of solution as far as I know with the developer FS or what they call it).

              The thing that I don't like of the WSL2 is that is just a VM, but a VM that is very limited. For example working in the embedded development field I often need to use serial ports or USB devices, a thing that the WSL2 is not capable of doing (unless passing trough USB/IP that has its compatibility issues especially for stuff like debuggers needing precise timing), and that the WSL1 was at least for the serial ports able to do. This is a limitation that doesn't allow me to use the WSL. Same thing with all kind of other software that wants to access peripherals of the machine natively (e.g. a GPU for example, or another PCI card, something that to be fair is not even doable as far as I know with hypervisors on Windows but completely doable with hypervisors running on a Linux OS where trough the IO MMU you can share any PCI device of the host to the VM).

              WSL1 was a great idea, bad thing that Microsoft abandoned it for something that is just good for web application development.

              • 0x1d7

                today at 2:47 PM

                > (NTFS have performance problems and Microsoft knows, and even provided a kind of solution as far as I know with the developer FS or what they call it)

                NTFS does not have performance problems. The difference between DevDrive, which uses ReFS (arguably a more 'resilient' file system than NTFS due to journaling) and a standard NTFS volume is the file system filters are either removed or in the case of Defender, put in async mode.

                The file system filter architecture is the performance problem, not the file systems. It's a trade off to have a more extensible I/O stack.

                • sterlind

                  today at 5:00 PM

                  I recall there was also an issue with how paths are treated in NT. I don't fully recall, but I think NT paths are parsed by the kernel early on, and the whole kernel operates on "cooked" paths. there was some major performance implications this had for WSL1 in addition to the filter driver architecture.

                  I also don't remember why they couldn't just bypass the filter stack for paths in a certain volume - WSL2-like I/O on WSL1 - but there must have been a reason.

              • smallnamespace

                today at 1:13 PM

                > The problem with the filesystem could have been solved by optimizing the Windows kernel

                Over time this would tie the Windows kernel’s requirements so that they matched the Linux kernel’s due to expectations from WSL1 users. This of course is a bad idea for any engineering organization - you will have requirements imposed on you that don’t mesh well with your other non-WSL users and you also have no real sway over Linux governance. This would lead to the Windows kernel either becoming a clone of Linux or serving at least one set of users poorly.

              • someguyiguess

                today at 1:35 PM

                Why would you work on embedded development through a VM? Out of curiosity.

            • barrkel

              today at 11:59 AM

              It's my understanding that a big part of WSL1 performance loss comes from the relatively thick layered filesystem architecture on Windows.

              Since git and nodejs are both common in modern development and are expected to work efficiently with huge numbers of files, this was a real bottleneck and it couldn't easily be tackled without threatening backward compatibility.

            • LoganDark

              today at 8:34 AM

              Wine achieves better performance these days due to things like... adding a module to the Linux kernel that implements NT-like synchronization primitives. So, Linux subsystem for NT synchronization basically. (a.k.a. NTSync)

              Maybe this works out better because Linux is more flexible, while Windows/NT is more "set in its ways" and therefore more difficult to implement Linux on top of... Maybe?

          • TylerE

            today at 2:42 AM

            Back in my day you to to download a couple GB worth of cygwin, and that wasn't an actual environment, basically just a GNU toolchain compiled for windows. But it got you like....grep and bash and stuff that ran natively on windows which was kinda cool.

            • qalmakka

              today at 5:48 AM

              Does any older folk here remembers when NT was the Cool New Thing (TM) and it had by design support to multiple subsystems plopped over the NT API, and Win32 was just one of them alongside POSIX (Interix) and OS/2? There was even a _very short_ time span when Interix was actually usable (it was extremely short though)

              • naishoya

                today at 9:46 AM

                I guess that makes me square within the 'older folk' subset - I continued to use the NT core with LiteSTEP alongside the SGI/IRIX Octane2 well after Y2K.

                Those days I was working on a rework of the TRO PLATO learning system which was a real beast but essential for the individual learning project of a charter school i was supporting.

                PLATO had been taken from it's dedicated mainframe world and made 'runnable' on W95 workstations with an NT server - but it really didn't run well, and the kids could really get behind the interface into regular Windows environment too readily. In combination the workstations were crazy hard to keep running cleanly.

                So in the end; we had to take the software out of Windows, wash it clean in the waters of Silicon Graphics System-V with BSD extensions (X11) Unix and BSD - NeXTSTEP, just so we could bring it back to Windows properly using LiteStep.

                Life happened and I lost touch with the outcome of it all, moving on to my next project; but, I kept a LiteSTEP desktop until moving entirely over to Linux in 2004.

                Haven't used Windows for anything but a gaming load since '05 and stopped doing even that in about 2010, nothing later than XP.

              • pjmlp

                today at 6:27 AM

                Yes, the only reason I cared for Linux in first place was that the POSIX support wasn't that good.

                I am convinced that if POSIX subsystem was UNIX serious, GNU/Linux would never taken off on PC, and the whole would be divided between SGI, HP-UX, Solaris, Aix and Windows NT.

                • hnlmorg

                  today at 6:40 AM

                  There were already better free options than Linux when Linux first started gaining traction.

                  The reason Linux grew in the 90s was because it was part of the hacker culture. Not because better options didn’t exist.

                  Kids liked the fact that Linux was a free-for-all, anything-goes, platform. It wasn’t stuffy like Unix and it wasn’t proprietary like Windows.

                  Then those kids grew up and became decision makers themselves. And we started to see Linux replace FreeBSD and commercial Unixes.

                  • nyrikki

                    today at 5:28 PM

                    Actually Linux was very SysV like back in the day, so it was more like the stuffy OS's that people liked.

                    GCC was the real catalyst, With even SUN which had used bundled dev tools as a early selling point was unbundling them and charging more, many x86 UNIXes like SCO didn't even come with a tcp/ip stack without an extra fee...and you couldn't take C code from HP to another system and actually have it compile.

                    As Solaris is really just a sysV-ification of the bsdish sunOs...the introduction of posix as a least common denominator, and Linux being closer to the commercial-ish unixes it was just an easier sell for a lot of users.

                    In hindsight it may seem silly, but in may projects I was involved with, linux using sysV /etc/init.d/, vs BSD's /etc/rc.conf was the driving factor, because /etc/rc.conf was a shared dependency and harder for us to modularize projects.

                    IMHO the real Linux advantage is that it was using the gnu user land, and thus gcc worked well with it and companies started to sell commercial support early.

                    But there were still flavor wars from all sides all the time, and being an ex-op on #unix and #unixhelp from the 1990s, I dealt with them all.

                    But BSD and heck even ITS etc... was the free-for-all, anything-goes, platform of record.

                  • pjmlp

                    today at 7:15 AM

                    Which ones? BSD was tied in a lawsuit that left doubts on its future.

                    Minix was a toy OS for university teachings.

                    Coherent was commercial.

                    Nothing else was there on the PC market.

                    • hnlmorg

                      today at 12:42 PM

                      386BSD and its derivatives (eg FreeBSD) weren’t really attacked by SCO like other UNIXes were. In fact SCO filed more lawsuits against Linux than they did (for example) FreeBSD.

                      FreeBSD was also used heavily in the late 90s in ISPs and similar domains.

                      • nyrikki

                        today at 5:03 PM

                        I think you are a possibly a decade off on the timing here.

                        USL v. BSDi is what impacted the BSD side, and it was during that lawsuit before Novell bought USL etc.... that the problems were that allowed Linux to make gains while the net/2 distros were in a waiting game IMHO.

                        The timing absolutely helped Linux and GNU being packaged as a complete system by the various distros etc..., and common OSS distribution points like Walnut Creek and PHT were very much concerned about USL v. BSDi and in an era when you had to make long distance phone calls to download with a modem, a lack of CDroms etc... absolutely caused a dip in adoption of the BSDs.

                        By the time the IBM v. SCO lawsuits happened (2003) the UNIX wars were long gone and Linux was already established.

                        SCO/Interactive/Coherent/etc... and other x86ish UNIXes were quite common in my work in the early 1990s, but the whole unix wars is way to complicated to cover in a single post.

                        The post .com bubble SCO lawsuits really just didn't matter much, the consolidation that happened in the early 90's that ended the UNIX wars, plus Intel killing most of the commercial unix independent CPUs with Itanium untruths and impossible promises and an inability for the major vendors to adapt to a lower margin model etc... killed those off.

                        The SCO lawsuits were really just the flailing of a dyeing company which was the end result of WordPerfect buying Novell with Novells money and local Utah politics.

                      • manithree

                        today at 4:59 PM

                        Nobody said SCO sued BSD or BSD users. USL sued BSD and UC (https://en.wikipedia.org/wiki/UNIX_System_Laboratories,_Inc.....) long before the SCO lawsuits.

                      • pjmlp

                        today at 4:49 PM

                        Those only came to be after AT&T lawsuit was cleared, and by then Linux already had enough wind behind it.

                        Also SCO lawsuit was more due to IBM's money than Linux.

                        Both a different situation than Windows NT being available a decade earlier.

            • noduerme

              today at 3:17 AM

              Cygwin was fun. I'd done zero development on Windows, but about 10 years ago I had to figure out how to deploy some nightly shell scripts across a bunch of local computers in a few dozen offices, where about 80% were MacOS and the rest were Windows. I don't remember exactly how I rigged it, but basically cygwin allowed me to keep the scripts as they were and trigger them in place, with a few small modifications.

              I never want to deal with that again ;)

              [edit] fwiw, Termux on Android is similarly a fun pseudo-environment. It's a nice and helpful toy.

              • TylerE

                today at 3:25 AM

                The biggest issue I remember is directory seperators... windows of course using \ which bash would then interpret as an escape. Cygwin mostly papered over that from what I can recall, but it could lead to some weirdness, like sometimes you'd get C:\\path\\es\\like\\this

                • bschwindHN

                  today at 5:06 AM

                  We should be using the baguette emoji for path separators for cross-platform compatibility.

                  https://old.reddit.com/r/ProgrammerHumor/comments/96ufiz/pro...

                • rpeden

                  today at 3:41 AM

                  You could also use forward slashes, like C:/path/subpath, which has worked since Windows 1.0/DOS 2.0.

                  That's handy when you're entering paths in a Cygwin/MSYS Bash shell, but might not help much if you're trying to parse or otherwise work with existing patgh variables composed with backslashes.

                  • TylerE

                    today at 3:59 AM

                    Yes, you could if you were entering them manually, but some apps that generated file names would screw it up. I think they were using some sort of stdlib function to get the path seperator. Forward slash paths working in native windows apps also wasn't quite a given, either. Keep in mind this was a loooong time ago... like windows xp era maybe, even.

                    • noduerme

                      today at 6:07 AM

                      Yeah, I recall directory paths being the biggest PITA with running scripts in cygwin. But I mean, that was a very minor set of things to fix compared to what would've had to be written in anything else available at the time.

                      Doing retail office deployments of custom code on employee computers is a weird niche, and you find whatever works and hope you can maintain it somehow. Cygwin was awesome though, saved me a ton of time and the client a lot of money for the moment. (The client later stipulated to all future franchisees that they had to buy only Macs, lol)

                • coldtea

                  today at 9:06 AM

                  Always used / and it worked for both cygwin/windows lands.

            • kergonath

              today at 6:17 AM

              > Back in my day you to to download a couple GB worth of cygwin

              You still can, and it still works exactly the same way.

              • procflora

                today at 4:07 PM

                It's true, but to be honest the MinGW-built stuff that ships with git for Windows has been enough since WSL took off.

            • iririririr

              today at 7:22 AM

              what do you mean? that's still the only way to work as a human in windows. wsl1 almost replaced it, but obviously they scrapped it.

              if you must use windows, it's because you will compile for windows. so you install MSYS, which is a linux distro-ish compiled native for windows. and do your work.

              wsl2 (and this apple thing) is just a meme. if you're working in it, you're better of just installing Linux or ssh'ing to a server.

              • metaltyphoon

                today at 12:40 PM

                > wsl2 (and this apple thing) is just a meme. if you're working in it, you're better of just installing Linux or ssh'ing to a server.

                Many enterprises allow windows only so your way into Linux is via WSL2

              • TylerE

                today at 8:23 AM

                shrug. I haven't owned a Windows machine in years at this point. It's one of those things like PHP that I just decided my life was better off without.

            • _blk

              today at 2:49 AM

              ... Now it's just called git bash

              • michaelsbradley

                today at 2:55 AM

                Just install and use MSYS2, git bash is derived from it anyway, and a regular MSYS2 installation offers a lot more.

          • kevinminehart

            today at 6:23 AM

            It was soooo slow though. Practically unusable for anything i/o heavy.

            • dented42

              today at 7:13 AM

              Those issues could have been fixed…

        • pjmlp

          today at 5:01 AM

          WSL 1 is long gone for all practical purposes, yet it still dominates conversations.

          Also everyone on FOSS gets it wrong, WSL wasn't a subsystem like classical Windows NT ones.

          It was based on Drawbridge research using picoprocesses, a new approach for library OSes.

          https://learn.microsoft.com/en-us/archive/blogs/wsl/pico-pro...

          • embedding-shape

            today at 12:15 PM

            > Also everyone on FOSS gets it wrong, WSL wasn't a subsystem like classical Windows NT ones.

            Everyone in FOSS? How about Microsoft got it wrong, since they actually named it The Windows Subsystem for Linux (WSL)? It wasn't the FOSS community who chose the name for them.

            • pjmlp

              today at 5:42 PM

              What has that to do with a version number and not keeping up with the times?

              • embedding-shape

                today at 6:01 PM

                What version number? WSL1 vs WSL2?

                I'm not sure if you see the quoted part. My comment is about the part that starts with "> " that you wrote earlier.

    • alerighi

      today at 12:27 PM

      And a limited VM, for example I look at the documentation and it's not possible to share USB devices with the VM, making it perfectly useless for doing embedded development where you have to connect to the boards with USB. I will continue to use UTM for that reason...

      • mrpippy

        today at 4:39 PM

        Virtualization.framework just gained USB passthrough support in macOS 27. It might be a niche feature for containers to add, but other VM software will likely add support soon.

    • burnte

      today at 3:22 PM

      WSL is a VM too, but that's still what this is. WSL for MacOS. It's great!

    • jayd16

      today at 2:03 AM

      Mac Subsystem for Linux 2

    • BodyCulture

      today at 11:01 AM

      This is not a problem at all as most Apple computers come with plenty of RAM and lots of disk space! We are so lucky that Apple engineers always think so differently into the future!

    • hedora

      today at 3:22 PM

      So, heavier than running docker in qemu?

  • pseudosavant

    today at 6:23 AM

    Exactly what I thought. The Mac equivalent to WSL. Which is a great thing for Mac devs. Lots of stuff expects Linux these days, not POSIX. Mach isn’t Linux.

• oulipo2

  today at 8:41 AM

  how does that compare to something like, eg, Orbstack?

• CaptainCyber99

  today at 10:13 AM

  Still feels like a apple-ified microvm

  • TingPing

    today at 11:03 AM

    Well yeah it’s a simple vm…

• today at 2:01 AM

Michael Crosby wrote this! He's a long-time maintainer of Docker, Containerd, and more! He was Docker's first to receive the 'Distinguished Engineer' Title. This means a lot coming from him.

I belong to a rare breed of very opportunistic hobby-developers that like to use MacOS but also like to use linux machines or BSDs (rpi etc) sometimes.

I can create docker-images with docker compose, or use something like colima, which this seems to be close to (that should have some advantages over docker, although my hope of circumventing W^X page protection did not pan out).

I was perplexed that the repository does not put these container machines in context. The seem to be close to colima? When should I use which option (docker, collima, container machines ?)

Maybe others wonder too but are ashamed to ask. I have no shame ;)

Thanks for any pointers

• binsquare

  today at 3:44 PM

  I built this tool to solve that exact problem: https://github.com/smol-machines/smolvm

• djsavvy

  today at 5:49 AM

  Why try to circumvent W^X page protection? Some sort of self-modifying program without extra pointer indirections?

  • golem14

    today at 6:09 PM

    I just do, Mr Cooch, I just do.

  • bogantech

    today at 6:56 AM

    Bad legacy apps like Xilinx ISE

• klohto

  today at 5:39 AM

  https://github.com/apple/container/blob/main/docs/technical-... read documentation mr. rare breed

  • startakovsky1

    today at 6:55 AM

    Like, this doesn’t answer when to use this vs Docker. Any reference there?

    • happyopossum

      today at 10:58 AM

      This is not the apple container framework / that’s the docker alternative. This is a project to easily run full Linux machines in macOS containers.

    • cowsandmilk

      today at 11:25 AM

      Use this because docker has very problematic licensing on MacOS.

This is all fine and dandy, but where are the native Darwin Jails Apple? Still scared that people will filling whole rooms of Mac Minis if you allow them to have multiple macOS containers and not only up to two fat VMs per machine?

• cedws

  today at 12:13 PM

  Darwin namespaces would be much more interesting and we are in dire need of them in the current security landscape.

  I don’t really understand the hype for Apple’s Containerization, it’s just another container runtime alongside many others. It’s not really any better than OrbStack - in fact it’s worse.

  • whimblepop

    today at 5:47 PM

    When Apple Sherlocks something, aren't their implementations usually worse? Typically the thing being Sherlock'd is very mature and featureful, and Apple's implementation is much less capable and has undergone much less user testing, at least at the outset.

  • RationPhantoms

    today at 3:37 PM

    Thank you for answering that question because I adore OrbStack and didn't find much difference.

  • gyoridavid

    today at 1:19 PM

    +1 I'd love to have network namespaces

• today at 11:19 AM

• jorisw

  today at 7:27 AM

  [Replied to wrong comment]

  • qalmakka

    today at 7:28 AM

    That's totally unrelated to what I wrote

• adastra22

  today at 7:28 AM

  sandbox profiles?

  • qalmakka

    today at 7:33 AM

    macOS sandboxing is deliberately limited just enough to prevent anyone from truly implement Darwin-on-Darwin containers. People have been discussing about this for a while, see https://github.com/apple/container/discussions/611

    In general I understand the rationale behind Apple's decision. They sell hardware, and there's real demand for macOS on servers to run build jobs and other Mac-only tools. Giving you the ability to run multiple containers on a single Mac would end up turning a 10 Mac Mini order into a 2 Mac Minis order for most people. Rest assured, even if it would be technically possible they'd find a way to cap it somehow via the EULA or whatever

    • coldtea

      today at 9:10 AM

      I doubt this insignificant statistically speaking market (compared to the overall units they move) is what prevents them.

      • inejge

        today at 9:35 AM

        Domino theory as applied to business, plus one should never underestimate the lengths to which a company will go to wring the last ounce of profit from a market.

    • larodi

      today at 11:01 AM

      and how is this, having containers run hardware one owns, a bad or even shameful idea, given people do it and want to do it with their hardware all the time?

      • qalmakka

        today at 1:59 PM

        > aving containers run hardware one owns, a bad or even shameful idea

        what? it isn't, it's absolutely a right you surely have. The problem is that

        a. Apple forces people to buy Macs to build, notarise and deploy iOS and macOS apps b. Apple refuses to implement jails which is something that every OS, including Windows, has nowadays c. Apple only allows you to have 2 VMs - full, fat, with GUI - on each Mac computer, running at once c. Jails/Containers would allow you to easily deploy multiple jobs, which would allow you to have N jobs in parallel, which would mean you'd need way less Mac Studios/Mini in your local CI

OrbStack works really well for me. I wonder how it’s compared to this performance wise

• kdrag0n

  today at 1:32 AM

  (OrbStack dev here.) Instead of Virtualization.framework, we have a custom Rust virtualization stack with custom devices and protocols for things like filesystem sharing. It's a highly optimized vertically integrated stack specifically for running our Linux machines and containers.

  Our biggest perf/resource gain is dynamic memory, which reduces memory usage a lot by releasing unused memory back to macOS. Nothing else supports this, including Containerization.

  I gave Container Machines a try and it seems to be much closer to OCI containers with a default bind mount than OrbStack machines. It has fewer integrations and doesn't run systemd or any other normal init system, so it's hard to run services.

  • rubnogueira

    today at 9:12 AM

    Just to give a thumbs up to you and OrbStack. I've been using it every day since the first releases, and it is one of the most stable and performant drop-in replacements that I've seen.

    • kdrag0n

      today at 2:09 PM

      love to hear it!

  • mescalito

    today at 2:26 AM

    Super happy orbstack customer. Just curious on your statement:

    > I gave Container Machines a try and it seems to be much closer to OCI containers with a default bind mount than OrbStack machines. It has fewer integrations and doesn't run systemd or any other normal init system, so it's hard to run services.

    The linked md document says:

    > Real Linux services for testing. Run a database or whatever your stack needs as a system service — systemctl start postgresql works on images with systemd installed.

    Was that not the case when you used container machines?

    • kdrag0n

      today at 2:45 AM

      That's my bad, I used the example alpine commands and the official alpine doesn't have init. It's supported if you build an image with systemd installed

  • d3v1an7

    today at 4:29 AM

    just adding a 'hell yeah: orbstack is so good' to the thread. i mainly avoid containers where i can, but when containers need to happen, orbstack is 'just enough' for me. lovely and well considered ui, stable, performant. don't need much else. thank you for your work and care!

  • egernst

    today at 1:45 AM

    Thanks for the info kdrag0n! Big fan of OrbStack; good call out on dynamic memory.

    If the guest image has /sbin/init, we use that.

    We'd recommend using a base image for the guest that includes systemd. ie: https://github.com/apple/container/blob/main/docs/container-...

  • kxxx

    today at 1:47 AM

    Apple says that `systemctl` is supported... hmm am I missing something?

    "Real Linux services for testing. Run a database or whatever your stack needs as a system service — systemctl start postgresql works on images with systemd installed."

    • kdrag0n

      today at 1:51 AM

      Good catch, I tried the example alpine commands and there was no init system. Makes sense if it's based on OCI images

      • kxxx

        today at 1:58 AM

        Just tested it on on an OCI image with systemd and it works well. I can see the appeal of OrbStack regarding memory reallocation and will stick with it in the time being :)

  • rswail

    today at 7:10 AM

    I changed over to Orbstack just for local builds and it is one of those apps that makes owning a Mac that much better.

    This post reminded me to buy a license, just done it, worth it for the time saved.

  • CGamesPlay

    today at 2:04 AM

    > Our biggest perf/resource gain is dynamic memory, which reduces memory usage a lot by releasing unused memory back to macOS. Nothing else supports this, including Containerization.

    Wow, missed this when reviewing OrbStack. I assumed that you just used Containerization and therefore would have the same limitation.

  • saltamimi

    today at 1:55 AM

    I know this is off topic, but I do thank you for your Android work, the idea and elegance of fastboot.js and that SafetyNet workaround trick was truly really cool.

    • kdrag0n

      today at 1:57 AM

      Ahh those were good times, glad you came across it :)

  • trueno

    today at 2:11 AM

    just dropping in to say orbstack super owns and i use it every day. huge respect to rethinking this experience, for a minute there i thought docker was just going to be the only path. i dont think ive looked back for docker since. orbstack just feels right, and damn its so fast and good with resources, and the UI is just insanely straight forward. props!

  • TheTaytay

    today at 2:20 AM

    We love OrbStack too! Thank you for it,

    I wanted to make its VM/machine our default secure agent sandbox, but I couldn’t figure out how to isolate this VM from the host properly. This thread prompted me to find the issue though, and I saw this was recently implemented! https://github.com/orbstack/orbstack/issues/169

    • kdrag0n

      today at 2:23 AM

      Yep! Still refining it but isolated machines now have fine-grained settings for filesystem mounts, network isolation, SSH agent forwarding, and CPU/memory/disk limits

  • torarnv

    today at 8:11 AM

    Those are awesome features! The one missing for me is bridge networking. Any idea why orbstack doesn’t have that?

    https://github.com/orbstack/orbstack/issues/342

  • jhancock

    today at 1:54 AM

    I’ve been using podman on Mac. It’s been a nice fit as the container build files are identical to what I use on my fedora server. I have noticed my 2 virtual core 4 gb Linode vps runs apps faster in the same container as when run on my MacBook Air M2 16 gb. I expected some performance overhead but didn’t think it would be noticeable as it is. Overall happy with podman. How might OrbStack differ?

    • thatxliner

      today at 1:59 AM

      Having used both, it feels like OrbStack "just works" more than Podman. The main example of this is Supabase.

  • rahen

    today at 9:39 AM

    What kind of virtualization do you use internally? I assume some kind of LXD fork? OrbStack really feels like a single-node Incus host.

    • kdrag0n

      today at 1:57 PM

      The Linux VM host and guest components are all custom, as well as the daemon that manages machines. It currently uses LXC as the runtime but that's being replaced as well. For containers we run a standard Docker engine inside a special machine.

  • vsgherzi

    today at 2:00 AM

    I love orbstack, is there any code I could read on the rust side? Seems very interesting

  • bekantan

    today at 11:14 AM

    Amazing software, thanks!

  • blackqueeriroh

    today at 3:37 AM

    When are y’all gonna support sandboxing? Preferably Docker Sandboxes?

    • keybits

      today at 9:14 AM

      Isolated machines was release recently: https://docs.orbstack.dev/machines/isolated - various recent improvements in the release notes: https://docs.orbstack.dev/release-notes

      Nothing specific for Docker yet, but I find the Linux machines are lightweight enough that I just run Docker inside them.

  • bjt12345

    today at 5:51 AM

    Orbstack plays well with Pycharms BTW.

• emmelaich

  today at 2:06 AM

  I'd like to see a comparison to https://tart.run/ as well.

  AFAICT it's pretty similar.

  • eatonphil

    today at 12:18 PM

    Tart was just bought by OpenAI so its future is suspect.

• mpeg

  today at 3:20 AM

  I like orbstack in theory, but I find it hard to justify a $96/yr license fee for something that has so many open source, free alternatives. As it is, I’d rather use podman or colima

  • Ghoelian

    today at 6:16 AM

    It's free for personal use, and for a company 96/year is absolutely nothing, I'd hope.

  • baq

    today at 6:42 AM

    The alternatives are all broken in some ways is the answer, including the official paid docker enterprise.

    Personally I’d rather the company provisioned me MacBook hardware with Linux. Unless Fable or some other ai ports asahi properly to modern hardware I expect to retire before this is possible, orbstack is the next best thing, available today.

• kxxx

  today at 1:45 AM

  I really like OrbStack and am also not sure why I'd use Container Machines over it, at the moment...

• gempir

  today at 6:44 AM

  I just wish bind mounts would be more performant/native. I get that this is probably impossible, and probably also sucks on Linux, haven't tried.

  But like having containers that need file watchers like vite dev server, or frankenphp in watch mode will overload OrbStack real quick since It seems to fallback to polling instead of listening to fs events.

  So I'm stuck running vite dev servers and the like on the host.

  • kdrag0n

    today at 1:25 PM

    Can you share more details? OrbStack has always supported inotify/fanotify (Linux fs watching APIs) on bind mounts and most people use watchers with no issues. Happy to look into whatever you're running into: danny@orbstack.dev

    • gempir

      today at 2:04 PM

      I'll remember it and email you when I try it again.

      Last time I tried all of orbstack froze and I had to restart my whole mac to fix it. But you also did some recent releases that fix issues related to freezing up, so maybe it was unrelated.

      Thanks for the great software! Happy enterprise customer

  • jnewton_dev

    today at 1:01 PM

    We dealt with this exact issue at my company. The root cause turned out to be something completely unrelated to what we initially suspected.

    • gempir

      today at 1:15 PM

      Hmm, that sounds very vague. how DID you solve it? Do you now run Vite dev servers in containers?

• cpuguy83

  today at 2:30 AM

  Not a full docker env, I aimed this as doing builds though you can run dockerd as an option, https://github.com/cpuguy83/crucible uses the containerization framework to run either build kitd or dockerd and wire it up to docker/buildx cli (or whatever client tooling you want to use).

  The Containerization framework is a library that sits as a layer on top of the virtualization framework. So each container is its own VM.

  Machine is tooling above the containerization framework to run multiple things in a container in a vm.

• kiproping

  today at 7:26 AM

  Thank you for mentioning this, I have been suffering under the yoke of docker.

• jbverschoor

  today at 5:08 AM

  Note that orbstack supports audio and usb pass through, which is super nice

I don‘t understand why these tools always advertise about mounting the $HOME inside the container. Isn‘t it better to have a complete isolation? Isn‘t that the point of using such a thing?

• sigmoid10

  today at 8:38 AM

  Containers only got so popular as a tool for developers to make developing/deploying easier. If you want to use them as a security layer that is a completely different goal and has many highly dangerous pitfalls [1]. Just last week there was a post where people were shocked how an AI agent used docker to bypass sudo on a system. I'd imagine this could happen to most people who installed docker. So if you want to use containers for anything but easier development, you need to be much more proficient than the average user already. In that case not exposing $HOME is just a small thing on your config to-do list.

  [1] https://cheatsheetseries.owasp.org/cheatsheets/Docker_Securi...

  • lxgr

    today at 9:16 AM

    > Just last week there was a post where people were shocked how an AI agent used docker to bypass sudo on a system.

    This was due to implicitly granting the LLM access to the host docker daemon, which has superuser privileges, not due to a "container breakout". That's arguably a very different scenario, but of course both are worth considering.

    > So if you want to use containers for anything but easier development, you need to be much more proficient than the average user already.

    I'd disagree. Containers, at least without granting them additional privileges such as CAP_NET_ADMIN and without write-bind-mounting sensitive host directories into the container, offer a reasonable security boundary compared to the counterfactual, despite their bad reputation.

    • sigmoid10

      today at 1:03 PM

      >without granting them additional privileges such as CAP_NET_ADMIN and without write-bind-mounting sensitive host directories into the container, offer a reasonable security boundary compared to the counterfactua

      There's much more to it than that if you check out the link above. Misconfiguring a container is the 2026 version of misconfiguring FTP and MYSQL in the 90s. I.e. most users don't even know how they are asking to get rooted.

      • lxgr

        today at 1:55 PM

        If you let your container write setuid binaries to your path, give it admin access to your network, let it access the Docker daemon socket etc., sure, you're going to have a bad time. But how is that different from e.g. giving software running in a VM SSH access to your host or a writable bind mount to the host's root directory?

  • kenanfyi

    today at 8:58 AM

    I see. Why this interests me is the similar stuff I have been reading lately. All these supply chain attacks regarding npm, Tanstack etc. Therefore I wanted to create a totally isolated sandbox and while considering options I have seen they all by default mount the $HOME. I needed to explicitly tell colima to not do that.

    But yeah, I guess my use case is not the main use of such tools or their purpose in general. Thanks for the link, I‘ll take a look at it.

• saljam

  today at 9:17 AM

  the reason i use this (and just a container with -v $HOME:$HOME before) is to get an environment with all the command line tools i'm familiar with from debian, instead of using something like homebrew. in general, i mostly trust these with access to my home directory. a bonus is that i can throw it away and rebuild it easily if i need to.

  i'd still use less permissive containers for things i don't feel comfortable installing on the host, e.g. npm.

• stefan_

  today at 8:59 AM

  No, the whole point of machines is their external interfaces? A Linux VM with no interfaces is just a closed box wasting power doing math.

  And I think I would caution Apple to consider the lessons of WSL; having shared access to the filesystem is just the bare minimum. Next is networking (and god is this a rabbit hole with WSL), people will want to access their USB devices, X forwarding, GPU passthrough..

  • coldtea

    today at 9:08 AM

    The whole point of container machines is their isolation.

    If we wanted access to all interfaces, we'd just run it locally.

    We want the container as a closed box, "wasting power doing math", i.e. processing what we actually passed to it.

• LoganDark

  today at 8:37 AM

  No, the point of using such a thing is to be able to run Linux workloads. For example, I recently used Containerization to generate trace logs from the tup test suite so that I could bring it up to relative parity on macOS. If it had complete isolation, I would have difficulty getting the modified source code into the container and difficulty getting the trace logs back out of the container. Sure, you can paper over this with bind mounts or whatever the fuck but that's annoying

  • kenanfyi

    today at 9:01 AM

    Understand. And yeah that‘s annoying. I use containers only for development and to keep my main system secure from supply chain attacks. I have almost no build tooling in my Mac anymore. No npm, no cargo, no uv. Nothing. They all live inside the container which is completely isolated.

    I guess my use case is not that important for the main user of these tools.

    • LoganDark

      today at 9:05 AM

      I wouldn't say your use case is not important. That is a completely reasonable way to work. I just wouldn't say mounting home directories is an anti-feature. There just should be a way to turn it off.

      • kenanfyi

        today at 9:23 AM

        Well, maybe I should have used relativity unimportant. And yes there should be a way to turn them off. In OrbStack it was not possible to do that until lately.

Do these containers share a common kernel? Or are they each ran in a separate VM?

Edit: It's a VM per container. https://github.com/apple/container/blob/main/docs/technical-...

• leshenka

  today at 4:49 PM

  Isn't it wasteful? I know it's a "tiny" vm but still is a vm

  • pjmlp

    today at 6:05 PM

    See Kata containers.

    https://katacontainers.io/

    For ultimate security, containers alone aren't enough.

    Windows is also having a similar feature on top of WSL, announced at BUILD.

    https://github.com/microsoft/mxc

Interesting from a Docker perspective, but I’m more interested in it as a sandbox for AI agents and untrusted code execution.

I wrote about that angle here: https://igorstechnoclub.com/sandbox-exec/

Feels like the spiritual successor to sandbox-exec, but with VM-level isolation.

• avel

  today at 2:41 PM

  Yes, that article states that as well under limitations: "Deprecation status: While functional, Apple discourages its direct use in favor of App Sandbox for developers."

This is awesome! I just added this as a backend for yoloAI on Mac, and wow... super fast startup times now!

Will this be able to replace docker desktop an equivalents, removing the expensive Linux VM that runs alongside them?

• thejazzman

  today at 1:09 AM

  It mostly removes the big shared background VM and replaces it with smaller, more isolated Apple-native VMs.

  I did an experiment migrating my Podman workload to Apple's container @ https://gist.github.com/jmonster/39e14585e107dbf990a90966c0f...

  TL;DR reduces ram/storage usage; minimizes it's existence

  • deathanatos

    today at 1:50 AM

    How does that work, realistically?

    > Memory defaults to half of host memory

    That's the most expensive part of the whole transaction, b/c AFAIK, RAM is then dedicated to the VM. It can be swapped out, I suppose, but that's not great.

    • MBCook

      today at 3:45 AM

      CGamesPlay said above its balloon memory so it won’t use all that memory by default, but it can’t release balloon memory yet.

  • nozzlegear

    today at 2:55 AM

    Nice, thanks for this. My plan is to swap over to Apple's containers for local dev, and keep using podman quadlets in production.

• usernametaken29

  today at 1:25 AM

  My first thought as well, docker desktop overhead is pretty bad, would be awesome to see this land natively in DD. By my estimate this could happen, seeing as Docker has historically tried to improve performance but quickly had to accept platform limitations… would only be natural to settle DD over to containers

  • deathanatos

    today at 1:46 AM

    Well, you can avoid the Docker Desktop tax by not running Docker Desktop. colima is a perfectly usable implementation of Docker for macOS, without the bloat of Docker Desktop.

    That said, colima still has the expensive VM that upthread is mentioning.

    • TimTheTinker

      today at 1:58 AM

      OrbStack is great also

      • CarlitosHighway

        today at 9:33 AM

        until they remove the free tier and raise prices, once their user base is sufficiently reliant on it.

        • TimTheTinker

          today at 2:23 PM

          I had no idea they have a free tier. I've been paying for a couple of years and it's been so worth it.

      • phinnaeus

        today at 3:28 AM

        Postman Desktop too

        • rawland

          today at 6:01 AM

          You mean Podman Desktop?

          • phinnaeus

            today at 6:42 AM

            Yes, thank you iOS autocorrect.

• binsquare

  today at 5:37 AM

  Linux VMs on doesn't have to be expensive!

• lxgr

  today at 9:18 AM

  This explicitly provides a Linux VM, which seems hard to do without providing a Linux VM.

  The use case is actually the opposite of what you seem to want (i.e. running Linux containers on macOS without a Linux VM); this uses a Linux-based container implementation of macOS to provide a long-lived Linux VM that looks more like a VM itself than a container.

• lostlogin

  today at 1:31 AM

  Others here mention it and I’m a new convert to Colima.

  The pain of working around Docker Desktop is bad.

• prmoustache

  today at 11:23 AM

  this is more like toolbox/distrobox equivalent for MacOs, but running in individual VMs.

• trollbridge

  today at 1:08 AM

  That sure would be nice. I seem to rm -rf ~/.colima every few days.

• today at 2:00 AM

So essentially both macOS and Windows now heavily support developing using Linux on them. They can't more openly admit that they are no match for Linux in that area.

There's some clever advertising in it for Linux, if Linux was advertising.

• rahkiin

  today at 6:47 AM

  I’d argue they both admin that Linux servers are the target for a lot of applications to run on. Not to develop on.

• artistonn

  today at 10:35 AM

  Linux also can't openly admit that it's no match for macOS/Windows on the desktop, which is why we have this hybrid situation - macOS/Windows desktops running Linux VMs

  • krzyk

    today at 11:22 AM

    Unfortunately there are more and more users on Linux and as a result windowsization/macosization of Linux is in progress (systemd, wayland, some scary stuff Poettering is doing with boot, snap/flatpack).

    • cromka

      today at 2:08 PM

      How is that a problem? Both systemd and Wayland helped tremendously in unifying Linux for desktop use, which together with Flatpak enable more 3rd party software to get official support. Yes it adds complexity but it's all still developed in an open fashion and you get very good insight into how things work. With Windows and macOS you have no clue what's happening in the background, or very little.

      • krzyk

        today at 2:21 PM

        It is done in the open, but it adds complexity and it removes that made Unix/Linux great - composability, variety and replaces it with corporate introduced "stuff". And any distro is forced to support those additions because corps owning Fedora, Redhat, Ubuntu just rule the Linux world, and event Debian gives up.

        As long as there are just few "normies" using Linux, it is safe from corporations adding their "security", "safety" etc.

        • cromka

          today at 5:35 PM

          The point is you NEED those things if you want wide adoption of Linux, which, in turn, is a necessary condition for commercial software to get ported over to Linux. You just can't have both. We need a middle ground I believe 2026 desktop Linux is exactly that: a good compromise.

        • hedora

          today at 3:35 PM

          You can still run devuan. I highly recommend it, though FreeBSD got really good over the last few years, and is even more insulated than devuan is.

          I currently have one systemd infected machine, two devuan machines and two freebsd. Next step is paving the systemd one (it randomly craps out) and probably putting FreeBSD on it, but I’m on the fence. It’s a family member’s machine, and devuan is less change.

  • regexorcist

    today at 12:41 PM

    This is a tired cliché. Today, a modern Linux desktop like KDE Plasma just works and more importantly, gets out of your way unlike obnoxious MacOS and Windows. Aside of that you get the most advanced OS in the world where the thing being discussed here is a decade old.

    • QuiEgo

      today at 12:53 PM

      The issue with Linux isn’t the software, it’s the hardware. Apple Silicon Macs are still the nicest laptop hardware by a huge margin. All the Linux-native options are, at best, “okay”.

      • regexorcist

        today at 1:13 PM

        Agreed, the Linux laptop story is pretty dire compared to Apple hardware. My travel laptop is an M1 with Asahi.

        • cromka

          today at 2:01 PM

          Same here but after 4 months with Asahi on M1 I wouldn't trust it fully. Had 3 freezes/reboots so far and WiFi often hangs on resume to the point I need to rmmod/modprobe.

• pjmlp

  today at 12:10 PM

  Not really, this means the complete defeat of The Year of Linux Desktop.

  Linux games depend on Windows ecosystem as their content source.

  By having Linux nicely packaged in containers, they get to keep the 90% combined market share, almost no one bothers to support the market of Linux OEMs selling pre-installed Linux desktops and laptops.

  The other "distros" used by consumers are Android, WebOs and going forward Googlebooks as Chromebooks evolution.

  Meaning in the end a Pyrrhic victory, when Apple Linux, Microsoft Linux, Google Linux, Asus Linux, LG Linux, is all that the general public cares about, and hence no incentive for IT departments to support Linux laptops.

• plutokras

  today at 7:21 AM

  Enterprises would do anything to develop on Linux except using an actual Linux distro.

• neop1x

  today at 10:18 AM

  A lot of devs needs to use linux but they still use it just as a VM (Mac) or in some kind emulation (WSL). How pathetic.

  • cromka

    today at 2:03 PM

    If they need to, it's because it's their work computers. Otherwise it's a choice.

  • nozzlegear

    today at 6:02 PM

    What's pathetic?

Anyone know why you would use this instead of QEMU+Lima+Colima+Docker/containerd? The latter works on multiple OSes, has a very large ecosystem of tools, images, documentation, and lets you replace pieces as needed

• CarlitosHighway

  today at 9:54 AM

  From a layman's POV ("I just want to run my containers I need for dev work"), there's no point in switching to this for now. It's just cool that Apple cares enough about containers and might come up with an Apple-like built-in solution some day, this is the groundwork.

  I'd stick to Colima, or Orbstack if you trust them enough to not do a rug-pull once their users are reliant on them enough to pay any amount.

• lxgr

  today at 10:18 AM

  QEMU has worse performance than Apple's native virtualization framework on macOS, for one thing. That said, Lima supports the latter as well.

  • einsteinx2

    today at 4:27 PM

    Yeah I was gonna say I use Colima with Apple’s virtualization framework (it’s not the default for some reason but it’s a single command line flag), and found it works better than QEMU (better performance and resolved some bugs I was running into with the Supabase docker stack)

Apple containers are great for providing a sandbox to your AI coding agents

I have made it a MCP so that it's easily discoverable by all the coding agents

https://github.com/instavm/coderunner

It's funny that the system config page (https://github.com/apple/container/blob/main/docs/container-...) lists pebibytes for RAM configurations... in this day and age where buying a 16GB stick for workstation would cause me to eat instant ramen for a couple of months because my dentist needs an LLM chatbot on their page to stay competitive!

UX wise it looks kinda neat though!

• borborigmus

  today at 4:01 PM

  Signed in just to say LoL at the dentist comment.

How would I replace docker compose containing multiple services that communicate with each other with this? Seems cool for an individual service.

Is this new? I thought we had this already

In my testing (iirc) filesystem performance was not good enough to be usable with node/rust dev where lots of small files get stat-ed

update: what's new is the `container machine` subcommand. I went to test it out, but container failed to run at all for me: https://github.com/apple/container/issues/1681

• kdrag0n

  today at 2:02 AM

  Curious if you've tried OrbStack? There's always more work to do (test workloads appreciated!) but we've put a lot of effort into optimizing for small files and other common developer workloads in OrbStack's customized filesystem sharing protocol (not standard virtiofs).

• ahknight

  today at 2:53 AM

  Podman is on macOS, FWIW. Uses the existing container framework to run the machine already. Root-full or not.

• dchest

  today at 6:37 AM

  Did you use their volumes for node_modules or a shared dir? I mounted the whole project directory (with node_modules) inside the container and it seems to work fine (MBA M1 8 GB RAM).

I still can’t use Containers because of a broken DNS implementation. I suppose I could manually set the DNS as I switch on and off VPN, but I don’t have to with Finch, Podman, or Docker Desktop.

Just to clarify, this requires Mac OS 26 Tahoe for "container" doesn't it? So those of us holding out on Sequoia who can't stand the broken glass UI or what's called and the other undesired features need to stick to Docker desktop.

• masklinn

  today at 12:05 PM

  > Just to clarify, this requires Mac OS 26 Tahoe for "container" doesn't it?

  Yes’n’t: https://github.com/apple/container/blob/main/docs/technical-...

  > container relies on the new features and enhancements present in macOS 26. You can run container on macOS 15, but you will need to be aware of some user experience and functional limitations. There is no plan to address issues found with macOS 15 that cannot be reproduced on macOS 26.

  The issues are around networking.

• niek_pas

  today at 9:35 AM

  It seems macOS Golden Gate (the upcoming version) fixes quite a few of the problems with Tahoe, so you might consider skipping Tahoe entirely.

• coldtea

  today at 9:12 AM

  >those of us holding out on Sequoia who can't stand the broken glass UI or what's called

  Maybe hold 1 release back, but other than that, I don't think "holding out" on macOS releases has ever been a winning strategy.

  In the end, macOS model presupposes users moving to the latest release sooner rather than later.

• jrochkind1

  today at 1:21 PM

  I turned off what "glass" UI I could with config, and it's not too different than Sequoia, got used to it pretty quick. Obviously the things not supported on an old OS will keep increasing, until eventually it is EOL'd.

  • nozzlegear

    today at 6:05 PM

    I didn't make any adjustments and hardly ever notice Liquid Glass on macOS. To me, it's only ever noticed if I hang out in the control center/notification center all day.

• egorfine

  today at 11:22 AM

  Yeah I use Tahoe and I can't stand the liquid glass.

  It looks like Golden Gate fixes this design a lot.

• jorisw

  today at 7:27 AM

  [dead]

The costs are startup time and image compatibility: dockerhub images don't work as machine images because container machine expects systemd

I am trying it on but its brekaing on homebrew 1.0.0. The formula puts plugins at opt/container/libexec/container-plugins/ and the apiserver looks in libexec/container/plugins/

This can be solved through a symlink or smth

• masklinn

  today at 5:46 AM

  > dockerhub images don't work as machine images because container machine expects systemd

  Are you sure about that? A few comments above a commenter states that they don’t run inits at all (because they ran alpine), multiple people replied that it works fine if you give it an image with an init, and they acknowledged their error.

This appears to be an LXC-style alternative for macOS; however, unlike native LXC on Linux, this tool relies on VMs. While Docker and Podman also utilize a VM on macOS, they offer the advantage of the Docker Compose format. In my view, the ability to use YAML for declarative configuration is the most critical feature for any container tool. I have nothing against CLI tools in general, but I prefer avoiding repetitive manual commands that could be easily automated via Docker Compose or Kubernetes manifests.

• notpushkin

  today at 8:33 AM

  Apple does have an OCI variant of this: https://github.com/apple/container

  Doesn’t seem to have Compose support though, but it’s probably not impossible to build upon.

  And of course, it also uses VMs, though unlike Docker, it’s one (micro-?) VM per container: https://github.com/apple/container/blob/main/docs/technical-...

Is there any reason why macOS doesn't try a WSL1 style approach? I get why that didn't fully work out for windows, but it seems like macOS being another *nix would make a lot of what was hard for windows, easy for mac. It seems like it should be possible to run most linux applications natively on macOS with few additional new APIs.

BSD actually has this already.

• qalmakka

  today at 5:52 AM

  FreeBSD has Linuxlator because there is a lot of binary only software that was never and never will be ported to BSD, so it's necessary for them in order to avoid bleeding users away. Conversely, macOS has basically all software ported natively to it, so when you _need_ a Linux environment 95% of the time it isn't because you need $XYZ that only run Linux, but because you need a proper Linux environment with systemd, cgroups etc. Implementing that stuff on top of XNU would probably be extremely expensive and it would arguably defeat the point of having their own kernel in the first place.

  • cogman10

    today at 4:00 PM

    > Implementing that stuff on top of XNU would probably be extremely expensive and it would arguably defeat the point of having their own kernel in the first place.

    I'm not sure how it'd defeat the point of having their own kernel.

    As for cost, possibly, but it would really be a huge boon to macOS for software devs. It's hard for me to believe that Rosetta isn't similarly costly, but it's been done because running x86 software is still very much a necessity for MacOS.

• twoodfin

  today at 2:47 AM

  What would be the advantages over a VM infrastructure Apple needs anyway and that has a much simpler, more stable “ABI” compared to the Linux kernel?

  • cogman10

    today at 3:00 AM

    Potentially faster application execution along much lower memory requirements. In the case of docker, even a possibility of shared library loading further reducing runtime costs (For example, containers based on the same base image could load glibc into memory only once).

    There's also simply the possibility of using linux software directly in macos without doing OS dependent changes to the software.

    • MBCook

      today at 3:49 AM

      Yeah. But in exchange it’s a lot of work to keep up with. For GUI stuff you’re now having to have some sort of Wayland layer/driver.

      Running VMs is really really easy and low maintenance demand on Apple. And it’s guaranteed compatibility.

      Wasn’t compatibility what really sunk WSL1?

      • skissane

        today at 4:39 AM

        > Wasn’t compatibility what really sunk WSL1?

        Yes, but a big part of the problem with WSL1 was the size of the conceptual gap between POSIX and Windows NT that WSL1 had to bridge. An “MSL1” would likely have fewer problems because the gap between macOS and Linux is smaller, given they are both POSIX

        The other thing Apple could potentially do, is add Linux-compatible APIs to macOS. IBM wanted to support Kubernetes on their z/OS mainframe operating system, so they implemented on it a clone of Linux namespace APIs, e.g. unshare. Then we could have macOS nodes in a K8S cluster-which might actually be useful for some people, e.g. if you have a Jenkins CI farm, the Linux nodes can run on K8S, but currently macOS nodes (which you need if you are targeting iOS or macOS) can’t, they have to be bare metal or VMs.

        More Linux-macOS source compatibility would also benefit macOS by making it less work to port software to it from Linux

        • qalmakka

          today at 5:54 AM

          Linux and the BSDs take APIs one from the other all of the time. The issue with having a Linux ABI is that you don't need just the few APIs you're missing, you need to implement the WHOLE Linux API and it has to be _perfect_, otherwise stuff will randomly break. I loved the original WSL, I had to use it for a time period back in the day when I was stuck on a Windows PC, but it can't be denied it was full of random bugs

          • cogman10

            today at 3:57 PM

            The original WSL proves that you actually don't need to be perfect or to have the entire ABI to be pretty useful.

            It's true that missing ABIs will cause random crashes and problems. However, a lot of apps can run with a minimal set of ABIs.

      • coldtea

        today at 9:18 AM

        >for GUI stuff you’re now having to have some sort of Wayland layer/driver.

        The target for this isn't GUI stuff.

        • MBCook

          today at 1:17 PM

          Generally I’d agree but the comment I replied to mentioned people running Linux applications and in my mind that means GUI.

          Maybe that’s not what they intended.

They shouldn't bury the details about how the containerization actually works.

I've looked into replacing Lima with Apple Containers for https://runmachine.dev.

However, unlike Lima, an Apple Container is not a full VM, so you cannot SSH to it, or forward SSH-agent signatures into a machine.

So it's more of a devcontainer story, which is also a great use case. Nice to see Apple creating tooling around their VZ framework.

Edit: referential clarity.

• binsquare

  today at 5:36 AM

  Might consider https://github.com/smol-machines/smolvm

  It's a full vm

I'm surprised they cared enough to do this. I'd still rather use Linux but MacBook value is incredible.

• marssaxman

  today at 2:37 AM

  I'd always rather use Linux, but sometimes your employer gives you a MacBook. I might use this tool.

So are there any benchmarks that compare all containers / docker / Lima / Colima / virtual box / VMware / orbstack and others ?

In the intro it mentions automatically mapping user and home dir. So host files accessible the container. Any settings to control this?

Python binary wheels now have to be built for aarch64 for them to work inside the container, unless they are built using the corresponding build system while installing. It is not common for python binary libs to publish arm64 binary wheels, as most often they target amd64.

• KeplerBoy

  today at 7:50 AM

  Isn't that just expected for modern macOS devices? They have been on arm64 for 6 years now.

  • coldtea

    today at 9:15 AM

    This however is for Linux containers on macOS, and for those the deployment target are not usually/necessarily arm.

    (Plus, you could always even have amd64 linux containers on macOS AS, with good performance, via Rosetta2).

We have WSL at home.

Handy for sure!

In production though, I've moved completely to systemd isolation of apps, rather than Docker-like containers; essentially blackboxes and present a supply chain threat. There's also a DRY principle here. Verification of a host presents a much smaller surface area.

• bityard

  today at 4:20 PM

  > moved completely to systemd isolation

  On MacOS?

Most of my team's development happens on beefy desktop machine in incus containers per dev+project (so you run yourname-projname-dev). It has its own tailscale inside so you can open it like regular https website or give to another dev to check out – no need to deploy your branch somewhere, just run it. New dev onboard takes 10 minutes from zero to dev env with VSCode remote development.

I would really love if apple could give inexpensive way to run amd64 containers for situations when dev wants to use their own hardware. We've used LIMA for now, was too much of a hussle. But if there's a more native experience – would give it another try.

Wouldn’t it be nice if services like Codespaces or Coder or Gitlab would allow you to target running on their hosted/integrated platform, or let you launch that same container completely locally? Sometimes I wanna take my “remote” dev environment off-line but still benefit from the integrated UX.

• RossBencina

  today at 2:04 AM

  This exists. It's called devcontainers and there is a cli for managing it locally.

  https://github.com/devcontainers/ https://containers.dev/

• CGamesPlay

  today at 1:58 AM

  If you can express that operation in Terraform, then Coder would let you do that. First problems I can think of are connectivity from the Coder provisioner to your local machine (Tailscale? Local?), and migrating disk images if you want to actually switch a workspace between environments (local provisioner could do this, but no matter what it’ll be slow and janky).

• jayd16

  today at 2:04 AM

  Maybe I don't understand but why doesn't Gitlabs self hosted setup work?

How is this different from Virtualbox or similar products with a shared folder with the host machine? I expected that existing virtualization tech for Macs already did that. Maybe the improvement is having nothing to configure.

By the way, is it headless or can it run a full Linux desktop? Use case: buy a Mac, uninistall whatever can be uninstalled, run the Linux VM as primary desktop forgetting MacOS and without going through Asahi and the incomplete hardware support.

• iririririr

  today at 7:27 AM

  it differs by lacking all the cool options that makes vmware and virtualbox good products, but apple users will praise it as a benefit

  "bind mounts? I'm better without it"

  • coldtea

    today at 9:18 AM

    Funny how confidently people can mock while knowing nothing about the specific tech discussed and the different targets. I'd google: VirtualBox vs containers.

    • pmontra

      today at 10:59 AM

      It's called a container machine but it's a virtual machine. I quote from https://github.com/apple/container/blob/main/docs/technical-...

      > container runs containers differently. Using the open source Containerization package, it runs a lightweight VM for each container that you create. This approach has the following properties:

      > * Security: Each container has the isolation properties of a full VM, using a minimal set of core utilities and dynamic libraries to reduce resource utilization and attack surface.

      > * Privacy: When sharing host data using container, you mount only necessary data into each VM. With a shared VM, you need to mount all data that you may ever want to use into the VM, so that it can be mounted selectively into containers.

      > * Performance: Containers created using container require less memory than full VMs, with boot times that are comparable to containers running in a shared VM.

      So: you build it as a container image and MacOS starts a VM to run it.

      Edit: quite unusually for a container it runs systemd. They give an example "systemctl start postgresql".

With the BUILD and WWDC 2026 announcements, it is the Year of Linux Containers Desktop.

Which for many folks is good enough for what they are doing, thus the status quo of desktop platforms will hardly change for current form factors.

Could this allow us to use proton on mac maybe?

• xd1936

  today at 4:24 AM

  This is hilarious. Next year, the PC gamers will be saying "The best Windows gaming experience is win32 on Linux on macOS Containers".

  • aurareturn

    today at 4:40 AM

    The fastest (Geekbench 6) Windows laptop in the world is actually an M5 Max Macbook running Parallels running Windows.

  • mohamedkoubaa

    today at 3:33 PM

    I think there's one too many layers of graphics driver indirection for this to work

  • kergonath

    today at 6:23 AM

    Wine works fine on macOS, there is no need for a Linux layer.

  • Gigachad

    today at 4:34 AM

    I mean at this point literally anything works better than Windows.

    • pjmlp

      today at 5:03 AM

      Except game development, hence Proton.

      • asimovDev

        today at 5:21 AM

        it always gets a sad chuckle out of me to hear that some native linux ports run worse than the windows version under proton. i think valve games are like that (l4d2 for example) and recently I think Hollow Knight: Silksong was like that

        • Gigachad

          today at 5:27 AM

          I think at this point native linux ports are somewhat a thing of the past. The problem was that the ports were usually contracted out to a 3rd party and rarely updated or cared for that much. There was also the issue that they often relied on dynamically linked libraries provided by the distro rather than static linked libraries bundled with the game. So stuff that did work would break on distro updates.

          The proton model has the benefit that bugs on linux can be fixed by Valve and the Wine community. While bugs in an official linux port can only be fixed by the game publisher which rarely happened. There also seems to be virtually no downsides to running a Windows game in Proton. These days I don't even bother checking the Wine DB or proton rating because unless the game is deliberately blocking linux via anti cheat, it will just work.

          • pjmlp

            today at 5:55 AM

            The irony that without Windows there are no Linux games, eventually Linux folks will learn about OS/2 history in regards to Windows compatibility features.

            Linux will stay forever a headless operating system great for embedded, server rooms and containers.

            We have all limited time on Earth, and eventually Valve won't be around as it used to be, might even be acquired, sold, whatever, then what in regards to Linux gaming?

            • Gigachad

              today at 6:06 AM

              Wine existed before Proton, Valve made it better but the project doesn't rely on Valve. Currently Linux is the best gaming experience. Zero bloat or nagware, everything just works. It's just ironic Wine/Proton ended up being the best platform for gaming on Linux. I don't think anyone expected it to run so well with virtually no performance impact.

              Now with the Fex project, it might end up that running Windows games on linux on a modern ARM processor could be the best way to game going forward, especially for mobile platforms like the SteamDeck.

              • pjmlp

                today at 6:31 AM

                The best gaming experience are Switch, PlayStation, XBox, iOS, Android, the very definition of everything just works, and no kernel drivers to worry about.

                • gf000

                  today at 6:55 AM

                  You just listed concrete hardware (with the exception of Android). That's a category error, of course a fixed hardware with specialized software will have less inconsistencies.

                  • pjmlp

                    today at 7:17 AM

                    You would be happier if I listed the respective OSes instead?

• bel8

  today at 6:25 AM

  I don't think so. This is a VM, closer to WSL2.

  Proton is based on Wine which translates Windows instructions to Linux.

  Besides there's already Wine for mac.

  But I would love to be wrong here.

Seems like wsl (windows subsystem for linux)

I'm pretty sure this is not the use case at all but man do I miss bootcamp. Even for games if we could just run linux without a need for crossover, gaming on mac machines would be a dream.

Oh, I hoped it would be macos contained in those containers. Container for Linux are in millions, while I don't know if there are any with macos inside.

I was wondering if it's possible to have the container volume change to, say, an external drive. I currently use QMEU with qcow2 images to achieve this, works well enough.

• opengears

  today at 6:07 AM

  Also works with UTM.

Every time I see Apple flaunting Linux containers I can hardly consider it as anything but admitting defeat. It could easily be Darwin, if they still had the capacity.

• Danox

  today at 6:12 PM

  Darwin is open source still available (anyone who has the guts and talent) can pick up the gauntlet it’s been about 26 years. For example, those three engineers who left Apple to form Nuvia (to bad they didn’t want to do a OS to go along with hardware).

  https://en.wikipedia.org/wiki/Darwin_(operating_system)

  https://github.com/PureDarwin/PureDarwin

  https://www.reddit.com/r/MacOS/comments/1b75xlv/why_is_darwi...

  https://x.com/LeakerApple/status/2018467873308786771 Nuvia

• groundzeros2015

  today at 2:51 AM

  Just change 30 years of internet history

  • al_borland

    today at 3:54 AM

    For what it's worth, the first web server was a NeXTcube, and NeXTSTEP was the foundation of macOS.

• tw04

  today at 2:53 AM

  What is the alternative? They gave up the server market a decade ago and before that they barely actually supported it.

  If they were to support darwin containers, what would be the point? Literally nobody would build to it, Linux won.

  • riffic

    today at 2:59 AM

    > Literally nobody would build to it

    because nobody does ci/cd against macOS or iOS apps right?

    • tw04

      today at 3:05 AM

      And what is the revenue stream tied to that ci/cd pipeline they aren’t capturing today? Apple would sell less hardware in order to…?

      There aren’t any app developers avoiding the Apple ecosystem because there aren’t Darwin containers. They don’t sell server hardware and by all accounts have no intention of ever reentering that space. So they’d spend a bunch of developer cycles to reduce their own revenue stream with no apparent upside beyond “goodwill” which they’ve never been overly concerned about.

      • m132

        today at 3:25 AM

        Correct me if I'm wrong, but by the same logic, you could also say this whole containerization framework is of no use either.

        If they're investing resources into it regardless, they might at least try making something that Docker for macOS and co. haven't solved the same exact way already. Something that, due to their almost unhealthy obsession with "system integrity", only they can realistically make. Like native containers.

        • tw04

          today at 3:35 AM

          Supporting the containerization framework lets them sell more laptops to Linux devs that may have otherwise bought a Dell or hp or insert brand to run Linux natively on or windows with WSL.

        • MBCook

          today at 3:52 AM

          Containers are REALLY REALLY popular. This is a a great value add for developers on Mac who need to deal with Linux containers.

          Which is a ton of ‘em.

    • pjmlp

      today at 6:35 AM

      They already support this scenario with XCode Cloud, it is only a market for those that don't want to pay Apple for it.

• ahknight

  today at 2:51 AM

  [dead]

• TheDong

  today at 3:01 AM

  Apple set itself up for defeat in the server and developer marketplace as soon as they decided macOS was proprietary code.

  Why would any serious developer use closed-source code they can't debug and modify? Especially for a production server?

  It's the same reason no serious developers or hackers use macOS, like part of the point of being a developer is being able to dig into the code at any layer and debug and fix things.

  • bschwindHN

    today at 5:08 AM

    > It's the same reason no serious developers or hackers use macOS

    I know I'm basically taking the bait, but I guess I've not been "seriously" developing stuff for the past decade or two, which is news to me!

  • m132

    today at 3:17 AM

    OpenDarwin was a thing at one point, with mailing lists and other infrastructure hosted by Apple.

    That being said, my point isn't that Apple should absolutely focus on making a server OS again. It just saddens me how far behind macOS has fallen as they stopped caring about the fundamentals; back in the day, it would be Linux trailing behind macOS. Nowadays, you can't even have multiple routing tables on the latter, the firewall code was probably last updated in Snow Leopard, and what Apple happily shows off on WWDC is a wrapper around Linux. Something functionally equal can be cobbled up together by anyone sufficiently experienced in minutes, using just Bash, OpenSSH, and QEMU.

    I really wish macOS would let me have a similar level of control over applications as Linux with namespaces, without me having to do all the heavy lifting.

    • alwillis

      today at 6:08 AM

      > Nowadays, you can't even have multiple routing tables on the latter, the firewall code was probably last updated in Snow Leopard

      Apple uses OpenBSD's Packet Filter [1]; I doubt multiple routing tables are a problem. Back in the Snow Leopard days, it was FreeBSD's IPFW, which is also no slouch.

      Whatever a firewall can do, PF can do it.

      You can also get a nice GUI for PF [2].

      [1]: https://www.openbsd.org/faq/pf/index.html

      [2]: https://www.murusfirewall.com/murus/

      • m132

        today at 9:22 AM

        Yes, I meant pf. Indeed, it was there in the source tree in 10.6 but they only flipped it on it in release builds in 10.7. My bad. Either way, it has hardly changed since then, while the OpenBSD upstream continued to progress.

        > I doubt multiple routing tables are a problem.

        The lack of them is a limitation for me (complex VM + VPN setup), which requires me to do pretty unholy static routing and address rewriting with pf.

        I think even Apple has come across this; they added "scoped routing" (which IMO is a hacky workaround providing some of the functionality you'd get with multiple routing tables) just before iOS shipped with MMS support. Android, for comparison, uses Linux's routing policies and tables to send and receive MMS.

    • alwillis

      today at 6:17 AM

      > OpenDarwin was a thing at one point, with mailing lists and other infrastructure hosted by Apple.

      "Exploring Darwin and PureDarwin: The Open-Source Foundation of Apple's Operating Systems" - https://machaddr.substack.com/p/exploring-darwin-and-puredar...

  • pjmlp

    today at 5:04 AM

    Apparently game, desktop and app devs aren't serious.

  • vehemenz

    today at 3:16 AM

    No offense, but serious developers don’t think this way at all.

    • bel8

      today at 4:30 AM

      For server side, which I believe is the context here, Linux and open source are king.

      Even Microsoft gave up on Windows and just runs Linux most things except niche cases. Heck, even SQL Server which is expensive piece of machinery got ported to Linux and that's the default target now in their docs.

      With that said, one can't deny Apple's success on the b2c side of things so it feels wrong to call their strategy a failure.

      • pjmlp

        today at 6:33 AM

        Except the cloud isn't open source, the ones that matter to developers that is.

        Which is why so many projects get burned with their license choices.

        • gf000

          today at 6:58 AM

          I don't see how this comment is relevant to parent's point. Sure, cloud is proprietary. But it is Linux for the vast majority.

          • pjmlp

            today at 7:13 AM

            Which is an Pyrrhic victory, when Linus and other founders are long gone, most of this generation actually, what will subsist are proprietary forks, just like what happened with UNIX System V.

WWDC presentation video:

Discover container machines

https://developer.apple.com/videos/play/wwdc2026/389/

Why did they have to invent their own solution instead of just shipping docker or an equivalent clone ?

• nottorp

  today at 7:45 AM

  Isn't docker on mac os still a large preallocated linux VM that runs the containers inside itself? With this maybe you can separate them.

With colima I can run AMD64 (x86) Linux containers in my Arm64 too. I think this is strictly for Arm64 Linux VMs, or is there some way to run x86 with this too?

• jdub

  today at 8:38 AM

  You can run amd64 binaries inside an aarch64 Linux virtual machine. Although they're not supporting Rosetta for macOS apps from macOS 27, the Rosetta support in Virtualization Framework will remain.

  • andor

    today at 3:02 PM

    Did Apple officially confirm this or is it based on the statement regarding games?

    • jdub

      today at 3:51 PM

      [dead]

• cpach

  today at 5:21 AM

  What’s the performance when you do that?

• frizlab

  today at 1:30 AM

  Rosetta should be supported

  • whycombinetor

    today at 4:49 AM

    Not for long!

    • commandersaki

      today at 5:08 AM

      Very unlikely to lose support for Rosetta for Linux. Maybe just Rosetta 2 for mac apps.

      • whycombinetor

        today at 4:13 PM

        Oh, didn't read that part of the news. That's great. Ability to run x64 docker images seminatively was one of the big reasons I jumped to the M1 platform when it came out and I was baffled that they would remove it.

This is pretty cool - being able to bring your own container machine image goes a long way to helping it's adoption.

I started using Colima a couple of years ago because I got bored of how bad Docker Desktop was and just started using the CLI / the "Services" tool window in whatever Jetbrains IDE I was using at the time anyway. I can't see myself moving away from it any time - having multiple profiles is an absolute winner of a feature for me there, but maybe the next time I set up a Mac from scratch I'll have a play with this.

Always nice to have more options especially without third party tools

Why it is important ? We have Docker for containers, right ?

I looked at this last year when it came out in Tahoe: https://anil.recoil.org/notes/apple-containerisation and this looks like more of the same.

They've now added a WSL-style virtual machine layer, but there's no x86 container story (Apple's killing Rosetta) so I imagine some qemu shimming will be required.

There's still no equivalent to VPNKit or GVisor for networking so you'll be bridging I think. See: https://cacm.acm.org/research/a-decade-of-docker-containers/ for how Docker for Mac does this

I can't spot any support for dynamic memory ballooning to prevent the hypervisor from gobbling up too much memory. We've had this in Xen since forever! https://xenproject.org/blog/ballooning-rebooting-and-the-fea...

And, most obviously: NO SUPPORT FOR MACOS. This is the single feature that only Apple can do, and they're choosing not to implement it deliberately, and it's so stupid given the pains we all have to go through to implement CI for macOS. In the land of OCaml, we were forced to implement a custom ZFS snapshotter to get reasonably cost effective macOS CI for our package repository: https://tarides.com/blog/2023-08-02-obuilder-on-macos/. This was fun to build, but it sucks to have to maintain it.

Also, I'm really curious what the GPU passthrough story here is for LLMs, since the Apple Silicon -> Linux kernel support is gated on Asahi's support, but that's been lagging beyond M2 due to the efforts of reverse engineering.

Do better for your developers, Apple. This is a half-baked sweep across third-party software without addressing the core needs around your own operating system.

I hope this brought us one step closer to being able to run our distros of choice very freely and easily on a Mac.

It's been over a year since it came out, based on kata-container

And no GPU passthrough? So colima with libkit remains the only method on Apple Silicon?

Sounds like toolbox or distrobox for Mac!

This blew up spectacularly when combined with Time Machine, I wonder if that’s fixed.

• happyopossum

  today at 11:21 AM

  Considering that this project was published less than 24 hours ago I’m guessing you assume it’s a different project.

Would be cool if you can redirect USB devices to the VM.

• kdrag0n

  today at 1:45 AM

  We just released this in OrbStack :) https://docs.orbstack.dev/features/usb

  Blog post soon

  • blackqueeriroh

    today at 3:41 AM

    What happened to Orbstack for like 9 months until earlier this year? Suddenly everything went silent for a bit and I was pretty concerned. Glad y’all are back!!!!

  • calebm

    today at 3:02 AM

    Thank you for sharing this - I looked into OrbStack a few months ago, and this was the reason I didn't use it (as my primary purpose was to have an external wifi adapter for wifi pwnage).

  • commandersaki

    today at 2:17 AM

    Yeah I find this useful for redirecting storage/sdcard*, so you can format linux filesystems or use other tools.

    * need a usb sdcard reader for macbook pro cause the builtin is not usb)

    • kdrag0n

      today at 3:10 AM

      We're working on block device passthrough for the builtin SD reader.

• rgovostes

  today at 3:46 AM

  I've successfully tinkered with USB/IP with Apple containers, but it does require loading a custom kernel (which they make pretty easy, thankfully). On the host side, macOS also doesn't make it easy to unload a driver that attaches automatically.

• egernst

  today at 1:49 AM

  Agreed! There's some good improvements around Accessory Access in virtualization framework this year also - checkout: https://developer.apple.com/videos/play/wwdc2026/224/?time=2...

  • commandersaki

    today at 2:30 AM

    I wonder if the custom virtio can be used to support attaching the built-in sdcard readers on macs which aren't exposed as usb.

Im running Multipass on M1 for full linux VMs. Are container machines better?

• m1keil

  today at 7:26 AM

  Isn't multiphase is Ubuntu only?

  • sdevonoes

    today at 7:57 AM

    It used to be. Any image is allowed now.

I just want thunderbolt pci passthrough for these things.

• kdrag0n

  today at 3:43 PM

  Interesting, what devices would you want to pass through?

"LXC" for macOS?

WSL-like implementation on macOS?

I know its not going to be there but wish we had Windows as well.

• Cadwhisker

  today at 5:35 AM

  Install Windows 11 ARM under the macOS "UTM" App. This lets you run x86 Windows programs on Apple silicon.

Will this come to MacOS 27?

LE: nevermind, it is already on MacOS. Did not read everything.

• asxndu

  today at 12:32 PM

  [dead]

Is this going to be good for AOSP builds on Macs?

Would be nice if they also support Intel based macs, what prevents?

• MBCook

  today at 1:37 AM

  Apple won’t support them with MacOS 27, and it seems they announced this tool as part of this year’s WWDC.

  Basically: they’ve moved on.

• danhon

  today at 1:19 AM

  Allocation of a finite amount of engineering resources.

  • joshuat

    today at 1:22 AM

    And a legitimate business interest to further incentivize the adoption of Apple Silicon devices. Same with Rosetta deprecation after macOS 27.

    • JumpCrisscross

      today at 1:40 AM

      > a legitimate business interest to further incentivize the adoption of Apple Silicon devices

      Apple has never been about supporting legacy platforms with new features. And with over a quarter of revenue and two fifths of Apple's gross profits coming from services, one could argue the incentives run either way.

    • crote

      today at 3:08 AM

      Sure, but to what extent?

      Enterprise ARM servers are still a niche product, and so are the ARM developer machines running Linux or Windows. Until this significantly changes, Apple will have to provide good x86 interop - or lose the developer market entirely.

      Forcing people towards Apple silicon is of course an attractive approach when targeting the large portion of the market using their MacBooks as Facebook browsing machines, but (especially with the new MacBook Neo) what's going to happen when a large portion of the market for high-end MBPs disappears because it turned from the default no-brainer into a liability?

      • macintux

        today at 3:31 AM

        > Until this significantly changes, Apple will have to provide good x86 interop - or lose the developer market entirely.

        I'm very, very skeptical of this analysis. Certainly "entirely" is hyperbole.

      • solarkraft

        today at 6:23 AM

        That’s a joke right? I’ve been developing software deployed on x86 servers on ARM Macs ever since they were released.

    • ForOldHack

      today at 2:19 AM

      Rosetta 2. Rosetta was for Intel to emulate 68k, now if you could get Rosetta 2 to run under Rosetta, then you could run 68k, on an ARM, and if you could get the apple ][ emulator...

      • weikju

        today at 3:14 AM

        Rosetta 1 was for emulating PPC not 68k

• jdub

  today at 8:42 AM

  The underlying Virtualization Framework works on Intel Macs, but they'll miss out on new features landing in macOS 27 and beyond.

• teaearlgraycold

  today at 1:20 AM

  [flagged]

  • imglorp

    today at 2:50 AM

    I'll defend, not cringe for everyone.

    Daily driver is a 6yo, 32Mb mbp and it might not scream like an M5 or have the miraculous power draw of an M5, it gets my job done.

    One nice thing is x86 containers run natively: I run most of my $work landscape which is 40 or 50 k8s pods on top of Kind, which is itself a plain container. That mirrors my prod. That plus slack, zoom, ff with scores of tabs, etc. all while building rust and playing music.

    • MBCook

      today at 3:54 AM

      That is a far more useful reply than the GP comment. If they had stated something similar I don’t think they would’ve been downvoted.

      • teaearlgraycold

        today at 4:58 AM

        Poe's Law and all that, but I was trolling/shitposting.

  • ncr100

    today at 2:23 AM

    More power to ya!

  • Brian_K_White

    today at 1:29 AM

    cringe is cringe

Can Podman support these eventually?

• kosikond

  today at 11:25 AM

  There _is_ Podman Desktop extension for Apple Containers, however its socktainer version is ancient.

Is it just me or is the experience to get this up and running not feeling very Apple like? Is there no one liner to install or did I miss something?

Just curious, Apple seems to copy orbstack.. haven’t they made an offer to acquire you guys?

darwin containers when?

Is this similar to what cygwin was for windows? Could this be an alternative to homebrew?

What FS mounts the Mac drives into the Linux container ?

It was unclear to me, is this a native replacement for docker? I like docker (on mac) but its quite the resource hog.

I usually run like a db, redis, maybe something like rabbitmq/zeromq and have a app that uses these services (makefile/docker-compose).

I would love to switch if this in fact is a lightweight replacement.

• happyopossum

  today at 11:24 AM

  A native replacement for docker came last year with Apple Containers- this extends that.

• masklinn

  today at 6:59 AM

  On the one hand yes, on the other hand there are already multiple lighter alternatives to docker on mac.

I saw the video on this this is distrobox basically for Mac. It’s very cool. Seamless with your local files and the container. I’m very keen to try it.

ah, a rare step closer to plan9.

(you remote into a system and part of your environment comes with you; that's very Plan9-like.)

Can macOS be run as a container machine on macOS?

• blackqueeriroh

  today at 3:41 AM

  Yes

  • MBCook

    today at 3:55 AM

    Yep. For a few years. And they keep enhancing it too.

    It’s the only legal way to do so, due to the software license on MacOS.

looks like apple wrote a native docker in swift

you can now run linux containers on your mac

... but it could be better.

what about (totally contrived):

  FROM apple/macos:10.11.6

  RUN xcodebuild -project myapp.xcodeproj -scheme MyScheme -configuration Release

• webXL

  today at 1:07 AM

  Nice, but expect to page through a few pages of ToS during the build

  • m463

    today at 1:30 AM

    lol

      ENV XCODE_FRONTEND=unattended
      ENV XCODE_LICENSES=accept,firstborn,applepay,appleid=sjobs@me.com

• egorfine

  today at 11:24 AM

  > FROM apple/macos:10.11.6

  Yeah I was working on that, created a prototype. I don't see a business in it, so abandoned.

• trollbridge

  today at 1:08 AM

  Close - but it would be more like this:

    services:
      macos:
        image: dockurr/macos
        container_name: macos
        environment:
          VERSION: "15"
  

  (And indecently slow.)

• windowliker

  today at 1:33 AM

  It would be wonderful if this ran on older versions of macOS, but according to the README they only support 26.

  • m463

    today at 3:07 AM

    you do not understand... Not run on, run IN :)

    I'm saying the older version of macos could build/run INSIDE the container

    just like on a ubuntu 24.04 system you can do:

      FROM ubuntu:16.04
    

    or

      docker run ubuntu:16.04 
    

    and though I haven't tried it, I believe docker can do arm in x86 using an emulator (like rosetta)

    • windowliker

      today at 10:17 AM

      Oh right. I don't see Apple having any interest in supporting that given their current trajectory.

    • MBCook

      today at 3:57 AM

      You can already run older versions of macOS inside a VM on macOS.

      So it seems like in theory that should be doable if someone just made the container images right?

• today at 1:09 AM

• jadar

  today at 1:30 AM

  i wish!

[flagged]

[dead]

[dead]

[dead]

[flagged]

• al_borland

  today at 2:20 AM

  macOS only needs to support the hardware it ships on, so of course Linux would have wider hardware support, but that doesn’t really matter in context. The bigger question is what hardware to people actually want? I see most people drool over Apple hardware while not finding any suitable equivalent for the PC that they can install Linux on.

  Framework is trying to close that gap with their new release, but we’ll have to see how it is once people get their hands on it. I think it also comes at a price premium. There is always the Thinkpad route, but Lenovo burned just about every bridge with me a decade ago with things like Superfish. Where is the premium Linux laptop OEM that people can trust? Last I heard System76 was just rebranding Clevo hardware. What are people using? Dell? HP?

• hollerith

  today at 1:25 AM

  Sadly, Linux is much much less secure.

  • pixelatedindex

    today at 1:29 AM

    This claim is so absurd that I need some sources.

    • armadyl

      today at 1:56 AM

      The person you replied to is right, the "security" of Linux might as well be nonexistent compared to macOS and especially iOS/Android. Even the developers of Secureblue (https://secureblue.dev/) state that despite their hardening and mitigations Linux still lags far behind macOS (and possibly Windows) security-wise. The only Linux derivative that has proper security is Android, and even better GrapheneOS.

      https://privsec.dev/posts/linux/linux-insecurities/

      https://madaidans-insecurities.github.io/linux.html

      I also commented here on Linux phones, the same can apply to Linux as a desktop OS: https://news.ycombinator.com/item?id=46997397

      Also on top of that Linux/Windows laptops also lack the hardware-backed security that Macs and to an extent some Chromebooks have.

    • JumpCrisscross

      today at 1:44 AM

      Linux is easier to misconfigure. Macs resists being misconfigured insecurely. At their tightest, I'd say neither is fundamentally more insecure than the other. (The exception would be M5-based Macs, which come with MIE. Though that isn't a macOS vs Linux thing per se.)

      • armadyl

        today at 1:56 AM

        This is incorrect macOS is fundamentally more secure than desktop Linux operating systems and it isn't particularly close.

        No amount of Linux hardening will get a system even close to an M-chip Mac. Software insecurities aside, desktop Linux OS systems have almost none of the hardware-backed security benefits that Macs do.

        • TimTheTinker

          today at 2:01 AM

          At some point, lack of security becomes a feature. A fully secure, locked-down, T2 attested macOS is able to be controlled not just by Apple, but by increasingly evil governments, with no recourse available to users.

          • armadyl

            today at 2:07 AM

            Conversely, a Linux system with no verified boot can be easily tampered with without the user detecting it by people lower than the government such as casual hackers. So in a world where your government is going crazy, you're opting for an operating system that can be penetrated with relative ease (e.g. with persistent root malware) both by a non-government hacker on top of a state backed one.

            • JumpCrisscross

              today at 2:23 AM

              I'd also guess it's much harder to securely source components for a Linux build in the way Apple is able to.

              • armadyl

                today at 3:05 AM

                It's not really about supply chain security it's about the hardware itself. PC manufacturers in general just can't keep up since they don't have full control/integration over the hardware stack like Apple does. Also CPU, secure element etc security is limited but Qualcomm is catching up pretty quickly I believe if they aren't there already. We won't talk about Intel and AMD. But that's beyond my knowledge so I can't say anything too specific that's just what I have from general knowledge I'm sure someone will jump in with additional info if needed.

                I don't think Apple is particularly any more secure against the US government than Intel is with supply chain vulnerabilities but I have nothing to back that up with aside from vibes.

    • hollerith

      today at 5:05 PM

      OK. Here is a kernel developer explaining it recently on this site:

      https://news.ycombinator.com/item?id=48448345 // When people escalate privileges on MacOS it's news, when they do it on Linux it's Tuesday (you might think the recent spate of privesc vulns on Linux was unusual but that is totally normal). I say this as someone who works on Linux security every day (I am a kernel developer) and uses Linux on every computer I have, both at work and at home, BTW. I am not a Linux hater or Apple fanboy by any means.

      https://news.ycombinator.com/item?id=48444187 // I am just talking about the pure tech fact that GNU/Linux desktops do not have any meaningful intra-host security boundaries.

      https://news.ycombinator.com/item?id=48059250 // To convince me Linux is full of kernel LPE bugs, can you share some of the bugs? [answered by the kernel dev]

      I also have some cites of comments on Linux by the founder of GrapheneOS I could dig up.

    • dvhh

      today at 3:07 AM

      Security by obscurity worked quite well

so basically dockers

haven't we had hypervisor.framework for like years now?

Yeah but sitting in the tweak circles just to gather personal data about people to make them lose their minds is no bueno. Otipolfueriborsklineypoo

that thepolfus and the Otis and the bors and the alschweid and pretty much anyone in old the the gs gangstalk or just getting people info to sit in the same room as them to try and makr them go crazy deserve to brave hart quartered

• khazhoux

  today at 5:50 AM

  try unplugging your keyboard and then plugging it back in

I found it hard to believe I didn’t have a simple way of staying safe by installing an arbitrary application in a sandbox on macOS. (Restoring using Time Machine doesn’t count! :) )

This is a step in the right direction but requires any given developer’s buy-in first, right?