macOS Container Machines

> - Security: Each container has the isolation properties of a full VM, using a minimal set of core utilities and dynamic libraries to reduce resource utilization and attack surface.

> - Privacy: When sharing host data using container, you mount only necessary data into each VM. With a shared VM, you need to mount all data that you may ever want to use into the VM, so that it can be mounted selectively into containers.

> -Performance: Containers created using container require less memory than full VMs, with boot times that are comparable to containers running in a shared VM.

More details, including technical limitations (they’re looking for bug reports and contributions): “Container: Technical Overview” https://github.com/apple/container/blob/main/docs/technical-...

Which kernel is running, and is it hosted in hypervisor.framework, as is done with UTM (when not using the qemu mode)?

How is this different to bind mounts

I don’t really understand the hype for Apple’s Containerization, it’s just another container runtime alongside many others. It’s not really any better than OrbStack - in fact it’s worse.

Our biggest perf/resource gain is dynamic memory, which reduces memory usage a lot by releasing unused memory back to macOS. Nothing else supports this, including Containerization.

I gave Container Machines a try and it seems to be much closer to OCI containers with a default bind mount than OrbStack machines. It has fewer integrations and doesn't run systemd or any other normal init system, so it's hard to run services.

AFAICT it's pretty similar.

The Containerization framework is a library that sits as a layer on top of the virtualization framework. So each container is its own VM.

Machine is tooling above the containerization framework to run multiple things in a container in a vm.

But like having containers that need file watchers like vite dev server, or frankenphp in watch mode will overload OrbStack real quick since It seems to fallback to polling instead of listening to fs events.

So I'm stuck running vite dev servers and the like on the host.

[1] https://cheatsheetseries.owasp.org/cheatsheets/Docker_Securi...

i'd still use less permissive containers for things i don't feel comfortable installing on the host, e.g. npm.

And I think I would caution Apple to consider the lessons of WSL; having shared access to the filesystem is just the bare minimum. Next is networking (and god is this a rabbit hole with WSL), people will want to access their USB devices, X forwarding, GPU passthrough..

I did an experiment migrating my Podman workload to Apple's container @ https://gist.github.com/jmonster/39e14585e107dbf990a90966c0f...

TL;DR reduces ram/storage usage; minimizes it's existence

The use case is actually the opposite of what you seem to want (i.e. running Linux containers on macOS without a Linux VM); this uses a Linux-based container implementation of macOS to provide a long-lived Linux VM that looks more like a VM itself than a container.

The pain of working around Docker Desktop is bad.

The big thing with Windows laptops is historically, they were slightly more sluggish than Macs because the os/hardware wasn't optimized. On desktops with enough performance, Windows has been king ever since WSL2, considering you can do everything with that system (WSL2 can even run I3WM if you care enough since they have an X server).

Now with Spark and ARM, you can pretty much get a perfect laptop that supports gaming as a first party, can run any windows only software (like CAD for example), and also has WSL2 which is very natively integrated with windows to where it supports CUDA with native like performance.

A

Linux games depend on Windows ecosystem as their content source.

By having Linux nicely packaged in containers, they get to keep the 90% combined market share, almost no one bothers to support the market of Linux OEMs selling pre-installed Linux desktops and laptops.

The other "distros" used by consumers are Android, WebOs and going forward Googlebooks as Chromebooks evolution.

Meaning in the end a Pyrrhic victory, when Apple Linux, Microsoft Linux, Google Linux, Asus Linux, LG Linux, is all that the general public cares about, and hence no incentive for IT departments to support Linux laptops.

I'd stick to Colima, or Orbstack if you trust them enough to not do a rug-pull once their users are reliant on them enough to pay any amount.

Are you sure about that? A few comments above a commenter states that they don’t run inits at all (because they ran alpine), multiple people replied that it works fine if you give it an image with an init, and they acknowledged their error.

Yes’n’t: https://github.com/apple/container/blob/main/docs/technical-...

> container relies on the new features and enhancements present in macOS 26. You can run container on macOS 15, but you will need to be aware of some user experience and functional limitations. There is no plan to address issues found with macOS 15 that cannot be reproduced on macOS 26.

The issues are around networking.

Maybe hold 1 release back, but other than that, I don't think "holding out" on macOS releases has ever been a winning strategy.

In the end, macOS model presupposes users moving to the latest release sooner rather than later.

It looks like Golden Gate fixes this design a lot.

Doesn’t seem to have Compose support though, but it’s probably not impossible to build upon.

And of course, it also uses VMs, though unlike Docker, it’s one (micro-?) VM per container: https://github.com/apple/container/blob/main/docs/technical-...

"bind mounts? I'm better without it"

It's a full vm

https://github.com/devcontainers/ https://containers.dev/

Proton is based on Wine which translates Windows instructions to Linux.

Besides there's already Wine for mac.

But I would love to be wrong here.

https://en.wikipedia.org/wiki/Darwin_(operating_system)

https://github.com/PureDarwin/PureDarwin

https://www.reddit.com/r/MacOS/comments/1b75xlv/why_is_darwi...

https://x.com/LeakerApple/status/2018467873308786771 Nuvia

If they were to support darwin containers, what would be the point? Literally nobody would build to it, Linux won.

Why would any serious developer use closed-source code they can't debug and modify? Especially for a production server?

It's the same reason no serious developers or hackers use macOS, like part of the point of being a developer is being able to dig into the code at any layer and debug and fix things.

Basically: they’ve moved on.

Nobody is coming to save us. But I think that with AI, we have an opportunity to create a zero-cost runtime layer that provides something like Wine or SDL on all platforms. It could/should be the intersection of all mainstream OS features (a bit like the web), with the option to drop down to native components like how Cordova works.

I've been out of the game too long to know if something like this already exists, but would love to contribute.

Note that the thing to get to the thing is runway. With our currently broken open source software (OSS) funding model, we don't have a way to pay developers a stipend of perhaps $24-48k per year (minimum) for their OSS efforts. So they have to work pro bono. That leads to design-by-committee thinking that stands in the way of getting real work done.

So unfortunately we have to pick ourselves up by our bootstraps. I hope to see the creation of a maker's guild someday, where membership provides the stipend, with proceeds coming from the 1 in 10 or 1 in 100 apps that generate a return on investment, to cover the commercial failures. Like Humble Bundle on steroids.

- digression -

Imagine a corporate model, but without gatekeeping, minimum hours or profit. A pure meritocracy working to manifest a gift economy for all.

I'm not aware of an automation-based (instead of artificial-scarcity-based) economic model like this. Solarpunk is more of a cultural revolution, but comes close. Some examples of how it might work:

- Abandoning patents, copyrights and other intellectual property rights in favor of a commons owned by everyone

- Funding drug research but giving away the resulting medication for the cost of production or free

- Universal Basic Income (UBI) or its cousin Universal Basic Capital (UBC) that provides the resources for labor to participate in the exponential gains of capitalism (the missing ladder that the wealthy currently pull up behind them)

China is well on its way to achieving these goals and more by 2049 under its Second Centenary Goal. Meaning that the US is/has been left behind. You can feel it in every way: widespread underemployment, the collapse of our social safety nets, the return of prejudice, our national debt higher than our GDP, CEOs getting compensated hundreds of times more than workers, the upcoming crowning of the first trillionaire. Times 1000 other injustices.

Solving the thing that gets to the thing is akin to solving all things.

Edit: I was wrong about intellectual property (IP) in China. It sounds like they will instead pursue high-value IP to fund their economy, a bit like the UBI funding model. I don't think that's an equitable path, so am suggesting something above and beyond what they're attempting.

Blog post soon

On MacOS?

https://github.com/darwin-containers

However it requires disabling SIP, so that's unfortunately a non-starter for anything serious today.

  services:
    macos:
      image: dockurr/macos
      container_name: macos
      environment:
        VERSION: "15"

Yeah I was working on that, created a prototype. I don't see a business in it, so abandoned.

Framework is trying to close that gap with their new release, but we’ll have to see how it is once people get their hands on it. I think it also comes at a price premium. There is always the Thinkpad route, but Lenovo burned just about every bridge with me a decade ago with things like Superfish. Where is the premium Linux laptop OEM that people can trust? Last I heard System76 was just rebranding Clevo hardware. What are people using? Dell? HP?