macOS Container Machines (github.com)
1074 points by timsneath 17 hours ago
timsneath 16 hours ago
To clarify a few comments here: this is not only OCI containers: container machines add support for persistence and filesystem mounting, making container machines a great lightweight Linux environment for developers using macOS. More details here: https://developer.apple.com/videos/play/wwdc2026/389
jt2190 4 hours ago
> container runs containers differently. Using the open source Containerization package, it runs a lightweight VM for each container that you create. This approach has the following properties:
> - Security: Each container has the isolation properties of a full VM, using a minimal set of core utilities and dynamic libraries to reduce resource utilization and attack surface.
> - Privacy: When sharing host data using container, you mount only necessary data into each VM. With a shared VM, you need to mount all data that you may ever want to use into the VM, so that it can be mounted selectively into containers.
> - Performance: Containers created using container require less memory than full VMs, with boot times that are comparable to containers running in a shared VM.
More details, including technical limitations (they’re looking for bug reports and contributions): “Container: Technical Overview” https://github.com/apple/container/blob/main/docs/technical-...
mikepurvis 4 hours ago
Sounds like a lot of the same choices/compromises that are in wsl2.
jjtheblunt 12 hours ago
> ... highly integrated Linux environment that works seamlessly on your Mac. ...
Which kernel is running, and is it hosted in hypervisor.framework, as is done with UTM (when not using the qemu mode)?
Scarbutt 12 hours ago
The katas container kernel by default.
bogantech 10 hours ago
> filesystem mounting
How is this different to bind mounts
jdub 9 hours ago
Very different: Linux running in a virtual machine can't bind mount into a macOS host's filesystem. So they use virtiofs.
Onavo 15 hours ago
Ah, the Darwin/BSD Subsystem for Linux.
CGamesPlay 15 hours ago
Not quite, it’s still a VM. And while it supports virtio balloon for growing RAM, it doesn’t yet support releasing that RAM back to the host. And there isn’t a convenient way to shrink the sparse disk images as they grow yet, either.
pseudosavant 11 hours ago
Exactly what I thought. The Mac equivalent to WSL. Which is a great thing for Mac devs. Lots of stuff expects Linux these days, not POSIX. Mach isn’t Linux.
oulipo2 8 hours ago
how does that compare to something like, eg, Orbstack?
CaptainCyber99 7 hours ago
Still feels like an Apple-ified microvm
TingPing 6 hours ago
Well yeah it’s a simple vm…
golem14 12 hours ago
I belong to a rare breed of very opportunistic hobby-developers that like to use MacOS but also like to use linux machines or BSDs (rpi etc) sometimes.
I can create docker-images with docker compose, or use something like colima, which this seems to be close to (that should have some advantages over docker, although my hope of circumventing W^X page protection did not pan out).
I was perplexed that the repository does not put these container machines in context. They seem to be close to colima? When should I use which option (docker, colima, container machines)?
Maybe others wonder too but are ashamed to ask. I have no shame ;)
Thanks for any pointers
binsquare an hour ago
I built this tool to solve that exact problem: https://github.com/smol-machines/smolvm
djsavvy 11 hours ago
Why try to circumvent W^X page protection? Some sort of self-modifying program without extra pointer indirections?
bogantech 10 hours ago
Bad legacy apps like Xilinx ISE
klohto 11 hours ago
https://github.com/apple/container/blob/main/docs/technical-... read documentation mr. rare breed
startakovsky1 10 hours ago
Like, this doesn’t answer when to use this vs Docker. Any reference there?
qalmakka 11 hours ago
This is all fine and dandy, but where are the native Darwin Jails Apple? Still scared that people will fill whole rooms of Mac Minis if you allow them to have multiple macOS containers and not only up to two fat VMs per machine?
cedws 5 hours ago
Darwin namespaces would be much more interesting and we are in dire need of them in the current security landscape.
I don’t really understand the hype for Apple’s Containerization, it’s just another container runtime alongside many others. It’s not really any better than OrbStack - in fact it’s worse.
RationPhantoms an hour ago
Thank you for answering that question because I adore OrbStack and didn't find much difference.
gyoridavid 4 hours ago
+1 I'd love to have network namespaces
jorisw 10 hours ago
[Replied to wrong comment]
qalmakka 10 hours ago
That's totally unrelated to what I wrote
adastra22 10 hours ago
sandbox profiles?
qalmakka 10 hours ago
macOS sandboxing is deliberately limited just enough to prevent anyone from truly implementing Darwin-on-Darwin containers. People have been discussing this for a while, see https://github.com/apple/container/discussions/611
In general I understand the rationale behind Apple's decision. They sell hardware, and there's real demand for macOS on servers to run build jobs and other Mac-only tools. Giving you the ability to run multiple containers on a single Mac would end up turning a 10 Mac Mini order into a 2 Mac Minis order for most people. Rest assured, even if it would be technically possible they'd find a way to cap it somehow via the EULA or whatever
blahgeek 16 hours ago
OrbStack works really well for me. I wonder how it’s compared to this performance wise
kdrag0n 16 hours ago
(OrbStack dev here.) Instead of Virtualization.framework, we have a custom Rust virtualization stack with custom devices and protocols for things like filesystem sharing. It's a highly optimized vertically integrated stack specifically for running our Linux machines and containers.
Our biggest perf/resource gain is dynamic memory, which reduces memory usage a lot by releasing unused memory back to macOS. Nothing else supports this, including Containerization.
I gave Container Machines a try and it seems to be much closer to OCI containers with a default bind mount than OrbStack machines. It has fewer integrations and doesn't run systemd or any other normal init system, so it's hard to run services.
rubnogueira 8 hours ago
Just to give a thumbs up to you and OrbStack. I've been using it every day since the first releases, and it is one of the most stable and performant drop-in replacements that I've seen.
mescalito 15 hours ago
Super happy orbstack customer. Just curious on your statement:
> I gave Container Machines a try and it seems to be much closer to OCI containers with a default bind mount than OrbStack machines. It has fewer integrations and doesn't run systemd or any other normal init system, so it's hard to run services.
The linked md document says:
> Real Linux services for testing. Run a database or whatever your stack needs as a system service — systemctl start postgresql works on images with systemd installed.
Was that not the case when you used container machines?
d3v1an7 13 hours ago
just adding a 'hell yeah: orbstack is so good' to the thread. i mainly avoid containers where i can, but when containers need to happen, orbstack is 'just enough' for me. lovely and well considered ui, stable, performant. don't need much else. thank you for your work and care!
egernst 15 hours ago
Thanks for the info kdrag0n! Big fan of OrbStack; good call out on dynamic memory.
If the guest image has /sbin/init, we use that.
We'd recommend using a base image for the guest that includes systemd. ie: https://github.com/apple/container/blob/main/docs/container-...
kxxx 15 hours ago
Apple says that `systemctl` is supported... hmm am I missing something?
"Real Linux services for testing. Run a database or whatever your stack needs as a system service — systemctl start postgresql works on images with systemd installed."
rswail 10 hours ago
I changed over to Orbstack just for local builds and it is one of those apps that makes owning a Mac that much better.
This post reminded me to buy a license, just done it, worth it for the time saved.
CGamesPlay 15 hours ago
> Our biggest perf/resource gain is dynamic memory, which reduces memory usage a lot by releasing unused memory back to macOS. Nothing else supports this, including Containerization.
Wow, missed this when reviewing OrbStack. I assumed that you just used Containerization and therefore would have the same limitation.
saltamimi 15 hours ago
I know this is off topic, but I do thank you for your Android work, the idea and elegance of fastboot.js and that SafetyNet workaround trick was truly really cool.
trueno 15 hours ago
just dropping in to say orbstack super owns and i use it every day. huge respect to rethinking this experience, for a minute there i thought docker was just going to be the only path. i dont think ive looked back for docker since. orbstack just feels right, and damn its so fast and good with resources, and the UI is just insanely straight forward. props!
TheTaytay 15 hours ago
We love OrbStack too! Thank you for it.
I wanted to make its VM/machine our default secure agent sandbox, but I couldn’t figure out how to isolate this VM from the host properly. This thread prompted me to find the issue though, and I saw this was recently implemented! https://github.com/orbstack/orbstack/issues/169
torarnv 9 hours ago
Those are awesome features! The one missing for me is bridge networking. Any idea why orbstack doesn’t have that?
jhancock 15 hours ago
I’ve been using podman on Mac. It’s been a nice fit as the container build files are identical to what I use on my fedora server. I have noticed my 2 virtual core 4 gb Linode vps runs apps faster in the same container as when run on my MacBook Air M2 16 gb. I expected some performance overhead but didn’t think it would be noticeable as it is. Overall happy with podman. How might OrbStack differ?
rahen 7 hours ago
What kind of virtualization do you use internally? I assume some kind of LXD fork? OrbStack really feels like a single-node Incus host.
bekantan 6 hours ago
Amazing software, thanks!
vsgherzi 15 hours ago
I love orbstack, is there any code I could read on the rust side? Seems very interesting
blackqueeriroh 13 hours ago
When are y’all gonna support sandboxing? Preferably Docker Sandboxes?
bjt12345 11 hours ago
Orbstack plays well with Pycharms BTW.
emmelaich 15 hours ago
I'd like to see a comparison to https://tart.run/ as well.
AFAICT it's pretty similar.
eatonphil 5 hours ago
Tart was just bought by OpenAI so its future is suspect.
mpeg 14 hours ago
I like orbstack in theory, but I find it hard to justify a $96/yr license fee for something that has so many open source, free alternatives. As it is, I’d rather use podman or colima
Ghoelian 11 hours ago
It's free for personal use, and for a company 96/year is absolutely nothing, I'd hope.
baq 10 hours ago
The alternatives are all broken in some ways is the answer, including the official paid docker enterprise.
Personally I’d rather the company provisioned me MacBook hardware with Linux. Unless Fable or some other ai ports asahi properly to modern hardware I expect to retire before this is possible, orbstack is the next best thing, available today.
kxxx 15 hours ago
I really like OrbStack and am also not sure why I'd use Container Machines over it, at the moment...
gempir 10 hours ago
I just wish bind mounts would be more performant/native. I get that this is probably impossible, and probably also sucks on Linux, haven't tried.
But like having containers that need file watchers like vite dev server, or frankenphp in watch mode will overload OrbStack real quick since it seems to fallback to polling instead of listening to fs events.
So I'm stuck running vite dev servers and the like on the host.
kdrag0n 4 hours ago
Can you share more details? OrbStack has always supported inotify/fanotify (Linux fs watching APIs) on bind mounts and most people use watchers with no issues. Happy to look into whatever you're running into: [email protected]
jnewton_dev 4 hours ago
We dealt with this exact issue at my company. The root cause turned out to be something completely unrelated to what we initially suspected.
cpuguy83 15 hours ago
Not a full docker env, I aimed this at doing builds, though you can run dockerd as an option. https://github.com/cpuguy83/crucible uses the containerization framework to run either buildkitd or dockerd and wire it up to docker/buildx cli (or whatever client tooling you want to use).
The Containerization framework is a library that sits as a layer on top of the virtualization framework. So each container is its own VM.
Machine is tooling above the containerization framework to run multiple things in a container in a vm.
kiproping 10 hours ago
Thank you for mentioning this, I have been suffering under the yoke of docker.
jbverschoor 12 hours ago
Note that orbstack supports audio and usb pass through, which is super nice
kenanfyi 9 hours ago
I don't understand why these tools always advertise mounting the $HOME inside the container. Isn't it better to have complete isolation? Isn't that the point of using such a thing?
sigmoid10 8 hours ago
Containers only got so popular as a tool for developers to make developing/deploying easier. If you want to use them as a security layer that is a completely different goal and has many highly dangerous pitfalls [1]. Just last week there was a post where people were shocked how an AI agent used docker to bypass sudo on a system. I'd imagine this could happen to most people who installed docker. So if you want to use containers for anything but easier development, you need to be much more proficient than the average user already. In that case not exposing $HOME is just a small thing on your config to-do list.
[1] https://cheatsheetseries.owasp.org/cheatsheets/Docker_Securi...
lxgr 8 hours ago
> Just last week there was a post where people were shocked how an AI agent used docker to bypass sudo on a system.
This was due to implicitly granting the LLM access to the host docker daemon, which has superuser privileges, not due to a "container breakout". That's arguably a very different scenario, but of course both are worth considering.
> So if you want to use containers for anything but easier development, you need to be much more proficient than the average user already.
I'd disagree. Containers, at least without granting them additional privileges such as CAP_NET_ADMIN and without write-bind-mounting sensitive host directories into the container, offer a reasonable security boundary compared to the counterfactual, despite their bad reputation.
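Added example (not code from Apple's container project, from Docker, or from any commenter) illustrating the distinction lxgr draws above: a small Python audit of a `docker run` command line that flags what actually hands the workload host-level power (the host Docker socket, `--privileged`, host namespaces, added capabilities, writable bind mounts of sensitive paths or of a whole home directory, the $HOME case kenanfyi asked about), next to a builder for the hardened form. The flags checked are real Docker CLI options; the sensitive-path list, the message wording and the sample command lines are this example's own constructions.

```python
"""Audit a `docker run` command line for options that hand the workload host-level
power, and build a hardened invocation to compare against.
Added example for this thread: not code from Apple's container project or from
Docker. The flags checked are real Docker CLI options; the sensitive-path list,
the message wording and the sample command lines are this example's own."""
import shlex
from typing import List, Optional, Tuple

# Host paths whose bind mount (especially read-write) amounts to host compromise.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/proc", "/sys", "/dev", "/var/run", "/run")

def _opt_values(argv: List[str], *names: str) -> List[str]:
    """Values of options given as '--opt value' or '--opt=value'."""
    vals, i = [], 0
    while i < len(argv):
        a, step = argv[i], 1
        for n in names:
            if a == n and i + 1 < len(argv):
                vals.append(argv[i + 1])
                step = 2
                break
            if a.startswith(n + "="):
                vals.append(a[len(n) + 1:])
                break
        i += step
    return vals

def _bind_source(spec: str) -> Tuple[Optional[str], bool]:
    """(host_path, writable) for a -v/--volume/--mount spec; (None, False) for named volumes."""
    if "=" in spec:  # --mount type=bind,source=/host,target=/ctr[,readonly]
        fields = dict(f.split("=", 1) if "=" in f else (f, "") for f in spec.split(","))
        src = fields.get("source") or fields.get("src")
        if not src or not src.startswith("/"):
            return None, False
        return src, not ("readonly" in fields or "ro" in fields)
    parts = spec.split(":")  # -v /host:/ctr[:ro]
    if len(parts) < 2 or not parts[0].startswith("/"):
        return None, False
    opts = parts[2].split(",") if len(parts) > 2 else []
    return parts[0], "ro" not in opts

def _covers_sensitive(host: str) -> bool:
    """True for /, a sensitive path, or an ancestor/descendant of one."""
    p = host.rstrip("/") or "/"
    return p == "/" or any(p == s or p.startswith(s + "/") or s.startswith(p + "/")
                           for s in SENSITIVE_HOST_PATHS)

def _is_home_root(host: str) -> bool:
    """/Users/<name> or /home/<name> itself: ssh keys, cloud and registry tokens live there."""
    parts = host.strip("/").split("/")
    return len(parts) == 2 and parts[0] in ("Users", "home")

def audit_docker_run(cmdline: str) -> List[str]:
    """Human-readable findings for one command line; an empty list means nothing flagged.
    Every token is scanned, including the container's own command after the image
    name, so the audit errs on the side of flagging."""
    argv = shlex.split(cmdline)
    findings = []
    if "--privileged" in argv:
        findings.append("--privileged: all capabilities and host devices, i.e. root on the host")
    for cap in _opt_values(argv, "--cap-add"):
        findings.append(f"--cap-add {cap}: widens the kernel boundary (NET_ADMIN and SYS_ADMIN are classic escapes)")
    for opt in ("--pid", "--ipc", "--userns", "--network", "--net"):
        if "host" in _opt_values(argv, opt):
            findings.append(f"{opt}=host: shares the host's namespace instead of isolating it")
    for spec in _opt_values(argv, "-v", "--volume", "--mount"):
        host, writable = _bind_source(spec)
        if host is None:
            continue
        if host.endswith("docker.sock"):
            findings.append(f"mount {spec}: host Docker socket; anyone inside can start a privileged container, i.e. root on the host")
        elif _covers_sensitive(host):
            findings.append(f"mount {spec}: {'writable' if writable else 'read-only'} bind of sensitive host path {host}")
        elif writable and _is_home_root(host):
            findings.append(f"mount {spec}: whole home directory writable; every credential in it is exposed to the workload")
    if "ALL" not in _opt_values(argv, "--cap-drop"):
        findings.append("no --cap-drop=ALL: container keeps Docker's default capability set")
    if "no-new-privileges" not in _opt_values(argv, "--security-opt"):
        findings.append("no --security-opt=no-new-privileges: setuid binaries inside can still escalate")
    return findings

def hardened_docker_run(image: str, project_dir: str, user: str = "1000:1000") -> str:
    """A build/test sandbox: only the project directory is mounted (not $HOME), privileges dropped."""
    return " ".join([
        "docker run --rm -it",
        "--cap-drop=ALL", "--security-opt=no-new-privileges",
        "--read-only", "--tmpfs /tmp",
        f"--user {user}",
        f"-v {project_dir}:/work", "-w /work",
        image, "sh",
    ])

if __name__ == "__main__":
    # Constructed sample of the kind of invocation a tool with daemon access might run.
    risky = ("docker run -it --privileged -v /var/run/docker.sock:/var/run/docker.sock "
             "-v /:/host -v /Users/dev:/Users/dev ubuntu bash")
    for line in audit_docker_run(risky):
        print("RISK:", line)
    print("OK:  ", hardened_docker_run("node:20", "/Users/dev/project"))
```

The point of the two functions side by side: none of the findings on the risky line is a "container breakout"; each is a privilege the caller handed over on the command line, and the hardened form keeps the same workload usable (the project directory stays writable) while giving the daemon nothing it can turn into root on the host.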
kenanfyi 8 hours ago
I see. Why this interests me is the similar stuff I have been reading lately. All these supply chain attacks regarding npm, Tanstack etc. Therefore I wanted to create a totally isolated sandbox and while considering options I have seen they all by default mount the $HOME. I needed to explicitly tell colima to not do that.
But yeah, I guess my use case is not the main use of such tools or their purpose in general. Thanks for the link, I'll take a look at it.
saljam 8 hours ago
the reason i use this (and just a container with -v $HOME:$HOME before) is to get an environment with all the command line tools i'm familiar with from debian, instead of using something like homebrew. in general, i mostly trust these with access to my home directory. a bonus is that i can throw it away and rebuild it easily if i need to.
i'd still use less permissive containers for things i don't feel comfortable installing on the host, e.g. npm.
stefan_ 8 hours ago
No, the whole point of machines is their external interfaces? A Linux VM with no interfaces is just a closed box wasting power doing math.
And I think I would caution Apple to consider the lessons of WSL; having shared access to the filesystem is just the bare minimum. Next is networking (and god is this a rabbit hole with WSL), people will want to access their USB devices, X forwarding, GPU passthrough..
coldtea 8 hours ago
The whole point of container machines is their isolation.
If we wanted access to all interfaces, we'd just run it locally.
We want the container as a closed box, "wasting power doing math", i.e. processing what we actually passed to it.
LoganDark 8 hours ago
No, the point of using such a thing is to be able to run Linux workloads. For example, I recently used Containerization to generate trace logs from the tup test suite so that I could bring it up to relative parity on macOS. If it had complete isolation, I would have difficulty getting the modified source code into the container and difficulty getting the trace logs back out of the container. Sure, you can paper over this with bind mounts or whatever the fuck but that's annoying
kenanfyi 8 hours ago
Understand. And yeah that‘s annoying. I use containers only for development and to keep my main system secure from supply chain attacks. I have almost no build tooling in my Mac anymore. No npm, no cargo, no uv. Nothing. They all live inside the container which is completely isolated.
I guess my use case is not that important for the main user of these tools.
WatchDog 16 hours ago
Do these containers share a common kernel? Or are they each ran in a separate VM?
Edit: It's a VM per container. https://github.com/apple/container/blob/main/docs/technical-...
leshenka 14 minutes ago
Isn't it wasteful? I know it's a "tiny" vm but still is a vm
Igor_Wiwi 8 hours ago
Interesting from a Docker perspective, but I’m more interested in it as a sandbox for AI agents and untrusted code execution.
I wrote about that angle here: https://igorstechnoclub.com/sandbox-exec/
Feels like the spiritual successor to sandbox-exec, but with VM-level isolation.
avel 2 hours ago
Yes, that article states that as well under limitations: "Deprecation status: While functional, Apple discourages its direct use in favor of App Sandbox for developers."
thedougd an hour ago
I still can’t use Containers because of a broken DNS implementation. I suppose I could manually set the DNS as I switch on and off VPN, but I don’t have to with Finch, Podman, or Docker Desktop.
jaimehrubiks 16 hours ago
Will this be able to replace docker desktop an equivalents, removing the expensive Linux VM that runs alongside them?
thejazzman 16 hours ago
It mostly removes the big shared background VM and replaces it with smaller, more isolated Apple-native VMs.
I did an experiment migrating my Podman workload to Apple's container @ https://gist.github.com/jmonster/39e14585e107dbf990a90966c0f...
TL;DR reduces ram/storage usage; minimizes its existence
deathanatos 15 hours ago
How does that work, realistically?
> Memory defaults to half of host memory
That's the most expensive part of the whole transaction, b/c AFAIK, RAM is then dedicated to the VM. It can be swapped out, I suppose, but that's not great.
nozzlegear 14 hours ago
Nice, thanks for this. My plan is to swap over to Apple's containers for local dev, and keep using podman quadlets in production.
usernametaken29 16 hours ago
My first thought as well, docker desktop overhead is pretty bad, would be awesome to see this land natively in DD. By my estimate this could happen, seeing as Docker has historically tried to improve performance but quickly had to accept platform limitations… would only be natural to settle DD over to containers
deathanatos 15 hours ago
Well, you can avoid the Docker Desktop tax by not running Docker Desktop. colima is a perfectly usable implementation of Docker for macOS, without the bloat of Docker Desktop.
That said, colima still has the expensive VM that upthread is mentioning.
binsquare 11 hours ago
Linux VMs don't have to be expensive!
lxgr 8 hours ago
This explicitly provides a Linux VM, which seems hard to do without providing a Linux VM.
The use case is actually the opposite of what you seem to want (i.e. running Linux containers on macOS without a Linux VM); this uses a Linux-based container implementation on macOS to provide a long-lived Linux VM that looks more like a VM itself than a container.
lostlogin 16 hours ago
Others here mention it and I’m a new convert to Colima.
The pain of working around Docker Desktop is bad.
prmoustache 6 hours ago
this is more like toolbox/distrobox equivalent for MacOs, but running in individual VMs.
trollbridge 16 hours ago
That sure would be nice. I seem to rm -rf ~/.colima every few days.
0xbadcafebee 15 hours ago
Anyone know why you would use this instead of QEMU+Lima+Colima+Docker/containerd? The latter works on multiple OSes, has a very large ecosystem of tools, images, documentation, and lets you replace pieces as needed
lxgr 7 hours ago
QEMU has worse performance than Apple's native virtualization framework on macOS, for one thing. That said, Lima supports the latter as well.
einsteinx2 36 minutes ago
Yeah I was gonna say I use Colima with Apple’s virtualization framework (it’s not the default for some reason but it’s a single command line flag), and found it works better than QEMU (better performance and resolved some bugs I was running into with the Supabase docker stack)
CarlitosHighway 7 hours ago
From a layman's POV ("I just want to run my containers I need for dev work"), there's no point in switching to this for now. It's just cool that Apple cares enough about containers and might come up with an Apple-like built-in solution some day, this is the groundwork.
I'd stick to Colima, or Orbstack if you trust them enough to not do a rug-pull once their users are reliant on them enough to pay any amount.
cromka 11 hours ago
So essentially both macOS and Windows now heavily support developing using Linux on them. They can't more openly admit that they are no match for Linux in that area.
There's some clever advertising in it for Linux, if Linux was advertising.
rahkiin 10 hours ago
I’d argue they both admit that Linux servers are the target for a lot of applications to run on. Not to develop on.
artistonn 6 hours ago
Linux also can't openly admit that it's no match for macOS/Windows on the desktop, which is why we have this hybrid situation - macOS/Windows desktops running Linux VMs
regexorcist 4 hours ago
This is a tired cliché. Today, a modern Linux desktop like KDE Plasma just works and more importantly, gets out of your way unlike obnoxious MacOS and Windows. Aside from that you get the most advanced OS in the world where the thing being discussed here is a decade old.
krzyk 6 hours ago
Unfortunately there are more and more users on Linux and as a result windowsization/macosization of Linux is in progress (systemd, wayland, some scary stuff Poettering is doing with boot, snap/flatpak).
pjmlp 5 hours ago
Not really, this means the complete defeat of The Year of Linux Desktop.
Linux games depend on Windows ecosystem as their content source.
By having Linux nicely packaged in containers, they get to keep the 90% combined market share, almost no one bothers to support the market of Linux OEMs selling pre-installed Linux desktops and laptops.
The other "distros" used by consumers are Android, WebOs and going forward Googlebooks as Chromebooks evolution.
Meaning in the end a Pyrrhic victory, when Apple Linux, Microsoft Linux, Google Linux, Asus Linux, LG Linux, is all that the general public cares about, and hence no incentive for IT departments to support Linux laptops.
plutokras 10 hours ago
Enterprises would do anything to develop on Linux except using an actual Linux distro.
neop1x 7 hours ago
A lot of devs need to use Linux, but they still use it just as a VM (Mac) or in some kind of emulation (WSL). How pathetic.
cromka 3 hours ago
If they need to, it's because it's their work computers. Otherwise it's a choice.
mkagenius 14 hours ago
Apple containers are great for providing a sandbox to your AI coding agents
I have made it a MCP so that it's easily discoverable by all the coding agents
rakel_rakel 12 hours ago
It's funny that the system config page (https://github.com/apple/container/blob/main/docs/container-...) lists pebibytes for RAM configurations... in this day and age where buying a 16GB stick for workstation would cause me to eat instant ramen for a couple of months because my dentist needs an LLM chatbot on their page to stay competitive!
UX wise it looks kinda neat though!
borborigmus an hour ago
Signed in just to say LoL at the dentist comment.
yeswecatan 2 hours ago
How would I replace docker compose containing multiple services that communicate with each other with this? Seems cool for an individual service.
solenoid0937 2 hours ago
They shouldn't bury the details about how the containerization actually works.
tannhaeuser 10 hours ago
Just to clarify, this requires Mac OS 26 Tahoe for "container" doesn't it? So those of us holding out on Sequoia who can't stand the broken glass UI or whatever it's called and the other undesired features need to stick to Docker desktop.
masklinn 5 hours ago
> Just to clarify, this requires Mac OS 26 Tahoe for "container" doesn't it?
Yes’n’t: https://github.com/apple/container/blob/main/docs/technical-...
> container relies on the new features and enhancements present in macOS 26. You can run container on macOS 15, but you will need to be aware of some user experience and functional limitations. There is no plan to address issues found with macOS 15 that cannot be reproduced on macOS 26.
The issues are around networking.
niek_pas 7 hours ago
It seems macOS Golden Gate (the upcoming version) fixes quite a few of the problems with Tahoe, so you might consider skipping Tahoe entirely.
coldtea 8 hours ago
> those of us holding out on Sequoia who can't stand the broken glass UI or whatever it's called
Maybe hold 1 release back, but other than that, I don't think "holding out" on macOS releases has ever been a winning strategy.
In the end, the macOS model presupposes users moving to the latest release sooner rather than later.
jrochkind1 4 hours ago
I turned off what "glass" UI I could with config, and it's not too different than Sequoia, got used to it pretty quick. Obviously the things not supported on an old OS will keep increasing, until eventually it is EOL'd.
egorfine 6 hours ago
Yeah I use Tahoe and I can't stand the liquid glass.
It looks like Golden Gate fixes this design a lot.
llimllib 15 hours ago
Is this new? I thought we had this already
In my testing (iirc) filesystem performance was not good enough to be usable with node/rust dev where lots of small files get stat-ed
update: what's new is the `container machine` subcommand. I went to test it out, but container failed to run at all for me: https://github.com/apple/container/issues/1681
kdrag0n 15 hours ago
Curious if you've tried OrbStack? There's always more work to do (test workloads appreciated!) but we've put a lot of effort into optimizing for small files and other common developer workloads in OrbStack's customized filesystem sharing protocol (not standard virtiofs).
ahknight 14 hours ago
Podman is on macOS, FWIW. Uses the existing container framework to run the machine already. Root-full or not.
dchest 10 hours ago
Did you use their volumes for node_modules or a shared dir? I mounted the whole project directory (with node_modules) inside the container and it seems to work fine (MBA M1 8 GB RAM).
noobcoder 13 hours ago
The costs are startup time and image compatibility: dockerhub images don't work as machine images because container machine expects systemd
I am trying it out but it's breaking on Homebrew 1.0.0. The formula puts plugins at opt/container/libexec/container-plugins/ and the apiserver looks in libexec/container/plugins/
This can be solved through a symlink or smth
masklinn 11 hours ago
> dockerhub images don't work as machine images because container machine expects systemd
Are you sure about that? A few comments above a commenter states that they don’t run inits at all (because they ran alpine), multiple people replied that it works fine if you give it an image with an init, and they acknowledged their error.
emulio 9 hours ago
This appears to be an LXC-style alternative for macOS; however, unlike native LXC on Linux, this tool relies on VMs. While Docker and Podman also utilize a VM on macOS, they offer the advantage of the Docker Compose format. In my view, the ability to use YAML for declarative configuration is the most critical feature for any container tool. I have nothing against CLI tools in general, but I prefer avoiding repetitive manual commands that could be easily automated via Docker Compose or Kubernetes manifests.
notpushkin 8 hours ago
Apple does have an OCI variant of this: https://github.com/apple/container
Doesn’t seem to have Compose support though, but it’s probably not impossible to build upon.
And of course, it also uses VMs, though unlike Docker, it’s one (micro-?) VM per container: https://github.com/apple/container/blob/main/docs/technical-...
exabrial an hour ago
Handy for sure!
In production though, I've moved completely to systemd isolation of apps, rather than Docker-like containers, which are essentially black boxes and present a supply chain threat. There's also a DRY principle here. Verification of a host presents a much smaller surface area.
bityard 42 minutes ago
> moved completely to systemd isolation
On MacOS?
cogman10 14 hours ago
Is there any reason why macOS doesn't try a WSL1 style approach? I get why that didn't fully work out for windows, but it seems like macOS being another *nix would make a lot of what was hard for windows, easy for mac. It seems like it should be possible to run most linux applications natively on macOS with few additional new APIs.
BSD actually has this already.
qalmakka 11 hours ago
FreeBSD has Linuxlator because there is a lot of binary only software that was never and never will be ported to BSD, so it's necessary for them in order to avoid bleeding users away. Conversely, macOS has basically all software ported natively to it, so when you _need_ a Linux environment 95% of the time it isn't because you need $XYZ that only runs on Linux, but because you need a proper Linux environment with systemd, cgroups etc. Implementing that stuff on top of XNU would probably be extremely expensive and it would arguably defeat the point of having their own kernel in the first place.
cogman10 an hour ago
> Implementing that stuff on top of XNU would probably be extremely expensive and it would arguably defeat the point of having their own kernel in the first place.
I'm not sure how it'd defeat the point of having their own kernel.
As for cost, possibly, but it would really be a huge boon to macOS for software devs. It's hard for me to believe that Rosetta isn't similarly costly, but it's been done because running x86 software is still very much a necessity for MacOS.
twoodfin 14 hours ago
What would be the advantages over a VM infrastructure Apple needs anyway and that has a much simpler, more stable “ABI” compared to the Linux kernel?
cogman10 14 hours ago
Potentially faster application execution along with much lower memory requirements. In the case of docker, even a possibility of shared library loading further reducing runtime costs (For example, containers based on the same base image could load glibc into memory only once).
There's also simply the possibility of using linux software directly in macos without doing OS dependent changes to the software.
MBCook 13 hours ago
bicepjai 2 hours ago
So are there any benchmarks that compare all containers / docker / Lima / Colima / virtual box / VMware / orbstack and others ?
running101 an hour ago
Seems like wsl (windows subsystem for linux)
katspaugh 12 hours ago
I've looked into replacing Lima with Apple Containers for https://runmachine.dev.
However, unlike Lima, an Apple Container is not a full VM, so you cannot SSH to it, or forward SSH-agent signatures into a machine.
So it's more of a devcontainer story, which is also a great use case. Nice to see Apple creating tooling around their VZ framework.
Edit: referential clarity.
binsquare 11 hours ago
Might consider https://github.com/smol-machines/smolvm
It's a full vm
osigurdson 15 hours ago
I'm surprised they cared enough to do this. I'd still rather use Linux but MacBook value is incredible.
marssaxman 14 hours ago
I'd always rather use Linux, but sometimes your employer gives you a MacBook. I might use this tool.
jzer0cool 12 hours ago
In the intro it mentions automatically mapping the user and home dir, so host files are accessible in the container. Any settings to control this?
LaFolle 10 hours ago
Python binary wheels now have to be built for aarch64 for them to work inside the container, unless they are built using the corresponding build system while installing. It is not common for python binary libs to publish arm64 binary wheels, as most often they target amd64.
KeplerBoy 9 hours ago
Isn't that just expected for modern macOS devices? They have been on arm64 for 6 years now.
coldtea 8 hours ago
This however is for Linux containers on macOS, and for those the deployment targets are not usually/necessarily arm.
(Plus, you could always even have amd64 linux containers on macOS AS, with good performance, via Rosetta2).
Joyfield 14 hours ago
We have WSL at home.
k_bx 11 hours ago
Most of my team's development happens on a beefy desktop machine in incus containers per dev+project (so you run yourname-projname-dev). It has its own tailscale inside so you can open it like a regular https website or give it to another dev to check out – no need to deploy your branch somewhere, just run it. New dev onboarding takes 10 minutes from zero to a dev env with VSCode remote development.
I would really love it if Apple could give an inexpensive way to run amd64 containers for situations when a dev wants to use their own hardware. We've used Lima for now; it was too much of a hassle. But if there's a more native experience – I would give it another try.
pmontra 10 hours ago
How is this different from Virtualbox or similar products with a shared folder with the host machine? I expected that existing virtualization tech for Macs already did that. Maybe the improvement is having nothing to configure.
By the way, is it headless or can it run a full Linux desktop? Use case: buy a Mac, uninstall whatever can be uninstalled, run the Linux VM as the primary desktop, forgetting MacOS and without going through Asahi and the incomplete hardware support.
iririririr 10 hours ago
it differs by lacking all the cool options that make VMware and VirtualBox good products, but apple users will praise it as a benefit
"bind mounts? I'm better without it"
coldtea 8 hours ago
Funny how confidently people can mock while knowing nothing about the specific tech discussed and the different targets. I'd google: VirtualBox vs containers.
pmontra 6 hours ago
numbsafari 15 hours ago
Wouldn’t it be nice if services like Codespaces or Coder or Gitlab would allow you to target running on their hosted/integrated platform, or let you launch that same container completely locally? Sometimes I wanna take my “remote” dev environment off-line but still benefit from the integrated UX.
RossBencina 15 hours ago
This exists. It's called devcontainers and there is a cli for managing it locally.
CGamesPlay 15 hours ago
If you can express that operation in Terraform, then Coder would let you do that. First problems I can think of are connectivity from the Coder provisioner to your local machine (Tailscale? Local?), and migrating disk images if you want to actually switch a workspace between environments (local provisioner could do this, but no matter what it’ll be slow and janky).
jayd16 15 hours ago
Maybe I don't understand but why doesn't Gitlabs self hosted setup work?
pjmlp 12 hours ago
With the BUILD and WWDC 2026 announcements, it is the Year of Linux Containers Desktop.
Which for many folks is good enough for what they are doing, thus the status quo of desktop platforms will hardly change for current form factors.
vachanmn123 13 hours ago
Could this allow us to use proton on mac maybe?
xd1936 13 hours ago
This is hilarious. Next year, the PC gamers will be saying "The best Windows gaming experience is win32 on Linux on macOS Containers".
aurareturn 12 hours ago
The fastest (Geekbench 6) Windows laptop in the world is actually an M5 Max Macbook running Parallels running Windows.
mohamedkoubaa an hour ago
I think there's one too many layers of graphics driver indirection for this to work
kergonath 11 hours ago
Wine works fine on macOS, there is no need for a Linux layer.
Gigachad 12 hours ago
I mean at this point literally anything works better than Windows.
pjmlp 12 hours ago
bel8 11 hours ago
I don't think so. This is a VM, closer to WSL2.
Proton is based on Wine which translates Windows instructions to Linux.
Besides there's already Wine for mac.
But I would love to be wrong here.
yurimo 6 hours ago
I'm pretty sure this is not the use case at all but man do I miss bootcamp. Even for games if we could just run linux without a need for crossover, gaming on mac machines would be a dream.
krzyk 6 hours ago
Oh, I hoped it would be macOS contained in those containers. Containers for Linux are in the millions, while I don't know if there are any with macOS inside.
rickstanley 14 hours ago
I was wondering if it's possible to have the container volume changed to, say, an external drive. I currently use QEMU with qcow2 images to achieve this; it works well enough.
opengears 11 hours ago
Also works with UTM.
m132 14 hours ago
Every time I see Apple flaunting Linux containers I can hardly consider it as anything but admitting defeat. It could easily be Darwin, if they still had the capacity.
groundzeros2015 14 hours ago
Just change 30 years of internet history
al_borland 13 hours ago
For what it's worth, the first web server was a NeXTcube, and NeXTSTEP was the foundation of macOS.
tw04 14 hours ago
What is the alternative? They gave up the server market a decade ago and before that they barely actually supported it.
If they were to support darwin containers, what would be the point? Literally nobody would build to it, Linux won.
riffic 14 hours ago
> Literally nobody would build to it
because nobody does ci/cd against macOS or iOS apps right?
tw04 14 hours ago
pjmlp 10 hours ago
TheDong 14 hours ago
Apple set itself up for defeat in the server and developer marketplace as soon as they decided macOS was proprietary code.
Why would any serious developer use closed-source code they can't debug and modify? Especially for a production server?
It's the same reason no serious developers or hackers use macOS, like part of the point of being a developer is being able to dig into the code at any layer and debug and fix things.
bschwindHN 12 hours ago
> It's the same reason no serious developers or hackers use macOS
I know I'm basically taking the bait, but I guess I've not been "seriously" developing stuff for the past decade or two, which is news to me!
m132 14 hours ago
OpenDarwin was a thing at one point, with mailing lists and other infrastructure hosted by Apple.
That being said, my point isn't that Apple should absolutely focus on making a server OS again. It just saddens me how far behind macOS has fallen as they stopped caring about the fundamentals; back in the day, it would be Linux trailing behind macOS. Nowadays, you can't even have multiple routing tables on the latter, the firewall code was probably last updated in Snow Leopard, and what Apple happily shows off at WWDC is a wrapper around Linux. Something functionally equal can be cobbled together by anyone sufficiently experienced in minutes, using just Bash, OpenSSH, and QEMU.
I really wish macOS would let me have a similar level of control over applications as Linux with namespaces, without me having to do all the heavy lifting.
alwillis 11 hours ago
alwillis 11 hours ago
pjmlp 12 hours ago
Apparently game, desktop and app devs aren't serious.
vehemenz 14 hours ago
No offense, but serious developers don’t think this way at all.
bel8 13 hours ago
harrouet 11 hours ago
Why did they have to invent their own solution instead of just shipping docker or an equivalent clone?
nottorp 9 hours ago
Isn't docker on mac os still a large preallocated linux VM that runs the containers inside itself? With this maybe you can separate them.
ChrisArchitect 15 hours ago
WWDC presentation video:
Discover container machines
alwinaugustin 4 hours ago
Why is it important? We have Docker for containers, right?
a1o 16 hours ago
With colima I can run AMD64 (x86) Linux containers in my Arm64 too. I think this is strictly for Arm64 Linux VMs, or is there some way to run x86 with this too?
jdub 8 hours ago
You can run amd64 binaries inside an aarch64 Linux virtual machine. Although they're not supporting Rosetta for macOS apps from macOS 27, the Rosetta support in Virtualization Framework will remain.
andor 2 hours ago
Did Apple officially confirm this or is it based on the statement regarding games?
cpach 12 hours ago
What’s the performance when you do that?
frizlab 16 hours ago
Rosetta should be supported
whycombinetor 12 hours ago
Not for long!
commandersaki 12 hours ago
aspeckt_112 10 hours ago
This is pretty cool - being able to bring your own container machine image goes a long way to helping its adoption.
I started using Colima a couple of years ago because I got bored of how bad Docker Desktop was and just started using the CLI / the "Services" tool window in whatever Jetbrains IDE I was using at the time anyway. I can't see myself moving away from it any time - having multiple profiles is an absolute winner of a feature for me there, but maybe the next time I set up a Mac from scratch I'll have a play with this.
Havoc 9 hours ago
Always nice to have more options especially without third party tools
zer0zzz an hour ago
I just want thunderbolt pci passthrough for these things.
kdrag0n an hour ago
Interesting, what devices would you want to pass through?
avsm 9 hours ago
I looked at this last year when it came out in Tahoe: https://anil.recoil.org/notes/apple-containerisation and this looks like more of the same.
They've now added a WSL-style virtual machine layer, but there's no x86 container story (Apple's killing Rosetta) so I imagine some qemu shimming will be required.
There's still no equivalent to VPNKit or GVisor for networking so you'll be bridging I think. See: https://cacm.acm.org/research/a-decade-of-docker-containers/ for how Docker for Mac does this
I can't spot any support for dynamic memory ballooning to prevent the hypervisor from gobbling up too much memory. We've had this in Xen since forever! https://xenproject.org/blog/ballooning-rebooting-and-the-fea...
And, most obviously: NO SUPPORT FOR MACOS. This is the single feature that only Apple can do, and they're choosing not to implement it deliberately, and it's so stupid given the pains we all have to go through to implement CI for macOS. In the land of OCaml, we were forced to implement a custom ZFS snapshotter to get reasonably cost effective macOS CI for our package repository: https://tarides.com/blog/2023-08-02-obuilder-on-macos/. This was fun to build, but it sucks to have to maintain it.
Also, I'm really curious what the GPU passthrough story here is for LLMs, since the Apple Silicon -> Linux kernel support is gated on Asahi's support, but that's been lagging beyond M2 due to the efforts of reverse engineering.
Do better for your developers, Apple. This is a half-baked sweep across third-party software without addressing the core needs around your own operating system.
almaight 7 hours ago
It's been over a year since it came out, based on kata-container
shelled 10 hours ago
I hope this brought us one step closer to being able to run our distros of choice very freely and easily on a Mac.
throw1234567891 9 hours ago
And no GPU passthrough? So colima with libkit remains the only method on Apple Silicon?
rcarmo 9 hours ago
This blew up spectacularly when combined with Time Machine, I wonder if that’s fixed.
happyopossum 6 hours ago
Considering that this project was published less than 24 hours ago I’m guessing you assume it’s a different project.
konaraddi 11 hours ago
Sounds like toolbox or distrobox for Mac!
commandersaki 15 hours ago
Would be cool if you can redirect USB devices to the VM.
kdrag0n 15 hours ago
We just released this in OrbStack :) https://docs.orbstack.dev/features/usb
Blog post soon
blackqueeriroh 13 hours ago
What happened to Orbstack for like 9 months until earlier this year? Suddenly everything went silent for a bit and I was pretty concerned. Glad y’all are back!!!!
calebm 14 hours ago
Thank you for sharing this - I looked into OrbStack a few months ago, and this was the reason I didn't use it (as my primary purpose was to have an external wifi adapter for wifi pwnage).
commandersaki 15 hours ago
Yeah I find this useful for redirecting storage/sdcard*, so you can format Linux filesystems or use other tools.
* need a USB SD card reader for the MacBook Pro because the built-in one is not USB
kdrag0n 14 hours ago
rgovostes 13 hours ago
I've successfully tinkered with USB/IP with Apple containers, but it does require loading a custom kernel (which they make pretty easy, thankfully). On the host side, macOS also doesn't make it easy to unload a driver that attaches automatically.
egernst 15 hours ago
Agreed! There are some good improvements around Accessory Access in virtualization framework this year also - check out: https://developer.apple.com/videos/play/wwdc2026/224/?time=2...
commandersaki 15 hours ago
I wonder if the custom virtio can be used to support attaching the built-in sdcard readers on macs which aren't exposed as usb.
sdevonoes 10 hours ago
I'm running Multipass on M1 for full Linux VMs. Are container machines better?
m1keil 10 hours ago
Isn't Multipass Ubuntu only?
sdevonoes 9 hours ago
It used to be. Any image is allowed now.
zekrioca 12 hours ago
"LXC" for macOS?
ExoticPearTree 5 hours ago
Will this come to MacOS 27?
LE: nevermind, it is already on MacOS. Did not read everything.
sachinjoseph 15 hours ago
WSL-like implementation on macOS?
CSDude 12 hours ago
I know it's not going to be there but wish we had Windows as well.
Cadwhisker 11 hours ago
Install Windows 11 ARM under the macOS "UTM" App. This lets you run x86 Windows programs on Apple silicon.
beemboy 11 hours ago
Is this going to be good for AOSP builds on Macs?
namegulf 16 hours ago
Would be nice if they also support Intel based macs, what prevents?
MBCook 15 hours ago
Apple won’t support them with MacOS 27, and it seems they announced this tool as part of this year’s WWDC.
Basically: they’ve moved on.
danhon 16 hours ago
Allocation of a finite amount of engineering resources.
joshuat 16 hours ago
And a legitimate business interest to further incentivize the adoption of Apple Silicon devices. Same with Rosetta deprecation after macOS 27.
JumpCrisscross 15 hours ago
crote 14 hours ago
ForOldHack 15 hours ago
jdub 8 hours ago
The underlying Virtualization Framework works on Intel Macs, but they'll miss out on new features landing in macOS 27 and beyond.
ShinyLeftPad 11 hours ago
Can Podman support these eventually?
kosikond 6 hours ago
There _is_ a Podman Desktop extension for Apple Containers, however its socktainer version is ancient.
cdnsteve 5 hours ago
Is it just me or is the experience to get this up and running not feeling very Apple like? Is there no one liner to install or did I miss something?
jbverschoor 12 hours ago
Just curious, Apple seems to copy orbstack.. haven’t they made an offer to acquire you guys?
t1234s 14 hours ago
Is this similar to what cygwin was for windows? Could this be an alternative to homebrew?
tonymet 11 hours ago
What FS mounts the Mac drives into the Linux container?
phplovesong 12 hours ago
It was unclear to me, is this a native replacement for docker? I like docker (on mac) but it's quite the resource hog.
I usually run like a db, redis, maybe something like rabbitmq/zeromq and have an app that uses these services (makefile/docker-compose).
I would love to switch if this in fact is a lightweight replacement.
happyopossum 6 hours ago
A native replacement for docker came last year with Apple Containers - this extends that.
masklinn 10 hours ago
On the one hand yes, on the other hand there are already multiple lighter alternatives to docker on mac.
naikrovek 6 hours ago
ah, a rare step closer to plan9.
(you remote into a system and part of your environment comes with you; that's very Plan9-like.)
gigatexal 13 hours ago
I saw the video on this; this is basically distrobox for Mac. It's very cool. Seamless with your local files and the container. I'm very keen to try it.
michaelsbradley 14 hours ago
Can macOS be run as a container machine on macOS?
blackqueeriroh 13 hours ago
Yes
MBCook 13 hours ago
Yep. For a few years. And they keep enhancing it too.
It’s the only legal way to do so, due to the software license on MacOS.
riffic 15 hours ago
darwin containers when?
m463 16 hours ago
looks like apple wrote a native docker in swift
you can now run linux containers on your mac
... but it could be better.
what about (totally contrived):
    FROM apple/macos:10.11.6
    RUN xcodebuild -project myapp.xcodeproj -scheme MyScheme -configuration Release
webXL 16 hours ago
Nice, but expect to page through a few pages of ToS during the build
m463 16 hours ago
lol
    ENV XCODE_FRONTEND=unattended
    ENV XCODE_LICENSES=accept,firstborn,applepay,[email protected]
egorfine 6 hours ago
> FROM apple/macos:10.11.6
Yeah I was working on that, created a prototype. I don't see a business in it, so abandoned.
trollbridge 16 hours ago
Close - but it would be more like this:
    services:
      macos:
        image: dockurr/macos
        container_name: macos
        environment:
          VERSION: "15"
(And indecently slow.)
windowliker 15 hours ago
It would be wonderful if this ran on older versions of macOS, but according to the README they only support 26.
m463 14 hours ago
you do not understand... Not run on, run IN :)
I'm saying the older version of macos could build/run INSIDE the container
just like on a ubuntu 24.04 system you can do:
    FROM ubuntu:16.04
or
    docker run ubuntu:16.04
and though I haven't tried it, I believe docker can do arm in x86 using an emulator (like rosetta)
windowliker 7 hours ago
MBCook 13 hours ago
jadar 16 hours ago
i wish!
xiaodai 14 hours ago
so basically dockers
jwlake 14 hours ago
haven't we had hypervisor.framework for like years now?
itsneulook4 12 hours ago
Yeah but sitting in the tweak circles just to gather personal data about people to make them lose their minds is no bueno. Otipolfueriborsklineypoo
itsneulook4 12 hours ago
that thepolfus and the Otis and the bors and the alschweid and pretty much anyone in old the the gs gangstalk or just getting people info to sit in the same room as them to try and make them go crazy deserve to brave hart quartered
khazhoux 11 hours ago
try unplugging your keyboard and then plugging it back in
Barbing 15 hours ago
I found it hard to believe I didn’t have a simple way of staying safe by installing an arbitrary application in a sandbox on macOS. (Restoring using Time Machine doesn’t count! :) )
This is a step in the right direction but requires any given developer’s buy-in first, right?