macOS Container Machines

Posted by timsneath 7 hours ago


Comments

Comment by timsneath 6 hours ago

To clarify a few comments here: this is not only OCI containers: container machines add support for persistence and filesystem mounting, making container machines a great lightweight Linux environment for developers using macOS. More details here: https://developer.apple.com/videos/play/wwdc2026/389

Comment by bogantech 51 minutes ago

> filesystem mounting

How is this different to bind mounts

Comment by jjtheblunt 2 hours ago

> ... highly integrated Linux environment that works seamlessly on your Mac. ...

Which kernel is running, and is it hosted in hypervisor.framework, as is done with UTM (when not using the qemu mode)?

Comment by Scarbutt 2 hours ago

The katas container kernel by default.

Comment by Onavo 6 hours ago

Ah, the Darwin/BSD Subsystem for Linux.

Comment by CGamesPlay 5 hours ago

Not quite, it’s still a VM. And while it supports virtio balloon for growing RAM, it doesn’t yet support releasing that RAM back to the host. And there isn’t a convenient way to shrink the sparse disk images as they grow yet, either.

Comment by AlexB138 5 hours ago

Isn't the Windows subsystem for Linux (the reference there) also a VM?

Comment by gsnedders 5 hours ago

Only WSL2; WSL1 was an actual subsystem.

Comment by selcuka 5 hours ago

So this is Darwin/BSD Subsystem for Linux 2.

Comment by rvz 3 hours ago

Yes.

Comment by LoganDark 5 hours ago

WSL1 was so cool, WSL2 made it boring and isolated.

Comment by TylerE 5 hours ago

Back in my day you had to download a couple GB worth of cygwin, and that wasn't an actual environment, basically just a GNU toolchain compiled for windows. But it got you like....grep and bash and stuff that ran natively on windows which was kinda cool.

Comment by qalmakka 1 hour ago

Does any older folk here remember when NT was the Cool New Thing (TM) and it had by design support for multiple subsystems plopped over the NT API, and Win32 was just one of them alongside POSIX (Interix) and OS/2? There was even a _very short_ time span when Interix was actually usable (it was extremely short though)

Comment by pjmlp 1 hour ago

Yes, the only reason I cared for Linux in the first place was that the POSIX support wasn't that good.

I am convinced that if the POSIX subsystem had been UNIX-serious, GNU/Linux would never have taken off on the PC, and the whole thing would be divided between SGI, HP-UX, Solaris, Aix and Windows NT.

Comment by hnlmorg 1 hour ago

There were already better free options than Linux when Linux first started gaining traction.

The reason Linux grew in the 90s was because it was part of the hacker culture. Not because better options didn’t exist.

Kids liked the fact that Linux was a free-for-all, anything-goes, platform. It wasn’t stuffy like Unix and it wasn’t proprietary like Windows.

Then those kids grew up and became decision makers themselves. And we started to see Linux replace FreeBSD and commercial Unixes.

Comment by pjmlp 31 minutes ago

Which ones? BSD was tied in a lawsuit that left doubts on its future.

Minix was a toy OS for university teachings.

Coherent was commercial.

Nothing else was there on the PC market.

Comment by noduerme 4 hours ago

Cygwin was fun. I'd done zero development on Windows, but about 10 years ago I had to figure out how to deploy some nightly shell scripts across a bunch of local computers in a few dozen offices, where about 80% were MacOS and the rest were Windows. I don't remember exactly how I rigged it, but basically cygwin allowed me to keep the scripts as they were and trigger them in place, with a few small modifications.

I never want to deal with that again ;)

[edit] fwiw, Termux on Android is similarly a fun pseudo-environment. It's a nice and helpful toy.

Comment by TylerE 4 hours ago

The biggest issue I remember is directory separators... windows of course using \ which bash would then interpret as an escape. Cygwin mostly papered over that from what I can recall, but it could lead to some weirdness, like sometimes you'd get C:\\path\\es\\like\\this

Comment by bschwindHN 2 hours ago

We should be using the baguette emoji for path separators for cross-platform compatibility.

https://old.reddit.com/r/ProgrammerHumor/comments/96ufiz/pro...

Comment by rpeden 4 hours ago

You could also use forward slashes, like C:/path/subpath, which has worked since Windows 1.0/DOS 2.0.

That's handy when you're entering paths in a Cygwin/MSYS Bash shell, but might not help much if you're trying to parse or otherwise work with existing path variables composed with backslashes.

Comment by TylerE 3 hours ago

Yes, you could if you were entering them manually, but some apps that generated file names would screw it up. I think they were using some sort of stdlib function to get the path separator. Forward slash paths working in native windows apps also wasn't quite a given, either. Keep in mind this was a loooong time ago... like windows xp era maybe, even.

Comment by noduerme 1 hour ago

Yeah, I recall directory paths being the biggest PITA with running scripts in cygwin. But I mean, that was a very minor set of things to fix compared to what would've had to be written in anything else available at the time.

Doing retail office deployments of custom code on employee computers is a weird niche, and you find whatever works and hope you can maintain it somehow. Cygwin was awesome though, saved me a ton of time and the client a lot of money for the moment. (The client later stipulated to all future franchisees that they had to buy only Macs, lol)

Comment by kergonath 1 hour ago

> Back in my day you had to download a couple GB worth of cygwin

You still can, and it still works exactly the same way.

Comment by iririririr 24 minutes ago

what do you mean? that's still the only way to work as a human in windows. wsl1 almost replaced it, but obviously they scrapped it.

if you must use windows, it's because you will compile for windows. so you install MSYS, which is a linux distro-ish compiled native for windows. and do your work.

wsl2 (and this apple thing) is just a meme. if you're working in it, you're better off just installing Linux or ssh'ing to a server.

Comment by _blk 4 hours ago

... Now it's just called git bash

Comment by michaelsbradley 4 hours ago

Just install and use MSYS2, git bash is derived from it anyway, and a regular MSYS2 installation offers a lot more.

Comment by kevinminehart 1 hour ago

It was soooo slow though. Practically unusable for anything i/o heavy.

Comment by dented42 32 minutes ago

Those issues could have been fixed…

Comment by pjmlp 2 hours ago

[dead]

Comment by jayd16 5 hours ago

Mac Subsystem for Linux 2

Comment by pseudosavant 1 hour ago

Exactly what I thought. The Mac equivalent to WSL. Which is a great thing for Mac devs. Lots of stuff expects Linux these days, not POSIX. Mach isn’t Linux.

Comment by qalmakka 1 hour ago

This is all fine and dandy, but where are the native Darwin Jails, Apple? Still scared that people will fill whole rooms with Mac Minis if you allow them to have multiple macOS containers and not only up to two fat VMs per machine?

Comment by jorisw 18 minutes ago

[Replied to wrong comment]

Comment by qalmakka 17 minutes ago

That's totally unrelated to what I wrote

Comment by adastra22 17 minutes ago

sandbox profiles?

Comment by qalmakka 13 minutes ago

macOS sandboxing is deliberately limited just enough to prevent anyone from truly implementing Darwin-on-Darwin containers. People have been discussing this for a while, see https://github.com/apple/container/discussions/611

In general I understand the rationale behind Apple's decision. They sell hardware, and there's real demand for macOS on servers to run build jobs and other Mac-only tools. Giving you the ability to run multiple containers on a single Mac would end up turning a 10 Mac Mini order into a 2 Mac Minis order for most people. Rest assured, even if it would be technically possible they'd find a way to cap it somehow via the EULA or whatever

Comment by golem14 2 hours ago

I belong to a rare breed of very opportunistic hobby-developers that like to use MacOS but also like to use linux machines or BSDs (rpi etc) sometimes.

I can create docker-images with docker compose, or use something like colima, which this seems to be close to (that should have some advantages over docker, although my hope of circumventing W^X page protection did not pan out).

I was perplexed that the repository does not put these container machines in context. They seem to be close to colima? When should I use which option (docker, colima, container machines?)

Maybe others wonder too but are ashamed to ask. I have no shame ;)

Thanks for any pointers

Comment by djsavvy 1 hour ago

Why try to circumvent W^X page protection? Some sort of self-modifying program without extra pointer indirections?

Comment by bogantech 49 minutes ago

Bad legacy apps like Xilinx ISE

Comment by klohto 2 hours ago

Comment by startakovsky1 50 minutes ago

Like, this doesn’t answer when to use this vs Docker. Any reference there?

Comment by Havoc 8 minutes ago

Always nice to have more options especially without third party tools

Comment by blahgeek 6 hours ago

OrbStack works really well for me. I wonder how it’s compared to this performance wise

Comment by kdrag0n 6 hours ago

(OrbStack dev here.) Instead of Virtualization.framework, we have a custom Rust virtualization stack with custom devices and protocols for things like filesystem sharing. It's a highly optimized vertically integrated stack specifically for running our Linux machines and containers.

Our biggest perf/resource gain is dynamic memory, which reduces memory usage a lot by releasing unused memory back to macOS. Nothing else supports this, including Containerization.

I gave Container Machines a try and it seems to be much closer to OCI containers with a default bind mount than OrbStack machines. It has fewer integrations and doesn't run systemd or any other normal init system, so it's hard to run services.

Comment by rswail 36 minutes ago

I changed over to Orbstack just for local builds and it is one of those apps that makes owning a Mac that much better.

This post reminded me to buy a license, just done it, worth it for the time saved.

Comment by d3v1an7 3 hours ago

just adding a 'hell yeah: orbstack is so good' to the thread. i mainly avoid containers where i can, but when containers need to happen, orbstack is 'just enough' for me. lovely and well considered ui, stable, performant. don't need much else. thank you for your work and care!

Comment by mescalito 5 hours ago

Super happy orbstack customer. Just curious on your statement:

> I gave Container Machines a try and it seems to be much closer to OCI containers with a default bind mount than OrbStack machines. It has fewer integrations and doesn't run systemd or any other normal init system, so it's hard to run services.

The linked md document says:

> Real Linux services for testing. Run a database or whatever your stack needs as a system service — systemctl start postgresql works on images with systemd installed.

Was that not the case when you used container machines?

Comment by kdrag0n 5 hours ago

That's my bad, I used the example alpine commands and the official alpine doesn't have init. It's supported if you build an image with systemd installed

Comment by egernst 6 hours ago

Thanks for the info kdrag0n! Big fan of OrbStack; good call out on dynamic memory.

If the guest image has /sbin/init, we use that.

We'd recommend using a base image for the guest that includes systemd. i.e.: https://github.com/apple/container/blob/main/docs/container-...

Comment by kxxx 5 hours ago

Apple says that `systemctl` is supported... hmm am I missing something?

"Real Linux services for testing. Run a database or whatever your stack needs as a system service — systemctl start postgresql works on images with systemd installed."

Comment by kdrag0n 5 hours ago

Good catch, I tried the example alpine commands and there was no init system. Makes sense if it's based on OCI images

Comment by kxxx 5 hours ago

Just tested it on an OCI image with systemd and it works well. I can see the appeal of OrbStack regarding memory reallocation and will stick with it for the time being :)

Comment by CGamesPlay 5 hours ago

> Our biggest perf/resource gain is dynamic memory, which reduces memory usage a lot by releasing unused memory back to macOS. Nothing else supports this, including Containerization.

Wow, missed this when reviewing OrbStack. I assumed that you just used Containerization and therefore would have the same limitation.

Comment by saltamimi 5 hours ago

I know this is off topic, but I do thank you for your Android work, the idea and elegance of fastboot.js and that SafetyNet workaround trick was truly really cool.

Comment by kdrag0n 5 hours ago

Ahh those were good times, glad you came across it :)

Comment by trueno 5 hours ago

just dropping in to say orbstack super owns and i use it every day. huge respect to rethinking this experience, for a minute there i thought docker was just going to be the only path. i dont think ive looked back for docker since. orbstack just feels right, and damn its so fast and good with resources, and the UI is just insanely straight forward. props!

Comment by TheTaytay 5 hours ago

We love OrbStack too! Thank you for it.

I wanted to make its VM/machine our default secure agent sandbox, but I couldn’t figure out how to isolate this VM from the host properly. This thread prompted me to find the issue though, and I saw this was recently implemented! https://github.com/orbstack/orbstack/issues/169

Comment by kdrag0n 5 hours ago

Yep! Still refining it but isolated machines now have fine-grained settings for filesystem mounts, network isolation, SSH agent forwarding, and CPU/memory/disk limits

Comment by jhancock 5 hours ago

I’ve been using podman on Mac. It’s been a nice fit as the container build files are identical to what I use on my fedora server. I have noticed my 2 virtual core 4 gb Linode vps runs apps faster in the same container as when run on my MacBook Air M2 16 gb. I expected some performance overhead but didn’t think it would be noticeable as it is. Overall happy with podman. How might OrbStack differ?

Comment by thatxliner 5 hours ago

Having used both, it feels like OrbStack "just works" more than Podman. The main example of this is Supabase.

Comment by bjt12345 1 hour ago

Orbstack plays well with PyCharm BTW.

Comment by blackqueeriroh 4 hours ago

When are y’all gonna support sandboxing? Preferably Docker Sandboxes?

Comment by vsgherzi 5 hours ago

I love orbstack, is there any code I could read on the rust side? Seems very interesting

Comment by kiproping 20 minutes ago

Thank you for mentioning this, I have been suffering under the yoke of docker.

Comment by gempir 1 hour ago

I just wish bind mounts would be more performant/native. I get that this is probably impossible, and probably also sucks on Linux, haven't tried.

But like having containers that need file watchers like vite dev server, or frankenphp in watch mode will overload OrbStack real quick since it seems to fall back to polling instead of listening to fs events.

So I'm stuck running vite dev servers and the like on the host.

Comment by emmelaich 5 hours ago

I'd like to see a comparison to https://tart.run/ as well.

AFAICT it's pretty similar.

Comment by mpeg 4 hours ago

I like orbstack in theory, but I find it hard to justify a $96/yr license fee for something that has so many open source, free alternatives. As it is, I’d rather use podman or colima

Comment by Ghoelian 1 hour ago

It's free for personal use, and for a company 96/year is absolutely nothing, I'd hope.

Comment by baq 1 hour ago

The alternatives are all broken in some ways is the answer, including the official paid docker enterprise.

Personally I’d rather the company provisioned me MacBook hardware with Linux. Unless Fable or some other ai ports asahi properly to modern hardware I expect to retire before this is possible, orbstack is the next best thing, available today.

Comment by kxxx 6 hours ago

I really like OrbStack and am also not sure why I'd use Container Machines over it, at the moment...

Comment by cpuguy83 5 hours ago

Not a full docker env, I aimed this at doing builds though you can run dockerd as an option, https://github.com/cpuguy83/crucible uses the containerization framework to run either buildkitd or dockerd and wire it up to docker/buildx cli (or whatever client tooling you want to use).

The Containerization framework is a library that sits as a layer on top of the virtualization framework. So each container is its own VM.

Machine is tooling above the containerization framework to run multiple things in a container in a vm.

Comment by jbverschoor 2 hours ago

Note that orbstack supports audio and usb pass through, which is super nice

Comment by aspeckt_112 13 minutes ago

This is pretty cool - being able to bring your own container machine image goes a long way to helping its adoption.

I started using Colima a couple of years ago because I got bored of how bad Docker Desktop was and just started using the CLI / the "Services" tool window in whatever Jetbrains IDE I was using at the time anyway. I can't see myself moving away from it any time - having multiple profiles is an absolute winner of a feature for me there, but maybe the next time I set up a Mac from scratch I'll have a play with this.

Comment by WatchDog 6 hours ago

Do these containers share a common kernel? Or are they each ran in a separate VM?

Edit: It's a VM per container. https://github.com/apple/container/blob/main/docs/technical-...

Comment by LaFolle 34 minutes ago

Python binary wheels now have to be built for aarch64 for them to work inside the container, unless they are built using the corresponding build system while installing. It is not common for python binary libs to publish arm64 binary wheels, as most often they target amd64.

Comment by pmontra 31 minutes ago

How is this different from Virtualbox or similar products with a shared folder with the host machine? I expected that existing virtualization tech for Macs already did that. Maybe the improvement is having nothing to configure.

By the way, is it headless or can it run a full Linux desktop? Use case: buy a Mac, uninstall whatever can be uninstalled, run the Linux VM as primary desktop forgetting MacOS and without going through Asahi and the incomplete hardware support.

Comment by iririririr 18 minutes ago

it differs by lacking all the cool options that makes vmware and virtualbox good products, but apple users will praise it as a benefit

"bind mounts? I'm better without it"

Comment by tannhaeuser 47 minutes ago

Just to clarify, this requires Mac OS 26 Tahoe for "container" doesn't it? So those of us holding out on Sequoia who can't stand the broken glass UI or whatever it's called and the other undesired features need to stick to Docker desktop.

Comment by jorisw 19 minutes ago

[dead]

Comment by jaimehrubiks 6 hours ago

Will this be able to replace docker desktop an equivalents, removing the expensive Linux VM that runs alongside them?

Comment by binsquare 2 hours ago

Linux VMs don't have to be expensive!

Comment by usernametaken29 6 hours ago

My first thought as well, docker desktop overhead is pretty bad, would be awesome to see this land natively in DD. By my estimate this could happen, seeing as Docker has historically tried to improve performance but quickly had to accept platform limitations… would only be natural to settle DD over to containers

Comment by deathanatos 5 hours ago

Well, you can avoid the Docker Desktop tax by not running Docker Desktop. colima is a perfectly usable implementation of Docker for macOS, without the bloat of Docker Desktop.

That said, colima still has the expensive VM that upthread is mentioning.

Comment by TimTheTinker 5 hours ago

OrbStack is great also

Comment by phinnaeus 4 hours ago

Postman Desktop too

Comment by rawland 1 hour ago

You mean Podman Desktop?

Comment by phinnaeus 1 hour ago

Yes, thank you iOS autocorrect.

Comment by thejazzman 6 hours ago

It mostly removes the big shared background VM and replaces it with smaller, more isolated Apple-native VMs.

I did an experiment migrating my Podman workload to Apple's container @ https://gist.github.com/jmonster/39e14585e107dbf990a90966c0f...

TL;DR reduces ram/storage usage; minimizes its existence

Comment by deathanatos 5 hours ago

How does that work, realistically?

> Memory defaults to half of host memory

That's the most expensive part of the whole transaction, b/c AFAIK, RAM is then dedicated to the VM. It can be swapped out, I suppose, but that's not great.

Comment by MBCook 4 hours ago

CGamesPlay said above it's balloon memory so it won't use all that memory by default, but it can't release balloon memory yet.

Comment by nozzlegear 4 hours ago

Nice, thanks for this. My plan is to swap over to Apple's containers for local dev, and keep using podman quadlets in production.

Comment by lostlogin 6 hours ago

Others here mention it and I’m a new convert to Colima.

The pain of working around Docker Desktop is bad.

Comment by trollbridge 6 hours ago

That sure would be nice. I seem to rm -rf ~/.colima every few days.

Comment by shelled 22 minutes ago

I hope this brought us one step closer to being able to run our distros of choice very freely and easily on a Mac.

Comment by rakel_rakel 2 hours ago

It's funny that the system config page (https://github.com/apple/container/blob/main/docs/container-...) lists pebibytes for RAM configurations... in this day and age where buying a 16GB stick for workstation would cause me to eat instant ramen for a couple of months because my dentist needs an LLM chatbot on their page to stay competitive!

UX wise it looks kinda neat though!

Comment by k_bx 1 hour ago

Most of my team's development happens on beefy desktop machine in incus containers per dev+project (so you run yourname-projname-dev). It has its own tailscale inside so you can open it like regular https website or give to another dev to check out – no need to deploy your branch somewhere, just run it. New dev onboard takes 10 minutes from zero to dev env with VSCode remote development.

I would really love if apple could give an inexpensive way to run amd64 containers for situations when a dev wants to use their own hardware. We've used LIMA for now, was too much of a hassle. But if there's a more native experience – would give it another try.

Comment by noobcoder 4 hours ago

The costs are startup time and image compatibility: dockerhub images don't work as machine images because container machine expects systemd

I am trying it out but it's breaking on homebrew 1.0.0. The formula puts plugins at opt/container/libexec/container-plugins/ and the apiserver looks in libexec/container/plugins/

This can be solved through a symlink or smth

Comment by masklinn 1 hour ago

> dockerhub images don't work as machine images because container machine expects systemd

Are you sure about that? A few comments above a commenter states that they don’t run inits at all (because they ran alpine), multiple people replied that it works fine if you give it an image with an init, and they acknowledged their error.

Comment by katspaugh 2 hours ago

I've looked into replacing Lima with Apple Containers for https://runmachine.dev.

However, unlike Lima, an Apple Container is not a full VM, so you cannot SSH to it, or forward SSH-agent signatures into a machine.

So it's more of a devcontainer story, which is also a great use case. Nice to see Apple creating tooling around their VZ framework.

Edit: referential clarity.

Comment by binsquare 2 hours ago

Might consider https://github.com/smol-machines/smolvm

It's a full vm

Comment by 0xbadcafebee 5 hours ago

Anyone know why you would use this instead of QEMU+Lima+Colima+Docker/containerd? The latter works on multiple OSes, has a very large ecosystem of tools, images, documentation, and lets you replace pieces as needed

Comment by llimllib 6 hours ago

Is this new? I thought we had this already

In my testing (iirc) filesystem performance was not good enough to be usable with node/rust dev where lots of small files get stat-ed

update: what's new is the `container machine` subcommand. I went to test it out, but container failed to run at all for me: https://github.com/apple/container/issues/1681

Comment by kdrag0n 5 hours ago

Curious if you've tried OrbStack? There's always more work to do (test workloads appreciated!) but we've put a lot of effort into optimizing for small files and other common developer workloads in OrbStack's customized filesystem sharing protocol (not standard virtiofs).

Comment by dchest 1 hour ago

Did you use their volumes for node_modules or a shared dir? I mounted the whole project directory (with node_modules) inside the container and it seems to work fine (MBA M1 8 GB RAM).

Comment by ahknight 4 hours ago

Podman is on macOS, FWIW. Uses the existing container framework to run the machine already. Root-full or not.

Comment by cromka 2 hours ago

So essentially both macOS and Windows now heavily support developing using Linux on them. They can't more openly admit that they are no match for Linux in that area.

There's some clever advertising in it for Linux, if Linux was advertising.

Comment by plutokras 24 minutes ago

Enterprises would do anything to develop on Linux except using an actual Linux distro.

Comment by rahkiin 59 minutes ago

I’d argue they both admit that Linux servers are the target for a lot of applications to run on. Not to develop on.

Comment by mkagenius 4 hours ago

Apple containers are great for providing a sandbox to your AI coding agents

I have made it an MCP so that it's easily discoverable by all the coding agents

https://github.com/instavm/coderunner

Comment by sdevonoes 32 minutes ago

I'm running Multipass on M1 for full linux VMs. Are container machines better?

Comment by m1keil 19 minutes ago

Isn't Multipass Ubuntu only?

Comment by pjmlp 2 hours ago

With the BUILD and WWDC 2026 announcements, it is the Year of Linux Containers Desktop.

Which for many folks is good enough for what they are doing, thus the status quo of desktop platforms will hardly change for current form factors.

Comment by osigurdson 5 hours ago

I'm surprised they cared enough to do this. I'd still rather use Linux but MacBook value is incredible.

Comment by marssaxman 5 hours ago

I'd always rather use Linux, but sometimes your employer gives you a MacBook. I might use this tool.

Comment by harrouet 1 hour ago

Why did they have to invent their own solution instead of just shipping docker or an equivalent clone ?

Comment by nottorp 1 minute ago

Isn't docker on mac os still a large preallocated linux VM that runs the containers inside itself? With this maybe you can separate them.

Comment by cogman10 5 hours ago

Is there any reason why macOS doesn't try a WSL1 style approach? I get why that didn't fully work out for windows, but it seems like macOS being another *nix would make a lot of what was hard for windows, easy for mac. It seems like it should be possible to run most linux applications natively on macOS with few additional new APIs.

BSD actually has this already.

Comment by qalmakka 1 hour ago

FreeBSD has Linuxulator because there is a lot of binary only software that was never and never will be ported to BSD, so it's necessary for them in order to avoid bleeding users away. Conversely, macOS has basically all software ported natively to it, so when you _need_ a Linux environment 95% of the time it isn't because you need $XYZ that only runs on Linux, but because you need a proper Linux environment with systemd, cgroups etc. Implementing that stuff on top of XNU would probably be extremely expensive and it would arguably defeat the point of having their own kernel in the first place.

Comment by twoodfin 4 hours ago

What would be the advantages over a VM infrastructure Apple needs anyway and that has a much simpler, more stable “ABI” compared to the Linux kernel?

Comment by cogman10 4 hours ago

Potentially faster application execution along with much lower memory requirements. In the case of docker, even a possibility of shared library loading further reducing runtime costs (for example, containers based on the same base image could load glibc into memory only once).

There's also simply the possibility of using linux software directly in macos without doing OS dependent changes to the software.

Comment by MBCook 3 hours ago

Yeah. But in exchange it’s a lot of work to keep up with. For GUI stuff you’re now having to have some sort of Wayland layer/driver.

Running VMs is really really easy and low maintenance demand on Apple. And it’s guaranteed compatibility.

Wasn’t compatibility what really sunk WSL1?

Comment by skissane 3 hours ago

> Wasn’t compatibility what really sunk WSL1?

Yes, but a big part of the problem with WSL1 was the size of the conceptual gap between POSIX and Windows NT that WSL1 had to bridge. An “MSL1” would likely have fewer problems because the gap between macOS and Linux is smaller, given they are both POSIX.

The other thing Apple could potentially do, is add Linux-compatible APIs to macOS. IBM wanted to support Kubernetes on their z/OS mainframe operating system, so they implemented on it a clone of Linux namespace APIs, e.g. unshare. Then we could have macOS nodes in a K8S cluster, which might actually be useful for some people, e.g. if you have a Jenkins CI farm, the Linux nodes can run on K8S, but currently macOS nodes (which you need if you are targeting iOS or macOS) can’t, they have to be bare metal or VMs.

More Linux-macOS source compatibility would also benefit macOS by making it less work to port software to it from Linux

Comment by qalmakka 1 hour ago

Linux and the BSDs take APIs one from the other all of the time. The issue with having a Linux ABI is that you don't need just the few APIs you're missing, you need to implement the WHOLE Linux API and it has to be _perfect_, otherwise stuff will randomly break. I loved the original WSL, I had to use it for a time period back in the day when I was stuck on a Windows PC, but it can't be denied it was full of random bugs

Comment by vachanmn123 3 hours ago

Could this allow us to use proton on mac maybe?

Comment by xd1936 3 hours ago

This is hilarious. Next year, the PC gamers will be saying "The best Windows gaming experience is win32 on Linux on macOS Containers".

Comment by aurareturn 3 hours ago

The fastest (Geekbench 6) Windows laptop in the world is actually an M5 Max Macbook running Parallels running Windows.

Comment by kergonath 1 hour ago

Wine works fine on macOS, there is no need for a Linux layer.

Comment by Gigachad 3 hours ago

I mean at this point literally anything works better than Windows.

Comment by pjmlp 2 hours ago

Except game development, hence Proton.

Comment by asimovDev 2 hours ago

it always gets a sad chuckle out of me to hear that some native linux ports run worse than the windows version under proton. i think valve games are like that (l4d2 for example) and recently I think Hollow Knight: Silksong was like that

Comment by Gigachad 2 hours ago

I think at this point native linux ports are somewhat a thing of the past. The problem was that the ports were usually contracted out to a 3rd party and rarely updated or cared for that much. There was also the issue that they often relied on dynamically linked libraries provided by the distro rather than static linked libraries bundled with the game. So stuff that did work would break on distro updates.

The proton model has the benefit that bugs on linux can be fixed by Valve and the Wine community. While bugs in an official linux port can only be fixed by the game publisher which rarely happened. There also seems to be virtually no downsides to running a Windows game in Proton. These days I don't even bother checking the Wine DB or proton rating because unless the game is deliberately blocking linux via anti cheat, it will just work.

Comment by pjmlp 1 hour ago

The irony is that without Windows there are no Linux games; eventually Linux folks will learn about OS/2 history in regards to Windows compatibility features.

Linux will stay forever a headless operating system great for embedded, server rooms and containers.

We all have limited time on Earth, and eventually Valve won't be around as it used to be, might even be acquired, sold, whatever, then what in regards to Linux gaming?

Comment by Gigachad 1 hour ago

Wine existed before Proton, Valve made it better but the project doesn't rely on Valve. Currently Linux is the best gaming experience. Zero bloat or nagware, everything just works. It's just ironic Wine/Proton ended up being the best platform for gaming on Linux. I don't think anyone expected it to run so well with virtually no performance impact.

Now with the FEX project, it might end up that running Windows games on Linux on a modern ARM processor could be the best way to game going forward, especially for mobile platforms like the Steam Deck.

Comment by pjmlp 1 hour ago

The best gaming experiences are Switch, PlayStation, Xbox, iOS, Android, the very definition of everything just works, and no kernel drivers to worry about.

Comment by gf000 50 minutes ago

You just listed concrete hardware (with the exception of Android). That's a category error; of course fixed hardware with specialized software will have fewer inconsistencies.

Comment by pjmlp 29 minutes ago

Would you be happier if I listed the respective OSes instead?

Comment by bel8 1 hour ago

I don't think so. This is a VM, closer to WSL2.

Proton is based on Wine which translates Windows instructions to Linux.

Besides, there's already Wine for Mac.

But I would love to be wrong here.

Comment by numbsafari 5 hours ago

Wouldn’t it be nice if services like Codespaces or Coder or Gitlab would allow you to target running on their hosted/integrated platform, or let you launch that same container completely locally? Sometimes I wanna take my “remote” dev environment off-line but still benefit from the integrated UX.

Comment by RossBencina 5 hours ago

This exists. It's called devcontainers and there is a CLI for managing it locally.

https://github.com/devcontainers/ https://containers.dev/

Comment by CGamesPlay 5 hours ago

If you can express that operation in Terraform, then Coder would let you do that. First problems I can think of are connectivity from the Coder provisioner to your local machine (Tailscale? Local?), and migrating disk images if you want to actually switch a workspace between environments (local provisioner could do this, but no matter what it’ll be slow and janky).

Comment by jayd16 5 hours ago

Maybe I don't understand, but why doesn't GitLab's self-hosted setup work?

Comment by Joyfield 4 hours ago

We have WSL at home.

Comment by rickstanley 4 hours ago

I was wondering if it's possible to have the container volume change to, say, an external drive. I currently use QEMU with qcow2 images to achieve this; it works well enough.

Comment by opengears 1 hour ago

Also works with UTM.

Comment by m132 5 hours ago

Every time I see Apple flaunting Linux containers I can hardly consider it as anything but admitting defeat. It could easily be Darwin, if they still had the capacity.

Comment by groundzeros2015 4 hours ago

Just change 30 years of internet history

Comment by al_borland 3 hours ago

For what it's worth, the first web server was a NeXTcube, and NeXTSTEP was the foundation of macOS.

Comment by TheDong 4 hours ago

Apple set itself up for defeat in the server and developer marketplace as soon as they decided macOS was proprietary code.

Why would any serious developer use closed-source code they can't debug and modify? Especially for a production server?

It's the same reason no serious developers or hackers use macOS, like part of the point of being a developer is being able to dig into the code at any layer and debug and fix things.

Comment by bschwindHN 2 hours ago

> It's the same reason no serious developers or hackers use macOS

I know I'm basically taking the bait, but I guess I've not been "seriously" developing stuff for the past decade or two, which is news to me!

Comment by m132 4 hours ago

OpenDarwin was a thing at one point, with mailing lists and other infrastructure hosted by Apple.

That being said, my point isn't that Apple should absolutely focus on making a server OS again. It just saddens me how far behind macOS has fallen as they stopped caring about the fundamentals; back in the day, it would be Linux trailing behind macOS. Nowadays, you can't even have multiple routing tables on the latter, the firewall code was probably last updated in Snow Leopard, and what Apple happily shows off at WWDC is a wrapper around Linux. Something functionally equal can be cobbled together by anyone sufficiently experienced in minutes, using just Bash, OpenSSH, and QEMU.

I really wish macOS would let me have a similar level of control over applications as Linux with namespaces, without me having to do all the heavy lifting.

Comment by alwillis 1 hour ago

> Nowadays, you can't even have multiple routing tables on the latter, the firewall code was probably last updated in Snow Leopard

Apple uses OpenBSD's Packet Filter [1]; I doubt multiple routing tables are a problem. Back in the Snow Leopard days, it was FreeBSD's IPFW, which is also no slouch.

Whatever a firewall can do, PF can do it.

You can also get a nice GUI for PF [2].

[1]: https://www.openbsd.org/faq/pf/index.html

[2]: https://www.murusfirewall.com/murus/

Comment by alwillis 1 hour ago

> OpenDarwin was a thing at one point, with mailing lists and other infrastructure hosted by Apple.

"Exploring Darwin and PureDarwin: The Open-Source Foundation of Apple's Operating Systems" - https://machaddr.substack.com/p/exploring-darwin-and-puredar...

Comment by pjmlp 2 hours ago

Apparently game, desktop and app devs aren't serious.

Comment by vehemenz 4 hours ago

No offense, but serious developers don’t think this way at all.

Comment by bel8 3 hours ago

For server side, which I believe is the context here, Linux and open source are king.

Even Microsoft gave up on Windows and just runs Linux for most things except niche cases. Heck, even SQL Server, which is an expensive piece of machinery, got ported to Linux and that's the default target now in their docs.

With that said, one can't deny Apple's success on the b2c side of things so it feels wrong to call their strategy a failure.

Comment by pjmlp 1 hour ago

Except the cloud isn't open source, the ones that matter to developers that is.

Which is why so many projects get burned with their license choices.

Comment by gf000 47 minutes ago

I don't see how this comment is relevant to parent's point. Sure, cloud is proprietary. But it is Linux for the vast majority.

Comment by pjmlp 32 minutes ago

Which is a Pyrrhic victory; when Linus and other founders are long gone, most of this generation actually, what will subsist are proprietary forks, just like what happened with UNIX System V.

Comment by tw04 4 hours ago

What is the alternative? They gave up the server market a decade ago and before that they barely actually supported it.

If they were to support darwin containers, what would be the point? Literally nobody would build to it, Linux won.

Comment by riffic 4 hours ago

> Literally nobody would build to it

Because nobody does CI/CD against macOS or iOS apps, right?

Comment by tw04 4 hours ago

And what is the revenue stream tied to that ci/cd pipeline they aren’t capturing today? Apple would sell less hardware in order to…?

There aren’t any app developers avoiding the Apple ecosystem because there aren’t Darwin containers. They don’t sell server hardware and by all accounts have no intention of ever reentering that space. So they’d spend a bunch of developer cycles to reduce their own revenue stream with no apparent upside beyond “goodwill” which they’ve never been overly concerned about.

Comment by m132 4 hours ago

Correct me if I'm wrong, but by the same logic, you could also say this whole containerization framework is of no use either.

If they're investing resources into it regardless, they might at least try making something that Docker for macOS and co. haven't solved the same exact way already. Something that, due to their almost unhealthy obsession with "system integrity", only they can realistically make. Like native containers.

Comment by tw04 4 hours ago

Supporting the containerization framework lets them sell more laptops to Linux devs that may have otherwise bought a Dell or HP or insert brand to run Linux natively on, or Windows with WSL.

Comment by MBCook 3 hours ago

Containers are REALLY REALLY popular. This is a great value-add for developers on Mac who need to deal with Linux containers.

Which is a ton of ‘em.

Comment by pjmlp 1 hour ago

They already support this scenario with Xcode Cloud; it is only a market for those that don't want to pay Apple for it.

Comment by ahknight 4 hours ago

[dead]

Comment by jzer0cool 2 hours ago

In the intro it mentions automatically mapping the user and home dir. So host files are accessible in the container. Any settings to control this?

Comment by a1o 6 hours ago

With colima I can run AMD64 (x86) Linux containers in my Arm64 too. I think this is strictly for Arm64 Linux VMs, or is there some way to run x86 with this too?

Comment by cpach 2 hours ago

What’s the performance when you do that?

Comment by frizlab 6 hours ago

Rosetta should be supported

Comment by whycombinetor 2 hours ago

Not for long!

Comment by commandersaki 2 hours ago

Very unlikely to lose support for Rosetta for Linux. Maybe just Rosetta 2 for mac apps.

Comment by beemboy 1 hour ago

Is this going to be good for AOSP builds on Macs?

Comment by ChrisArchitect 6 hours ago

WWDC presentation video:

Discover container machines

https://developer.apple.com/videos/play/wwdc2026/389/

Comment by ShinyLeftPad 1 hour ago

Can Podman support these eventually?

Comment by konaraddi 1 hour ago

Sounds like toolbox or distrobox for Mac!

Comment by CSDude 3 hours ago

I know it's not going to be there, but I wish we had Windows as well.

Comment by Cadwhisker 2 hours ago

Install Windows 11 ARM under the macOS "UTM" App. This lets you run x86 Windows programs on Apple silicon.

Comment by commandersaki 6 hours ago

Would be cool if you can redirect USB devices to the VM.

Comment by kdrag0n 6 hours ago

We just released this in OrbStack :) https://docs.orbstack.dev/features/usb

Blog post soon

Comment by blackqueeriroh 4 hours ago

What happened to Orbstack for like 9 months until earlier this year? Suddenly everything went silent for a bit and I was pretty concerned. Glad y’all are back!!!!

Comment by calebm 4 hours ago

Thank you for sharing this - I looked into OrbStack a few months ago, and this was the reason I didn't use it (as my primary purpose was to have an external wifi adapter for wifi pwnage).

Comment by commandersaki 5 hours ago

Yeah, I find this useful for redirecting storage/SD cards*, so you can format Linux filesystems or use other tools.

* (Need a USB SD card reader for the MacBook Pro because the built-in one is not USB.)

Comment by kdrag0n 4 hours ago

We're working on block device passthrough for the built-in SD reader.

Comment by rgovostes 3 hours ago

I've successfully tinkered with USB/IP with Apple containers, but it does require loading a custom kernel (which they make pretty easy, thankfully). On the host side, macOS also doesn't make it easy to unload a driver that attaches automatically.

Comment by egernst 5 hours ago

Agreed! There are some good improvements around Accessory Access in the Virtualization framework this year also. Check out: https://developer.apple.com/videos/play/wwdc2026/224/?time=2...

Comment by commandersaki 5 hours ago

I wonder if the custom virtio can be used to support attaching the built-in SD card readers on Macs which aren't exposed as USB.

Comment by sachinjoseph 5 hours ago

WSL-like implementation on macOS?

Comment by jbverschoor 2 hours ago

Just curious, Apple seems to copy OrbStack. Haven't they made an offer to acquire you guys?

Comment by zekrioca 2 hours ago

"LXC" for macOS?

Comment by itsneulook4 2 hours ago

Yeah but sitting in the tweak circles just to gather personal data about people to make them lose their minds is no bueno. Otipolfueriborsklineypoo

Comment by namegulf 6 hours ago

Would be nice if they also supported Intel-based Macs; what prevents that?

Comment by MBCook 6 hours ago

Apple won't support them with macOS 27, and it seems they announced this tool as part of this year's WWDC.

Basically: they’ve moved on.

Comment by danhon 6 hours ago

Allocation of a finite amount of engineering resources.

Comment by joshuat 6 hours ago

And a legitimate business interest to further incentivize the adoption of Apple Silicon devices. Same with Rosetta deprecation after macOS 27.

Comment by JumpCrisscross 6 hours ago

> a legitimate business interest to further incentivize the adoption of Apple Silicon devices

Apple has never been about supporting legacy platforms with new features. And with over a quarter of revenue and two fifths of Apple's gross profits coming from services, one could argue the incentives run either way.

Comment by crote 4 hours ago

Sure, but to what extent?

Enterprise ARM servers are still a niche product, and so are the ARM developer machines running Linux or Windows. Until this significantly changes, Apple will have to provide good x86 interop - or lose the developer market entirely.

Forcing people towards Apple silicon is of course an attractive approach when targeting the large portion of the market using their MacBooks as Facebook browsing machines, but (especially with the new MacBook Neo) what's going to happen when a large portion of the market for high-end MBPs disappears because it turned from the default no-brainer into a liability?

Comment by macintux 4 hours ago

> Until this significantly changes, Apple will have to provide good x86 interop - or lose the developer market entirely.

I'm very, very skeptical of this analysis. Certainly "entirely" is hyperbole.

Comment by solarkraft 1 hour ago

That’s a joke right? I’ve been developing software deployed on x86 servers on ARM Macs ever since they were released.

Comment by ForOldHack 5 hours ago

Rosetta 2. Rosetta was for Intel to emulate 68k, now if you could get Rosetta 2 to run under Rosetta, then you could run 68k, on an ARM, and if you could get the apple ][ emulator...

Comment by weikju 4 hours ago

Rosetta 1 was for emulating PPC not 68k

Comment by teaearlgraycold 6 hours ago

[flagged]

Comment by imglorp 4 hours ago

I'll defend, not cringe for everyone.

Daily driver is a 6-year-old, 32Mb MBP, and while it might not scream like an M5 or have the miraculous power draw of an M5, it gets my job done.

One nice thing is x86 containers run natively: I run most of my $work landscape, which is 40 or 50 k8s pods on top of Kind, which is itself a plain container. That mirrors my prod. That plus Slack, Zoom, FF with scores of tabs, etc., all while building Rust and playing music.

Comment by MBCook 3 hours ago

That is a far more useful reply than the GP comment. If they had stated something similar I don’t think they would’ve been downvoted.

Comment by teaearlgraycold 2 hours ago

Poe's Law and all that, but I was trolling/shitposting.

Comment by ncr100 5 hours ago

More power to ya!

Comment by Brian_K_White 6 hours ago

cringe is cringe

Comment by tonymet 2 hours ago

What FS mounts the Mac drives into the Linux container?

Comment by phplovesong 2 hours ago

It was unclear to me: is this a native replacement for Docker? I like Docker (on Mac) but it's quite the resource hog.

I usually run something like a DB, Redis, maybe something like RabbitMQ/ZeroMQ, and have an app that uses these services (Makefile/docker-compose).

I would love to switch if this in fact is a lightweight replacement.

Comment by masklinn 46 minutes ago

On the one hand yes, on the other hand there are already multiple lighter alternatives to Docker on Mac.

Comment by t1234s 5 hours ago

Is this similar to what Cygwin was for Windows? Could this be an alternative to Homebrew?

Comment by gigatexal 4 hours ago

I saw the video on this; this is basically distrobox for Mac. It's very cool. Seamless with your local files and the container. I'm very keen to try it.

Comment by michaelsbradley 4 hours ago

Can macOS be run as a container machine on macOS?

Comment by blackqueeriroh 4 hours ago

Yes

Comment by MBCook 3 hours ago

Yep. For a few years. And they keep enhancing it too.

It's the only legal way to do so, due to the software license on macOS.

Comment by riffic 5 hours ago

Darwin containers when?

Comment by m463 6 hours ago

Looks like Apple wrote a native Docker in Swift.

You can now run Linux containers on your Mac.

... but it could be better.

what about (totally contrived):

  FROM apple/macos:10.11.6

  RUN xcodebuild -project myapp.xcodeproj -scheme MyScheme -configuration Release

Comment by webXL 6 hours ago

Nice, but expect to page through a few pages of ToS during the build

Comment by m463 6 hours ago

lol

  ENV XCODE_FRONTEND=unattended
  ENV XCODE_LICENSES=accept,firstborn,applepay,appleid=sjobs@me.com

Comment by trollbridge 6 hours ago

Close - but it would be more like this:

  services:
    macos:
      image: dockurr/macos
      container_name: macos
      environment:
      VERSION: "15"

(And indecently slow.)

Comment by windowliker 6 hours ago

It would be wonderful if this ran on older versions of macOS, but according to the README they only support 26.

Comment by m463 4 hours ago

You do not understand... Not run on, run IN :)

I'm saying the older version of macOS could build/run INSIDE the container,

just like on an Ubuntu 24.04 system you can do:

  FROM ubuntu:16.04

or

  docker run ubuntu:16.04

and though I haven't tried it, I believe Docker can do ARM on x86 using an emulator (like Rosetta).

Comment by MBCook 3 hours ago

You can already run older versions of macOS inside a VM on macOS.

So it seems like in theory that should be doable if someone just made the container images right?

Comment by jadar 6 hours ago

I wish!

Comment by lzwjava 2 hours ago

[flagged]

Comment by sourcegrift 6 hours ago

[flagged]

Comment by al_borland 5 hours ago

macOS only needs to support the hardware it ships on, so of course Linux would have wider hardware support, but that doesn't really matter in context. The bigger question is what hardware do people actually want? I see most people drool over Apple hardware while not finding any suitable equivalent for the PC that they can install Linux on.

Framework is trying to close that gap with their new release, but we'll have to see how it is once people get their hands on it. I think it also comes at a price premium. There is always the ThinkPad route, but Lenovo burned just about every bridge with me a decade ago with things like Superfish. Where is the premium Linux laptop OEM that people can trust? Last I heard System76 was just rebranding Clevo hardware. What are people using? Dell? HP?

Comment by hollerith 6 hours ago

Sadly, Linux is much much less secure.

Comment by pixelatedindex 6 hours ago

This claim is so absurd that I need some sources.

Comment by armadyl 5 hours ago

The person you replied to is right, the "security" of Linux might as well be nonexistent compared to macOS and especially iOS/Android. Even the developers of Secureblue (https://secureblue.dev/) state that despite their hardening and mitigations Linux still lags far behind macOS (and possibly Windows) security-wise. The only Linux derivative that has proper security is Android, and even better GrapheneOS.

https://privsec.dev/posts/linux/linux-insecurities/

https://madaidans-insecurities.github.io/linux.html

I also commented here on Linux phones, the same can apply to Linux as a desktop OS: https://news.ycombinator.com/item?id=46997397

Also on top of that Linux/Windows laptops also lack the hardware-backed security that Macs and to an extent some Chromebooks have.

Comment by JumpCrisscross 6 hours ago

Linux is easier to misconfigure. Macs resist being misconfigured insecurely. At their tightest, I'd say neither is fundamentally more insecure than the other. (The exception would be M5-based Macs, which come with MIE. Though that isn't a macOS vs Linux thing per se.)

Comment by armadyl 5 hours ago

This is incorrect; macOS is fundamentally more secure than desktop Linux operating systems and it isn't particularly close.

No amount of Linux hardening will get a system even close to an M-chip Mac. Software insecurities aside, desktop Linux OS systems have almost none of the hardware-backed security benefits that Macs do.

Comment by TimTheTinker 5 hours ago

At some point, lack of security becomes a feature. A fully secure, locked-down, T2 attested macOS is able to be controlled not just by Apple, but by increasingly evil governments, with no recourse available to users.

Comment by armadyl 5 hours ago

Conversely, a Linux system with no verified boot can be easily tampered with, without the user detecting it, by people lower than the government such as casual hackers. So in a world where your government is going crazy, you're opting for an operating system that can be penetrated with relative ease (e.g. with persistent root malware) by a non-government hacker on top of a state-backed one.

Comment by JumpCrisscross 5 hours ago

I'd also guess it's much harder to securely source components for a Linux build in the way Apple is able to.

Comment by armadyl 4 hours ago

It's not really about supply chain security, it's about the hardware itself. PC manufacturers in general just can't keep up since they don't have full control/integration over the hardware stack like Apple does. Also CPU, secure element, etc. security is limited, but Qualcomm is catching up pretty quickly I believe, if they aren't there already. We won't talk about Intel and AMD. But that's beyond my knowledge so I can't say anything too specific; that's just what I have from general knowledge. I'm sure someone will jump in with additional info if needed.

I don't think Apple is particularly any more secure against the US government than Intel is with supply chain vulnerabilities but I have nothing to back that up with aside from vibes.

Comment by dvhh 4 hours ago

Security by obscurity worked quite well.

Comment by xiaodai 4 hours ago

So basically Docker.

Comment by jwlake 4 hours ago

Haven't we had Hypervisor.framework for, like, years now?

Comment by itsneulook4 2 hours ago

that thepolfus and the Otis and the bors and the alschweid and pretty much anyone in old the the gs gangstalk or just getting people info to sit in the same room as them to try and makr them go crazy deserve to brave hart quartered

Comment by khazhoux 1 hour ago

Try unplugging your keyboard and then plugging it back in.

Comment by Barbing 6 hours ago

I found it hard to believe I didn’t have a simple way of staying safe by installing an arbitrary application in a sandbox on macOS. (Restoring using Time Machine doesn’t count! :) )

This is a step in the right direction but requires any given developer’s buy-in first, right?