Hacker News

228 points by timsneath 3 hours ago | 89 comments

To clarify a few comments here: this is not only OCI containers: container machines add support for persistence and filesystem mounting, making container machines a great lightweight Linux environment for developers using macOS. More details here: https://developer.apple.com/videos/play/wwdc2026/389

Onavo 2 hours ago

Ah, the Darwin/BSD Subsystem for Linux.

CGamesPlay 57 minutes ago

Not quite, it’s still a VM. And while it supports virtio balloon for growing RAM, it doesn’t yet support releasing that RAM back to the host. And there isn’t a convenient way to shrink the sparse disk images as they grow yet, either.

AlexB138 52 minutes ago

Isn't the Windows subsystem for Linux (the reference there) also a VM?

gsnedders 49 minutes ago

Only WSL2; WSL1 was an actual subsystem.

selcuka 43 minutes ago

So this is Darwin/BSD Subsystem for Linux 2.

LoganDark 15 minutes ago

WSL1 was so cool, WSL2 made it boring and isolated.

TylerE 10 minutes ago

Back in my day you to to download a couple GB worth of cygwin, and that wasn't an actual environment, basically just a GNU toolchain compiled for windows. But it got you like....grep and bash and stuff that ran natively on windows which was kinda cool.

_blk 3 minutes ago

... Now it's just called git bash

jayd16 50 minutes ago

Mac Subsystem for Linux 2

m132 18 minutes ago

Every time I see Apple flaunting Linux containers I can hardly consider it as anything but admitting defeat. It could easily be Darwin, if they still had the capacity.

groundzeros2015 2 minutes ago

Just change 30 years of internet history

ahknight 2 minutes ago

[dead]

cogman10 17 minutes ago

Is there any reason why macOS doesn't try a WSL1 style approach? I get why that didn't fully work out for windows, but it seems like macOS being another *nix would make a lot of what was hard for windows, easy for mac. It seems like it should be possible to run most linux applications natively on macOS with few additional new APIs.

BSD actually has this already.

twoodfin 5 minutes ago

What would be the advantages over a VM infrastructure Apple needs anyway and that has a much simpler, more stable “ABI” compared to the Linux kernel?

blahgeek 2 hours ago

OrbStack works really well for me. I wonder how it’s compared to this performance wise

kdrag0n 2 hours ago

(OrbStack dev here.) Instead of Virtualization.framework, we have a custom Rust virtualization stack with custom devices and protocols for things like filesystem sharing. It's a highly optimized vertically integrated stack specifically for running our Linux machines and containers.

Our biggest perf/resource gain is dynamic memory, which reduces memory usage a lot by releasing unused memory back to macOS. Nothing else supports this, including Containerization.

I gave Container Machines a try and it seems to be much closer to OCI containers with a default bind mount than OrbStack machines. It has fewer integrations and doesn't run systemd or any other normal init system, so it's hard to run services.

mescalito 26 minutes ago

Super happy orbstack customer. Just curious on your statement:

> I gave Container Machines a try and it seems to be much closer to OCI containers with a default bind mount than OrbStack machines. It has fewer integrations and doesn't run systemd or any other normal init system, so it's hard to run services.

The linked md document says:

> Real Linux services for testing. Run a database or whatever your stack needs as a system service — systemctl start postgresql works on images with systemd installed.

Was that not the case when you used container machines?

kdrag0n 7 minutes ago

That's my bad, I used the example alpine commands and the official alpine doesn't have init. It's supported if you build an image with systemd installed

CGamesPlay 49 minutes ago

> Our biggest perf/resource gain is dynamic memory, which reduces memory usage a lot by releasing unused memory back to macOS. Nothing else supports this, including Containerization.

Wow, missed this when reviewing OrbStack. I assumed that you just used Containerization and therefore would have the same limitation.

trueno 41 minutes ago

just dropping in to say orbstack super owns and i use it every day. huge respect to rethinking this experience, for a minute there i thought docker was just going to be the only path. i dont think ive looked back for docker since. orbstack just feels right, and damn its so fast and good with resources, and the UI is just insanely straight forward. props!

TheTaytay 32 minutes ago

We love OrbStack too! Thank you for it,

I wanted to make its VM/machine our default secure agent sandbox, but I couldn’t figure out how to isolate this VM from the host properly. This thread prompted me to find the issue though, and I saw this was recently implemented! https://github.com/orbstack/orbstack/issues/169

kdrag0n 29 minutes ago

Yep! Still refining it but isolated machines now have fine-grained settings for filesystem mounts, network isolation, SSH agent forwarding, and CPU/memory/disk limits

egernst 2 hours ago

Thanks for the info kdrag0n! Big fan of OrbStack; good call out on dynamic memory.

If the guest image has /sbin/init, we use that.

We'd recommend using a base image for the guest that includes systemd. ie: https://github.com/apple/container/blob/main/docs/container-...

kxxx 2 hours ago

Apple says that `systemctl` is supported... hmm am I missing something?

"Real Linux services for testing. Run a database or whatever your stack needs as a system service — systemctl start postgresql works on images with systemd installed."

kdrag0n 2 hours ago

Good catch, I tried the example alpine commands and there was no init system. Makes sense if it's based on OCI images

kxxx 54 minutes ago

Just tested it on on an OCI image with systemd and it works well. I can see the appeal of OrbStack regarding memory reallocation and will stick with it in the time being :)

saltamimi 58 minutes ago

I know this is off topic, but I do thank you for your Android work, the idea and elegance of fastboot.js and that SafetyNet workaround trick was truly really cool.

kdrag0n 55 minutes ago

Ahh those were good times, glad you came across it :)

jhancock 58 minutes ago

I’ve been using podman on Mac. It’s been a nice fit as the container build files are identical to what I use on my fedora server. I have noticed my 2 virtual core 4 gb Linode vps runs apps faster in the same container as when run on my MacBook Air M2 16 gb. I expected some performance overhead but didn’t think it would be noticeable as it is. Overall happy with podman. How might OrbStack differ?

thatxliner 53 minutes ago

Having used both, it feels like OrbStack "just works" more than Podman. The main example of this is Supabase.

vsgherzi 52 minutes ago

I love orbstack, is there any code I could read on the rust side? Seems very interesting

cpuguy83 23 minutes ago

Not a full docker env, I aimed this as doing builds though you can run dockerd as an option, https://github.com/cpuguy83/crucible uses the containerization framework to run either build kitd or dockerd and wire it up to docker/buildx cli (or whatever client tooling you want to use).

The Containerization framework is a library that sits as a layer on top of the virtualization framework. So each container is its own VM.

Machine is tooling above the containerization framework to run multiple things in a container in a vm.

emmelaich 46 minutes ago

I'd like to see a comparison to https://tart.run/ as well.

AFAICT it's pretty similar.

kxxx 2 hours ago

I really like OrbStack and am also not sure why I'd use Container Machines over it, at the moment...

WatchDog 2 hours ago

Do these containers share a common kernel? Or are they each ran in a separate VM?

Edit: It's a VM per container. https://github.com/apple/container/blob/main/docs/technical-...

osigurdson 42 minutes ago

I'm surprised they cared enough to do this. I'd still rather use Linux but MacBook value is incredible.

marssaxman 16 minutes ago

I'd always rather use Linux, but sometimes your employer gives you a MacBook. I might use this tool.

llimllib 2 hours ago

Is this new? I thought we had this already

In my testing (iirc) filesystem performance was not good enough to be usable with node/rust dev where lots of small files get stat-ed

update: what's new is the `container machine` subcommand. I went to test it out, but container failed to run at all for me: https://github.com/apple/container/issues/1681

kdrag0n 50 minutes ago

Curious if you've tried OrbStack? There's always more work to do (test workloads appreciated!) but we've put a lot of effort into optimizing for small files and other common developer workloads in OrbStack's customized filesystem sharing protocol (not standard virtiofs).

numbsafari 2 hours ago

Wouldn’t it be nice if services like Codespaces or Coder or Gitlab would allow you to target running on their hosted/integrated platform, or let you launch that same container completely locally? Sometimes I wanna take my “remote” dev environment off-line but still benefit from the integrated UX.

RossBencina 48 minutes ago

This exists. It's called devcontainers and there is a cli for managing it locally.

https://github.com/devcontainers/ https://containers.dev/

CGamesPlay 54 minutes ago

If you can express that operation in Terraform, then Coder would let you do that. First problems I can think of are connectivity from the Coder provisioner to your local machine (Tailscale? Local?), and migrating disk images if you want to actually switch a workspace between environments (local provisioner could do this, but no matter what it’ll be slow and janky).

jayd16 48 minutes ago

Maybe I don't understand but why doesn't Gitlabs self hosted setup work?

jaimehrubiks 2 hours ago

Will this be able to replace docker desktop an equivalents, removing the expensive Linux VM that runs alongside them?

usernametaken29 2 hours ago

My first thought as well, docker desktop overhead is pretty bad, would be awesome to see this land natively in DD. By my estimate this could happen, seeing as Docker has historically tried to improve performance but quickly had to accept platform limitations… would only be natural to settle DD over to containers

deathanatos 2 hours ago

Well, you can avoid the Docker Desktop tax by not running Docker Desktop. colima is a perfectly usable implementation of Docker for macOS, without the bloat of Docker Desktop.

That said, colima still has the expensive VM that upthread is mentioning.

TimTheTinker 54 minutes ago

OrbStack is great also

lostlogin 2 hours ago

Others here mention it and I’m a new convert to Colima.

The pain of working around Docker Desktop is bad.

thejazzman 2 hours ago

It mostly removes the big shared background VM and replaces it with smaller, more isolated Apple-native VMs.

I did an experiment migrating my Podman workload to Apple's container @ https://gist.github.com/jmonster/39e14585e107dbf990a90966c0f...

TL;DR reduces ram/storage usage; minimizes it's existence

deathanatos 2 hours ago

How does that work, realistically?

> Memory defaults to half of host memory

That's the most expensive part of the whole transaction, b/c AFAIK, RAM is then dedicated to the VM. It can be swapped out, I suppose, but that's not great.

trollbridge 2 hours ago

That sure would be nice. I seem to rm -rf ~/.colima every few days.

Barbing 2 hours ago

I found it hard to believe I didn’t have a simple way of staying safe by installing an arbitrary application in a sandbox on macOS. (Restoring using Time Machine doesn’t count! :) )

This is a step in the right direction but requires any given developer’s buy-in first, right?

0xbadcafebee 35 minutes ago

Anyone know why you would use this instead of QEMU+Lima+Colima+Docker/containerd? The latter works on multiple OSes, has a very large ecosystem of tools, images, documentation, and lets you replace pieces as needed

a1o 2 hours ago

With colima I can run AMD64 (x86) Linux containers in my Arm64 too. I think this is strictly for Arm64 Linux VMs, or is there some way to run x86 with this too?

frizlab 2 hours ago

Rosetta should be supported

t1234s 17 minutes ago

Is this similar to what cygwin was for windows? Could this be an alternative to homebrew?

ChrisArchitect 2 hours ago

WWDC presentation video:

Discover container machines

https://developer.apple.com/videos/play/wwdc2026/389/

commandersaki 2 hours ago

Would be cool if you can redirect USB devices to the VM.

kdrag0n 2 hours ago

We just released this in OrbStack :) https://docs.orbstack.dev/features/usb

Blog post soon

commandersaki 35 minutes ago

Yeah I find this useful for redirecting storage/sdcard*, so you can format linux filesystems or use other tools.

* need a usb sdcard reader for macbook pro cause the builtin is not usb)

egernst 2 hours ago

Agreed! There's some good improvements around Accessory Access in virtualization framework this year also - checkout: https://developer.apple.com/videos/play/wwdc2026/224/?time=2...

commandersaki 22 minutes ago

I wonder if the custom virtio can be used to support attaching the built-in sdcard readers on macs which aren't exposed as usb.

sachinjoseph 52 minutes ago

WSL-like implementation on macOS?

namegulf 2 hours ago

Would be nice if they also support Intel based macs, what prevents?

danhon 2 hours ago

Allocation of a finite amount of engineering resources.

joshuat 2 hours ago

And a legitimate business interest to further incentivize the adoption of Apple Silicon devices. Same with Rosetta deprecation after macOS 27.

JumpCrisscross 2 hours ago

> a legitimate business interest to further incentivize the adoption of Apple Silicon devices

Apple has never been about supporting legacy platforms with new features. And with over a quarter of revenue and two fifths of Apple's gross profits coming from services, one could argue the incentives run either way.

ForOldHack 34 minutes ago

Rosetta 2. Rosetta was for Intel to emulate 68k, now if you could get Rosetta 2 to run under Rosetta, then you could run 68k, on an ARM, and if you could get the apple ][ emulator...

MBCook 2 hours ago

Apple won’t support them with MacOS 27, and it seems they announced this tool as part of this year’s WWDC.

Basically: they’ve moved on.

teaearlgraycold 2 hours ago

Intel Macs are cringe.

Edit: I grow stronger with each downvote

imglorp 2 minutes ago

I'll defend, not cringe for everyone.

Daily driver is a 6yo, 32Mb mbp and it might not scream like an M5 or have the miraculous power draw of an M5, it gets my job done.

One nice thing is x86 containers run natively: I run most of my $work landscape which is 40 or 50 k8s pods on top of Kind, which is itself a plain container. That mirrors my prod. That plus slack, zoom, ff with scores of tabs, etc. all while building rust and playing music.

ncr100 29 minutes ago

More power to ya!

Brian_K_White 2 hours ago

cringe is cringe

riffic 51 minutes ago

darwin containers when?

m463 2 hours ago

looks like apple wrote a native docker in swift

you can now run linux containers on your mac

... but it could be better.

what about (totally contrived):

  FROM apple/macos:10.11.6

  RUN xcodebuild -project myapp.xcodeproj -scheme MyScheme -configuration Release

trollbridge 2 hours ago

Close - but it would be more like this:

  services:
    macos:
      image: dockurr/macos
      container_name: macos
      environment:
        VERSION: "15"

(And indecently slow.)

webXL 2 hours ago

Nice, but expect to page through a few pages of ToS during the build

m463 2 hours ago

lol

  ENV XCODE_FRONTEND=unattended
  ENV XCODE_LICENSES=accept,firstborn,applepay,appleid=sjobs@me.com

windowliker 2 hours ago

It would be wonderful if this ran on older versions of macOS, but according to the README they only support 26.

jadar 2 hours ago

i wish!

sourcegrift 2 hours ago

[flagged]

al_borland 32 minutes ago

macOS only needs to support the hardware it ships on, so of course Linux would have wider hardware support, but that doesn’t really matter in context. The bigger question is what hardware to people actually want? I see most people drool over Apple hardware while not finding any suitable equivalent for the PC that they can install Linux on.

Framework is trying to close that gap with their new release, but we’ll have to see how it is once people get their hands on it. I think it also comes at a price premium. There is always the Thinkpad route, but Lenovo burned just about every bridge with me a decade ago with things like Superfish. Where is the premium Linux laptop OEM that people can trust? Last I heard System76 was just rebranding Clevo hardware. What are people using? Dell? HP?

hollerith 2 hours ago

Sadly, Linux is much much less secure.

pixelatedindex 2 hours ago

This claim is so absurd that I need some sources.

armadyl 57 minutes ago

The person you replied to is right, the "security" of Linux might as well be nonexistent compared to macOS and especially iOS/Android. Even the developers of Secureblue (https://secureblue.dev/) state that despite their hardening and mitigations Linux still lags far behind macOS (and possibly Windows) security-wise. The only Linux derivative that has proper security is Android, and even better GrapheneOS.

https://privsec.dev/posts/linux/linux-insecurities/

https://madaidans-insecurities.github.io/linux.html

I also commented here on Linux phones, the same can apply to Linux as a desktop OS: https://news.ycombinator.com/item?id=46997397

Also on top of that Linux/Windows laptops also lack the hardware-backed security that Macs and to an extent some Chromebooks have.

JumpCrisscross 2 hours ago

Linux is easier to misconfigure. Macs resists being misconfigured insecurely. At their tightest, I'd say neither is fundamentally more insecure than the other. (The exception would be M5-based Macs, which come with MIE. Though that isn't a macOS vs Linux thing per se.)

armadyl 56 minutes ago

This is incorrect macOS is fundamentally more secure than desktop Linux operating systems and it isn't particularly close.

No amount of Linux hardening will get a system even close to an M-chip Mac. Software insecurities aside, desktop Linux OS systems have almost none of the hardware-backed security benefits that Macs do.

TimTheTinker 52 minutes ago

At some point, lack of security becomes a feature. A fully secure, locked-down, T2 attested macOS is able to be controlled not just by Apple, but by increasingly evil governments, with no recourse available to users.

armadyl 45 minutes ago

Conversely, a Linux system with no verified boot can be easily tampered with without the user detecting it by people lower than the government such as casual hackers. So in a world where your government is going crazy, you're opting for an operating system that can be penetrated with relative ease (e.g. with persistent root malware) both by a non-government hacker on top of a state backed one.

JumpCrisscross 29 minutes ago

I'd also guess it's much harder to securely source components for a Linux build in the way Apple is able to.