top | item 41423187


kdrag0n | 1 year ago

It's a shared VM and kernel, so the security boundary between containers is only as strong as typical Linux containers, and we don't really use the VM as a strong security boundary right now. The security model is similar to running Docker containers on a native Linux machine for development.

Admin privileges aren't required on the macOS side. You can optionally allow a privileged helper for some small niceties, but the VM process never runs as root.

The virtualization stack is custom, which allows for a lot of performance and stability improvements. It's not Virtualization.framework or QEMU.

Containers don't require virtualization, so Docker-in-Docker works. Not sure what you mean by Docker-out-of-Docker, but you can run Docker in OrbStack Linux machines, and you can use the managed engine from macOS.


pgphn | 1 year ago

Is there an example somewhere of how to do Docker-in-Docker with Orbstack? I have given this a try but there does not seem to be a docker.sock (or equivalent) to mount so no way to spawn containers at the “host level” from inside a container. Maybe my mental model of Orbstack is wrong here and there is no need for a mounted socket at all?

bakhtiari_rev | 1 year ago

I'm not completely sure about the use case of Docker-out-of-Docker (maybe CI, probably), but I guess a sibling container (a CI agent, maybe) has access to docker.sock and controls other sibling containers, which I guess (haven't tried yet) is possible with the current implementation of OrbStack.
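The Docker-out-of-Docker pattern discussed in this thread works by bind-mounting the engine's docker.sock into a sibling container, and a container holding that socket can control every other container on the shared engine. Below is an added example (not code from the thread or from OrbStack) that audits which containers have the socket mounted; the input is a constructed sample in the one-line-per-mount format a `docker inspect` template would produce, and the container names are made up.

```shell
#!/bin/sh
# Added example: list containers that bind-mount the host Docker socket.
# Such a container is effectively root on the engine's VM, so it deserves
# the same scrutiny as a privileged container.

# Constructed sample input: "<container> <source>:<destination>" per mount.
# Names and paths are invented for the example.
SAMPLE_MOUNTS='ci-agent /var/run/docker.sock:/var/run/docker.sock
ci-agent /home/ci/work:/work
web /srv/www:/usr/share/nginx/html
dind-worker /var/lib/docker:/var/lib/docker'

# socket_mounted_containers MOUNTS
#   Prints, one per line and de-duplicated, the names of containers whose
#   mount source is a docker.sock file (any directory, typically /var/run).
socket_mounted_containers() {
    printf '%s\n' "$1" | awk '
        # Field 1 is the container name, field 2 is "source:destination".
        $2 ~ /(^|\/)docker\.sock:/ { print $1 }
    ' | sort -u
}

# For a live audit, the same format can be produced from a running engine
# (assumed Go template; .Name carries a leading slash that awk tolerates):
#   docker inspect --format \
#     '{{$n:=.Name}}{{range .Mounts}}{{$n}} {{.Source}}:{{.Destination}}{{"\n"}}{{end}}' \
#     $(docker ps -q) | socket_mounted_containers "$(cat)"

socket_mounted_containers "$SAMPLE_MOUNTS"
```

On the constructed sample only `ci-agent` is reported; `dind-worker` mounts the engine's data directory, which is a different exposure that this check does not cover.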