emadda | 8 months ago
Linux container processes run on the host kernel with extra sandboxing. The container image is an easily sharable and runnable bundle.
macOS .app bundles are kind of like container images.
You can sign them to ensure they are not modified, and put them into the “registry” (App Store).
The Swift ABI ensures it will likely run against future macOS versions, like the Linux system APIs.
There is a sandbox system to restrict file and network access. Any started processes inherit the sandbox, like containers.
One thing missing is fine-grained network rules though - I think the sandbox can just define “allow outbound/inbound”.
Obviously “.app”s are not exactly like container images, but they do cover many of the same features.
xyzzy_plugh|8 months ago
You don't get that in macOS. It's more of a jail than a sandbox. For example, as an app you can't, as far as I know, shell out and install homebrew and then invoke homebrew and install, say, postgres, and run it, all without affecting the user's environment. I think that's what people mean when they say macOS lacks native containers.
emadda|8 months ago