To clarify a few comments here: this is not only OCI containers: container machines add support for persistence and filesystem mounting, making container machines a great lightweight Linux environment for developers using macOS. More details here: https://developer.apple.com/videos/play/wwdc2026/389
Onavo 45 minutes ago [-]
Ah, the Darwin/BSD Subsystem for Linux.
CGamesPlay 24 minutes ago [-]
Not quite, it’s still a VM. And while it supports virtio balloon for growing RAM, it doesn’t yet support releasing that RAM back to the host. And there isn’t a convenient way to shrink the sparse disk images as they grow yet, either.
AlexB138 19 minutes ago [-]
Isn't the Windows subsystem for Linux (the reference there) also a VM?
gsnedders 16 minutes ago [-]
Only WSL2; WSL1 was an actual subsystem.
selcuka 10 minutes ago [-]
So this is Darwin/BSD Subsystem for Linux 2.
jayd16 17 minutes ago [-]
Mac Subsystem for Linux 2
osigurdson 9 minutes ago [-]
I'm surprised they cared enough to do this. I'd still rather use Linux but MacBook value is incredible.
WatchDog 47 minutes ago [-]
Do these containers share a common kernel? Or are they each run in a separate VM?
OrbStack works really well for me. I wonder how it compares to this performance-wise.
kdrag0n 47 minutes ago [-]
(OrbStack dev here.) Instead of Virtualization.framework, we have a custom Rust virtualization stack with custom devices and protocols for things like filesystem sharing. It's a highly optimized vertically integrated stack specifically for running our Linux machines and containers.
Our biggest perf/resource gain is dynamic memory, which reduces memory usage a lot by releasing unused memory back to macOS. Nothing else supports this, including Containerization.
I gave Container Machines a try and it seems to be much closer to OCI containers with a default bind mount than OrbStack machines. It has fewer integrations and doesn't run systemd or any other normal init system, so it's hard to run services.
trueno 8 minutes ago [-]
Just dropping in to say OrbStack super owns and I use it every day. Huge respect for rethinking this experience; for a minute there I thought Docker was just going to be the only path. I don't think I've looked back to Docker since. OrbStack just feels right, and damn, it's so fast and good with resources, and the UI is just insanely straightforward. Props!
CGamesPlay 16 minutes ago [-]
> Our biggest perf/resource gain is dynamic memory, which reduces memory usage a lot by releasing unused memory back to macOS. Nothing else supports this, including Containerization.
Wow, missed this when reviewing OrbStack. I assumed that you just used Containerization and therefore would have the same limitation.
egernst 34 minutes ago [-]
Thanks for the info kdrag0n! Big fan of OrbStack; good call out on dynamic memory.
I’ve been using podman on Mac. It’s been a nice fit as the container build files are identical to what I use on my Fedora server. I have noticed my 2 virtual core, 4 GB Linode VPS runs apps faster in the same container than when run on my MacBook Air M2 16 GB. I expected some performance overhead but didn’t think it would be as noticeable as it is. Overall happy with podman. How might OrbStack differ?
thatxliner 20 minutes ago [-]
Having used both, it feels like OrbStack "just works" more than Podman. The main example of this is Supabase.
saltamimi 24 minutes ago [-]
I know this is off topic, but I do thank you for your Android work, the idea and elegance of fastboot.js and that SafetyNet workaround trick was truly really cool.
kdrag0n 22 minutes ago [-]
Ahh those were good times, glad you came across it :)
kxxx 32 minutes ago [-]
Apple says that `systemctl` is supported... hmm am I missing something?
"Real Linux services for testing. Run a database or whatever your stack needs as a system service — systemctl start postgresql works on images with systemd installed."
kdrag0n 28 minutes ago [-]
Good catch, I tried the example Alpine commands and there was no init system. Makes sense if it's based on OCI images.
kxxx 21 minutes ago [-]
Just tested it on an OCI image with systemd and it works well. I can see the appeal of OrbStack regarding memory reallocation and will stick with it for the time being :)
vsgherzi 19 minutes ago [-]
I love OrbStack. Is there any code I could read on the Rust side? Seems very interesting.
Curious if you've tried OrbStack? There's always more work to do (test workloads appreciated!) but we've put a lot of effort into optimizing for small files and other common developer workloads in OrbStack's customized filesystem sharing protocol (not standard virtiofs).
numbsafari 31 minutes ago [-]
Wouldn’t it be nice if services like Codespaces or Coder or Gitlab would allow you to target running on their hosted/integrated platform, or let you launch that same container completely locally? Sometimes I wanna take my “remote” dev environment off-line but still benefit from the integrated UX.
RossBencina 15 minutes ago [-]
This exists. It's called devcontainers and there is a cli for managing it locally.
If you can express that operation in Terraform, then Coder would let you do that. First problems I can think of are connectivity from the Coder provisioner to your local machine (Tailscale? Local?), and migrating disk images if you want to actually switch a workspace between environments (local provisioner could do this, but no matter what it’ll be slow and janky).
jayd16 15 minutes ago [-]
Maybe I don't understand, but why doesn't GitLab's self-hosted setup work?
jaimehrubiks 1 hour ago [-]
Will this be able to replace Docker Desktop and equivalents, removing the expensive Linux VM that runs alongside them?
thejazzman 1 hour ago [-]
It mostly removes the big shared background VM and replaces it with smaller, more isolated Apple-native VMs.
deathanatos 29 minutes ago [-]
How does that work, realistically?
> Memory defaults to half of host memory
That's the most expensive part of the whole transaction, b/c AFAIK, RAM is then dedicated to the VM. It can be swapped out, I suppose, but that's not great.
usernametaken29 55 minutes ago [-]
My first thought as well, docker desktop overhead is pretty bad, would be awesome to see this land natively in DD. By my estimate this could happen, seeing as Docker has historically tried to improve performance but quickly had to accept platform limitations… would only be natural to settle DD over to containers
deathanatos 33 minutes ago [-]
Well, you can avoid the Docker Desktop tax by not running Docker Desktop. colima is a perfectly usable implementation of Docker for macOS, without the bloat of Docker Desktop.
That said, colima still has the expensive VM that upthread is mentioning.
TimTheTinker 21 minutes ago [-]
OrbStack is great also
lostlogin 48 minutes ago [-]
Others here mention it and I’m a new convert to Colima.
The pain of working around Docker Desktop is bad.
trollbridge 1 hour ago [-]
That sure would be nice. I seem to rm -rf ~/.colima every few days.
Barbing 39 minutes ago [-]
I found it hard to believe I didn’t have a simple way of staying safe by installing an arbitrary application in a sandbox on macOS. (Restoring using Time Machine doesn’t count! :) )
This is a step in the right direction but requires any given developer’s buy-in first, right?
a1o 60 minutes ago [-]
With colima I can run AMD64 (x86) Linux containers on my Arm64 machine too. I think this is strictly for Arm64 Linux VMs, or is there some way to run x86 with this too?
frizlab 50 minutes ago [-]
Rosetta should be supported
sachinjoseph 19 minutes ago [-]
WSL-like implementation on macOS?
commandersaki 37 minutes ago [-]
Would be cool if you can redirect USB devices to the VM.
Would be nice if they also supported Intel-based Macs; what prevents that?
MBCook 42 minutes ago [-]
Apple won’t support them with MacOS 27, and it seems they announced this tool as part of this year’s WWDC.
Basically: they’ve moved on.
danhon 60 minutes ago [-]
Allocation of a finite amount of engineering resources.
joshuat 57 minutes ago [-]
And a legitimate business interest to further incentivize the adoption of Apple Silicon devices. Same with Rosetta deprecation after macOS 27.
ForOldHack 37 seconds ago [-]
Rosetta 2. Rosetta was for Intel to emulate 68k, now if you could get Rosetta 2 to run under Rosetta, then you could run 68k, on an ARM, and if you could get the apple ][ emulator...
JumpCrisscross 40 minutes ago [-]
> a legitimate business interest to further incentivize the adoption of Apple Silicon devices
Apple has never been about supporting legacy platforms with new features. And with over a quarter of revenue and two fifths of Apple's gross profits coming from services, one could argue the incentives run either way.
Or ... Just use linux. No lock in. Better hardware support. Better UI (believe it or not!)
And much better security but no marketing budget so low information people think macs are more secure. Macs are also known to market specifically to low information people.
hollerith 54 minutes ago [-]
Sadly, Linux is much much less secure.
pixelatedindex 51 minutes ago [-]
This claim is so absurd that I need some sources.
armadyl 24 minutes ago [-]
The person you replied to is right, the "security" of Linux might as well be nonexistent compared to macOS and especially iOS/Android. Even the developers of Secureblue (https://secureblue.dev/) state that despite their hardening and mitigations Linux still lags far behind macOS (and possibly Windows) security-wise. The only Linux derivative that has proper security is Android, and even better GrapheneOS.
Also on top of that Linux/Windows laptops also lack the hardware-backed security that Macs and to an extent some Chromebooks have.
JumpCrisscross 35 minutes ago [-]
Linux is easier to misconfigure. Macs resist being misconfigured insecurely. At their tightest, I'd say neither is fundamentally more insecure than the other. (The exception would be M5-based Macs, which come with MIE. Though that isn't a macOS vs Linux thing per se.)
armadyl 23 minutes ago [-]
This is incorrect; macOS is fundamentally more secure than desktop Linux operating systems, and it isn't particularly close.
No amount of Linux hardening will get a system even close to an M-chip Mac. Software insecurities aside, desktop Linux OS systems have almost none of the hardware-backed security benefits that Macs do.
TimTheTinker 18 minutes ago [-]
At some point, lack of security becomes a feature. A fully secure, locked-down, T2 attested macOS is able to be controlled not just by Apple, but by increasingly evil governments, with no recourse available to users.
armadyl 12 minutes ago [-]
Conversely, a Linux system with no verified boot can be easily tampered with without the user detecting it by people lower than the government such as casual hackers. So in a world where your government is going crazy, you're opting for an operating system that can be penetrated with relative ease (e.g. with persistent root malware) both by a non-government hacker on top of a state backed one.
Edit: It's a VM per container. https://github.com/apple/container/blob/main/docs/technical-...
If the guest image has /sbin/init, we use that.
We'd recommend using a base image for the guest that includes systemd. ie: https://github.com/apple/container/blob/main/docs/container-...
AFAICT it's pretty similar.
In my testing (IIRC) filesystem performance was not good enough to be usable with Node/Rust development, where lots of small files get stat-ed.
update: what's new is the `container machine` subcommand. I went to test it out, but container failed to run at all for me: https://github.com/apple/container/issues/1681
https://github.com/devcontainers/ https://containers.dev/
https://privsec.dev/posts/linux/linux-insecurities/
https://madaidans-insecurities.github.io/linux.html
I also commented here on Linux phones, the same can apply to Linux as a desktop OS: https://news.ycombinator.com/item?id=46997397