jchw 14 hours ago

This... is actually pretty great to have. Very cool.

That said... It really just makes me bummed about the lack of good support for container and sandboxing technology on macOS. I know, totally different thing. But still, we'll probably never have a "native" Docker/Podman/etc. on macOS, and things like the Bazel or Nix sandbox are significantly less effective on macOS due to there just being fewer kernel APIs for isolating resources. E.g., there are no network namespaces. I get why, but it's surprising how limiting not having network namespaces is once you have used a platform that has an equivalent to this. For Nix it's really tricky since a lot of things need at least a working localhost inside the sandbox. I am sure increasing the surface area of XNU is not a serious consideration, for good reasons, but it's a bit of a shame.

vbezhenar 12 hours ago

There are Windows containers and I don't think that most developers using Docker on Windows are even aware of them.

IMO it's kind of good to have Linux as a unified container platform. It's easy to run a Linux application in a Windows or macOS VM. It's hard from the licensing perspective to run a Windows VM and it's very hard to run a macOS VM.

jchw 10 hours ago

I think it's just that Windows Containers are a lot unlike Linux Docker containers; they're not useless, but they're very different. I don't think Darwin containers have to be so different from Linux containers, not the least of which because Darwin is UNIX. It would be a lot more like if you ported Docker to run natively on BSD than Windows, since it basically is that.

An easy solution to the licensing issue is just having an open source userland that you can use, which Darwin sorta does. That said, since XNU syscalls are not stable, there is some awkwardness here. Either they would need to be made stable somehow (e.g. by providing something like personalities, where different processes get different syscall behavior) or the runtime would need to drop libc/base libraries in from the sky and containers would just need to assume they're available at a specific location. Either thing seems quite viable if Apple wanted to do it, IMO.

pjmlp 11 hours ago

We are very much aware; they are commonly used on deployments used in Windows Server.

Typical examples: Sitecore, SharePoint, Dynamics, Optimizely, COM services, SQL Server.

jbverschoor 10 hours ago

sandbox, the CLI util included with macOS, allows you to configure basically anything.

Then, using docker/orbstack, I’ve created an easy chroot shell on steroids. It mounts the current dir to a container. Great for development or sandboxing.

https://github.com/jrz/container-shell