undefined | Better HN

0 pointsznpy2y ago0 comments

So essentially a chroot with a bit of make-up and a lot of marketing?

Except for bind mounts (not even overlayfs...) there isn't much interesting.

> - Host-network mode only

Yeah expect a lot of things to break in subtle ways... most containers are developed kinda expecting you have your own network namespace (and that no one else is using ports)

0 comments

slonopotamus2y ago

Original author here.

> So essentially a chroot with a bit of make-up

Well.

1. It is not trivial to properly set up a chroot on macOS. If you try to find a working guide/tool that works with modern macOS, I doubt you'll find anything (at least, I failed, even though tried very hard) 2. I believe that ability to package stuff into a Docker image distributable via already existing infrastructure and compatible with already existing tools maybe "a bit of make-up", but it is an important makeup. 3. Kubernetes recently got HostProcesses for Windows: https://kubernetes.io/blog/2022/12/13/windows-host-process-c.... They are even less isolated from host than chroot and still, people find them useful for certain scenarios.

> and a lot of marketing?

Thanks for "a lot of marketing", that made me chuckle. My own submission got buried yesterday with humble 8 points: https://news.ycombinator.com/item?id=37640688

e12e2y ago

Great effort. I get why you call it container - but sounds more like jail or cheroot would give more appropriate expectations; like "tooling to build and run Darwin containers in a macOS chroot"?

slonopotamus2y ago

I didn't want to use "jail" term because it is mostly unheard of outside of FreeBSD.

Container definition is very stretched nowadays. Look at Windows HostProcesses in Kubernetes [1]. They don't have neither process, network nor device isolation from the host.

I also plan to try macOS sandbox-exec tool, which should offer additional isolation from the host.

[1]: https://kubernetes.io/blog/2022/12/13/windows-host-process-c...

xenadu022y ago

If the parent process of the container here changes its bootstrap port to itself or disinherits it then it could also create an isolated mach namespace, restricting access to mach/XPC services.

lloeki2y ago

overlayfs and bind mounts are orthogonal:

- bind mounting solves the exposition of filesystem within the root pivot.

- overlayfs solves the persistence efficiency issue using a layered union fs.

> most containers are developed

Most Linux (and Windows) containers. Since these are macOS containers there are no containers developed yet so by definition there is nothing to break.

j / k navigate · click thread line to collapse

0 comments

slonopotamus2y ago

Original author here.

> So essentially a chroot with a bit of make-up

Well.

> and a lot of marketing?

Thanks for "a lot of marketing", that made me chuckle. My own submission got buried yesterday with humble 8 points: https://news.ycombinator.com/item?id=37640688

e12e2y ago

Great effort. I get why you call it container - but sounds more like jail or cheroot would give more appropriate expectations; like "tooling to build and run Darwin containers in a macOS chroot"?

slonopotamus2y ago

I didn't want to use "jail" term because it is mostly unheard of outside of FreeBSD.

Container definition is very stretched nowadays. Look at Windows HostProcesses in Kubernetes [1]. They don't have neither process, network nor device isolation from the host.

I also plan to try macOS sandbox-exec tool, which should offer additional isolation from the host.

[1]: https://kubernetes.io/blog/2022/12/13/windows-host-process-c...

xenadu022y ago

If the parent process of the container here changes its bootstrap port to itself or disinherits it then it could also create an isolated mach namespace, restricting access to mach/XPC services.

lloeki2y ago

overlayfs and bind mounts are orthogonal:

- bind mounting solves the exposition of filesystem within the root pivot.

- overlayfs solves the persistence efficiency issue using a layered union fs.

> most containers are developed

Most Linux (and Windows) containers. Since these are macOS containers there are no containers developed yet so by definition there is nothing to break.

j / k navigate · click thread line to collapse