
> Does XNU have such namespacing functionality across all its interfaces?

I don't think so, but some Docker features could be implemented using XNU sandboxing AFAIK

> Furthermore, the existing container ecosystem assumes a Linux syscall interface. [1]. Does macOS provide that? I expect not.

This project is about running macOS containers on macOS. It's not about running Linux containers.



> > Does XNU have such namespacing functionality across all its interfaces?

> I don't think so, but some Docker features could be implemented using XNU sandboxing AFAIK

Theoretically, probably, for coarse-grained yes/no things? I don't think it's able to go much further than "you can use the local network and/or internet" and "you can read/write to the filesystem location corresponding to your bundle identifier `com.foo.bar`" but not "hey let me present you with a namespaced view of loopback or process list".

Also not sure if it can be dynamically set by a parent process for a child? Seems like it's very bundle oriented (except maybe for Apple processes) so not very practical.


> Also not sure if it can be dynamically set by a parent process for a child?

Yes, it can. See sandbox-exec tool. And I actually plan to use it: https://github.com/macOScontainers/rund/issues/15


Oh my I totally forgot about sandbox-exec!

I played with it some time ago, can't recall the context but it was about build systems / packaging (maybe nix?), doing the configure/make/make install with reduced privileges.



