-
> Also not sure if it can be dynamically set by a parent process for a child?
Yes, it can. See sandbox-exec tool. And I actually plan to use it: https://github.com/macOScontainers/rund/issues/15
-
-
This is a failed attempt to upstream part of containerd changes: https://github.com/containerd/containerd/pull/8789
Other part of containerd changes waits for gods-know-what: https://github.com/containerd/containerd/pull/9054
But I haven't given up yet.
-
Nope, that PR was an attempt to upstream my changes: https://github.com/macOScontainers/containerd/commits/macos
Vanilla containerd cannot mount anything on macos.
-
https://github.com/macOScontainers/homebrew-formula
"macOS native containers"
Cool, this sounds interesting.
"Disable System Identity Protection."
Eesh.
-
Perhaps they are talking about Homebrew the package manager [1].
[1] https://brew.sh
-
> i haven't found any issues with it that i could not get over in the past 2+ years of m1.
I'm currently running a Journal of Open Source Software x86 container on aarch64 and it's terribly slow. Takes 12GB of RAM and 3 minutes to build a LaTeX document, see https://github.com/openjournals/inara/issues/30. Any tips?
-
SIP is a feature that protects you from malicious actors with root (admin) access on your device. After they've encrypted your photos and drives and changed your passwords, it prevents them from making your machine unbootable by deleting or altering system binaries. As a side effect of this protection, you give up certain freedoms to customize your system.
https://github.com/koekeishiya/yabai
For instance requires SIP to be disabled.
-
> What's the licensing situation on this?
1. This project didn't take explicit permission from Apple to redistribute binaries
2. There are multiple jurisdictions where you don't need to explicitly have such permission, it is implied by law
3. Usage of this software implies you already have macOS system. I'm not a lawyer, but it looks to be covered by section 3 of macOS EULA.
4. There are existing precedents of redistribution of macOS binaries for multiple years already:
- https://github.com/cirruslabs/macos-image-templates/pkgs/con...
- https://hub.docker.com/r/sickcodes/docker-osx
- https://app.vagrantup.com/jhcook/boxes/macos-sierra
And so on.
-
Docker-OSX
Run macOS VM in a Docker! Run near native OSX-KVM in Docker! X11 Forwarding! CI/CD for OS X Security Research! Docker mac Containers.
-
OrbStack doesn’t require breaking security: https://orbstack.dev/
-
Reminds me: Still waiting for native ARM support on GitHub Actions https://github.com/actions/runner-images/issues/5631
-
moby
Moby Project - a collaborative project for the container ecosystem to assemble container-based systems (by darwin-containers)
-
buildkit
concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit (by darwin-containers)
-
-
Oh, it was easier than I thought: https://semver.org/#spec-item-2
A normal version number MUST take the form X.Y.Z where X, Y, and Z are
-
-
Moby
The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems