The editorial frames Apple's choice as a deliberate inversion of the shared-VM model that Docker Desktop, Colima, and OrbStack all rely on. By giving every container its own sub-second-booting microVM through Virtualization.framework, Apple eliminates noisy-neighbor stalls, leaky bind-mounts, and the localhost-vs-VM confusion that has plagued Mac container workflows for a decade — mirroring the Firecracker architecture AWS uses for Lambda.
The piece emphasizes that Apple's runtime ships with no Docker daemon, no shared linuxkit VM, and no Docker Desktop license — an Apache 2.0 alternative baked into the OS. The Docker-compatible CLI surface (container run, container build, container images) is framed as a deliberate migration ramp, letting developers port muscle memory over in an afternoon while leaving Docker's commercial layer behind.
By surfacing Apple's container-machine documentation to the HN front page and driving it to 440 points, the submitter signaled that the developer community sees this as a significant, daemon-free, license-free alternative worth rallying around. The choice of headline and link points directly at the architectural break from the Docker Desktop status quo.
The editorial calls out that the project requires Apple Silicon (M1 or later) and macOS 15 Sequoia, narrowing the addressable audience to a specific slice of the Mac developer base. Combined with the Virtualization.framework dependency, this ties the runtime tightly to Apple's newest hardware and OS — a constraint that shapes who can actually replace Docker Desktop today.
Apple has quietly published the `container-machine` documentation for its open-source `container` project on GitHub, and the Hacker News front page noticed — 440 points and counting. The headline: every Linux container you run on macOS gets its own lightweight virtual machine, booted from Apple's `Virtualization.framework`, with no Docker daemon, no shared `linuxkit` VM, and no Docker Desktop license.
The architecture is the interesting part. A `container-machine` is a long-running VM that hosts a single container (or a small group of related containers). Each VM boots a minimal Linux kernel plus `vminitd` — Apple's custom init process written specifically for this runtime — and exposes the container's filesystem and network back to the host through Virtio. Images are OCI-compatible and pulled from any standard registry. The CLI surface (`container run`, `container build`, `container images`) is deliberately close to Docker's, so muscle memory ports over in an afternoon.
The project requires Apple Silicon (M1 or later) and macOS 15 Sequoia. It is Apache 2.0 licensed. Builds use BuildKit. Networking is handled per-VM with a virtual NIC bridged through a host-side networking daemon. The whole thing was first teased at WWDC 2024 and has been iterating in public on `github.com/apple/container` ever since.
For a decade, running Linux containers on a Mac meant running a shared Linux VM — `xhyve`, then HyperKit, then the QEMU-based VM that Docker Desktop, Colima, OrbStack, and Rancher Desktop all variants of. Containers inside that VM shared a kernel and a network namespace, which is fine until it isn't: noisy-neighbor CPU stalls, leaky bind-mounts, and the perpetual confusion about whether `localhost` means the host or the VM.
Apple's bet is the opposite: one VM per container, booted in well under a second, isolated at the hypervisor boundary. That's the same architectural choice AWS made with Firecracker for Lambda, and the same one Fly.io made for their micro-VMs. The reason it works now and didn't five years ago is `Virtualization.framework` — Apple's first-party hypervisor API that ships in the OS, has direct access to the secure enclave, and can boot a Linux kernel with effectively zero overhead on M-series silicon. Cold start latency in the docs is described as sub-second for typical images. Memory ballooning lets idle VMs give pages back to the host. Rosetta-on-VM means you can still run x86_64 images, though slower.
The community reaction on the HN thread is unusually warm for a corporate release. The top comments aren't "this is Docker but worse" — they're "finally, the bind-mount performance might not be terrible." That's the real wound Docker Desktop has been bleeding from on macOS: file-sharing via gRPC-FUSE or VirtioFS has always been the bottleneck for anyone doing real development inside containers. Apple's per-container VM model sidesteps the shared filesystem problem entirely — each VM mounts only what it needs, directly, with no cross-VM cache invalidation to coordinate.
There's also the licensing dimension nobody on the technical side wants to talk about. Docker Desktop has been a paid product for companies over 250 employees or $10M revenue since 2021. Procurement at every mid-size shop has spent the last four years either paying, switching to OrbStack, or pretending not to know. Apple just dropped an Apache-2.0 alternative built into the OS hypervisor. The Docker pricing page will look different by next year.
If you're on Apple Silicon and your local dev loop is "edit code, `docker compose up`, hit endpoints," you should at minimum kick the tires. The CLI is close enough to Docker's that a `docker` → `container` alias gets you 80% of the way. Compose support is not yet at parity — that's the gap to watch. If you depend on multi-container `docker-compose.yml` files with custom networks, expect to wait another release or two before this is a drop-in replacement. Single-container workflows, scratch builds, and CI-style "spin up Postgres for a test" patterns work today.
For teams maintaining a fleet of macOS dev machines, this changes the procurement math immediately. You no longer need Docker Desktop seats for engineers whose only requirement is "run a Linux container locally." Colima and OrbStack remain better choices if you need Docker Compose, Kubernetes, or x86 emulation that doesn't pay Rosetta tax. But the cost floor for a working container setup on a Mac just dropped to zero, with first-party support from the OS vendor.
The security story is the under-discussed angle. Hypervisor isolation per container means a compromised container can't escape into a shared kernel that other containers share. For anyone running untrusted code locally — security researchers, anyone evaluating npm packages, anyone running AI-generated Bash — the blast radius shrinks dramatically. This is the same value proposition Kata Containers has been selling on the server side for years; Apple just made it the default for desktop developers.
The interesting question isn't whether `container` kills Docker Desktop on macOS — that outcome is already priced in, it's a matter of months. The interesting question is whether Apple ports `vminitd` and the per-container VM model to Linux servers, where it would compete directly with Firecracker and gVisor. That would be a much bigger story, and there's no public signal it's coming. For now, Apple has done what it usually does: take a category everyone assumed was settled, ship a first-party version, and let the third-party tax disappear quietly.
With the BUILD and WWDC 2026 announcements, it is the Year of Linux Containers Desktop.Which for many folks is good enough for what they are doing, thus the status quo of desktop platforms will hardly change for current form factors.
OrbStack works really well for me. I wonder how it’s compared to this performance wise
Do these containers share a common kernel? Or are they each ran in a separate VM?Edit: It's a VM per container. https://github.com/apple/container/blob/main/docs/technical-...
Is there any reason why macOS doesn't try a WSL1 style approach? I get why that didn't fully work out for windows, but it seems like macOS being another *nix would make a lot of what was hard for windows, easy for mac. It seems like it should be possible to run most linux applications nati
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
To clarify a few comments here: this is not only OCI containers: container machines add support for persistence and filesystem mounting, making container machines a great lightweight Linux environment for developers using macOS. More details here: https://developer.apple.com/videos&#x