4 hours ago · Tech · 0 comments

I have written at length about containers and VMs on this blog: I use them daily to segregate work, contain rogue AI agents, and defend against supply-chain attacks. To build a good developer experience, I package everything with NixOS.

A couple of days ago Apple released v1.0.0 of container, a tool to run Linux containers on macOS. I decided to give it a try and compare it against QEMU (battle-tested, but with a large attack surface).

Under the hood, container consumes standard OCI images and runs them either:

- as an ephemeral container (with container run), where each container gets its own VM;
- as a persistent VM (with container machine create, then ... run).

The VM automatically forwards your SSH socket and mounts your home directory read/write. Unset SSH_AUTH_SOCK and add --home-mount none to prevent both.

NixOS doesn’t use FHS and containers don’t run systemd. So I wrote a small NixOS module that ensures a smooth boot. It loads the Nix database and bundles the TLS roots, provides…
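A small wrapper that applies both mitigations on every launch, added here as an example and not code from this post or from Apple's container project. It assumes the container CLI is on PATH and accepts --home-mount none as the post describes; the --home-mount=DIR spelling it also recognises is an assumption.

```shell
# Added example, not code from the post or from Apple's container project.
# Wraps `container run` so the two defaults the post describes (SSH agent
# forwarding via SSH_AUTH_SOCK, read/write mount of $HOME) are off unless
# the caller asks for a home mount explicitly. Assumes `container` is on
# PATH and accepts `--home-mount none`, as the post states.

# Return 0 if an explicit --home-mount option is already in the arguments.
# (The `--home-mount=DIR` form is assumed, not confirmed by the post.)
has_home_mount() {
  for arg in "$@"; do
    case "$arg" in
      --home-mount|--home-mount=*) return 0 ;;
    esac
  done
  return 1
}

# Print the final command line one argument per line without executing it,
# so the wrapper's effect can be reviewed (or tested) offline.
hardened_run_args() {
  if has_home_mount "$@"; then
    printf '%s\n' container run "$@"
  else
    printf '%s\n' container run --home-mount none "$@"
  fi
}

# Run the container in a subshell where SSH_AUTH_SOCK is unset, so the VM has
# no agent socket to forward; the host shell keeps its own agent untouched.
hardened_run() {
  if [ -n "${SSH_AUTH_SOCK:-}" ]; then
    echo "hardened_run: not forwarding SSH_AUTH_SOCK into the container" >&2
  fi
  if has_home_mount "$@"; then
    ( unset SSH_AUTH_SOCK; exec container run "$@" )
  else
    ( unset SSH_AUTH_SOCK; exec container run --home-mount none "$@" )
  fi
}
```

Call hardened_run IMAGE [CMD...] exactly as you would container run; pass --home-mount DIR yourself only when a container genuinely needs part of the home directory.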
