OS-level virtualization (containers) for OS X

I wonder why, apart from good old chroot, no implementation of operating system-level virtualization (or containers if you prefer) exists for Mac OS X.

Could it be due to kernel limitations or license restrictions? Or simply no one has yet launched a similar project?


A key element required for containerization is isolation of networking and other services, but not just isolation but also virtualization. FreeBSD Jails, Linux "containers" (or more correctly "namespaces"), and Solaris/illumos zones all offer some degree of "virtualization" of these operating system services.

By virtualization, this means that these services are available (or potentially available) to things inside the "container", but in a way that protects the other things on the same host outside the container. (For example, a container may have its own TCP/IP stack, with its own IP address, ARP cache, etc.)

OS (operating system) virtualization is how we generally refer to this type of "light-weight" virtualization, where processes think they see a virtual kernel, but are all sharing the same real kernel under the hood; that kernel acts as a sort of hypervisor in ensuring that container/virtualization boundaries are not crossed. (Put another way, the OS services are virtualized.) Compare this to hardware virtualization, where what is virtualized is the hardware -- e.g. devices are emulated in software and presented to an operating system running in the container. This is very powerful, but quite resource intensive -- each virtual machine must have its own copy of the operating system.

Recent macOS has native hypervisor support via Hypervisor.framework, which allows software like "XHyve" [a port of FreeBSD's BHyve] (docker on macOS uses this), but lacks the necessary services under the hood to fully virtualize operating system services.

In truth, a lot of what is needed is probably already present, since the work to provide sandboxes means that there are already logical points where system calls are intercepted and handled differently for different applications. However, that's far from the complete story -- implementing true separate network, IPC, and other namespaces is quite a lot of work.

The best reason for why Apple has not done this is likely the same reason that Apple has not released a platform suitable for running macOS in the data center for many years -- lack of market demand, or perceived lack of market demand by Apple leadership. The desktop and mobile platforms on which they have focused their attention simply don't need virtual macOS instances that much. (This is sad, because I would love to have virtual macOS support -- for example, running macOS on VMs at Travis CI is really time consuming compared to Linux containers).
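A quick host probe for the primitives this answer names (Linux namespaces, FreeBSD jails, and on macOS the sandbox plus Hypervisor.framework), added here as an example and not part of the answer above. It assumes the `/proc/<pid>/ns` link format `type:[inode]`, the `security.jail.jailed` sysctl, and the macOS paths shown; none of it needs root. On Linux it also reports in which namespace types the current process already differs from PID 1, which is the cheapest way to tell whether you are inside a container rather than just a chroot.

```python
"""Probe which OS-level isolation primitives the running host exposes.

Added example, not code from the original answer. Assumptions: the
/proc/<pid>/ns link format 'type:[inode]' (man 7 namespaces), the FreeBSD
sysctl security.jail.jailed, and the macOS paths listed in macos_primitives().
"""
import os
import platform
import re
import subprocess

# Namespace types a modern Linux kernel exposes under /proc/<pid>/ns.
LINUX_NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")
_NS_LINK = re.compile(r"^(?P<type>[a-z_]+):\[(?P<inode>\d+)\]$")


def parse_ns_link(link):
    """'net:[4026531992]' -> ('net', 4026531992); raise on anything else."""
    m = _NS_LINK.match(link)
    if not m:
        raise ValueError("not a namespace link: %r" % (link,))
    return m.group("type"), int(m.group("inode"))


def linux_namespaces(pid="self", proc="/proc"):
    """Map namespace type -> inode for a process; unreadable types are skipped.

    Two processes with the same inode for a type share that namespace, i.e.
    the kernel presents them the same view (same TCP/IP stack for 'net').
    """
    result = {}
    for ns in LINUX_NS_TYPES:
        try:
            _, inode = parse_ns_link(os.readlink(os.path.join(proc, pid, "ns", ns)))
        except (OSError, ValueError):
            continue
        result[ns] = inode
    return result


def isolated_from(ns_a, ns_b):
    """Namespace types present in both maps whose inodes differ, sorted."""
    return sorted(t for t in ns_a if t in ns_b and ns_a[t] != ns_b[t])


def macos_primitives():
    """macOS has no namespaces, but it ships the sandbox and a hypervisor API."""
    return {
        "sandbox-exec": os.path.exists("/usr/bin/sandbox-exec"),
        "Hypervisor.framework": os.path.isdir(
            "/System/Library/Frameworks/Hypervisor.framework"),
    }


def freebsd_jailed():
    """True inside a jail, False on the host, None if sysctl is unavailable."""
    try:
        out = subprocess.run(["sysctl", "-n", "security.jail.jailed"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip() == "1"


def probe():
    """Summarise the isolation model of the host this runs on."""
    system = platform.system()
    if system == "Linux":
        own = linux_namespaces("self")
        init = linux_namespaces("1")  # may be empty if /proc/1 is unreadable
        return {"model": "namespaces", "namespaces": sorted(own),
                "differs_from_pid1": isolated_from(own, init)}
    if system == "Darwin":
        return dict(model="sandbox", **macos_primitives())
    if system == "FreeBSD":
        return {"model": "jails", "jailed": freebsd_jailed()}
    return {"model": "unknown"}


if __name__ == "__main__":
    print(probe())
```

A non-empty `differs_from_pid1` list on Linux means the kernel is already giving this process a virtualized view of those resources; a plain chroot changes none of these inodes, which is exactly the gap between chroot and the namespace-based containers the answer describes.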


You'd be surprised - Containers actually are supported - the OS X (and iOS) Sandbox has evolved to use them. They were introduced in 10.7, and are now de facto standard in 10.10 and iOS 8. In the latter they are more strictly enforced (primarily for reasons of application security), to the point where an app can only see itself, and previous methods of enumerating processes or resources now return container-based results - similar to Linux ipc namespace - but more powerful.


While it's using "good old chroot(8)", I started a project that tends to mimic docker's behavior on OS X and NetBSD. It's Free-as-in-speech and is available on GitHub. As the README says, this project is neither about security nor production, but will help with testing full stacks natively on your workstation.