by highwaylights 656 days ago
What’s the security model for OrbStack and its containers?

Is OrbStack rootless? Where is the security boundary for the containers? (Are they sandboxed completely from the host?)

How does the virtualisation work? (I’d assume Virtualization.framework, so I can run it without Rosetta if all containers will share host architecture?)

Does it support Docker-in-Docker and Docker-out-of-Docker? (M1 and M2 Macs don't have hardware for nested virtualisation so I assume this also prevents DiD with OrbStack?)

Thanks in advance, eager to try it out.

2 comments

It's a shared VM and kernel, so the security boundary between containers is only as strong as typical Linux containers, and we don't really use the VM as a strong security boundary right now. The security model is similar to running Docker containers on a native Linux machine for development.

Admin privileges aren't required on the macOS side. You can optionally allow a privileged helper for some small niceties, but the VM process never runs as root.

The virtualization stack is custom, which allows for a lot of performance and stability improvements. It's not Virtualization.framework or QEMU.

Containers don't require virtualization, so Docker-in-Docker works. Not sure what you mean by Docker-out-of-Docker, but you can run Docker in OrbStack Linux machines, and you can use the managed engine from macOS.

Is there an example somewhere of how to do Docker-in-Docker with OrbStack? I have given this a try but there does not seem to be a docker.sock (or equivalent) to mount, so no way to spawn containers at the "host level" from inside a container. Maybe my mental model of OrbStack is wrong here and there is no need for a mounted socket at all?

I'm not completely sure about the use case of Docker-out-of-Docker (maybe CI, probably), but I guess a sibling container (a CI agent, maybe) has access to docker.sock and controls other sibling containers, which I guess (haven't tried yet) is possible with the current implementation of OrbStack.

Currently using OrbStack with a devcontainer project, and in that devcontainer I'm bringing up some other nested containers via `testcontainers` via Go, so it's completely possible and is running sweetly.
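The Docker-out-of-Docker pattern discussed above (a CI agent or devcontainer with the engine socket mounted, driving sibling containers) means that particular container is no longer inside the boundary the first reply describes: whoever can talk to the engine can start a privileged sibling with the host root mounted, in OrbStack's VM just as on a native Linux box. The audit below is an added example written for this thread, not code from OrbStack or from any commenter. It parses `docker inspect` output and flags containers that bind-mount the engine socket, run privileged, or share the host PID namespace. The inspect JSON here is constructed inline so the script runs offline; the container names and mounts are hypothetical. In practice, feed it `docker inspect $(docker ps -q)` from the host or from inside an OrbStack Linux machine.

```python
"""Audit `docker inspect` output for containers that can control the engine.

Added example for the thread above; not OrbStack's code. Sample input is
constructed, not captured from a real system.
"""
import json

# Socket paths an engine-control container typically bind-mounts.
DOCKER_SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def engine_control_findings(inspect_json: str) -> list[dict]:
    """Return containers that can drive the engine that created them.

    Each finding is {"name": ..., "reasons": [...]}. Anything listed can start
    a privileged sibling with the host filesystem mounted, so the per-container
    boundary discussed in the thread does not hold for it.
    """
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        reasons = []

        for mount in container.get("Mounts", []):
            src = mount.get("Source", "").rstrip("/")
            if mount.get("Type") == "bind" and src in DOCKER_SOCKET_PATHS:
                # A read-only bind mount does not block connect() on a Unix
                # socket, so ":ro" on docker.sock is not a mitigation.
                ro = "" if mount.get("RW", True) else " (read-only, still usable)"
                reasons.append(f"bind-mounts {src}{ro}")

        host_cfg = container.get("HostConfig", {})
        if host_cfg.get("Privileged"):
            # --privileged is what Docker-in-Docker images need; it also grants
            # every capability and access to all host devices.
            reasons.append("privileged")
        if host_cfg.get("PidMode") == "host":
            reasons.append("pid=host")

        for env in container.get("Config", {}).get("Env") or []:
            if env.startswith("DOCKER_HOST="):
                # A client pointed at some engine over TCP: not host access by
                # itself, but worth reviewing alongside the hard findings.
                reasons.append(env)

        if reasons:
            findings.append({"name": name, "reasons": reasons})
    return findings


# Constructed `docker inspect` output (hypothetical containers).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/ci-agent",
     "Config": {"Env": ["PATH=/usr/bin"]},
     "HostConfig": {"Privileged": False, "PidMode": ""},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": False}]},
    {"Name": "/dind",
     "Config": {"Env": ["DOCKER_TLS_CERTDIR=/certs"]},
     "HostConfig": {"Privileged": True, "PidMode": ""},
     "Mounts": [{"Type": "volume", "Source": "dind-data",
                 "Destination": "/var/lib/docker", "RW": True}]},
    {"Name": "/web",
     "Config": {"Env": ["DOCKER_HOST=tcp://dind:2376"]},
     "HostConfig": {"Privileged": False, "PidMode": ""},
     "Mounts": []},
    {"Name": "/app",
     "Config": {"Env": ["PATH=/usr/bin"]},
     "HostConfig": {"Privileged": False, "PidMode": ""},
     "Mounts": [{"Type": "bind", "Source": "/home/dev/src",
                 "Destination": "/src", "RW": True}]},
])


if __name__ == "__main__":
    for finding in engine_control_findings(SAMPLE_INSPECT):
        print(f"{finding['name']}: {', '.join(finding['reasons'])}")
```

The check is deliberately conservative about the socket: a read-only mount is flagged the same as a read-write one, because the engine API is reached through connect(), not through writing the socket file. The `DOCKER_HOST` entry is reported separately so a reviewer can tell a client of a nested engine (as with testcontainers talking to a sidecar) from a container holding the host engine's socket.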