Conversation
dcantah
approved these changes
Jan 23, 2026
Contributor (Author):
vmnet issue I guess. Checked the tests succeed in the latest macOS version.
jglogan
reviewed
Jan 24, 2026
```swift
@Option(name: .customLong("label"), help: "Set metadata for a network")
var labels: [String] = []

@Flag(name: .customLong("internal"), help: "Restrict external access to the network")
```
Contributor:
Wouldn't this be prohibiting external access by containers on the network?
This reads like things outside the network cannot access containers on the network, but the host is outside the network and it can access it, right?
Let's consider how the "network mode" (NAT or host-only today, but maybe someday we'll have access to "host mode" too) fits in with the changes on #1081.
Contributor (Author):
Updated the help message.
I think not much conflict with #1081?
jglogan
reviewed
Jan 24, 2026
jglogan
reviewed
Jan 24, 2026
Sources/Services/ContainerNetworkService/Server/AllocationOnlyVmnetNetwork.swift
jglogan
approved these changes
Jan 27, 2026
saehejkang
pushed a commit
to saehejkang/container
that referenced
this pull request
Jan 27, 2026
- Closes apple#1037.
- Adds a `--mode` flag that has `nat` and `hostOnly` options. The host-only option selects the vmnet host-only mode, where containers attached to the network can reach each other and the host, but not external systems.
Mcrich23
added a commit
to Mcrich23/container
that referenced
this pull request
Feb 4, 2026
commit a65c6f4 Merge: 9d32bc5 ce1b629 Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com> Date: Tue Feb 3 20:08:38 2026 -0800
Merge branch 'apple:main' into main

commit ce1b629 Author: Manoj Mahapatra <mahaplipsa@gmail.com> Date: Tue Feb 3 13:43:07 2026 -0800
[Docs] Fix typo in BUILDING.md: launchd -> launchctl (apple#1146)
## Type of Change
- [ ] Bug fix
- [ ] New feature
- [ ] Breaking change
- [x] Documentation update
## Motivation and Context
The debug instructions in `BUILDING.md` incorrectly reference launchd list instead of `launchctl` list. `launchd` is the daemon itself and cannot be invoked directly.
## Testing
- [ ] Tested locally
- [ ] Added/updated tests
- [x] Added/updated docs

commit 3e49dce Author: Danny Canter <danny_canter@apple.com> Date: Tue Feb 3 00:45:01 2026 -0800
Add in missing rlimits (apple#1140)
Containerization didn't have these defined until a recent tag.

commit c4c2e85 Author: J Logan <john_logan@apple.com> Date: Tue Feb 3 00:27:09 2026 -0800
Upgrade kernel to Kata 3.26.0. (apple#1134)
- Upgrade to containerization 0.24.5 to pick up zstd decompression enhancement.
- Closes apple#767.
- Closes apple#988.
- Closes apple#1132.
- Requires apple/containerization#508.

commit 5c86337 Author: William Laverty <developer@william-laverty.com> Date: Mon Feb 2 13:57:59 2026 -0800
Add explanatory message before admin password prompt in uninstall script (apple#1118)
- Added message: "This script requires an administrator password to remove the application files from system directories."
- Fixes apple#1111

commit 7da25e1 Author: Danny Canter <danny_canter@apple.com> Date: Mon Feb 2 13:35:02 2026 -0800
Deps: Bump Containerization to 0.24.0 (apple#1127)
Brings in some rlimit bumps/adjustments

commit 7dfe27d Author: Danny Canter <danny_canter@apple.com> Date: Mon Feb 2 13:30:19 2026 -0800
CLI: Add support for rlimits (apple#1129)
Closes apple#1097.

commit b3b5c3e Author: J Logan <john_logan@apple.com> Date: Mon Feb 2 12:24:27 2026 -0800
Use labels instead of id to discriminate the builtin network. (apple#1123)
- Closes apple#1122.
- Adds placeholder ManagedResource and unit tests. Nothing is using these yet.
- Adds system-defined resource labels for owning plugin and resource role. The system discriminates the builtin network using role "builtin".
- Adds builtin role when creating builtin network at startup, and ensures that a preexisting network with ID "default" gets updated with the role label.
- Replace all network ID checks for "default" with the builtin role check.
- Adds "builder" role to builder VM.
## Type of Change
- [ ] Bug fix
- [x] New feature
- [ ] Breaking change
- [ ] Documentation update
## Motivation and Context
Role and owner labels should make cross-cutting resource policy easier to implement.
## Testing
- [x] Tested locally
- [x] Added/updated tests
- [ ] Added/updated docs

commit 1dae1cd Author: w-ferg <43309695+w-ferg@users.noreply.github.com> Date: Sun Feb 1 18:14:41 2026 -0500
Fix pfctl executable path in PacketFilter DNS reload (apple#1128)
## Summary
The `reload()` method in `PacketFilter.swift` references `/sbin/reloadProcess` (the local variable name) instead of `/sbin/pfctl`.
This causes all DNS create and delete operations to fail:
```
Error: internalError: "pfctl reload exec failed: "Error Domain=NSCocoaErrorDomain Code=4 "The file "reloadProcess" doesn't exist.""
```
## Fix
One-line change: `/sbin/reloadProcess` → `/sbin/pfctl`
## Testing
Verified on macOS 26 (Tahoe) with Apple Silicon:
- `sudo container system dns create test.sdc.internal --localhost 203.0.113.1` succeeds without error
- Container can resolve and reach host services through the DNS redirect

commit 113a6ec Author: Ronit Sabhaya <ronitsabhaya75@gmail.com> Date: Fri Jan 30 21:54:57 2026 -0600
Fix file descriptor leak in DirectoryWatcher (apple#1104)
- `DirectoryWatcher` opens file descriptors for monitoring directories but never closes them, causing a file descriptor leak.
- Adds `setCancelHandler` to properly close file descriptors when the `DispatchSource` is cancelled.
Signed-off-by: Ronit Sabhaya <ronitsabhaya75@gmail.com>

commit 72f04b6 Author: Saehej Kang <saehej.kang@gmail.com> Date: Fri Jan 30 19:10:03 2026 -0800
[docs]: update steps on building with containerization project (apple#1116)
- Closes apple#1095
- Just added a few more details about how to build with the local `containerization` dependency.

commit 3a0ad58 Author: Raj <rajaryan_singh@apple.com> Date: Fri Jan 30 16:17:43 2026 -0800
Add resource.role label to builder container (apple#1120)

commit 1c01d0c Author: J Logan <john_logan@apple.com> Date: Fri Jan 30 11:07:49 2026 -0800
Update to kata 3.20.0 kernel. (apple#1114)
- Closes apple#1113.
- This is the newest we can do until we address apple#767.
- Slight change to PacketFilter error handling so unit tests work more reliably.
- Try making CLINetworkTests serialized to see if parallel execution is causing flakes.

commit 3f2060e Author: Danny Canter <danny_canter@apple.com> Date: Thu Jan 29 18:25:48 2026 -0800
DirectoryWatcher: Small adjustments (apple#1112)
- Have the handler throw
- Log the failure at error level

commit 0a7fb07 Author: Danny Canter <danny_canter@apple.com> Date: Thu Jan 29 14:21:12 2026 -0800
Set mtu to old Containerization default (apple#1110)
The old mtu default in containerization was 1280 to account for some alpine/musl images that have issues with 1500. This changed in the last couple tags to be modifiable, but the new default is the standard 1500. Ideally we eventually allow supplying the mtu to be used when you create a network (or possibly a container creation setting), but for now just default in here back to what CZ used to use.

commit 0bceb23 Author: Aditya Ramani <a_ramani@apple.com> Date: Thu Jan 29 12:08:42 2026 +0900
Bump to use containerization 0.23.2 (apple#1106)
Updating the package dependency on apple/containerization to pick up bug fixes
Signed-off-by: Aditya Ramani <a_ramani@apple.com>
Co-authored-by: J Logan <john_logan@apple.com>

commit d762fe5 Author: jwhur <57657645+JaewonHur@users.noreply.github.com> Date: Wed Jan 28 18:22:33 2026 -0800
Launch a service with waitForDebugger if specified (apple#1101)
This PR enables launching a service with `waitForDebugger` flag if the service label matches a given env variable `CONTAINER_DEBUG`.

commit 4f93e3e Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed Jan 28 18:21:08 2026 -0800
ci: bump actions/checkout from 6.0.1 to 6.0.2 in the github-actions group (apple#1100)
- Updates `actions/checkout` from 6.0.1 to 6.0.2
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

commit 371db6d Author: jwhur <57657645+JaewonHur@users.noreply.github.com> Date: Wed Jan 28 17:17:08 2026 -0800
Fix testExecOnExitingContainer (apple#1107)
Check the container remains only, not its status as the status might not have been updated at the time checking.

commit d872270 Author: J Logan <john_logan@apple.com> Date: Wed Jan 28 09:04:58 2026 -0800
Removes ArgumentParser import from NetworkMode. (apple#1102)
- ContainerResources shouldn't need to know anything about CLI stuff.
- Move ExpressibleByArgument protocol conformance to an extension in the package where it's needed.

commit 3abf81f Author: Saehej Kang <saehej.kang@gmail.com> Date: Tue Jan 27 20:00:43 2026 -0800
[image-list]: Add full size field to json output (apple#1098)
- Refer to apple#862
- Updated `SIZE` field to `FULL SIZE`, as it seemed more appropriate so it does not get mixed up with the `descriptor size` field
- Closes apple#860

commit 24cbed5 Author: ChengHao Yang <17496418+tico88612@users.noreply.github.com> Date: Wed Jan 28 06:55:49 2026 +0800
Implement container prune (apple#904)
- Fixed apple#892.
- By contrast with `rm`, `prune` should display the amount of reclaimed storage, so added code to retrieve it.
Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

commit a57527e Author: jwhur <57657645+JaewonHur@users.noreply.github.com> Date: Tue Jan 27 11:15:22 2026 -0800
Refactor container lifecycle functions to perform scoped rollback on failure (apple#1080)
- Closes apple#977.
- Closes apple#1058.
- Prevents unexpected removal of containers on bootstrapping and starting failures, by reorganizing error handling for container `run`, `start`, and `exec` so that error handling only unwinds that which was done in the current scope.
- Relies on apple/containerization#495.

commit 6244129 Author: c <claudeaceae@icloud.com> Date: Mon Jan 26 23:30:45 2026 -0500
Fix grammar in BUILDING.md (apple#984)
- Fixes a grammar error in the local Containerization development instructions.

commit 9d4cded Author: jwhur <57657645+JaewonHur@users.noreply.github.com> Date: Mon Jan 26 19:35:41 2026 -0800
Isolated network (apple#1079)
- Closes apple#1037.
- Adds a `--mode` flag that has `nat` and `hostOnly` options. The host-only option selects the vmnet host-only mode, where containers attached to the network can reach each other and the host, but not external systems.

commit 033c999 Author: J Logan <john_logan@apple.com> Date: Mon Jan 26 14:07:00 2026 -0800
Make TerminalProgress a library. (apple#1093)
- Closes apple#1092.
- Allows 3rd party CLI plugins to use the progress indicator.

commit b371aee Author: ChengHao Yang <17496418+tico88612@users.noreply.github.com> Date: Tue Jan 27 05:07:05 2026 +0800
Feat: container image delete force option (apple#1096)
- Fixed apple#1087
Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

commit ed1185d Author: jwhur <57657645+JaewonHur@users.noreply.github.com> Date: Fri Jan 23 17:59:28 2026 -0800
Container-to-host networking. (apple#1078)
- Closes apple#346.
- This PR enables connecting host's localhost ports from containers.
- It adds an option `--localhost <localhost>` to DNS create command, after which the packets heading ip address in container are redirected to localhost in host machine. Packet filter rule is added and deleted along with the creation and deletion of localhost domain.

commit 14c279f Author: Patrick Linnane <patrick@linnane.io> Date: Fri Jan 23 17:56:35 2026 -0800
Add option to stop services in all launchd domains (apple#1077)
- Services started from Terminal run in the `gui/$uid` launchd domain. When `ensure-container-stopped.sh` runs from a different context, `launchctl managername` may return a different domain, causing the script to check the wrong domain and miss running services. I noticed this after upgrading `container` via Homebrew.
- Introduces a getopt option `-a` that allows booting out all domains explicitly. Also adds `-h` for a usage message.
Signed-off-by: Patrick Linnane <patrick@linnane.io>

commit 751c1fc Author: Stanislav Antonichev <cympak2@users.noreply.github.com> Date: Fri Jan 23 23:01:26 2026 +0200
Add --dns support to build command for custom DNS resolution (apple#1067)
This change adds --dns parameter support to the build command, matching the existing functionality in the run command. This allows users to specify custom DNS nameservers (like Google DNS 8.8.8.8) when building container images, which is essential when the host machine uses a local DNS resolver (e.g., 127.0.0.2) that doesn't work inside containers.
Changes:
- Added --dns option to BuildCommand to accept DNS nameserver IP addresses
- Modified build logic to detect DNS configuration changes and recreate the builder container when DNS settings differ
- Passed DNS configuration to BuilderStart.start() method
- Updated builder container creation to use specified DNS nameservers or fall back to network gateway
## Type of Change
- [ ] Bug fix
- [X] New feature
- [ ] Breaking change
- [ ] Documentation update
## Motivation and Context
This change adds --dns parameter support to the build command, matching the existing functionality in the run command. This allows users to specify custom DNS nameservers (like Google DNS 8.8.8.8) when building container images, which is essential when the host machine uses a local DNS resolver (e.g., 127.0.0.2) that doesn't work inside containers.
## Testing
- [X] Tested locally
- [ ] Added/updated tests
- [ ] Added/updated docs
Co-authored-by: J Logan <sgtbakerrahulnet@yahoo.com>

commit 55f2112 Author: J Logan <john_logan@apple.com> Date: Fri Jan 23 11:35:10 2026 -0800
Place image store data correctly for app-root path. (apple#1085)
- Closes apple#1084.

commit 5746ec3 Author: ChengHao Yang <17496418+tico88612@users.noreply.github.com> Date: Sat Jan 24 03:32:59 2026 +0800
Fix: prevent delete default network (apple#1083)
- Fixed apple#1073
- Move the conditional check to the front; there's no need to check for a default network after filtering.
Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

commit 9d32bc5 Merge: a2b4486 69445b9 Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com> Date: Mon Jan 19 19:20:12 2026 -0800
Merge branch 'apple:main' into main

commit a2b4486 Merge: 27a94a0 bfc5ca9 Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com> Date: Fri Oct 3 23:03:02 2025 -0700
Merge branch 'apple:main' into main

commit 27a94a0 Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com> Date: Thu Sep 18 17:07:12 2025 -0700
chore(fmt): auto-format before push

commit 4a4d0a9 Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com> Date: Thu Sep 18 17:07:06 2025 -0700
Update PropertySet.swift

commit 665d813 Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com> Date: Thu Sep 18 17:02:09 2025 -0700
Update PropertySet.swift

commit 01a474e Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com> Date: Thu Sep 18 16:57:41 2025 -0700
chore(fmt): auto-format before push

commit e7c68b5 Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com> Date: Thu Sep 18 16:57:01 2025 -0700
Update SystemProperty.swift
This gives a `--internal` flag when creating a network, which will be used only for a host-internal network. Containers under the same subnet can connect to each other (and the host), but not to the external network (#1037).