Add Macro for Passing Down OptionGroups #717
Closes #633
@jglogan Any thoughts towards the status of this PR? I know you all have a lot going on, but this has been open for more than a month and is currently the hold on me writing documentation about plugins. It doesn't have to be merged, but I would love insight into this idea.
commit 69445b9
Author: jwhur <57657645+JaewonHur@users.noreply.github.com>
Date: Mon Jan 19 13:09:34 2026 -0800

Throw error when starting a container with invalid virtiofs source (apple#1051)

Run = Create + Start

1) Mount source points to a valid directory
   - Run and Create + Start both correctly create the container with mount.
2) Mount source points to a file
   - Run fails bootstrapping the container, thus container not created.
   - Create creates the container, but Start fails bootstrapping, removing the container. (Thus, both are the same.)
3) Mount source deleted or replaced to file after container created
   - Start throw errors but do not delete the container.

commit 08f48d9
Author: Danny Canter <danny_canter@apple.com>
Date: Fri Jan 16 21:48:58 2026 -0800

ContainerSvc: Handle unexpected sandbox svc exits (apple#1065)

Closes apple#1050

If the sandbox svc exits out of band of the usual stop (or regular exit) case the container svc's state is not properly updated for the container. This was due to the cleanup steps involving trying to send the shutdown rpc which cannot succeed as the sandbox svc does not exist to service it. To handle this, let's treat shutdown not returning successfully as non-fatal (as this is mostly best effort), log an error and continue the state cleanup.

commit b928e3f
Author: Amir Alperin <me@remotecpp.dev>
Date: Sat Jan 17 07:43:48 2026 +0200

fix: performance warning should not output ANSI codes if stderr redirected (apple#1059)

commit 744e7f7
Author: J Logan <john_logan@apple.com>
Date: Fri Jan 16 16:26:13 2026 -0800

Update for containerization 0.21.0. (apple#1056)

- Update image load and build to handle rejected paths during tar extraction. For the image load command there is now a `--force` function that fails extractions with rejected paths when false, and just warns about the rejected paths when true.
- Update `container stats` for statistics API properties now all being optional.

## Type of Change
- [x] Bug fix
- [ ] New feature
- [ ] Breaking change
- [x] Documentation update

## Motivation and Context
See above

## Testing
- [x] Tested locally
- [x] Added/updated tests
- [x] Added/updated docs

commit b1577d8
Author: J Logan <john_logan@apple.com>
Date: Fri Jan 16 15:50:47 2026 -0800

Adds opt-in pre-commit hook for format and header checks. (apple#1062)

- Closes apple#639.
- Adds swift format configuration that removes lint checks so we can use `swift lint` to perform format-only tests.
- Adds `check` target that invokes format and header checks.
- Adds pre-commit script that runs `make check`.
- Adds `pre-commit` target that installs the check script as a pre-commit hook.

## Type of Change
- [ ] Bug fix
- [x] New feature
- [ ] Breaking change
- [x] Documentation update

## Motivation and Context
Avoids wasting time and commit rewrites.

## Testing
- [x] Tested locally
- [ ] Added/updated tests
- [x] Added/updated docs

commit 3cf2c6a
Author: J Logan <john_logan@apple.com>
Date: Fri Jan 16 13:41:32 2026 -0800

Fix unstable integration tests. (apple#1060)

- TestCLIRunCommand now run so many tests concurrently that the API server gets swamped and tests randomly time out.
- The parallelism options on `swift test` only work for XCTest, not swift-testing.
- Work around this while retaining some parallelism (good for stress testing) by breaking the tests into two suites.

commit 8897fcc
Author: Manu Schiller <56154253+manuschillerdev@users.noreply.github.com>
Date: Wed Jan 14 04:39:08 2026 +0100

fix: use pax instead of tar for pkg payload extraction (apple#1038)

- It is common to have `gnu-tar` alongside other GNU tools installed and aliased for compatibility reasons. However, this breaks the current make build.
- Use BSD-only binaries (no GNU equivalents that are commonly aliased), making the Makefile more portable.
commit dbec1db
Author: Ronit Sabhaya <ronitsabhaya75@gmail.com>
Date: Mon Jan 12 20:34:25 2026 -0600

Add support for aarch64 architecture alias (apple#1040)

- Adds `aarch64` as an alias for `arm64` in the `Arch` enum. This addresses the maintainer's request to support this common architecture name, ensuring consistency with `x86_64` normalization and preventing failures for users expecting `aarch64` support.

commit 837aa5e
Author: jwhur <57657645+JaewonHur@users.noreply.github.com>
Date: Mon Jan 12 14:36:10 2026 -0800

Fix the FS error when using Virtualization (apple#1041)

- Fixes apple#614.
- Use VZ cached mode instead of auto.

Signed-off-by: jwhur <jaewon_hur@apple.com>

commit e465b10
Author: 박성근 <117553364+ParkSeongGeun@users.noreply.github.com>
Date: Tue Jan 13 03:30:51 2026 +0900

Fix relative path resolution in entrypoint (apple#987)

- Fixes apple#962.
- Adds test to exercise apple/containerization#473.
- Updates containerization to 0.20.1.

Signed-off-by: ParkSeongGeun <phd0801@naver.com>

commit aa77928
Author: Ronit Sabhaya <ronitsabhaya75@gmail.com>
Date: Mon Jan 12 12:04:46 2026 -0600

Fix: Support x86_64 architecture alias to prevent silent pull failure… (apple#1036)

- Adds architecture name normalization to accept `x86_64` and `x86-64` as aliases for `amd64`.

commit dc4682b
Author: Amir Alperin <me@remotecpp.dev>
Date: Fri Jan 9 21:10:53 2026 +0200

fix: extract hostname from FQDN (apple#1011) (apple#1017)

- Set the container hostname to the first DNS label derived from the container id, strip everything after the first dot.
- Fixes apple#1011.

commit 4af1cc0
Author: Ronit Sabhaya <ronitsabhaya75@gmail.com>
Date: Thu Jan 8 21:27:43 2026 -0600

fix: improve error message when binding to privileged ports (fixes apple#978) (apple#1031)

- The container fails to start with a generic "permission denied" error when attempting to publish privileged ports (ports below 1024) without root privileges. This provides a confusing user experience as the error doesn't explain why permission was denied.

commit 21facf0
Author: J Logan <john_logan@apple.com>
Date: Thu Jan 8 17:02:22 2026 -0800

Add instructions for using locally built init filesystem. (apple#1032)

- Closes apple#1030.

commit b671690
Author: Danny Canter <danny_canter@apple.com>
Date: Wed Jan 7 21:01:10 2026 -0800

ProgressBar: Various fixes (apple#1025)

There's a couple things I don't think are intuitive about this.

1. Because of the internal task, render() can still be called even after finish() completes. Ideally async defers are supported and we could just await the final render completing after cancelling the task and setting .finished, but alas. To fix this we can just lock across the methods for now.
2. We always clear the screen in the destructor, even if we don't use the progress bar. I don't think we should honestly do anything in the destructor. Feels a programmer error not to defer { bar.finish() } or call it somewhere.
3. Our spaces based line clearing. Use the ansi escape sequence for clearing line; I think our calculations were slightly off and it would leave trailing output ( "s]" ) in some cases.
4. Shrinking the window until the output is smaller than the terminal window (and vice versa) is wonky on various term emulators. Truthfully, this is just a hard problem, but we can truncate our output and still provide some useful info.

This fixes some single line output (cat /etc/hostname etc.) getting cleared in our atexit handler, as well as the need for the usleep.

commit 98410fd
Author: J Logan <john_logan@apple.com>
Date: Wed Jan 7 18:23:31 2026 -0800

Adds IPv6 port forwarding. (apple#1029)

- Closes apple#1006.

commit 9d06475
Author: Saehej Kang <saehej.kang@gmail.com>
Date: Wed Jan 7 16:53:33 2026 -0800

[container]: add startedDate field (apple#1018)

- Closes apple#302.
- Closes apple#336 (obsoletes this PR).
commit db8932a
Author: J Logan <john_logan@apple.com>
Date: Wed Jan 7 15:35:35 2026 -0800

Resolve IPv6 address queries for container names. (apple#1016)

- Closes apple#1005.
- Adapt everything to use MACAddress type from containerization 0.20.0.
- Allocate MAC addresses for every container so that we have deterministic IPv6 link local addresses.
- Add AAAA handling to ContainerDNSHandler.
- NOTE: Only works on Tahoe. On Sequoia, we don't have a good way to set or determine the IPv6 network prefix when networks are created, so we can't infer the IPv6 link local addresses for AAAA responses and we instead return `NODATA`.

commit 5d6c750
Author: Danny Canter <danny_canter@apple.com>
Date: Wed Jan 7 14:48:58 2026 -0800

CLI: Add read-only flag to run/create (apple#999)

Closes apple#990

Sets the rootfs for a container to read-only.

commit aac2457
Author: Danny Canter <danny_canter@apple.com>
Date: Wed Jan 7 13:46:26 2026 -0800

Tests: Fix relative path mount tests (apple#1028)

The tests are run in parallel on CI, and were split into three tests. They change the cwd, so it's kind of a gamble whether some of them pass. This just moves all the logic into one test mostly.

commit 9cd5397
Author: J Logan <john_logan@apple.com>
Date: Wed Jan 7 10:35:19 2026 -0800

Update to containerization 0.20.0. (apple#1027)

- Use MACAddress for Attachment and CZ interfaces.
- Move data validation closer to API surface.

commit 356c8d2
Author: J Logan <john_logan@apple.com>
Date: Tue Jan 6 08:27:14 2026 -0800

Reorganize client libraries. (apple#1020)

- Closes apple#461.
- Extract core types into ContainerResources target.
- Extract ContainerNetworkServiceClient from ContainerNetworkService.
- Relocate sandbox client from ContainerClient to ContainerSandboxServiceClient.
- Relocate ContainerClient to ContainerAPIServiceClient.
- Common structure from services and clients under Source/Services.

Updated project hierarchy:

```
Sources/CAuditToken - audit token access wrapper
Sources/CLI - CLI executable
Sources/ContainerBuild - builder
Sources/ContainerCommands - CLI command implementations
Sources/ContainerLog - logging helpers
Sources/ContainerPersistence - persistent data and system property helpers
Sources/ContainerPlugin - plugin system
Sources/ContainerResource - resource (container, image, volume, network) types
Sources/ContainerVersion - version helpers
Sources/ContainerXPC - XPC helpers
Sources/CVersion - injected project version
Sources/DNSServer - container DNS resolver
Sources/Helpers - service executables
Sources/Services/*/Client - service clients
Sources/Services/*/Server - service implementations
Sources/SocketForwarder - port forwarding
Sources/TerminalProgress - progress bar
```

## Type of Change
- [ ] Bug fix
- [ ] New feature
- [x] Breaking change
- [ ] Documentation update

## Motivation and Context
The ContainerClient library was a bit of a grab bag. This refactor applies a more sensible project and library structure for resource data types, services, and clients.

## Testing
- [x] Tested locally
- [x] Added/updated tests
- [ ] Added/updated docs

commit 8c439cd
Author: Danny Canter <danny_canter@apple.com>
Date: Mon Jan 5 13:50:57 2026 -0800

makefile: Add cli target (apple#1022)

Often times I'll be making a change that only touches the cli and I don't feel like sitting through the potential song and dance of the other components building/installing.

commit d6f052d
Author: Kathryn Baldauf <k_baldauf@apple.com>
Date: Mon Jan 5 13:09:34 2026 -0800

Update license header on all files to include the current year (apple#1024)

## Motivation and Context
Now that we're in 2026, we need to update the license headers on all the files. Unfortunately, Hawkeye doesn't have an attribute for the current year to help us avoid this in the future. Instead, I had to work around this by doing the following:

1. Update licenserc.toml with:

```
[properties]
... (other properties)
currentYear = "2026"
```

2. Update scripts/license-header.txt with

```
Copyright ©{{ " " }}{%- set created = attrs.git_file_created_year or attrs.disk_file_created_year -%}{%- set modified = props["currentYear"] -%}{%- if created != modified -%} {{created}}-{{modified}}{%- else -%}{{created}}{%- endif -%}{{ " " }}{{ props["copyrightOwner"] }}.
```

Then I removed these two changes before committing. After this PR is merged, all files will have recently had git updates, so the existing code for setting the modified year should work as intended.

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>

commit 20dc0bc
Author: Danny Canter <danny_canter@apple.com>
Date: Sun Jan 4 11:11:09 2026 -0800

Parser: Support relative paths for --volume (apple#1013)

commit 028e7e1
Author: Danny Canter <danny_canter@apple.com>
Date: Sun Jan 4 10:52:46 2026 -0800

Deps: Bump Containerization to 0.19.0 (apple#1015)

Has read-only rootfs support.

commit 020949e
Author: Danny Canter <danny_canter@apple.com>
Date: Sun Jan 4 10:51:20 2026 -0800

CLI: Small fixups for implicit envvars (apple#1014)

We should only inherit from the host if there's no =. Additionally document the flag a little more to show that we can inherit from the host.

commit df368b7
Author: Amir Alperin <alperin.amir@gmail.com>
Date: Sun Jan 4 20:49:22 2026 +0200

Fix port validation to allow same port for different protocols (apple#992) (apple#1000)

- Fixes: apple#992
- Port validation previously rejected valid configurations when the same port number was used for different protocols (TCP and UDP). For example: `-p 1024:1024/udp -p 1024:1024/tcp` Although this is a valid and common use case, the validation logic treated it as a conflict. To fix this, I updated the validation key to include the protocol name. The validation now checks for overlapping port numbers only within the same protocol, rather than across all protocols. This change enables binding the same port number for both TCP and UDP, aligning the validation behavior with real-world networking requirements.

## Testing
- [x] Tested locally
- [x] Added/updated tests
- [ ] Added/updated docs

commit cf64614
Author: J Logan <john_logan@apple.com>
Date: Fri Jan 2 14:10:48 2026 -0800

Update OSS header in Package.swift. (apple#1010)

commit 375ce16
Author: J Logan <john_logan@apple.com>
Date: Fri Jan 2 12:09:12 2026 -0800

Fix OSS header dates that break CI checks. (apple#1009)

commit 580d853
Author: c <claudeaceae@icloud.com>
Date: Fri Jan 2 00:19:57 2026 -0500

Use full path for uninstall script in upgrade instructions (apple#983)

- Makes the upgrade section consistent with the uninstall section by using the full path to the uninstall script.

commit 4cadc40
Author: c <claudeaceae@icloud.com>
Date: Thu Jan 1 22:53:56 2026 -0500

Clarify uninstall script location in README (apple#982)

- Clarifies where the `uninstall-container.sh` script is located after installation
- Updates example commands to use the full path

commit 4e78e30
Author: c <claudeaceae@icloud.com>
Date: Thu Jan 1 20:57:47 2026 -0500

Fix grammar in tutorial.md (apple#985)

## Summary
- Fixes a grammar error in the tutorial's publish section

## Details
Line 287 of `docs/tutorial.md` had "you need push images" which should be "you need to push images". This is a simple grammar fix to improve readability.

## Test plan
- [x] Verified the sentence now reads correctly

commit 22dfd6e
Author: Danny Canter <danny_canter@apple.com>
Date: Thu Jan 1 17:57:00 2026 -0800

CLI: Fix stop not signalling waiters (apple#972)

commit 4958cf2
Author: c <claudeaceae@icloud.com>
Date: Thu Jan 1 20:51:10 2026 -0500

Fix bash completion source path in documentation (apple#981)

- Corrects the source path for bash completion script when not using bash-completion package.
commit 25ac79a
Author: c <claudeaceae@icloud.com>
Date: Thu Jan 1 20:50:19 2026 -0500

Fix MAC address option typo in how-to documentation (apple#980)

- Corrects the MAC address example command in the how-to guide to use the correct `--network` flag syntax instead of the incorrect `--mac-address` flag.

commit edadf15
Author: Raj <realrajaryan@gmail.com>
Date: Thu Jan 1 15:10:39 2026 +0530

Fix container auto-delete on rapid stop/start (apple#841)

Fixes apple#833.

Currently, when stopping and immediately restarting a container, it would fail with the error: `“container expected to be in created state, got: shuttingDown”` and then be automatically deleted. The `SandboxService` process waits five seconds before exiting after shutdown. During this interval, a rapid restart could reconnect to the still-terminating process in the `shuttingDown` state, triggering a state validation error. This fix forcefully terminates the `SandboxService` process with `SIGKILL` upon container exit, instead of waiting five seconds. The bootstrap now defensively checks for and cleans up any stale services before registering new ones, preventing reconnections to processes in the `shuttingDown` state.

commit 5064b0f
Author: J Logan <john_logan@apple.com>
Date: Mon Dec 22 10:16:14 2025 -0800

Adds network IPv6 configuration. (apple#975)

- Part of work for apple#460.
- Enable set/get of IPv6 network prefix in ReservedVmnetNetwork.
- Show IPv6 prefix in `network list` full output.
- Option for setting IPv6 prefix when creating a network.
- System property for default IPv6 prefix.

## Type of Change
- [ ] Bug fix
- [x] New feature
- [ ] Breaking change
- [x] Documentation update

## Motivation and Context
See apple#460.

## Testing
- [x] Tested locally
- [ ] Added/updated tests
- [x] Added/updated docs

commit 9c239aa
Author: Volodymyr Bortniak <25820601+Bortnyak@users.noreply.github.com>
Date: Sat Dec 20 00:36:02 2025 +0100

Add support for reading env from named pipes (apple#974)

This is a fix for [issue#956](apple#956)

`FileManager.default.contents(atPath:)` returns `nil` for named pipes (FIFOs) and process substitutions like `/dev/fd/XX` because:

1. It expects regular files with a known size
2. Named pipes are stream-based and block until data arrives

## Solution
Use `FileHandle(forReadingFrom:)` instead, which:

- Properly handles blocking I/O
- Works with named pipes, process substitutions, and regular files (mentioned in the [doc](https://developer.apple.com/documentation/foundation/filehandle))

Co-authored-by: Bortniak Volodymyr <Bortnyak@users.noreply.github.com>

commit 3c3a83c
Author: Danny Canter <danny_canter@apple.com>
Date: Thu Dec 18 16:28:44 2025 -0800

Turn on oops=panic kernel cmdline (apple#971)

commit b1b9980
Author: Michael Gathara <mikegtrm@gmail.com>
Date: Wed Dec 17 20:58:50 2025 -0600

Fix: Kubes Cluster in Container Crashing Container (IS#923) (apple#930)

- Fixes issue apple#923
- I fixed a race condition in `ConnectHandler.swift` where an asynchronous network connection could complete after the handler had already been removed from the pipeline.
- This prevents the EXC_BREAKPOINT crash in container-runtime-linux that occurred when kinc (Kubernetes in Container) created rapid connections.
- The actual fix was inadvertently applied in apple#957, so this PR contains only the test code.

commit 9f4efe0
Author: Saehej Kang <saehej.kang@gmail.com>
Date: Wed Dec 17 00:30:33 2025 -0800

[networks]: add prune command (apple#914)

- Closes apple#893

commit 4f88725
Author: J Logan <john_logan@apple.com>
Date: Tue Dec 16 16:34:13 2025 -0800

Use new IP/CIDR types from Containerization. (apple#957)

- Part of work for apple#460.
- With CZ release 0.17.0, the IP and CIDR address types changed from String to IPv4Address and CIDRv4, respectively. This PR applies the corresponding adaptations to container.

commit 8e16bb2
Author: Salman Chishti <salmanmkc@GitHub.com>
Date: Tue Dec 16 20:14:45 2025 +0000

Upgrade GitHub Actions to latest versions (apple#959)

- Upgrade GitHub Actions to their latest versions for improved features, bug fixes, and security updates.

Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>

commit 0c7dca4
Author: Salman Chishti <salmanmkc@GitHub.com>
Date: Tue Dec 16 19:23:31 2025 +0000

Add Dependabot for GitHub Actions updates (apple#960)

## Summary
Add Dependabot configuration to automatically keep GitHub Actions up to date.

## Changes
Adds `.github/dependabot.yml` configured to:

- Check for GitHub Actions updates weekly
- Group all action updates together for easier review
- Use `ci` prefix for commit messages

## Why
As discussed in apple#958, this helps:

- Keep actions up to date with security patches automatically
- Handle Node runtime deprecations proactively (e.g., Node 20 → Node 24)
- Reduce manual maintenance burden

## Reference
Based on the pattern used in [swift-nio](https://github.com/apple/swift-nio/blob/main/.github/dependabot.yml).

commit 637c8f1
Author: Salman Chishti <salmanmkc@GitHub.com>
Date: Tue Dec 16 18:15:42 2025 +0000

Upgrade GitHub Actions for Node 24 compatibility (apple#958)

## Summary
Upgrade GitHub Actions to their latest versions to ensure compatibility with Node 24, as Node 20 will reach end-of-life in April 2026.

## Changes

| Action | Old Version(s) | New Version | SHA |
|--------|---------------|-------------|-----|
| `actions/checkout` | v4 | v6 | `8e8c483` |
| `actions/download-artifact` | v4 | v7 | `37930b1` |
| `actions/upload-artifact` | v4 | v6 | `b7c566a` |
| `actions/labeler` | v5 | v6 | `634933e` |
| `actions/configure-pages` | v5 | v5 | `983d773` |
| `actions/upload-pages-artifact` | v3 | v3 | `56afc60` |
| `softprops/action-gh-release` | v2 | v2 | `a06a81a` |

## Context
Per [GitHub's announcement](https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/), Node 20 is being deprecated and runners will begin using Node 24 by default starting March 4th, 2026.

### Why this matters
- **Node 20 EOL**: April 2026
- **Node 24 default**: March 4th, 2026
- **Action**: Update to latest action versions that support Node 24

### Security
All actions are now **pinned to commit SHAs** instead of mutable version tags. This provides:

- Protection against tag hijacking attacks
- Immutable, reproducible builds
- Version comments for readability

### Automated Updates
A follow-up PR (apple#960) adds Dependabot configuration to automatically keep these actions updated with new SHA-pinned versions.

### Testing
These changes only affect CI/CD workflow configurations and should not impact application functionality. The workflows should be tested by running them on a branch before merging.

Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>

commit c22f128
Author: karen heckel <karen.heckel@utexas.edu>
Date: Mon Dec 15 21:16:55 2025 -0800

Feat: customize console output with env variable (apple#952)

Fixes apple#915

Added a new feature to support the passing of buildkit colors for customizing console output.

commit 9b7cfd8
Author: Saehej Kang <saehej.kang@gmail.com>
Date: Mon Dec 15 17:52:00 2025 -0800

[images]: refactor prune command (apple#941)

- Updates to `image prune` for consistency with how other `prune` commands are done. Added missing test cases as well for the command
- Relates to the discussion from apple#914

commit 7d30720
Author: Danny Canter <danny_canter@apple.com>
Date: Thu Dec 11 05:36:15 2025 -0800

CLI: Fix -it not being able to pipe stdout (apple#951)

Fixes apple#949

Typically if one fd is a tty, it's common for all 3 of stdio to be the same, but that is not always the case. In our case we were using our Terminal type from Containerization to comb through err/out/in and give us a type backed by one of the 3 if -t was supplied. It happens that stderr is the first we check, so our Terminal() is backed by fd 2. This change modifies things so that we always initialize our Terminal if asked for with fd 0, and out/err are backed by their corresponding correct fd number.

## Type of Change
- [x] Bug fix
- [ ] New feature
- [ ] Breaking change
- [ ] Documentation update

## Testing
- [x] Tested locally
- [ ] Added/updated tests
- [ ] Added/updated docs

commit a2901e0
Author: wangxiaolei <fatelei@gmail.com>
Date: Wed Dec 10 10:04:40 2025 +0800

feat: implement version sub command (apple#911)

- closes apple#383
- implement version sub command, give more info

---------

Co-authored-by: fatelei <fatelei@fateleis-MacBook-Pro.local>

commit 0cde1ef
Author: Danny Canter <danny_canter@apple.com>
Date: Tue Dec 9 13:24:45 2025 -0800

Deps: Bump Containerization to 0.16.2 (apple#947)

Closes apple#928

Has a cgroup fix when stopping certain containers

commit 3896055
Author: Dmitry Kovba <dkovba@apple.com>
Date: Tue Dec 9 12:32:28 2025 -0800

Lowercase error messages (apple#945)

## Type of Change
- [x] Bug fix
- [ ] New feature
- [ ] Breaking change
- [ ] Documentation update

## Motivation and Context
For consistency, all error messages are lowercased.

## Testing
- [ ] Tested locally
- [ ] Added/updated tests
- [ ] Added/updated docs

---------

Co-authored-by: J Logan <sgtbakerrahulnet@yahoo.com>

commit 0733a81
Author: Saehej Kang <saehej.kang@gmail.com>
Date: Tue Dec 9 10:54:37 2025 -0800

[volumes]: refactor prune command (apple#940)

- Refactor the `volume prune` command to follow a client-side approach. The `volumeDiskUsage` is calculated in the service file, so it made sense to leave that there.
- Relates to the discussion from apple#914

commit 42528e6
Author: Kathryn Baldauf <k_baldauf@apple.com>
Date: Tue Dec 9 10:42:27 2025 -0800

Update CONTRIBUTORS to MAINTAINERS and point at containerization (apple#942)

## Type of Change
- [x] Documentation update

## Motivation and Context
See apple/containerization#435 for more information on this change.

commit a64bd77
Author: J Logan <john_logan@apple.com>
Date: Tue Dec 9 14:35:34 2025 -0300

Fix broken image integration tests. (apple#944)

- Fixes apple#943.
- Use images other than alpine:3.20 for image concurrency test so as not to interfere with tests using that image.
- Rename test files to match suite names.

commit ab92f39
Author: TTtie <me@tttie.cz>
Date: Mon Dec 8 18:17:10 2025 +0100

fix(TerminalProgress): make the progress bar respect locale-specific decimal separator (apple#936)

- The `ProgressBar#adjustFormattedSize` function currently expects a decimal dot when adding the additional ".0" to the size. This, however, breaks when a region with a non-dot decimal separator is used.

commit 420be74
Author: J Logan <john_logan@apple.com>
Date: Mon Dec 8 03:00:02 2025 -0300

Data integrity: bump to cz 0.16.1, adjust sync mode. (apple#939)

- 0.16.1 changes an ext4 superblock setting that might have been causing problems.
- apple#877 fixed an issue where the cache and sync settings for block filesystems weren't being passed down to the VZ virtual machine configuration. The default sync value getting passed down is `full`, which reduces I/O performance. Relax this to use `fsync` for now.

## Type of Change
- [*] Bug fix
- [ ] New feature
- [ ] Breaking change
- [ ] Documentation update

## Motivation and Context
May address problems reported in apple#877.

## Testing
- [x] Tested locally
- [ ] Added/updated tests
- [x] Added/updated docs

commit f7bcb68
Author: Santosh Bhavani <santosh.bhavani@live.com>
Date: Sun Dec 7 10:56:50 2025 -0800

Add --max-concurrent-downloads flag for parallel layer downloads (apple#716)

Adds `--max-concurrent-downloads` flag to `container image pull` for configurable concurrent layer downloads.

Fixes apple#715

Depends on apple/containerization#311

**Usage**:

```bash
container image pull nginx:latest --max-concurrent-downloads 6
```

**Changes**:

- Add CLI flag (default: 3)
- Thread parameter through XPC stack
- Update to use forked containerization with configurable concurrency

**Performance**: ~1.2-1.3x faster pulls for multi-layer images with higher concurrency

**Tests**: Included standalone tests verify concurrency behavior and parameter flow

---------

Co-authored-by: Claude <noreply@anthropic.com>
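
The apple#958 commit message above describes pinning every action to a commit SHA with a version comment instead of a mutable tag. One way to check a workflow file for that policy is sketched below as an added example; it is not code from this PR or from the container project. The workflow text and the 40-character SHA in it are constructed placeholders, and the function names are hypothetical.

```python
import re

# A "uses:" entry, optionally a list item, optionally quoted, with an optional
# trailing "# comment" (the version comment the commit message mentions).
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#\s*(.*))?$""")
# Only a full-length commit SHA counts as pinned. A shorter hex string is
# reported, because it cannot be told apart from a tag or branch name.
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def classify_ref(target):
    """Return 'local', 'pinned' or 'mutable' for one uses: target."""
    if target.startswith("./"):
        return "local"  # action stored in the same repository as the workflow
    if target.startswith("docker://"):
        # Container actions are immutable only when referenced by digest.
        return "pinned" if "@sha256:" in target else "mutable"
    _, sep, ref = target.partition("@")
    if not sep:
        return "mutable"  # no ref given at all
    return "pinned" if FULL_SHA_RE.match(ref) else "mutable"


def audit_workflow(text):
    """Return one finding per uses: line in a workflow file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group(1)
        comment = (match.group(2) or "").strip()
        findings.append({
            "line": lineno,
            "target": target,
            "kind": classify_ref(target),
            "comment": comment,
        })
    return findings


def unpinned(text):
    """uses: entries that still point at a tag, branch or short ref."""
    return [f for f in audit_workflow(text) if f["kind"] == "mutable"]


def pinned_without_version_comment(text):
    """SHA-pinned entries that lack the readable version comment."""
    return [f for f in audit_workflow(text)
            if f["kind"] == "pinned" and not f["comment"]]


# Constructed sample workflow. The SHA is a placeholder, not a real commit.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/upload-artifact@{PLACEHOLDER_SHA} # v6
      - uses: actions/labeler@{PLACEHOLDER_SHA}
      - uses: actions/configure-pages@0123456
      - uses: ./.github/actions/local-step
      - name: release
        uses: softprops/action-gh-release@main
"""

if __name__ == "__main__":
    for finding in unpinned(SAMPLE_WORKFLOW):
        print(f"line {finding['line']}: {finding['target']} is not SHA-pinned")
    for finding in pinned_without_version_comment(SAMPLE_WORKFLOW):
        print(f"line {finding['line']}: {finding['target']} has no version comment")
```

Run against the files under `.github/workflows/`, a non-empty result from `unpinned` can fail a CI check so that a mutable reference does not slip back in.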
commit 69445b9 Author: jwhur <57657645+JaewonHur@users.noreply.github.com> Date: Mon Jan 19 13:09:34 2026 -0800 Throw error when starting a container with invalid virtiofs source (apple#1051) Run = Create + Start 1) Mount source points to a valid directory - Run and Create + Start both correctly create the container with mount. 2) Mount source points to a file - Run fails bootstrapping the container, thus container not created. - Create creates the container, but Start fails bootstrapping, removing the container. (Thus, both are the same.) 3) Mount source deleted or replaced to file after container created - Start throw errors but do not delete the container. commit 08f48d9 Author: Danny Canter <danny_canter@apple.com> Date: Fri Jan 16 21:48:58 2026 -0800 ContainerSvc: Handle unexpected sandbox svc exits (apple#1065) Closes apple#1050 If the sandbox svc exits out of band of the usual stop (or regular exit) case the container svc's state is not properly updated for the container. This was due to the cleanup steps involving trying to send the shutdown rpc which cannot succeed as the sandbox svc does not exist to service it. To handle this, let's treat shutdown not returning successfully as non-fatal (as this is mostly best effort), log an error and continue the state cleanup. commit b928e3f Author: Amir Alperin <me@remotecpp.dev> Date: Sat Jan 17 07:43:48 2026 +0200 fix: performance warning should not output ANSI codes if stderr redirected (apple#1059) commit 744e7f7 Author: J Logan <john_logan@apple.com> Date: Fri Jan 16 16:26:13 2026 -0800 Update for containerization 0.21.0. (apple#1056) - Update image load and build to handle rejected paths during tar extraction. For the image load command there is now a `--force` function that fails extractions with rejected paths when false, and just warns about the rejected paths when true. - Update `container stats` for statistics API properties now all being optional. 
## Type of Change - [x] Bug fix - [ ] New feature - [ ] Breaking change - [x] Documentation update ## Motivation and Context See above ## Testing - [x] Tested locally - [x] Added/updated tests - [x] Added/updated docs commit b1577d8 Author: J Logan <john_logan@apple.com> Date: Fri Jan 16 15:50:47 2026 -0800 Adds opt-in pre-commit hook for format and header checks. (apple#1062) - Closes apple#639. - Adds swift format configuration that removes lint checks so we can use `swift lint` to perform format-only tests. - Adds `check` target that invokes format and header checks. - Adds pre-commit script that runs `make check`. - Adds `pre-commit` target that installs the check script as a pre-commit hook. ## Type of Change - [ ] Bug fix - [x] New feature - [ ] Breaking change - [x] Documentation update ## Motivation and Context Avoids wasting time and commit rewrites. ## Testing - [x] Tested locally - [ ] Added/updated tests - [x] Added/updated docs commit 3cf2c6a Author: J Logan <john_logan@apple.com> Date: Fri Jan 16 13:41:32 2026 -0800 Fix unstable integration tests. (apple#1060) - TestCLIRunCommand now run so many tests concurrently that the API server gets swamped and tests randomly time out. - The parallelism options on `swift test` only work for XCTest, not swift-testing. - Work around this while retaining some parallelism (good for stress testing) by breaking the tests into two suites. commit 8897fcc Author: Manu Schiller <56154253+manuschillerdev@users.noreply.github.com> Date: Wed Jan 14 04:39:08 2026 +0100 fix: use pax instead of tar for pkg payload extraction (apple#1038) - It is common to have `gnu-tar` alongside other GNU tools installed and aliased for compatibility reasons. However, this breaks the current make build. - Use BSD-only binaries (no GNU equivalents that are commonly aliased), making the Makefile more portable. 
commit dbec1db Author: Ronit Sabhaya <ronitsabhaya75@gmail.com> Date: Mon Jan 12 20:34:25 2026 -0600 Add support for aarch64 architecture alias (apple#1040) - Adds `aarch64` as an alias for `arm64` in the `Arch` enum. This addresses the maintainer's request to support this common architecture name, ensuring consistency with `x86_64` normalization and preventing failures for users expecting `aarch64` support. commit 837aa5e Author: jwhur <57657645+JaewonHur@users.noreply.github.com> Date: Mon Jan 12 14:36:10 2026 -0800 Fix the FS error when using Virtualization (apple#1041) - Fixes apple#614. - Use VZ cached mode instead of auto. Signed-off-by: jwhur <jaewon_hur@apple.com> commit e465b10 Author: 박성근 <117553364+ParkSeongGeun@users.noreply.github.com> Date: Tue Jan 13 03:30:51 2026 +0900 Fix relative path resolution in entrypoint (apple#987) - Fixes apple#962. - Adds test to exercise apple/containerization#473. - Updates containerization to 0.20.1. Signed-off-by: ParkSeongGeun <phd0801@naver.com> commit aa77928 Author: Ronit Sabhaya <ronitsabhaya75@gmail.com> Date: Mon Jan 12 12:04:46 2026 -0600 Fix: Support x86_64 architecture alias to prevent silent pull failure… (apple#1036) - Adds architecture name normalization to accept `x86_64` and `x86-64` as aliases for `amd64`. commit dc4682b Author: Amir Alperin <me@remotecpp.dev> Date: Fri Jan 9 21:10:53 2026 +0200 fix: extract hostname from FQDN (apple#1011) (apple#1017) - Set the container hostname to the first DNS label derived from the container id, strip everything after the first dot. - Fixes apple#1011. commit 4af1cc0 Author: Ronit Sabhaya <ronitsabhaya75@gmail.com> Date: Thu Jan 8 21:27:43 2026 -0600 fix: improve error message when binding to privileged ports (fixes apple#978) (apple#1031) - The container fails to start with a generic "permission denied" error when attempting to publish privileged ports (ports below 1024) without root privileges. 
This provides a confusing user experience as the error doesn't explain why permission was denied.

commit 21facf0
Author: J Logan <john_logan@apple.com>
Date: Thu Jan 8 17:02:22 2026 -0800

Add instructions for using locally built init filesystem. (apple#1032)

- Closes apple#1030.

commit b671690
Author: Danny Canter <danny_canter@apple.com>
Date: Wed Jan 7 21:01:10 2026 -0800

ProgressBar: Various fixes (apple#1025)

There's a couple things I don't think are intuitive about this.

1. Because of the internal task, render() can still be called even after finish() completes. Ideally async defers are supported and we could just await the final render completing after cancelling the task and setting .finished, but alas. To fix this we can just lock across the methods for now.
2. We always clear the screen in the destructor, even if we don't use the progress bar. I don't think we should honestly do anything in the destructor. Feels a programmer error not to defer { bar.finish() } or call it somewhere.
3. Our spaces based line clearing. Use the ansi escape sequence for clearing line; I think our calculations were slightly off and it would leave trailing output ( "s]" ) in some cases.
4. Shrinking the window until the output is smaller than the terminal window (and vice versa) is wonky on various term emulators. Truthfully, this is just a hard problem, but we can truncate our output and still provide some useful info.

This fixes some single line output (cat /etc/hostname etc.) getting cleared in our atexit handler, as well as the need for the usleep.

commit 98410fd
Author: J Logan <john_logan@apple.com>
Date: Wed Jan 7 18:23:31 2026 -0800

Adds IPv6 port forwarding. (apple#1029)

- Closes apple#1006.

commit 9d06475
Author: Saehej Kang <saehej.kang@gmail.com>
Date: Wed Jan 7 16:53:33 2026 -0800

[container]: add startedDate field (apple#1018)

- Closes apple#302.
- Closes apple#336 (obsoletes this PR).
commit db8932a
Author: J Logan <john_logan@apple.com>
Date: Wed Jan 7 15:35:35 2026 -0800

Resolve IPv6 address queries for container names. (apple#1016)

- Closes apple#1005.
- Adapt everything to use MACAddress type from containerization 0.20.0.
- Allocate MAC addresses for every container so that we have deterministic IPv6 link local addresses.
- Add AAAA handling to ContainerDNSHandler.
- NOTE: Only works on Tahoe. On Sequoia, we don't have a good way to set or determine the IPv6 network prefix when networks are created, so we can't infer the IPv6 link local addresses for AAAA responses and we instead return `NODATA`.

commit 5d6c750
Author: Danny Canter <danny_canter@apple.com>
Date: Wed Jan 7 14:48:58 2026 -0800

CLI: Add read-only flag to run/create (apple#999)

Closes apple#990

Sets the rootfs for a container to read-only.

commit aac2457
Author: Danny Canter <danny_canter@apple.com>
Date: Wed Jan 7 13:46:26 2026 -0800

Tests: Fix relative path mount tests (apple#1028)

The tests are run in parallel on CI, and were split into three tests. They change the cwd, so it's kind of a gamble whether some of them pass. This just moves all the logic into one test mostly.

commit 9cd5397
Author: J Logan <john_logan@apple.com>
Date: Wed Jan 7 10:35:19 2026 -0800

Update to containerization 0.20.0. (apple#1027)

- Use MACAddress for Attachment and CZ interfaces.
- Move data validation closer to API surface.

commit 356c8d2
Author: J Logan <john_logan@apple.com>
Date: Tue Jan 6 08:27:14 2026 -0800

Reorganize client libraries. (apple#1020)

- Closes apple#461.
- Extract core types into ContainerResources target.
- Extract ContainerNetworkServiceClient from ContainerNetworkService.
- Relocate sandbox client from ContainerClient to ContainerSandboxServiceClient.
- Relocate ContainerClient to ContainerAPIServiceClient.
- Common structure from services and clients under Source/Services.
Updated project hierarchy:

```
Sources/CAuditToken - audit token access wrapper
Sources/CLI - CLI executable
Sources/ContainerBuild - builder
Sources/ContainerCommands - CLI command implementations
Sources/ContainerLog - logging helpers
Sources/ContainerPersistence - persistent data and system property helpers
Sources/ContainerPlugin - plugin system
Sources/ContainerResource - resource (container, image, volume, network) types
Sources/ContainerVersion - version helpers
Sources/ContainerXPC - XPC helpers
Sources/CVersion - injected project version
Sources/DNSServer - container DNS resolver
Sources/Helpers - service executables
Sources/Services/*/Client - service clients
Sources/Services/*/Server - service implementations
Sources/SocketForwarder - port forwarding
Sources/TerminalProgress - progress bar
```

## Type of Change

- [ ] Bug fix
- [ ] New feature
- [x] Breaking change
- [ ] Documentation update

## Motivation and Context

The ContainerClient library was a bit of a grab bag. This refactor applies a more sensible project and library structure for resource data types, services, and clients.

## Testing

- [x] Tested locally
- [x] Added/updated tests
- [ ] Added/updated docs

commit 8c439cd
Author: Danny Canter <danny_canter@apple.com>
Date: Mon Jan 5 13:50:57 2026 -0800

makefile: Add cli target (apple#1022)

Often times I'll be making a change that only touches the cli and I don't feel like sitting through the potential song and dance of the other components building/installing.

commit d6f052d
Author: Kathryn Baldauf <k_baldauf@apple.com>
Date: Mon Jan 5 13:09:34 2026 -0800

Update license header on all files to include the current year (apple#1024)

## Motivation and Context

Now that we're in 2026, we need to update the license headers on all the files. Unfortunately, Hawkeye doesn't have an attribute for the current year to help us avoid this in the future. Instead, I had to work around this by doing the following:

1. Update licenserc.toml with: ``` [properties] ...
(other properties) currentYear = "2026" ```

2. Update scripts/license-header.txt with

```
Copyright ©{{ " " }}{%- set created = attrs.git_file_created_year or attrs.disk_file_created_year -%}{%- set modified = props["currentYear"] -%}{%- if created != modified -%} {{created}}-{{modified}}{%- else -%}{{created}}{%- endif -%}{{ " " }}{{ props["copyrightOwner"] }}.
```

Then I removed these two changes before committing. After this PR is merged, all files will have recently had git updates, so the existing code for setting the modified year should work as intended.

Signed-off-by: Kathryn Baldauf <k_baldauf@apple.com>

commit 20dc0bc
Author: Danny Canter <danny_canter@apple.com>
Date: Sun Jan 4 11:11:09 2026 -0800

Parser: Support relative paths for --volume (apple#1013)

commit 028e7e1
Author: Danny Canter <danny_canter@apple.com>
Date: Sun Jan 4 10:52:46 2026 -0800

Deps: Bump Containerization to 0.19.0 (apple#1015)

Has read-only rootfs support.

commit 020949e
Author: Danny Canter <danny_canter@apple.com>
Date: Sun Jan 4 10:51:20 2026 -0800

CLI: Small fixups for implicit envvars (apple#1014)

We should only inherit from the host if there's no =. Additionally document the flag a little more to show that we can inherit from the host.

commit df368b7
Author: Amir Alperin <alperin.amir@gmail.com>
Date: Sun Jan 4 20:49:22 2026 +0200

Fix port validation to allow same port for different protocols (apple#992) (apple#1000)

- Fixes: apple#992
- Port validation previously rejected valid configurations when the same port number was used for different protocols (TCP and UDP).

For example: `-p 1024:1024/udp -p 1024:1024/tcp`

Although this is a valid and common use case, the validation logic treated it as a conflict. To fix this, I updated the validation key to include the protocol name. The validation now checks for overlapping port numbers only within the same protocol, rather than across all protocols.
This change enables binding the same port number for both TCP and UDP, aligning the validation behavior with real-world networking requirements.

## Testing

- [x] Tested locally
- [x] Added/updated tests
- [ ] Added/updated docs

commit cf64614
Author: J Logan <john_logan@apple.com>
Date: Fri Jan 2 14:10:48 2026 -0800

Update OSS header in Package.swift. (apple#1010)

commit 375ce16
Author: J Logan <john_logan@apple.com>
Date: Fri Jan 2 12:09:12 2026 -0800

Fix OSS header dates that break CI checks. (apple#1009)

commit 580d853
Author: c <claudeaceae@icloud.com>
Date: Fri Jan 2 00:19:57 2026 -0500

Use full path for uninstall script in upgrade instructions (apple#983)

- Makes the upgrade section consistent with the uninstall section by using the full path to the uninstall script.

commit 4cadc40
Author: c <claudeaceae@icloud.com>
Date: Thu Jan 1 22:53:56 2026 -0500

Clarify uninstall script location in README (apple#982)

- Clarifies where the `uninstall-container.sh` script is located after installation
- Updates example commands to use the full path

commit 4e78e30
Author: c <claudeaceae@icloud.com>
Date: Thu Jan 1 20:57:47 2026 -0500

Fix grammar in tutorial.md (apple#985)

## Summary

- Fixes a grammar error in the tutorial's publish section

## Details

Line 287 of `docs/tutorial.md` had "you need push images" which should be "you need to push images". This is a simple grammar fix to improve readability.

## Test plan

- [x] Verified the sentence now reads correctly

commit 22dfd6e
Author: Danny Canter <danny_canter@apple.com>
Date: Thu Jan 1 17:57:00 2026 -0800

CLI: Fix stop not signalling waiters (apple#972)

commit 4958cf2
Author: c <claudeaceae@icloud.com>
Date: Thu Jan 1 20:51:10 2026 -0500

Fix bash completion source path in documentation (apple#981)

- Corrects the source path for bash completion script when not using bash-completion package.
commit 25ac79a
Author: c <claudeaceae@icloud.com>
Date: Thu Jan 1 20:50:19 2026 -0500

Fix MAC address option typo in how-to documentation (apple#980)

- Corrects the MAC address example command in the how-to guide to use the correct `--network` flag syntax instead of the incorrect `--mac-address` flag.

commit edadf15
Author: Raj <realrajaryan@gmail.com>
Date: Thu Jan 1 15:10:39 2026 +0530

Fix container auto-delete on rapid stop/start (apple#841)

Fixes apple#833.

Currently, when stopping and immediately restarting a container, it would fail with the error: `“container expected to be in created state, got: shuttingDown”` and then be automatically deleted.

The `SandboxService` process waits five seconds before exiting after shutdown. During this interval, a rapid restart could reconnect to the still-terminating process in the `shuttingDown` state, triggering a state validation error.

This fix forcefully terminates the `SandboxService` process with `SIGKILL` upon container exit, instead of waiting five seconds. The bootstrap now defensively checks for and cleans up any stale services before registering new ones, preventing reconnections to processes in the `shuttingDown` state.

commit 5064b0f
Author: J Logan <john_logan@apple.com>
Date: Mon Dec 22 10:16:14 2025 -0800

Adds network IPv6 configuration. (apple#975)

- Part of work for apple#460.
- Enable set/get of IPv6 network prefix in ReservedVmnetNetwork.
- Show IPv6 prefix in `network list` full output.
- Option for setting IPv6 prefix when creating a network.
- System property for default IPv6 prefix.

## Type of Change

- [ ] Bug fix
- [x] New feature
- [ ] Breaking change
- [x] Documentation update

## Motivation and Context

See apple#460.
## Testing

- [x] Tested locally
- [ ] Added/updated tests
- [x] Added/updated docs

commit 9c239aa
Author: Volodymyr Bortniak <25820601+Bortnyak@users.noreply.github.com>
Date: Sat Dec 20 00:36:02 2025 +0100

Add support for reading env from named pipes (apple#974)

This is a fix for [issue#956](apple#956)

`FileManager.default.contents(atPath:)` returns `nil` for named pipes (FIFOs) and process substitutions like `/dev/fd/XX` because:

1. It expects regular files with a known size
2. Named pipes are stream-based and block until data arrives

## Solution

Use `FileHandle(forReadingFrom:)` instead, which:

- Properly handles blocking I/O
- Works with named pipes, process substitutions, and regular files (mentioned in the [doc](https://developer.apple.com/documentation/foundation/filehandle))

Co-authored-by: Bortniak Volodymyr <Bortnyak@users.noreply.github.com>

commit 3c3a83c
Author: Danny Canter <danny_canter@apple.com>
Date: Thu Dec 18 16:28:44 2025 -0800

Turn on oops=panic kernel cmdline (apple#971)

commit b1b9980
Author: Michael Gathara <mikegtrm@gmail.com>
Date: Wed Dec 17 20:58:50 2025 -0600

Fix: Kubes Cluster in Container Crashing Container (IS#923) (apple#930)

- Fixes issue apple#923
- I fixed a race condition in `ConnectHandler.swift` where an asynchronous network connection could complete after the handler had already been removed from the pipeline.
- This prevents the EXC_BREAKPOINT crash in container-runtime-linux that occurred when kinc (Kubernetes in Container) created rapid connections.
- The actual fix was inadvertently applied in apple#957, so this PR contains only the test code.

commit 9f4efe0
Author: Saehej Kang <saehej.kang@gmail.com>
Date: Wed Dec 17 00:30:33 2025 -0800

[networks]: add prune command (apple#914)

- Closes apple#893

commit 4f88725
Author: J Logan <john_logan@apple.com>
Date: Tue Dec 16 16:34:13 2025 -0800

Use new IP/CIDR types from Containerization. (apple#957)

- Part of work for apple#460.
- With CZ release 0.17.0, the IP and CIDR address types changed from String to IPv4Address and CIDRv4, respectively. This PR applies the corresponding adaptations to container.

commit 8e16bb2
Author: Salman Chishti <salmanmkc@GitHub.com>
Date: Tue Dec 16 20:14:45 2025 +0000

Upgrade GitHub Actions to latest versions (apple#959)

- Upgrade GitHub Actions to their latest versions for improved features, bug fixes, and security updates.

Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>

commit 0c7dca4
Author: Salman Chishti <salmanmkc@GitHub.com>
Date: Tue Dec 16 19:23:31 2025 +0000

Add Dependabot for GitHub Actions updates (apple#960)

## Summary

Add Dependabot configuration to automatically keep GitHub Actions up to date.

## Changes

Adds `.github/dependabot.yml` configured to:

- Check for GitHub Actions updates weekly
- Group all action updates together for easier review
- Use `ci` prefix for commit messages

## Why

As discussed in apple#958, this helps:

- Keep actions up to date with security patches automatically
- Handle Node runtime deprecations proactively (e.g., Node 20 → Node 24)
- Reduce manual maintenance burden

## Reference

Based on the pattern used in [swift-nio](https://github.com/apple/swift-nio/blob/main/.github/dependabot.yml).

commit 637c8f1
Author: Salman Chishti <salmanmkc@GitHub.com>
Date: Tue Dec 16 18:15:42 2025 +0000

Upgrade GitHub Actions for Node 24 compatibility (apple#958)

## Summary

Upgrade GitHub Actions to their latest versions to ensure compatibility with Node 24, as Node 20 will reach end-of-life in April 2026.
## Changes

| Action | Old Version(s) | New Version | SHA |
|--------|---------------|-------------|-----|
| `actions/checkout` | v4 | v6 | `8e8c483` |
| `actions/download-artifact` | v4 | v7 | `37930b1` |
| `actions/upload-artifact` | v4 | v6 | `b7c566a` |
| `actions/labeler` | v5 | v6 | `634933e` |
| `actions/configure-pages` | v5 | v5 | `983d773` |
| `actions/upload-pages-artifact` | v3 | v3 | `56afc60` |
| `softprops/action-gh-release` | v2 | v2 | `a06a81a` |

## Context

Per [GitHub's announcement](https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/), Node 20 is being deprecated and runners will begin using Node 24 by default starting March 4th, 2026.

### Why this matters

- **Node 20 EOL**: April 2026
- **Node 24 default**: March 4th, 2026
- **Action**: Update to latest action versions that support Node 24

### Security

All actions are now **pinned to commit SHAs** instead of mutable version tags. This provides:

- Protection against tag hijacking attacks
- Immutable, reproducible builds
- Version comments for readability

### Automated Updates

A follow-up PR (apple#960) adds Dependabot configuration to automatically keep these actions updated with new SHA-pinned versions.

### Testing

These changes only affect CI/CD workflow configurations and should not impact application functionality. The workflows should be tested by running them on a branch before merging.

Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>

commit c22f128
Author: karen heckel <karen.heckel@utexas.edu>
Date: Mon Dec 15 21:16:55 2025 -0800

Feat: customize console output with env variable (apple#952)

Fixes apple#915

Added a new feature to support the passing of buildkit colors for customizing console output.

commit 9b7cfd8
Author: Saehej Kang <saehej.kang@gmail.com>
Date: Mon Dec 15 17:52:00 2025 -0800

[images]: refactor prune command (apple#941)

- Updates to `image prune` for consistency with how other `prune` commands are done.
Added missing test cases as well for the command

- Relates to the discussion from apple#914

commit 7d30720
Author: Danny Canter <danny_canter@apple.com>
Date: Thu Dec 11 05:36:15 2025 -0800

CLI: Fix -it not being able to pipe stdout (apple#951)

Fixes apple#949

Typically if one fd is a tty, it's common for all 3 of stdio to be the same, but that is not always the case. In our case we were using our Terminal type from Containerization to comb through err/out/in and give us a type backed by one of the 3 if -t was supplied. It happens that stderr is the first we check, so our Terminal() is backed by fd 2. This change modifies things so that we always initialize our Terminal if asked for with fd 0, and out/err are backed by their corresponding correct fd number.

## Type of Change

- [x] Bug fix
- [ ] New feature
- [ ] Breaking change
- [ ] Documentation update

## Testing

- [x] Tested locally
- [ ] Added/updated tests
- [ ] Added/updated docs

commit a2901e0
Author: wangxiaolei <fatelei@gmail.com>
Date: Wed Dec 10 10:04:40 2025 +0800

feat: implement version sub command (apple#911)

- closes apple#383
- implement version sub command, give more info

---------

Co-authored-by: fatelei <fatelei@fateleis-MacBook-Pro.local>

commit 0cde1ef
Author: Danny Canter <danny_canter@apple.com>
Date: Tue Dec 9 13:24:45 2025 -0800

Deps: Bump Containerization to 0.16.2 (apple#947)

Closes apple#928

Has a cgroup fix when stopping certain containers

commit 3896055
Author: Dmitry Kovba <dkovba@apple.com>
Date: Tue Dec 9 12:32:28 2025 -0800

Lowercase error messages (apple#945)

## Type of Change

- [x] Bug fix
- [ ] New feature
- [ ] Breaking change
- [ ] Documentation update

## Motivation and Context

For consistency, all error messages are lowercased.
## Testing

- [ ] Tested locally
- [ ] Added/updated tests
- [ ] Added/updated docs

---------

Co-authored-by: J Logan <sgtbakerrahulnet@yahoo.com>

commit 0733a81
Author: Saehej Kang <saehej.kang@gmail.com>
Date: Tue Dec 9 10:54:37 2025 -0800

[volumes]: refactor prune command (apple#940)

- Refactor the `volume prune` command to follow a client-side approach. The `volumeDiskUsage` is calculated in the service file, so it made sense to leave that there.
- Relates to the discussion from apple#914

commit 42528e6
Author: Kathryn Baldauf <k_baldauf@apple.com>
Date: Tue Dec 9 10:42:27 2025 -0800

Update CONTRIBUTORS to MAINTAINERS and point at containerization (apple#942)

## Type of Change

- [x] Documentation update

## Motivation and Context

See apple/containerization#435 for more information on this change.

commit a64bd77
Author: J Logan <john_logan@apple.com>
Date: Tue Dec 9 14:35:34 2025 -0300

Fix broken image integration tests. (apple#944)

- Fixes apple#943.
- Use images other than alpine:3.20 for image concurrency test so as not to interfere with tests using that image.
- Rename test files to match suite names.

commit ab92f39
Author: TTtie <me@tttie.cz>
Date: Mon Dec 8 18:17:10 2025 +0100

fix(TerminalProgress): make the progress bar respect locale-specific decimal separator (apple#936)

- The `ProgressBar#adjustFormattedSize` function currently expects a decimal dot when adding the additional ".0" to the size. This, however, breaks when a region with a non-dot decimal separator is used.

commit 420be74
Author: J Logan <john_logan@apple.com>
Date: Mon Dec 8 03:00:02 2025 -0300

Data integrity: bump to cz 0.16.1, adjust sync mode. (apple#939)

- 0.16.1 changes an ext4 superblock setting that might have been causing problems.
- apple#877 fixed an issue where the cache and sync settings for block filesystems weren't being passed down to the VZ virtual machine configuration. The default sync value getting passed down is `full`, which reduces I/O performance.
Relax this to use `fsync` for now.

## Type of Change

- [*] Bug fix
- [ ] New feature
- [ ] Breaking change
- [ ] Documentation update

## Motivation and Context

May address problems reported in apple#877.

## Testing

- [x] Tested locally
- [ ] Added/updated tests
- [x] Added/updated docs

commit f7bcb68
Author: Santosh Bhavani <santosh.bhavani@live.com>
Date: Sun Dec 7 10:56:50 2025 -0800

Add --max-concurrent-downloads flag for parallel layer downloads (apple#716)

Adds `--max-concurrent-downloads` flag to `container image pull` for configurable concurrent layer downloads.

Fixes apple#715

Depends on apple/containerization#311

**Usage**:

```bash
container image pull nginx:latest --max-concurrent-downloads 6
```

**Changes**:

- Add CLI flag (default: 3)
- Thread parameter through XPC stack
- Update to use forked containerization with configurable concurrency

**Performance**: ~1.2-1.3x faster pulls for multi-layer images with higher concurrency

**Tests**: Included standalone tests verify concurrency behavior and parameter flow

---------

Co-authored-by: Claude <noreply@anthropic.com>
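The SHA pinning described in commit 637c8f1 above can be checked mechanically in review or CI. The following is an added example, not code from this PR or from the project: the workflow text and its 40-character refs are constructed placeholders, and the names `audit_workflow`, `unpinned` and `pinned_without_note` are hypothetical.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample workflow, not taken from the project's repository.
# The 40-hex refs are made-up placeholders, not real commit ids.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6
      - uses: actions/upload-artifact@v6
      - uses: actions/labeler@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-step
      - name: release
        uses: "softprops/action-gh-release@main"
      # - uses: actions/cache@v4   (commented out, must be ignored)
"""

# A `uses:` key (optionally the first key of a list item), an optionally
# quoted target, and an optional trailing comment. Commented-out lines
# do not match because `uses:` must follow the indentation directly.
USES_RE = re.compile(
    r"""^\s*(?:-\s+)?uses:\s*(?P<q>["']?)(?P<target>[^"'\s#]+)(?P=q)\s*(?:#\s*(?P<note>.*))?$"""
)
# Only a full-length commit id counts as pinned; tags, branches and
# abbreviated ids are all reported.
FULL_SHA_RE = re.compile(r"[0-9a-fA-F]{40}")


class Finding(NamedTuple):
    line: int      # 1-based line number in the workflow text
    target: str    # the value of `uses:`
    status: str    # "pinned", "unpinned", "missing-ref" or "skipped"
    note: str      # trailing comment, e.g. the human-readable version


def classify(target: str) -> str:
    """Decide whether one `uses:` target is pinned to a full commit SHA."""
    # Local actions carry no ref; docker:// images are pinned by digest,
    # which is out of scope for this check.
    if target.startswith(("./", "docker://")):
        return "skipped"
    _, sep, ref = target.rpartition("@")
    if not sep:
        return "missing-ref"
    return "pinned" if FULL_SHA_RE.fullmatch(ref) else "unpinned"


def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per active `uses:` line in a workflow file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if m:
            target = m.group("target")
            note = (m.group("note") or "").strip()
            findings.append(Finding(lineno, target, classify(target), note))
    return findings


def unpinned(findings: List[Finding]) -> List[Tuple[int, str]]:
    """Targets that a tag or branch move could silently change."""
    return [(f.line, f.target) for f in findings
            if f.status in ("unpinned", "missing-ref")]


def pinned_without_note(findings: List[Finding]) -> List[int]:
    """Pinned lines lacking the version comment kept for readability."""
    return [f.line for f in findings if f.status == "pinned" and not f.note]


if __name__ == "__main__":
    results = audit_workflow(SAMPLE_WORKFLOW)
    for line, target in unpinned(results):
        print(f"line {line}: {target} is not pinned to a full commit SHA")
    for line in pinned_without_note(results):
        print(f"line {line}: pinned, but no version comment")
```

Run against the files under `.github/workflows/`, a non-empty `unpinned` result is a reasonable condition for failing the check.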
commit 25ac79a Author: c <claudeaceae@icloud.com> Date: Thu Jan 1 20:50:19 2026 -0500 Fix MAC address option typo in how-to documentation (apple#980) - Corrects the MAC address example command in the how-to guide to use the correct `--network` flag syntax instead of the incorrect `--mac-address` flag. commit edadf15 Author: Raj <realrajaryan@gmail.com> Date: Thu Jan 1 15:10:39 2026 +0530 Fix container auto-delete on rapid stop/start (apple#841) Fixes apple#833. Currently, when stopping and immediately restarting a container, it would fail with the error: `“container expected to be in created state, got: shuttingDown”` and then be automatically deleted. The `SandboxService` process waits five seconds before exiting after shutdown. During this interval, a rapid restart could reconnect to the still-terminating process in the `shuttingDown` state, triggering a state validation error. This fix forcefully terminates the `SandboxService` process with `SIGKILL` upon container exit, instead of waiting five seconds. The bootstrap now defensively checks for and cleans up any stale services before registering new ones, preventing reconnections to processes in the `shuttingDown` state. commit 5064b0f Author: J Logan <john_logan@apple.com> Date: Mon Dec 22 10:16:14 2025 -0800 Adds network IPv6 configuration. (apple#975) - Part of work for apple#460. - Enable set/get of IPv6 network prefix in ReservedVmnetNetwork. - Show IPv6 prefix in `network list` full output. - Option for setting IPv6 prefix when creating a network. - System property for default IPv6 prefix. ## Type of Change - [ ] Bug fix - [x] New feature - [ ] Breaking change - [x] Documentation update ## Motivation and Context See apple#460. 
## Testing - [x] Tested locally - [ ] Added/updated tests - [x] Added/updated docs commit 9c239aa Author: Volodymyr Bortniak <25820601+Bortnyak@users.noreply.github.com> Date: Sat Dec 20 00:36:02 2025 +0100 Add support for reading env from named pipes (apple#974) This is a fix for [issue#956](apple#956) `FileManager.default.contents(atPath:)` returns `nil` for named pipes (FIFOs) and process substitutions like `/dev/fd/XX` because: 1. It expects regular files with a known size 2. Named pipes are stream-based and block until data arrives ## Solution Use `FileHandle(forReadingFrom:)` instead, which: - Properly handles blocking I/O - Works with named pipes, process substitutions, and regular files (mentioned in the [doc](https://developer.apple.com/documentation/foundation/filehandle)) Co-authored-by: Bortniak Volodymyr <Bortnyak@users.noreply.github.com> commit 3c3a83c Author: Danny Canter <danny_canter@apple.com> Date: Thu Dec 18 16:28:44 2025 -0800 Turn on oops=panic kernel cmdline (apple#971) commit b1b9980 Author: Michael Gathara <mikegtrm@gmail.com> Date: Wed Dec 17 20:58:50 2025 -0600 Fix: Kubes Cluster in Container Crashing Container (IS#923) (apple#930) - Fixes issue apple#923 - I fixed a race condition in `ConnectHandler.swift` where an asynchronous network connection could complete after the handler had already been removed from the pipeline. - This prevents the EXC_BREAKPOINT crash in container-runtime-linux that occurred when kinc (Kubernetes in Container) created rapid connections. - The actual fix was inadvertently applied in apple#957, so this PR contains only the test code. commit 9f4efe0 Author: Saehej Kang <saehej.kang@gmail.com> Date: Wed Dec 17 00:30:33 2025 -0800 [networks]: add prune command (apple#914) - Closes apple#893 commit 4f88725 Author: J Logan <john_logan@apple.com> Date: Tue Dec 16 16:34:13 2025 -0800 Use new IP/CIDR types from Containerization. (apple#957) - Part of work for apple#460. 
- With CZ release 0.17.0, the IP and CIDR address types changed from String to IPv4Address and CIDRv4, respectively. This PR applies the corresponding adaptations to container. commit 8e16bb2 Author: Salman Chishti <salmanmkc@GitHub.com> Date: Tue Dec 16 20:14:45 2025 +0000 Upgrade GitHub Actions to latest versions (apple#959) - Upgrade GitHub Actions to their latest versions for improved features, bug fixes, and security updates. Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com> commit 0c7dca4 Author: Salman Chishti <salmanmkc@GitHub.com> Date: Tue Dec 16 19:23:31 2025 +0000 Add Dependabot for GitHub Actions updates (apple#960) ## Summary Add Dependabot configuration to automatically keep GitHub Actions up to date. ## Changes Adds `.github/dependabot.yml` configured to: - Check for GitHub Actions updates weekly - Group all action updates together for easier review - Use `ci` prefix for commit messages ## Why As discussed in apple#958, this helps: - Keep actions up to date with security patches automatically - Handle Node runtime deprecations proactively (e.g., Node 20 → Node 24) - Reduce manual maintenance burden ## Reference Based on the pattern used in [swift-nio](https://github.com/apple/swift-nio/blob/main/.github/dependabot.yml). commit 637c8f1 Author: Salman Chishti <salmanmkc@GitHub.com> Date: Tue Dec 16 18:15:42 2025 +0000 Upgrade GitHub Actions for Node 24 compatibility (apple#958) ## Summary Upgrade GitHub Actions to their latest versions to ensure compatibility with Node 24, as Node 20 will reach end-of-life in April 2026. 
## Changes

| Action | Old Version(s) | New Version | SHA |
|--------|---------------|-------------|-----|
| `actions/checkout` | v4 | v6 | `8e8c483` |
| `actions/download-artifact` | v4 | v7 | `37930b1` |
| `actions/upload-artifact` | v4 | v6 | `b7c566a` |
| `actions/labeler` | v5 | v6 | `634933e` |
| `actions/configure-pages` | v5 | v5 | `983d773` |
| `actions/upload-pages-artifact` | v3 | v3 | `56afc60` |
| `softprops/action-gh-release` | v2 | v2 | `a06a81a` |

## Context

Per [GitHub's announcement](https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/), Node 20 is being deprecated and runners will begin using Node 24 by default starting March 4th, 2026.

### Why this matters

- **Node 20 EOL**: April 2026
- **Node 24 default**: March 4th, 2026
- **Action**: Update to latest action versions that support Node 24

### Security

All actions are now **pinned to commit SHAs** instead of mutable version tags. This provides:

- Protection against tag hijacking attacks
- Immutable, reproducible builds
- Version comments for readability

### Automated Updates

A follow-up PR (apple#960) adds Dependabot configuration to automatically keep these actions updated with new SHA-pinned versions.

### Testing

These changes only affect CI/CD workflow configurations and should not impact application functionality. The workflows should be tested by running them on a branch before merging.

Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>

commit c22f128
Author: karen heckel <karen.heckel@utexas.edu>
Date: Mon Dec 15 21:16:55 2025 -0800

Feat: customize console output with env variable (apple#952)

Fixes apple#915

Added a new feature to support the passing of buildkit colors for customizing console output.

commit 9b7cfd8
Author: Saehej Kang <saehej.kang@gmail.com>
Date: Mon Dec 15 17:52:00 2025 -0800

[images]: refactor prune command (apple#941)

- Updates to `image prune` for consistency with how other `prune` commands are done.
Added missing test cases as well for the command - Relates to the discussion from apple#914 commit 7d30720 Author: Danny Canter <danny_canter@apple.com> Date: Thu Dec 11 05:36:15 2025 -0800 CLI: Fix -it not being able to pipe stdout (apple#951) Fixes apple#949 Typically if one fd is a tty, it's common for all 3 of stdio to be the same, but that is not always the case. In our case we were using our Terminal type from Containerization to comb through err/out/in and give us a type backed by one of the 3 if -t was supplied. It happens that stderr is the first we check, so our Terminal() is backed by fd 2. This change modifies things so that we always initialize our Terminal if asked for with fd 0, and out/err are backed by their corresponding correct fd number. ## Type of Change - [x] Bug fix - [ ] New feature - [ ] Breaking change - [ ] Documentation update ## Testing - [x] Tested locally - [ ] Added/updated tests - [ ] Added/updated docs commit a2901e0 Author: wangxiaolei <fatelei@gmail.com> Date: Wed Dec 10 10:04:40 2025 +0800 feat: implement version sub command (apple#911) - closes apple#383 - implement version sub command, give more info --------- Co-authored-by: fatelei <fatelei@fateleis-MacBook-Pro.local> commit 0cde1ef Author: Danny Canter <danny_canter@apple.com> Date: Tue Dec 9 13:24:45 2025 -0800 Deps: Bump Containerization to 0.16.2 (apple#947) Closes apple#928 Has a cgroup fix when stopping certain containers commit 3896055 Author: Dmitry Kovba <dkovba@apple.com> Date: Tue Dec 9 12:32:28 2025 -0800 Lowercase error messages (apple#945) ## Type of Change - [x] Bug fix - [ ] New feature - [ ] Breaking change - [ ] Documentation update ## Motivation and Context For consistency, all error messages are lowercased. 
## Testing - [ ] Tested locally - [ ] Added/updated tests - [ ] Added/updated docs --------- Co-authored-by: J Logan <sgtbakerrahulnet@yahoo.com> commit 0733a81 Author: Saehej Kang <saehej.kang@gmail.com> Date: Tue Dec 9 10:54:37 2025 -0800 [volumes]: refactor prune command (apple#940) - Refactor the `volume prune` command to follow a client-side approach. The `volumeDiskUsage` is calculated in the service file, so it made sense to leave that there. - Relates to the discussion from apple#914 commit 42528e6 Author: Kathryn Baldauf <k_baldauf@apple.com> Date: Tue Dec 9 10:42:27 2025 -0800 Update CONTRIBUTORS to MAINTAINERS and point at containerization (apple#942) ## Type of Change - [x] Documentation update ## Motivation and Context See apple/containerization#435 for more information on this change. commit a64bd77 Author: J Logan <john_logan@apple.com> Date: Tue Dec 9 14:35:34 2025 -0300 Fix broken image integration tests. (apple#944) - Fixes apple#943. - Use images other than alpine:3.20 for image concurrency test so as not to interfere with tests using that image. - Rename test files to match suite names. commit ab92f39 Author: TTtie <me@tttie.cz> Date: Mon Dec 8 18:17:10 2025 +0100 fix(TerminalProgress): make the progress bar respect locale-specific decimal separator (apple#936) - The `ProgressBar#adjustFormattedSize` function currently expects a decimal dot when adding the additional ".0" to the size. This, however, breaks when a region with a non-dot decimal separator is used. commit 420be74 Author: J Logan <john_logan@apple.com> Date: Mon Dec 8 03:00:02 2025 -0300 Data integrity: bump to cz 0.16.1, adjust sync mode. (apple#939) - 0.16.1 changes an ext4 superblock setting that might have been causing problems. - apple#877 fixed an issue where the cache and sync settings for block filesystems weren't being passed down to the VZ virtual machine configuration. The default sync value getting passed down is `full`, which reduces I/O performance. 
Relax this to use `fsync` for now.

## Type of Change

- [*] Bug fix
- [ ] New feature
- [ ] Breaking change
- [ ] Documentation update

## Motivation and Context

May address problems reported in apple#877.

## Testing

- [x] Tested locally
- [ ] Added/updated tests
- [ ] Added/updated docs

commit f7bcb68
Author: Santosh Bhavani <santosh.bhavani@live.com>
Date: Sun Dec 7 10:56:50 2025 -0800

Add --max-concurrent-downloads flag for parallel layer downloads (apple#716)

Adds `--max-concurrent-downloads` flag to `container image pull` for configurable concurrent layer downloads.

Fixes apple#715

Depends on apple/containerization#311

**Usage**:

```bash
container image pull nginx:latest --max-concurrent-downloads 6
```

**Changes**:

- Add CLI flag (default: 3)
- Thread parameter through XPC stack
- Update to use forked containerization with configurable concurrency

**Performance**: ~1.2-1.3x faster pulls for multi-layer images with higher concurrency

**Tests**: Included standalone tests verify concurrency behavior and parameter flow

---------

Co-authored-by: Claude <noreply@anthropic.com>
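The SHA-pinning policy described in the apple#958 commit message above can be checked mechanically. The following is an added example, not code from the container project or from that PR: a Python audit that flags `uses:` references in a workflow file that are not pinned to a full 40-character commit SHA. The workflow text, the SHA and the short hash in it are constructed placeholders, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass

# "uses: <target>  # <comment>", with or without the leading list dash.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#\s*(.*?))?\s*$"""
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
SHORT_SHA_RE = re.compile(r"[0-9a-f]{7,39}")
DOCKER_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


@dataclass
class Finding:
    line: int      # 1-based line number in the workflow text
    target: str    # value of the uses: key
    status: str    # "pinned", "unpinned" or "local"
    detail: str    # version comment for pinned refs, reason otherwise


def classify(target, comment):
    """Return (status, detail) for one uses: target."""
    if target.startswith("./"):
        # In-repo actions are versioned together with the workflow file.
        return "local", "in-repo action"
    if target.startswith("docker://"):
        if DOCKER_DIGEST_RE.search(target):
            return "pinned", "image digest"
        return "unpinned", "docker image tag is mutable"
    _name, sep, ref = target.partition("@")
    if not sep or not ref:
        return "unpinned", "no ref given"
    ref = ref.lower()
    if FULL_SHA_RE.fullmatch(ref):
        # The trailing comment is where the human-readable version lives.
        return "pinned", comment or "no version comment"
    if SHORT_SHA_RE.fullmatch(ref):
        # Only a full-length SHA is treated as an immutable reference here.
        return "unpinned", "abbreviated SHA, not a full-length pin"
    return "unpinned", f"mutable ref '{ref}'"


def audit(workflow_text):
    """Collect a Finding for every uses: line in the workflow text."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            comment = (match.group(2) or "").strip()
            status, detail = classify(match.group(1), comment)
            findings.append(Finding(number, match.group(1), status, detail))
    return findings


def unpinned(findings):
    """Subset of findings that a pinning policy should reject."""
    return [f for f in findings if f.status == "unpinned"]


# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v6
      - uses: actions/labeler@abc1234
      - uses: ./.github/actions/setup
      - name: container step
        uses: docker://alpine:3.20
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.status:8} {f.target} ({f.detail})")
    raise SystemExit(1 if unpinned(audit(SAMPLE_WORKFLOW)) else 0)
```

Run as a script it exits non-zero when any reference is unpinned, so it can gate a CI job.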
19cda6a to
94ba456
commit a65c6f4 Merge: 9d32bc5 ce1b629 Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com> Date: Tue Feb 3 20:08:38 2026 -0800 Merge branch 'apple:main' into main commit ce1b629 Author: Manoj Mahapatra <mahaplipsa@gmail.com> Date: Tue Feb 3 13:43:07 2026 -0800 [Docs] Fix typo in BUILDING.md: launchd -> launchctl (apple#1146) ## Type of Change - [ ] Bug fix - [ ] New feature - [ ] Breaking change - [x] Documentation update ## Motivation and Context The debug instructions in `BUILDING.md` incorrectly reference launchd list instead of `launchctl` list. `launchd` is the daemon itself and cannot be invoked directly. ## Testing - [ ] Tested locally - [ ] Added/updated tests - [x] Added/updated docs commit 3e49dce Author: Danny Canter <danny_canter@apple.com> Date: Tue Feb 3 00:45:01 2026 -0800 Add in missing rlimits (apple#1140) Containerization didn't have these defined until a recent tag. commit c4c2e85 Author: J Logan <john_logan@apple.com> Date: Tue Feb 3 00:27:09 2026 -0800 Upgrade kernel to Kata 3.26.0. (apple#1134) - Upgrade to containerization 0.24.5 to pick up zstd decompression enhancement. - Closes apple#767. - Closes apple#988. - Closes apple#1132. - Requires apple/containerization#508. commit 5c86337 Author: William Laverty <developer@william-laverty.com> Date: Mon Feb 2 13:57:59 2026 -0800 Add explanatory message before admin password prompt in uninstall script (apple#1118) - Added message: "This script requires an administrator password to remove the application files from system directories." - Fixes apple#1111 commit 7da25e1 Author: Danny Canter <danny_canter@apple.com> Date: Mon Feb 2 13:35:02 2026 -0800 Deps: Bump Containerization to 0.24.0 (apple#1127) Brings in some rlimit bumps/adjustments commit 7dfe27d Author: Danny Canter <danny_canter@apple.com> Date: Mon Feb 2 13:30:19 2026 -0800 CLI: Add support for rlimits (apple#1129) Closes apple#1097. 
commit b3b5c3e Author: J Logan <john_logan@apple.com> Date: Mon Feb 2 12:24:27 2026 -0800 Use labels instead of id to discriminate the builtin network. (apple#1123) - Closes apple#1122. - Adds placeholder ManagedResource and unit tests. Nothing is using these yet. - Adds system-defined resource labels for owning plugin and resource role. The system discriminates the builtin network using role "builtin". - Adds builtin role when creating builtin network at startup, and ensures that a preexisting network with ID "default" gets updated with the role label. - Replace all network ID checks for "default" with the builtin role check. - Adds "builder" role to builder VM. ## Type of Change - [ ] Bug fix - [x] New feature - [ ] Breaking change - [ ] Documentation update ## Motivation and Context Role and owner labels should make cross-cutting resource policy easier to implement. ## Testing - [x] Tested locally - [x] Added/updated tests - [ ] Added/updated docs commit 1dae1cd Author: w-ferg <43309695+w-ferg@users.noreply.github.com> Date: Sun Feb 1 18:14:41 2026 -0500 Fix pfctl executable path in PacketFilter DNS reload (apple#1128) ## Summary The `reload()` method in `PacketFilter.swift` references `/sbin/reloadProcess` (the local variable name) instead of `/sbin/pfctl`. 
This causes all DNS create and delete operations to fail:

```
Error: internalError: "pfctl reload exec failed: "Error Domain=NSCocoaErrorDomain Code=4 "The file "reloadProcess" doesn't exist.""
```

## Fix

One-line change: `/sbin/reloadProcess` → `/sbin/pfctl`

## Testing

Verified on macOS 26 (Tahoe) with Apple Silicon:

- `sudo container system dns create test.sdc.internal --localhost 203.0.113.1` succeeds without error
- Container can resolve and reach host services through the DNS redirect

commit 113a6ec
Author: Ronit Sabhaya <ronitsabhaya75@gmail.com>
Date: Fri Jan 30 21:54:57 2026 -0600

Fix file descriptor leak in DirectoryWatcher (apple#1104)

- `DirectoryWatcher` opens file descriptors for monitoring directories but never closes them, causing a file descriptor leak.
- Adds `setCancelHandler` to properly close file descriptors when the `DispatchSource` is cancelled.

Signed-off-by: Ronit Sabhaya <ronitsabhaya75@gmail.com>

commit 72f04b6
Author: Saehej Kang <saehej.kang@gmail.com>
Date: Fri Jan 30 19:10:03 2026 -0800

[docs]: update steps on building with containerization project (apple#1116)

- Closes apple#1095
- Just added a few more details about how to build with the local `containerization` dependency.

commit 3a0ad58
Author: Raj <rajaryan_singh@apple.com>
Date: Fri Jan 30 16:17:43 2026 -0800

Add resource.role label to builder container (apple#1120)

Add resource.role label to builder container

commit 1c01d0c
Author: J Logan <john_logan@apple.com>
Date: Fri Jan 30 11:07:49 2026 -0800

Update to kata 3.20.0 kernel. (apple#1114)

- Closes apple#1113.
- This is the newest we can do until we address apple#767.
- Slight change to PacketFilter error handling so unit tests work more reliably.
- Try making CLINetworkTests serialized to see if parallel execution is causing flakes.
commit 3f2060e Author: Danny Canter <danny_canter@apple.com> Date: Thu Jan 29 18:25:48 2026 -0800 DirectoryWatcher: Small adjustments (apple#1112) - Have the handler throw - Log the failure at error level commit 0a7fb07 Author: Danny Canter <danny_canter@apple.com> Date: Thu Jan 29 14:21:12 2026 -0800 Set mtu to old Containerization default (apple#1110) The old mtu default in containerization was 1280 to account for some alpine/musl images that have issues with 1500. This changed in the last couple tags to be modifiable, but the new default is the standard 1500. Ideally we eventually allow supplying the mtu to be used when you create a network (or possibly a container creation setting), but for now just default in here back to what CZ used to use. commit 0bceb23 Author: Aditya Ramani <a_ramani@apple.com> Date: Thu Jan 29 12:08:42 2026 +0900 Bump to use containerization 0.23.2 (apple#1106) Updating the package dependency on apple/containerization to pick up bug fixes Signed-off-by: Aditya Ramani <a_ramani@apple.com> Co-authored-by: J Logan <john_logan@apple.com> commit d762fe5 Author: jwhur <57657645+JaewonHur@users.noreply.github.com> Date: Wed Jan 28 18:22:33 2026 -0800 Launch a service with waitForDebugger if specified (apple#1101) This PR enables launching a service with `waitForDebugger` flag if the service label matches a given env variable `CONTAINER_DEBUG`. 
commit 4f93e3e Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed Jan 28 18:21:08 2026 -0800 ci: bump actions/checkout from 6.0.1 to 6.0.2 in the github-actions group (apple#1100) - Updates `actions/checkout` from 6.0.1 to 6.0.2 Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> commit 371db6d Author: jwhur <57657645+JaewonHur@users.noreply.github.com> Date: Wed Jan 28 17:17:08 2026 -0800 Fix testExecOnExitingContainer (apple#1107) Check the container remains only, not its status as the status might not have been updated at the time checking. commit d872270 Author: J Logan <john_logan@apple.com> Date: Wed Jan 28 09:04:58 2026 -0800 Removes ArgumentParser import from NetworkMode. (apple#1102) - ContainerResources shouldn't need to know anything about CLI stuff. - Move ExpressibleByArgument protocol conformance to an extension in the package where it's needed. commit 3abf81f Author: Saehej Kang <saehej.kang@gmail.com> Date: Tue Jan 27 20:00:43 2026 -0800 [image-list]: Add full size field to json output (apple#1098) - Refer to apple#862 - Updated `SIZE` field to `FULL SIZE`, as it seemed more appropriate so it does not get mixed up with the `descriptor size` field - Closes apple#860 commit 24cbed5 Author: ChengHao Yang <17496418+tico88612@users.noreply.github.com> Date: Wed Jan 28 06:55:49 2026 +0800 Implement container prune (apple#904) - Fixed apple#892. - By contrast with `rm`, `prune` should display the amount of reclaimed storage, so added code to retrieve it. Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com> commit a57527e Author: jwhur <57657645+JaewonHur@users.noreply.github.com> Date: Tue Jan 27 11:15:22 2026 -0800 Refactor container lifecycle functions to perform scoped rollback on failure (apple#1080) - Closes apple#977. - Closes apple#1058. 
- Prevents unexpected removal of containers on bootstrapping and starting failures, by reorganizing error handling for container `run`, `start`, and `exec` so that error handling only unwinds that which was done in the current scope. - Relies on apple/containerization#495. commit 6244129 Author: c <claudeaceae@icloud.com> Date: Mon Jan 26 23:30:45 2026 -0500 Fix grammar in BUILDING.md (apple#984) - Fixes a grammar error in the local Containerization development instructions. commit 9d4cded Author: jwhur <57657645+JaewonHur@users.noreply.github.com> Date: Mon Jan 26 19:35:41 2026 -0800 Isolated network (apple#1079) - Closes apple#1037. - Adds a `--mode` flag that has `nat` and `hostOnly` options. The host-only option selects the vmnet host-only mode, where containers attached to the network can reach each other and the host, but not external systems. commit 033c999 Author: J Logan <john_logan@apple.com> Date: Mon Jan 26 14:07:00 2026 -0800 Make TerminalProgress a library. (apple#1093) - Closes apple#1092. - Allows 3rd party CLI plugins to use the progress indicator. commit b371aee Author: ChengHao Yang <17496418+tico88612@users.noreply.github.com> Date: Tue Jan 27 05:07:05 2026 +0800 Feat: container image delete force option (apple#1096) - Fixed apple#1087 Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com> commit ed1185d Author: jwhur <57657645+JaewonHur@users.noreply.github.com> Date: Fri Jan 23 17:59:28 2026 -0800 Container-to-host networking. (apple#1078) - Closes apple#346. - This PR enables connecting host's localhost ports from containers. - It adds an option `--localhost <localhost>` to DNS create command, after which the packets heading ip address in container are redirected to localhost in host machine. Packet filter rule is added and deleted along with the creation and deletion of localhost domain. 
commit 14c279f Author: Patrick Linnane <patrick@linnane.io> Date: Fri Jan 23 17:56:35 2026 -0800 Add option to stop services in all launchd domains (apple#1077) - Services started from Terminal run in the `gui/$uid` launchd domain. When `ensure-container-stopped.sh` runs from a different context, `launchctl managername` may return a different domain, causing the script to check the wrong domain and miss running services. I noticed this after upgrading `container` via Homebrew. - Introduces a getopt option `-a` that allows booting out all domains explicitly. Also adds `-h` for a usage message. Signed-off-by: Patrick Linnane <patrick@linnane.io> commit 751c1fc Author: Stanislav Antonichev <cympak2@users.noreply.github.com> Date: Fri Jan 23 23:01:26 2026 +0200 Add --dns support to build command for custom DNS resolution (apple#1067) This change adds --dns parameter support to the build command, matching the existing functionality in the run command. This allows users to specify custom DNS nameservers (like Google DNS 8.8.8.8) when building container images, which is essential when the host machine uses a local DNS resolver (e.g., 127.0.0.2) that doesn't work inside containers. Changes: - Added --dns option to BuildCommand to accept DNS nameserver IP addresses - Modified build logic to detect DNS configuration changes and recreate the builder container when DNS settings differ - Passed DNS configuration to BuilderStart.start() method - Updated builder container creation to use specified DNS nameservers or fall back to network gateway ## Type of Change - [ ] Bug fix - [X] New feature - [ ] Breaking change - [ ] Documentation update ## Motivation and Context This change adds --dns parameter support to the build command, matching the existing functionality in the run command. 
This allows users to specify custom DNS nameservers (like Google DNS 8.8.8.8) when building container images, which is essential when the host machine uses a local DNS resolver (e.g., 127.0.0.2) that doesn't work inside containers. ## Testing - [X] Tested locally - [ ] Added/updated tests - [ ] Added/updated docs --------- Co-authored-by: J Logan <sgtbakerrahulnet@yahoo.com> commit 55f2112 Author: J Logan <john_logan@apple.com> Date: Fri Jan 23 11:35:10 2026 -0800 Place image store data correctly for app-root path. (apple#1085) - Closes apple#1084. commit 5746ec3 Author: ChengHao Yang <17496418+tico88612@users.noreply.github.com> Date: Sat Jan 24 03:32:59 2026 +0800 Fix: prevent delete default network (apple#1083) - Fixed apple#1073 - Move the conditional check to the front; there's no need to check for a default network after filtering. Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com> commit 9d32bc5 Merge: a2b4486 69445b9 Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com> Date: Mon Jan 19 19:20:12 2026 -0800 Merge branch 'apple:main' into main commit a2b4486 Merge: 27a94a0 bfc5ca9 Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com> Date: Fri Oct 3 23:03:02 2025 -0700 Merge branch 'apple:main' into main commit 27a94a0 Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com> Date: Thu Sep 18 17:07:12 2025 -0700 chore(fmt): auto-format before push commit 4a4d0a9 Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com> Date: Thu Sep 18 17:07:06 2025 -0700 Update PropertySet.swift commit 665d813 Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com> Date: Thu Sep 18 17:02:09 2025 -0700 Update PropertySet.swift commit 01a474e Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com> Date: Thu Sep 18 16:57:41 2025 -0700 chore(fmt): auto-format before push commit e7c68b5 Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com> Date: Thu Sep 18 16:57:01 2025 
-0700 Update SystemProperty.swift
@Mcrich23 Sorry for the delay. I would recommend that you rebase your PR from the main branch of container (see git rebase).

@katiewasnothere No problem. I will resolve the conflicts and then we can hopefully move forward with merging this.
commit c791052 Author: Aditya Ramani <a_ramani@apple.com> Date: Wed Feb 18 07:43:56 2026 +0530 Add init methods for all the members of the Flags type (apple#1203) ## Type of Change - [ ] Bug fix - [x] New feature - [ ] Breaking change - [ ] Documentation update ## Motivation and Context Authors of CLI plugins for container will be able to reuse the container flags defined in the CLI package, instead of having to duplicate them in their project ## Testing - [ ] Tested locally - [ ] Added/updated tests - [ ] Added/updated docs commit dfac83d Author: Danny Canter <danny_canter@apple.com> Date: Tue Feb 17 16:54:44 2026 -0800 ContainerService: Add minimum memory amount validation (apple#1208) Closes apple#1202 Today it's possible to pass a memory amount that very easily will cause the container's VM to not be able to boot. We should protect against this to avoid weird hangs/error messages. I could be convinced that a limit should be in Containerization as well, but I think having one in the daemon is a decent idea regardless. commit 5385a5c Author: Kathryn Baldauf <k_baldauf@apple.com> Date: Tue Feb 17 15:08:32 2026 -0800 Support using multiple different network plugins (apple#1151) ## Type of Change - [x] New feature - [x] Breaking change ## Motivation and Context We want to be able to support using multiple network plugins during `container`'s lifetime. This additionally means needing to pick an interface strategy to interpret a network attachment based on what network plugin was used to create that attachment. This PR will potentially replace apple#1081. 
Followups: - doc updates to include the ability to specify plugin in the network creation cli ## Testing - [x] Tested locally - [x] Added/updated tests commit 7476743 Author: AJ Emory <239216119+ajemory@users.noreply.github.com> Date: Fri Feb 13 19:27:32 2026 -0800 feat: Moving bundle creation from ContainerService to SandboxService (apple#1076) ## Type of Change - [ ] Bug fix - [x] New feature - [ ] Breaking change - [ ] Documentation update ## Motivation and Context Closes apple#1046 -- Right now we're creating container bundles in ContainersService. Move this to the SandboxService to make it easier to support different container bundle types. ## Testing - [x] Tested locally - [x] Added/updated tests - [ ] Added/updated docs commit 4c800db Author: J Logan <john_logan@apple.com> Date: Fri Feb 13 10:51:27 2026 -0800 Fix persistent CI failures. (apple#1205) ## Type of Change - [x] Bug fix - [ ] New feature - [ ] Breaking change - [ ] Documentation update ## Motivation and Context - CI build is failing because runners don't have an /etc/resolver directory, causing the directory monitor to fail. This occurs while the install-kernel make target is running, so it appears that kernel download is failing when it's just that the API server is dying. Created apple#1207 for the issue. - Fixing the initial scan for the directory just moves the problem to the filesystem watch loop, likely because we're not testing the result of `open()` for errors. - Right now the priority is getting CI running and PRs merged, so just commenting out the realhost DNS server setup. - Also seeing that under some conditions it can take quite a while for launchd to start the helper for the default network (8 seconds or more). With the 10 second health check timeout after API server registration, this means that some CI runs can exhibit this failure mode. Added a `--timeout` option to SystemStart and set a 60 second timeout for install-kernel and integration Makefile targets. 
- Fixed a bug where `--debug` was being placed in the wrong location in the api server startup args.
- Disabled all network CLI tests due to container bootstrap errors when trying to run the container immediately after creating the network. The slow network helper launch could be the reason behind the failures that drove us to serialize these tests. Filed apple#1206 for this issue.

## Testing
- [x] Tested locally
- [ ] Added/updated tests
- [ ] Added/updated docs

commit f7d00aa
Author: Danny Canter <danny_canter@apple.com>
Date: Wed Feb 11 15:09:21 2026 -0800

APIServer: Add support for filtering to list rpc (apple#1175)

This is not intended to be used to support `--filter` or similar on the CLIs list yet, it's solely to clean up our rather awkward use of `ContainerClient.list()` today in the CLI. The list RPC simply returns all of the containers we have created. Because of this, for a LOT of our commands we filter to what we need client side, which feels like a waste.. This change introduces a filter struct that we can provide an array of container IDs, labels, and the status of the containers to filter the `list()` output from. This additionally, because it was killing (pun not intended) me and I was already having to change this area for the `list()` additions, changes container kill slightly to return an error if you try and kill a container that doesn't exist.
commit c9f81ca
Author: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date: Wed Feb 11 04:26:33 2026 +0800

Feat: add container registry list (apple#1119)

- Requires apple/containerization#502
- Closes apple#1088

---------

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

commit cf9b335
Author: Manu Schiller <56154253+manuschillerdev@users.noreply.github.com>
Date: Tue Feb 10 03:11:27 2026 +0100

feat: add --init-image flag for specifying custom init filesystem images per VM (apple#937)

- Users can now specify an alternate image to use with the `container run ---init-image` flag.

commit 474906d
Author: Amir Alperin <me@remotecpp.dev>
Date: Fri Feb 6 23:38:19 2026 +0200

feat: Add runtime flag to container create and run commands (apple#1049) (apple#1109)

## Type of Change
- [ ] Bug fix
- [ ] New feature
- [ ] Breaking change
- [ ] Documentation update

## Motivation and Context
Fixes apple#1049
- Add --runtime option for Flags.Management
- Apply runtime handler in containerConfigFromFlags
- Update command-reference.md doc

## Testing
- [x] Tested locally
- [ ] Added/updated tests
- [ ] Added/updated docs

Co-authored-by: J Logan <john_logan@apple.com>

commit 40de343
Author: Dmitry Kovba <dkovba@apple.com>
Date: Fri Feb 6 00:41:29 2026 -0800

Fix relative path mount tests (apple#1168)

`make test` occasionally fails with:

```
✘ Test testHostDNSReinitialize() recorded an issue at HostDNSResolverTest.swift:132:45: Expectation failed: (error → Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory") as? (ContainerizationError → NSError)
✘ Suite HostDNSResolverTest failed after 0.119 seconds with 1 issue.
```

commit aa17d46
Author: Poetry Of Code <101225909+poetryofcode@users.noreply.github.com>
Date: Fri Feb 6 03:38:21 2026 -0500

Warn user when a named volume is auto-created (apple#1108)

- Implemented the TODO at ContainerAPIService/Client/Utility.swift:358 — warn the user when a named volume is auto-created.
- This only triggers for named volumes (not anonymous ones), matching Docker's behavior of informing users about implicit resource creation.

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

commit adb3c44
Author: J Logan <john_logan@apple.com>
Date: Thu Feb 5 20:19:13 2026 -0800

Don't enable selinux LSM on boot. (apple#1166)

- Closes apple#1150.
- The problem seems to be that the selinux label attribute enforcement doesn't play well with overlayfs.
- Solution is to set the `lsm` boot line argument. The new value corresponds to what one would see in a Lima VM with Colima. The Kata kernel we use doesn't provide any of those modules, so now if you run `dmesg | grep -i lsm` in a container you will just see: `LSM: initializing lsm=capability`

commit fdeb1b1
Author: jwhur <57657645+JaewonHur@users.noreply.github.com>
Date: Thu Feb 5 10:59:31 2026 -0800

Add builder tests (apple#1154)

- Adds test for apple#1094.
- Closes apple#933 (with apple/container-builder-shim#62).
- Closes apple#425 (with apple/container-builder-shim#63).

commit fabfc55
Author: jwhur <57657645+JaewonHur@users.noreply.github.com>
Date: Thu Feb 5 09:53:31 2026 -0800

Send tar hash in the first BuildTransfer packet (apple#1149)

Send the hash of entire tar file in the first BuildTransfer packet to prevent container-builder-shim from using stale cached contents. This PR resolves apple#1143. This PR relies on apple/container-builder-shim#64.

## Type of Change
- [X] Bug fix
- [ ] New feature
- [ ] Breaking change
- [ ] Documentation update

## Motivation and Context
Current container-builder-shim uses only first few bytes of tar file as checksum, which leads to the usage of stale cached contents if the change of build context is not included in the first bytes of tar file.
## Testing
- [X] Tested locally
- [ ] Added/updated tests
- [ ] Added/updated docs

---------

Co-authored-by: Ronit Sabhaya <ronitsabhaya75@gmail.com>
Co-authored-by: J Logan <john_logan@apple.com>

commit 6e9b8d7
Author: Danny Canter <danny_canter@apple.com>
Date: Thu Feb 5 09:47:20 2026 -0800

CLI: Forego logging errors on multi-container operations (apple#1163)

Instead of logging errors, and then additionally throwing an error stating what containers couldn't be stopped/killed/deleted, let's just concatenate the errors and throw the single error.

commit d79bc0d
Author: Manoj Mahapatra <mahapatra.manoj@hotmail.com>
Date: Thu Feb 5 01:16:30 2026 -0800

chore: Replace force-unwrapped String(data:encoding:) with String(decoding:as:) (apple#1164)

Use the non-optional String(decoding:as:) initializer for converting JSON-encoded Data to String. This is safe for UTF-8 and eliminates force

commit 21dabb7
Author: Saehej Kang <saehej.kang@gmail.com>
Date: Thu Feb 5 03:13:36 2026 -0500

[build-command]: Add --pull option for fetching latest image (apple#844)

- Closes apple#733.

commit 6553f9c
Author: Saehej Kang <saehej.kang@gmail.com>
Date: Thu Feb 5 01:16:08 2026 -0500

[deps]: bump containerization to 0.25.0 (apple#1161)

Co-authored-by: saehejkang <saehej.kang@gmail.com>
Co-authored-by: Anthony DePasquale <anthony@depasquale.org>

- Bump `containerization` to `0.25.0`
- Updates for parameter changes on containerization registry access API.
- Updates for change to containerization `cleanUpOrphanedBlobs` function.

commit 2d1dd6b
Author: Kathryn Baldauf <k_baldauf@apple.com>
Date: Wed Feb 4 15:42:29 2026 -0800

Fix file path for the PR number in the PR labeler workflow (apple#1158)

## Type of Change
- [x] Bug fix

## Motivation and Context
The PR label applier GitHub workflow has been failing for a while. This PR fixes that by correcting the file path we look for when trying to read the PR number.
See example failure here https://github.com/apple/container/actions/runs/21691766538/job/62552959972#step:4:23

commit 6451e07
Author: Kathryn Baldauf <k_baldauf@apple.com>
Date: Wed Feb 4 14:44:53 2026 -0800

Add debugging to the PR labeler CI flow (apple#1155)

## Type of Change
- [x] Bug fix

## Motivation and Context
The PR labeler workflow has been failing for a while but it's difficult to know how to fix it since the PR labeler workflow is run from main (aka NOT the current PR branch) for security reasons. Example at https://github.com/apple/container/actions/runs/21690229300/workflow

commit 8fdfa29
Author: Danny Canter <danny_canter@apple.com>
Date: Wed Feb 4 09:52:09 2026 -0800

CLI: Rework ClientContainer (apple#1139)

ClientContainer was honestly extremely awkward. It could only be created by passing either a ContainerConfiguration, or a Snapshot that had to be obtained from calling a static method on the type itself. The type also did not store a connection, so every single method got a new xpc connection to the APIServer. This change aims to rework this type to be just a generic client, that is *not* a client for one specific container, but for any.

- Rename to ContainerClient
- Have list() return [ContainerSnapshot]
- Create a connection in the constructor
- Change all the callsites to use the new API
- Small, somewhat related, change to logs API in the APIServer. Now that we don't need to call get() to grab a client anymore which was typically what did "does this container exist" logic and gave a nice error message, I added a small check in the APIServer to see if the container exists and return mostly the same error message.

commit 23c0ece
Author: Danny Canter <danny_canter@apple.com>
Date: Wed Feb 4 09:19:50 2026 -0800

CI: Add signed commit check (apple#1152)

This requirement of ours often goes unnoticed because nothing yells at you openly about it. Let's fail CI to make it more obvious.
commit ce1b629
Author: Manoj Mahapatra <mahaplipsa@gmail.com>
Date: Tue Feb 3 13:43:07 2026 -0800

[Docs] Fix typo in BUILDING.md: launchd -> launchctl (apple#1146)

## Type of Change
- [ ] Bug fix
- [ ] New feature
- [ ] Breaking change
- [x] Documentation update

## Motivation and Context
The debug instructions in `BUILDING.md` incorrectly reference launchd list instead of `launchctl` list. `launchd` is the daemon itself and cannot be invoked directly.

## Testing
- [ ] Tested locally
- [ ] Added/updated tests
- [x] Added/updated docs

commit 3e49dce
Author: Danny Canter <danny_canter@apple.com>
Date: Tue Feb 3 00:45:01 2026 -0800

Add in missing rlimits (apple#1140)

Containerization didn't have these defined until a recent tag.

commit c4c2e85
Author: J Logan <john_logan@apple.com>
Date: Tue Feb 3 00:27:09 2026 -0800

Upgrade kernel to Kata 3.26.0. (apple#1134)

- Upgrade to containerization 0.24.5 to pick up zstd decompression enhancement.
- Closes apple#767.
- Closes apple#988.
- Closes apple#1132.
- Requires apple/containerization#508.

commit 5c86337
Author: William Laverty <developer@william-laverty.com>
Date: Mon Feb 2 13:57:59 2026 -0800

Add explanatory message before admin password prompt in uninstall script (apple#1118)

- Added message: "This script requires an administrator password to remove the application files from system directories."
- Fixes apple#1111

commit 7da25e1
Author: Danny Canter <danny_canter@apple.com>
Date: Mon Feb 2 13:35:02 2026 -0800

Deps: Bump Containerization to 0.24.0 (apple#1127)

Brings in some rlimit bumps/adjustments

commit 7dfe27d
Author: Danny Canter <danny_canter@apple.com>
Date: Mon Feb 2 13:30:19 2026 -0800

CLI: Add support for rlimits (apple#1129)

Closes apple#1097.

commit b3b5c3e
Author: J Logan <john_logan@apple.com>
Date: Mon Feb 2 12:24:27 2026 -0800

Use labels instead of id to discriminate the builtin network. (apple#1123)

- Closes apple#1122.
- Adds placeholder ManagedResource and unit tests. Nothing is using these yet.
- Adds system-defined resource labels for owning plugin and resource role. The system discriminates the builtin network using role "builtin".
- Adds builtin role when creating builtin network at startup, and ensures that a preexisting network with ID "default" gets updated with the role label.
- Replace all network ID checks for "default" with the builtin role check.
- Adds "builder" role to builder VM.

## Type of Change
- [ ] Bug fix
- [x] New feature
- [ ] Breaking change
- [ ] Documentation update

## Motivation and Context
Role and owner labels should make cross-cutting resource policy easier to implement.

## Testing
- [x] Tested locally
- [x] Added/updated tests
- [ ] Added/updated docs

commit 1dae1cd
Author: w-ferg <43309695+w-ferg@users.noreply.github.com>
Date: Sun Feb 1 18:14:41 2026 -0500

Fix pfctl executable path in PacketFilter DNS reload (apple#1128)

## Summary
The `reload()` method in `PacketFilter.swift` references `/sbin/reloadProcess` (the local variable name) instead of `/sbin/pfctl`. This causes all DNS create and delete operations to fail:

```
Error: internalError: "pfctl reload exec failed: "Error Domain=NSCocoaErrorDomain Code=4 "The file "reloadProcess" doesn't exist.""
```

## Fix
One-line change: `/sbin/reloadProcess` → `/sbin/pfctl`

## Testing
Verified on macOS 26 (Tahoe) with Apple Silicon:
- `sudo container system dns create test.sdc.internal --localhost 203.0.113.1` succeeds without error
- Container can resolve and reach host services through the DNS redirect

commit 113a6ec
Author: Ronit Sabhaya <ronitsabhaya75@gmail.com>
Date: Fri Jan 30 21:54:57 2026 -0600

Fix file descriptor leak in DirectoryWatcher (apple#1104)

- `DirectoryWatcher` opens file descriptors for monitoring directories but never closes them, causing a file descriptor leak.
- Adds `setCancelHandler` to properly close file descriptors when the `DispatchSource` is cancelled.
Signed-off-by: Ronit Sabhaya <ronitsabhaya75@gmail.com>

commit 72f04b6
Author: Saehej Kang <saehej.kang@gmail.com>
Date: Fri Jan 30 19:10:03 2026 -0800

[docs]: update steps on building with containerization project (apple#1116)

- Closes apple#1095
- Just added a few more details about how to build with the local `containerization` dependency.

commit 3a0ad58
Author: Raj <rajaryan_singh@apple.com>
Date: Fri Jan 30 16:17:43 2026 -0800

Add resource.role label to builder container (apple#1120)

Add resource.role label to builder container

commit 1c01d0c
Author: J Logan <john_logan@apple.com>
Date: Fri Jan 30 11:07:49 2026 -0800

Update to kata 3.20.0 kernel. (apple#1114)

- Closes apple#1113.
- This is the newest we can do until we address apple#767.
- Slight change to PacketFilter error handling so unit tests work more reliably.
- Try making CLINetworkTests serialized to see if parallel execution is causing flakes.

commit 3f2060e
Author: Danny Canter <danny_canter@apple.com>
Date: Thu Jan 29 18:25:48 2026 -0800

DirectoryWatcher: Small adjustments (apple#1112)

- Have the handler throw
- Log the failure at error level

commit 0a7fb07
Author: Danny Canter <danny_canter@apple.com>
Date: Thu Jan 29 14:21:12 2026 -0800

Set mtu to old Containerization default (apple#1110)

The old mtu default in containerization was 1280 to account for some alpine/musl images that have issues with 1500. This changed in the last couple tags to be modifiable, but the new default is the standard 1500. Ideally we eventually allow supplying the mtu to be used when you create a network (or possibly a container creation setting), but for now just default in here back to what CZ used to use.
commit 0bceb23
Author: Aditya Ramani <a_ramani@apple.com>
Date: Thu Jan 29 12:08:42 2026 +0900

Bump to use containerization 0.23.2 (apple#1106)

Updating the package dependency on apple/containerization to pick up bug fixes

Signed-off-by: Aditya Ramani <a_ramani@apple.com>
Co-authored-by: J Logan <john_logan@apple.com>

commit d762fe5
Author: jwhur <57657645+JaewonHur@users.noreply.github.com>
Date: Wed Jan 28 18:22:33 2026 -0800

Launch a service with waitForDebugger if specified (apple#1101)

This PR enables launching a service with `waitForDebugger` flag if the service label matches a given env variable `CONTAINER_DEBUG`.

commit 4f93e3e
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed Jan 28 18:21:08 2026 -0800

ci: bump actions/checkout from 6.0.1 to 6.0.2 in the github-actions group (apple#1100)

- Updates `actions/checkout` from 6.0.1 to 6.0.2

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

commit 371db6d
Author: jwhur <57657645+JaewonHur@users.noreply.github.com>
Date: Wed Jan 28 17:17:08 2026 -0800

Fix testExecOnExitingContainer (apple#1107)

Check the container remains only, not its status as the status might not have been updated at the time checking.

commit d872270
Author: J Logan <john_logan@apple.com>
Date: Wed Jan 28 09:04:58 2026 -0800

Removes ArgumentParser import from NetworkMode. (apple#1102)

- ContainerResources shouldn't need to know anything about CLI stuff.
- Move ExpressibleByArgument protocol conformance to an extension in the package where it's needed.
commit 3abf81f
Author: Saehej Kang <saehej.kang@gmail.com>
Date: Tue Jan 27 20:00:43 2026 -0800

[image-list]: Add full size field to json output (apple#1098)

- Refer to apple#862
- Updated `SIZE` field to `FULL SIZE`, as it seemed more appropriate so it does not get mixed up with the `descriptor size` field
- Closes apple#860

commit 24cbed5
Author: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date: Wed Jan 28 06:55:49 2026 +0800

Implement container prune (apple#904)

- Fixed apple#892.
- By contrast with `rm`, `prune` should display the amount of reclaimed storage, so added code to retrieve it.

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

commit a57527e
Author: jwhur <57657645+JaewonHur@users.noreply.github.com>
Date: Tue Jan 27 11:15:22 2026 -0800

Refactor container lifecycle functions to perform scoped rollback on failure (apple#1080)

- Closes apple#977.
- Closes apple#1058.
- Prevents unexpected removal of containers on bootstrapping and starting failures, by reorganizing error handling for container `run`, `start`, and `exec` so that error handling only unwinds that which was done in the current scope.
- Relies on apple/containerization#495.

commit 6244129
Author: c <claudeaceae@icloud.com>
Date: Mon Jan 26 23:30:45 2026 -0500

Fix grammar in BUILDING.md (apple#984)

- Fixes a grammar error in the local Containerization development instructions.

commit 9d4cded
Author: jwhur <57657645+JaewonHur@users.noreply.github.com>
Date: Mon Jan 26 19:35:41 2026 -0800

Isolated network (apple#1079)

- Closes apple#1037.
- Adds a `--mode` flag that has `nat` and `hostOnly` options. The host-only option selects the vmnet host-only mode, where containers attached to the network can reach each other and the host, but not external systems.

commit 033c999
Author: J Logan <john_logan@apple.com>
Date: Mon Jan 26 14:07:00 2026 -0800

Make TerminalProgress a library. (apple#1093)

- Closes apple#1092.
- Allows 3rd party CLI plugins to use the progress indicator.

commit b371aee
Author: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date: Tue Jan 27 05:07:05 2026 +0800

Feat: container image delete force option (apple#1096)

- Fixed apple#1087

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

commit ed1185d
Author: jwhur <57657645+JaewonHur@users.noreply.github.com>
Date: Fri Jan 23 17:59:28 2026 -0800

Container-to-host networking. (apple#1078)

- Closes apple#346.
- This PR enables connecting host's localhost ports from containers.
- It adds an option `--localhost <localhost>` to DNS create command, after which the packets heading ip address in container are redirected to localhost in host machine. Packet filter rule is added and deleted along with the creation and deletion of localhost domain.

commit 14c279f
Author: Patrick Linnane <patrick@linnane.io>
Date: Fri Jan 23 17:56:35 2026 -0800

Add option to stop services in all launchd domains (apple#1077)

- Services started from Terminal run in the `gui/$uid` launchd domain. When `ensure-container-stopped.sh` runs from a different context, `launchctl managername` may return a different domain, causing the script to check the wrong domain and miss running services. I noticed this after upgrading `container` via Homebrew.
- Introduces a getopt option `-a` that allows booting out all domains explicitly. Also adds `-h` for a usage message.

Signed-off-by: Patrick Linnane <patrick@linnane.io>

commit 751c1fc
Author: Stanislav Antonichev <cympak2@users.noreply.github.com>
Date: Fri Jan 23 23:01:26 2026 +0200

Add --dns support to build command for custom DNS resolution (apple#1067)

This change adds --dns parameter support to the build command, matching the existing functionality in the run command.
This allows users to specify custom DNS nameservers (like Google DNS 8.8.8.8) when building container images, which is essential when the host machine uses a local DNS resolver (e.g., 127.0.0.2) that doesn't work inside containers.

Changes:
- Added --dns option to BuildCommand to accept DNS nameserver IP addresses
- Modified build logic to detect DNS configuration changes and recreate the builder container when DNS settings differ
- Passed DNS configuration to BuilderStart.start() method
- Updated builder container creation to use specified DNS nameservers or fall back to network gateway

## Type of Change
- [ ] Bug fix
- [X] New feature
- [ ] Breaking change
- [ ] Documentation update

## Motivation and Context
This change adds --dns parameter support to the build command, matching the existing functionality in the run command. This allows users to specify custom DNS nameservers (like Google DNS 8.8.8.8) when building container images, which is essential when the host machine uses a local DNS resolver (e.g., 127.0.0.2) that doesn't work inside containers.

## Testing
- [X] Tested locally
- [ ] Added/updated tests
- [ ] Added/updated docs

---------

Co-authored-by: J Logan <sgtbakerrahulnet@yahoo.com>

commit 55f2112
Author: J Logan <john_logan@apple.com>
Date: Fri Jan 23 11:35:10 2026 -0800

Place image store data correctly for app-root path. (apple#1085)

- Closes apple#1084.

commit 5746ec3
Author: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date: Sat Jan 24 03:32:59 2026 +0800

Fix: prevent delete default network (apple#1083)

- Fixed apple#1073
- Move the conditional check to the front; there's no need to check for a default network after filtering.

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
…hub.com/Mcrich23/container into add-command-option-group-function-macro
40f40d2 to 7d45ac0
This reverts commit 40f40d2.
remove changes for unnecessary files
remove changes for unnecessary files
remove changes for unnecessary files
remove changes for unnecessary files
7d45ac0 to 82d5bd4
@katiewasnothere The nice thing is that this is a strictly additory pull request which makes things quite easy as we are just adding a macro. There were some messy commits earlier due to my pre-commit hooks for auto formatting, but I have manually patched that up so very few files are touched in this PR.
Type of Change
Motivation and Context
With the new plugin command exposure, challenges arose around passing down option groups to maintain user preferences without massive developer work (#633). This PR addresses the issue using a macro that will automatically adapt as flags and options are added or changed in the future. The only requirement for a developer to adopt the new changes will be to recompile their code.
Testing