zlacker

[return to "Show HN: NanoClaw – “Clawdbot” in 500 lines of TS with Apple container isolation"]
1. treelo+j3 2026-02-01 23:19:52
>>jimmin+(OP)
Interesting choice to use native Apple Containers over Docker.

I assume this is to keep the footprint minimal on a Mac Mini without the overhead of the Docker VM, but does this limit the agent's ability to run standard Linux tooling? Or are you relying on the AI to just figure out the BSD/macOS equivalents of standard commands?

2. selkin+ao 2026-02-02 02:25:01
>>treelo+j3
Not sure if it's intended, but Apple Container is a microVM, providing much better isolation than containers (while retaining the familiar interface).

3. TheDon+8G 2026-02-02 05:41:22
>>selkin+ao
"much better isolation than containers"

If you've got an exploit for docker / linux containers, please share it with the class.

What I'm saying is that in practice, containers and VMs have both been quite secure.

Also, you can configure docker to run microvms too https://github.com/firecracker-microvm/firecracker-container...

4. selkin+q72 2026-02-02 17:08:04
>>TheDon+8G
We want to protect against the unknown, not the known. The less surface area, the better, and containers have much wider surface area than VMs. Both had their faults, of course.
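The "surface area" in this exchange is the host kernel interface a container still talks to directly, whereas a microVM puts a guest kernel and a hypervisor boundary in between. What a defender can do on the container side is check how much of that interface a workload can actually reach. The following POSIX shell audit is an added example (my code, not from the thread or the NanoClaw project): it reads the effective capability mask, seccomp mode and no_new_privs flag from a Linux `/proc/<pid>/status` file and reports which of the three hardening controls are in place. The procfs field names are real; the two sample status files are constructed for the demo, the first resembling a default container root (14 effective capabilities, seccomp filter on, no_new_privs unset) and the second a hardened one.

```shell
#!/bin/sh
# Added example, not code from the thread or from NanoClaw. Audits a process's
# kernel-facing privilege posture from Linux /proc/<pid>/status. Inside a
# container this is the host's kernel, so fewer capabilities plus an active
# seccomp filter are what shrink the surface area the thread is talking about.
# Field names (CapEff, Seccomp, NoNewPrivs) are the real procfs ones; the
# sample status files further down are constructed for the demo.

# Count the set bits in a hex capability mask (CapEff is a 64-bit mask).
cap_count() {
  hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  n=0
  while [ -n "$hex" ]; do
    c=$(printf '%.1s' "$hex")   # first hex digit
    hex=${hex#?}                # drop it
    case "$c" in
      0) b=0 ;; 1|2|4|8) b=1 ;; 3|5|6|9|a|c) b=2 ;; 7|b|d|e) b=3 ;; f) b=4 ;; *) b=0 ;;
    esac
    n=$((n + b))
  done
  echo "$n"
}

# Report on one status file; exit status 0 only if every check passes.
# Seccomp field: 0 = disabled, 1 = strict, 2 = filter (a BPF policy is loaded).
audit_status_file() {
  f="$1"
  capeff=$(awk '$1=="CapEff:"{print $2}' "$f")
  seccomp=$(awk '$1=="Seccomp:"{print $2}' "$f")
  nnp=$(awk '$1=="NoNewPrivs:"{print $2}' "$f")
  ok=0
  caps=$(cap_count "$capeff")
  if [ "$caps" -eq 0 ]; then
    echo "capabilities: none"
  else
    echo "capabilities: $caps effective (CapEff=$capeff); consider --cap-drop=ALL"
    ok=1
  fi
  if [ "$seccomp" = "2" ]; then
    echo "seccomp: filter active"
  else
    echo "seccomp: mode ${seccomp:-unknown}; no syscall filter"
    ok=1
  fi
  if [ "$nnp" = "1" ]; then
    echo "no_new_privs: set"
  else
    echo "no_new_privs: unset; setuid binaries can regain privilege"
    ok=1
  fi
  return "$ok"
}

# Constructed samples (not captured from a real system): a default-looking
# container root and a hardened one.
DEFAULT_STATUS=$(mktemp)
cat >"$DEFAULT_STATUS" <<'EOF'
Name: sh
CapEff: 00000000a80425fb
NoNewPrivs: 0
Seccomp: 2
EOF
HARDENED_STATUS=$(mktemp)
cat >"$HARDENED_STATUS" <<'EOF'
Name: sh
CapEff: 0000000000000000
NoNewPrivs: 1
Seccomp: 2
EOF

echo "== default sample =="; audit_status_file "$DEFAULT_STATUS"
echo "== hardened sample =="; audit_status_file "$HARDENED_STATUS"
```

To audit a live workload, run `audit_status_file /proc/self/status` from inside the container (or point it at `/proc/<pid>/status` from the host). The three checks map to the usual Docker knobs (`--cap-drop=ALL`, a seccomp profile, and `--security-opt no-new-privileges`); passing all three narrows the kernel surface, but it does not turn a container into a microVM, which is the distinction the thread is drawing.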