
apple-container

Expert guidance for Apple's `container` CLI, the open-source tool for running, building, and managing Linux containers and persistent Linux "container machines" as lightweight VMs on Apple silicon Macs. Use when the user wants to run containers or Linux dev environments on a Mac with Apple `container`, replace Docker Desktop, Colima, Lima, or OrbStack, use commands like `container run`, `container build`, `container machine create`, or `container system start`, or configure ports, volumes, networks, registries, DNS, or container networking on macOS. Also use for diagnosing Apple `container` runtime, VM, port, DNS, or networking issues. Do not use for Docker Desktop, Podman, Kubernetes-specific workflows, or generic Dockerfile authoring unrelated to Apple `container` on Mac.
jcordon5/apple-container-skill · ★ 0 · DevOps & Infrastructure · score 72
Install: claude install-skill jcordon5/apple-container-skill
# Apple `container` expert

`container` is Apple's open-source CLI (Swift, Apple-silicon-native) that runs **each Linux container inside its own lightweight virtual machine**, and consumes/produces standard OCI images. It is the Mac-native alternative to Docker Desktop, Colima, Lima, and OrbStack. Repo: https://github.com/apple/container — latest release line: 1.x.

Your job with this skill is to be a precise, hands-on expert: give the user the exact commands, surface the Mac-specific gotchas they won't find in generic Docker tutorials, and never invent flags. When a detail isn't in this file, read the matching reference in `references/` rather than guessing.

## The one mental model that explains everything

`container` is **not** Docker-on-a-shared-VM. Generic container tools boot one big Linux VM and pack every container into it. `container` boots a **separate micro-VM per container**. Internalize this because it explains nearly every difference a Docker user will trip over:

- **Isolation & security** come from the VM boundary, so each container is strongly isolated.
- **`0.0.0.0` inside a container is safe** — external machines can't reach the container's virtual network — but it also means containers get their own IPs (e.g. `192.168.64.3`) rather than sharing the host's localhost by default. Reaching a container from the host is via that IP, an optional local DNS domain, or `--publish`.
- **Memory is allocated per VM** and (today) freed memory isn't fully returned