
Understand disk partition, container and volume

I am confused by the notions of partitions, containers and volume.


Looking at a recent mac with default setup, inside disk utility, I see 1 disk, 1 partition, 1 container and 2 volumes.



However, the right side of disk utility says "Shared by 5 volumes" so I am guessing there are 3 hidden volumes? What are these 3 hidden volumes?


Then I try to understand how this structure is reflected on the file system. The disk is called disk0 in Disk Utility, but if I do an `ls disk0*` I see:


`disk0#    disk0s1#  disk0s2#  disk0s3#`


What are these 4 directories?


Inside Disk Utility, the container is called disk3, but I see 8 directories:

`/dev/disk3  /dev/disk3s1  /dev/disk3s1s1  /dev/disk3s2  /dev/disk3s3  /dev/disk3s4  /dev/disk3s5  /dev/disk3s6`


Why are there 8 directories and not 5 (1 per volume)?


Thanks for any hint to help my understanding!


Posted on Jan 21, 2023 3:49 AM

14 replies

Jan 21, 2023 6:32 AM in response to Barney-15E

Thanks a lot for your detailed answer!

That all makes sense.


I want to install 2 macOS versions, so that I can dual boot. I want the 2 OSes to be completely isolated, and one to not have access to the other at all. I am trying to decide if I should install the new macOS on a new volume, in the same container, or whether I should create a new container.


In the 2019 article from Eclectic Light, they say the other OS has to be installed inside a new container: https://eclecticlight.co/2019/03/15/should-you-add-a-new-apfs-container-or-volume/


But Apple doc says you can install on a new volume, in the same container.

So it seems things have evolved since 2019. I am trying to figure out if I can install the new OS on a new volume, in the same container, without lowering the isolation between the 2 OSes. Specifically, I am trying to figure out if installing the 2 OSes in the same container lowers the FileVault security, from one OS to the other.


Do you have any thoughts on that?

Thanks!

Jan 21, 2023 6:45 AM in response to sebastien244

Volumes (and containers) are encrypted independently of one another.

FileVault isn't really the encryption. It is the glue that allows you to decrypt and login with the same credentials, instead of having to use one to decrypt, and another to log into the account.


Either way you install, you can mount or not mount the other container or volumes from each. I think everything about APFS is voodoo at the moment. Apple hasn't thoroughly documented it (and probably never will). It certainly could have been true in those early stages of APFS that you could not have two boot volumes, but you can now. I don't know why one method would be superior to the other except the choice of fixing the storage space for both with a container.



Jan 21, 2023 4:37 AM in response to sebastien244

I’m not sure where you see a partition and a container, except that they are essentially the same. The important distinction is a container hosts multiple “virtual” subdivisions called Volumes.

Volumes share the storage space of the container, but can be restricted when created.

However, the right side of disk utility says "Shared by 5 volumes" so I am guessing there are 3 hidden volumes? What are these 3 hidden volumes?

Preboot, VM, Recovery, Update, and I think there is at least one other that I can’t remember the name.

Then I try to understand how this structure is reflected on the file system.

Apple Silicon Macs have one (or more) small partitions at the beginning of the disk for boot up. Those don’t appear except in some of the diskutil functions.


In general, disk# is either a physical or synthesized disk. The s# are subdivisions of that disk. You see more than five because there are more than five, as I noted above. I don’t know why it said shared with five except that they all may not be mounted and not reported.

There is a blog on The Eclectic Light Company website that diagrams and discusses the macOS disk layout in much more detail (and many other esoteric Mac things).
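To check the device-node arithmetic from the replies above offline (disk# is the whole disk, disk#s# a partition or APFS volume, disk#s#s# a snapshot of that volume, and the Preboot/Recovery/VM/Update volumes serve the whole container), here is an added example that is not part of any post in this thread. It parses a constructed `diskutil list` listing shaped like the original poster's layout; the names and sizes in it are illustrative, not taken from a real Mac.

```python
import re

# Constructed sample of `diskutil list` output matching the layout in the thread
# (one internal disk, one APFS container disk3 with six volumes plus the sealed
# system snapshot disk3s1s1). Names and sizes are illustrative, not a real Mac.
SAMPLE = """\
/dev/disk0 (internal):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                         494.4 GB   disk0
   1:             Apple_APFS_ISC                         524.3 MB   disk0s1
   2:                 Apple_APFS Container disk3         489.0 GB   disk0s2
   3:        Apple_APFS_Recovery                         5.4 GB     disk0s3

/dev/disk3 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +489.0 GB   disk3
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD            8.6 GB     disk3s1
   2:              APFS Snapshot com.apple.os.update-AB  8.6 GB     disk3s1s1
   3:                APFS Volume Preboot                 5.4 GB     disk3s2
   4:                APFS Volume Recovery                852.5 MB   disk3s3
   5:                APFS Volume Update                  2.6 MB     disk3s4
   6:                APFS Volume Data                    390.2 GB   disk3s5
   7:                APFS Volume VM                      20.5 KB    disk3s6
"""

ROW = re.compile(r"^\s*\d+:\s+(APFS Container Scheme|APFS Snapshot|APFS Volume|\S+)"
                 r"\s*(.*?)\s*(\+?\d[\d.]* [KMGTP]?B)\s+(disk\S+)\s*$")
NODE = re.compile(r"^disk(\d+)(?:s(\d+))?(?:s(\d+))?$")
# Volumes that serve every volume group in a container: two macOS installs in one
# container share them, a second container gets its own set.
SHARED_ROLES = {"Preboot", "Recovery", "VM", "Update"}

def parse_diskutil_list(text):
    """Return one dict per row (type, name, size, ident); containers also get physical_store."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"type": m[1], "name": m[2], "size": m[3], "ident": m[4]})
        elif "Physical Store" in line and rows:
            rows[-1]["physical_store"] = line.split()[-1]
    return rows

def explain_node(ident):
    """Classify a /dev node name: whole disk, slice (partition/volume) or snapshot."""
    d, s, ss = NODE.match(ident).groups()
    if ss:
        return f"snapshot of disk{d}s{s}"     # diskNsMsK is a snapshot of volume M
    return f"slice {s} of disk{d}" if s else f"whole disk{d}"

def container_summary(rows, container):
    """Why `ls /dev/disk3*` shows more nodes than there are volumes."""
    members = [r for r in rows if r["ident"] == container or r["ident"].startswith(container + "s")]
    vols = [r["name"] for r in members if r["type"] == "APFS Volume"]
    snaps = [r["ident"] for r in members if r["type"] == "APFS Snapshot"]
    store = next((r.get("physical_store") for r in members if r["ident"] == container), None)
    return {"physical_store": store, "volumes": vols, "snapshots": snaps,
            "shared": sorted(SHARED_ROLES & set(vols)),   # shared by every volume group
            "dev_nodes": len(members)}                    # container + volumes + snapshots
```

For the sample, `container_summary(rows, "disk3")` reports 8 device nodes for 6 volumes: the container itself plus the sealed-system snapshot disk3s1s1 account for the difference.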

Jan 21, 2023 4:15 PM in response to sebastien244

sebastien244 wrote:

I want to install 2 macOS version, so that I can dual boot.

Why?

I want the 2 OS to be completely isolated

First of all, that's not possible. There is always going to be some degree of impact on the other system. Depending on how you implement it, that degree of impact could be minor, or it could corrupt all of your data.


Jan 22, 2023 12:03 PM in response to sebastien244

sebastien244 wrote:

"There is always going to be some degree of impact on the other system."

Hmm, I am surprised by that. If I install the 2 OSes on 2 distinct encrypted volumes, I don't see how what one process does on one OS impacts what happens on the other OS?

That's what I mean by "some degree of impact". If you are really careful and make sure, via various methods, to ensure that neither volume can ever see the contents of the other, then you can minimize that impact. But you'll never get it to zero. There is always the question of things like Recovery, boot partitions, NVRAM, and iCloud. With any kind of sync system, your computer has to be uniquely identified. How does that work? Serial number? MAC address? Those are the same on both volumes.


That's why I ask why. Just because a given feature exists, even if Apple documented it, doesn't mean you should ever use it. This particular "feature" is one of those red light, danger areas. It has never been well tested by Apple. Depending on what you are trying to do, and how, you can minimize the potential problems. But without knowing specifics, I wouldn't recommend attempting it.

Jan 23, 2023 2:38 AM in response to etresoft

Very good points. I have to run some software that I do not fully trust, and I am trying to think of a way to do it as safely as possible. That's why I thought of running it through another OS, with the idea that if it turns out to be malware, it won't affect my main OS.


Your point about Recovery and boot volumes is what I am thinking about the most: if I put the 2 OSes inside 2 different containers, rather than on 2 different volumes of the same container, then they will not share recovery and boot volumes? How important do you think it might be?

Jan 24, 2023 2:50 PM in response to emde-ash

Thanks a lot for all the links!


If I have understood correctly what I've read, adding a new volume group to the same container to create the same OS will actually mean the 2 OSes share the same preboot, recovery and VM volumes...


Now, I am trying to figure out how much of a security risk that is. If malware is running on OS_B installed in volume_groupB, in the same container as volume_groupA (on which OS_A is running), then do you have a sense of whether it is possible for the malware to attack OS_A or the data volume in volume_groupA?


I guess what I am asking is how much having access to preboot, recovery and vm increases the attack surface.



Jan 24, 2023 8:07 PM in response to sebastien244

sebastien244 wrote:

Very good points. I have to run some software that I do not fully trust, and I am trying to think of a way to do it as safely as possible. That's why I thought of running it through another OS, with the idea that if it turns out to be malware, it won't affect my main OS.

Your point about Recovery and boot volumes is what I am thinking about the most: if I put the 2 OSes inside 2 different containers, rather than on 2 different volumes of the same container, then they will not share recovery and boot volumes? How important do you think it might be?

Based on what Etresoft explained, you would be going through some acrobatics and possibly compromising your Mac, even if the likelihood is remote, to set something up so you can "run some software you don't fully trust"? I guess I would never run software I have any doubts about in terms of "trust." What do you do if the software executes some code that erases all the mounted drives, volumes, etc. with any data on them? I would never risk it.


If you are trying to set up a testbed for testing malware antidotes (?), or some such thing, requiring running software you don't trust, I would absolutely ever put that on any computer with anything of value; I would set up a cheap separate computer and after such testing, would then erase/format/wipe the computer and install a fresh system, ready for the next "test." Of course there is also the problem that this "test" computer is sharing your home or work network with your "good" computers, but presumably you can protect them.
