Minimal reproduction showing that Playwright (and any CDP-based automation) cannot reach OrbStack container domains on macOS when run from an ad-hoc signed parent process (e.g. Homebrew-installed tmux).
OrbStack routes container traffic through a macOS Network Extension. macOS restricts Network Extension access based on code signing of the process tree. When a parent process (like tmux) is ad-hoc signed (flags=0x2(adhoc)), all child processes lose access to Network Extension routes — even if the child itself is properly signed.
This means BSD socket connections to OrbStack container IPs fail with EHOSTUNREACH / ERR_ADDRESS_UNREACHABLE, while Network.framework-based tools (curl, Chrome address bar) continue to work.
| Method | Network layer | Ad-hoc signed parent | Properly signed parent |
|---|---|---|---|
curl |
Network.framework | Works | Works |
| Chrome address bar | Network.framework | Works | Works |
Chrome CDP Page.navigate |
BSD sockets | Fails | Works |
| Playwright (uses CDP) | BSD sockets | Fails | Works |
Node.js net.connect() |
BSD sockets | Fails | Works |
Python socket.connect() |
BSD sockets | Fails | Works |
You must run the repro script from inside a terminal whose parent process is ad-hoc signed. The most common case is Homebrew-installed tmux:
# Check if tmux is ad-hoc signed:
codesign -dvvv $(which tmux) 2>&1 | grep -E 'flags|Signature'
# Ad-hoc will show: flags=0x2(adhoc), Signature=adhocIf you run the repro from a properly signed terminal (e.g. Terminal.app or iTerm2 directly, without tmux), everything will pass.
- macOS (tested on macOS 15 Sequoia, Apple Silicon)
- OrbStack installed and running
- Node.js 18+
- Docker (via OrbStack)
- tmux (Homebrew-installed, ad-hoc signed) to trigger the failure
# Start tmux (must be ad-hoc signed to trigger the bug)
tmux
# Inside tmux:
git clone <this-repo>
cd orbstack-playwright-repro
npm install
bash repro.shThe script will:
- Start an nginx container via
docker compose - Show that
curlcan reachhttps://web.orbstack-playwright-repro.orb.local(Network.framework — works) - Show that Node.js TCP
connect()to the container IP fails withEHOSTUNREACH(BSD sockets — fails) - Run Playwright tests — they fail with
ERR_ADDRESS_UNREACHABLE - Launch Chrome manually, show the address bar loads the page, then show CDP
Page.navigateto the same URL fails
Running the same script outside tmux (directly in Terminal.app / iTerm2) will pass all tests.
Sign tmux with your Apple Developer identity:
# List your signing identities:
security find-identity -v -p codesigning
# Sign tmux (replace with your identity):
codesign -fs "Apple Development: Your Name (XXXXXXXXXX)" /opt/homebrew/bin/tmux
# Verify:
codesign -dvvv /opt/homebrew/bin/tmux 2>&1 | grep -E 'Authority|Signature'
# Should show your developer identity, not "adhoc"Then restart tmux (tmux kill-server && tmux) and re-run the repro — all tests will pass.
Note:
codesign -fs - /opt/homebrew/bin/tmux(re-signing ad-hoc) is NOT sufficient. You need a real Apple Developer identity to get Network Extension access.
Expose container ports to localhost via docker-compose.override.yml:
services:
web:
ports:
- "8080:80"Then use http://localhost:8080 instead of https://web.project.local.
Or simply run your tests outside tmux.
- orbstack/orbstack#1266 — Containers accessible via Safari but not Chrome (macOS 15)
- orbstack/orbstack#1415 — Container domain names do not work in chrome://inspect
- orbstack/orbstack#2244 — Local Network Access Broken in Chrome 142