Apple Containers: A New Way to Run Containers Natively on macOS

It's been over a month now since Apple released Container at WWDC 2025 and it's awesome!

The Old Way: A Single, Heavy Virtual Machine

In traditional container setups on macOS, everything ran inside a single, always-on virtual machine. This model had several drawbacks:

  • Resource Inefficiency: Resources like CPU and memory were reserved upfront, even if no containers were running.
  • Security & Privacy Limitations: File sharing followed a two-step process: first with the VM, then with the container. This increased the risk of unintended file access.
  • High Maintenance: The VM housed a full Linux distro with core utilities and libraries, increasing the attack surface and requiring frequent updates.

The New Way: Apple’s Containerisation Framework

Apple has reimagined container support on macOS with a new system that’s leaner, safer, and more performant, purpose-built for developers.

The framework’s design principles:

  • Security: Each container now runs inside its own lightweight virtual machine. There is no shared kernel and there are no shared system utilities, which dramatically reduces the attack surface.
  • Privacy: File and directory access is granted on a strict, per-container basis. Only the requesting container gets access. Nothing is shared broadly by default.
  • Performance: Containers start in under a second and, when stopped, consume no system resources. It’s efficient by design. Best of all, it is optimised for Apple Silicon.
  • Native macOS Integration: Containers leverage macOS’s Virtualization.framework, enabling seamless integration with native tools like Xcode and Swift, simplifying development workflows.

Why is this Different?

This isn’t just a new API. Fundamentally, it’s a different runtime architecture. Apple’s approach decouples containers from the traditional all-in-one VM model and treats each container as a secure, resource-isolated unit.

Rather than living inside an always-on VM, containers boot up on demand and shut down cleanly when no longer needed.

Why It Matters

For developers, this means faster workflows, better security hygiene, and less friction integrating containers into native macOS environments. Apple is setting a new standard for what modern containerisation can look like: secure by default, private by design, and efficient in practice.

Notes

  • The framework is officially supported in macOS 26 (Tahoe) beta, with limited functionality on macOS 15 (Sequoia).
  • Memory optimisation is partially implemented, which may slightly affect resource efficiency for some workloads.

Installing Apple Containers

Something worth looking at closely if you’re in the market for a Docker Compose-like CLI tool.
