# How Apple's Container Runtime Leverages Apple Silicon Hardware Features

> Discover how Apple's container runtime uses Virtualization and vmnet frameworks on Apple Silicon for hardware-isolated Linux VMs. Learn about kernel-level networking and M3 requirements.

- Repository: [Apple/container](https://github.com/apple/container)
- Tags: architecture
- Published: 2026-07-01

---

**Apple's container runtime uses the Virtualization and vmnet frameworks to run each container in its own hardware-isolated Linux VM with kernel-switched networking; it requires an Apple Silicon Mac, and M3 or later for nested virtualization.**

The `apple/container` repository delivers a native macOS container runtime that differs from Docker Desktop-style setups in one fundamental way: instead of one shared Linux VM hosting every container, each container gets its own lightweight VM. By leveraging Apple Silicon's hardware virtualization, the runtime gets VM-grade isolation without full-system emulation, using dedicated frameworks to manage CPU, memory, and network resources at the hypervisor level.

## The Virtualization Framework: Hardware-Isolated Container Execution

Unlike Linux containers that share the host kernel, this runtime uses Apple's **Virtualization framework** to instantiate a dedicated Linux VM for every container. A process that escapes its container therefore still faces a VM boundary rather than just namespaces and cgroups on a shared kernel, while the minimal guest keeps VM start fast enough for container-style workflows.

### Per-Container VM Creation with VZVirtualMachine

In [`Sources/Services/RuntimeLinux/Server/RuntimeService.swift`](https://github.com/apple/container/blob/main/Sources/Services/RuntimeLinux/Server/RuntimeService.swift), the runtime creates a `VZVirtualMachine` for each container instance. Every container's processes run under their own guest kernel, and the CPU's virtualization extensions, driven through Hypervisor.framework underneath the Virtualization framework, enforce the memory and CPU separation between guests and the host.

The runtime configures each VM with a `VZVirtualMachineConfiguration`: a `VZLinuxBootLoader` carrying the kernel, initial ramdisk and command line, plus the CPU count, memory size and virtio devices the guest will see. Guest code executes natively on the Apple Silicon cores under hardware virtualization; there is no binary translation or instruction emulation in the path.

### Nested Virtualization Support (M3 and Later)

For workflows requiring containers that build other containers (or run their own VMs), the runtime supports nested virtualization. However, this feature is strictly gated to Apple Silicon M3 chips and later running macOS 15 or newer.

The [`Sources/ContainerCommands/Machine/MachineCapabilities.swift`](https://github.com/apple/container/blob/main/Sources/ContainerCommands/Machine/MachineCapabilities.swift) file implements the hardware validation:

```swift
import Virtualization

// Verify host can run nested VMs (M3 + macOS 15+)
try MachineCapabilities.requireNestedVirtualizationSupported()

let cfg = VZVirtualMachineConfiguration()
cfg.cpuCount = 2
cfg.memorySize = 1 << 30   // 1 GiB

// Linux guest: kernel, initrd and command line (URLs resolved from the image elsewhere)
let bootLoader = VZLinuxBootLoader(kernelURL: kernelURL)
bootLoader.initialRamdiskURL = initrdURL
bootLoader.commandLine = "console=hvc0"
cfg.bootLoader = bootLoader

// Nested virtualization is a property of the platform configuration, not of the VM itself
let platform = VZGenericPlatformConfiguration()
platform.isNestedVirtualizationEnabled = true
cfg.platform = platform

try cfg.validate()
let vm = VZVirtualMachine(configuration: cfg, queue: .main)
try await vm.start()
```

The `requireNestedVirtualizationSupported()` method checks `VZGenericPlatformConfiguration.isNestedVirtualizationSupported` (a macOS 15 API, so the call has to sit behind an availability check on older hosts) and aborts with an error on unsupported hardware. Command-line users opt in per container with the `--virtualization` flag on `container run`, documented in [`docs/command-reference.md`](https://github.com/apple/container/blob/main/docs/command-reference.md), which runs the same capability check before enabling nested virtualization in the VM's platform configuration. Nested virtualization stays off unless requested: a container that can create its own VMs holds a capability the host hypervisor must mediate, so it should be granted only to workloads that need it.
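The gating described above, written out as an added example. This is not the project's own `MachineCapabilities` code; the `HostCapabilities` and `CapabilityError` names are hypothetical. It layers three tests, architecture, OS version and the framework's own answer, because `isNestedVirtualizationSupported` only exists on macOS 15 and must be reached through `#available`, and it keeps nested virtualization off unless the caller asked for it:

```swift
import Foundation
import Virtualization

/// Hypothetical error type (not the project's own) so each failure names its reason.
enum CapabilityError: Error, CustomStringConvertible {
    case notAppleSilicon
    case virtualizationUnavailable
    case osTooOld(feature: String, required: String)
    case nestedVirtualizationUnsupported

    var description: String {
        switch self {
        case .notAppleSilicon:
            return "this runtime requires an Apple silicon Mac (a Rosetta-translated binary reports x86_64)"
        case .virtualizationUnavailable:
            return "the Virtualization framework reports that VMs cannot run on this host"
        case .osTooOld(let feature, let required):
            return "\(feature) requires macOS \(required) or newer"
        case .nestedVirtualizationUnsupported:
            return "nested virtualization is not supported by this chip (Apple M3 or later required)"
        }
    }
}

/// Hypothetical capability gate; the project's MachineCapabilities.swift plays this role.
enum HostCapabilities {
    /// Compile-time architecture: an x86_64 build under Rosetta is not Apple silicon.
    static var isAppleSilicon: Bool {
        #if arch(arm64)
        return true
        #else
        return false
        #endif
    }

    /// Base requirement: a VM can be created at all on this host.
    static func requireVirtualization() throws {
        guard isAppleSilicon else { throw CapabilityError.notAppleSilicon }
        guard VZVirtualMachine.isSupported else { throw CapabilityError.virtualizationUnavailable }
    }

    /// Nested requirement: macOS 15 API, answered by the framework (false on pre-M3 chips).
    static func requireNestedVirtualization() throws {
        try requireVirtualization()
        guard #available(macOS 15.0, *) else {
            throw CapabilityError.osTooOld(feature: "nested virtualization", required: "15")
        }
        guard VZGenericPlatformConfiguration.isNestedVirtualizationSupported else {
            throw CapabilityError.nestedVirtualizationUnsupported
        }
    }

    /// Platform section of a VZVirtualMachineConfiguration. Nested virtualization is only
    /// turned on when the caller asked for it (the CLI's --virtualization flag) and the host passed.
    static func makePlatform(nested: Bool) throws -> VZGenericPlatformConfiguration {
        let platform = VZGenericPlatformConfiguration()
        guard nested else {
            try requireVirtualization()
            return platform
        }
        try requireNestedVirtualization()
        if #available(macOS 15.0, *) {
            platform.isNestedVirtualizationEnabled = true
        }
        return platform
    }
}

// Usage: fail fast, before any VM resources are allocated.
let wantNested = CommandLine.arguments.contains("--virtualization")
do {
    let platform = try HostCapabilities.makePlatform(nested: wantNested)
    let config = VZVirtualMachineConfiguration()
    config.platform = platform
    print("host ok; nested virtualization requested:", wantNested)
} catch {
    FileHandle.standardError.write(Data("error: \(error)\n".utf8))
    exit(1)
}
```

The order of the checks matters for the error message the user sees: an Intel or Rosetta host is told about the architecture, a macOS 14 host about the OS version, and only an M1 or M2 host on macOS 15 gets the "M3 or later" message, which is the one that actually applies to it.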

## The vmnet Framework: Kernel-Level Virtual Networking

Container networking relies on the **vmnet framework**, the macOS API over the kernel's virtual network switch. Creating vmnet networks is a privileged operation (root or the `com.apple.vm.networking` entitlement), so in [`Sources/Services/NetworkVmnet/Server/ReservedVmnetNetwork.swift`](https://github.com/apple/container/blob/main/Sources/Services/NetworkVmnet/Server/ReservedVmnetNetwork.swift) the runtime isolates it in a dedicated XPC helper (`container-network-vmnet`) that establishes private networks for containers without external bridge devices or hand-built NAT rules on the host.

The framework creates a `vmnet_network_ref` that the runtime attaches directly to each container's VM:

```swift
import Foundation
import vmnet

struct VmnetError: Error {
    let message: String
    let status: vmnet_return_t
}

// Host-only keeps the network off the host's uplink; shared mode NATs it out through the host
let mode: operating_modes_t =
    configuration.mode == .hostOnly ? .VMNET_HOST_MODE : .VMNET_SHARED_MODE

var status: vmnet_return_t = .VMNET_SUCCESS
guard let vmnetConfig = vmnet_network_configuration_create(mode, &status) else {
    throw VmnetError(message: "Failed to create vmnet config", status: status)
}

// Subnet and mask are passed as in_addr values in network byte order
var ipv4 = in_addr()
var mask = in_addr()
inet_pton(AF_INET, "192.168.64.0", &ipv4)
inet_pton(AF_INET, "255.255.255.0", &mask)
let result = vmnet_network_configuration_set_ipv4_subnet(vmnetConfig, &ipv4, &mask)
guard result == .VMNET_SUCCESS else {
    throw VmnetError(message: "Subnet config failed", status: result)
}

// Create the network; the returned vmnet_network_ref is what gets attached to each VM
guard let network = vmnet_network_create(vmnetConfig, &status) else {
    throw VmnetError(message: "Failed to create vmnet network", status: status)
}
```

The container VM sees this network as a virtio network device rather than an emulated physical NIC, and frames between containers and the host are switched inside the kernel's vmnet switch instead of being copied through a user-space process, which is where the low networking overhead comes from.
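The snippet above hands a subnet and mask to `vmnet_network_configuration_set_ipv4_subnet`, but producing them from a user-supplied `a.b.c.d/n` is where configuration mistakes creep in. Here is that step as an added example; it is hypothetical helper code, not the project's, and it assumes the vmnet call takes `in_addr` pointers as the snippet does. It rejects the three inputs that most often go wrong: a host address where a network address was meant, a prefix too small or too large to be usable, and a public range, which in shared (NAT) mode would capture traffic meant for real Internet hosts:

```swift
import Foundation

/// Hypothetical helper (not the project's own): turns "a.b.c.d/n" into the in_addr
/// subnet/mask pair that vmnet_network_configuration_set_ipv4_subnet takes.
struct IPv4Subnet {
    enum ParseError: Error, Equatable {
        case malformed(String)
        case badPrefix(Int)
        case hostBitsSet(String)   // 192.168.64.5/24 names a host, not a subnet
        case notPrivate(String)    // a public range would shadow real Internet destinations
    }

    let address: in_addr          // network address, network byte order
    let mask: in_addr
    let prefixLength: Int

    init(_ cidr: String) throws {
        let parts = cidr.split(separator: "/", omittingEmptySubsequences: false)
        guard parts.count == 2, let prefix = Int(parts[1]) else {
            throw ParseError.malformed(cidr)
        }
        // /31 and /32 leave no room for a gateway plus at least one container;
        // anything shorter than /8 is not a private network in practice
        guard (8...30).contains(prefix) else { throw ParseError.badPrefix(prefix) }

        var addr = in_addr()
        guard inet_pton(AF_INET, String(parts[0]), &addr) == 1 else {
            throw ParseError.malformed(cidr)
        }

        // s_addr is big-endian on the wire; do the arithmetic in host order
        let host = UInt32(bigEndian: addr.s_addr)
        let maskBits = ~UInt32(0) << UInt32(32 - prefix)
        guard host & ~maskBits == 0 else { throw ParseError.hostBitsSet(cidr) }
        guard IPv4Subnet.isRFC1918(host) else { throw ParseError.notPrivate(cidr) }

        address = in_addr(s_addr: host.bigEndian)
        mask = in_addr(s_addr: maskBits.bigEndian)
        prefixLength = prefix
    }

    /// 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16
    static func isRFC1918(_ host: UInt32) -> Bool {
        return host >> 24 == 10 || host >> 20 == 0xAC1 || host >> 16 == 0xC0A8
    }

    /// Dotted-quad rendering for logs and error messages.
    var text: String {
        var a = address
        var buf = [CChar](repeating: 0, count: Int(INET_ADDRSTRLEN))
        inet_ntop(AF_INET, &a, &buf, socklen_t(INET_ADDRSTRLEN))
        return String(cString: buf) + "/\(prefixLength)"
    }
}

// Constructed inputs: a good subnet, a host address, a public range, and an oversized prefix
for candidate in ["192.168.64.0/24", "192.168.64.5/24", "8.8.8.0/24", "10.0.0.0/7"] {
    do {
        let subnet = try IPv4Subnet(candidate)
        print("accepted \(subnet.text)")
    } catch {
        print("rejected \(candidate): \(error)")
    }
}
```

The resulting `address` and `mask` are already in network byte order, so they can be passed by reference to the vmnet call exactly as `ipv4` and `mask` are in the snippet above. Rejecting rather than silently masking off host bits is deliberate: a user who typed `192.168.64.5/24` probably meant something else, and a network that quietly ends up on `192.168.64.0/24` is the kind of surprise that later shows up as an address collision with the host's own LAN.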

## Hardware Requirements and Capability Detection

The runtime performs strict hardware validation before enabling Apple Silicon-specific features:

- **Base virtualization**: Requires an Apple silicon Mac. The Virtualization framework also exists on Intel Macs, but this runtime does not support them; the project's README targets macOS 26, with macOS 15 supported only with limitations.
- **Nested virtualization**: Requires M3 or later with macOS 15+, enforced by [`Sources/ContainerCommands/Machine/MachineCapabilities.swift`](https://github.com/apple/container/blob/main/Sources/ContainerCommands/Machine/MachineCapabilities.swift).
- **Networking**: vmnet is available on both architectures, but since the runtime is Apple silicon only, its vmnet path is only ever exercised there. Creating networks needs root or the `com.apple.vm.networking` entitlement, which is why that work lives in the separate `container-network-vmnet` helper rather than in every process that starts a container.

These checks ensure that the runtime fails fast with descriptive errors when users attempt to invoke hardware-dependent features on incompatible systems.

## Summary

- **True hardware isolation**: Each container runs in a dedicated `VZVirtualMachine` using the Apple Silicon Hypervisor, providing stronger security boundaries than shared-kernel containers.
- **Nested virtualization**: Available exclusively on M3 chips and later (macOS 15+), enabling containers to run their own VMs for build workflows.
- **Kernel-level networking**: The vmnet framework provides virtual NICs directly to container VMs through [`Sources/Services/NetworkVmnet/Server/ReservedVmnetNetwork.swift`](https://github.com/apple/container/blob/main/Sources/Services/NetworkVmnet/Server/ReservedVmnetNetwork.swift), with the privileged network creation confined to the `container-network-vmnet` helper and no external bridge dependencies.
- **Capability gating**: The runtime validates hardware features via [`Sources/ContainerCommands/Machine/MachineCapabilities.swift`](https://github.com/apple/container/blob/main/Sources/ContainerCommands/Machine/MachineCapabilities.swift) before attempting to initialize virtualization or nested virtualization modes.

## Frequently Asked Questions

### What Apple Silicon hardware is required for nested virtualization?

Nested virtualization requires an Apple Silicon M3 chip or later running macOS 15 or newer. The runtime checks `VZGenericPlatformConfiguration.isNestedVirtualizationSupported` in [`Sources/ContainerCommands/Machine/MachineCapabilities.swift`](https://github.com/apple/container/blob/main/Sources/ContainerCommands/Machine/MachineCapabilities.swift) and aborts with an error if the host hardware or OS predates these requirements.

### How does the container runtime isolate containers without Docker?

Instead of relying on Linux namespaces and cgroups on a shared kernel as the isolation boundary, the runtime creates a dedicated `VZVirtualMachine` for each container via [`Sources/Services/RuntimeLinux/Server/RuntimeService.swift`](https://github.com/apple/container/blob/main/Sources/Services/RuntimeLinux/Server/RuntimeService.swift). The hypervisor and the CPU's virtualization extensions enforce memory and CPU separation between guests, a stronger boundary than a shared-kernel container escape has to cross.

### What is the vmnet framework and why does it matter for containers?

The vmnet framework is the macOS API over the kernel's virtual network switch. The runtime uses it in [`Sources/Services/NetworkVmnet/Server/ReservedVmnetNetwork.swift`](https://github.com/apple/container/blob/main/Sources/Services/NetworkVmnet/Server/ReservedVmnetNetwork.swift) to attach private virtual NICs to each container's VM without external bridge devices or hand-built NAT rules, which means lower networking overhead and a simpler, less privileged host configuration (only the dedicated helper needs the right to create networks).

### Can I run the container runtime on Intel Macs?

No. The runtime requires an Apple silicon Mac, and features such as nested virtualization additionally require an M3 or later chip on macOS 15+. The capability checks in `MachineCapabilities.swift` fail fast with a descriptive error on unsupported hardware rather than falling back to a degraded mode.