How Networking Is Handled in Apple's Container Runtime for VMs
Apple's container runtime leverages the macOS vmnet framework and an XPC helper service called container-network-vmnet to provide virtual network interfaces for Linux VMs, allocating IP addresses, MAC addresses, and routes through a pluggable architecture that supports isolated networks on macOS 26+.
Apple's container runtime runs each container inside its own lightweight Linux VM, with networking handled through a sophisticated integration with macOS virtualization frameworks. Understanding how networking is handled in Apple's container runtime for VMs requires examining the interplay between the vmnet framework, XPC services, and the pluggable network architecture implemented in the source code.
vmnet Framework Integration
The container CLI uses the Virtualization framework to launch VMs and the vmnet framework to create virtual network attachments. Each VM attaches to a vmnet virtual network, which provides the container with network connectivity through a virtual NIC.
In Sources/Plugins/NetworkVmnet/NetworkVmnetHelper.swift, the XPC helper implements the core logic for interfacing with vmnet. This helper runs as a separate XPC service, allowing the container runtime to request network allocations without blocking the main process.
XPC Network Helper Architecture
When container-apiserver starts, it launches the XPC service container-network-vmnet. This helper acts as a network control plane, allocating critical network resources for each container:
- IP addresses from the configured subnet
- MAC addresses for the virtual interface
- Gateway routes for external connectivity
The helper logs allocation events that reveal the network configuration process:
container-network-vmnet: allocated attachment [hostname=my-web-server.test.] [address=192.168.64.2/24] [gateway=192.168.64.1] [id=default]
This architecture separates privileged network operations from the main runtime, improving security and stability.
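To make the control-plane role concrete, here is an added Python model of what the helper hands out per container: a host address from the network's subnet, a locally administered MAC, and the gateway, emitted in the same log format quoted above. It also parses such log lines and checks that the allocated address and gateway actually fall inside the configured subnet, which is the check an operator would run over the helper's logs. This is example code, not code from Apple's project; the class and function names (VmnetAllocator, parse_allocation_log, allocation_is_consistent) and the "gateway is the first host address" rule are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Regex for the allocation log line format shown on the page.
LOG_RE = re.compile(
    r"container-network-vmnet: allocated attachment "
    r"\[hostname=(?P<hostname>[^\]]+)\] "
    r"\[address=(?P<address>[^\]]+)\] "
    r"\[gateway=(?P<gateway>[^\]]+)\] "
    r"\[id=(?P<id>[^\]]+)\]"
)


@dataclass(frozen=True)
class Attachment:
    hostname: str
    address: str     # e.g. "192.168.64.2/24"
    gateway: str     # e.g. "192.168.64.1"
    mac: str
    network_id: str


class VmnetAllocator:
    """Constructed model of per-network IP/MAC allocation (not the project's code)."""

    def __init__(self, network_id: str, subnet: str):
        # The page states the default subnet as 192.168.64.1/24; ip_interface accepts
        # that spelling and derives the 192.168.64.0/24 block from it.
        iface = ipaddress.ip_interface(subnet)
        self.network_id = network_id
        self.net = iface.network
        # Assumption: the gateway is the first host address (.1 in the page's log line).
        self.gateway = next(self.net.hosts())
        self._used_ips = {self.gateway}
        self._used_macs = set()

    def allocate(self, hostname: str, mac: Optional[str] = None) -> Attachment:
        # Lowest free host address that is neither the gateway nor already handed out.
        ip = next((h for h in self.net.hosts() if h not in self._used_ips), None)
        if ip is None:
            raise RuntimeError(f"subnet {self.net} exhausted")
        mac = mac or self._derive_mac(int(ip))
        if mac in self._used_macs:
            raise ValueError(f"MAC {mac} already allocated on network {self.network_id}")
        self._used_ips.add(ip)
        self._used_macs.add(mac)
        return Attachment(hostname, f"{ip}/{self.net.prefixlen}",
                          str(self.gateway), mac, self.network_id)

    @staticmethod
    def _derive_mac(seed: int) -> str:
        # Locally administered (bit 1 of first octet set), unicast (bit 0 clear) MAC
        # derived from the IPv4 address so it is stable and unique within the subnet.
        octets = [0x02, 0x42] + [(seed >> s) & 0xFF for s in (24, 16, 8, 0)]
        return ":".join(f"{o:02x}" for o in octets)


def format_log(a: Attachment) -> str:
    """Render an attachment in the helper's log line format quoted on the page."""
    return (f"container-network-vmnet: allocated attachment [hostname={a.hostname}] "
            f"[address={a.address}] [gateway={a.gateway}] [id={a.network_id}]")


def parse_allocation_log(line: str) -> dict:
    """Extract hostname/address/gateway/id from one allocation log line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not an allocation log line")
    return m.groupdict()


def allocation_is_consistent(fields: dict, expected_subnet: str) -> bool:
    """True if address and gateway lie in the expected subnet and differ from each other."""
    net = ipaddress.ip_interface(expected_subnet).network
    addr = ipaddress.ip_interface(fields["address"])
    gw = ipaddress.ip_address(fields["gateway"])
    return addr.network == net and gw in net and addr.ip != gw


if __name__ == "__main__":
    alloc = VmnetAllocator("default", "192.168.64.1/24")
    att = alloc.allocate("my-web-server.test.")
    line = format_log(att)
    print(line)
    print("consistent:", allocation_is_consistent(parse_allocation_log(line), "192.168.64.1/24"))
```

Running the block reproduces the page's log line for the first allocation (192.168.64.2/24 with gateway 192.168.64.1), and the consistency check is what you would run across a day's helper logs to spot an attachment whose address fell outside the configured subnet.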
Network Plugin Model
The runtime implements a pluggable network model defined in Sources/ContainerResource/Network/NetworkConfiguration.swift. While container-network-vmnet serves as the default plugin, the architecture supports alternative networking implementations through the --plugin flag.
Key aspects of the plugin system include:
- Default plugin: container-network-vmnet provides vmnet-based networking out of the box
- Plugin selection: Users can specify custom plugins via CLI flags
- Configuration: Network settings are defined in ~/.config/container/config.toml, including default subnets
Interface Strategies and Network Isolation
Network interface creation follows specific strategies based on the macOS version and network type. In Sources/Plugins/RuntimeLinux/RuntimeLinuxHelper+Start.swift, the runtime registers distinct interface strategies:
- IsolatedInterfaceStrategy: Used for standard VMs, providing full network isolation
- NonisolatedInterfaceStrategy: Available on macOS 26+ for reserved interfaces, allowing specific host-network integrations
Network capabilities vary significantly by macOS version:
- macOS 15: The vmnet framework supports only a single default network; containers cannot communicate directly with each other over this network
- macOS 26+: Users can create additional isolated networks using container network create, with each network isolated from others
Network Configuration and Runtime Flow
The networking stack follows a specific initialization sequence when starting containers:
- container system start launches container-apiserver
- container-apiserver spawns the container-network-vmnet XPC helper
- Container creation triggers container-runtime-linux (the per-container helper)
- The runtime helper contacts the XPC service to allocate network interfaces (IP, MAC, gateway)
- The VM boots with the allocated interface; traffic traverses the vmnet virtual NIC to reach the host network or other isolated networks
Configuration options include:
- --network: Attach to a specific network (e.g., --network foo)
- --network with MAC/MTU: Specify custom MAC addresses or MTU sizes (e.g., --network foo,mac=02:42:ac:11:00:02)
- Default subnet: 192.168.64.1/24 (configurable in config.toml)
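The --network value is a name followed by optional comma-separated key=value settings, and because the MAC is user-supplied it needs validation before it reaches the vmnet attachment. The following added Python example (not code from Apple's project) parses that syntax, rejects malformed or multicast MACs, flags MACs that are not locally administered, and keeps a per-network registry so two containers cannot be given the same MAC on one network. The mac= key comes from the page; the mtu= key name and its 68..9000 bounds are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Six colon-separated hex octets.
MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")


@dataclass
class NetworkSpec:
    name: str
    mac: Optional[str] = None
    mtu: Optional[int] = None          # assumed option, see lead-in
    warnings: List[str] = field(default_factory=list)


def validate_mac(mac: str) -> str:
    """Return the MAC in lower case; raise on malformed or multicast addresses."""
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    mac = mac.lower()
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:
        # Bit 0 of the first octet set means a group (multicast) address; a VM
        # interface must have a unicast MAC or the guest will not receive unicast frames.
        raise ValueError(f"multicast MAC not allowed: {mac}")
    return mac


def mac_is_acceptable(mac: str) -> bool:
    """Boolean wrapper around validate_mac for callers that only need a yes/no."""
    try:
        validate_mac(mac)
        return True
    except ValueError:
        return False


def parse_network_spec(spec: str) -> NetworkSpec:
    """Parse 'name[,key=value,...]' as given to --network (e.g. 'foo,mac=02:42:ac:11:00:02')."""
    name, *opts = spec.split(",")
    if not name:
        raise ValueError("network name is empty")
    ns = NetworkSpec(name=name)
    for opt in opts:
        if "=" not in opt:
            raise ValueError(f"option {opt!r} is not key=value")
        key, value = opt.split("=", 1)
        if key == "mac":
            ns.mac = validate_mac(value)
            if not int(ns.mac[:2], 16) & 0x02:
                # A globally unique (OUI-assigned) MAC is legal but can collide with a
                # real device if the network is ever bridged rather than isolated.
                ns.warnings.append("mac is not locally administered")
        elif key == "mtu":                      # assumed key name
            mtu = int(value)
            if not 68 <= mtu <= 9000:           # assumed bounds
                raise ValueError(f"mtu {mtu} out of range")
            ns.mtu = mtu
        else:
            raise ValueError(f"unknown --network option {key!r}")
    return ns


def reserve_mac(registry: Dict[str, Set[str]], ns: NetworkSpec) -> bool:
    """Record ns.mac under ns.name; return False if that MAC is already used on the network."""
    if ns.mac is None:
        return True                             # runtime will allocate one
    used = registry.setdefault(ns.name, set())
    if ns.mac in used:
        return False
    used.add(ns.mac)
    return True


if __name__ == "__main__":
    registry: Dict[str, Set[str]] = {}
    spec = parse_network_spec("foo,mac=02:42:ac:11:00:02")
    print(spec, "reserved:", reserve_mac(registry, spec))
    print("duplicate reserved:", reserve_mac(registry, parse_network_spec("foo,mac=02:42:AC:11:00:02")))
```

The registry is keyed by network name, so the same MAC is accepted on two different isolated networks (they are separate L2 segments) but refused twice on one network, where the duplicate would make the earlier container's traffic ambiguous.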
Practical Examples
Start the container system to initialize the network infrastructure:
# Start the container system (spawns the network XPC helper)
$ container system start
List and create networks:
# List available networks (shows "default" on macOS 15/26)
$ container network list
default
# Create a new isolated network (macOS 26+ only)
$ container network create foo --subnet 192.168.100.0/24
Run a container with custom network configuration:
# Run a container attached to the custom network with a specific MAC address
$ container run -d --name web \
--network foo,mac=02:42:ac:11:00:02 \
nginx:latest
Inspect the allocated network interface:
# Inspect the allocated network interface for the running container
$ container inspect web --format json | jq '.networks[0]'
{
"network": "foo",
"address": "192.168.100.2/24",
"gateway": "192.168.100.1",
"macAddress": "02:42:ac:11:00:02"
}
Summary
- vmnet integration: Apple's container runtime uses the macOS vmnet framework to create virtual network interfaces for Linux VMs, implemented in NetworkVmnetHelper.swift
- XPC architecture: The container-network-vmnet helper service handles IP, MAC, and route allocation separately from the main runtime
- Plugin model: Networking is pluggable via NetworkConfiguration.swift, with vmnet as the default and support for custom plugins via --plugin
- Interface strategies: RuntimeLinuxHelper+Start.swift implements IsolatedInterfaceStrategy for standard VMs and NonisolatedInterfaceStrategy for macOS 26+ reserved interfaces
- Version limitations: macOS 15 supports only a single default network with no container-to-container communication, while macOS 26+ enables multiple isolated networks via container network create
- Configuration: Default subnet is 192.168.64.1/24, customizable in ~/.config/container/config.toml
Frequently Asked Questions
What is the default network subnet in Apple's container runtime?
The default network subnet is 192.168.64.1/24. You can override this default in the user configuration file at ~/.config/container/config.toml, or specify custom subnets when creating isolated networks on macOS 26+ using container network create.
Why can't containers communicate with each other on macOS 15?
On macOS 15, a vmnet framework limitation restricts the runtime to a single default network that does not support container-to-container communication. Each container can reach the host and external networks, but direct inter-container traffic is blocked by the framework's architecture.
How do I create isolated networks for container groups?
On macOS 26+, use the container network create command to establish isolated networks. For example, container network create foo --subnet 192.168.100.0/24 creates a new network namespace. Containers attached to this network via --network foo are isolated from containers on other networks, though they share the same virtualized infrastructure.
What role does the XPC helper service play in container networking?
The container-network-vmnet XPC helper acts as a privileged network daemon. When container-apiserver starts, it launches this helper to allocate IP addresses, MAC addresses, and gateway routes for each container VM. This separation allows the unprivileged container runtime to request network resources without requiring direct access to the vmnet framework.