Apple’s New Containerization Feature Allows Kali Linux Integration on macOS

Apple quietly slipped a game-changing developer feature into its WWDC 25 announcements: a native containerization stack that lets Macs run Open Container Initiative (OCI) images inside ultra-lightweight virtual machines.
In practice, that means you can launch a full Kali Linux environment on macOS “Sequoia” 15 today, and you won’t need Docker Desktop when macOS “Tahoe” 26 ships this fall. Here’s what it’s like to spin up Kali with Apple’s fresh “Container” command-line tool.
Container is the user-facing CLI. Under the hood, it calls the new Swift-based Containerization framework, which talks to Virtualization.framework.
Every container gets its own minimal VM created via Hypervisor.framework, delivering stronger isolation than Docker’s single-VM model while keeping startup times below one second.
In effect, Apple has built a macOS analogue to Microsoft’s WSL 2, except each container lives in its own micro-VM instead of sharing one kernel.
Getting Set Up in Minutes
On an Apple-silicon Mac running macOS 15.5 or later, install the CLI with a single Homebrew command:
brew install --cask container
After installation, start the background service:
container system start
The first launch prompts you to download a slim Kata Containers kernel; accept the prompt, and you’re ready to run.
Because Apple’s runtime is OCI-compliant, the official kalilinux/kali-rolling image from Docker Hub works out of the box. A clean interactive session is just one command away:
container run --rm -it kalilinux/kali-rolling
Seconds later you’re dropped into a Kali root shell, complete with the latest 6.12 aarch64 kernel. Need workspace persistence? Mount the current directory just as you would with Docker:
container run --rm -it -v "$(pwd)":/mnt -w /mnt kalilinux/kali-rolling
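An added example, not from the original article and not Apple's or Kali's code: a wrapper that checks the requirements stated above (Apple silicon, macOS 15.5 or later) and refuses to bind-mount the home directory or any of its parents before running the same commands. The function names, the `--launch` argument and the mount policy are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Apple's or Kali's code): checks before launching Kali.

# version_ge HAVE WANT: succeed when HAVE >= WANT, comparing major.minor only.
version_ge() {
    have_major=${1%%.*}; have_rest=${1#*.}
    if [ "$have_rest" = "$1" ]; then have_rest=0; fi   # no minor part given
    have_minor=${have_rest%%.*}
    want_major=${2%%.*}; want_rest=${2#*.}
    if [ "$want_rest" = "$2" ]; then want_rest=0; fi
    want_minor=${want_rest%%.*}
    if [ "$have_major" -gt "$want_major" ]; then return 0; fi
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# preflight ARCH OS_VERSION: the article's requirements (Apple silicon, 15.5+).
preflight() {
    if [ "$1" != "arm64" ]; then
        echo "Apple silicon required, found $1" >&2; return 1
    fi
    if ! version_ge "$2" 15.5; then
        echo "macOS 15.5 or later required, found $2" >&2; return 1
    fi
}

# mount_is_safe DIR HOME_DIR: assumed policy for this example. Refuse to share
# /, the home directory, or any parent of it with the container.
mount_is_safe() {
    case "$1" in
        /) return 1 ;;
    esac
    case "$2/" in
        "$1"/*) return 1 ;;   # DIR is the home directory or one of its parents
    esac
    return 0
}

launch_kali() {
    preflight "$(uname -m)" "$(sw_vers -productVersion)" || return 1
    if ! mount_is_safe "$PWD" "$HOME"; then
        echo "refusing to mount $PWD into the container" >&2; return 1
    fi
    container system start || return 1
    container run --rm -it -v "$PWD":/mnt -w /mnt kalilinux/kali-rolling
}

# Launch only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--launch" ]; then launch_kali; fi
```

Run it from a dedicated project directory with `--launch`; anything under the mounted directory is readable and writable from the Kali root shell.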
Early models from Apple’s developer docs show sub-second cold starts and near-native I/O, thanks to per-container VMs that bypass heavy translation layers.
The strict VM boundary removes the “everything shares one VM” lateral-movement risk that plagues Docker Desktop on macOS, a point Apple emphasized in its WWDC session.
Networking in macOS 15 is still rough: containers sometimes launch without an IP address or lose DNS resolution. Apple lists the issue as “under investigation,” promising full networking parity in Tahoe 26 betas. Intel Macs are also left out; Apple Silicon and the upcoming Tahoe release are the official targets.
Kali’s mantra is “penetration testing from anywhere.” Until now, Mac users have had to juggle heavyweight VMs or Docker Desktop’s resource-hungry LinuxKit VM, the Kali team said.
Apple’s native solution slashes the overhead, cuts cold-start latency, and hardens isolation, all while keeping the familiar Docker-style workflow. That makes Kali a first-class citizen on macOS for red teams and hobbyists alike.
Containerization ships as a developer preview today and will be fully integrated when macOS 26 Tahoe lands, likely in September.
With Apple promising continued open-source development on GitHub and Kali maintaining official arm64 images, the gap between Mac hardware and Linux tooling just got dramatically smaller. Security researchers who usually carry extra laptops may soon find that one Mac will be enough for their needs.