What is Apple’s new native containerization feature in macOS, and how does it change Kali Linux deployment for cybersecurity professionals?

Apple introduced a powerful new feature at WWDC 25: native containerization for macOS, which allows users to run Open Container Initiative (OCI) images like Kali Linux using lightweight virtual machines. This means cybersecurity professionals can now spin up secure, fast Kali environments directly on macOS Sequoia (15) without needing Docker Desktop. The system leverages Apple Silicon and provides stronger isolation, faster cold starts, and compatibility with popular OCI images. Full support is expected with macOS Tahoe (26), bridging the gap between Mac users and Linux-based security tools.

Apple quietly introduced a powerful new feature at WWDC 2025 — a native containerization stack for macOS. This update allows developers and cybersecurity professionals to run Open Container Initiative (OCI) images, like Kali Linux, inside lightweight virtual machines (VMs), without needing Docker Desktop.

Let’s explore what this means, how it works, and why it matters.

What Is Apple’s New Container Feature?

The new tool, simply called container, is a command-line interface (CLI) for launching Linux containers directly on macOS Sequoia (version 15.5 or later). Instead of relying on Docker’s heavy VM setup, Apple uses its own Containerization.framework and Virtualization.framework to spin up isolated, fast-loading micro-VMs.

This means you can now run Kali Linux with better performance and security — all natively on your Mac.

Key Benefits of Apple’s Native Containers

| Feature | Apple Containerization | Docker Desktop |
|---|---|---|
| Startup Speed | < 1 second | Slower due to large VM overhead |
| Isolation Level | Each container in its own VM | All containers share one VM |
| macOS Integration | Deep system-level integration | Requires external LinuxKit VM |
| Resource Usage | Minimal and optimized | High memory and CPU consumption |
| Security | Strong isolation by design | Greater risk of lateral movement |

How to Set Up Kali Linux on macOS Using Container

You can get started in just a few minutes:

1. Install the Container CLI

Make sure your Mac is Apple Silicon and running macOS 15.5 or newer. Then install via Homebrew:

brew install --cask container

2. Start the Container System

container system start

The tool will prompt you to download a slim Kata Containers kernel — just accept it.

3. Run Kali Linux Instantly

To open an interactive Kali shell:

container run --rm -it kalilinux/kali-rolling

4. For Persistent Workspace

To mount your current working directory inside the Kali container:

container run --rm -it -v "$(pwd)":/mnt -w /mnt kalilinux/kali-rolling
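
The four steps above, wrapped in preflight checks (an added example, not code from Apple or from the original article). It verifies the requirements stated on this page (Apple Silicon, macOS 15.5 or newer) and refuses to mount / or your home directory, because everything under a -v mount is readable and writable by whatever runs inside Kali. The function names host_supported, workspace_ok and launch_kali are hypothetical; the container commands are the ones shown above.

```shell
#!/bin/sh
# Added example: guard rails around the setup steps on this page.

# host_supported ARCH VERSION
# Succeeds only for Apple Silicon ("arm64" from `uname -m`) on macOS 15.5 or newer.
host_supported() {
    [ "$1" = "arm64" ] || return 1
    major=${2%%.*}
    rest=${2#*.}
    [ "$rest" = "$2" ] && rest=0      # a version such as "26" has no minor field
    minor=${rest%%.*}
    [ "$major" -gt 15 ] && return 0
    [ "$major" -eq 15 ] && [ "$minor" -ge 5 ]
}

# workspace_ok DIR HOME_DIR
# Rejects DIR when it is HOME_DIR itself or any ancestor of it (/, /Users, ...),
# so the container never sees SSH keys, cloud credentials or browser profiles.
workspace_ok() {
    case "$2/" in
        "${1%/}/"*) return 1 ;;
    esac
    [ -d "$1" ]                        # the workspace must already exist
}

# launch_kali DIR
# Runs the page's commands with DIR mounted at /mnt instead of a blind $(pwd).
launch_kali() {
    host_supported "$(uname -m)" "$(sw_vers -productVersion)" || {
        echo "container needs Apple Silicon and macOS 15.5 or newer" >&2
        return 1
    }
    workspace_ok "$1" "$HOME" || {
        echo "refusing to mount '$1': use a dedicated engagement directory" >&2
        return 1
    }
    container system start &&
        container run --rm -it -v "$1":/mnt -w /mnt kalilinux/kali-rolling
}

# Usage (after sourcing this file), with a constructed example path:
#   launch_kali "$HOME/engagements/acme"
```

Because the session is started with --rm, only files written under /mnt survive after the shell exits.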

Why This Is a Big Deal for Cybersecurity Pros

Before this update, Mac users had to rely on:

  • Full-blown VMs (e.g., using VirtualBox or UTM)

  • Docker Desktop, which uses a shared Linux VM

  • Dual-boot setups or remote environments

Apple’s native solution simplifies everything:

  • No more bloated virtual machines

  • Sub-second container launches

  • Better performance and lower power usage

  • Stronger isolation per container

  • A cleaner, Docker-style CLI workflow

What Are the Limitations?

  • Networking Issues: On macOS 15, containers may launch without an IP or lose DNS. Apple is working on this for the macOS 26 “Tahoe” release.

  • Intel Macs Not Supported: Only Apple Silicon Macs are officially supported.

  • Beta Stage: The feature is in developer preview and will fully launch in Fall 2025 with macOS 26.

Apple’s Version of WSL 2?

Yes — just like Microsoft’s WSL 2 lets you run Linux on Windows, Apple’s new containerization system does the same for macOS. However, Apple takes it a step further by isolating each container in its own VM, instead of sharing one.

This increases security significantly, especially for red teams, penetration testers, and security researchers who need to run risky tools without affecting the host system.

What This Means for Kali Linux Users on Mac

Kali Linux is the go-to OS for ethical hacking and security testing. With this update:

  • You can run Kali natively and fast on macOS

  • No need to manage Docker or install separate VMs

  • Lower system overhead means longer battery life on MacBooks

It also means macOS becomes a true one-device platform for security pros, developers, and students learning ethical hacking.

Conclusion

Apple’s containerization stack is a huge step forward for developers and cybersecurity professionals on macOS. With OCI image support, full Linux integration, and strong security features, tools like Kali Linux now run with better performance, lighter footprint, and tighter isolation — all without Docker.

The developer preview is live now, and macOS 26 “Tahoe” will bring full networking and stability improvements in Fall 2025.

FAQs

What is Apple’s native containerization feature in macOS 15?

It’s a new developer tool that allows macOS to run OCI containers inside lightweight virtual machines, enabling fast, isolated environments like Kali Linux.

How do I install Apple’s Container CLI on macOS?

You can install it using Homebrew with the command: brew install --cask container.

Is Docker still required to run Kali Linux on macOS?

No, with Apple’s new native containerization, you no longer need Docker Desktop to run Kali Linux.

What macOS version is required to use this container feature?

You need macOS Sequoia 15.5 or later to use the new Container CLI.

Can I mount volumes with Apple’s container tool like Docker?

Yes, you can mount the current directory using the -v flag similar to Docker.

Does this new container method support Intel Macs?

No, this feature is exclusive to Apple Silicon Macs.

How is Apple’s containerization different from Docker?

Each container runs in its own lightweight VM for better isolation, unlike Docker, which shares one VM.

What kernel does Kali Linux run inside this container?

It runs the latest aarch64 Linux kernel (e.g., 6.12) provided by the kalilinux/kali-rolling image.

Is networking fully functional in these containers?

Not yet—Apple notes some issues with IP and DNS in macOS 15, with improvements expected in macOS 26.

Will macOS Tahoe 26 include full container support?

Yes, Apple says full container integration will come with macOS 26 this fall.

What’s the default image used to launch Kali in Apple containers?

The official kalilinux/kali-rolling image from Docker Hub.

How fast do these containers launch?

They offer sub-second cold starts thanks to lightweight VM architecture.

Is this tool open source?

Apple has committed to continuing development on GitHub.

Why is this important for red teamers?

It makes Kali Linux easily accessible on macOS with better performance and security, ideal for penetration testing.

Can I persist data inside containers?

Yes, use volume mounting with -v and set a working directory with -w.

What is the underlying framework powering this tool?

It’s built on Swift using Apple’s Containerization and Virtualization frameworks.

How does this compare to WSL 2 on Windows?

Like WSL 2, each environment runs in its own VM, but Apple’s approach offers stronger isolation by using separate micro-VMs.

What is the benefit of per-container VMs?

They eliminate lateral movement risks common in shared-VM systems like Docker Desktop.

Will this impact Docker Desktop adoption on macOS?

Yes, many developers may prefer Apple’s native, faster, and more secure solution.

Can I use other OCI images with this feature?

Yes, any OCI-compliant image should work out of the box.

Is this feature stable?

It’s currently in developer preview and expected to stabilize by the macOS 26 release.

What command starts a container?

Use container run --rm -it kalilinux/kali-rolling to start a Kali session.

What’s Apple’s motivation behind this tool?

To improve security, speed, and developer experience for containerized apps on macOS.

Can this replace my VM-based Kali setup?

Yes, it offers a lighter, faster alternative to full VMs or Docker-based setups.

How does Apple ensure container isolation?

Each container uses a dedicated VM, reducing attack surface and system-wide exposure.

Is this available via Apple’s official developer tools?

Yes, it was announced at WWDC 25 and is part of macOS’s developer tools.

How does I/O performance compare to Docker?

Apple claims near-native I/O performance due to minimal translation layers.

Can this be used in enterprise environments?

Yes, once fully stable, it’s well-suited for secure, efficient enterprise workflows.

What is Kata Containers and why is it needed?

It’s a lightweight VM kernel that Apple uses for its container environments, downloaded during setup.

Does this mean Docker is obsolete on macOS?

Not yet, but Apple’s solution is a compelling alternative for many use cases.
