Architecture
OrbStack runs a single lightweight Linux virtual machine whose kernel is shared by every container and Linux machine, which minimizes overhead and saves resources, similar to WSL 2 (Windows Subsystem for Linux). This architecture has many advantages: high efficiency, low resource usage, seamless integration with macOS, and more.
Services built from scratch
Vertical integration plays a key role in OrbStack's advantages and seamless integration. All important services have been purpose-built from scratch to work with each other, tailored to the specific needs of OrbStack and its virtual environment, instead of using off-the-shelf programs. Low-level Linux tuning and optimizations are also included to make everything work efficiently.
Services are written in a mix of Swift, Go, Rust, and C.
Low-level VM optimizations
The lightweight virtual machine is heavily tuned with both low-level and high-level optimizations to improve performance, save power, and minimize resource usage. This includes novel optimizations built specifically for OrbStack, macOS, and Apple Silicon.
On Apple Silicon, x86-64 Linux programs run under Rosetta, which is much faster than the commonly used QEMU emulation.
File sharing
OrbStack builds on top of a modern base (VirtioFS) with custom dynamic caching and optimizations to provide fast bind mounts and access to Mac files.
We also provide low-latency, bidirectional file sharing for container images, volumes, and machines through a mount at ~/OrbStack.
Docker
A Docker engine runs alongside Linux machines in the OrbStack VM. This allows you to run containers and machines at the same time with low resource usage.
The engine's Unix socket is forwarded to macOS, so the Docker CLI and other tools on the Mac talk to it directly. This design is similar to other apps, but simpler and more specialized to reduce overhead.
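Whoever can write to a Docker engine socket controls the engine, which runs as root inside the VM, so it is worth confirming where the forwarded socket lives on the Mac and who can write to it. The script below is an added example, not OrbStack's own code: it asks the Docker CLI which endpoint it will use (DOCKER_HOST or the active context), extracts the socket path, and checks ownership and permissions with `ls -l` so it behaves the same on macOS and Linux. No socket path is assumed.

```shell
#!/usr/bin/env bash
# Added example, not OrbStack's code. Run on the Mac:  ./check-socket.sh check
set -euo pipefail

# Extract the filesystem path from a unix:// endpoint; fail for tcp:// and others.
unix_socket_from_host() {
  case "$1" in
    unix://*) printf '%s\n' "${1#unix://}" ;;
    *) return 1 ;;
  esac
}

# Which endpoint will `docker` use? DOCKER_HOST overrides the active context.
docker_socket_path() {
  local host=${DOCKER_HOST:-}
  if [ -z "$host" ]; then
    host=$(docker context inspect --format '{{.Endpoints.docker.Host}}')
  fi
  unix_socket_from_host "$host"
}

# 0 if the file is owned by the caller and not writable by group or others.
# `ls -ld` gives "srw------- 1 user staff ..." on macOS and Linux alike.
socket_is_private() {
  local path=$1 mode owner
  read -r mode _ owner _ <<<"$(ls -ld "$path")"
  mode=${mode:0:10}
  [ "$owner" = "$(id -un)" ] || return 1
  case "$mode" in
    ?????w????|????????w?) return 1 ;;   # group- or world-writable
  esac
  return 0
}

check_docker_socket() {
  local sock
  sock=$(docker_socket_path) || { echo "endpoint is not a unix socket" >&2; return 1; }
  if socket_is_private "$sock"; then
    echo "ok: $sock is owned by $(id -un) and not group/world-writable"
  else
    echo "warning: $sock is writable by other users; they control the engine" >&2
    return 1
  fi
}

if [ "${1:-}" = check ]; then
  check_docker_socket
fi
```

A `tcp://` endpoint makes `check_docker_socket` fail on purpose: a TCP engine endpoint has no filesystem permissions to inspect and should be treated as a separate question (is it bound to loopback, is TLS on).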
Linux machines
OrbStack runs full-blown Linux machines that work almost exactly like traditional virtual machines, all while sharing the same kernel. Init systems including systemd, OpenRC, and runit are fully functional, allowing you to run services as usual. 15 distros are available and support for custom distros is planned.
Strictly speaking, OrbStack machines are not independent VMs, but they're virtually indistinguishable for most intents and purposes — just with better integration. This is why we choose to call them "machines".
This architecture brings unparalleled efficiency and flexibility: machines can be created and destroyed in under a minute, and you can run dozens of machines simultaneously without breaking a sweat.
Network
Access to the outside network is provided by a custom virtual network stack tuned for performance. NAT is used for both IPv4 and IPv6, and a custom DNS server forwards DNS queries to macOS, so containers and machines follow the Mac's VPN and DNS settings.
Containers and machines are connected to unified bridge networks, allowing them to communicate with each other and with macOS directly by IP address. Host networking is also available.
Event-based port forwarding makes servers instantly available at localhost on macOS.
Security
Linux machines are trusted by design: their integration with macOS (shared files, networking, and so on) gives code inside them access to the Mac, so a machine is not a security boundary. Support for isolated machines without integration is planned. To run untrusted code today, start a container with systemd-nspawn or LXD inside a machine to get an isolated environment.
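The following is an added example of the systemd-nspawn route, not OrbStack's own tooling. Run as root inside an OrbStack Linux machine (a Debian/Ubuntu machine is assumed, for `apt-get` and `debootstrap`), it builds a minimal Debian rootfs and runs commands in it with the two settings that turn nspawn into a real boundary for untrusted code: `--private-network`, which leaves the container only a loopback interface and therefore no route to the VM bridge, macOS, or the internet, and `-U`, which gives it a private user namespace so that uid 0 inside is an unprivileged shifted uid in the machine. It then checks both properties from inside the container. `ROOT`, `SUITE` and `MIRROR` are assumed values, not OrbStack defaults.

```shell
#!/usr/bin/env bash
# Added example, not OrbStack's tooling. Inside a machine, as root:  ./sandbox.sh run
set -euo pipefail

ROOT=${ROOT:-/var/lib/machines/sandbox}        # assumed location
SUITE=${SUITE:-bookworm}                        # assumed Debian release
MIRROR=${MIRROR:-http://deb.debian.org/debian}

# Isolation flags, kept in one function so they can be reviewed and checked.
#   --private-network: loopback only, no path off the container
#   -U: private user namespace with a shifted uid range (root inside != root outside)
nspawn_flags() {
  printf '%s\n' --machine=sandbox --private-network -U
}

# True if an interface list (the names under /sys/class/net) is exactly "lo".
interfaces_only_loopback() {
  # shellcheck disable=SC2086
  set -- $1
  [ "$#" -eq 1 ] && [ "$1" = lo ]
}

# /proc/self/uid_map lines read "<inside> <outside> <count>". Without -U the
# first line is "0 0 4294967295"; with -U the outside uid is a high, unprivileged one.
uid_map_is_shifted() {
  local inside outside _count
  read -r inside outside _count <<<"$1"
  [ "$inside" = 0 ] && [ "$outside" != 0 ]
}

bootstrap_rootfs() {
  if [ ! -x "$ROOT/bin/sh" ]; then
    apt-get install -y systemd-container debootstrap
    debootstrap --variant=minbase "$SUITE" "$ROOT" "$MIRROR"
  fi
}

# Run a command inside the sandbox with the isolation flags above.
run_in_sandbox() {
  # shellcheck disable=SC2046
  systemd-nspawn --quiet -D "$ROOT" $(nspawn_flags) "$@"
}

verify_isolation() {
  local ifaces map
  ifaces=$(run_in_sandbox ls /sys/class/net)
  map=$(run_in_sandbox cat /proc/self/uid_map)
  interfaces_only_loopback "$ifaces" || { echo "FAIL: interfaces inside: $ifaces" >&2; return 1; }
  uid_map_is_shifted "$map"          || { echo "FAIL: uid 0 maps to real root: $map" >&2; return 1; }
  echo "ok: loopback only; uid_map: $map"
}

if [ "${1:-}" = run ]; then
  bootstrap_rootfs
  verify_isolation
fi
```

If you need to hand the sandbox a directory from the machine, add a `--bind-ro=` for that one path rather than relaxing `--private-network` or dropping `-U`; the point of the two flags is that nothing inside can reach the machine's macOS integration or act as the machine's root.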
Internal OrbStack services are protected by a firewall to ensure that untrusted code running in containers cannot tamper with them.
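A practitioner will want to see that firewall from the untrusted side. The script below is an added example, not OrbStack's own code, meant to be run inside a container: it reads the container's IPv4 default gateway from /proc/net/route (an address on the VM's bridge, the first hop toward the VM and macOS) and attempts TCP connections to a list of ports there using bash's `/dev/tcp`, so it needs no scanning tools in the container. The port list is an assumption, since this page does not document which ports OrbStack's internal services use; set `PORTS` to whatever you want to confirm is filtered. A connect that succeeds means something on the VM side answers; a timeout or refusal means the port is filtered or closed. The sample routing table is constructed for offline use.

```shell
#!/usr/bin/env bash
# Added example, not OrbStack's code. Inside a container:  ./probe-gateway.sh probe
set -euo pipefail

PORTS=${PORTS:-"22 80 443 2375 2376"}   # assumed list; not OrbStack's documented ports
TIMEOUT=${TIMEOUT:-2}

# /proc/net/route stores IPv4 addresses as little-endian hex: "0101A8C0" is 192.168.1.1.
hex_le_to_ip() {
  local h=$1
  printf '%d.%d.%d.%d\n' "0x${h:6:2}" "0x${h:4:2}" "0x${h:2:2}" "0x${h:0:2}"
}

# Print the IPv4 default gateway from a table in /proc/net/route format
# (default: the live one). The default route is the row whose destination is 0.
default_gateway() {
  local file=${1:-/proc/net/route} iface dest gw _rest
  while read -r iface dest gw _rest; do
    if [ "$dest" = 00000000 ]; then
      hex_le_to_ip "$gw"
      return 0
    fi
  done < "$file"
  return 1
}

# Constructed sample table (not captured from a real system), for testing offline.
sample_route_file() {
  local f
  f=$(mktemp)
  printf 'Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\n' > "$f"
  printf 'eth0\t00000000\t0101A8C0\t0003\t0\t0\t0\t00000000\n' >> "$f"
  printf 'eth0\t0001A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\n' >> "$f"
  printf '%s\n' "$f"
}

# 0 if a TCP connect to host:port completes within TIMEOUT seconds.
probe_tcp() {
  timeout "$TIMEOUT" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

probe_gateway() {
  local gw port
  gw=$(default_gateway) || { echo "no IPv4 default route" >&2; return 1; }
  echo "default gateway: $gw"
  for port in $PORTS; do
    if probe_tcp "$gw" "$port"; then
      echo "  $port/tcp: OPEN (something on the VM side answers)"
    else
      echo "  $port/tcp: filtered or closed"
    fi
  done
}

if [ "${1:-}" = probe ]; then
  probe_gateway
fi
```

Run it from a container started with the default bridge network, not host networking: with host networking the container shares the VM's network namespace and the probe would be looking at the wrong side of the firewall.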
On Apple Silicon, KASLR (Kernel Address Space Layout Randomization) protection is augmented by a security feature that doesn't incur the overhead of KPTI mitigations, speeding up system calls without degrading security.