Hi, is there any ETA on when we can see support for nested virtualization in MacOS VMs? Running Docker specifically would be nice.

In the latest 26.5, when creating a VM we can no longer disable SIP. We have confirmed we're using the proper admin user (anka) and its proper password (same one we log into the GUI with). It just keeps asking for the password as if it's wrong. It's critical we can disable SIP for VMs like we have been in previous versions.

Hi, I have two issues going on: Creation of macOS VMs requires autologin is enabled: Mon Apr 13 11:27:18 20 anka.log (ankahv) 511: pid 511: installing /Users/veertu/Library/Application Support/Veertu/Anka/img_lib/UniversalMac_15.6.1_24G90_Restore.ipsw... Mon Apr 13 11:27:20 40 anka.log (install) 511: (null): installation failed: Error Domain=VZErrorDomain Code=10007 "The virtual machine failed to start." UserInfo={NSLocalizedFailure=An error occurred during installation., NSLocalizedFailureReason=The virtual machine failed to start., NSUnderlyingError=0xca2c0ced0 {Error Domain=VZErrorDomain Code=-9 "The virtual machine encountered a security error." UserInfo={NSLocalizedFailure=Unable to access security information., NSLocalizedFailureReason=The virtual machine encountered a security error., NSUnderlyingError=0xca3029320 {Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument" UserInfo={NSLocalizedFailureReason=Failed to get current host key., NSUnderlyingError=0xca30292f0 {Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument" UserInfo=0xca2a88040 (not displayed)}}}}}} Mon Apr 13 11:27:20 40 anka.log (install) 511: (null): virtual machine stopped with error: Error Domain=VZErrorDomain Code=4 "Transition from state “error” to state “stopping” is invalid." UserInfo={NSLocalizedFailure=Invalid virtual machine state transition., NSLocalizedFailureReason=Transition from state “error” to state “stopping” is invalid.} Mon Apr 13 11:27:20 40 anka.log (install) 511: failed to install macOS: Error Domain=VZErrorDomain Code=10007 "The virtual machine failed to start." UserInfo={NSLocalizedFailure=An error occurred during installation., NSLocalizedFailureReason=The virtual machine failed to start., NSUnderlyingError=0xca2c0ced0 {Error Domain=VZErrorDomain Code=-9 "The virtual machine encountered a security error." UserInfo={NSLocalizedFailure=Unable to access security information., NSLocalizedFailureReason=The virtual machine encountered a security error., NSUnderlyingError=0xca3029320 {Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument" UserInfo={NSLocalizedFailureReason=Failed to get current host key., NSUnderlyingError=0xca30292f0 {Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument" UserInfo=0xca2a88040 (not displayed)}}}}}} Running a macOS 26.x VM fails for similar reasons, yet running a 15.x VM works fine: Mon Apr 13 11:20:10 20 0f5d4fe7-edac-4f6d-aebb-f185702f2c25.log (ankahv) 474: pid 474: session started on host 26.4.1 Mon Apr 13 11:20:10 40 0f5d4fe7-edac-4f6d-aebb-f185702f2c25.log (ankahv) 474: 0f5d4fe7-edac-4f6d-aebb-f185702f2c25: failed to start: Error Domain=VZErrorDomain Code=-9 "The virtual machine encountered a security error." UserInfo={NSLocalizedFailure=Unable to access security information., NSLocalizedFailureReason=The virtual machine encountered a security error., NSUnderlyingError=0x76f049e00 {Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument" UserInfo={NSLocalizedFailureReason=Failed to get current host key., NSUnderlyingError=0x76f049e60 {Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument" UserInfo={NSLocalizedFailureReason=Failed to create new HostKey., NSUnderlyingError=0x76f049dd0 {Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument" UserInfo=0x76ec49d60 (not displayed)}}}}}} Mon Apr 13 11:20:10 40 0f5d4fe7-edac-4f6d-aebb-f185702f2c25.log (ankanet) 474: failed to receive packets: Connection reset by peer This is super painful for us to manage since some of our users can't have autologin enabled (like major banks under strict MDM requirements). Or, AWS EC2 Macs which have no VNC enabled at all by default. What's the trick here to make sure we can consistently use virtualization without autologin?

We're trying to create 26.4 beta and RC VMs on 15.x and 26.3 host OS' without success. We see Tue Mar 17 17:27:36 40 anka.log (install) 45803: failed to install macOS: Error Domain=VZErrorDomain Code=10006 "Installation requires a software update." UserInfo={NSLocalizedFailure=A software update is required to complete the installation., NSLocalizedFailureReason=Installation requires a software update.} Yet, if we create it the same way on 26.4 beta host OS, it works. We've tried the usual tricks of installing latest Xcode and preparing it (accepting license, etc). But, they don't work on 26.3 and 15.x. What's the trick to get the creation of 26.4 to work on <= 26.3 host OS?

I'm trying to find the installer for Metal Toolchain 26. It seems to fix an issue I have but I don't want to have to install Xcode 26 just to get the toolchain installed. Is this possible?

We're seeing a pretty big problem with 15.x hosts and using SSH to execute builds. Yet this works just fine in the terminal over VNC. We see similar limitations with SSH and Virtualization too. They look related, but don't know. Xcode 16.4 15.4.1 Host OS Mac Mini M1. Let me know what else is needed. + xcodebuild -workspace /Users/veertu/anka-arm/./Anka.xcworkspace . . . build build /Users/veertu/anka-arm/build/Build/Products/Release/libpolicy.dylib: errSecInternalComponent Command CodeSign failed with a nonzero exit code ** BUILD FAILED ** /Users/veertu/anka-arm/build/Build/Products/Release/libpolicy.dylib: errSecInternalComponent Command CodeSign failed with a nonzero exit code ** BUILD FAILED ** Watching the Console logs I see . . . codesign CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION codesign error while checking integrity, denying access: CSSM CSSMERR_CSP_NO_USER_INTERACTION error 14:53:57.404848-0500 codesign SecKeyCreateSignature failed: Error Domain=NSOSStatusErrorDomain Code=-25308 "CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION" (errKCInteractionNotAllowed / errSecInteractionNotAllowed: / Interaction is not allowed with the Security Server.) UserInfo={numberOfErrorsDeep=0, NSDescription=CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION} default 14:53:57.405567-0500 codesign MacOS error: -2070 . . .

The VM gets a NAT IP just fine, but it doesn't have access through the proxy so I'm guessing 15.x macOS setup has a bug where it can't break out of a loop trying to phone home back to macOS. FBID: FB15689777 This is not an issue for 14.x VMs. It's also seen across different Virtualization tools.

https://feedbackassistant.apple.com/feedback/15645457 Metal passthrough on intel VMs causes com.apple.screensharing.menuextra to crash and screensharing to exit Create a 15.1 VM with metal passthrough on 15.0.1 or 15.1 host, enable Screen Sharing, then try connecting to with VNC after restarting the machine. I'm using Anka to create the VM. You'll see VNC work (open vnc://192.168.64.3:5900), then a few seconds in show "Reconnecting...", then work, then go to "Reconnecting..." for ~5m until it eventually works consistently. You'll see launchd showing exits/failures (see screenshots) You'll see diagnostic reports showing things like: Thread 0 Crashed:: Dispatch queue: com.apple.RenderBox.Encoder 0 libsystem_kernel.dylib 0x7ff801da5b52 __pthread_kill + 10 1 libsystem_pthread.dylib 0x7ff801ddff85 pthread_kill + 262 2 libsystem_c.dylib 0x7ff801d00b19 abort + 126 3 libsystem_c.dylib 0x7ff801cffddc __assert_rtn + 314 4 Metal 0x7ff80d045d72 MTLReportFailure.cold.1 + 41 5 Metal 0x7ff80d01fa2a MTLReportFailure + 513 6 Metal 0x7ff80cfb74e0 +[MTLLoader sliceIDForDevice:legacyDriverVersion:airntDriverVersion:] + 200 7 Metal 0x7ff80cf265c9 +[_MTLBinaryArchive(MTLBinaryArchiveInternal) deserializeBinaryArchiveHeader:fileData:device:] + 89 8 Metal 0x7ff80cf10f0c -[_MTLBinaryArchive loadFromURL:error:] + 537 9 Metal 0x7ff80cf10288 -[_MTLBinaryArchive initWithOptions:device:url:error:] + 844 10 RenderBox 0x7ff9041a15fd RB::(anonymous namespace)::load_library_archive(NSBundle*,

We're creating macOS VMs on both 15.x and 14.x hosts and only the 14.x created VMs can run on both 15 and 14 hosts. If we create the VMs on 15.x, something is done by Virtualization that prevents it from running on 14.x. We've tried digging in and don't see anything that our code is doing that's special. What is Apple doing to the VMs created on 15.x hosts that's special here?

Hello, here is what I'm doing: I creating AWS macOS instance I then set up a /Library/LaunchDaemon plist file that runs a bash script: &amp;#9;&lt;?xml version="1.0" encoding="UTF-8"?&gt; &amp;#9;&lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "XXXXX/DTDs/PropertyList-1.0.dtd"&gt; &amp;#9;&lt;plist version="1.0"&gt; &amp;#9;&lt;dict&gt; &amp;#9;&amp;#9;&lt;key&gt;Label&lt;/key&gt; &amp;#9;&amp;#9;&lt;string&gt;aws-ec2-mac-amis.cloud-connect&lt;/string&gt; &amp;#9;&amp;#9;&lt;key&gt;ProgramArguments&lt;/key&gt; &amp;#9;&amp;#9;&lt;array&gt; &amp;#9;&amp;#9;&amp;#9;&lt;string&gt;/usr/bin/env&lt;/string&gt; &amp;#9;&amp;#9;&amp;#9;&lt;string&gt;/Users/ec2-user/aws-ec2-mac-amis/cloud-connect.bash&lt;/string&gt; &amp;#9;&amp;#9;&lt;/array&gt; &amp;#9;&amp;#9;&lt;key&gt;RunAtLoad&lt;/key&gt; &amp;#9;&amp;#9;&lt;true/&gt; &amp;#9;&amp;#9;&lt;key&gt;WorkingDirectory&lt;/key&gt; &amp;#9;&amp;#9;&lt;string&gt;/Users/ec2-user&lt;/string&gt; &amp;#9;&amp;#9;&lt;key&gt;StandardErrorPath&lt;/key&gt; &amp;#9;&amp;#9;&lt;string&gt;/var/log/cloud-connect.log&lt;/string&gt; &amp;#9;&amp;#9;&lt;key&gt;StandardOutPath&lt;/key&gt; &amp;#9;&amp;#9;&lt;string&gt;/var/log/cloud-connect.log&lt;/string&gt; &amp;#9;&amp;#9;&lt;key&gt;EnableTransactions&lt;/key&gt; &amp;#9;&amp;#9;&lt;true/&gt; &amp;#9;&amp;#9;&lt;key&gt;ExitTimeOut&lt;/key&gt; &amp;#9;&amp;#9;&lt;string&gt;300&lt;/string&gt; &amp;#9;&lt;/dict&gt; &amp;#9;&lt;/plist&gt; I've tried this same list without EnableTransactions and there is no difference. This works and my bash script runs just fine: #!/bin/bash set -exo pipefail [[ ! $EUID -eq 0 ]] &amp;&amp; echo "RUN AS ROOT!" &amp;&amp; exit 1 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &gt;/dev/null 2&gt;&amp;1 &amp;&amp; pwd )" cd $SCRIPT_DIR echo "Waiting for networking..." while ! ping -c 1 -n github.com &amp;&gt; /dev/null; do sleep 1; done git pull . ./_helpers.bash disjoin() { &amp;#9;set -x &amp;#9;/usr/local/bin/ankacluster disjoin &amp; &amp;#9;CERTS="" &amp;#9;[[ ! -z "$CLOUD_CONNECT_CERT" ]] &amp;&amp; CERTS="--cert $CLOUD_CONNECT_CERT" &amp;#9;[[ ! -z "$CLOUD_CONNECT_KEY" ]] &amp;&amp; CERTS="$CERTS --cert-key $CLOUD_CONNECT_KEY" &amp;#9;[[ ! -z "$CLOUD_CONNECT_CA" ]] &amp;&amp; CERTS="$CERTS --cacert $CLOUD_CONNECT_CA" &amp;#9;NODE_ID="$(curl -s $CERTS "${ANKA_CONTROLLER_ADDRESS}/api/v1/node" | jq -r ".body | .[] | select(.node_name==\"$(hostname)\") | .node_id")" &amp;#9;curl -s $CERTS -X DELETE "${ANKA_CONTROLLER_ADDRESS}/api/v1/node" -H "Content-Type: application/json" -d "{\"node_id\": \"$NODE_ID\"}" } Grab the ENVS the user sets in user-data if [[ ! -e $CLOUD_CONNECT_PLIST_PATH ]]; then &amp;#9;mkdir -p $LAUNCH_LOCATION cat &gt; $CLOUD_CONNECT_PLIST_PATH &lt;&lt;EOD &amp;#9;&lt;?xml version="1.0" encoding="UTF-8"?&gt; &amp;#9;&lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt; &amp;#9;&lt;plist version="1.0"&gt; &amp;#9;&lt;dict&gt; &amp;#9;&amp;#9;&lt;key&gt;Label&lt;/key&gt; &amp;#9;&amp;#9;&lt;string&gt;aws-ec2-mac-amis.cloud-connect&lt;/string&gt; &amp;#9;&amp;#9;&lt;key&gt;ProgramArguments&lt;/key&gt; &amp;#9;&amp;#9;&lt;array&gt; &amp;#9;&amp;#9;&amp;#9;&lt;string&gt;/usr/bin/env&lt;/string&gt; &amp;#9;&amp;#9;&amp;#9;&lt;string&gt;/Users/ec2-user/aws-ec2-mac-amis/cloud-connect.bash&lt;/string&gt; &amp;#9;&amp;#9;&lt;/array&gt; &amp;#9;&amp;#9;&lt;key&gt;RunAtLoad&lt;/key&gt; &amp;#9;&amp;#9;&lt;true/&gt; &amp;#9;&amp;#9;&lt;key&gt;WorkingDirectory&lt;/key&gt; &amp;#9;&amp;#9;&lt;string&gt;/Users/ec2-user&lt;/string&gt; &amp;#9;&amp;#9;&lt;key&gt;StandardErrorPath&lt;/key&gt; &amp;#9;&amp;#9;&lt;string&gt;/var/log/cloud-connect.log&lt;/string&gt; &amp;#9;&amp;#9;&lt;key&gt;StandardOutPath&lt;/key&gt; &amp;#9;&amp;#9;&lt;string&gt;/var/log/cloud-connect.log&lt;/string&gt; &amp;#9;&amp;#9;&lt;key&gt;EnableTransactions&lt;/key&gt; &amp;#9;&amp;#9;&lt;true/&gt; &amp;#9;&amp;#9;&lt;key&gt;ExitTimeOut&lt;/key&gt; &amp;#9;&amp;#9;&lt;string&gt;300&lt;/string&gt; &amp;#9;&lt;/dict&gt; &amp;#9;&lt;/plist&gt; EOD &amp;#9;launchctl load -w $CLOUD_CONNECT_PLIST_PATH else &amp;#9;echo "$(date) ($(whoami)): Attempting join..." &amp;#9;Check if user-data exists &amp;#9;[[ ! -z "$(curl -s XXXX/latest/user-data | grep 404)" ]] &amp;&amp; echo "Could not find required ANKA_CONTROLLER_ADDRESS in instance user-data!" &amp;&amp; exit 1 &amp;#9;create user ENVs for this session &amp;#9;$(curl -s XXXX/latest/user-data | sed 's/\"//g') &amp;#9;IF the user wants to change the IP address for the registry domain name (if they want to use a second EC2 registry for better speed), handle setting the /etc/hosts &amp;#9;if [[ ! -z "$ANKA_REGISTRY_OVERRIDE_IP" &amp;&amp; ! -z "$ANKA_REGISTRY_OVERRIDE_DOMAIN" ]]; then &amp;#9;&amp;#9;&amp;#9;modify_hosts $ANKA_REGISTRY_OVERRIDE_DOMAIN $ANKA_REGISTRY_OVERRIDE_IP &amp;#9;fi &amp;#9;Ensure that anytime the script stops, we disjoin first &amp;#9;/usr/local/bin/ankacluster join $ANKA_CONTROLLER_ADDRESS $ANKA_JOIN_ARGS &amp;#9;trap disjoin 0 Disjoin after we joined properly to avoid unloading prematurely &amp;#9;set +x &amp;#9;while true; do &amp;#9;&amp;#9;sleep 1 &amp; &amp;#9;&amp;#9;wait $! &amp;#9;done fi I see the process running, and the host has connected to the remote server's controller: root&amp;#9;&amp;#9;&amp;#9;&amp;#9;&amp;#9;&amp;#9;46851&amp;#9; 0.0&amp;#9;0.0&amp;#9;4283172&amp;#9; 1120&amp;#9; ??&amp;#9;Ss&amp;#9;&amp;#9;8:49PM&amp;#9; 0:00.09 /bin/bash /Users/ec2-user/aws-ec2-mac-amis/cloudconnect.bash However, when I terminate the AWS instance, the process stays running and the bash script's trap is never attempted (at least according to the logs). This could very well be an AWS specific issue, however, I wanted to check here and see if I was potentially missing something important. Some things that do work: I can sudo shutdown -r now inside of the host and it disjoins properly before the host shuts down. I can sudo launchctl -w unload inside of the host and it disjoins properly, too.