Native Incus for Apple Silicon

Incus on your Mac, the native way.

bladerunner runs a full Incus daemon in a Debian 13 VM built directly on Apple’s Virtualization.framework — no Lima, no Colima, no QEMU layer in between. brew install, br start, and you’re running containers and VMs on Apple Silicon. Then br web opens the Incus dashboard already signed in with your SSH key.

View on GitHub →

Apple Silicon · macOS 13+ · M1–M4 · v0.4.7

br — zsh — 80×24
$ brew install stuffbucket/tap/bladerunner signed with Virtualization entitlement $ br start booting Debian 13 (trixie)… cloud-init: installing incus… Incus ready · https://127.0.0.1:18443 SSH · 127.0.0.1:6022 $ br web → opening dashboard, signed in with your SSH key
Incus web UI, logged in via SSH-key single sign-on

The marquee feature

Open the dashboard already logged in.

br web opens the Incus dashboard and you land already logged in — no password, no client-cert prompt, no OIDC setup. bladerunner proves possession of the same SSH key you use for br ssh and hands the browser a session. (Approving from another terminal? br web approve works too.)

br — zsh
$ br web # no password · no cert prompt · no OIDC

What you get

Fewer moving parts. More Incus.

Browser sign-on with your SSH key

br web opens the Incus dashboard and you land already logged in — no password, no client-cert prompt, no OIDC setup. bladerunner proves possession of the same SSH key you use for br ssh and hands the browser a session. (Approving from another terminal? br web approve works too.)

Native Apple Virtualization.framework

Built straight on Apple’s Virtualization.framework via Code-Hex/vz — no nested Lima/Colima orchestration, no QEMU translation overhead. The binary is auto-signed with the Virtualization entitlement when you install from Homebrew.

Debian 13 guest, Incus bootstrapped for you

Boots a Debian 13 (trixie) genericcloud image and brings up the Incus daemon via cloud-init. incus and incus-client ship in trixie main, so there are no third-party apt repos to trust. Ubuntu and other cloud images are reachable with --image-url.

Localhost everything, over vsock

SSH and the Incus HTTPS API are forwarded to localhost through virtio-vsock — SSH on 127.0.0.1:6022, the Incus API and UI on https://127.0.0.1:18443. No bridge to configure, no firewall holes to poke.

Save, restore, and auto-start

br save pauses the guest, snapshots its machine state to disk, and resumes; br restore brings it right back. Commands offer to boot the VM when it isn’t running, so you rarely have to think about lifecycle. Nested virtualization is on by default, so Incus VMs work out of the box.

Optional bridged L2 networking

Want the VM to have a real presence on your network? Run with --network-mode bridged --bridge-interface en0 for transparent layer-2 networking (requires the additional VM networking entitlement).

A terminal UI that respects your terminal

Live progress for long-running steps, rotating structured logs with stage-level observability, and a startup report with all your VM, network, and access details — rendered with a clean charm/lipgloss interface.

From zero

From zero to Incus in five steps.

  1. 01

    Install. The binary is automatically code-signed with the required Virtualization entitlement during install.

    br — zsh
    $ brew install stuffbucket/tap/bladerunner
  2. 02

    Start the VM. First boot takes a few minutes while cloud-init installs and configures Incus. A startup report is printed and saved to ~/.local/state/bladerunner/startup-report.json.

    br — zsh
    $ br start
  3. 03

    Open the web UI — already signed in. Lands you in the Incus dashboard authenticated with your SSH key.

    br — zsh
    $ br web
  4. 04

    SSH in. Show connection details, or connect directly on the forwarded port.

    br — zsh
    $ br ssh # show connection details $ ssh -p 6022 incus@127.0.0.1
  5. 05

    Snapshot and resume. Pause and snapshot the machine state, then bring it right back.

    br — zsh
    $ br save # pause, snapshot machine state, resume $ br restore # bring the VM back from saved state

Requirements

Apple Silicon (M1–M4), macOS 13+ (Ventura or later). Save/restore needs macOS 14+. Intel Macs are not supported.

How it differs

Without the Lima/Colima layer underneath.

bladerunner gives you the core of a colima --runtime incus setup without the Lima/Colima orchestration layer underneath. Instead of stacking a VM manager on top of QEMU on top of your Mac, it talks to Apple’s Virtualization.framework directly: architecture-aware Debian defaults, Incus bootstrapped via cloud-init, and SSH + the Incus API forwarded to localhost over vsock. The result is fewer moving parts, a faster path to a working Incus, and one extra trick neither tool offers — opening the Incus web dashboard already authenticated with your SSH key.

Typical colima --runtime incus

  • your Mac
  • QEMU
  • Lima
  • Colima
  • Incus

bladerunner

  • your Mac
  • Virtualization.framework
  • Incus

Run Incus on your Mac. One command.

$ brew install stuffbucket/tap/bladerunner
GitHub ↗