Make a ~/vmshare folder on the host for sharing with VMs.
$ brew install --cask virtualbuddyIn VirtualBuddy, create a new VM with the "+" button in the toolbar.
- I chose macOS Tahoe 26.1 RC.
- I named it "Tahoe 26.1".
- Select to automatically configure the display.
- Attach your shared folder.
- When it's done, dismiss the window.
Launch it and go through setup.
After setup, find the VirtualBuddy helper app and run it. It should hook up clipboard and file sharing.
Power off the working VM. In VirtualBuddy, right-click it and Duplicate. Change its name to something that makes it clear it is a snapshot or template.
$ brew install --cask virtualbuddyIn VirtualBuddy, create a new VM with the "+" button in the toolbar.
- I chose Fedora 42.1.1.
- I named it "Fedora 42".
- For the moment, enter 1024x768 for your display resolution. This will keep the installer at a readable size for a Retina screen.
- There was a bug here: Typing a number didn't affect given dimension until I also typed return.
- Attach your shared folder.
- If you'll run intel binaries in the VM, share Rosetta.
- When it's done, dismiss the window.
Launch it and go through the installer.
- You can use the graphical installer.
- For some step, if you don't know what to choose, take the default.
- For the software selection, I chose Fedora Workstation with no additions.
- I made the root and regular users.
When it's done, approve restart, full-screen the window, and sign in.
Click through or skip the tour.
Right-click the desktop and choose Display Settings, then select a new resolution, and choose 200% scale for a retina display. That's good enough for now.
Besides display resolution, I changed these settings from their defaults:
- In Settings, Mouse & Touchpad:
- Scroll Direction: Natural
- In Settings, Accessibility, Typing, Repeat Keys:
- Delay: All the way left, then right-arrow 10 times
You should already be able to copy and paste between your machine and the VM.
Open a terminal.
$ sudo mkdir -p /mnt/VirtualBuddyShared
$ sudo vi /etc/fstabAppend:
# VirtualBuddy shared folder
VirtualBuddyShared /mnt/VirtualBuddyShared virtiofs rw 0 0
Use it:
$ sudo systemctl daemon-reload
$ sudo mount /mnt/VirtualBuddySharedThen in the Files app, I tried to visit /mnt/VirtualBuddyShared in order to drag vmshare to save it in the sidebar. I can jump directly into vmshare by path, but Files won't display its parent. Other apps seem OK though.
If you're going to use the VM in a window, you can enable automatically configuring the display in the VM settings while shut down. But I find that every window resize resets the scale to 100% which is not readable.
In full screen, if you want the VM to look sharp despite not using a native resolution in macOS:
- Shut down the VM.
- In your Mac's Display settings, select your display panel's native resolution.
- In VirtualBuddy, edit the virtual machine settings and enable automatically configuring the display. This will offer the size of the window's content area as an available screen resolution, which is why we needed your Mac's resolution set to the size that matches the hardware.
- Start the VM and sign in.
- Right-click the desktop and choose Display Settings, then select the resolution matching your hardware.
- For me that's 3024x1898, which doesn't exactly match my 3024x1964 panel. On a notched MacBook, the full-screened VM begins only beneath the notch.
- Having picked the resolution, it should look sharp.
- Make a note of those dimensions.
- Power off again.
- In the virtual machine settings, enter the dimensions and disable automatically configuring the display. This will keep this resolution setting available so you don't have to fiddle with it again. The tradeoff is your boot menu is impossibly small.
- Set your Mac's resolution back to what you prefer. The VM should be unaffected.
The headline feature of OpenSnitch is interactive outbound connection filtering.
Follow its instructions to install. We'll need the aarch64 RPM package for the daemon and the RPM package for the GUI.
On this system, yum is an alias to dnf5, which doesn't have a localinstall command. Instead, use dnf5 install.
To enable the system tray icon, install this Gnome extension.
Run the OpenSnitch GUI from the system launcher. At least one pop-up about unpermitted activity will probably appear, but set them aside. You can toggle whether OpenSnitch's filtering is enabled with the button in the corner.
In its preferences:
- In the Nodes tab, I switched Default action when the GUI is disconnected to Deny. This means traffic is controlled from boot even if you just ssh in and don't use the graphical login.
- In the Pop-ups tab, I switched Default target to "by command line" for finer granularity.
- I also changed the timeout to 100 seconds from 30.
- I also set the pop-up to start in advanced mode, which is what the + button reveals.
When a popup appears, by default it will make a Deny rule that expires in 12 hours. To clear such a rule before it expires, you can find it in the Temporary section of the Rules tab.
When a new event looks like it's from a regular daemon, I usually check the boxes for the user ID, destination port, and maybe the destination domain, then Allow.
You can also deny for now, see similar events roll into the Events tab, then right-click one to make a new rule about it, and delete the temporary rule. But I prefer to use the popup so I don't have to name the rule.
When making a Deny rule I tend to use fewer criteria, like, this process talking to that telemetry domain is enough to disable broadly.
You can save your rules out as a folder of json files to import them in other setups. The vmshare folder is good for that.
Enable sshd, requiring key pair authentication.
$ sudo touch /etc/ssh/sshd_config.d/01-vm-ingress.conf
$ sudo chmod 600 /etc/ssh/sshd_config.d/01-vm-ingress.confPopulate that file with:
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers <vm username>
Start sshd.
$ systemctl enable sshdAt this point you could try to connect with ssh, but the server will refuse, because it doesn't know any public keys to permit.
On the host, I made a new key pair unique to the host-vm relationship. I used a non-default filename, id_ed25519_for_vm:
$ ssh-keygen -t ed25519 -C "<some email address>"
$ ssh-add --apple-use-keychain ~/.ssh/id_ed25519_for_vm
$ cp ~/.ssh/id_ed25519_for_vm.pub ~/vmshare/On the vm:
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ cp /mnt/VirtualBuddyShared/vmshare/id_ed25519_for_vm.pub ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
$ systemctl restart sshdNow you can ssh from the host to <user>@<vm name>.local.
Power off the working VM. In VirtualBuddy, right-click it and Duplicate. Change its name to something that makes it clear it is a snapshot or template.
As of 2025.
Keep handy:
- https://blog.edwardloveall.com/local-macos-debian-12-with-utm
- https://docs.getutm.app/guest-support/linux/
I chose Debian 12 and got the regular, non-mac image:
$ brew install --cask utmIn UTM, create a new VM with File > New.
- Choose to virtualize, not emulate.
- Select the ISO you downloaded.
- I chose to enable hardware OpenGL acceleration.
- 8GB was enough storage for me.
- Select your ~/vmshare folder.
- For a name, I chose "Debian 12".
- I chose to open VM settings, but the only change I made was to pick an icon.
Launch it and go through the installer.
- You can use the graphical installer.
- For some step, if you don't know what to choose, take the default.
- For the hostname and domain name, I chose "debian-12" and "debian-12.local" to match the VM name.
- When you choose a disk to partition, if there are two, use the bigger one.
- If you choose a package mirror domain, think of a nearby university and look for its name or initials.
- For packages to install, I chose the desktop environment, Gnome, ssh server, and standard system utilities.
When it restarts after setup, during the boot menu screen, use the power icon button in the toolbar to stop the VM. Then remove the ISO.
Launch the VM again, full-screen the window, and sign in.
Click through the Welcome window. I disabled location services.
Right-click the desktop and choose Display Settings, then select a resolution that looks sharp. I chose 1360x768, which is just barely cropped from my laptop's 1366x768.
Using the VM in a window is doable, but changing the window size makes you type your password again due to what looks like a momentary screen lock condition. I was happier leaving it at a fixed resolution in full screen.
Besides display resolution, I changed these settings from their defaults:
- In Settings, Mouse & Touchpad:
- Natural scrolling: On
- In Settings, Accessibility, Typing, Repeat Keys:
- Delay: All the way left, then right-arrow 10 times
- In Terminal preferences:
- Theme variant: Dark
Open a terminal.
$ su
# apt install spice-vdagentRestart here, and you'll be able to copy and paste between your machine and the VM.
Open a terminal.
$ su
# mkdir -p /mnt/utm
# vi /etc/fstabAppend:
# UTM Shared Folder
share /mnt/utm 9p trans=virtio,version=9p2000.L,rw,_netdev,nofail,auto 0 0
Use it:
# systemctl daemon-reload
# mount /mnt/utmBut you can't edit the existing files in there yet. We want the files coming from the host's user to map to the vm's user and vice versa. For that we can use bindfs to make another mount point.
^D to end su
$ ls -na /mnt/utmObserve the user and group ids of the share, probably 20 and 501. You might need to add a file in here from the host.
$ idObserve your own user and group ids, probably 1000 and 1000.
$ su
# apt install bindfs
# mkdir -p /mnt/vmshare
# vi /etc/fstabAppend, editing IDs as needed:
# bindfs mount to remap UID/GID
/mnt/utm /mnt/vmshare fuse.bindfs map=501/1000:@20/@1000,x-systemd.requires=/mnt/utm,_netdev,nofail,auto 0 0
Use it:
# systemctl daemon-reload
# mount /mnt/vmshareThen in the Files app, go to /mnt and drag vmshare to save it in the sidebar.
Power off the working VM. In UTM, right-click it and Clone. Edit it and name it something that makes it clear it is a snapshot or template.