
Podman: A tool for managing OCI containers and pods.
https://podman.io
Apache License 2.0

Unable to launch podman machine on macOS with podman 5.0-rc3 #21850

Closed svelez closed 6 months ago

svelez commented 6 months ago

Issue Description

When trying to start podman machine that was initialized with default variable, the command fails with an error.

Steps to reproduce the issue

  1. Install podman from arm pkg file provided in github releases
  2. podman machine init
  3. podman machine start

Describe the results you received

error with message

Starting machine "podman-machine-default"
Error: vfkit exited unexpectedly with exit code 1

Describe the results you expected

The start command successfully completes so that I can start issuing other podman commands

podman info output

❯ podman info
OS: darwin/arm64
provider: applehv
version: 5.0.0-rc3

Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM
Error: unable to connect to Podman socket: failed to connect: dial tcp 127.0.0.1:56250: connect: connection refused

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

Lots of experimentation (starting, stopping, installing, uninstalling) with docker, and podman from homebrew

Additional information

❯ sw_vers
ProductName:        macOS
ProductVersion:     14.3.1
BuildVersion:       23D60

Seems to be an issue with the build of vfkit. If I manually launch gvproxy and vfkit using parameters indicated in debug output of podman machine start then I see

Error: Error Domain=VZErrorDomain Code=2 Description="Invalid virtual machine configuration. The process doesn’t have the “com.apple.security.virtualization” entitlement." UserInfo={
    NSLocalizedFailure = "Invalid virtual machine configuration.";
    NSLocalizedFailureReason = "The process doesn\U2019t have the \U201ccom.apple.security.virtualization\U201d entitlement.";
}
Usage:
  vfkit [flags]

Flags:
  -b, --bootloader strings      bootloader configuration (default [])
  -c, --cpus uint               number of virtual CPUs (default 1)
  -d, --device stringArray      devices
      --gui                     display the contents of the virtual machine onto a graphical user interface
  -h, --help                    help for vfkit
  -i, --initrd string           path to the virtual machine initrd
  -k, --kernel string           path to the virtual machine linux kernel
  -C, --kernel-cmdline string   linux kernel command line
      --log-level string        set log level
  -m, --memory uint             virtual machine RAM size in mibibytes (default 512)
      --restful-uri string      URI address for RestFul services (default "none://")
  -t, --timesync string         sync guest time when host wakes up from sleep
  -v, --version                 version for vfkit

Error Domain=VZErrorDomain Code=2 Description="Invalid virtual machine configuration. The process doesn’t have the “com.apple.security.virtualization” entitlement." UserInfo={
    NSLocalizedFailure = "Invalid virtual machine configuration.";
    NSLocalizedFailureReason = "The process doesn\U2019t have the \U201ccom.apple.security.virtualization\U201d entitlement.";
}

A Google search indicates that the following command should mention the com.apple.security.virtualization entitlement, but it does not:

❯ codesign -d --entitlements - /opt/podman/bin/vfkit
Executable=/opt/podman/bin/vfkit
svelez commented 6 months ago

Note: manually worked around this by signing the binary myself using a self-signed cert:

❯ cat vz.entitlements
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.virtualization</key>
    <true/>
</dict>
</plist>

❯ cp /opt/podman/bin/vfkit .
❯ codesign --entitlements vz.entitlements -f -s test-code-signing vfkit
❯ sudo cp vfkit /opt/podman/bin/vfkit
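The diagnosis and workaround above (dump the entitlements with codesign, then re-sign with an entitlements plist) as one script. This is an added example, not code from the podman or vfkit projects or from the commenter: the text parsing runs on any POSIX shell against constructed sample dumps, only check_and_fix_vz calls codesign and must run on macOS, and the ad-hoc signing identity "-" is an assumption (the comment above used a self-signed certificate named test-code-signing). Function names, the .vz suffix and the sample dumps are mine.

```shell
#!/bin/sh
# Added example, not code from the podman or vfkit projects: check whether a
# macOS binary carries the com.apple.security.virtualization entitlement and,
# if it does not, re-sign a copy of it with an entitlements plist. The parsing
# functions run on any POSIX shell against text; only the codesign calls need
# macOS. The ad-hoc identity "-" is an assumption (the issue comment used a
# self-signed certificate named test-code-signing).

ENTITLEMENT="com.apple.security.virtualization"

# Print the entitlements plist that grants the virtualization entitlement.
vz_entitlements_plist() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.virtualization</key>
    <true/>
</dict>
</plist>
EOF
}

# Return 0 if the text of a `codesign -d --entitlements -` dump grants the
# entitlement, 1 otherwise. Accepts the XML plist form and the
# "[Key] ... [Value] [Bool] true" form that recent codesign versions print.
# A key that is present but not set to true is treated as not granted.
has_vz_entitlement() {
    # Flatten newlines and tabs so the key/value pair can be matched as one line.
    flat=$(printf '%s\n' "$1" | tr '\n\t' '  ')
    printf '%s\n' "$flat" | grep -q "<key>$ENTITLEMENT</key> *<true/>" && return 0
    printf '%s\n' "$flat" | grep -q "\[Key\] $ENTITLEMENT *\[Value\] *\[Bool\] true" && return 0
    return 1
}

# Dump the entitlements of a binary as text (macOS only; codesign writes to
# stdout or stderr depending on version, so capture both).
dump_entitlements() {
    codesign -d --entitlements - "$1" 2>&1
}

# Copy $1 to $2 and sign the copy with the virtualization entitlement using
# identity $3 ("-" means an ad-hoc signature). The original is not modified.
resign_with_vz() {
    src="$1"; dst="$2"; identity="${3:--}"
    tmp=$(mktemp -d) || return 1
    vz_entitlements_plist > "$tmp/vz.entitlements"
    if cp "$src" "$dst" &&
       codesign --entitlements "$tmp/vz.entitlements" -f -s "$identity" "$dst"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Check a binary and, if the entitlement is missing, write a re-signed copy
# next to it as <binary>.vz and verify the copy. Installing the copy over the
# original is left to the operator, because it replaces the vendor's signature.
check_and_fix_vz() {
    bin="$1"
    if has_vz_entitlement "$(dump_entitlements "$bin")"; then
        echo "$bin: $ENTITLEMENT present"
        return 0
    fi
    echo "$bin: $ENTITLEMENT missing, writing re-signed copy to $bin.vz"
    resign_with_vz "$bin" "$bin.vz" "${2:--}" || return 1
    has_vz_entitlement "$(dump_entitlements "$bin.vz")"
}

# Constructed sample dumps (not real codesign output) to exercise the parser
# offline: one with no entitlements, one XML form, one text form.
SAMPLE_MISSING='Executable=/opt/podman/bin/vfkit'
SAMPLE_XML='Executable=/tmp/vfkit
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.virtualization</key>
    <true/>
</dict>
</plist>'
SAMPLE_TEXT='Executable=/tmp/vfkit
[Dict]
	[Key] com.apple.security.virtualization
	[Value]
		[Bool] true'

# Usage (macOS only): sh vzcheck.sh /opt/podman/bin/vfkit [signing-identity]
if [ "$#" -ge 1 ] && [ "$(uname -s)" = Darwin ]; then
    check_and_fix_vz "$@"
fi
```

Re-signing with `-f` discards the signature the binary shipped with, so after the fix `codesign -dv --verbose=2` will show your identity (or no Authority line for an ad-hoc signature) instead of the vendor's; treat the patched binary as locally built software and prefer the fixed release once it is available.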
Luap99 commented 6 months ago

Duplicate of #21842