Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add missing vfkit entitlement #21843

Merged
merged 3 commits into from
Feb 27, 2024
Merged

Add missing vfkit entitlement #21843

merged 3 commits into from
Feb 27, 2024

Conversation

cfergeau
Copy link
Contributor

The vfkit binary shipped with podman 5.0-rc3 can't start virtual machines, see
#21842
The entitlements are overwritten during the signing process.

Does this PR introduce a user-facing change?

This fixes an issue with the `vfkit` hypervisor causing this problem on Apple hardware:

$ podman machine start
Starting machine "podman-machine-default"
Error: vfkit exited unexpectedly with exit code 1

@cfergeau cfergeau mentioned this pull request Feb 27, 2024
Closed
@cfergeau
Copy link
Contributor Author

cfergeau commented Feb 27, 2024
edited
Loading

I don't know how to test podman macos installer builds, so this most likely needs some minor adjustments.

I've now tested this with :

cd contrib/pkginstaller
make ARCH=amd64 NO_CODESIGN=1 pkginstaller
codesign -d --entitlements -- ./root/podman/bin/vfkit

Luap99
Luap99 reviewed Feb 27, 2024
View reviewed changes
Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ashley-cui @baude PTAL

contrib/pkginstaller/Makefile Show resolved Hide resolved
contrib/pkginstaller/vfkit.entitlements Outdated Show resolved Hide resolved
@cfergeau
macos installer: Default to using ad-hoc signing
74b8787 
When there is no signing identity to pass to the macOS `codesign` tool,
we can use `-` instead as the identity to perform ad-hoc signing.

From `man codesign`:
> If identity is the single letter "-" (dash), ad-hoc signing is
> performed.  Ad-hoc signing does not use an identity at all

This makes it easier to test the sign() code-path in package.sh as
we'll run the same code regardless of `NO_CODESIGN` being set or not.

Signed-off-by: Christophe Fergeau <[email protected]>
@cfergeau
macos-installer: Remove hvf.entitlements
15734f8 
That's a left-over from 8794776

Signed-off-by: Christophe Fergeau <[email protected]>
@cfergeau cfergeau force-pushed the entitlements branch 2 times, most recently from 8b26a13 to 24d3cc8 Compare February 27, 2024 16:47
@cfergeau
macos installer: Add vfkit entitlement
9f5c20f 
vfkit needs the com.apple.security.virtualization entitlement or it
wont' be able to start virtual machines:

Error: Error Domain=VZErrorDomain Code=2 Description="Invalid virtual machine configuration. The process doesn’t have the “com.apple.security.virtualization” entitlement." UserInfo={
    NSLocalizedFailure = "Invalid virtual machine configuration.";
    NSLocalizedFailureReason = "The process doesn\U2019t have the \U201ccom.apple.security.virtualization\U201d entitlement.";
}

This fixes containers#21842

Signed-off-by: Christophe Fergeau <[email protected]>
@ashley-cui
Copy link
Member

LGTM

@rhatdan
Copy link
Member

rhatdan commented Feb 27, 2024

/approve
/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 27, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Feb 27, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cfergeau, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 27, 2024
@packit-as-a-service Packit-as-a-Service
Copy link

Cockpit tests failed for commit 94c219f160c085d354b5427ae1310386c43e3e6a. @martinpitt, @jelly, @mvollmer please check.

@openshift-merge-bot openshift-merge-bot bot merged commit abd681a into containers:main Feb 27, 2024
90 of 93 checks passed
@stale-locking-app stale-locking-app bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label May 28, 2024
@stale-locking-app stale-locking-app bot locked as resolved and limited conversation to collaborators May 28, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Luap99 Luap99 Luap99 left review comments

Assignees

@rhatdan rhatdan

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. release-note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@cfergeau @ashley-cui @rhatdan @Luap99