running as root no longer works in Sequoia #921

Open
sepich opened this issue Oct 22, 2024 · 4 comments
Comments

@sepich

sepich commented Oct 22, 2024

tart run -h has such lines:

        To work with block devices, the easiest way is to modify their permissions (e.g. by using "sudo chown $USER /dev/diskX") or to run the Tart binary as root, which affects
        locating Tart VMs.

        To work around this pass TART_HOME explicitly:

        sudo TART_HOME="$HOME/.tart" tart run sonoma --disk=/dev/disk0

Unfortunately, it no longer works for macOS v15 VMs:

$ tart create tart-15 --from-ipsw latest
Looking up the latest supported IPSW...
Fetching UniversalMac_15.0.1_24A348_Restore.ipsw...
100%
Computing digest for /Users/jetbrains/.tart/tmp/72A6ECC8-CCA8-4E6E-8F9E-8598CE608B31.ipsw...
100%
Installing OS...
100%

$ sudo TART_HOME="$HOME/.tart" tart run tart-15
Error Domain=VZErrorDomain Code=1 "The virtual machine failed to start." UserInfo={NSLocalizedFailure=Internal Virtualization error., NSLocalizedFailureReason=The virtual machine failed to start.}

# this one works fine
$ tart run tart-15
^CStopping VM...

Interestingly, macOS v14 VMs still work as root.
The host OS is v15.0.1.
So it seems to be something new, specific to v15 VMs.
Do you know of any workarounds so we can still run a VM as root?

The problem with running as a user is the new v15 permission for "access to local network", which can only be granted in the UI on all the hosts:
https://forums.developer.apple.com/forums/thread/760964
And processes running as root are excluded from that.

@edigaryev
Collaborator

edigaryev commented Oct 23, 2024

Tried reproducing this on macOS Sequoia 15.0.1 host to no avail:

% tart create tart-15 --from-ipsw ~/UniversalMac_15.0.1_24A348_Restore.ipsw   
Installing OS...
100%
% sudo TART_HOME="$HOME/.tart" tart run tart-15
[GUI window with installer greeting appears]

Error Domain=VZErrorDomain Code=1 "The virtual machine failed to start." UserInfo={NSLocalizedFailure=Internal Virtualization error., NSLocalizedFailureReason=The virtual machine failed to start.}

You might get some more details about this error by inspecting the Console's output.

@edigaryev
Collaborator

Also, at which point does the new "Local Network" permission become an issue for you?

I have run Tart on various workloads on the new Sequoia and never had any issues with this new permission, because Tart itself doesn't contact local/private IP ranges.

On the other hand, we've seen reports for software that does so, for example, cirruslabs/gitlab-tart-executor#86, but not for Tart directly.

@sepich
Author

sepich commented Oct 23, 2024

Tried reproducing this on macOS Sequoia 15.0.1 host to no avail

That's interesting, thank you for the information. Do you have Xcode or the MobileDevice framework installed? Which version?

Tested on a local M3 MacBook on 15.0.1 (dirty) and a couple of M1/M2 Mac minis on 15.0.1 from the build farm (clean); all fail the same way. The Mac minis have a clean macOS install with only brew and the Xcode command line tools.

$ pkgutil --pkg-info=com.apple.pkg.CLTools_Executables
package-id: com.apple.pkg.CLTools_Executables
version: 16.0.0.0.1.1724870825

more details about this error by inspecting the Console's output

I'm attaching logs and DiagnosticReport. Would be grateful if you can take a look and say if you see some issues there.
Archive.zip

For me it seems the error is related to:

error	17:33:37.537384+0200	ctkd	<sepk:* kid=0000000000000000>: (com.apple.Virtualization.VirtualMachine<82844>) unable to generate key: error e00002e2(-536870174) ACL=<SecAccessControlRef: cku;ock(true);odel(true);osgn(true);oa(true);okd(true)> params=<AKSp:{acmh:###,ag:[],ed:{acl:{ock:true,odel:true,osgn:true,oa:true,okd:true}}}>
error	17:33:37.537621+0200	com.apple.Virtualization.VirtualMachine	SecKeyCreateRandomKey_ios failed: Error Domain=NSOSStatusErrorDomain Code=-25308 "Failed to generate keypair" (errKCInteractionNotAllowed / errSecInteractionNotAllowed: / Interaction is not allowed with the Security Server.) UserInfo={numberOfErrorsDeep=0, NSDescription=Failed to generate keypair, NSUnderlyingError=0x153e202c0 {Error Domain=NSOSStatusErrorDomain Code=-25308 "<sepk:* kid=0000000000000000>: unable to generate key" UserInfo={NSDebugDescription=<sepk:* kid=0000000000000000>: unable to generate key, AKSError=-536870174}}}
error	17:33:37.537682+0200	com.apple.Virtualization.VirtualMachine	AVPIdentity: <private>:69: <private>
error	17:33:37.537722+0200	com.apple.Virtualization.VirtualMachine	AVPIdentity: <private>:205: <private>

Keychain? Maybe you have ideas for me to try?

at which point does the new "Local Network" permission becomes an issue for you?

VM images are large, and pulling over the Internet is slow. We use a registry on the local network and Mac minis with a 10G interface.
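A small log-triage helper, added here as an illustration and not code from the Tart project or from anyone in this thread. It reads a Console excerpt in the tab-separated layout pasted above (level, time, process, message; an assumption about how the lines were copied) and reports whether the VM start failed because SecKeyCreateRandomKey returned OSStatus -25308 (errSecInteractionNotAllowed, meaning the Security Server would have needed user interaction and the calling context did not allow it), as opposed to some other Security framework error or no VM error at all. It also pulls out the AKS error code that ctkd logged next to it. The sample lines are constructed from the ones quoted above with the long UserInfo dictionaries trimmed.

```shell
#!/bin/sh
# Added example for this thread, not code from the Tart project: triage a
# unified-log excerpt for the failure reported above, where the VM process
# cannot create its identity key because the keychain refuses to interact
# with the Security Server (OSStatus -25308, errSecInteractionNotAllowed).
# Assumed input layout (as copied from Console.app): level, time, process
# and message, separated by tabs. All functions read the log on stdin.
set -eu

TAB=$(printf '\t')
VM_PROC='com.apple.Virtualization.VirtualMachine'

# Constructed sample: two lines modelled on the ones quoted in the issue,
# plus one unrelated line to show that it is ignored.
SAMPLE_LOG=$(printf '%s\n' \
  "error${TAB}17:33:37.537384+0200${TAB}ctkd${TAB}<sepk:* kid=0000000000000000>: (${VM_PROC}<82844>) unable to generate key: error e00002e2(-536870174)" \
  "error${TAB}17:33:37.537621+0200${TAB}${VM_PROC}${TAB}SecKeyCreateRandomKey_ios failed: Error Domain=NSOSStatusErrorDomain Code=-25308 \"Failed to generate keypair\" (errSecInteractionNotAllowed)" \
  "default${TAB}17:33:37.600000+0200${TAB}tart${TAB}unrelated informational line")

# Print the OSStatus code of the first NSOSStatusErrorDomain error logged by
# the VM process, e.g. -25308; prints nothing when there is none.
vm_osstatus_code() {
    grep "${TAB}${VM_PROC}${TAB}" \
        | grep -o 'Domain=NSOSStatusErrorDomain Code=-*[0-9]*' \
        | head -n 1 \
        | sed 's/.*Code=//'
}

# Print the AKS/SEP error code that ctkd reported for the key generation,
# e.g. e00002e2; prints nothing when ctkd logged no such error.
ctkd_aks_error() {
    grep "${TAB}ctkd${TAB}" \
        | grep -o 'unable to generate key: error e[0-9a-f]*' \
        | head -n 1 \
        | sed 's/.*error //'
}

# Classify the VM start failure seen in the log. Prints one of:
#   keychain-interaction-not-allowed   (the case in this thread)
#   other-osstatus:<code>              (some other Security framework error)
#   no-vm-error                        (nothing from the VM process)
classify_vm_failure() {
    input=$(cat)
    code=$(printf '%s\n' "$input" | vm_osstatus_code)
    case "$code" in
        -25308) echo keychain-interaction-not-allowed ;;
        '')     echo no-vm-error ;;
        *)      echo "other-osstatus:$code" ;;
    esac
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | classify_vm_failure
printf '%s\n' "$SAMPLE_LOG" | ctkd_aks_error
```

On a real host, feed the functions the lines copied from Console.app after filtering on the ctkd and com.apple.Virtualization.VirtualMachine processes. `log show --last 10m --predicate '...'` prints a different column layout, so adjust the tab-based field matching before reusing the greps on its output.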

@sepich
Author

sepich commented Oct 24, 2024

The issue is narrowed a bit:

  • it works as root when started from Terminal.app in UI
  • it does not work when started as root from ssh/LaunchDaemon on the same host
