vfkit: Add Rosetta support for deploying amd64 images on Apple silicon #22140
Conversation
|
/ok-to-test |
|
/cc @afbjorklund |
|
@cfergeau can you review? |
With the new vmnet network[1] and rosetta[2] in minikube we can use
minikube on macOS. This change replace macOS defaults to use minikube
with vfkit driver and vmnet-shared network.
With this change the vm.yaml environment starts in 16 seconds, 5 times
faster than lima. The regional-dr environment starts in 324 seconds,
about 1.3 times faster than lima.
Example run with minimal environment:
% drenv start envs/vm.yaml
2025-12-13 18:58:13,469 INFO [vm] Starting environment
2025-12-13 18:58:13,547 INFO [cluster] Starting minikube cluster
2025-12-13 18:58:29,953 INFO [cluster] Cluster started in 16.41 seconds
2025-12-13 18:58:29,955 INFO [cluster/0] Running addons/example/start
2025-12-13 18:58:41,240 INFO [cluster/0] addons/example/start completed in 11.28 seconds
2025-12-13 18:58:41,241 INFO [cluster/0] Running addons/example/test
2025-12-13 18:58:41,471 INFO [cluster/0] addons/example/test completed in 0.23 seconds
2025-12-13 18:58:41,471 INFO [vm] Environment started in 28.00 seconds
Example run with full environment:
% drenv start envs/regional-dr.yaml
2025-12-13 19:11:14,075 INFO [rdr] Starting environment
2025-12-13 19:11:14,116 INFO [dr2] Starting minikube cluster
2025-12-13 19:11:14,116 INFO [dr1] Starting minikube cluster
2025-12-13 19:11:14,121 INFO [hub] Starting minikube cluster
2025-12-13 19:11:29,211 INFO [dr1] Cluster started in 15.09 seconds
...
2025-12-13 19:11:32,399 INFO [hub] Cluster started in 18.28 seconds
...
2025-12-13 19:11:36,296 INFO [dr2] Cluster started in 22.18 seconds
...
2025-12-13 19:16:38,669 INFO [rdr] Dumping ramen e2e config to '/Users/nir/.config/drenv/rdr'
2025-12-13 19:16:38,761 INFO [rdr] Environment started in 324.69 seconds
Note: This change requires local minikube build since the rosetta
support is not merged yet.
[1] kubernetes/minikube#20501
[2] kubernetes/minikube#22140
Signed-off-by: Nir Soffer <nsoffer@redhat.com>
With the new vmnet network[1] and rosetta[2] in minikube we can use
minikube on macOS. This change replace macOS defaults to use minikube
with vfkit driver and vmnet-shared network.
With this change the vm.yaml environment starts in 16 seconds, 5 times
faster than lima. The regional-dr environment starts in 324 seconds,
about 1.3 times faster than lima.
Example run with minimal environment:
% drenv start envs/vm.yaml
2025-12-13 18:58:13,469 INFO [vm] Starting environment
2025-12-13 18:58:13,547 INFO [cluster] Starting minikube cluster
2025-12-13 18:58:29,953 INFO [cluster] Cluster started in 16.41 seconds
2025-12-13 18:58:29,955 INFO [cluster/0] Running addons/example/start
2025-12-13 18:58:41,240 INFO [cluster/0] addons/example/start completed in 11.28 seconds
2025-12-13 18:58:41,241 INFO [cluster/0] Running addons/example/test
2025-12-13 18:58:41,471 INFO [cluster/0] addons/example/test completed in 0.23 seconds
2025-12-13 18:58:41,471 INFO [vm] Environment started in 28.00 seconds
Example run with full environment:
% drenv start envs/regional-dr.yaml
2025-12-13 19:11:14,075 INFO [rdr] Starting environment
2025-12-13 19:11:14,116 INFO [dr2] Starting minikube cluster
2025-12-13 19:11:14,116 INFO [dr1] Starting minikube cluster
2025-12-13 19:11:14,121 INFO [hub] Starting minikube cluster
2025-12-13 19:11:29,211 INFO [dr1] Cluster started in 15.09 seconds
...
2025-12-13 19:11:32,399 INFO [hub] Cluster started in 18.28 seconds
...
2025-12-13 19:11:36,296 INFO [dr2] Cluster started in 22.18 seconds
...
2025-12-13 19:16:38,669 INFO [rdr] Dumping ramen e2e config to '/Users/nir/.config/drenv/rdr'
2025-12-13 19:16:38,761 INFO [rdr] Environment started in 324.69 seconds
Note: This change requires local minikube build since the rosetta
support is not merged yet.
[1] kubernetes/minikube#20501
[2] kubernetes/minikube#22140
Signed-off-by: Nir Soffer <nsoffer@redhat.com>
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
/ok-to-test |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
Latest push rebased on master to split the rebase from the actual changes. |
This comment has been minimized.
This comment has been minimized.
|
@cfergeau I addressed the comments:
|
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
This KVM_Linux fail with the known issue when TestISO are run after the context deadline was exceeded: The interesting part is that this test did not time out after 90 minutes - so this is not an issue with the global test timeout. Maybe this an issue with the context we use in these tests: |
|
@nirs , I was trying yout patch locally, but I can't get I am seeing this: $ minikube delete --all --purge
$ minikube start ... --rosetta ..
...
🔄 Successfully unblocked bootpd process from firewall, retrying
🔥 Creating vfkit VM (CPUs=2, Memory=6144MB, Disk=20000MB) ...
😿 Failed to start vfkit VM. Running "minikube delete" may fix it: creating host: create host timed out in 360.000000 seconds
❌ Exiting due to DRV_CREATE_TIMEOUT: Failed to start host: creating host: create host timed out in 360.000000 seconds
💡 Suggestion: Try 'minikube delete', and disable any conflicting VPN or firewall software
🍿 Related issue: https://github.com/kubernetes/minikube/issues/7072
$ echo $?
52
$
|
You hide the details, so I must guess from the partial output. You are using vment-helper on managed Mac, and did not get IP address. minikube wrongly try to "unblock" bootpd which does not have any affect and fail with the wrong error. If you try without --rosetta you will probably get the same result. One known issue is connecting to your company VPN. For me after connecting to the VPN and disconnecting, the vment network is always broken and the only way to recover is to reboot. If you did not connect to the VPN since boot, this workaround that usually works: It this does not work reboot usually fix the issue. |
|
@nirs, with your hint, I got minikube start to complete now, and running the test binary in the vm succeeds: % ./out/minikube ssh
$ /mnt/rosetta/test
✅ Running amd64 binary on Linux minikube 6.6.95 #1 SMP PREEMPT Tue Dec 16 02:19:13 UTC 2025 aarch64 GNU/Linux
$ so this seems all fine. |
| startCmd.Flags().String(qemuFirmwarePath, "", "Path to the qemu firmware file. Defaults: For Linux, the default firmware location. For macOS, the brew installation location. For Windows, C:\\Program Files\\qemu\\share") | ||
|
|
||
| // vfkit | ||
| startCmd.Flags().Bool(rosetta, false, "Enable Rosetta to support apps built for Intel processor on a Mac with Apple silicon (vfkit driver only)") |
There was a problem hiding this comment.
does it also support running images built for x86 on all container runtimes ?
or is it only for binaries ? if also images, should mention in the help text.
it would be nice to check or verify (
suggestion, add an integration test that pulls an x86 image and runs it on silicon)
and test be skipped on anything but macos arm64
(could be a subset of functional test)
if dont wanna add ftest, can also just add manual verification and add to the PR description.
There was a problem hiding this comment.
does it also support running images built for x86 on all container runtimes ? or is it only for binaries ? if also images, should mention in the help text.
It works for running any executable, on the host or in a container. I'm using the same language used by apple to describe the feature (apps built for Intel processors). Should we replace "apps" with container images since minikube is about containers?
it would be nice to check or verify
I tested running executable in the guest (example in the message), and running ramen testing clusters (containerd runtime) which include several amd64 images (ocm, ramen).
The ramen PR RamenDR/ramen#2356 shows example run with this PR.
( suggestion, add an integration test that pulls an x86 image and runs it on silicon) and test be skipped on anything but macos arm64 (could be a subset of functional test)
if dont wanna add ftest, can also just add manual verification and add to the PR description.
I want to add a test that will do this:
- created executable like the example as part of the test
- run it using the virtiofs mount
- create a container image including the executable by building inside minikube, or in podman
- load the image into minikube
- start a pod with the image
I'll open an issue for working on the test, since it more work than the actual feature.
Add --rosetta flag enabling Rosetta[1] for running apps built for Intel processor on Mac with Apple silicon. An example use case is deploying open-cluster-management that do not provide arm64 builds yet. If Rosetta is not installed on the host, it will be installed on the first time starting a cluster. When running in non-interactive mode automatic install is disabled and if Rosetta is not installed start will fail. The --rosetta flag is ignored with a warning if enabled on Mac with Intel processor. [1] https://developer.apple.com/documentation/virtualization/running-intel-binaries-in-linux-vms-with-rosetta
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
/ok-to-test |
|
kvm2 driver with docker runtime DetailsTimes for minikube start: 38.9s 37.7s 38.6s 38.9s 41.4s Times for minikube (PR 22140) ingress: 15.7s 15.7s 16.2s 15.7s 15.7s docker driver with docker runtime DetailsTimes for minikube ingress: 10.6s 11.6s 10.6s 10.6s 10.6s Times for minikube start: 20.9s 24.3s 25.0s 24.5s 24.3s docker driver with containerd runtime DetailsTimes for minikube start: 19.2s 19.2s 21.4s 18.2s 21.4s Times for minikube (PR 22140) ingress: 23.1s 23.1s 23.1s 23.1s 23.1s |
|
@nirs: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: medyagh, nirs The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Here are the number of top 10 failed tests in each environments with lowest flake rate.
Besides the following environments also have failed tests:
To see the flake rates of all tests by environment, click here. |
Add --rosetta flag enabling Rosetta[1] for running apps built for Intel processor on Mac with Apple silicon. An example use case is deploying open-cluster-management that do not provide arm64 builds yet.
If Rosetta is not installed on the host, it will be installed on the first time starting a cluster. When running in non-interactive mode automatic install is disabled and if Rosetta is not installed start will fail.
The --rosetta flag is ignored with a warning if enabled on Mac with Intel processor.
Testing amd64 executable on Apple silicon
Testing with container images
I tested the PR with ramen regional DR environment, using containerd runtime. We deploy several adm64 only container images like open-cluster-management and ramen.
RamenDR/ramen#2356
[1] https://developer.apple.com/documentation/virtualization/running-intel-binaries-in-linux-vms-with-rosetta
Fixes #20559