Molecule with Docker on Mac M2 causes Com.apple.Virtualization.VirtualMachine crashed when gather_facts is enabled

I’m running a Molecule test against a container running in Docker Desktop locally. When I set gather_facts to true in converge.yml, Docker crashes hard with the error "Com.apple.Virtualization.VirtualMachine crashed" covering the screen, with no option to click it away; a restart is the only recovery.

My molecule.yml file is below.

```yaml
---
dependency:
  name: galaxy
driver:
  name: docker
platforms:
  - name: instance
    image: registry.access.redhat.com/ubi8/ubi-init
    command: ""
    privileged: true
    pre_build_image: true
    platform: amd64
provisioner:
  name: ansible
verifier:
  name: ansible
```

I have Docker Desktop version 4.25.2 and the following package versions:

  • molecule==6.0.2
  • molecule-plugins==23.5.0
  • ansible-core==2.15.7
  • docker==6.1.3

I don’t run Docker locally and I also don’t use OSX so this suggestion might not be of any use… but what happens if you set privileged: false?

Incidentally, molecule 6.0.3 was released yesterday.


Using molecule 6.0.3 and also the docker 7.0.0 libraries didn’t help. I suspect this might have something to do with the ubi7 image being amd64; to make it work I set the platform to amd64. My Mac has an arm64 M2 chip, so some sort of emulation has to happen. I wonder if this is failing badly.

I found some consistency. The crash happens when the image used by Molecule is UBI, which is only AMD64, i.e. no ARM64 image. I needed to set privileged: true in order to get systemd to work. When I set privileged: false the crash doesn’t happen, but my use case can’t be tested. I found that if I use colima (GitHub - abiosoft/colima: Container runtimes on macOS (and Linux) with minimal setup) instead of Docker Desktop, this issue goes away.


Indeed, I discovered that as well when working out how to run Molecule in Docker containers via GitLab CI.

@chris Did you come across a way of making systemd function in a container without enabling privileged? I wouldn’t mind switching that off.

Just as a note in case someone reading this isn’t aware of it: privileged: true is similar to running something with sudo - you basically give the container full access to the machine, and code running in it can escape from the container. So only use it if you’re really sure it’s OK and safe.

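Added example, not from any post in this thread: a small check that can run inside a test instance to show which high-risk Linux capabilities it actually holds, which is what privileged: true changes. The two sample status texts are constructed (the first uses Docker's default capability mask, the second a full mask as seen in a privileged container), and the RISKY_CAPS selection is an assumption of this example.

```python
"""Report high-risk capabilities from the CapEff line of /proc/<pid>/status."""
import os

# Bit numbers from linux/capability.h; this subset is chosen for the example.
RISKY_CAPS = {
    2: "CAP_DAC_READ_SEARCH",
    12: "CAP_NET_ADMIN",
    16: "CAP_SYS_MODULE",
    17: "CAP_SYS_RAWIO",
    19: "CAP_SYS_PTRACE",
    21: "CAP_SYS_ADMIN",
}

# Constructed samples: default Docker container vs. a privileged one.
DEFAULT_STATUS = "Name:\tsystemd\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_STATUS = "Name:\tsystemd\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"


def effective_mask(status_text):
    """Return the effective capability bitmask as an integer."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")


def risky_caps(status_text):
    """Return the sorted names of high-risk capabilities set in CapEff."""
    mask = effective_mask(status_text)
    return sorted(name for bit, name in RISKY_CAPS.items() if (mask >> bit) & 1)


if __name__ == "__main__":
    samples = {"default sample": DEFAULT_STATUS, "privileged sample": PRIVILEGED_STATUS}
    if os.path.exists("/proc/self/status"):
        with open("/proc/self/status") as fh:
            samples["this process"] = fh.read()
    for label, text in samples.items():
        found = risky_caps(text)
        print(f"{label}: {', '.join(found) if found else 'no high-risk capabilities'}")
```
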

I found this Red Hat article from 2016 but I haven’t tried it…
