Skip to content

Instantly share code, notes, and snippets.

@fullkomnun

fullkomnun/README.md

Last active March 6, 2026 05:23
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save fullkomnun/88326ebca4189249a92bef919d0b766a to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save fullkomnun/88326ebca4189249a92bef919d0b766a to your computer and use it in GitHub Desktop.
Download ZIP
Fixing podman machine for Rossetta on Apple Silicon arm64 for Rust cross platform compilation in container (via Claude)
Raw
README.md

Podman Rosetta on Apple Silicon: Silent Failures and How to Fix Them

The Problem

Podman 5.1.0+ documentation states that Rosetta is "enabled by default" on Apple Silicon Macs. However, the configuration flag (Rosetta: true in podman machine inspect) can show as enabled while Rosetta is not actually working. This silent failure causes x86_64 containers to fall back to QEMU user-mode emulation, which crashes during memory-intensive workloads like Rust compilation with errors like:

error: rustc interrupted by SIGSEGV, printing backtrace
qemu: uncaught target signal 11 (Segmentation fault) - core dumped

Root Cause Analysis

The Rosetta activation chain has multiple points of failure:

1. Configuration vs Reality Disconnect

When you run podman machine inspect --format '{{.Rosetta}}', you're reading a configuration flag, not the actual runtime state. The flag being true means:

  • The hypervisor (AppleHV/vfkit) is configured to expose the Rosetta VirtioFS share
  • The VM image includes Rosetta activation scripts

It does not guarantee:

  • Rosetta is installed on the macOS host
  • The VirtioFS mount succeeded
  • The binfmt handler was registered

2. The Activation Service Dependency

Inside the Podman machine (Fedora CoreOS), Rosetta activation depends on a systemd service chain:

rosetta-activation.service
  → ConditionPathExists=/etc/containers/enable-rosetta
  → Mounts VirtioFS at /var/mnt (or /mnt on older images)
  → Registers binfmt handler

The critical failure point: The rosetta-activation.service has a condition:

ConditionPathExists=/etc/containers/enable-rosetta

If this file doesn't exist, the service is silently skipped with no error. The journal shows:

rosetta-activation.service was skipped because of an unmet condition check
(ConditionPathExists=/etc/containers/enable-rosetta)

3. Known Scenarios That Cause This

Scenario Result
Machine created before Podman 5.1.0, then Podman upgraded Config says true, but VM image lacks proper setup
Machine created before Rosetta installed on host VirtioFS tag exposed but empty/unmountable
Machine upgraded via rpm-ostree without full reprovisioning Trigger file may be missing
Fresh machine on Podman 5.7.x (Homebrew) Should work, but edge cases exist

4. The Misleading Diagnostics

The standard diagnostic commands don't reveal the problem:

# This says true even when broken
podman machine inspect --format '{{.Rosetta}}'
# Output: true

# This shows Rosetta is "supported" but not whether it's active
podman info

You must check inside the VM:

podman machine ssh

# This file determines if activation runs
ls -la /etc/containers/enable-rosetta

# This shows if Rosetta is actually registered
ls -la /proc/sys/fs/binfmt_misc/rosetta

# This shows what's handling x86_64 (should NOT exist if Rosetta is working)
ls -la /proc/sys/fs/binfmt_misc/qemu-x86_64

How Rosetta SHOULD Be Configured

When working correctly:

# On macOS host
podman machine inspect --format '{{.Rosetta}}'
# true

# Inside VM
podman machine ssh

# VirtioFS mount
mount | grep rosetta
# rosetta on /var/mnt type virtiofs (rw,relatime,context=system_u:object_r:nfs_t:s0)

# Rosetta binary available
ls -la /var/mnt/rosetta
# -rwxr-xr-x. 1 core core 1660888 ... /var/mnt/rosetta

# binfmt handler registered
cat /proc/sys/fs/binfmt_misc/rosetta
# enabled
# interpreter /var/mnt/rosetta
# flags: OCF
# ...

# QEMU should NOT be registered for x86_64
ls /proc/sys/fs/binfmt_misc/qemu-x86_64
# ls: cannot access '/proc/sys/fs/binfmt_misc/qemu-x86_64': No such file or directory

# Process check shows Rosetta
podman run -d --rm --name test --platform linux/amd64 alpine sleep 30
podman top test
# Shows: /var/mnt/rosetta /usr/bin/sleep sleep 30

Manual Fix Procedure

Prerequisites

  1. Install Rosetta on macOS host:

    softwareupdate --install-rosetta --agree-to-license

    (Requires admin privileges)

  2. Ensure Podman machine is running:

    podman machine start

Step 1: Create the Trigger File

podman machine ssh
sudo touch /etc/containers/enable-rosetta

Step 2: Verify the VirtioFS Mount

# Check if already mounted
mount | grep rosetta

# If not mounted, the rosetta tag should exist
cat /sys/fs/virtiofs/*/tag 2>/dev/null | grep rosetta

# Mount it (Fedora CoreOS uses /var/mnt)
sudo mount -t virtiofs -o context=system_u:object_r:nfs_t:s0 rosetta /var/mnt

Step 3: Unregister QEMU Handler (if present)

# Check if QEMU is registered
if [ -f /proc/sys/fs/binfmt_misc/qemu-x86_64 ]; then
    echo -1 | sudo tee /proc/sys/fs/binfmt_misc/qemu-x86_64
fi

Step 4: Register Rosetta binfmt Handler

# Determine rosetta path (usually /var/mnt/rosetta or /mnt/rosetta)
ROSETTA_PATH="/var/mnt/rosetta"

# Register
echo ":rosetta:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00:\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:${ROSETTA_PATH}:OCF" | sudo tee /proc/sys/fs/binfmt_misc/register

Step 5: Make Persistent

# Create binfmt.d config
echo ":rosetta:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00:\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/var/mnt/rosetta:OCF" | sudo tee /etc/binfmt.d/rosetta.conf

# The trigger file is already created in Step 1

Step 6: Verify

# Exit VM
exit

# Test
podman run --rm --platform linux/amd64 alpine uname -m
# Should output: x86_64

# Verify using Rosetta (not QEMU)
podman run -d --rm --name test --platform linux/amd64 alpine sleep 10
podman top test
# Should show /var/mnt/rosetta in the command
podman stop test

Nuclear Option: Recreate the Machine

If the VirtioFS tag isn't exposed or other fundamental issues exist:

# On macOS
softwareupdate --install-rosetta --agree-to-license

# Remove and recreate
podman machine stop
podman machine rm

# Recreate (inherits Rosetta from config)
podman machine init --cpus 4 --memory 14336 --disk-size 50
podman machine start

# Verify
podman machine inspect --format '{{.Rosetta}}'
podman machine ssh ls -la /proc/sys/fs/binfmt_misc/rosetta

Why This Happens (Technical Details)

Fedora CoreOS /mnt Symlink

On Fedora CoreOS, /mnt is a symlink to /var/mnt:

ls -la /mnt
# lrwxrwxrwx. 1 root root 8 ... /mnt -> /var/mnt

Some Rosetta documentation and older scripts reference /mnt/lima-rosetta or /mnt/rosetta, but:

  • systemd mount units fail with "not canonical path" errors if you use /mnt/...
  • The actual mount point should be /var/mnt

The VirtioFS Tag

The hypervisor (vfkit via AppleHV) exposes a VirtioFS share with the tag rosetta. You can verify it exists:

cat /sys/fs/virtiofs/*/tag
# rosetta
# (other tags for host shares)

If rosetta isn't in this list, the hypervisor isn't configured correctly, which means the machine needs recreation.

binfmt_misc Registration

The binfmt handler tells Linux "when you see an x86_64 ELF binary, run it through this interpreter." The registration string:

:rosetta:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00:\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/var/mnt/rosetta:OCF

Breakdown:

  • :rosetta: - handler name
  • M:: - magic number matching (not extension-based)
  • \x7fELF\x02\x01\x01... - ELF header pattern for x86_64
  • \xff\xff... - mask for matching
  • :/var/mnt/rosetta: - interpreter path
  • OCF - flags (O=open-binary, C=credentials, F=fix-binary)

Recommendations for Podman Project

  1. Improve diagnostics: podman machine inspect should show actual binfmt status, not just config flag
  2. Add health check: podman machine start should verify Rosetta is working when configured
  3. Better error messages: The silent ConditionPathExists skip should be logged more prominently
  4. Documentation: Clarify that rosetta=true in config doesn't guarantee functionality

References

Raw
podman-rosetta-fix.sh
#!/bin/bash
# podman-rosetta-fix.sh
# Diagnose and fix Rosetta enablement for Podman on Apple Silicon
#
# Problem: Podman 5.1.0+ claims Rosetta is "enabled by default" but the
# actual binfmt registration can silently fail, leaving QEMU as the fallback.
# This causes SIGSEGV crashes during heavy workloads like Rust compilation.
set -euo pipefail
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
log_ok() { echo -e "${GREEN}[OK]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
# Check if we're running on macOS
check_host() {
if [[ "$(uname)" != "Darwin" ]]; then
log_error "This script must be run on macOS"
exit 1
fi
if [[ "$(uname -m)" != "arm64" ]]; then
log_error "This script is for Apple Silicon (arm64) only"
exit 1
fi
log_ok "Running on Apple Silicon macOS"
}
# Check if Rosetta is installed on host
check_host_rosetta() {
log_info "Checking host Rosetta installation..."
if /usr/libexec/rosetta/oahd --version &>/dev/null || pgrep -x oahd >/dev/null 2>&1; then
log_ok "Rosetta is installed on host"
return 0
else
log_warn "Rosetta may not be installed on host"
echo " Run: softwareupdate --install-rosetta --agree-to-license"
echo " (requires admin privileges)"
return 1
fi
}
# Check Podman machine status
check_machine_running() {
log_info "Checking Podman machine status..."
if ! command -v podman &>/dev/null; then
log_error "Podman is not installed"
exit 1
fi
local state
state=$(podman machine inspect --format '{{.State}}' 2>/dev/null || echo "none")
if [[ "$state" != "running" ]]; then
log_error "Podman machine is not running (state: $state)"
echo " Run: podman machine start"
exit 1
fi
log_ok "Podman machine is running"
}
# Check Rosetta config flag
check_rosetta_config() {
log_info "Checking Rosetta configuration flag..."
local rosetta_flag
rosetta_flag=$(podman machine inspect --format '{{.Rosetta}}' 2>/dev/null || echo "unknown")
if [[ "$rosetta_flag" == "true" ]]; then
log_ok "Rosetta flag is enabled in config"
return 0
else
log_warn "Rosetta flag is '$rosetta_flag' in config"
echo " This may require recreating the machine with Rosetta enabled"
return 1
fi
}
# Run diagnostic inside VM
diagnose_vm() {
log_info "Running diagnostics inside VM..."
echo ""
# Check virtiofs tag
echo "=== VirtioFS Tags ==="
podman machine ssh "cat /sys/fs/virtiofs/*/tag 2>/dev/null" || echo "(none found)"
echo ""
# Check mounts
echo "=== Rosetta Mount ==="
local mount_info
mount_info=$(podman machine ssh "mount | grep rosetta" 2>/dev/null || echo "(not mounted)")
echo "$mount_info"
echo ""
# Check binfmt
echo "=== binfmt_misc Handlers ==="
podman machine ssh "ls -la /proc/sys/fs/binfmt_misc/" 2>/dev/null || echo "(error reading)"
echo ""
# Check for rosetta binary
echo "=== Rosetta Binary Location ==="
local rosetta_paths=("/var/mnt/rosetta" "/mnt/rosetta" "/mnt/lima-rosetta/rosetta")
for path in "${rosetta_paths[@]}"; do
if podman machine ssh "test -f $path && echo 'Found: $path'" 2>/dev/null; then
ROSETTA_PATH="$path"
break
fi
done
if [[ -z "${ROSETTA_PATH:-}" ]]; then
# Check if mounted at /var/mnt
if podman machine ssh "test -f /var/mnt/rosetta" 2>/dev/null; then
ROSETTA_PATH="/var/mnt/rosetta"
echo "Found: $ROSETTA_PATH"
else
echo "(rosetta binary not found)"
fi
fi
echo ""
# Check systemd services
echo "=== Rosetta Activation Service ==="
podman machine ssh "systemctl status rosetta-activation.service 2>/dev/null" || echo "(service not found or failed)"
echo ""
# Check for the trigger file
echo "=== Enable Rosetta Trigger File ==="
if podman machine ssh "test -f /etc/containers/enable-rosetta && echo 'EXISTS'" 2>/dev/null; then
echo "/etc/containers/enable-rosetta EXISTS"
else
echo "/etc/containers/enable-rosetta MISSING (this prevents auto-activation)"
fi
echo ""
}
# Determine actual emulation being used
check_actual_emulation() {
log_info "Testing actual x86_64 emulation method..."
# Check if rosetta binfmt is registered
if podman machine ssh "test -f /proc/sys/fs/binfmt_misc/rosetta" 2>/dev/null; then
log_ok "Rosetta binfmt handler is registered"
echo ""
echo "=== Rosetta binfmt details ==="
podman machine ssh "cat /proc/sys/fs/binfmt_misc/rosetta"
return 0
elif podman machine ssh "test -f /proc/sys/fs/binfmt_misc/qemu-x86_64" 2>/dev/null; then
log_warn "QEMU x86_64 handler is active (not Rosetta)"
echo " This will cause SIGSEGV crashes during heavy Rust compilation"
return 1
else
log_error "No x86_64 emulation handler found"
return 1
fi
}
# Apply fix
apply_fix() {
log_info "Applying Rosetta fix..."
# Find rosetta binary location
local rosetta_path=""
# Check common mount points
if podman machine ssh "test -f /var/mnt/rosetta" 2>/dev/null; then
rosetta_path="/var/mnt/rosetta"
elif podman machine ssh "test -f /mnt/rosetta" 2>/dev/null; then
rosetta_path="/mnt/rosetta"
else
# Try to mount it
log_info "Attempting to mount Rosetta VirtioFS..."
# Check if virtiofs tag exists
if ! podman machine ssh "cat /sys/fs/virtiofs/*/tag 2>/dev/null | grep -q rosetta"; then
log_error "Rosetta VirtioFS tag not available from hypervisor"
echo " This usually means:"
echo " 1. Rosetta is not installed on the macOS host"
echo " 2. The Podman machine was created before Rosetta was enabled"
echo ""
echo " Solution: Recreate the machine after installing Rosetta:"
echo " softwareupdate --install-rosetta --agree-to-license"
echo " podman machine rm"
echo " podman machine init"
echo " podman machine start"
return 1
fi
# Mount at /var/mnt (Fedora CoreOS standard)
podman machine ssh "sudo mount -t virtiofs -o context=system_u:object_r:nfs_t:s0 rosetta /var/mnt" 2>/dev/null || true
if podman machine ssh "test -f /var/mnt/rosetta" 2>/dev/null; then
rosetta_path="/var/mnt/rosetta"
log_ok "Mounted Rosetta at /var/mnt"
else
log_error "Failed to mount Rosetta VirtioFS"
return 1
fi
fi
log_ok "Rosetta binary found at: $rosetta_path"
# Create trigger file
log_info "Creating enable-rosetta trigger file..."
podman machine ssh "sudo touch /etc/containers/enable-rosetta"
# Check if rosetta binfmt already registered
if podman machine ssh "test -f /proc/sys/fs/binfmt_misc/rosetta" 2>/dev/null; then
log_ok "Rosetta binfmt already registered"
return 0
fi
# Unregister qemu-x86_64 if present (to avoid conflicts)
if podman machine ssh "test -f /proc/sys/fs/binfmt_misc/qemu-x86_64" 2>/dev/null; then
log_info "Unregistering QEMU x86_64 handler..."
podman machine ssh "echo -1 | sudo tee /proc/sys/fs/binfmt_misc/qemu-x86_64 >/dev/null" || true
fi
# Register Rosetta binfmt
log_info "Registering Rosetta binfmt handler..."
local binfmt_string=":rosetta:M::\\x7fELF\\x02\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x3e\\x00:\\xff\\xff\\xff\\xff\\xff\\xfe\\xfe\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xfe\\xff\\xff\\xff:${rosetta_path}:OCF"
podman machine ssh "echo '$binfmt_string' | sudo tee /proc/sys/fs/binfmt_misc/register >/dev/null"
if podman machine ssh "test -f /proc/sys/fs/binfmt_misc/rosetta" 2>/dev/null; then
log_ok "Rosetta binfmt handler registered successfully"
else
log_error "Failed to register Rosetta binfmt handler"
return 1
fi
}
# Make fix persistent
make_persistent() {
log_info "Making Rosetta configuration persistent..."
local rosetta_path=""
if podman machine ssh "test -f /var/mnt/rosetta" 2>/dev/null; then
rosetta_path="/var/mnt/rosetta"
elif podman machine ssh "test -f /mnt/rosetta" 2>/dev/null; then
rosetta_path="/mnt/rosetta"
else
log_warn "Could not determine Rosetta path for persistent config"
return 1
fi
# Create binfmt.d config
local binfmt_config=":rosetta:M::\\x7fELF\\x02\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x3e\\x00:\\xff\\xff\\xff\\xff\\xff\\xfe\\xfe\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xfe\\xff\\xff\\xff:${rosetta_path}:OCF"
podman machine ssh "echo '$binfmt_config' | sudo tee /etc/binfmt.d/rosetta.conf >/dev/null"
log_ok "Created /etc/binfmt.d/rosetta.conf"
# Note about the trigger file
log_info "Trigger file /etc/containers/enable-rosetta is already created"
}
# Verify fix
verify_fix() {
log_info "Verifying Rosetta is working..."
echo ""
# Run a test container
log_info "Running test container (alpine uname -m)..."
local result
result=$(podman run --rm --platform linux/amd64 alpine uname -m 2>/dev/null || echo "FAILED")
if [[ "$result" == "x86_64" ]]; then
log_ok "Test passed: x86_64 container executed successfully"
else
log_error "Test failed: got '$result'"
return 1
fi
# Check which handler is being used
log_info "Checking process uses Rosetta (not QEMU)..."
# Run a sleep process and check its execution
podman run -d --rm --name rosetta-test --platform linux/amd64 alpine sleep 30 >/dev/null 2>&1 || true
sleep 1
local top_output
top_output=$(podman top rosetta-test 2>/dev/null || echo "")
if echo "$top_output" | grep -q "rosetta\|/var/mnt/rosetta\|/mnt/rosetta"; then
log_ok "Confirmed: Process is running via Rosetta"
elif echo "$top_output" | grep -q "qemu"; then
log_warn "Process appears to be running via QEMU (not Rosetta)"
else
log_info "Could not determine emulation method from process list"
fi
podman stop rosetta-test >/dev/null 2>&1 || true
echo ""
log_ok "Rosetta verification complete"
}
# Print summary
print_summary() {
echo ""
echo "=============================================="
echo " SUMMARY"
echo "=============================================="
echo ""
if podman machine ssh "test -f /proc/sys/fs/binfmt_misc/rosetta" 2>/dev/null; then
log_ok "Rosetta is now active for x86_64 emulation"
echo ""
echo "Your Rust cross-compilation should now work without SIGSEGV crashes."
echo ""
echo "Test with:"
echo " podman build --platform linux/amd64 ."
else
log_error "Rosetta is NOT active"
echo ""
echo "You may need to recreate the Podman machine:"
echo " 1. Ensure Rosetta is installed: softwareupdate --install-rosetta"
echo " 2. Remove machine: podman machine rm"
echo " 3. Recreate: podman machine init"
echo " 4. Start: podman machine start"
echo " 5. Re-run this script to verify"
fi
echo ""
}
# Main
main() {
echo "=============================================="
echo " Podman Rosetta Diagnostic and Fix Tool"
echo "=============================================="
echo ""
local mode="${1:-diagnose}"
check_host
check_host_rosetta || true
check_machine_running
check_rosetta_config || true
echo ""
case "$mode" in
diagnose)
diagnose_vm
check_actual_emulation || true
echo ""
echo "Run with 'fix' argument to apply fixes:"
echo " $0 fix"
;;
fix)
diagnose_vm
if check_actual_emulation; then
log_ok "Rosetta is already working correctly"
else
apply_fix
make_persistent
verify_fix
fi
print_summary
;;
verify)
verify_fix
;;
*)
echo "Usage: $0 [diagnose|fix|verify]"
echo ""
echo " diagnose - Show diagnostic information (default)"
echo " fix - Apply fixes and make persistent"
echo " verify - Verify Rosetta is working"
exit 1
;;
esac
}
main "$@"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment