
feat: add Apple Silicon support via Rosetta emulation#70

Open
rkoster wants to merge 4 commits into main from feat/apple-silicon-support

Conversation

@rkoster (Owner) commented Mar 6, 2026

Summary

Add workarounds for running instant-bosh on Apple Silicon Macs using Colima with Rosetta x86_64 emulation.

Problem

Two main issues prevent instant-bosh from working on Apple Silicon with Rosetta:

Director Container:

  • BPM seccomp filters fail on arm64 kernel (error loading seccomp filter: invalid argument)
  • PostgreSQL refuses to run as root (required when BPM privileged mode is enabled)

Stemcell VMs:

  • MemoryDenyWriteExecute=yes in systemd services conflicts with Rosetta JIT compilation, causing systemd-journald, systemd-resolved, auditd, etc. to crash

Solution

Director Patches (apple-silicon/director/)

Dockerfile that patches BOSH release templates at build time:

  • Adds privileged: true to all BPM configs (disables seccomp)
  • Drops privileges to vcap user in startup scripts for postgres, director, nats, health_monitor, etc.

Stemcell Patches (apple-silicon/stemcell/)

Dockerfile that creates systemd drop-in overrides:

  • Disables MemoryDenyWriteExecute, SystemCallFilter, etc. for affected services
  • Masks systemd-binfmt.service to preserve host binfmt_misc registrations

Usage

# Start Colima with Rosetta
./apple-silicon/start-colima-rosetta.sh

# Build patched images
./apple-silicon/director/build.sh ghcr.io/rkoster/instant-bosh:sha-6de5b3c
./apple-silicon/stemcell/build.sh ubuntu-noble latest

# Start with patched director
export IBOSH_IMAGE=ghcr.io/rkoster/instant-bosh:sha-6de5b3c-apple-silicon
ibosh start

# Upload patched stemcell and deploy
ibosh upload-stemcell ghcr.io/rkoster/ubuntu-noble-stemcell:latest-apple-silicon
bosh -d zookeeper deploy test/manifest/zookeeper.yml

Testing

Successfully deployed a 5-node zookeeper cluster with all VMs in running state.

rkoster added 2 commits March 6, 2026 16:20
Add workarounds for running instant-bosh on Apple Silicon Macs using
Colima with Rosetta x86_64 emulation.

Director patches (director/Dockerfile):
- Enable BPM privileged mode to bypass seccomp filter failures
- Drop privileges to vcap user in startup scripts (required for postgres)

Stemcell patches (stemcell/Dockerfile):
- Disable MemoryDenyWriteExecute and other systemd security features
  that conflict with Rosetta JIT compilation
- Mask systemd-binfmt to preserve host binfmt_misc registrations

Includes build scripts and documentation.

- Add wait-for-postgres-role.sh to handle race condition with postgres role creation
- Preserve environment variables when dropping privileges to vcap user
- Fix blobstore tmp directory permissions for nginx worker (nobody user)
- Fix director nginx tmp directory permissions
- Change upload_store_access to all:rw for uploaded files
- Use vcap user for oid2name check in create-database.erb
rkoster added 2 commits March 11, 2026 11:05
Replace the complex privileged mode + privilege dropping approach with a
cleaner solution that compiles BPM from a branch with Rosetta emulation
detection (cloudfoundry/bpm-release#201).

Changes:
- Dockerfile: Multi-stage build compiles BPM with sysfeat package that
  detects Rosetta via /proc/sys/fs/binfmt_misc/rosetta
- build.sh: Add BPM_BRANCH and BPM_REPO env vars for flexibility
- README.md: Add Requirements section documenting that Colima with
  VZ+Rosetta is required and Podman Machine is NOT supported (uses
  QEMU instead of Rosetta, see containers/podman#28181)

This approach only disables seccomp (the actual problem) without
granting additional privileges or requiring privilege dropping scripts.

Add script to enable Rosetta emulation in Podman 5.6+ on macOS Tahoe,
based on the fix documented in the Podman blog post. This allows running
x86_64 instant-bosh containers on Apple Silicon Macs using Podman.

Ref: https://blog.podman.io/2025/08/podman-5-6-released-rosetta-status-update/
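Added example, not code from this PR or the instant-bosh project: a POSIX shell script that ties together two passages above, the Rosetta detection the BPM commit describes (presence of /proc/sys/fs/binfmt_misc/rosetta) and the stemcell-side workaround from the PR description (systemd drop-ins that clear MemoryDenyWriteExecute and SystemCallFilter for the affected services, plus masking systemd-binfmt.service). The point of gating on the registration is that these drop-ins remove hardening, so they should only ever land on a tree that will actually run under Rosetta. The service list, the drop-in file name 10-rosetta.conf, the optional ROOT argument (for staging into a filesystem tree rather than the live host) and the ROSETTA_APPLY switch are assumptions made for this illustration; the PR's own Dockerfile is not reproduced here.

```shell
#!/bin/sh
# Added example (not the PR's code): apply the Rosetta systemd workarounds
# only when the binfmt_misc registration for Rosetta is actually present.
set -eu

# ROOT is a hypothetical prefix so the script can target a staged tree;
# empty means the live host.
rosetta_detected() {
    root="${1:-}"
    [ -f "$root/proc/sys/fs/binfmt_misc/rosetta" ]
}

# Services the PR description names as crashing under Rosetta JIT;
# the exact list is an assumption for this example.
AFFECTED_SERVICES="systemd-journald systemd-resolved auditd"

# Drop-in that turns off W^X enforcement and resets the syscall filter.
# In systemd an empty assignment to a list directive (SystemCallFilter=)
# clears everything the vendor unit set.
write_dropin() {
    root="$1"
    svc="$2"
    dir="$root/etc/systemd/system/$svc.service.d"
    mkdir -p "$dir"
    cat > "$dir/10-rosetta.conf" <<'EOF'
[Service]
MemoryDenyWriteExecute=no
SystemCallFilter=
EOF
    printf '%s\n' "$dir/10-rosetta.conf"
}

# A masked unit is a symlink to /dev/null in /etc/systemd/system, so
# systemd-binfmt never reloads /etc/binfmt.d over the host registrations.
mask_binfmt() {
    root="$1"
    link="$root/etc/systemd/system/systemd-binfmt.service"
    mkdir -p "$root/etc/systemd/system"
    rm -f "$link"
    ln -s /dev/null "$link"
}

# Returns 1 and writes nothing when Rosetta is not registered, so the
# hardening stays intact on a native x86_64 host.
apply_rosetta_workarounds() {
    root="${1:-}"
    if ! rosetta_detected "$root"; then
        echo "rosetta: not detected, leaving systemd hardening in place" >&2
        return 1
    fi
    for svc in $AFFECTED_SERVICES; do
        write_dropin "$root" "$svc"
    done
    mask_binfmt "$root"
}

# Hypothetical switch: ROSETTA_APPLY=1 sh rosetta-dropins.sh [ROOT]
if [ "${ROSETTA_APPLY:-0}" = 1 ]; then
    apply_rosetta_workarounds "${1:-}"
fi
```

Run it from a Dockerfile RUN step with ROSETTA_APPLY=1 and the build root as the argument; on a host without the Rosetta registration it refuses to write anything and exits non-zero, which is the safer failure for a step whose only job is to weaken sandboxing.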
@rkoster (Owner, Author) commented Mar 11, 2026

postgres workaround won't be needed after cloudfoundry/bosh#2687 gets released
