
Container image security scanning doesn't work for Silicon macOS #1008

Open
almet opened this issue Nov 25, 2024 · 5 comments
Comments

@almet
Contributor

almet commented Nov 25, 2024

We added security scanning for the images shipped for ARM64, but it's currently failing due to the fact Docker is not installed in the runners.

Docker is installable (see the instructions in this issue) but doesn't come installed by default.

Doing this would also check that the latest Docker Desktop is able to load the container image, which also has some value.

One other option is to use colima, which is already installed in the mac runners.

@apyrgio
Contributor

apyrgio commented Nov 25, 2024

What! You can run Docker Desktop or Colima in our macOS runners? This means that we can run our tests without the dummy isolation provider! That's amazing (although Colima is technically not supported, which is another issue).

As for the error at hand, I'm not sure that Docker is involved. What I see is that the grep | cut code does not work on macOS for some reason. I'm saying this because this is the artifact that the CI job attempts to download:

https://github.com/freedomofpress/dangerzone/releases/download//container--arm64.tar.gz

(the version field seems to be missing)

@almet
Contributor Author

almet commented Nov 25, 2024

> As for the error at hand, I'm not sure that Docker is involved. What I see is that the grep | cut code does not work on macOS for some reason. I'm saying this because this is the artifact that the CI job attempts to download:

Now, that's weird. I'm pretty sure I saw it not being able to load the image at some point over the course of the weekend (not the error I linked though, you're right).

It might be due to grep and cut not being the gnu ones.

About being able to run colima (or Docker Desktop!), yep I'm following the same lines, it could enable us to run the CI on macOS as well, which would be satisfying! (This would solve #520 also!)

EDIT: opened #1009 to track this more broadly.

@almet
Contributor Author

almet commented Nov 25, 2024

The issue was about the fact that shell parameter expansion doesn't work cross-shell, and especially not on macOS. Using bash there unmasked the actual issue about docker.

From my experiments, using colima as a replacement to docker doesn't seem to work out of the box unfortunately.
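Both points above, the download URL whose version field came out empty and the note that parameter expansion is not portable across shells, as an added illustration that is not code from the dangerzone repository or its CI: a version extraction that uses only POSIX tools, plus a check that refuses to fetch a URL with an empty field. The release URL layout and the "v" tag prefix are assumptions.

```shell
#!/bin/sh
# Added example, not code from the dangerzone repository or its CI. It
# covers the thread's two points: extracting the version with POSIX tools
# that behave the same under bash and macOS /bin/sh, and refusing to fetch
# when the version came out empty, which is what produced the
# ".../download//container--arm64.tar.gz" URL in the failing job. The URL
# layout and the "v" tag prefix are assumptions for illustration.

BASE_URL="https://github.com/freedomofpress/dangerzone/releases/download"

# Pull "0.8.0" out of a bare version line or an assignment such as
# "version = 0.8.0". POSIX sh does not guarantee bash's pattern
# substitution (${var//pat/repl}) or substring (${var:2:5}) expansions, so
# only sed is used and the result does not depend on the step's shell.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*$/\1/p' |
        head -n 1
}

# Build the artifact URL, failing loudly instead of emitting empty fields.
artifact_url() {
    version=$1
    arch=$2
    if [ -z "$version" ] || [ -z "$arch" ]; then
        echo "refusing to build URL: version='$version' arch='$arch'" >&2
        return 1
    fi
    printf '%s/v%s/container-%s-%s.tar.gz\n' \
        "$BASE_URL" "$version" "$version" "$arch"
}

# Pre-download check: an empty path segment ("//" after the scheme) or an
# empty file-name component ("--") means a variable was never set.
url_looks_complete() {
    case "$1" in
        *://*//*|*--*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demonstration on a constructed version-file line.
main() {
    v=$(extract_version 'version = 0.8.0')
    url=$(artifact_url "$v" arm64) || exit 1
    url_looks_complete "$url" || { echo "incomplete URL: $url" >&2; exit 1; }
    echo "would download: $url"
}
main "$@"
```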

@apyrgio
Contributor

apyrgio commented Nov 25, 2024

> The issue was about the fact that shell parameter expansion doesn't work cross-shell, and especially not on macOS. Using bash there unmasked the actual issue about docker.

Cool, thanks for the dig. If you have the error for Docker, it might be worth pasting here.

@almet
Contributor Author

almet commented Nov 26, 2024

Here is the error I see after running brew install colima docker qemu && colima start.

time="2024-11-26T11:15:13Z" level=info msg="Terminal is not available, proceeding without opening an editor"
time="2024-11-26T11:15:14Z" level=info msg="Starting the instance \"colima\" with VM driver \"qemu\""
time="2024-11-26T11:15:14Z" level=info msg="QEMU binary \"/opt/homebrew/bin/qemu-system-aarch64\" seems properly signed with the \"com.apple.security.hypervisor\" entitlement"
time="2024-11-26T11:15:14Z" level=info msg="Attempting to download the image" arch=aarch64 digest= location=/Users/runner/Library/Caches/colima/caches/c3056771d27045a9b7b665f5ddbbac4e311078337847c505226bd184c8191d0c.raw
time="2024-11-26T11:15:14Z" level=info msg="Downloaded the image from \"/Users/runner/Library/Caches/colima/caches/c3056771d27045a9b7b665f5ddbbac4e311078337847c505226bd184c8191d0c.raw\""
time="2024-11-26T11:15:14Z" level=info msg="[hostagent] hostagent socket created at /Users/runner/.colima/_lima/colima/ha.sock"
time="2024-11-26T11:15:14Z" level=info msg="[hostagent] Using system firmware (\"/opt/homebrew/share/qemu/edk2-aarch64-code.fd\")"
time="2024-11-26T11:15:14Z" level=info msg="[hostagent] Starting QEMU (hint: to watch the boot progress, see \"/Users/runner/.colima/_lima/colima/serial*.log\")"
time="2024-11-26T11:15:14Z" level=info msg="SSH Local Port: 49213"
time="2024-11-26T11:15:14Z" level=info msg="[hostagent] Waiting for the essential requirement 1 of 4: \"ssh\""
time="2024-11-26T11:15:14Z" level=info msg="[hostagent] Driver stopped due to error: \"signal: abort trap\""
time="2024-11-26T11:15:14Z" level=info msg="[hostagent] Shutting down the host agent"
time="2024-11-26T11:15:14Z" level=fatal msg="error starting vm: error at 'creating and starting': exit status 1"
time="2024-11-26T11:15:14Z" level=warning msg="[hostagent] failed to exit SSH master" error="failed to execute `ssh -O exit -p 49213 127.0.0.1`, out=\"Control socket connect(/Users/runner/.colima/_lima/colima/ssh.sock): No such file or directory\\r\\n\": exit status 255"
time="2024-11-26T11:15:14Z" level=info msg="[hostagent] Shutting down QEMU with the power button"
time="2024-11-26T11:15:14Z" level=warning msg="[hostagent] Failed to remove SSH binding for port 49213"
time="2024-11-26T11:15:14Z" level=warning msg="[hostagent] failed to open the QMP socket \"/Users/runner/.colima/_lima/colima/qmp.sock\", forcibly killing QEMU" error="dial unix /Users/runner/.colima/_lima/colima/qmp.sock: connect: connection refused"
time="2024-11-26T11:15:14Z" level=info msg="[hostagent] QEMU has already exited"
time="2024-11-26T11:15:14Z" level=fatal msg="exiting, status={Running:false Degraded:false Exiting:true Errors:[] SSHLocalPort:0} (hint: see \"/Users/runner/.colima/_lima/colima/ha.stderr.log\")"

ssh connections seem to not work properly. I want to finish post 0.8.0 tasks, so I'm leaving it as-is for now and will resume later on.

FWIW, there is a test/macos-runner branch with the current experiments on the matter if anybody wants to continue on the subject.

@almet almet moved this from Todo to In Progress in Dangerzone ✨ Nov 27, 2024
@almet almet moved this from In Progress to Todo in Dangerzone ✨ Nov 28, 2024