running as root no longer works in Sequoia

[sepich]

tart run -h has such lines:

        To work with block devices, the easiest way is to modify their permissions (e.g. by using "sudo chown $USER /dev/diskX") or to run the Tart binary as root, which affects
        locating Tart VMs.

        To work around this pass TART_HOME explicitly:

        sudo TART_HOME="$HOME/.tart" tart run sonoma --disk=/dev/disk0

Unfortunately it is no longer works for macOS v15 VMs:

$ tart create tart-15 --from-ipsw latest
Looking up the latest supported IPSW...
Fetching UniversalMac_15.0.1_24A348_Restore.ipsw...
100%
Computing digest for /Users/jetbrains/.tart/tmp/72A6ECC8-CCA8-4E6E-8F9E-8598CE608B31.ipsw...
100%
Installing OS...
100%

$ sudo TART_HOME="$HOME/.tart" tart run tart-15
Error Domain=VZErrorDomain Code=1 "The virtual machine failed to start." UserInfo={NSLocalizedFailure=Internal Virtualization error., NSLocalizedFailureReason=The virtual machine failed to start.}

# this one works fine
$ tart run tart-15
^CStopping VM...

And interesting that macOS v14 VMs still work as root.
Host OS is v15.0.1.
So it seems something new, related to v15 VMs specifics.
Do you know some workarounds how we can still run VM as root?

Problem with running as user is the new permission of v15 for "access to local network" which could only be granted in UI on all the hosts:
https://forums.developer.apple.com/forums/thread/760964
And processes running as root are excluded from that.

[edigaryev]

Tried reproducing this on macOS Sequoia 15.0.1 host to no avail:

% tart create tart-15 --from-ipsw ~/UniversalMac_15.0.1_24A348_Restore.ipsw   
Installing OS...
100%
% sudo TART_HOME="$HOME/.tart" tart run tart-15
[GUI window with installer greeting appears]

Error Domain=VZErrorDomain Code=1 "The virtual machine failed to start." UserInfo={NSLocalizedFailure=Internal Virtualization error., NSLocalizedFailureReason=The virtual machine failed to start.}

You might get some more details about this error by inspecting the Console's output.

[edigaryev]

Also, at which point does the new "Local Network" permission becomes an issue for you?

I have ran Tart on various workloads on the new Sequoia and never had any issues with this new permission because Tart itself doesn't contact local/private IP ranges.

On the other hand, we've seen reports for software that does so, for example, cirruslabs/gitlab-tart-executor#86, but not for Tart directly.

[sepich]

Tried reproducing this on macOS Sequoia 15.0.1 host to no avail

That's interesting, thank you for information. Do you have an xcode or MobileDevice framework installed? Which version?

Tested on local MacBook M3 15.0.1 (dirty), and couple M1/M2 macMinis 15.0.1 of buildfarm (clean), all fail the same. MacMinis have clean macOS install with only brew and xcode commandline tools.

$ pkgutil --pkg-info=com.apple.pkg.CLTools_Executables
package-id: com.apple.pkg.CLTools_Executables
version: 16.0.0.0.1.1724870825

more details about this error by inspecting the Console's output

I'm attaching logs and DiagnosticReport. Would be grateful if you can take a look and say if you see some issues there.
Archive.zip

For me it seems the error related to:

error	17:33:37.537384+0200	ctkd	<sepk:* kid=0000000000000000>: (com.apple.Virtualization.VirtualMachine<82844>) unable to generate key: error e00002e2(-536870174) ACL=<SecAccessControlRef: cku;ock(true);odel(true);osgn(true);oa(true);okd(true)> params=<AKSp:{acmh:###,ag:[],ed:{acl:{ock:true,odel:true,osgn:true,oa:true,okd:true}}}>
error	17:33:37.537621+0200	com.apple.Virtualization.VirtualMachine	SecKeyCreateRandomKey_ios failed: Error Domain=NSOSStatusErrorDomain Code=-25308 "Failed to generate keypair" (errKCInteractionNotAllowed / errSecInteractionNotAllowed: / Interaction is not allowed with the Security Server.) UserInfo={numberOfErrorsDeep=0, NSDescription=Failed to generate keypair, NSUnderlyingError=0x153e202c0 {Error Domain=NSOSStatusErrorDomain Code=-25308 "<sepk:* kid=0000000000000000>: unable to generate key" UserInfo={NSDebugDescription=<sepk:* kid=0000000000000000>: unable to generate key, AKSError=-536870174}}}
error	17:33:37.537682+0200	com.apple.Virtualization.VirtualMachine	AVPIdentity: <private>:69: <private>
error	17:33:37.537722+0200	com.apple.Virtualization.VirtualMachine	AVPIdentity: <private>:205: <private>

Keychain? Maybe you have ideas for me to try?

at which point does the new "Local Network" permission becomes an issue for you?

VM images are large, and pulling via Inet is slow. We use registry in local network and macMinis with 10G interface.

[sepich]

The issue is narrowed a bit:

• it works as root when started from Terminal.app in UI
• it does not work when started as root from ssh/LaunchDaemon on the same host

[hblockx]

We may have a similar issue with orchard + tart. Since wie reinstalled tart on 15.1 it has issues with orchard ssh commands, it returns the error: "no route found". Orchard also sometimes is throwing the user dialog regarding allowing local networking but it doesn't seem to help allowing it there.

[hblockx]

for us this is happening exactly the same:
"The issue is narrowed a bit:

it works as root when started from Terminal.app in UI
it does not work when started as root from ssh/LaunchDaemon on the same host"
Just with calling orchard worker instead of tart directly.

[timpeeters]

Process started via LaunchAgent/Daemon no longer has access to local network. Giving permissions via the dialog indeed does not seem to fix the issue.

Not sure but this might be related? Upgrading Go might fix it.
golang/go#68678

If interested I can submit a PR to bump Go?

[hblockx]

Actually I rebuilt orchard with uuid linking "external" and afterwards everything is working fine. It is for sure related.

[fkorotkov]

I guess we can close this issue now as both Cirrus CLI and Orchard were rebuilt with Go 1.23.3.