Issue Description
When the host modifies/deletes a file, the guest/container cannot receive inotify, resulting in the file watch inside the container not taking effect. The actual impact is that features like code hot reloading do not work properly.
After extensive testing, I have concluded the following:
- It is not related to the container, as inotify cannot be received in the machine’s virtual environment either.
- It is not specific to the Fedora Core Linux distribution, as it also occurs in other distributions.
- It may not be related to virtiofs. As of 2021, virtiofs has already supported inotify, as seen here: https://lwn.net/Articles/874000/
- Similar issues have also been observed in the colima and lima virtual machine tools.
- Docker for Mac and Orbstack support inotify, but I am unsure of their implementation as their code is closed-source 🤷♂️
Regarding point 4, relevant discussions and code can be found here:
• lima-vm/lima#615
• lima-vm/lima#1913
• https://github.com/abiosoft/colima/blob/main/daemon/process/inotify/events.go
However, the solutions provided by lima and colima are not perfect as they cannot simulate DELETE events. They can only simulate creation/modification events.
Regarding point 5, I came across a brief introduction in Docker’s blog: https://www.docker.com/blog/deep-dive-into-new-docker-desktop-filesharing-implementation/ (it seems to be for Windows, and I am unsure if the same solution applies to macOS). The approach of Docker seems to be creating an intermediate layer to deceive the virtual machine, in order to successfully simulate the DELETE event using rm -rf.
Steps to reproduce the issue
# Host
podman machine ssh
# Guest
cd ~
curl -L -O https://github.com/watchexec/watchexec/releases/download/v1.25.1/watchexec-1.25.1-x86_64-unknown-linux-musl.tar.xz
tar -xvf watchexec-1.25.1-x86_64-unknown-linux-musl.tar.xz
sudo cp ./watchexec-1.25.1-x86_64-unknown-linux-musl/watchexec /usr/local/bin/
mkdir -p /private/tmp/test
cd /private/tmp/test
watchexec -r --emit-events-to=stdio --only-emit-events
# Host
cd /tmp/test
touch new_file
echo "modify" >> new_file
rm -rf new_file
Describe the results you received
No inotify events received.
Describe the results you expected
I can receive inotify messages for create/modify/delete operations.
podman info output
Version: v5.0.1
host:
  arch: amd64
  buildahVersion: 1.35.3
  cgroupControllers:
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.10-1.fc39.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.10, commit: '
  cpuUtilization:
    idlePercent: 99.94
    systemPercent: 0.03
    userPercent: 0.03
  cpus: 8
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: coreos
    version: "39"
  eventLogger: journald
  freeLocks: 2047
  hostname: localhost.localdomain
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 1000000
    uidmap:
    - container_id: 0
      host_id: 502
      size: 1
    - container_id: 1
      host_id: 100000
      size: 1000000
  kernel: 6.7.9-200.fc39.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 679960576
  memTotal: 2054959104
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.10.0-1.fc39.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.10.0
    package: netavark-1.10.3-1.fc39.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.10.3
  ociRuntime:
    name: crun
    package: crun-1.14.4-1.fc39.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.14.4
      commit: a220ca661ce078f2c37b38c92e66cf66c012d9c1
      rundir: /run/user/502/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20240326.g4988e2b-1.fc39.x86_64
    version: |
      pasta 0^20240326.g4988e2b-1.fc39.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
      <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/502/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: true
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.2.2-1.fc39.x86_64
    version: |-
      slirp4netns version 1.2.2
      commit: 0ee2d87523e906518d34a6b423271e4826f71faf
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.3
  swapFree: 0
  swapTotal: 0
  uptime: 3h 17m 2.00s (Approximately 0.12 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
store:
  configFile: /var/home/core/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 0
    stopped: 1
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/core/.local/share/containers/storage
  graphRootAllocated: 106769133568
  graphRootUsed: 3979911168
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/502/containers
  transientStore: false
  volumePath: /var/home/core/.local/share/containers/storage/volumes
version:
  APIVersion: 5.0.1
  Built: 1711929600
  BuiltTime: Mon Apr 1 08:00:00 2024
  GitCommit: ""
  GoVersion: go1.21.8
  Os: linux
  OsArch: linux/amd64
  Version: 5.0.1
Podman in a container
No
Privileged Or Rootless
None
Upstream Latest Release
Yes
Additional environment details
AppleHV
Additional information
I suspect this is a bug in the Apple virtualization.framework.
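A guest-side fallback for the missing events reported above, as an added example (not code from the issue author, podman, lima or colima): poll the shared directory and diff snapshots, which does not rely on inotify crossing the host/guest boundary and reports deletions as well as creations and modifications. The function names, the one-second interval and watching the current directory are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"time"
)

// Snapshot maps every file under root to {size, mtime in nanoseconds}.
func Snapshot(root string) map[string][2]int64 {
	snap := map[string][2]int64{}
	filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err == nil && !info.IsDir() {
			snap[p] = [2]int64{info.Size(), info.ModTime().UnixNano()}
		}
		return nil // unreadable or vanished entries are skipped, not fatal
	})
	return snap
}

// Diff compares two snapshots and returns sorted CREATE/MODIFY/DELETE events.
func Diff(prev, cur map[string][2]int64) (events []string) {
	for p, c := range cur {
		if old, ok := prev[p]; !ok {
			events = append(events, "CREATE "+p)
		} else if old != c {
			events = append(events, "MODIFY "+p)
		}
	}
	for p := range prev {
		if _, ok := cur[p]; !ok {
			events = append(events, "DELETE "+p) // absence is visible to a poller
		}
	}
	sort.Strings(events)
	return events
}

func main() {
	prev := Snapshot(".") // run from the shared directory, e.g. /private/tmp/test
	for range time.Tick(time.Second) { // assumed poll interval
		cur := Snapshot(".")
		for _, e := range Diff(prev, cur) {
			fmt.Println(e)
		}
		prev = cur
	}
}
```

Polling trades latency and stat traffic for independence from the hypervisor's file-sharing layer; a change that keeps both size and mtime identical is not detected.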