1.17.0 doesn't work with Mac OS Sequoia 15.2 M4 Pro

[vikrantk365]

Actual Behavior

Localstack latest container when used with Rancher Desktop 1.17.0 and Mac OD Sequoia 15.2 doesn't work with either QEMU and VZ (with or without Rosetta support), doesn't work. It just prints Restarting process (received exit code -6). This happens with or without enabling Kubernetes. (M4 Pro)

Steps to Reproduce

Use testcontainers and localstack with above versions for Rancher Desktop and Mac OS.

Result

Restarting process (received exit code -6)

Expected Behavior

Container should start without error

Additional Information

No response

Rancher Desktop Version

1.17.0

Rancher Desktop K8s Version

[disabled]

Which container engine are you using?

dockerd (moby)

What operating system are you using?

macOS

Operating System / Build Version

macOS Sequoia 15.2

What CPU architecture are you using?

arm64 (Apple Silicon)

Linux only: what package format did you use to install Rancher Desktop?

None

Windows User Only

No response

[jandubois]

Use testcontainers and localstack with above versions for Rancher Desktop and Mac OS.

Please provide more information on the individual steps and versions needed to reproduce this.

Did this work with an earlier version of Rancher Desktop? Did this work with an earlier version of localstack? Does it work on a different computer? Can you include log files?

[vikrantk365]

I'm trying Rancher Desktop for the first time. But it did work on intel mac for my friend.

here is what localstack container prints

A fatal error has been detected by the Java Runtime Environment:\n#\n# SIGILL (0x4) at pc=0x0000ffff90540c5c, pid=32, tid=33\n#\n# JRE version: (21.0.5+11) (build )\n# Java VM: OpenJDK 64-Bit Server VM (21.0.5+11-LTS, mixed mode, tiered, compressed oops, compressed class ptrs, g1 gc, linux-aarch64)\n# Problematic frame:\n# j java.lang.System.registerNatives()V+0 java.base\n#\n# Core dump will be written. Default location: /opt/code/localstack/core\n#\n# An error report file with more information is saved as:\n# /opt/code/localstack/hs_err_pid32.log\n[0.050s][warning][os] Loading hsdis library failed\n#\n# The crash happened outside the Java Virtual Machine in native code.\n# See problematic frame for where to report the bug.\n#\n'

[clydeespeno]

I am also facing a similar issue. I am also on Apple M4 Pro Silicon and on macOs 15.2.

I fails on execution against the JVM on versions 21+

My Rancher Desktop environment is:

• version: 1.17.0
• vm:volume:mountype = virtiofs
• vm:emulation:vm-type = vz
• vm:emulation:vz-option:enable-rosetta-support = true
• container-engine = dockerd (moby)

What I'm trying to do
I am building a custom keycloak image using the following Dockerfile:

# uses jdk 21
FROM quay.io/keycloak/keycloak:26.0.7 AS builder

# JDBC wrapper
ADD --chown=keycloak:keycloak https://github.com/awslabs/aws-advanced-jdbc-wrapper/releases/download/2.3.1/aws-
# configure the base image to use postgres
ENV KC_DB=postgres

ENV KC_HTTP_RELATIVE_PATH=/
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true

# temporarily disable persistent-user-sessions
# https://github.com/keycloak/keycloak/issues/35602
# https://github.com/keycloak/keycloak/issues/35047
RUN /opt/keycloak/bin/kc.sh build --features-disabled="persistent-user-sessions"
RUN /opt/keycloak/bin/kc.sh show-config

FROM quay.io/keycloak/keycloak:26.0.7

COPY --from=builder /opt/keycloak/ /opt/keycloak/

It fails with:

docker build .

=> ERROR [builder 5/6] RUN /opt/keycloak/bin/kc.sh build --features-disabled="persistent-user-sessions"   0.3s
------                                                                                                          
 > [builder 5/6] RUN /opt/keycloak/bin/kc.sh build --features-disabled="persistent-user-sessions":              
0.243 #                                                                                                         
0.243 # A fatal error has been detected by the Java Runtime Environment:                                        
0.243 #                                                                                                         
0.243 #  SIGILL (0x4) at pc=0x0000ffff77a3ec5c, pid=1, tid=80                                                   
0.243 #
0.243 # JRE version:  (21.0.5+11) (build )
0.243 # Java VM: OpenJDK 64-Bit Server VM (21.0.5+11-LTS, mixed mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, linux-aarch64)
0.243 # Problematic frame:
0.243 # j  java.lang.System.registerNatives()V+0 java.base
0.243 #
0.243 # Core dump will be written. Default location: //core
0.243 #
0.243 # An error report file with more information is saved as:
0.243 # /tmp/hs_err_pid1.log
0.243 [0.012s][warning][os] Loading hsdis library failed
0.250 #
0.250 # The crash happened outside the Java Virtual Machine in native code.
0.250 # See problematic frame for where to report the bug.
0.250 #
0.251 
0.251 [error occurred during error reporting (), id 0x5, SIGTRAP (0x5) at pc=0x0000ffff8fc87070]

Dockerfile.redhat:18
--------------------
  16 |     # https://github.com/keycloak/keycloak/issues/35602
  17 |     # https://github.com/keycloak/keycloak/issues/35047
  18 | >>> RUN /opt/keycloak/bin/kc.sh build --features-disabled="persistent-user-sessions"
  19 |     RUN /opt/keycloak/bin/kc.sh show-config
  20 |     

Anything that runs java fails. It minimally fails with:

FROM quay.io/keycloak/keycloak:26.0.7 AS builder
RUN java -version

docker build .

=> ERROR [2/2] RUN java -version                                                                          0.3s
------                                                                                                          
 > [2/2] RUN java -version:                                                                                     
0.250 #                                                                                                         
0.250 # A fatal error has been detected by the Java Runtime Environment:
0.250 #
0.250 #  SIGILL (0x4) at pc=0x0000ffff7fa3ec5c, pid=1, tid=6
0.250 #
0.250 # JRE version:  (21.0.5+11) (build )
0.250 # Java VM: OpenJDK 64-Bit Server VM (21.0.5+11-LTS, mixed mode, sharing, tiered, compressed oops, compressed class ptrs, g1 gc, linux-aarch64)
0.250 # Problematic frame:
0.250 # j  java.lang.System.registerNatives()V+0 [email protected]
0.250 #
0.250 # Core dump will be written. Default location: //core
0.250 #
0.250 # An error report file with more information is saved as:
0.250 # /tmp/hs_err_pid1.log
0.254 [0.013s][warning][os] Loading hsdis library failed
0.259 #
0.259 # The crash happened outside the Java Virtual Machine in native code.
0.259 # See problematic frame for where to report the bug.
0.259 #
0.259 
0.259 [error occurred during error reporting (), id 0x5, SIGTRAP (0x5) at pc=0x0000ffff9871d070]

Dockerfile:3
--------------------
   1 |     FROM quay.io/keycloak/keycloak:26.0.7 AS builder
   2 |     
   3 | >>> RUN java -version
   4 |     
--------------------
ERROR: failed to solve: process "/bin/sh -c java -version" did not complete successfully: exit code: 127

tried with other java image providers too, same issue:

FROM ghcr.io/graalvm/jdk-community:21

RUN java -version

 > [2/2] RUN java -version:                                                                                     
0.202 #                                                                                                         
0.202 # A fatal error has been detected by the Java Runtime Environment:                                        
0.202 #                                                                                                         
0.202 #  SIGILL (0x4) at pc=0x0000ffff7ebfa79c, pid=1, tid=6                                                    
0.202 #
0.202 # JRE version:  (21.0.2+13) (build )
0.202 # Java VM: OpenJDK 64-Bit Server VM (21.0.2+13-jvmci-23.1-b30, mixed mode, sharing, tiered, jvmci, jvmci compiler, compressed oops, compressed class ptrs, g1 gc, linux-aarch64)
0.202 # Problematic frame:
0.202 # j  java.lang.System.registerNatives()V+0 java.base
0.202 #
0.202 # Core dump will be written. Default location: /app/core
0.202 #
0.202 # An error report file with more information is saved as:
0.202 # /app/hs_err_pid1.log
0.206 [0.016s][warning][os] Loading hsdis library failed
0.210 #
0.210 # The crash happened outside the Java Virtual Machine in native code.
0.210 # See problematic frame for where to report the bug.
0.210 #
0.210 
0.210 [error occurred during error reporting (), id 0x5, SIGTRAP (0x5) at pc=0x0000ffff98b100f0]

jdk 17 works fine

FROM ghcr.io/graalvm/jdk-community:17

RUN java -XshowSettings:vm -version

docker build  . --progress=plain --no-cache
#0 building with "rancher-desktop" instance using docker driver

#1 [internal] load build definition from Dockerfile.redhat
#1 transferring dockerfile: 173B done
#1 DONE 0.0s

#2 [internal] load metadata for ghcr.io/graalvm/jdk-community:17
#2 DONE 0.7s

#3 [internal] load .dockerignore
#3 transferring context: 2B done
#3 DONE 0.0s

#4 [1/3] FROM ghcr.io/graalvm/jdk-community:17@sha256:53b72a7e5d1227a75f324694b9fc9f539fa6a2ebf3cfdc1243befb1e071daf1d
#4 CACHED

#5 [2/3] RUN echo 'hello'
#5 0.144 hello
#5 DONE 0.1s

#6 [3/3] RUN java -XshowSettings:vm -version
#6 0.336 VM settings:
#6 0.337     Max. Heap Size (Estimated): 1.94G
#6 0.337     Using VM: OpenJDK 64-Bit Server VM
#6 0.337 
#6 0.337 openjdk version "17.0.9" 2023-10-17
#6 0.337 OpenJDK Runtime Environment GraalVM CE 17.0.9+9.1 (build 17.0.9+9-jvmci-23.0-b22)
#6 0.337 OpenJDK 64-Bit Server VM GraalVM CE 17.0.9+9.1 (build 17.0.9+9-jvmci-23.0-b22, mixed mode, sharing)
#6 DONE 0.3s

#7 exporting to image
#7 exporting layers done
#7 writing image sha256:fc095ed042bc6b7b899e3860995888f33ba0d1a4f71a31211d05b55debbc17b3 done
#7 DONE 0.0s

[clydeespeno]

This issue is caused by: https://bugs.openjdk.org/browse/JDK-8345296

The issue is reported here too corretto/corretto-21#85.

As a workaround, I updated my build scripts to also accommodate optionally setting JAVA_TOOL_OPTIONS when trying to build on m4.

JAVA_TOOL_OPTIONS="-XX:UseSVE=0"

[jandubois]

@clydeespeno Thank you for these links. The best description I found of the issue is

Comparing /proc/cpuinfo between M2 and M4, it shows a new SVE2 present as per the ID_AA64ZFR0_EL1.SVEver == 0b0001 id register field. So on M4, it looks like macOS 15.2 exposes this feature to guests. IIUC Apple hardware does not implement SVE/SVE2, only SME. ID_AA64PFR0_EL1.SVE == 0b0000 but Linux gets confused and still reports SVE2 to apps (HWCAP) from the ZFR0 register. JDK makes use of the INCB instruction, Linux traps it and since FEAT_SVE is not present, it issues a SIGILL.

(copied from https://forum.parallels.com/threads/parallels-desktop-for-mac-computers-with-apple-silicon-m4-chips.365676/page-8#post-936357)

We could maybe figure out a workaround for QEMU (by falling back to a generic aarch64 CPU when running on M4, but that will disable any special hardware support from the M4 CPU). But there is nothing we can do for VZ emulation.

So I think the best you can do for now is to use the workaround to disable SVE in the Java option, and hope that either Oracle or Apple will provide a fix for this.

The way I read the various threads it sounds like Apple only exposed the SVE bit to the host in macOS 15.2, so maybe they will hide it again in 15.3 if the hardware doesn't actually implement SVE support.

There doesn't seem to be anything we can reasonably do about this in Rancher Desktop, so I will close this issue.

[vikrantk365]

Ok finally got it working with x86 image of localstack instead of arm64 image (which was causing the issue)
I deleted arm64 image of localstack and pulled x86 image docker pull --platform=linux/amd64.
Then used with VZ and it worked.

Thank you @jandubois for your response!

[JK-Richardson]

Just commenting that I had the same problem as @vikrantk365 and his solution to use the linux/amd64 image seems to work on my machine which is a M4 Pro/Sequouia 15.2