# rancher-desktop
q
Is there some easy way to see my settings? the validate command doesn't validate an override file...
f
Is this not working for you? Seems to work fine for me:
$ echo "mountType: 9p" > ~/Library/Application\ Support/rancher-desktop/lima/_config/override.yaml
$ rdctl start
INFO[0000] About to launch /usr/bin/open -a /Applications/Rancher Desktop.app ...
$ rdctl shell mount | grep 9p
mount0 on /Users/jan/Library/Caches/rancher-desktop/k3s type 9p (ro,dirsync,relatime,fscache,cachetag=4294938123,access=client,trans=virtio)
mount1 on /Users/jan/Library/Logs/rancher-desktop type 9p (rw,dirsync,relatime,mmap,access=client,trans=virtio)
mount2 on /Users/jan type 9p (rw,dirsync,relatime,mmap,access=client,trans=virtio)
mount3 on /tmp/rancher-desktop type 9p (rw,dirsync,relatime,mmap,access=client,trans=virtio)
Of course waiting for the VM to start before running the shell command
q
jsoref@jsoref-mbp ~ % cat  ~/Library/Application\ Support/rancher-desktop/lima/_config/override.yaml
mountType: 9p
jsoref@jsoref-mbp ~ % rdctl shell mount | grep 9p

mount0 on /Users/jsoref/Library/Caches/rancher-desktop/k3s type 9p (ro,dirsync,relatime,fscache,cachetag=4294937672,access=client,trans=virtio)
mount1 on /Users/jsoref/Library/Logs/rancher-desktop type 9p (rw,dirsync,relatime,mmap,access=client,trans=virtio)
mount2 on /Users/jsoref type 9p (rw,dirsync,relatime,mmap,access=client,trans=virtio)
mount3 on /tmp/rancher-desktop type 9p (rw,dirsync,relatime,mmap,access=client,trans=virtio)
f
Ok, I'm confused. You wrote: "And I'd like to use the 9p stuff...", and this shows that you are using 9p
q
I'm using git@github.com:mastodon/mastodon.git as my start point
it has a docker-compose.yml file
when i try to docker compose up the redis and postgres things, they fail miserably
f
Oh, this is not really about 9p then 🙂
q
this lets me use the containers:
diff --git a/docker-compose.yml b/docker-compose.yml
index c534286c7..06a76b26b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,8 +8,8 @@ services:
       - internal_network
     healthcheck:
       test: ['CMD', 'pg_isready', '-U', 'postgres']
-    volumes:
-      - ./postgres14:/var/lib/postgresql/data
+    #volumes:
+    #  - ./postgres14:/var/lib/postgresql/data
     environment:
       - 'POSTGRES_HOST_AUTH_METHOD=trust'

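Review bot: Commenting out the volumes entry for ./postgres14:/var/lib/postgresql/data leaves the PostgreSQL data directory with no declared mount, so the database is no longer kept at a known host path and can be lost when the container and its volumes are removed. If the bind mount is being dropped only to get past host-mount permission errors, consider a named volume (for example postgres14:/var/lib/postgresql/data with a matching top-level volumes entry) instead of deleting the mount, and keep this as a local override, not a change to the shared docker-compose.yml.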
@@ -20,8 +20,8 @@ services:
       - internal_network
     healthcheck:
       test: ['CMD', 'redis-cli', 'ping']
-    volumes:
-      - ./redis:/data
+    # volumes:
+    #   - ./redis:/data

   # es:
   #   restart: always
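Review bot: The commented-out block for redis is written "# volumes:" with a space, while the postgres hunk uses "#volumes:"; pick one style so both can be re-enabled the same way. Dropping ./redis:/data also means Redis no longer writes its data to the host directory, so a named volume would be a better replacement if persistence is wanted.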
Well, my very naive understanding is that w/o 9p, permissions are guaranteed to fail miserably
But that w/ 9p, there's a chance that permissions inside the container could work even if the inside owner doesn't match the outside owner
insert some handwaving for all terminology -- please pretend i'm an end user who just wants things to work 🪄
f
It is all still a mess. You may need to specify the security model and caching mechanism to get the behaviour you want, see e.g. chown/chmod on mounted directory: Permission denied · Issue #231 · lima-vm/lima
q
location is an inside path?
f
Inside and outside are the same by default. Only very recent lima versions allow you to specify an alternate mountPoint for the inside path
q
🤯
ok, there are 3 perspectives available: macOS, lima, docker-container
location is macOS?
f
The idea behind Lima was that you shouldn't need to know about the "inside"; it should look like it runs directly on the host; the rest is behind the magic curtain.
location is on the host, and inside the VM, but not the container.
q
ok
f
mounts:
  - location: ~/Library/Caches/rancher-desktop/k3s
    writable: false
  - location: ~/Library/Logs/rancher-desktop
    writable: true
  - location: "~"
    writable: true
  - location: /tmp/rancher-desktop
    writable: true
q
notably as a macOS user, seeing a /opt path feels more like a container path than a host path
which is why it was easy for me to pick from my perspective the wrong of 2 choices (host=macOS, container)
Examples should really be written using macOS to hint to people that they're host paths and not container paths 🙂
f
I think you would only need to modify the caching and security settings for ~
q
jsoref@jsoref-mbp mastodon % cat ~/Library/Application\ Support/rancher-desktop/lima/_config/override.yaml
mountType: 9p
mounts:
  - location: "~"
    9p:
      securityModel: mapped-xattr
      cache: "mmap"
f
mountType: 9p
mounts:
- location: "~"
  9p:
    securityModel: mapped-xattr
    cache: "mmap"
q
and now i need to ask rancher to restart?
f
Yes
q
And there's no button for that? 🙂
f
I don't think so; it is not a common operation
q
(I'm pretty sure there's a button for reset)
f
There is a Factory Reset button on the trouble-shooting page...
q
yeah...
hmm, restarting rancher resulted in it asking for permissions
f
Weird; did you change anything else?
q
that's nice and all, but I'd kinda like to know on start why did rancher decide it needed permissions again (i.e. is it upgrading?)
"i dunno!"
the diagnostics page should really link me to the logs folder
f
I think it shows the operations it needs to do; you just have to expand them by pressing the triangle
q
yeah, but that's not meaningful
it doesn't explain how it got to that state, just what it's technically going to do to get out of it
f
I really want to get out of having to ask for admin passwords at all, except during installation. It should all be done by a privileged helper process instead.
q
it's pretty annoying, but, frankly, a bunch of apps do it, so i'm more or less used to cursing all of them
f
It makes it impossible to automate (well, very hard), which is one reason I want it gone 😄 (for automated testing)
q
wireshark, virtualbox (beta),
well, yeah, i'm not saying you shouldn't fix it, just that i'm used to a bunch of things being annoying
my favorite is that system preferences will randomly remind me that virtualbox is on the list
f
The whole /etc/sudoers.d thing is such a bad idea. At least I know now to avoid it in the future
q
please don't ask me "where the list is", why would I want to be able to answer that
what went wrong w/ sudoers.d?
f
Rules are processed in reverse order, and a generic rule can override a more specific rule. Which is the reason our file is called zzzzzz-rancher-desktop-lima
q
oh so you randomly lose to someone else's rule
right...
i remember this headache
f
But that is just a hack. There are also potential race conditions that you cannot really avoid. Probably hard to exploit, but feels bad.
q
welp, the alternative tends to be a helper app that gets into a confused state and insists on running but then fails to do anything so the next time its real app starts, it forces you back through the flow which ... see circle
cocoapacket analyzer is the one I was thinking about
f
Yeah, but at least with the helper app you are in full control; so you can debug and fix things
q
The email I sent to the author:
I was running 2.0.0 on some version of macOS... I've since upgraded to
Ventura 13.1. When I opened Cocoa Packet Analyzer and selected Check
for Updates, it offered an update to 2.0.7.

I let it install and restart and then was prompted to upgrade the
background helper. I click ok, enter my password, and then am prompted
to let it restart to use it.

Failed to bless helper. Error: -60006

Please relaunch CPA and try again!

It appears to be a perpetual loop.

----

I've trashed my app and downloaded a fresh one from
<https://www.tastycocoabytes.com/#offcanvasDownloads> and it still has
the same issue.

It's also rather painful to quit as the various modal-ish dialogs do
not cooperate with please quit requests.
f
😞
q
The author replied w/ a correct way to fix it:
thanks a lot for reporting. Sorry for the inconvenience! I assume you have been updating from a version < 2.0.4 and ended up in the install-restart loop :(

try issuing these commands in Terminal. It will be resetting the authorizationdb and remove the capture daemon:


sudo security authorizationdb remove com.tastycocoabytes.CPA.subscribeClient
sudo security authorizationdb remove com.tastycocoabytes.CPA.unsubscribeClient
sudo security authorizationdb remove com.tastycocoabytes.CPA.stopCapture
sudo security authorizationdb remove com.tastycocoabytes.CPA.startCapture

sudo rm /Library/LaunchDaemons/com.tastycocoabytes.cpasniffd.plist
sudo rm /Library/PrivilegedHelperTools/com.tastycocoabytes.cpasniffd
sudo killall -9 com.tastycocoabytes.cpasniffd

Afterwards CPA should be able to install the daemon. I changed the upgrade code for the daemon in 2.0.4 so hopefully this should not happen again.

Sorry for the rude english in the modal dialog. You are right it should be more pleasant!!!

If it still doesn't work please let me know!
that probably hints at where you need to put your magic evil, but, of course, please avoid stupid loops 😉
f
Anyways, I'm kind of short of time, catching up after being offline for 2 weeks. Does the override.yaml work for you?
q
lemme try running a container and see how it feels
ok, the containers seem happy. so, yay.
is there an argument against using:
mountType: 9p
mounts:
  - location: "~"
    9p:
      securityModel: mapped-xattr
      cache: "mmap"
by default in 1.8.0?
f
There is a matrix somewhere about all the possible combinations, and I find it hard to pick one in particular. Some settings have problems with permissions; others don't work with symlinks; there was no clear winner from my point of view.
😢 1
q
does 9p have issues w/ symlinks?
f
We need to make the settings configurable, at least via rdctl at first, but eventually via the UI and let the user make a decision
Yes, some security models don't support symlinks
q
that sounds really exciting 😞
how infeasible would it be to have something like:
mounts:
  - location: "~"
    limaMount: "/mapped-xattr/Users/..."
    9p:
      securityModel: mapped-xattr
      cache: "mmap"
  - location: "~"
    limaMount: "/sec-model-2/Users/..."
    9p:
      securityModel: sec-model-2
      cache: "mmap"
f
Might be slightly out of date, but this is what I was looking for: Add virtfs/9p mounts, instead of sshocker/sshfs by afbjorklund · Pull Request #726 · lima-vm/lima
q
then users wouldn't need to throw a ui wrench at it, but could just for a given container pick the path they like
f
I don't know how overlapping mounts work with 9p, but with reverse-sshfs they don't work
q
why would it see them that way?
f
What would seem which way?
q
the idea being that in lima each has a distinct mount point
it isn't really "overlapping" in the way I'd imagine an overlap
i mean, i get that x different critters will want to be able to read/write the underlying path, but, there's also any other app running on the host which could also do that anyway...
q
I think that's a different overlap (one I also considered asking about, but didn't try to here)
f
Note that you would also have multiple caches for the same host directories, which wouldn't know about each other
If you use write-through to the host, without caching, the performance would be terrible
q
I can live w/ that. a given container will only use a single path map, and a user is unlikely to have multiple containers touching the same path at the same time -- and if they do, that's a problem of their own making
I'm imagining parallel mount directories in lima, so they aren't overlapping, which i think is different from 302
f
Many PHP users are using Mutagen | Cloud-based development using your local tools because all the file sharing mechanisms are too slow for their huge numbers of files
Things become more interesting by throwing virtiofs into the mix as well, but that too seems to have performance issues
I will try to dive into this to get an up-to-date status, but not right now
👍 1
So, are things working for you now, or not?
q
Anyway, thanks, for our basic use case which is generally a single container running a database managing a single directory where the user is pinned, things work
f
(Note that your config does not support symlinks)
q
thankfully none of the databases i'm touching are likely to deal w/ symlinks
although, hmm, i guess if we use symlinks anywhere else they'll explode?
f
I think they will just look like regular files, so they should work fine, as long as you are only reading them. But this is from memory, so I might be wrong.
And it means you can have loops in your filesystem that you won't be able to detect because the symlink now looks like a regular file/directory.
Until you run into the mac path length issue 🙂
Alright, glad to hear it is working; I have to take care of other stuff now