[SREP-3695] feat: add a warning message if mac users run podman without rosetta

[feichashao]

What type of PR is this?

• fix (Bug Fix)
• feat (New Feature)
• docs (Documentation)
• test (Test Coverage)
• chore (Clean Up / Maintenance Tasks)
• other (Anything that doesn't fit the above)

What this PR does / Why we need it?

This PR adds a warning message to the mac users who run podman without rosetta.

We encountered compatibility issues where podman container exits with seg fault if running an x86_64 image on mac M1/M2/M3. Enabling rosetta can solve the compatibility issue.

Which Jira/Github issue(s) does this PR fix?

https://redhat.atlassian.net/browse/SREP-3695

Special notes for your reviewer

Unit Test Coverage

Guidelines

• If it's a new sub-command or new function to an existing sub-command, please cover at least 50% of the code
• If it's a bug fix for an existing sub-command, please cover 70% of the code

Test coverage checks

• Added unit tests
• Created jira card to add unit test
• This PR may not need unit tests

Pre-checks (if applicable)

• Ran unit tests locally
• Validated the changes in a cluster
• Included documentation changes with PR
• Backward compatible

/label tide/merge-method-squash

Summary by CodeRabbit

• New Features

  • Added a macOS (Apple Silicon) pre-start hint that warns when Rosetta appears absent.
  • The warning is non-blocking and appears before launching the console container on macOS; Linux behavior is unchanged.
  • Check runs early to improve startup transparency while still allowing the container to start.

• Tests

  • Added architecture-aware tests ensuring the Rosetta check runs on Apple Silicon and not on other platforms.

[coderabbitai]

Walkthrough

Adds a macOS (Apple Silicon) non-fatal Rosetta detection that runs a podman machine ssh inspection of binfmt_misc at the start of (*podmanMac).RunConsoleContainer and logs a warning only when the command succeeds and output lacks rosetta; Linux path unchanged.

Changes

Cohort / File(s)	Summary
Rosetta detection & integration pkg/container/container_podman.go	Added unexported checkRosettaEnabled which executes podman machine ssh to inspect binfmt_misc and emits a logger.Warnf only if the command succeeds and the output does not contain rosetta. Called at the start of (*podmanMac).RunConsoleContainer on macOS; Linux path unchanged.
Tests (arch-aware) pkg/container/container_test.go	Added runtime-aware Ginkgo contexts and assertions: on arm64 expect a preflight podman machine ssh command capture (Rosetta check) before the container-run command; on non-arm64 expect no Rosetta-check capture. Adjusted existing console-container test to allow capturedCommands >= 1 and assert against the last captured command’s args and --env entries.

Sequence Diagram

sequenceDiagram
    participant App as Application
    participant Console as RunConsoleContainer
    participant Check as checkRosettaEnabled
    participant SSH as PodmanMachineSSH
    participant Binfmt as binfmt_misc

    App->>Console: Start console container (macOS/arm64)
    Console->>Check: Invoke Rosetta check
    Check->>SSH: Execute `podman machine ssh` (inspect binfmt_misc)
    SSH->>Binfmt: Query binfmt registrations
    Binfmt-->>SSH: Return registrations
    SSH-->>Check: Return output
    alt contains "rosetta"
        Check-->>Console: No warning (proceed)
    else missing "rosetta"
        Check->>Check: Log warning about missing Rosetta
        Check-->>Console: Return (proceed)
    end
    Console->>Console: Start container process (original run)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding a warning message for macOS users running Podman without Rosetta, which aligns with the primary purpose of the PR.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Review rate limit: 9/10 reviews remaining, refill in 6 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: feichashao

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [feichashao]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/container/container_podman.go`:
- Around line 16-25: checkRosettaEnabled currently calls createCommand(PODMAN,
"machine", "ssh", ...) synchronously which can block startup and also runs on
non-Apple Silicon macOS; modify checkRosettaEnabled to first short-circuit
unless runtime.GOOS == "darwin" && runtime.GOARCH == "arm64", then execute the
podman ssh check with a cancellable context/timeout (use context.WithTimeout and
exec.CommandContext or a createCommandContext helper) so the command is killed
after a short deadline and cannot hang RunConsoleContainer; alternatively
refactor RunConsoleContainer to accept a context and use CommandContext there,
but ensure checkRosettaEnabled uses a context timeout and captures stdout/stderr
non-blockingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f12c2bb5-bc03-42e2-ad30-0290128a6bf8

📥 Commits

Reviewing files that changed from the base of the PR and between 14f1ee2 and 1c941f0.

📒 Files selected for processing (2)

• pkg/container/container_podman.go
• pkg/container/container_test.go

[codecov-commenter]

Codecov Report

❌ Patch coverage is 33.33333% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 53.94%. Comparing base (c372261) to head (d3262ba).
⚠️ Report is 3 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/container/container_podman.go	33.33%	8 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #930      +/-   ##
==========================================
- Coverage   54.00%   53.94%   -0.07%     
==========================================
  Files          88       88              
  Lines        6662     6674      +12     
==========================================
+ Hits         3598     3600       +2     
- Misses       2596     2605       +9     
- Partials      468      469       +1     

Files with missing lines	Coverage Δ
pkg/container/container_podman.go	50.00% <33.33%> (-1.70%)	⬇️

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

♻️ Duplicate comments (1)

pkg/container/container_podman.go (1)

15-31: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Rosetta preflight can still block startup, and the platform guard is incomplete.

Despite the “non-blocking” intent (Line 16), Line 28 runs podman machine ssh synchronously with no timeout, so Line 111 can hang RunConsoleContainer() if the command stalls. Also, the check should gate on both macOS and arm64 to match the feature scope.

Suggested fix

 import (
 	"bytes"
 	"encoding/base64"
 	"fmt"
 	"os"
 	"path/filepath"
 	"runtime"
 	"strings"
+	"time"

 	logger "github.com/sirupsen/logrus"
 )

 func checkRosettaEnabled() {
-	// Rosetta is only relevant on Apple Silicon (arm64); skip on Intel Macs
-	if runtime.GOARCH != "arm64" {
+	// Rosetta is only relevant on macOS Apple Silicon.
+	if runtime.GOOS != MACOS || runtime.GOARCH != "arm64" {
 		return
 	}

 	checkCmd := createCommand(PODMAN, "machine", "ssh", "ls /proc/sys/fs/binfmt_misc/")
 	var out bytes.Buffer
 	checkCmd.Stdout = &out
 	checkCmd.Stderr = nil

-	if err := checkCmd.Run(); err != nil {
-		// Silently skip if we can't check
-		return
-	}
+	done := make(chan error, 1)
+	go func() { done <- checkCmd.Run() }()
+
+	select {
+	case err := <-done:
+		if err != nil {
+			return
+		}
+	case <-time.After(3 * time.Second):
+		if checkCmd.Process != nil {
+			_ = checkCmd.Process.Kill()
+		}
+		return
+	}

 	if !strings.Contains(out.String(), "rosetta") {
 		logger.Warnf("Rosetta does not appear to be enabled in Podman. For better compatibility with x86_64 images on Apple Silicon, please configure Rosetta. See docs/macOS.md for setup instructions.")
 	}
 }

As per coding guidelines, **/*.go: “Check for proper error handling” and “Focus on Go best practices and idiomatic patterns.”

Also applies to: 109-112

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/container/container_podman.go` around lines 15 - 31, checkRosettaEnabled
currently only checks runtime.GOARCH and runs a synchronous podman SSH command
that can hang; change the guard to require both runtime.GOARCH == "arm64" and
runtime.GOOS == "darwin" and run the check with a context timeout so it cannot
block startup or RunConsoleContainer; create the command with a context (use
exec.CommandContext or update createCommand to accept a context), set Stdout/
Stderr to buffers, handle context.DeadlineExceeded by returning (or logging
non-fatal info) and avoid blocking on long-running Run(); ensure the function
name checkRosettaEnabled and PODMAN/createCommand references are updated
accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@pkg/container/container_podman.go`:
- Around line 15-31: checkRosettaEnabled currently only checks runtime.GOARCH
and runs a synchronous podman SSH command that can hang; change the guard to
require both runtime.GOARCH == "arm64" and runtime.GOOS == "darwin" and run the
check with a context timeout so it cannot block startup or RunConsoleContainer;
create the command with a context (use exec.CommandContext or update
createCommand to accept a context), set Stdout/ Stderr to buffers, handle
context.DeadlineExceeded by returning (or logging non-fatal info) and avoid
blocking on long-running Run(); ensure the function name checkRosettaEnabled and
PODMAN/createCommand references are updated accordingly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3f434bd7-85a6-4219-9562-3c2108803f53

📥 Commits

Reviewing files that changed from the base of the PR and between 1c941f0 and 543da63.

📒 Files selected for processing (2)

• pkg/container/container_podman.go
• pkg/container/container_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/container/container_test.go

[coderabbitai]

♻️ Duplicate comments (1)

pkg/container/container_podman.go (1)

15-31: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

checkRosettaEnabled is still blocking despite the non-blocking contract.

Line 16 says non-blocking, but Line 28 uses synchronous checkCmd.Run() with no timeout, so RunConsoleContainer() can still hang if podman machine ssh stalls.

Suggested fix (bounded wait, no indefinite hang)

 import (
 	"bytes"
 	"encoding/base64"
 	"fmt"
 	"os"
 	"path/filepath"
 	"runtime"
 	"strings"
+	"time"

 	logger "github.com/sirupsen/logrus"
 )
@@
-	if err := checkCmd.Run(); err != nil {
-		// Silently skip if we can't check
-		return
-	}
+	done := make(chan error, 1)
+	go func() { done <- checkCmd.Run() }()
+
+	select {
+	case err := <-done:
+		if err != nil {
+			// Silently skip if we can't check
+			return
+		}
+	case <-time.After(3 * time.Second):
+		if checkCmd.Process != nil {
+			_ = checkCmd.Process.Kill()
+		}
+		return
+	}

#!/bin/bash
set -euo pipefail

# Verify current Rosetta check is synchronous and lacks timeout/cancellation.
rg -n --type=go -C3 'func checkRosettaEnabled\(|checkCmd := createCommand\(|checkCmd\.Run\(\)|context\.WithTimeout|CommandContext'

As per coding guidelines **/*.go: "Check for proper error handling" and "Review security implications, especially for CLI tools."

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b1f3977d-5a89-4951-87ea-4ee6ec3676f2

📥 Commits

Reviewing files that changed from the base of the PR and between 543da63 and d3262ba.

📒 Files selected for processing (1)

• pkg/container/container_podman.go

[openshift-ci]

@feichashao: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.