docker-slim doesn't work on macos aarch64 (arm on m1) with an aarch64 docker image

[elliots]

Expected Behavior

Run docker-slim against an aarch64 docker image, it runs.

---

Actual Behavior

Fails to run... log message:

cmd=build info=event.error status='received' data='SensorError{Op:sensor.fanotify.Run/fanapi.Initialize,Kind:call.error,Wrapped:{Type=syscall.Errno,Info=function not implemented,Line:43,File:github.com/docker-slim/docker-slim/pkg/app/sensor/monitors/fanotify/monitor.go}}'

The issue I think is that there is no arm build of docker-slim-sensor?

---

Steps to Reproduce the Problem

1. install using brew (or zip)
2. run docker-slim on an aarch64 image

---

Specifications

• Version: latest
• Platform: macos aarch64

---

Fix (build it yourself)

• git clone git clone [email protected]:docker-slim/docker-slim.git
• cd docker-slim
• GOOS=linux go build -o /usr/local/bin/docker-slim-sensor cmd/docker-slim-sensor/main.go

[kcq]

Thank you @elliots for opening the issue! Investigating... will update soon.

[kcq]

@elliots Wonder about the repro steps... You mention downloading zip as a potential way to repro. The mac zip on the github page shouldn't work on M1 because the main app isn't built for darwin arm64 and the sensor is not built for linux arm64. Curious what kind of error message(s) you got trying to use the downloaded zip.

The brew installer seems to have a build for M1, but I'm not quite sure how they do the build for their binary package installations and the formula doesn't explicitly set the architecture... Do you mind running file on the docker-slim and docker-slim-sensor you get with brew?

[elliots]

I tried both brew and zip, its possible it was a different error for the sensor with the zip and I didn't notice (x86 docker-slim will work fine though with rosetta)

The brew installed version actually is aarch64, which means that isn't the issue.

➜ file bin/docker-slim
bin/docker-slim: Mach-O 64-bit executable arm64

➜ file bin/docker-slim-sensor
bin/docker-slim-sensor: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, Go BuildID=URIQ-ncu99UHova0s6Xx/rh_UfBbiVaSn5oIczBVV/H_9yEdLuDBvvheWRt6gB/-0tqU5DbG3U0QT-DrNnN, stripped

But when I run I get

cmd=build info=param.http.probe message='using default probe' 
cmd=build info=exec message='updating continue-after mode to probe&exec' 
cmd=build state=started
cmd=build info=params tags='' target='atlas-magic' continue.mode='probe&exec' rt.as.user='true' keep.perms='true' 
cmd=build state=image.inspection.start
cmd=build info=image id='sha256:d571b9324a16b9b07b962d65195aebacf2f5d7c405094555ec53da909d740563' size.bytes='2799916012' size.human='2.8 GB' 
cmd=build info=image.stack index='0' name='atlas-magic.fat:latest' id='sha256:d571b9324a16b9b07b962d65195aebacf2f5d7c405094555ec53da909d740563' 
cmd=build state=image.inspection.done
cmd=build state=container.inspection.start
cmd=build info=container status='created' name='dockerslimk_90361_20210712045559' id='68e9111489530e9bca211df1836eda9cc11ebec8ba64c3691a3a97b5b65d1350' 
cmd=build info=cmd.startmonitor status='sent' 
cmd=build info=event.error status='received' data='SensorError{Op:sensor.fanotify.Run/fanapi.Initialize,Kind:call.error,Wrapped:{Type=syscall.Errno,Info=function not implemented,Line:43,File:github.com/docker-slim/docker-slim/pkg/app/sensor/monitors/fanotify/monitor.go}}' 
cmd=build state=exited code=-124 version=darwin|Transformer|1.36.1|latest|latest component=container.inspector 

Some other things i just tried:

• moving the brew installed binaries to /usr/local/bin
• adding homebrew dir (/opt/homebrew) to the list of allowed mount points in docker mac ui

I then built just docker-slim again myself with go build -o /usr/local/bin/docker-slim cmd/docker-slim/main.go and it started working.

:/

My locally built binary:

✦ ➜ file /usr/local/bin/docker-slim
/usr/local/bin/docker-slim: Mach-O 64-bit executable arm64

Not sure what's going on. Maybe something to do with (self) signing?

[kcq]

That's a lot of useful information... Thank you for confirming the sensor architecture @elliots ! There's a chance that your local Go version is different from the Go version used to compile the sensor. What version of Go do you have installed on your machine?

[elliots]

What version of Go do you have installed on your machine?

➜ go version
go version go1.16.5 darwin/arm64

[kcq]

Thanks @elliots ! Can you also check the Go compiler version for the docker-slim-sensor you got with brew? go version ./docker-slim-sensor should do it (strings ./docker-slim | grep 'go1\.' might do it too).

[elliots]

➜ go version /opt/homebrew/Cellar/docker-slim/1.36.1/bin/docker-slim-sensor 
/opt/homebrew/Cellar/docker-slim/1.36.1/bin/docker-slim-sensor: go1.16.5

[kcq]

Thanks @elliots ! The old(er) Go version theory doesn't seem like the reason... Let's try something different then :) I'll create an M1 build to see if that works.

[kcq]

@elliots try using this https://downloads.dockerslim.com/releases/1.36.1/dist_mac_m1.zip Let me know if it work or how it fails

[elliots]

@elliots try using this https://downloads.dockerslim.com/releases/1.36.1/dist_mac_m1.zip Let me know if it work or how it fails

That build worked.

[ryanobjc]

I've been having the same problem, and alas this build did not work for me, here is my output:

ryan@macbookprom1 dist_mac_m1 % ./docker-slim build --target rn:rust --tag rn:rust1 --http-probe=false docker-slim: message='join the Gitter channel to ask questions or to share your feedback' info='https://gitter.im/docker-slim/community' docker-slim: message='join the Discord server to ask questions or to share your feedback' info='https://discord.gg/9tDyxYS' docker-slim: message='Github discussions' info='https://github.com/docker-slim/docker-slim/discussions' cmd=build info=exec message='changing continue-after from probe to nothing because http-probe is disabled' cmd=build info=exec message='changing continue-after to enter' cmd=build state=started cmd=build info=params tags='rn:rust1' target='rn:rust' continue.mode='enter' rt.as.user='true' keep.perms='true' cmd=build state=image.inspection.start cmd=build info=image size.human='81 MB' id='sha256:9f438f6bdda481f499e7c1d798dd9bfe272a2651a2ac5adc4d1b26eaaa379b30' size.bytes='81130718' cmd=build info=image.stack id='sha256:9f438f6bdda481f499e7c1d798dd9bfe272a2651a2ac5adc4d1b26eaaa379b30' index='0' name='rn:rust' cmd=build state=image.inspection.done cmd=build state=container.inspection.start cmd=build info=container status='created' name='dockerslimk_35050_20210719162638' id='f810202199b2d55eabb186cea759157fc752db4ab550b5736be105ceb61895b8' cmd=build info=cmd.startmonitor status='sent' cmd=build info=event.error status='received' data='SensorError{Op:sensor.fanotify.Run/fanapi.Initialize,Kind:call.error,Wrapped:{Type=syscall.Errno,Info=function not implemented,Line:43,File:github.com/docker-slim/docker-slim@/pkg/app/sensor/monitors/fanotify/monitor.go}}' cmd=build state=exited code=-124 component=container.inspector version=darwin|Transformer|1.36.1-10-gc32a539|c32a5396dfb7240fb92f885987666bfdec9bbc9e|2021-07-12_05:40:12AM

[kcq]

@ryanobjc it's possible docker-slim is not picking up the right sensor volume and an older sensor version gets loaded. Try deleting all sensor volumes. You can find the sensor volumes with the docker volume ls command. Then you'll need to delete all volumes that start with docker-slim-sensor.

[ryanobjc]

Oh yes that was it, now it works, thanks :-)

[kcq]

Oh yes that was it, now it works, thanks :-)

The volume detection bug should've been addressed already... need to investigate why it's still happening.