feature: use Rosetta AOT Caching with CDI

This change introduces device configuration to enable Rosetta AOT Caching in Docker VMs.

- Modify Rosetta Caching Options from Abstract Socket to Unix Domain Socket:
  Unix Domain Socket can be mounted within a container using the Container Device Interface (CDI) mechanism.
  This requires merging the following pull request: Code-Hex/vz#195.

- Register Rosettad AOT Caching Daemon as a service:
  - `/etc/systemd/system/rosettad.service` on systemd
  - `/etc/init.d/rosettad` on OpenRC

- Add "lima.io/rosetta=cached" device specification to `/etc/cdi/rosetta.yaml`
  see: https://github.com/cncf-tags/container-device-interface/blob/main/SPEC.md

- Add `{~/.config,/etc}/docker/daemon.json` to `docker{,-rootful}.yaml`
  - `.features.cdi = true` to enable CDI
  - `.features."containerd-snapshotter" = true` to enable multi-arch builds

To enable Rosetta AOT Caching in docker, use `--device=lima.io/rosetta=cached`.
see: https://docs.docker.com/build/building/cdi/

Signed-off-by: Norio Nomura <norio.nomura@gmail.com>

Author: norio-nomura

go.mod

@@ -135,3 +135,7 @@ require (
 	sigs.k8s.io/structured-merge-diff/v4 v4.5.0 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
+
+// To use Roseetta AOT Caching with CDI, it requires to fix vz.NewLinuxRosettaUnixSocketCachingOptions.
+// see: https://github.com/Code-Hex/vz/pull/195
+replace github.com/Code-Hex/vz/v3 => github.com/norio-nomura/vz/v3 v3.7.1-0.20250815045701-95b4b8c6ff35

go.sum

@@ -4,8 +4,6 @@ github.com/AlecAivazis/survey/v2 v2.3.7 h1:6I/u8FvytdGsgonrYsVn2t8t4QiRnh6QSTqkk
 github.com/AlecAivazis/survey/v2 v2.3.7/go.mod h1:xUTIdE4KCOIjsBAE1JYsUPoCqYdZ1reCfTwbto0Fduo=
 github.com/Code-Hex/go-infinity-channel v1.0.0 h1:M8BWlfDOxq9or9yvF9+YkceoTkDI1pFAqvnP87Zh0Nw=
 github.com/Code-Hex/go-infinity-channel v1.0.0/go.mod h1:5yUVg/Fqao9dAjcpzoQ33WwfdMWmISOrQloDRn3bsvY=
-github.com/Code-Hex/vz/v3 v3.7.0 h1:VEkfq5TVKnv85M81gQVPzLH9JzHrUJN/QQMpDZ+odPA=
-github.com/Code-Hex/vz/v3 v3.7.0/go.mod h1:1LsW0jqW0r0cQ+IeR4hHbjdqOtSidNCVMWhStMHGho8=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
@@ -197,6 +195,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/norio-nomura/vz/v3 v3.7.1-0.20250815045701-95b4b8c6ff35 h1:HHEmYEMeSeJ+rGWZu2QQOnQAPAmzTMEzn2EeW77RHV4=
+github.com/norio-nomura/vz/v3 v3.7.1-0.20250815045701-95b4b8c6ff35/go.mod h1:1LsW0jqW0r0cQ+IeR4hHbjdqOtSidNCVMWhStMHGho8=
 github.com/nxadm/tail v1.4.11 h1:8feyoE3OzPrcshW5/MJ4sGESc5cqmGkGCWlco4l0bqY=
 github.com/nxadm/tail v1.4.11/go.mod h1:OTaG3NK980DZzxbRq6lEuzgU+mug70nY11sMd4JXXHc=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=

pkg/cidata/cidata.TEMPLATE.d/boot/05-rosetta-volume.sh

@@ -31,3 +31,76 @@ else
 	# remove binfmt.d(5) configuration if it exists
 	[ ! -f "$binfmtd_conf" ] || rm "$binfmtd_conf"
 fi
+
+if [ -x /mnt/lima-rosetta/rosettad ]; then
+	CACHE_DIRECTORY=/var/cache/rosettad
+	DEFAULT_SOCKET=${CACHE_DIRECTORY}/uds/rosetta.sock
+	EXPECTED_SOCKET=/run/rosettad/rosetta.sock
+
+	# Create rosettad service
+	if [ -f /sbin/openrc-run ]; then
+		cat >/etc/init.d/rosettad <<EOF
+#!/sbin/openrc-run
+name="rosettad"
+description="Rosetta AOT Caching Daemon"
+required_dirs=/mnt/lima-rosetta
+required_files=/mnt/lima-rosetta/rosettad
+command=/mnt/lima-rosetta/rosettad
+command_args="daemon ${CACHE_DIRECTORY}"
+command_background=true
+pidfile="/run/rosettad.pid"
+start_pre() {
+	# To detect creation of the socket by rosettad, remove the old socket before starting
+	test ! -e "${DEFAULT_SOCKET}" || rm -f "${DEFAULT_SOCKET}"
+}
+start_post() {
+	# Set the socket permission to world-writable
+	while ! chmod -f go+w "${DEFAULT_SOCKET}"; do sleep 1; done
+	# Create the symlink as expected by the configuration to enable Rosetta AOT caching
+	mkdir -p "$(dirname "${EXPECTED_SOCKET}")"
+	ln -sf "${DEFAULT_SOCKET}" "${EXPECTED_SOCKET}"
+}
+EOF
+		chmod 755 /etc/init.d/rosettad
+		rc-update add rosettad default
+		rc-service rosettad start
+	else
+		cat > /etc/systemd/system/rosettad.service <<EOF
+[Unit]
+Description=Rosetta AOT Caching Daemon
+RequiresMountsFor=/mnt/lima-rosetta
+[Service]
+RuntimeDirectory=rosettad
+CacheDirectory=rosettad
+# To detect creation of the socket by rosettad, remove the old socket
+ExecStartPre=sh -c "test ! -e \"${DEFAULT_SOCKET}\" || rm -f \"${DEFAULT_SOCKET}\""
+ExecStart=/mnt/lima-rosetta/rosettad daemon "${CACHE_DIRECTORY}"
+# Set the socket permission to world-writable and create the symlink as expected by the configuration to enable Rosetta AOT caching.
+ExecStartPost=sh -c "while ! chmod -f go+w \"${DEFAULT_SOCKET}\"; do sleep 1; done; ln -sf \"${DEFAULT_SOCKET}\" \"${EXPECTED_SOCKET}\""
+OOMPolicy=continue
+OOMScoreAdjust=-500
+[Install]
+WantedBy=default.target
+EOF
+		systemctl is-enabled rosettad || systemctl enable --now rosettad
+	fi
+
+	# Create CDI configuration for Rosetta
+	mkdir -p /etc/cdi /var/run/cdi /etc/buildkit/cdi
+	cat > /etc/cdi/rosetta.yaml <<EOF
+cdiVersion: "0.6.0"
+kind: "lima.io/rosetta"
+devices:
+- name: cached
+  containerEdits:
+    mounts:
+    - hostPath: /var/cache/rosettad/uds/rosetta.sock
+      containerPath: /run/rosettad/rosetta.sock
+      options: [bind]
+annotations:
+  org.mobyproject.buildkit.device.autoallow: true
+EOF
+else
+	# Remove CDI configuration for Rosetta AOT Caching
+	[ ! -f /etc/cdi/rosetta.yaml ] || rm /etc/cdi/rosetta.yaml
+fi

pkg/driver/vz/rosetta_directory_share_arm64.go

@@ -44,7 +44,7 @@ func createRosettaDirectoryShareConfiguration() (*vz.VirtioFileSystemDeviceConfi
 		return nil, fmt.Errorf("failed to get macOS product version: %w", err)
 	}
 	if !macOSProductVersion.LessThan(*semver.New("14.0.0")) {
-		cachingOption, err := vz.NewLinuxRosettaAbstractSocketCachingOptions("rosetta")
+		cachingOption, err := vz.NewLinuxRosettaUnixSocketCachingOptions("/run/rosettad/rosetta.sock")
 		if err != nil {
 			return nil, fmt.Errorf("failed to create a new rosetta directory share caching option: %w", err)
 		}

templates/docker-rootful.yaml

@@ -38,6 +38,18 @@ provision:
       SocketUser={{.User}}
     EOF
     fi
+    daemon_json="/etc/docker/daemon.json"
+    if [ ! -f "${daemon_json}" ]; then
+      mkdir -p "$(dirname "${daemon_json}")"
+      cat > "${daemon_json}" <<EOF
+    {
+      "features": {
+        "cdi": true,
+        "containerd-snapshotter": true
+      }
+    }
+    EOF
+    fi
     export DEBIAN_FRONTEND=noninteractive
     curl -fsSL https://get.docker.com | sh
 probes:

templates/docker.yaml

@@ -39,6 +39,18 @@ provision:
   script: |
     #!/bin/bash
     set -eux -o pipefail
+    daemon_json="{{.Home}}/.config/docker/daemon.json"
+    if [ ! -f "${daemon_json}" ]; then
+      mkdir -p "$(dirname "${daemon_json}")"
+      cat > "${daemon_json}" <<EOF
+    {
+      "features": {
+        "cdi": true,
+        "containerd-snapshotter": true
+      }
+    }
+    EOF
+    fi
     systemctl --user start dbus
     dockerd-rootless-setuptool.sh install
     docker context use rootless