From e198d52e2434e16124528157540471f577126c05 Mon Sep 17 00:00:00 2001
From: Norio Nomura <norio.nomura@gmail.com>
Date: Mon, 18 Aug 2025 18:33:34 +0900
Subject: [PATCH 1/2] feature: use Rosetta AOT Caching with CDI

This change introduces device configuration to enable Rosetta AOT Caching in Docker VMs.

- Modify Rosetta Caching Options from Abstract Socket to Unix Domain Socket:
  Unix Domain Socket can be mounted within a container using the Container Device Interface (CDI) mechanism.
  This requires merging the following pull request: https://github.com/Code-Hex/vz/pull/195.

- Register Rosettad AOT Caching Daemon as a service:
  - `/etc/systemd/system/rosettad.service` on systemd
  - `/etc/init.d/rosettad` on OpenRC

- Add "lima.io/rosetta=cached" device specification to `{~/.config,/etc}/cdi/rosetta.yaml`
  see: https://github.com/cncf-tags/container-device-interface/blob/main/SPEC.md

- Add `{~/.config,/etc}/docker/daemon.json` to `docker{,-rootful}.yaml`
  - `.features.cdi = true` to enable CDI

- Add `enable_cdi = true` to `{~/.config,/etc}/containerd/config.toml`

To enable Rosetta AOT Caching in docker, use `--device=lima.io/rosetta=cached`.
see: https://docs.docker.com/build/building/cdi/

Signed-off-by: Norio Nomura <norio.nomura@gmail.com>

# Conflicts:
#	templates/docker-rootful.yaml
---
 .../boot/40-install-containerd.sh             |  4 +
 pkg/driver/vz/boot/05-rosetta-volume.sh       | 78 +++++++++++++++++++
 .../vz/rosetta_directory_share_arm64.go       |  2 +-
 templates/docker-rootful.yaml                 |  4 +-
 templates/docker.yaml                         |  4 +-
 5 files changed, 89 insertions(+), 3 deletions(-)

diff --git a/pkg/cidata/cidata.TEMPLATE.d/boot/40-install-containerd.sh b/pkg/cidata/cidata.TEMPLATE.d/boot/40-install-containerd.sh
index aa7843b2c28..0ab8e364de5 100644
--- a/pkg/cidata/cidata.TEMPLATE.d/boot/40-install-containerd.sh
+++ b/pkg/cidata/cidata.TEMPLATE.d/boot/40-install-containerd.sh
@@ -45,6 +45,8 @@ if [ "${LIMA_CIDATA_CONTAINERD_SYSTEM}" = 1 ]; then
 	mkdir -p /etc/containerd /etc/buildkit
 	cat >"/etc/containerd/config.toml" <<EOF
   version = 2
+  [plugins."io.containerd.grpc.v1.cri"]
+    enable_cdi = true
   [proxy_plugins]
     [proxy_plugins."stargz"]
       type = "snapshot"
@@ -67,6 +69,8 @@ if [ "${LIMA_CIDATA_CONTAINERD_USER}" = 1 ]; then
 		mkdir -p "${LIMA_CIDATA_HOME}/.config/containerd"
 		cat >"${LIMA_CIDATA_HOME}/.config/containerd/config.toml" <<EOF
   version = 2
+  [plugins."io.containerd.grpc.v1.cri"]
+    enable_cdi = true
   [proxy_plugins]
     [proxy_plugins."fuse-overlayfs"]
       type = "snapshot"
diff --git a/pkg/driver/vz/boot/05-rosetta-volume.sh b/pkg/driver/vz/boot/05-rosetta-volume.sh
index 9fa517aeb17..e7cd0d787ad 100755
--- a/pkg/driver/vz/boot/05-rosetta-volume.sh
+++ b/pkg/driver/vz/boot/05-rosetta-volume.sh
@@ -31,3 +31,81 @@ else
 	# remove binfmt.d(5) configuration if it exists
 	[ ! -f "$binfmtd_conf" ] || rm "$binfmtd_conf"
 fi
+
+if [ -x /mnt/lima-rosetta/rosettad ]; then
+	CACHE_DIRECTORY=/var/cache/rosettad
+	DEFAULT_SOCKET=${CACHE_DIRECTORY}/uds/rosetta.sock
+	EXPECTED_SOCKET=/run/rosettad/rosetta.sock
+
+	# Create rosettad service
+	if [ -f /sbin/openrc-run ]; then
+		cat >/etc/init.d/rosettad <<EOF
+#!/sbin/openrc-run
+name="rosettad"
+description="Rosetta AOT Caching Daemon"
+required_dirs=/mnt/lima-rosetta
+required_files=/mnt/lima-rosetta/rosettad
+command=/mnt/lima-rosetta/rosettad
+command_args="daemon ${CACHE_DIRECTORY}"
+command_background=true
+pidfile="/run/rosettad.pid"
+start_pre() {
+	# To detect creation of the socket by rosettad, remove the old socket before starting
+	test ! -e "${DEFAULT_SOCKET}" || rm -f "${DEFAULT_SOCKET}"
+}
+start_post() {
+	# Set the socket permission to world-writable
+	while ! chmod -f go+w "${DEFAULT_SOCKET}"; do sleep 1; done
+	# Create the symlink as expected by the configuration to enable Rosetta AOT caching
+	mkdir -p "$(dirname "${EXPECTED_SOCKET}")"
+	ln -sf "${DEFAULT_SOCKET}" "${EXPECTED_SOCKET}"
+}
+EOF
+		chmod 755 /etc/init.d/rosettad
+		rc-update add rosettad default
+		rc-service rosettad start
+	else
+		cat >/etc/systemd/system/rosettad.service <<EOF
+[Unit]
+Description=Rosetta AOT Caching Daemon
+RequiresMountsFor=/mnt/lima-rosetta
+[Service]
+RuntimeDirectory=rosettad
+CacheDirectory=rosettad
+# To detect creation of the socket by rosettad, remove the old socket
+ExecStartPre=sh -c "test ! -e \"${DEFAULT_SOCKET}\" || rm -f \"${DEFAULT_SOCKET}\""
+ExecStart=/mnt/lima-rosetta/rosettad daemon "${CACHE_DIRECTORY}"
+# Set the socket permission to world-writable and create the symlink as expected by the configuration to enable Rosetta AOT caching.
+ExecStartPost=sh -c "while ! chmod -f go+w \"${DEFAULT_SOCKET}\"; do sleep 1; done; ln -sf \"${DEFAULT_SOCKET}\" \"${EXPECTED_SOCKET}\""
+OOMPolicy=continue
+OOMScoreAdjust=-500
+[Install]
+WantedBy=default.target
+EOF
+		systemctl is-enabled rosettad || systemctl enable --now rosettad
+	fi
+
+	# Create CDI configuration for Rosetta
+	mkdir -p /etc/cdi /var/run/cdi /etc/buildkit/cdi
+	cat >/etc/cdi/rosetta.yaml <<EOF
+cdiVersion: "0.6.0"
+kind: "lima-vm.io/rosetta"
+devices:
+- name: cached
+  containerEdits:
+    mounts:
+    - hostPath: /var/cache/rosettad/uds/rosetta.sock
+      containerPath: /run/rosettad/rosetta.sock
+      options: [bind]
+annotations:
+  org.mobyproject.buildkit.device.autoallow: true
+EOF
+	# nerdctl requires user-specific CDI configuration directories
+	mkdir -p "${LIMA_CIDATA_HOME}/.config/cdi"
+	ln -sf /etc/cdi/rosetta.yaml "${LIMA_CIDATA_HOME}/.config/cdi/"
+	chown -R "${LIMA_CIDATA_USER}" "${LIMA_CIDATA_HOME}/.config"
+else
+	# Remove CDI configuration for Rosetta AOT Caching
+	[ ! -f /etc/cdi/rosetta.yaml ] || rm /etc/cdi/rosetta.yaml
+	[ ! -d "${LIMA_CIDATA_HOME}/.config/cdi/rosetta.yaml" ] || rm "${LIMA_CIDATA_HOME}/.config/cdi/rosetta.yaml"
+fi
diff --git a/pkg/driver/vz/rosetta_directory_share_arm64.go b/pkg/driver/vz/rosetta_directory_share_arm64.go
index d2ff803d85a..3b71dec7e84 100644
--- a/pkg/driver/vz/rosetta_directory_share_arm64.go
+++ b/pkg/driver/vz/rosetta_directory_share_arm64.go
@@ -44,7 +44,7 @@ func createRosettaDirectoryShareConfiguration() (*vz.VirtioFileSystemDeviceConfi
 		return nil, fmt.Errorf("failed to get macOS product version: %w", err)
 	}
 	if !macOSProductVersion.LessThan(*semver.New("14.0.0")) {
-		cachingOption, err := vz.NewLinuxRosettaAbstractSocketCachingOptions("rosetta")
+		cachingOption, err := vz.NewLinuxRosettaUnixSocketCachingOptions("/run/rosettad/rosetta.sock")
 		if err != nil {
 			return nil, fmt.Errorf("failed to create a new rosetta directory share caching option: %w", err)
 		}
diff --git a/templates/docker-rootful.yaml b/templates/docker-rootful.yaml
index c402bbf7a83..4d948eb253e 100644
--- a/templates/docker-rootful.yaml
+++ b/templates/docker-rootful.yaml
@@ -38,7 +38,9 @@ provision:
   expression: .Socket.SocketUser="{{.User}}"
 - mode: yq
   path: "/etc/docker/daemon.json"
-  expression: .features.containerd-snapshotter = {{.Param.containerdSnapshotter}}
+  expression: |
+    .features.cdi = true |
+    .features.containerd-snapshotter = {{.Param.containerdSnapshotter}}
 probes:
 - script: |
     #!/bin/bash
diff --git a/templates/docker.yaml b/templates/docker.yaml
index 9932f7c3900..669357374ba 100644
--- a/templates/docker.yaml
+++ b/templates/docker.yaml
@@ -37,7 +37,9 @@ provision:
     apt-get install -y uidmap dbus-user-session
 - mode: yq
   path: "{{.Home}}/.config/docker/daemon.json"
-  expression: .features.containerd-snapshotter = {{.Param.containerdSnapshotter}}
+  expression: |
+    .features.cdi = true |
+    .features.containerd-snapshotter = {{.Param.containerdSnapshotter}}
   owner: "{{.User}}"
 - mode: user
   script: |

From 9d5b01257c97df61d59503b0095b2a2bde3a696e Mon Sep 17 00:00:00 2001
From: Norio Nomura <norio.nomura@gmail.com>
Date: Sat, 30 Aug 2025 15:01:21 +0900
Subject: [PATCH 2/2] Add documentation about Rosetta AOT Caching

Signed-off-by: Norio Nomura <norio.nomura@gmail.com>
---
 templates/docker-rootful.yaml                | 17 +++++++
 templates/docker.yaml                        | 17 +++++++
 website/content/en/docs/config/multi-arch.md | 49 ++++++++++++++++++++
 3 files changed, 83 insertions(+)

diff --git a/templates/docker-rootful.yaml b/templates/docker-rootful.yaml
index 4d948eb253e..3061d77fc85 100644
--- a/templates/docker-rootful.yaml
+++ b/templates/docker-rootful.yaml
@@ -69,5 +69,22 @@ message: |
   docker context use lima-{{.Name}}
   docker run hello-world
   ------
+  {{- if .Instance.Config.VMOpts.VZ.Rosetta.Enabled}}
+  Rosetta is enabled in this VM, so you can run x86_64 containers on Apple Silicon.
+  You can use Rosetta AOT Caching with the CDI spec:
+  - To run a container, add `--device=lima-vm.io/rosetta=cached` to your `docker run` command:
+    ------
+    docker run --platform=linux/amd64 --device=lima-vm.io/rosetta=cached ...
+    ------
+  - To build an image, add `# syntax=docker/dockerfile:1-labs` at the top of your Dockerfile,
+    and use `--device=lima-vm.io/rosetta=cached` in the `RUN` command:
+    ------
+    # syntax=docker/dockerfile:1-labs
+    FROM ...
+    ...
+    RUN --device=lima-vm.io/rosetta=cached <your amd64 command>
+    ------
+  See: https://lima-vm.io/docs/config/multi-arch/#rosetta-aot-caching
+  {{- end}}
 param:
   containerdSnapshotter: false
diff --git a/templates/docker.yaml b/templates/docker.yaml
index 669357374ba..de356d48cb2 100644
--- a/templates/docker.yaml
+++ b/templates/docker.yaml
@@ -76,5 +76,22 @@ message: |
   docker context use lima-{{.Name}}
   docker run hello-world
   ------
+  {{- if .Instance.Config.VMOpts.VZ.Rosetta.Enabled}}
+  Rosetta is enabled in this VM, so you can run x86_64 containers on Apple Silicon.
+  You can use Rosetta AOT Caching with the CDI spec:
+  - To run a container, add `--device=lima-vm.io/rosetta=cached` to your `docker run` command:
+    ------
+    docker run --platform=linux/amd64 --device=lima-vm.io/rosetta=cached ...
+    ------
+  - To build an image, add `# syntax=docker/dockerfile:1-labs` at the top of your Dockerfile,
+    and use `--device=lima-vm.io/rosetta=cached` in the `RUN` command:
+    ------
+    # syntax=docker/dockerfile:1-labs
+    FROM ...
+    ...
+    RUN --device=lima-vm.io/rosetta=cached <your amd64 command>
+    ------
+  See: https://lima-vm.io/docs/config/multi-arch/#rosetta-aot-caching
+  {{- end}}
 param:
   containerdSnapshotter: false
diff --git a/website/content/en/docs/config/multi-arch.md b/website/content/en/docs/config/multi-arch.md
index ee77f07228f..bbe90ede19e 100644
--- a/website/content/en/docs/config/multi-arch.md
+++ b/website/content/en/docs/config/multi-arch.md
@@ -86,3 +86,52 @@ rosetta:
 ```
 {{% /tab %}}
 {{< /tabpane >}}
+
+### [Enable Rosetta AOT Caching with CDI spec](#rosetta-aot-caching)
+| ⚡ Requirement | Lima >= 2.0, macOS >= 14.0, ARM |
+|-------------------|----------------------------------|
+
+Rosetta AOT Caching speeds up containers by saving translated binaries, so they don't need to be translated again.  
+Learn more: [WWDC2023 video](https://developer.apple.com/videos/play/wwdc2023/10007/?time=721)
+
+**How to use Rosetta AOT Caching:**
+
+- **Run a container:**  
+  Add `--device=lima-vm.io/rosetta=cached` to your `docker run` command:
+  ```bash
+  docker run --platform=linux/amd64 --device=lima-vm.io/rosetta=cached ...
+  ```
+
+- **Build an image:**  
+  Add `# syntax=docker/dockerfile:1-labs` at the top of your Dockerfile to enable the `--device` option.  
+  Use `--device=lima-vm.io/rosetta=cached` in your `RUN` command:
+  ```Dockerfile
+  # syntax=docker/dockerfile:1-labs
+  FROM ...
+  ...
+  RUN --device=lima-vm.io/rosetta=cached <your amd64 command>
+  ```
+
+- **Check if caching works:**  
+  Look for cache files in the VM:
+  ```bash
+  limactl shell {{.Name}} ls -la /var/cache/rosettad
+  docker run --platform linux/amd64 --device=lima-vm.io/rosetta=cached ubuntu echo hello
+  limactl shell {{.Name}} ls -la /var/cache/rosettad
+  # You should see *.aotcache files here
+  ```
+
+- **Check if Docker recognizes the CDI device:**  
+  Look for CDI info in the output of `docker info`:
+  ```console
+  docker info
+  ...
+  CDI spec directories:
+    /etc/cdi
+    /var/run/cdi
+  Discovered Devices:
+    cdi: lima-vm.io/rosetta=cached
+  ```
+
+- **Learn more about CDI:**  
+  [CDI spec documentation](https://github.com/cncf-tags/container-device-interface/blob/main/SPEC.md)