autologin required inconsistent for virtualization

Hi, I have two issues going on:

  1. Creation of macOS VMs requires that autologin is enabled:
Mon Apr 13 11:27:18 20 anka.log (ankahv) 511: pid 511: installing /Users/veertu/Library/Application Support/Veertu/Anka/img_lib/UniversalMac_15.6.1_24G90_Restore.ipsw...
Mon Apr 13 11:27:20 40 anka.log (install) 511: (null): installation failed: Error Domain=VZErrorDomain Code=10007 "The virtual machine failed to start." UserInfo={NSLocalizedFailure=An error occurred during installation., NSLocalizedFailureReason=The virtual machine failed to start., NSUnderlyingError=0xca2c0ced0 {Error Domain=VZErrorDomain Code=-9 "The virtual machine encountered a security error." UserInfo={NSLocalizedFailure=Unable to access security information., NSLocalizedFailureReason=The virtual machine encountered a security error., NSUnderlyingError=0xca3029320 {Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument" UserInfo={NSLocalizedFailureReason=Failed to get current host key., NSUnderlyingError=0xca30292f0 {Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument" UserInfo=0xca2a88040 (not displayed)}}}}}}
Mon Apr 13 11:27:20 40 anka.log (install) 511: (null): virtual machine stopped with error: Error Domain=VZErrorDomain Code=4 "Transition from state “error” to state “stopping” is invalid." UserInfo={NSLocalizedFailure=Invalid virtual machine state transition., NSLocalizedFailureReason=Transition from state “error” to state “stopping” is invalid.}
Mon Apr 13 11:27:20 40 anka.log (install) 511: failed to install macOS: Error Domain=VZErrorDomain Code=10007 "The virtual machine failed to start." UserInfo={NSLocalizedFailure=An error occurred during installation., NSLocalizedFailureReason=The virtual machine failed to start., NSUnderlyingError=0xca2c0ced0 {Error Domain=VZErrorDomain Code=-9 "The virtual machine encountered a security error." UserInfo={NSLocalizedFailure=Unable to access security information., NSLocalizedFailureReason=The virtual machine encountered a security error., NSUnderlyingError=0xca3029320 {Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument" UserInfo={NSLocalizedFailureReason=Failed to get current host key., NSUnderlyingError=0xca30292f0 {Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument" UserInfo=0xca2a88040 (not displayed)}}}}}}
  2. Running a macOS 26.x VM fails for similar reasons, yet running a 15.x VM works fine:
Mon Apr 13 11:20:10 20 0f5d4fe7-edac-4f6d-aebb-f185702f2c25.log (ankahv) 474: pid 474: session started on host 26.4.1
Mon Apr 13 11:20:10 40 0f5d4fe7-edac-4f6d-aebb-f185702f2c25.log (ankahv) 474: 0f5d4fe7-edac-4f6d-aebb-f185702f2c25: failed to start: Error Domain=VZErrorDomain Code=-9 "The virtual machine encountered a security error." UserInfo={NSLocalizedFailure=Unable to access security information., NSLocalizedFailureReason=The virtual machine encountered a security error., NSUnderlyingError=0x76f049e00 {Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument" UserInfo={NSLocalizedFailureReason=Failed to get current host key., NSUnderlyingError=0x76f049e60 {Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument" UserInfo={NSLocalizedFailureReason=Failed to create new HostKey., NSUnderlyingError=0x76f049dd0 {Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument" UserInfo=0x76ec49d60 (not displayed)}}}}}}
Mon Apr 13 11:20:10 40 0f5d4fe7-edac-4f6d-aebb-f185702f2c25.log (ankanet) 474: failed to receive packets: Connection reset by peer

This is super painful for us to manage since some of our users can't have autologin enabled (like major banks under strict MDM requirements). Or, AWS EC2 Macs which have no VNC enabled at all by default.

What's the trick here to make sure we can consistently use virtualization without autologin?

FB: FB22492511

Are you talking about auto login on the guest? Or the host?

Are you trying these operations from a GUI login session? Or doing something outside of a GUI login session, for example, from a launchd daemon?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I'm using SSH into the host itself to try to use virtualization tools to run macOS VMs.

OK. So lemme see if I understand this correctly:

  • You have a host Mac.
  • And a VM product that you can run as a command-line tool.
  • You’ve configured that product to run a Mac guest.
  • You SSH into that Mac to run your command-line tool.
  • You’re testing two configurations. In the first, the host is configured to autologin to the GUI. In that case you’re able to consistently start the VM.
  • In the second case…

Actually, I’m not sure about this. In the second case, do you:

  • Manually log in to the host GUI, and then SSH in and run your test?
  • Or not log in to the GUI at all, and then SSH in and run your test?

ps It’s better to reply as a reply, rather than in the comments; see Quinn’s Top Ten DevForums Tips for this and other titbits.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

No log in to the GUI at all, then run the tests.

To further clarify: Unless autologin is enabled or we sign in to the GUI/VNC with a user, we can't do much of anything with macOS VMs.

Virtualization is not daemon safe [1]:

% dyld_info -linked_dylibs /System/Library/Frameworks/Virtualization.framework/Versions/A/Virtualization
…
        weak-link      /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
…

So if you use it from outside of a non-GUI login context you will inevitably encounter some weirdness. I think it’d be reasonable for you to file an enhancement request for documentation as to what is or isn’t expected to work in these contexts. And if you do that, please post your bug number, just for the record.

Having said that, I’ve been talking with some folks here and we have a theory as to what might be going on in this specific case. When you log in via SSH, it doesn’t unlock the keychain, and those errors you posted suggest that the keychain is involved. If you manually unlock the keychain, does that help?

Specifically:

  1. Boot the host Mac without autologin, so there’s no GUI login context.

  2. SSH into that Mac.

  3. From the SSH session, run this command:

    % security unlock-keychain                    
    password to unlock default: *******
    
  4. Then try to perform your VM operations.

Does that help?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Per the definition in TN2083 Daemons and Agents.

Hmm, yeah, I tried the unlock method already. That was a solution at some point according to Google, but honestly I've never had to use it.

I tried and the error is still:

Thu Apr 16 10:07:11 40 5a27c75d-0a35-4aeb-9ec1-e77e77f66210.log (ankahv) 578: 5a27c75d-0a35-4aeb-9ec1-e77e77f66210: failed to start: Error Domain=VZErrorDomain Code=-9 "The virtual machine encountered a security error." UserInfo={NSLocalizedFailure=Unable to access security information., NSLocalizedFailureReason=The virtual machine encountered a security error., NSUnderlyingError=0x8df12c450 {Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument" UserInfo={NSLocalizedFailureReason=Failed to get current host key., NSUnderlyingError=0x8df12c030 {Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument" UserInfo={NSLocalizedFailureReason=Failed to create new HostKey., NSUnderlyingError=0x8df12c090 {Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument" UserInfo=0x8decadd40 (not displayed)}}}}}}

My concern is that this was fine and worked without issue, leading me to believe this is a regression not an enhancement request. We only started seeing this fail when we upgraded to 26.4.1 host OS.

Are there any other logs or tests I can run to help clarify this for the team?

Ok, sorry about this. I just tried manually and it looks like the error message on a 15.x host is different and wasn't being caught on our end. Does not look like a regression anymore. And this is using unlock-keychain too.

I need to dig a bit more on my end. It's unclear to me how this has been working on AWS EC2 Mac since they don't have a logged in user to the GUI.

Opened FB22523292 as suggestion
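
The logs in this thread nest the real cause inside `NSUnderlyingError`, and the install failure (Code=10007) wraps the same Code=-9 security error as the start failure. As an added example (not from the thread or from the VM product), this Python snippet walks that chain so monitoring can key on error domain and code instead of one message string; the labels returned by `classify` and the shortened sample line are assumptions made for illustration.

```python
import re

# Constructed sample: same shape as the "failed to start" line in the thread,
# with the VM id and pointer addresses replaced by placeholders.
SAMPLE = (
    'Mon Apr 13 11:20:10 40 vm-id.log (ankahv) 474: vm-id: failed to start: '
    'Error Domain=VZErrorDomain Code=-9 "The virtual machine encountered a '
    'security error." UserInfo={NSLocalizedFailure=Unable to access security '
    'information., NSLocalizedFailureReason=The virtual machine encountered a '
    'security error., NSUnderlyingError=0x0 {Error Domain=NSPOSIXErrorDomain '
    'Code=22 "Invalid argument" UserInfo={NSLocalizedFailureReason=Failed to '
    'get current host key., NSUnderlyingError=0x0 {Error Domain='
    'NSPOSIXErrorDomain Code=22 "Invalid argument" UserInfo=0x0 (not displayed)}}}}'
)

HEAD = re.compile(r'(\w+) Code=(-?\d+) "([^"]*)"')
# A reason that itself contains a comma would be cut short; fine for triage.
REASON = re.compile(r'NSLocalizedFailureReason=(.*?)[,}]')

def error_chain(line):
    """Return [(domain, code, reason), ...] from outermost to innermost error."""
    chain = []
    # Each nested error starts with "Error Domain=" and the nesting is linear,
    # so the text up to the next "Error Domain=" belongs to a single error.
    for segment in line.split("Error Domain=")[1:]:
        head = HEAD.match(segment)
        if not head:
            continue
        reason = REASON.search(segment)
        text = reason.group(1).strip() if reason else head.group(3)
        chain.append((head.group(1), int(head.group(2)), text))
    return chain

def classify(line):
    """Label a log line by domain/code first (labels are this example's own)."""
    chain = error_chain(line)
    if not chain:
        return "no-error"
    if ("VZErrorDomain", -9) not in {(d, c) for d, c, _ in chain}:
        return "other-vm-error"
    # The thread's logs spell it both "host key" and "HostKey", so compare
    # with case and spaces removed.
    text = " ".join(r for _, _, r in chain).lower().replace(" ", "")
    return "host-key-unavailable" if "hostkey" in text else "security-error"

if __name__ == "__main__":
    print(classify(SAMPLE), error_chain(SAMPLE))
```
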

Accepted Answer

AHA, fixed. I had to do these on the host. Something was wrong with the host's password I guess 🤷

    sysadminctl -oldPassword "${PW}" -newPassword "${PW}"
    security unlock-keychain -p "${PW}" ~/Library/Keychains/login.keychain-db

I’m glad you got your main issue resolved.

Regarding this:

Opened FB22523292 as suggestion

Hmmm, the title of that bug is “Support Virtualization without the host having a logged in user”, which makes it about this overall issue. That’s not what I suggested, which was:

file an enhancement request for documentation as to what is or isn’t expected to work in [non-GUI] contexts

The bug you filed is fine in and of itself, but it’s a much harder ‘ask’ than my suggestion, which was about improved documentation.

But never mind, I’ve filed my own bug against the documentation (r. 174993212).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
