feat(macadam): only install macadam when vm features are used

cdrage · cdrage · commit 6b38132a28b9 · 2025-12-19T15:55:26.000-05:00
### What does this PR do? Macadam is used to run VM's, this was previously activated on boot and would install macadam immediately by showing a sudo prompt. This PR adds "lazy" installing functionality where we only prompt if VM features are clicked / used. This PR: * Moves the init functionality to only happen when creating a VM * The VM monitoring loop is triggered either at the beginning (if macadam is already installed) or after create VM is used which would be the first point a VM is accessed / used * Adds documentation as well as screenshot ### Screenshot / video of UI  ### What issues does this PR fix or reference?  Closes #2171 ### How to test this PR?  1. REMOVE MACADAM (macOS): ```sh ~ $ whereis macadam macadam: /opt/macadam/bin/macadam ~ $ sudo rm -rf /opt/macadam Password: ``` If you are on Linux, it must be removed at: `/usr/local/bin/macadam` 2. Start bootc extension, you should NO LONGER receive the sudo prompt. 3. Go to **Disk Images > Create VM** 4. Expect the sudo prompt to appear to install 5. Be able to create virtual machine / list VM functionality like usual. Signed-off-by: Charlie Drage <charlie@charliedrage.com>
diff --git a/README.md b/README.md
@@ -189,6 +189,12 @@ RUN echo "root:root" | chpasswd
 
 ![](https://raw.githubusercontent.com/podman-desktop/podman-desktop-extension-bootc/main/docs/img/vm.gif)
 
+> **Note (macOS and Linux):** When performing virtual machine operations (create, start, stop, delete) for the first time, you will be prompted for your password to install the [macadam](https://github.com/crc-org/macadam) binary. This is a one-time installation that enables VM management. On macOS, the binary is installed to `/opt/macadam/bin/macadam`. On Linux, the binary will be installed automatically, but if issues occur it can be [installed manually](#linux-only-unable-to-create-virtual-machine).
+
+![Escalated privileges prompt](https://raw.githubusercontent.com/podman-desktop/podman-desktop-extension-bootc/main/docs/img/escalated_privileges.png)
+
+> **Note (Windows):** Windows support is currently _not supported_ due to Hyper-V limitations (must run as a privileged user), WSL2 support is _not supported_ due to Windows using a custom kernel for Virtual Machine usage which is incompatible with bootc-based images.
+
 ## Advanced usage
 
 ![](https://raw.githubusercontent.com/podman-desktop/podman-desktop-extension-bootc/main/docs/img/balena_etcher.png)
diff --git a/docs/img/escalated_privileges.png b/docs/img/escalated_privileges.png
diff --git a/packages/backend/src/extension.spec.ts b/packages/backend/src/extension.spec.ts
@@ -18,7 +18,7 @@
 
 import { afterEach, beforeEach, expect, test, vi, describe } from 'vitest';
 import * as podmanDesktopApi from '@podman-desktop/api';
-import { activate, deactivate, openBuildPage } from './extension';
+import { activate, deactivate, openBuildPage, getJSONMachineListByProvider } from './extension';
 import * as fs from 'node:fs';
 import os from 'node:os';
 
@@ -30,6 +30,10 @@ const mocks = vi.hoisted(() => ({
   logErrorMock: vi.fn(),
   consoleLogMock: vi.fn(),
   consoleWarnMock: vi.fn(),
+  consoleErrorMock: vi.fn(),
+  macadamInitMock: vi.fn(),
+  macadamListVmsMock: vi.fn(),
+  existsSyncMock: vi.fn(),
 }));
 
 vi.mock('../package.json', () => ({
@@ -38,6 +42,19 @@ vi.mock('../package.json', () => ({
   },
 }));
 
+// Mock the fs module to control existsSync behavior since we're checking for binary existences
+vi.mock('node:fs', async importOriginal => {
+  const actual = await importOriginal<typeof fs>();
+  return {
+    ...actual,
+    default: {
+      ...actual,
+      existsSync: mocks.existsSyncMock,
+    },
+    existsSync: mocks.existsSyncMock,
+  };
+});
+
 vi.mock('@podman-desktop/api', async () => {
   return {
     version: '1.8.0',
@@ -47,6 +64,9 @@ vi.mock('@podman-desktop/api', async () => {
           logUsage: mocks.logUsageMock,
           logError: mocks.logErrorMock,
         }) as unknown as podmanDesktopApi.TelemetryLogger,
+      isMac: false,
+      isWindows: false,
+      isLinux: false,
     },
     commands: {
       registerCommand: vi.fn(),
@@ -86,14 +106,20 @@ vi.mock('@podman-desktop/api', async () => {
   };
 });
 
-vi.mock(import('@crc-org/macadam.js'), () => ({
-  Macadam: vi.fn(),
+vi.mock('@crc-org/macadam.js', () => ({
+  Macadam: vi.fn(
+    class {
+      init = mocks.macadamInitMock;
+      listVms = mocks.macadamListVmsMock;
+    },
+  ),
 }));
 
 beforeEach(() => {
   vi.clearAllMocks();
   console.log = mocks.consoleLogMock;
   console.warn = mocks.consoleWarnMock;
+  console.error = mocks.consoleErrorMock;
 });
 
 afterEach(() => {
@@ -107,6 +133,65 @@ const fakeContext = {
   storagePath: os.tmpdir(),
 } as unknown as podmanDesktopApi.ExtensionContext;
 
+describe('test ensureMacadamInitialized doesnt double init', () => {
+  beforeEach(() => {
+    vi.spyOn(fs.promises, 'readFile').mockImplementation(() => {
+      return Promise.resolve('<html></html>');
+    });
+    (podmanDesktopApi.version as string) = '1.8.0';
+  });
+
+  test('should propagate init error when lazy initializing via getJSONMachineListByProvider', async () => {
+    vi.mocked(podmanDesktopApi.env).isMac = true;
+    vi.mocked(podmanDesktopApi.env).isWindows = false;
+    mocks.existsSyncMock.mockReturnValue(false);
+    mocks.macadamInitMock.mockRejectedValue(new Error('Init failed'));
+
+    await activate(fakeContext);
+
+    const result = await getJSONMachineListByProvider('applehv');
+    expect(result.error).toContain('Init failed');
+    expect(mocks.macadamListVmsMock).not.toHaveBeenCalled();
+  });
+
+  test('should lazily initialize macadam when listing VMs and binary was not installed at activation', async () => {
+    vi.mocked(podmanDesktopApi.env).isMac = true;
+    vi.mocked(podmanDesktopApi.env).isWindows = false;
+    mocks.existsSyncMock.mockReturnValue(false);
+    mocks.macadamInitMock.mockResolvedValue(undefined);
+    mocks.macadamListVmsMock.mockResolvedValue([]);
+
+    // First activate without binary existing
+    await activate(fakeContext);
+    expect(mocks.macadamInitMock).not.toHaveBeenCalled();
+
+    // trigger getJSONMachineListByProvider which would call init / list since the binary did not exist at activation
+    await getJSONMachineListByProvider('applehv');
+
+    // Make sure that init and listVms were called (meaning init was triggered and is going to install)
+    expect(mocks.macadamInitMock).toHaveBeenCalled();
+    expect(mocks.macadamListVmsMock).toHaveBeenCalled();
+  });
+
+  test('should not re-initialize macadam if already initialized', async () => {
+    vi.mocked(podmanDesktopApi.env).isMac = true;
+    vi.mocked(podmanDesktopApi.env).isWindows = false;
+    mocks.existsSyncMock.mockReturnValue(true);
+    mocks.macadamInitMock.mockResolvedValue(undefined);
+    mocks.macadamListVmsMock.mockResolvedValue([]);
+
+    // Activate with binary existing (will call init)
+    await activate(fakeContext);
+    expect(mocks.macadamInitMock).toHaveBeenCalledTimes(1);
+
+    // Run getJSONMachineListByProvider again!
+    await getJSONMachineListByProvider('applehv');
+
+    // Should NOT re-call init since we already activated it before, so we stick to 1
+    expect(mocks.macadamInitMock).toHaveBeenCalledTimes(1);
+  });
+});
+
 test('check activate', async () => {
   vi.spyOn(fs.promises, 'readFile').mockImplementation(() => {
     return Promise.resolve('<html></html>');
@@ -194,3 +279,77 @@ test('check command triggers webview and redirects', async () => {
   expect(podmanDesktopApi.navigation.navigateToWebview).toHaveBeenCalled();
   expect(postMessageMock).toHaveBeenCalledWith({ body: 'build/latest', id: 'navigate-build' });
 });
+
+describe('lazy macadam initialization', () => {
+  beforeEach(() => {
+    vi.spyOn(fs.promises, 'readFile').mockImplementation(() => {
+      return Promise.resolve('<html></html>');
+    });
+    (podmanDesktopApi.version as string) = '1.8.0';
+  });
+
+  test('macOs: should NOT initialize macadam on activate when binary does not exist', async () => {
+    vi.mocked(podmanDesktopApi.env).isMac = true;
+    vi.mocked(podmanDesktopApi.env).isWindows = false;
+    mocks.existsSyncMock.mockReturnValue(false);
+
+    await activate(fakeContext);
+
+    expect(mocks.macadamInitMock).not.toHaveBeenCalled();
+  });
+
+  test('macOS: should initialize macadam on activate when binary exists', async () => {
+    vi.mocked(podmanDesktopApi.env).isMac = true;
+    vi.mocked(podmanDesktopApi.env).isWindows = false;
+    mocks.existsSyncMock.mockReturnValue(true);
+    mocks.macadamInitMock.mockResolvedValue(undefined);
+
+    await activate(fakeContext);
+
+    expect(mocks.macadamInitMock).toHaveBeenCalled();
+  });
+
+  test('linux: should NOT initialize macadam on activate when binary does not exist', async () => {
+    vi.mocked(podmanDesktopApi.env).isMac = false;
+    vi.mocked(podmanDesktopApi.env).isWindows = false;
+    vi.mocked(podmanDesktopApi.env).isLinux = true;
+    mocks.existsSyncMock.mockReturnValue(false);
+
+    await activate(fakeContext);
+
+    expect(mocks.macadamInitMock).not.toHaveBeenCalled();
+  });
+
+  test('linux: should initialize macadam on activate when binary exists', async () => {
+    vi.mocked(podmanDesktopApi.env).isMac = false;
+    vi.mocked(podmanDesktopApi.env).isWindows = false;
+    vi.mocked(podmanDesktopApi.env).isLinux = true;
+    mocks.existsSyncMock.mockReturnValue(true);
+    mocks.macadamInitMock.mockResolvedValue(undefined);
+
+    await activate(fakeContext);
+
+    expect(mocks.macadamInitMock).toHaveBeenCalled();
+  });
+
+  test('windows: should skip macadam initialization on activate, since macadam isnt added yet', async () => {
+    vi.mocked(podmanDesktopApi.env).isMac = false;
+    vi.mocked(podmanDesktopApi.env).isWindows = true;
+    vi.mocked(podmanDesktopApi.env).isLinux = false;
+
+    await activate(fakeContext);
+
+    expect(mocks.macadamInitMock).not.toHaveBeenCalled();
+  });
+
+  test('mac: should handle macadam init error gracefully during activate', async () => {
+    vi.mocked(podmanDesktopApi.env).isMac = true;
+    vi.mocked(podmanDesktopApi.env).isWindows = false;
+    mocks.existsSyncMock.mockReturnValue(true);
+    mocks.macadamInitMock.mockRejectedValue(new Error('Init failed'));
+
+    await activate(fakeContext);
+
+    expect(mocks.consoleErrorMock).toHaveBeenCalledWith('Error initializing macadam', expect.any(Error));
+  });
+});
diff --git a/packages/backend/src/extension.ts b/packages/backend/src/extension.ts
@@ -27,6 +27,7 @@ import { Messages } from '/@shared/src/messages/Messages';
 import { satisfies, minVersion, coerce } from 'semver';
 import { engines } from '../package.json';
 import * as macadamJSPackage from '@crc-org/macadam.js';
+import { MACADAM_MACOS_PATH } from '@crc-org/macadam.js/dist/consts';
 import { isHyperVEnabled, isWSLEnabled } from './macadam/win/utils';
 import { getErrorMessage, verifyContainerProivder } from './macadam/utils';
 import { LoggerDelegator } from './macadam/logger';
@@ -47,6 +48,14 @@ const currentConnections = new Map<string, extensionApi.Disposable>();
 let wslAndHypervEnabledContextValue = false;
 const WSL_HYPERV_ENABLED_KEY = 'macadam.wslHypervEnabled';
 
+// Macadam binary paths - used to check if already installed
+// MACADAM_MACOS_PATH is exported from macadam.js, Linux path is hardcoded in the library
+const MACADAM_BINARY_PATH_MACOS = `${MACADAM_MACOS_PATH}/macadam`;
+const MACADAM_BINARY_PATH_LINUX = '/usr/local/bin/macadam';
+let macadamInitialized = false;
+let macadamProvider: extensionApi.Provider | undefined;
+let macadamExtensionContext: ExtensionContext | undefined;
+
 const listeners = new Set<StatusHandler>();
 
 export interface BinaryInfo {
@@ -178,17 +187,29 @@ export async function activate(extensionContext: ExtensionContext): Promise<void
 
   if (!isWindows()) {
     macadam = new macadamJSPackage.Macadam(macadamName);
-    try {
-      await macadam.init();
-    } catch (error) {
-      console.error('Error initializing macadam', error);
-    }
 
     const provider = await createProvider(extensionContext);
 
-    monitorMachines(provider, extensionContext).catch((error: unknown) => {
-      console.error('Error while monitoring machines', error);
-    });
+    // Store references for ensureMacadamInitialized() to use later
+    macadamProvider = provider;
+    macadamExtensionContext = extensionContext;
+
+    // Only initialize and start monitoring if macadam binary is already installed.
+    // This avoids prompting for sudo on extension activation (macOS).
+    // If not installed, init() will be called lazily when user performs a VM operation.
+    const macadamBinaryPath = extensionApi.env.isMac ? MACADAM_BINARY_PATH_MACOS : MACADAM_BINARY_PATH_LINUX;
+    if (fs.existsSync(macadamBinaryPath)) {
+      try {
+        await macadam.init();
+        macadamInitialized = true;
+      } catch (error) {
+        console.error('Error initializing macadam', error);
+      }
+
+      monitorMachines(provider, extensionContext).catch((error: unknown) => {
+        console.error('Error while monitoring machines', error);
+      });
+    }
   }
 }
 
@@ -234,6 +255,31 @@ export async function getConfigurationValue<T>(property: string): Promise<T | un
   return extensionApi.configuration.getConfiguration('bootc').get<T>(property);
 }
 
+// Ensures macadam is initialized before VM operations.
+// This allows deferring the sudo prompt until the user actually tries to use VM features,
+// rather than prompting on extension activation.
+// Exported so MacadamHandler can trigger monitoring after VM creation.
+export async function ensureMacadamInitialized(): Promise<void> {
+  if (macadamInitialized) {
+    return;
+  }
+
+  try {
+    await macadam.init();
+    macadamInitialized = true;
+
+    // Start monitoring now that macadam is initialized
+    if (macadamProvider && macadamExtensionContext) {
+      monitorMachines(macadamProvider, macadamExtensionContext).catch((error: unknown) => {
+        console.error('Error while monitoring machines', error);
+      });
+    }
+  } catch (error) {
+    console.error('Error initializing macadam', error);
+    throw error;
+  }
+}
+
 async function getJSONMachineList(): Promise<MachineJSONListOutput> {
   const vmProviders: (string | undefined)[] = [];
 
@@ -284,6 +330,7 @@ export async function getJSONMachineListByProvider(vmProvider?: string): Promise
   let stdout: macadamJSPackage.VmDetails[] = [];
   let stderr = '';
   try {
+    await ensureMacadamInitialized();
     stdout = await macadam.listVms({ containerProvider: verifyContainerProivder(vmProvider ?? '') });
   } catch (err: unknown) {
     stderr = `${err}`;
@@ -305,6 +352,7 @@ async function startMachine(
   const startTime = performance.now();
 
   try {
+    await ensureMacadamInitialized();
     await macadam.startVm({
       name: machineInfo.name,
       containerProvider: verifyContainerProivder(machineInfo.vmType),
@@ -334,6 +382,7 @@ async function stopMachine(
   const telemetryRecords: Record<string, unknown> = {};
   telemetryRecords.provider = 'macadam';
   try {
+    await ensureMacadamInitialized();
     await macadam.stopVm({
       name: machineInfo.name,
       containerProvider: verifyContainerProivder(machineInfo.vmType),
@@ -365,6 +414,7 @@ async function registerProviderFor(
       await stopMachine(provider, machineInfo, context, logger);
     },
     delete: async (logger): Promise<void> => {
+      await ensureMacadamInitialized();
       await macadam.removeVm({
         name: machineInfo.name,
         containerProvider: verifyContainerProivder(machineInfo.vmType),
diff --git a/packages/backend/src/macadam.spec.ts b/packages/backend/src/macadam.spec.ts
@@ -21,6 +21,11 @@ import { MacadamHandler } from './macadam';
 import * as macadam from '@crc-org/macadam.js';
 import * as extensionApi from '@podman-desktop/api';
 
+// Mock ensureMacadamInitialized from extension.ts
+vi.mock('./extension', () => ({
+  ensureMacadamInitialized: vi.fn().mockResolvedValue(undefined),
+}));
+
 const TELEMETRY_LOGGER_MOCK: extensionApi.TelemetryLogger = {
   logUsage: vi.fn(),
 } as unknown as extensionApi.TelemetryLogger;
diff --git a/packages/backend/src/macadam.ts b/packages/backend/src/macadam.ts
@@ -20,6 +20,7 @@ import type { CreateVmOptions, VmDetails } from '@crc-org/macadam.js';
 import { macadamName } from './constants';
 import * as extensionApi from '@podman-desktop/api';
 import { isWSLEnabled } from './macadam/win/utils';
+import { ensureMacadamInitialized } from './extension';
 
 interface StderrError extends Error {
   stderr?: string;
@@ -65,6 +66,11 @@ export class MacadamHandler {
           await this.macadam.createVm(options);
           telemetryData.success = true;
           progress.report({ increment: 100 });
+
+          // Trigger the extension.ts monitoring loop now that macadam is initialized
+          // and a VM has been created. This ensures the new VM appears in the Resources list after creation.
+          // Creating a VM is the area where macadam is first initialized and the "install macadam" sudo prompt pops up.
+          await ensureMacadamInitialized();
         },
       )
       .catch((e: unknown) => {
