Bootstrap fails on macOS Docker Desktop (arm64) — /leash/bootstrap.ready EACCES despite Cedar permits #73

Description

@ammobasher
  • Host: macOS 15 (Darwin 25.3.0), Apple Silicon (arm64)
  • Container runtime: Docker Desktop (daemon running and verified)
  • Leash: version 1.1.7 (git hash 5bf1c64, build 2026-03-11), installed via npm install -g @strongdm/leash

Symptom

leash --policy <file> claude consistently fails during bootstrap with:

```
target container terminated before bootstrap completed (state=exited (exit=1)).
Recent docker logs (powercampus):
leash-entry: waiting for leash certificate
leash-entry: installing CA certificate
leash-entry: updating CA certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
leash-error: failed to signal bootstrap completion: create temp marker: open /leash/bootstrap.ready.NNN: permission denied
```

The CA cert install (which exercises Cedar permits on /etc/, /lib/, /usr/sbin/) succeeds — the failure is specifically when leash-entry (inside the target container) tries to write /leash/bootstrap.ready.NNN into the shared /leash volume.

Verbose output

```
event=runner.private-dir.ready mode="0700" path="/var/folders/86/.../T/leash.PowerCampus.NNN/private" source="created"
Updated Cedar policy from .../leash-cedar-policy.cedar
Auto-mounted /Users//.claude (claude) -> /root/.claude (scope=project)
Auto-mounted /Users//.claude.json (claude-config) -> /root/.claude.json (scope=project)
event=runner.container-config role=target mounts=["/leash", ".../", "/root/.claude", "/root/.claude.json"] env=[...]
event=runner.container-config role=leash mounts=["/sys/fs/cgroup", "/log", "/cfg", "/leash", "/leash-private"] env=[...]
Leash CA certificate is available at /var/folders/86/.../T/leash.PowerCampus.NNN/leash-NNNN/ca-cert.pem
```

The shared /leash bind-mounts from /var/folders/.../T/leash.PowerCampus.NNN/... on the macOS host. The runner creates this temp dir at mode 0700 (observed for the sibling /private dir).

Diagnosis

This appears to be a Docker Desktop bind-mount UID translation issue, not a Cedar policy issue:

  • BOOT.md says the marker write happens during the Bootstrap phase, before LSM enforcement attaches in Activation — so Cedar should not be the blocker at this step.
  • The host temp dir is owned by uid 501 (the operator's user) at mode 0700.
  • The target container's leash-entry process gets POSIX EACCES on the write into the bind-mounted /leash.

This is consistent with Docker Desktop's bind-mount UID translation failing to grant write access despite the container process having an effective UID that "should" be able to write (and despite normal Linux Docker semantics where container-root can write to host-mounted dirs regardless of host-side mode).
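As an added illustration (not Leash's own code), here is a marker writer modelled on the failing step: it creates the temp marker and renames it into place, and on a permission error stats the mount directory so the log shows the owner, mode and caller euid the container process actually sees. The /leash path, the bootstrap.ready name and the temp-then-rename pattern are assumed from the log above.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// markerName is assumed from the log line "open /leash/bootstrap.ready.NNN".
const markerName = "bootstrap.ready"
// describeMount reports how the container process sees the bind-mounted dir:
// owner uid/gid and permission bits, next to the caller's effective uid.
func describeMount(dir string) string {
	fi, err := os.Stat(dir)
	if err != nil {
		return "stat failed: " + err.Error()
	}
	st := fi.Sys().(*syscall.Stat_t) // Unix only, like the container side of this report
	return fmt.Sprintf("dir uid=%d gid=%d mode=%04o, euid=%d", st.Uid, st.Gid, fi.Mode().Perm(), os.Geteuid())
}
// SignalBootstrap publishes the marker atomically: create a temp file in dir,
// then rename it to bootstrap.ready. On EACCES the error carries the mount view.
func SignalBootstrap(dir string) error {
	tmp, err := os.CreateTemp(dir, markerName+".")
	if err != nil {
		if errors.Is(err, os.ErrPermission) {
			return fmt.Errorf("create temp marker: %w (%s)", err, describeMount(dir))
		}
		return fmt.Errorf("create temp marker: %w", err)
	}
	tmp.Close()
	if err := os.Rename(tmp.Name(), filepath.Join(dir, markerName)); err != nil {
		os.Remove(tmp.Name())
		return fmt.Errorf("publish marker: %w", err)
	}
	return nil
}
// Stand-alone use: go run marker.go [dir]; the mount path defaults to /leash.
func main() {
	dir := "/leash"
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	if err := SignalBootstrap(dir); err != nil {
		fmt.Fprintln(os.Stderr, "leash-error: failed to signal bootstrap completion:", err)
		os.Exit(1)
	}
}
```

Run inside the target container against the bind-mounted directory, the enriched error distinguishes a host-mode 0700 dir owned by uid 501 from a Cedar denial, which would not surface as a plain EACCES with those stat values.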

Workarounds tried — none worked

  1. Cedar permit Dir::"/leash/" for FileOpen, FileOpenReadOnly, FileOpenReadWrite actions. Same EACCES. (Confirms Cedar isn't the blocker.)
  2. LEASH_HOME=$HOME/.leash-state with chmod 0777 on that dir. Same EACCES.
  3. Verified no stale containers / orphan processes / leftover volumes between attempts.

Adjacent context

Minimal repro

  1. Install Leash 1.1.7 on macOS arm64 with Docker Desktop.
  2. Create a Cedar policy that permits Dir::"/leash/" for all FileOpen* actions, plus the usual /bin, /usr, /lib, /etc etc. dirs needed to get past the CA cert install (without those, the failure looks like libc.so.6: cannot open shared object file).
  3. Run leash -V --policy <that file> claude in any project directory.
  4. Bootstrap fails at the marker-write step.

Happy to share the full policy file or capture additional -V output if useful.
