feat(homebrew,kubernetes): switch default Docker runtime from docker-desktop to colima #9
Merged
…desktop to colima

Docker Desktop's cask postinstall hook tries to sudo-write to multiple /usr/local/* directories that do not exist on a fresh Apple Silicon Mac. PR #7 fixed one (/usr/local/cli-plugins); the very next bootstrap run hit the next (/usr/local/bin). Patching each path one at a time is whack-a-mole.

Switch the default Docker runtime to **colima** (#8):

- colima runs entirely in user space (Lima VM at ~/.colima/), no /usr/local/* writes, no sudo prompts during cask install
- Matches the convention already in use on other LLMKube hosts
- Smaller resident memory footprint than Docker Desktop -- useful on Macs that also serve a 30B-class model locally via mlx-server

Changes:

- roles/homebrew/defaults/main.yml: homebrew_casks defaults to []. Add colima + docker + docker-compose + docker-buildx to the homebrew_cli_packages list. Docs callout in the comment explains the switch + how to opt back into docker-desktop via group_vars.
- roles/kubernetes/defaults/main.yml: new file. colima_cpu (4), colima_memory_gib (6), colima_disk_gib (60) defaults sized for a single-node kind cluster plus a couple of small workloads. Each overridable via group_vars or --extra-vars.
- roles/kubernetes/tasks/main.yml: replace 'Ensure Docker Desktop is running' (open -ga Docker) with a colima status check + a conditional that respects the new sizing defaults. Idempotent: skips when colima is already running.
- README.md: 'What it sets up' section now describes colima as the default Docker provider. New 'Docker Desktop on Apple Silicon (opt-in only)' callout documents how to opt back in and the two caveats (cli-plugins handled by the pre-task; /usr/local/bin needs manual sudo mkdir + chown).

Backward compat:

- PR #7's pre-create-cli-plugins task stays in place (its clause already no-ops when homebrew_casks lacks docker / docker-desktop). Users opting into the cask still get that workaround for free.

Verification:

- ansible-playbook --syntax-check: clean
- CI's macos-homebrew job exercises the homebrew role end-to-end on a fresh GitHub-hosted Apple Silicon runner -- the changed cli list + the cleared casks list both get installed cleanly

Fixes #8
CI's macos-homebrew job caught it: community.general.homebrew_cask errors with 'You must select a cask to install' when given an empty list. With this PR's switch to colima the default homebrew_casks list is [], so the task needs a 'when:' guard to skip when nothing is requested. Add 'when: homebrew_casks | length > 0' on the cask install task. Users who opt back into Docker Desktop (or any other cask) via group_vars continue to get the full install path.
This was referenced May 24, 2026
What

Switch the default Docker runtime in `llmkube-bootstrap` from Docker Desktop to colima. Resolves the class of bug where the docker-desktop cask postinstall hook tries to `sudo mkdir` multiple `/usr/local/*` directories that do not exist on a fresh Apple Silicon Mac.
Why

Fixes #8.

PR #7 patched `/usr/local/cli-plugins`. The next `./bootstrap.sh` run on a fresh Mac Studio (2026-05-23) hit the same class of bug on `/usr/local/bin`: docker-desktop wants to write to many `/usr/local/*` paths. Patching each one with a pre-task is whack-a-mole. The class of bug exists because docker-desktop was designed for Intel Macs (where `/usr/local/*` is the user-writable Homebrew prefix); on Apple Silicon `/usr/local/` is root-owned and Homebrew lives at `/opt/homebrew/`, so every `sudo mkdir` in the cask postinstall is a foot-gun.

colima eliminates the entire class:

- `~/.colima/`, no `/usr/local/*` writes)
- `kind` consumes transparently
- Mini's OpenClaw stack runs Docker via colima)
- Macs that also serve a 30B-class model via mlx-server
How

`roles/homebrew/defaults/main.yml`

- `homebrew_casks` defaults to `[]` (was `[docker]`)
- `colima`, `docker`, `docker-compose`, `docker-buildx`

The CLI tools talk to colima's Docker socket. No Desktop app is installed, no `/usr/local/*` paths are touched.

`roles/kubernetes/defaults/main.yml` (new)

VM sizing knobs, tunable via group_vars or `--extra-vars`:

Tuned for a single-node kind cluster plus a couple of small workloads — enough headroom that `kind create cluster` doesn't OOM, not so much that we steal RAM from mlx-server.

`roles/kubernetes/tasks/main.yml`

Replace the Docker Desktop start sequence (`open -ga Docker` + `docker info` retry loop) with a colima status check + a conditional `colima start --cpu N --memory N --disk N`. Idempotent: skips when colima is already running.

The `docker info` retry stays — it now confirms colima's Docker socket is reachable rather than Docker Desktop's.

`README.md`

- Docker provider
- documents the override path for users who specifically want Docker Desktop, including the two `/usr/local/*` caveats and the `sudo mkdir -p /usr/local/bin && chown` workaround for the `/usr/local/bin` case

Backward compat
PR #7's `Pre-create /usr/local/cli-plugins` pre-task stays in place. Its `when:` clause already no-ops when `homebrew_casks` lacks `docker` / `docker-desktop`. Users who explicitly opt into Docker Desktop in their group_vars still get the cli-plugins workaround for free; only the `/usr/local/bin` path needs a manual sudo touch.

Verification
Local:

- `ansible-playbook --syntax-check`: clean
- `colima_cpu` / `colima_memory_gib` / `colima_disk_gib` flow into the `colima start` invocation

CI:

- `yamllint`, `ansible-lint`, `shellcheck`, `macos-check`, `macos-homebrew` all run on every PR
- `macos-homebrew` is the high-leverage check: it runs `ansible-playbook ... --tags 'always,system,homebrew'` against a fresh GitHub-hosted Apple Silicon runner. With this PR's defaults it should install colima + the CLI tools + zero casks and exit cleanly. Any breakage in the cask removal / CLI additions surfaces there.
Live (post-merge):

- `./bootstrap.sh` on the Mac Studio. Expected: colima installs, starts, kind cluster comes up, LLMKube operator deploys, no sudo prompts beyond the BECOME pass (from PR #7's pre-task, which is now inert because docker-desktop is no longer in defaults).
Related
Checklist

- `ansible-playbook --syntax-check` passes locally
- `docker_desktop` / `open -ga Docker` references remain
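
The three task-level changes described in this PR (the empty-list guard on the cask install, the colima status check with a conditional start, and the `docker info` retry), sketched as Ansible tasks. This is an added example, not the PR's own code: the task names, register names and retry counts are assumptions, and it assumes `colima status` exits non-zero when the VM is not running.

```yaml
# Added sketch, not the tasks merged in this PR.
# Variable names and default values are the ones the PR description lists;
# task names, register names and retry/delay values are hypothetical.

- name: Install requested casks (skipped when the list is empty)
  community.general.homebrew_cask:
    name: "{{ homebrew_casks }}"
    state: present
  # The module errors on an empty list, so guard on length.
  when: homebrew_casks | default([]) | length > 0

- name: Check whether colima is already running
  ansible.builtin.command:
    argv: [colima, status]
  register: colima_status
  changed_when: false
  # Assumption: a non-zero rc means "not running", so it is not a failure.
  failed_when: false

- name: Start colima with the configured sizing
  # No become here: colima keeps its VM under ~/.colima/ and needs no root.
  ansible.builtin.command:
    argv:
      - colima
      - start
      - --cpu
      - "{{ colima_cpu | default(4) }}"
      - --memory
      - "{{ colima_memory_gib | default(6) }}"
      - --disk
      - "{{ colima_disk_gib | default(60) }}"
  # Idempotent: only runs when the status check reported "not running".
  when: colima_status.rc != 0

- name: Wait until the Docker socket answers
  ansible.builtin.command:
    argv: [docker, info]
  register: docker_info
  changed_when: false
  retries: 10
  delay: 3
  until: docker_info.rc == 0
```

Passing the command as `argv` keeps the sizing values out of shell parsing, so an override supplied through `--extra-vars` cannot add extra arguments or commands to the `colima start` call.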