Podman on macOS arm64 pulls amd64 variant for multi‑arch image despite arm64 host and manifest #28171
Description
Issue Description
On macOS Apple Silicon (arm64) with a freshly created Podman machine (arm64), podman pull consistently retrieves the amd64 variant of a multi‑arch image (kubernetesui/metrics-scraper:v1.0.8), even though the manifest includes an arm64 entry and the host platform is linux/arm64. This results in the image being stored and run as amd64 under emulation instead of using the native arm64 variant.
Impact
- On Apple Silicon, this causes Podman to run non‑native
amd64images even when nativearm64variants are available, with worse performance and confusing warnings. - Undermines the expectation that “multi‑arch image + arm64 host ⇒ arm64 by default” without requiring manual
--archon every pull.
Questions
- Is this a known limitation of current multi‑arch selection, or is this considered a bug?
- Should
podman pullonarm64always prefer thearm64manifest when available, and fail (or at least require an explicit--arch) if the selected image does not match the host arch? - Is there any supported global configuration to prefer
arm64for pulls onarm64hosts, or is--arch arm64currently the only reliable workaround?
Steps to reproduce the issue
- On macOS arm64 with a fresh Podman machine:
podman machine init --now- Confirm Podman sees arm64:
podman info | grep -i -E 'arch|os'You should see OsArch: darwin/arm64 and inside the VM arch: arm64, OsArch: linux/arm64.
- Inspect the manifest for
kubernetesui/metrics-scraper:v1.0.8:
podman manifest inspect docker.io/kubernetesui/metrics-scraper:v1.0.8 \
| jq '.manifests[].platform'This shows (abridged):
{ "architecture": "amd64", "os": "linux" }
{ "architecture": "arm", "os": "linux" }
{ "architecture": "arm64", "os": "linux" }
{ "architecture": "ppc64le","os": "linux" }
{ "architecture": "s390x", "os": "linux" }So an arm64 variant exists.
- Pull the image without any --arch / --platform override:
podman rmi docker.io/kubernetesui/metrics-scraper:v1.0.8 || true
podman pull docker.io/kubernetesui/metrics-scraper:v1.0.8Output includes:
Trying to pull docker.io/kubernetesui/metrics-scraper:v1.0.8...
...
WARNING: image platform (linux/amd64) does not match the expected platform (linux/arm64)
- Inspect the pulled image:
podman image inspect docker.io/kubernetesui/metrics-scraper:v1.0.8 \
| jq -r '..Architecture'Actual result:
amd64
So Podman chose/stored the amd64 variant.
Describe the results you received
- podman pull logs:
WARNING: image platform (linux/amd64) does not match the expected platform (linux/arm64)
- podman image inspect shows:
"Architecture": "amd64",for kubernetesui/metrics-scraper:v1.0.8, meaning Podman is actually pulling and storing the amd64 variant on an arm64 host, despite an arm64 variant being available in the manifest.
This leads to containers running under amd64 emulation on Apple Silicon when the native arm64 image exists.
Describe the results you expected
On an arm64 host/Podman machine where:
podman inforeports arch:arm64,OsArch: linux/arm64, and- The image manifest includes an
arm64entry,
I would expect:
- podman
pull docker.io/kubernetesui/metrics-scraper:v1.0.8to select thearm64manifest entry and store the image asArchitecture: arm64. - No “
image platform (linux/amd64) does not match the expected platform (linux/arm64)” warning in this scenario.
In other words, the native host architecture should be preferred by default for multi‑arch images.
podman info output
Client:
APIVersion: 5.7.1
BuildOrigin: pkginstaller
Built: 1765378421
BuiltTime: Wed Dec 10 09:53:41 2025
GitCommit: f845d14e941889ba4c071f35233d09b29d363c75
GoVersion: go1.25.5
Os: darwin
OsArch: darwin/arm64
Version: 5.7.1
host:
arch: arm64
buildahVersion: 1.42.2
cgroupControllers:
- cpu
- io
- memory
- pids
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: conmon-2.1.13-2.fc43.aarch64
path: /usr/bin/conmon
version: 'conmon version 2.1.13, commit: '
cpuUtilization:
idlePercent: 98.88
systemPercent: 0.48
userPercent: 0.63
cpus: 4
databaseBackend: sqlite
distribution:
distribution: fedora
variant: coreos
version: "43"
emulatedArchitectures:
- linux/386
- linux/amd64
- linux/arm64be
eventLogger: journald
freeLocks: 2048
hostname: localhost.localdomain
idMappings:
gidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 1000000
uidmap:
- container_id: 0
host_id: 501
size: 1
- container_id: 1
host_id: 100000
size: 1000000
kernel: 6.17.7-300.fc43.aarch64
linkmode: dynamic
logDriver: journald
memFree: 1363410944
memTotal: 2038788096
networkBackend: netavark
networkBackendInfo:
backend: netavark
dns:
package: aardvark-dns-1.17.0-1.fc43.aarch64
path: /usr/libexec/podman/aardvark-dns
version: aardvark-dns 1.17.0
package: netavark-1.17.1-1.fc43.aarch64
path: /usr/libexec/podman/netavark
version: netavark 1.17.1
ociRuntime:
name: crun
package: crun-1.24-1.fc43.aarch64
path: /usr/bin/crun
version: |-
crun version 1.24
commit: 54693209039e5e04cbe3c8b1cd5fe2301219f0a1
rundir: /run/user/501/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
os: linux
pasta:
executable: /usr/sbin/pasta
package: passt-0^20250919.g623dbf6-1.fc43.aarch64
version: |
pasta 0^20250919.g623dbf6-1.fc43.aarch64-pasta
Copyright Red Hat
GNU General Public License, version 2 or later
<https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
remoteSocket:
exists: true
path: unix:///run/user/501/podman/podman.sock
rootlessNetworkCmd: pasta
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: true
seccompEnabled: true
seccompProfilePath: /usr/share/containers/seccomp.json
selinuxEnabled: true
serviceIsRemote: true
slirp4netns:
executable: /usr/sbin/slirp4netns
package: slirp4netns-1.3.1-3.fc43.aarch64
version: |-
slirp4netns version 1.3.1
commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
libslirp: 4.9.1
SLIRP_CONFIG_VERSION_MAX: 6
libseccomp: 2.6.0
swapFree: 0
swapTotal: 0
uptime: 0h 38m 44.00s
variant: v8
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
- ipvlan
volume:
- local
registries:
search:
- docker.io
store:
configFile: /var/home/core/.config/containers/storage.conf
containerStore:
number: 0
paused: 0
running: 0
stopped: 0
graphDriverName: overlay
graphOptions: {}
graphRoot: /var/home/core/.local/share/containers/storage
graphRootAllocated: 106769133568
graphRootUsed: 4270579712
graphStatus:
Backing Filesystem: xfs
Native Overlay Diff: "true"
Supports d_type: "true"
Supports shifting: "false"
Supports volatile: "true"
Using metacopy: "false"
imageCopyTmpDir: /var/tmp
imageStore:
number: 1
runRoot: /run/user/501/containers
transientStore: false
volumePath: /var/home/core/.local/share/containers/storage/volumes
version:
APIVersion: 5.7.1
BuildOrigin: 'Copr: packit/containers-podman-27732'
Built: 1765238400
BuiltTime: Mon Dec 8 19:00:00 2025
GitCommit: f845d14e941889ba4c071f35233d09b29d363c75
GoVersion: go1.25.4 X:nodwarf5
Os: linux
OsArch: linux/arm64
Version: 5.7.1Podman in a container
No
Privileged Or Rootless
None
Upstream Latest Release
Yes
Additional environment details
No response
Additional information
No response