From: Mario Marietto <marietto2008@gmail.com>
To: Dave Cottlehuber <dch@skunkwerks.at>
Cc: Odhiambo Washington, freebsd-virtualization@freebsd.org
Date: Mon, 17 Jun 2024 19:39:26 +0200
Subject: Re: How to launch a bhyve vm as normal user, without being root
In-Reply-To: <86a551c1-7f10-450d-a282-b33f959ed93e@app.fastmail.com>
List-Archive: https://lists.freebsd.org/archives/freebsd-virtualization
[marietto@marietto /bhyve]==> sudo cp 12-Win-11-vm12 /usr/sbin

[marietto@marietto /bhyve]==> nano /usr/sbin/12-Win-11-vm12

#!/bin/sh

bhyve-win -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \
-S -c sockets=4,cores=2,threads=1 -m 8G -w -H \
-s 0,hostbridge \
-s 1,ahci-hd,/mnt/da4p2/bhyve/img/Windows/Windows11.img,bootindex=1 \
-s 2,ahci-hd,/dev/$vmdisk5 \
-s 8:0,passthru,2/0/0 \
-s 8:1,passthru,2/0/1 \
-s 8:2,passthru,2/0/2 \
-s 8:3,passthru,2/0/3 \
-s 13,virtio-net,tap12 \
-s 29,fbuf,tcp=0.0.0.0:5912,w=1600,h=950,wait \
-s 30,xhci,tablet \
-s 31,lpc \
-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd \
vm0:12 < /dev/null & sleep 2 && vncviewer 0:12

[marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/12-Win-11-vm12

[marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf

permit nopass :wheel as root cmd /usr/sbin/bhyve-win
permit nopass :wheel as root cmd /usr/sbin/bhyve-lin

[marietto@marietto /bhyve]==> doas /usr/sbin/12-Win-11-vm12
doas: Operation not permitted

BUT:

[marietto@marietto /bhyve]==> sudo nano /usr/sbin/hallo

#!/bin/sh
echo hallo $USER

[marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/hallo

[marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf

permit nopass :wheel as root cmd hallo

[marietto@marietto /bhyve]==> doas hallo

BOOM! it works:

hallo root

On Mon, Jun 17, 2024 at 6:54 PM Dave Cottlehuber <dch@skunkwerks.at> wrote:
> On Mon, 17 Jun 2024, at 14:12, Mario Marietto wrote:
> > Nice idea, but it does not work:
> >
> > nano /home/marietto/.zshrc
> >
> > # ~/.zshrc
>
> Hi Mario, I think your zsh stuff is getting in the way
> here. Your zshrc function is not visible to the root user,
> as doas cleans up all the env and so your function is unknown.
>
> So start off with something without bhyve, make sure you are in
> wheel group, and add a shell script called
> /usr/local/bin/hallo:
>
> ```
> #!/bin/sh
> echo hallo $USER
> ```
>
> chmod 0755 /usr/local/bin/hallo
>
> ```
> # /usr/local/etc/doas.conf (per doas.conf manpage)
> permit nopass :wheel as root cmd /usr/local/bin/hallo
> ```
>
> $ doas /usr/local/bin/hallo
> hallo root
>
> then replace your bhyve commands in the hallo script.
>
> Off the top of my head there's no reason for bhyve to need
> anything different to hallo script.
> A+
> Dave
>

--
Mario.
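Added example, not from Mario's or Dave's messages: a POSIX sh model of how doas(1) matches the `cmd` clause of a rule against the command word typed after `doas`. It assumes, from the doas source and doas.conf(5) rather than from this thread, that the comparison is a literal string comparison (no path resolution first) and that the last matching rule wins. The doas.conf contents are constructed to resemble the rules quoted above (the real file may differ), and the function names `doas_decide` and `relative_cmd_rules` are this example's own. Run against the two invocations in the thread it reproduces what Mario saw: `/usr/sbin/12-Win-11-vm12` is not the `cmd` of any rule (only `/usr/sbin/bhyve-win` and `/usr/sbin/bhyve-lin` are), so doas denies it, while `hallo` is exactly the `cmd` of the later rule and is permitted. The second function flags rules whose `cmd` is a relative name, since doas.conf(5) advises absolute paths.

```shell
#!/bin/sh
# Simplified model of the doas(1) "cmd" match (added example, not the real doas).
# Assumptions, taken from the doas source and doas.conf(5), not from this thread:
#   - a rule's "cmd X" is compared literally with the command word typed after
#     "doas"; no path resolution happens before the comparison
#   - the last rule that matches decides; with no matching rule the answer is deny
# Only the syntax used in the thread is parsed:
#   permit|deny [nopass|persist|keepenv] (:group|user) [as target] [cmd command [args ...]]

# Constructed doas.conf resembling the rules quoted in the thread (not the real file).
DOAS_CONF=$(mktemp)
trap 'rm -f "$DOAS_CONF"' EXIT
cat > "$DOAS_CONF" <<'EOF'
# rules for launching the VM wrappers as root
permit nopass :wheel as root cmd /usr/sbin/bhyve-win
permit nopass :wheel as root cmd /usr/sbin/bhyve-lin
permit nopass :wheel as root cmd hallo
EOF

# doas_decide CONF USER GROUP TYPED_COMMAND -> prints "permit" or "deny"
doas_decide() {
    conf=$1; user=$2; group=$3; typed=$4
    decision=deny
    while read -r action opt ident rest; do
        case $action in
            permit|deny) ;;
            *) continue ;;                     # blank line or comment
        esac
        # an option word may precede the identity; if absent, shift fields back
        case $opt in
            nopass|persist|keepenv) ;;
            *) rest="$ident $rest"; ident=$opt ;;
        esac
        # identity is ":group" or a user name
        case $ident in
            :*) [ "${ident#:}" = "$group" ] || continue ;;
            *)  [ "$ident" = "$user" ] || continue ;;
        esac
        # "cmd X" restricts the rule to exactly the string X; no cmd means any command
        case " $rest" in
            *" cmd "*)
                rule_cmd=${rest#*cmd }
                rule_cmd=${rule_cmd%% *}       # ignore an "args ..." clause
                [ "$rule_cmd" = "$typed" ] || continue ;;
        esac
        decision=$action                       # last matching rule wins
    done < "$conf"
    printf '%s\n' "$decision"
}

# relative_cmd_rules CONF -> prints each rule whose cmd is not an absolute path.
# doas.conf(5) advises absolute paths: a relative cmd is looked up in a
# restricted PATH by doas, so the rule is less explicit than it appears.
relative_cmd_rules() {
    while read -r line; do
        case " $line" in
            *" cmd /"*) ;;
            *" cmd "*) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# The invocations from the thread, for a user in the wheel group.
for c in /usr/sbin/12-Win-11-vm12 /usr/sbin/bhyve-win hallo; do
    printf 'doas %-28s -> %s\n' "$c" "$(doas_decide "$DOAS_CONF" marietto wheel "$c")"
done
echo "rules with a relative cmd:"
relative_cmd_rules "$DOAS_CONF"
```

The practical reading for the thread: a doas rule for `/usr/sbin/bhyve-win` does not cover a wrapper script that merely calls `bhyve-win`; the rule's `cmd` has to be the very string given to `doas`, which is why Dave's sequence (script at a fixed absolute path, rule naming that same path) works.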