From nobody Mon Jun 17 18:34:52 2024
X-Original-To: freebsd-virtualization@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4W2z8h2rb0z5PNct
	for <freebsd-virtualization@mlmmj.nyi.freebsd.org>; Mon, 17 Jun 2024 18:35:32 +0000 (UTC)
	(envelope-from marietto2008@gmail.com)
Received: from mail-pg1-x535.google.com (mail-pg1-x535.google.com [IPv6:2607:f8b0:4864:20::535])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "smtp.gmail.com", Issuer "WR4" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4W2z8g6GBKz4Fk2;
	Mon, 17 Jun 2024 18:35:31 +0000 (UTC)
	(envelope-from marietto2008@gmail.com)
Authentication-Results: mx1.freebsd.org;
	none
Received: by mail-pg1-x535.google.com with SMTP id 41be03b00d2f7-6e3741519d7so3196710a12.2;
        Mon, 17 Jun 2024 11:35:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1718649330; x=1719254130; darn=freebsd.org;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=dw/eCWTIoN6aJrxpcIppLTwhRSDI3y41HOgvkZAZbwQ=;
        b=jQb0iLP2gVn9ExlVN5t0oiW1zOjNPsWYjsGCo2mGbdJGyKaBSe24P7srqfwd3XFEJb
         8KM4NuDRntd4eKgJ08v2DG5WujxIpsTbfDnukGy1XcXMHFkkC/AxFNDKuuHTFvcRach+
         L0kGDAlJ71ICOhN2FVfcvEPeDwzh4b1j72eCt/4UFPZyPwSVFnyUXQjDKOC1nwKpmRM4
         mCuAXUKwxJzF/O6/7o+hhL7AkMYnAayw5cEZEuNKE584yfzh5Xk/7xQ0Rogjs3AWOe+Q
         hm+FVm+hoDd4N4PsnLfJGVpIZRm47iyk5PiSDkRWaofvZVAWD3c8qa84GdEPPX5xcWua
         kGdA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1718649330; x=1719254130;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=dw/eCWTIoN6aJrxpcIppLTwhRSDI3y41HOgvkZAZbwQ=;
        b=Bnz8DOImF3Mw0pjCDP1b+pZv0AjNoWR8H01LXxIpFp/guGscIwaveglw+nMeeNh3/8
         sRf60ifKW4Vi51stBf9Fd+igJusrWSuqU6x60CexQRI5iNxL8Pq/yDbv1Ar5v2ifgSiW
         XRfxsgIrtqw4Nk/KW4NqhzFbYgGTYFiPDPjTLLqSmmQ09EmjDkzVxKCOW5zqBVLp8Dw2
         1BNRRFoLtBva4OsibaFl56bv/03wC/wT0Qof8aR73UI106pQ9cm8P0DJu4muSVnWrG95
         GFqMoA6oNIJUeYW1ococRizI0bPCrIENfJxqoXd1HxzRiAITuBw29yUrX9qF4xDML33H
         njGw==
X-Forwarded-Encrypted: i=1; AJvYcCXqVPfRNW/jJCtHATc1iKs+cevsArvO98EiFeuknGX8LAgbppCiVH9zWZQKY/rPjMj7zBBIeKLbAJKP3tzKYTY93kPHVlN28gAu3/7hTeCpUKuh
X-Gm-Message-State: AOJu0YzaX4VSxuqahWIUYxX2F9DzpL0vDgGByHIdJmAeC6qnziMd2lan
	idCNlp2Jf/8eDT8+7jtUBSU5l0Rum/nT7g07o6ioffQZ0eSaCoCWocOoSeMr5BaGfBDIQBmt9s9
	fZUxh5g7jaC3EoXkWGRvpRkDuNYu3tkWl
X-Google-Smtp-Source: AGHT+IHq/8y1rPIi7/JOax4llFH8P7RuY/4MtcPpry2CsRStT5o0SOukEw9HaBHRqv68YDlFYmg4WnYXkgIzsZKu0bw=
X-Received: by 2002:a17:90a:db55:b0:2c3:2592:110c with SMTP id
 98e67ed59e1d1-2c4dbb43e62mr9869391a91.36.1718649329572; Mon, 17 Jun 2024
 11:35:29 -0700 (PDT)
List-Id: Discussion <freebsd-virtualization.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-virtualization
List-Help: <mailto:virtualization+help@freebsd.org>
List-Post: <mailto:virtualization@freebsd.org>
List-Subscribe: <mailto:virtualization+subscribe@freebsd.org>
List-Unsubscribe: <mailto:virtualization+unsubscribe@freebsd.org>
X-BeenThere: freebsd-virtualization@freebsd.org
Sender: owner-freebsd-virtualization@FreeBSD.org
MIME-Version: 1.0
References: <CA+1FSiimo=-0s80QeGMuLnJAzxi53-V6s303YuW36UkYnqfB-g@mail.gmail.com>
 <CAAdA2WPrtG_VaLuE8UfBwxanyfNzgLqeBCvpJMvRETdcUSmMEg@mail.gmail.com>
 <CA+1FSijLiq0WMdCvJfQC+vtBxXc6iSMD6WQAMavGpg+smCuTFg@mail.gmail.com>
 <86a551c1-7f10-450d-a282-b33f959ed93e@app.fastmail.com> <CA+1FSighjAkOAtzyX3HBy4h0ZnTVckjF9adnWMpAR3m=xW0dUA@mail.gmail.com>
 <CAGGgMJfoAHFv2uJBzz+cJ-pe0tUX=BVaCxM3y5SU-cUxGHcs9A@mail.gmail.com>
In-Reply-To: <CAGGgMJfoAHFv2uJBzz+cJ-pe0tUX=BVaCxM3y5SU-cUxGHcs9A@mail.gmail.com>
From: Mario Marietto <marietto2008@gmail.com>
Date: Mon, 17 Jun 2024 20:34:52 +0200
Message-ID: <CA+1FSihHFejcobwVdGhtus4P8uRDkPyXDhQtrBCp-EWxPz=MPg@mail.gmail.com>
Subject: Re: How to launch a bhyve vm as normal user,without being root
To: Mark Peek <mp@freebsd.org>
Cc: Dave Cottlehuber <dch@skunkwerks.at>, Odhiambo Washington <odhiambo@gmail.com>, 
	freebsd-virtualization <freebsd-virtualization@freebsd.org>
Content-Type: multipart/alternative; boundary="000000000000c863f1061b1a3aa0"
X-Spamd-Bar: ----
X-Rspamd-Pre-Result: action=no action;
	module=replies;
	Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
	REPLY(-4.00)[];
	ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]
X-Rspamd-Queue-Id: 4W2z8g6GBKz4Fk2

--000000000000c863f1061b1a3aa0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

If I keep the bhyve scripts in /usr/sbin,it works. But I want to keep the
bhyve scripts in /bhyve and I don't want to keep them in /usr/sbin. For
this reason I've added the path /bhyve to /home/marietto/.zshrc like this :

# ~/.zshrc

# zsh autocompletion for sudo and doas
zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin
/usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve

and in /root/.zshrc :

# zsh autocompletion for sudo and doas
zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin
/usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve

but when I try to run the vm like this :

[marietto@marietto /bhyve]=3D=3D> doas 12-Win-11-vm12

it says :

doas: 12-Win-11-vm12: command not found

and when I do :

[marietto@marietto /bhyve]=3D=3D> doas ./12-Win-11-vm12

it says :

doas: Operation not permitted

Why ?


On Mon, Jun 17, 2024 at 7:53=E2=80=AFPM Mark Peek <mp@freebsd.org> wrote:

> Likely need to add this as it is what you are passing to doas as the
> command to execute:
>
> permit nopass :wheel as root cmd /usr/sbin/12-Win-11-vm12
>
> Mark
>
> On Mon, Jun 17, 2024 at 10:40=E2=80=AFAM Mario Marietto <marietto2008@gma=
il.com>
> wrote:
> >
> > [marietto@marietto /bhyve]=3D=3D> sudo cp 12-Win-11-vm12 /usr/sbin
> >
> > [marietto@marietto /bhyve]=3D=3D> nano /usr/sbin/12-Win-11-vm12
> >
> > #!/bin/sh
> >
> > bhyve-win -S -c sockets=3D4,cores=3D2,threads=3D1 -m 8G -w -H \
> > -S -c sockets=3D4,cores=3D2,threads=3D1 -m 8G -w -H \
> > -s 0,hostbridge \
> > -s 1,ahci-hd,/mnt/da4p2/bhyve/img/Windows/Windows11.img,bootindex=3D1 \
> > -s 2,ahci-hd,/dev/$vmdisk5 \
> > -s 8:0,passthru,2/0/0 \
> > -s 8:1,passthru,2/0/1 \
> > -s 8:2,passthru,2/0/2 \
> > -s 8:3,passthru,2/0/3 \
> > -s 13,virtio-net,tap12 \
> > -s 29,fbuf,tcp=3D0.0.0.0:5912,w=3D1600,h=3D950,wait \
> > -s 30,xhci,tablet \
> > -s 31,lpc \
> > -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd \
> > vm0:12 < /dev/null & sleep 2 && vncviewer 0:12
> >
> > [marietto@marietto /bhyve]=3D=3D> sudo chmod 0755 /usr/sbin/12-Win-11-v=
m12
> >
> > [marietto@marietto /bhyve]=3D=3D> sudo nano /usr/local/etc/doas.conf
> >
> > permit nopass :wheel as root cmd /usr/sbin/bhyve-win
> > permit nopass :wheel as root cmd /usr/sbin/bhyve-lin
> >
> > [marietto@marietto /bhyve]=3D=3D> doas /usr/sbin/12-Win-11-vm12
> > doas: Operation not permitted
> >
> > BUT :
> >
> > [marietto@marietto /bhyve]=3D=3D> sudo nano /usr/sbin/hallo
> >
> > #!/bin/sh
> > echo hallo $USER
> >
> > [marietto@marietto /bhyve]=3D=3D> sudo chmod 0755 /usr/sbin/hallo
> >
> > [marietto@marietto /bhyve]=3D=3D> sudo nano /usr/local/etc/doas.conf
> >
> > permit nopass :wheel as root cmd hallo
> >
> > [marietto@marietto /bhyve]=3D=3D> doas hallo
> >
> > BOOM ! it works :
> >
> > hallo root
> >
> > On Mon, Jun 17, 2024 at 6:54=E2=80=AFPM Dave Cottlehuber <dch@skunkwerk=
s.at>
> wrote:
> >>
> >> On Mon, 17 Jun 2024, at 14:12, Mario Marietto wrote:
> >> > Nice idea,but it does not work :
> >> >
> >> > nano /home/marietto/.zshrc
> >> >
> >> > # ~/.zshrc
> >>
> >> Hi Mario, I think your zsh stuff is getting in the way
> >> here. Your zshrc function is not visible to the root user,
> >> as doas cleans up all the env and so your function is unknown.
> >>
> >> So start off with something without bhyve, make sure you are in
> >> wheel group, and add a shell script called
> >> /usr/local/bin/hallo:
> >>
> >> ```
> >> #!/bin/sh
> >> echo hallo $USER
> >> ```
> >>
> >> chmod 0755 /usr/local/bin/hallo
> >>
> >> ```
> >> # /usr/local/etc/doas.conf (per doas.conf manpage)
> >> permit nopass :wheel as root cmd /usr/local/bin/hallo
> >> ```
> >>
> >> $ doas /usr/local/bin/hallo
> >> hallo root
> >>
> >> then replace your bhyve commands in the hallo script.
> >>
> >> Off the top of my head there's no reason for bhyve to need
> >> anything different to hallo script.
> >> A+
> >> Dave
> >
> >
> >
> > --
> > Mario.
>


--=20
Mario.

--000000000000c863f1061b1a3aa0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail-adn gmail-ads"><div class=3D"gmail-gs"=
><div class=3D"gmail-"><div id=3D"gmail-:po" class=3D"gmail-ii gmail-gt"><d=
iv id=3D"gmail-:o1" class=3D"gmail-a3s gmail-aiL"><div dir=3D"ltr"><div>If =
I keep the bhyve scripts in /usr/sbin,it works. But I want to keep the bhyv=
e scripts in /bhyve and I don&#39;t want to keep them in /usr/sbin. For thi=
s reason I&#39;ve added the path /bhyve to /home/marietto/.zshrc like this =
:<br></div><span class=3D"gmail-im"><div><br></div><div># ~/.zshrc</div><br=
># zsh autocompletion for sudo and doas<br><div>zstyle &quot;:completion:*:=
(sudo|su|doas):*&quot; command-path /usr/local/bin /usr/local/sbin /usr/sbi=
n /usr/bin /bin /sbin /bhyve</div><div><br></div></span><div>and in /root/.=
zshrc :</div><span class=3D"gmail-im"><div><div><br></div># zsh autocomplet=
ion for sudo and doas<br><div>zstyle &quot;:completion:*:(sudo|su|doas):*&q=
uot; command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /s=
bin /bhyve</div></div><div><br></div></span><div>but when I try to run the =
vm like this :</div><span class=3D"gmail-im"><div></div><div><br></div><div=
></div><div></div><div>[marietto@marietto /bhyve]=3D=3D&gt; doas 12-Win-11-=
vm12<br></div><div><br></div></span><div>it says :</div><span class=3D"gmai=
l-im"><div><br></div><div>doas: 12-Win-11-vm12: command not found</div><div=
><br></div></span><div>and when I do :</div><div><br></div><div><span class=
=3D"gmail-im">[marietto@marietto /bhyve]=3D=3D&gt; doas ./12-Win-11-vm12</s=
pan></div><div><br></div><div>it says :</div><div><br></div><div>doas: Oper=
ation not permitted</div><div><br></div><div>Why ?</div></div></div></div><=
/div></div></div><div class=3D"gmail-nH"><div class=3D"gmail-aHU gmail-hx">=
<div role=3D"list" class=3D"gmail-bh"><div class=3D"gmail-h7 gmail-bg gmail=
-ie" role=3D"listitem" aria-expanded=3D"true" tabindex=3D"-1"><div class=3D=
"gmail-Bk"><div class=3D"gmail-G3 gmail-G2"><div><div id=3D"gmail-:um"><div=
 class=3D"gmail-gA gmail-gt gmail-acV"><div class=3D"gmail-gB gmail-xu"><di=
v class=3D"gmail-ip gmail-iq"><div id=3D"gmail-:q6"><table class=3D"gmail-c=
f gmail-wS" role=3D"presentation"><tbody><tr><td class=3D"gmail-amr"><br></=
td></tr></tbody></table></div></div></div></div></div></div></div></div></d=
iv></div></div></div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" =
class=3D"gmail_attr">On Mon, Jun 17, 2024 at 7:53=E2=80=AFPM Mark Peek &lt;=
<a href=3D"mailto:mp@freebsd.org">mp@freebsd.org</a>&gt; wrote:<br></div><b=
lockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-le=
ft:1px solid rgb(204,204,204);padding-left:1ex">Likely need to add this as =
it is what you are passing to doas as the<br>
command to execute:<br>
<br>
permit nopass :wheel as root cmd /usr/sbin/12-Win-11-vm12<br>
<br>
Mark<br>
<br>
On Mon, Jun 17, 2024 at 10:40=E2=80=AFAM Mario Marietto &lt;<a href=3D"mail=
to:marietto2008@gmail.com" target=3D"_blank">marietto2008@gmail.com</a>&gt;=
 wrote:<br>
&gt;<br>
&gt; [marietto@marietto /bhyve]=3D=3D&gt; sudo cp 12-Win-11-vm12 /usr/sbin<=
br>
&gt;<br>
&gt; [marietto@marietto /bhyve]=3D=3D&gt; nano /usr/sbin/12-Win-11-vm12<br>
&gt;<br>
&gt; #!/bin/sh<br>
&gt;<br>
&gt; bhyve-win -S -c sockets=3D4,cores=3D2,threads=3D1 -m 8G -w -H \<br>
&gt; -S -c sockets=3D4,cores=3D2,threads=3D1 -m 8G -w -H \<br>
&gt; -s 0,hostbridge \<br>
&gt; -s 1,ahci-hd,/mnt/da4p2/bhyve/img/Windows/Windows11.img,bootindex=3D1 =
\<br>
&gt; -s 2,ahci-hd,/dev/$vmdisk5 \<br>
&gt; -s 8:0,passthru,2/0/0 \<br>
&gt; -s 8:1,passthru,2/0/1 \<br>
&gt; -s 8:2,passthru,2/0/2 \<br>
&gt; -s 8:3,passthru,2/0/3 \<br>
&gt; -s 13,virtio-net,tap12 \<br>
&gt; -s 29,fbuf,tcp=3D<a href=3D"http://0.0.0.0:5912" rel=3D"noreferrer" ta=
rget=3D"_blank">0.0.0.0:5912</a>,w=3D1600,h=3D950,wait \<br>
&gt; -s 30,xhci,tablet \<br>
&gt; -s 31,lpc \<br>
&gt; -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd \<br>
&gt; vm0:12 &lt; /dev/null &amp; sleep 2 &amp;&amp; vncviewer 0:12<br>
&gt;<br>
&gt; [marietto@marietto /bhyve]=3D=3D&gt; sudo chmod 0755 /usr/sbin/12-Win-=
11-vm12<br>
&gt;<br>
&gt; [marietto@marietto /bhyve]=3D=3D&gt; sudo nano /usr/local/etc/doas.con=
f<br>
&gt;<br>
&gt; permit nopass :wheel as root cmd /usr/sbin/bhyve-win<br>
&gt; permit nopass :wheel as root cmd /usr/sbin/bhyve-lin<br>
&gt;<br>
&gt; [marietto@marietto /bhyve]=3D=3D&gt; doas /usr/sbin/12-Win-11-vm12<br>
&gt; doas: Operation not permitted<br>
&gt;<br>
&gt; BUT :<br>
&gt;<br>
&gt; [marietto@marietto /bhyve]=3D=3D&gt; sudo nano /usr/sbin/hallo<br>
&gt;<br>
&gt; #!/bin/sh<br>
&gt; echo hallo $USER<br>
&gt;<br>
&gt; [marietto@marietto /bhyve]=3D=3D&gt; sudo chmod 0755 /usr/sbin/hallo<b=
r>
&gt;<br>
&gt; [marietto@marietto /bhyve]=3D=3D&gt; sudo nano /usr/local/etc/doas.con=
f<br>
&gt;<br>
&gt; permit nopass :wheel as root cmd hallo<br>
&gt;<br>
&gt; [marietto@marietto /bhyve]=3D=3D&gt; doas hallo<br>
&gt;<br>
&gt; BOOM ! it works :<br>
&gt;<br>
&gt; hallo root<br>
&gt;<br>
&gt; On Mon, Jun 17, 2024 at 6:54=E2=80=AFPM Dave Cottlehuber &lt;<a href=
=3D"mailto:dch@skunkwerks.at" target=3D"_blank">dch@skunkwerks.at</a>&gt; w=
rote:<br>
&gt;&gt;<br>
&gt;&gt; On Mon, 17 Jun 2024, at 14:12, Mario Marietto wrote:<br>
&gt;&gt; &gt; Nice idea,but it does not work :<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; nano /home/marietto/.zshrc<br>
&gt;&gt; &gt;<br>
&gt;&gt; &gt; # ~/.zshrc<br>
&gt;&gt;<br>
&gt;&gt; Hi Mario, I think your zsh stuff is getting in the way<br>
&gt;&gt; here. Your zshrc function is not visible to the root user,<br>
&gt;&gt; as doas cleans up all the env and so your function is unknown.<br>
&gt;&gt;<br>
&gt;&gt; So start off with something without bhyve, make sure you are in<br=
>
&gt;&gt; wheel group, and add a shell script called<br>
&gt;&gt; /usr/local/bin/hallo:<br>
&gt;&gt;<br>
&gt;&gt; ```<br>
&gt;&gt; #!/bin/sh<br>
&gt;&gt; echo hallo $USER<br>
&gt;&gt; ```<br>
&gt;&gt;<br>
&gt;&gt; chmod 0755 /usr/local/bin/hallo<br>
&gt;&gt;<br>
&gt;&gt; ```<br>
&gt;&gt; # /usr/local/etc/doas.conf (per doas.conf manpage)<br>
&gt;&gt; permit nopass :wheel as root cmd /usr/local/bin/hallo<br>
&gt;&gt; ```<br>
&gt;&gt;<br>
&gt;&gt; $ doas /usr/local/bin/hallo<br>
&gt;&gt; hallo root<br>
&gt;&gt;<br>
&gt;&gt; then replace your bhyve commands in the hallo script.<br>
&gt;&gt;<br>
&gt;&gt; Off the top of my head there&#39;s no reason for bhyve to need<br>
&gt;&gt; anything different to hallo script.<br>
&gt;&gt; A+<br>
&gt;&gt; Dave<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; --<br>
&gt; Mario.<br>
</blockquote></div><br clear=3D"all"><br><span class=3D"gmail_signature_pre=
fix">-- </span><br><div dir=3D"ltr" class=3D"gmail_signature">Mario.<br></d=
iv>

--000000000000c863f1061b1a3aa0--