From: Mario Marietto <marietto2008@gmail.com>
Date: Mon, 17 Jun 2024 22:15:20 +0200
Subject: Re: How to launch a bhyve vm as normal user, without being root
To: Mark Peek <mp@freebsd.org>
Cc: Dave Cottlehuber <dch@skunkwerks.at>, Odhiambo Washington, freebsd-virtualization@freebsd.org
List-Archive: https://lists.freebsd.org/archives/freebsd-virtualization

nano /usr/local/etc/doas.conf :

permit nopass :wheel as root cmd bhyve-win
permit nopass :wheel as root cmd bhyve-lin
permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12

[marietto@marietto /bhyve]==> doas 12-Win-11-vm12
doas: Operation not permitted

On Mon, Jun 17, 2024 at 9:50 PM Mark Peek <mp@freebsd.org> wrote:

> Likely because you don't have this in the doas.conf file:
>
> permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12
>
> On Mon, Jun 17, 2024 at 11:35 AM Mario Marietto <marietto2008@gmail.com> wrote:
>
>> If I keep the bhyve scripts in /usr/sbin, it works. But I want to keep the
>> bhyve scripts in /bhyve and I don't want to keep them in /usr/sbin. For
>> this reason I've added the path /bhyve to /home/marietto/.zshrc like this:
>>
>> # ~/.zshrc
>>
>> # zsh autocompletion for sudo and doas
>> zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve
>>
>> and in /root/.zshrc :
>>
>> # zsh autocompletion for sudo and doas
>> zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve
>>
>> but when I try to run the vm like this:
>>
>> [marietto@marietto /bhyve]==> doas 12-Win-11-vm12
>>
>> it says:
>>
>> doas: 12-Win-11-vm12: command not found
>>
>> and when I do:
>>
>> [marietto@marietto /bhyve]==> doas ./12-Win-11-vm12
>>
>> it says:
>>
>> doas: Operation not permitted
>>
>> Why?
>>
>> On Mon, Jun 17, 2024 at 7:53 PM Mark Peek <mp@freebsd.org> wrote:
>>
>>> Likely need to add this as it is what you are passing to doas as the
>>> command to execute:
>>>
>>> permit nopass :wheel as root cmd /usr/sbin/12-Win-11-vm12
>>>
>>> Mark
>>>
>>> On Mon, Jun 17, 2024 at 10:40 AM Mario Marietto <marietto2008@gmail.com> wrote:
>>> >
>>> > [marietto@marietto /bhyve]==> sudo cp 12-Win-11-vm12 /usr/sbin
>>> >
>>> > [marietto@marietto /bhyve]==> nano /usr/sbin/12-Win-11-vm12
>>> >
>>> > #!/bin/sh
>>> >
>>> > bhyve-win -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \
>>> > -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \
>>> > -s 0,hostbridge \
>>> > -s 1,ahci-hd,/mnt/da4p2/bhyve/img/Windows/Windows11.img,bootindex=1 \
>>> > -s 2,ahci-hd,/dev/$vmdisk5 \
>>> > -s 8:0,passthru,2/0/0 \
>>> > -s 8:1,passthru,2/0/1 \
>>> > -s 8:2,passthru,2/0/2 \
>>> > -s 8:3,passthru,2/0/3 \
>>> > -s 13,virtio-net,tap12 \
>>> > -s 29,fbuf,tcp=0.0.0.0:5912,w=1600,h=950,wait \
>>> > -s 30,xhci,tablet \
>>> > -s 31,lpc \
>>> > -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd \
>>> > vm0:12 < /dev/null & sleep 2 && vncviewer 0:12
>>> >
>>> > [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/12-Win-11-vm12
>>> >
>>> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf
>>> >
>>> > permit nopass :wheel as root cmd /usr/sbin/bhyve-win
>>> > permit nopass :wheel as root cmd /usr/sbin/bhyve-lin
>>> >
>>> > [marietto@marietto /bhyve]==> doas /usr/sbin/12-Win-11-vm12
>>> > doas: Operation not permitted
>>> >
>>> > BUT :
>>> >
>>> > [marietto@marietto /bhyve]==> sudo nano /usr/sbin/hallo
>>> >
>>> > #!/bin/sh
>>> > echo hallo $USER
>>> >
>>> > [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/hallo
>>> >
>>> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf
>>> >
>>> > permit nopass :wheel as root cmd hallo
>>> >
>>> > [marietto@marietto /bhyve]==> doas hallo
>>> >
>>> > BOOM ! it works :
>>> >
>>> > hallo root
>>> >
>>> > On Mon, Jun 17, 2024 at 6:54 PM Dave Cottlehuber <dch@skunkwerks.at> wrote:
>>> >>
>>> >> On Mon, 17 Jun 2024, at 14:12, Mario Marietto wrote:
>>> >> > Nice idea, but it does not work:
>>> >> >
>>> >> > nano /home/marietto/.zshrc
>>> >> >
>>> >> > # ~/.zshrc
>>> >>
>>> >> Hi Mario, I think your zsh stuff is getting in the way
>>> >> here. Your zshrc function is not visible to the root user,
>>> >> as doas cleans up all the env and so your function is unknown.
>>> >>
>>> >> So start off with something without bhyve, make sure you are in
>>> >> the wheel group, and add a shell script called
>>> >> /usr/local/bin/hallo:
>>> >>
>>> >> ```
>>> >> #!/bin/sh
>>> >> echo hallo $USER
>>> >> ```
>>> >>
>>> >> chmod 0755 /usr/local/bin/hallo
>>> >>
>>> >> ```
>>> >> # /usr/local/etc/doas.conf (per doas.conf manpage)
>>> >> permit nopass :wheel as root cmd /usr/local/bin/hallo
>>> >> ```
>>> >>
>>> >> $ doas /usr/local/bin/hallo
>>> >> hallo root
>>> >>
>>> >> then replace your bhyve commands in the hallo script.
>>> >>
>>> >> Off the top of my head there's no reason for bhyve to need
>>> >> anything different to the hallo script.
>>> >> A+
>>> >> Dave
>>> >
>>> >
>>> > --
>>> > Mario.
>>
>> --
>> Mario.
>

-- 
Mario.
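Mark's and Dave's replies in the thread above come down to two properties of doas worth checking from the defender's side: the `cmd` in a rule is compared with the command string exactly as typed after `doas` (so `12-Win-11-vm12` never matches a rule for `/bhyve/12-Win-11-vm12`), and a `nopass ... as root cmd <script>` rule turns the script, and every directory on its path, into a root-equivalent object for anyone who can write them. The Python below is an added illustration, not doas's own code or anything posted in the thread; the subset of the doas.conf grammar it parses, the `THREAD_CONF` constant and the 0777 temporary directory it builds as a stand-in for `/bhyve` are my assumptions.

```python
import os
import re
import stat
import tempfile

# Added model of doas.conf evaluation (not doas's own code): the last matching rule
# decides, identity is a user or :group, and "cmd" must equal argv[0] exactly as typed.
RULE = re.compile(r"^(permit|deny)(?:\s+(?:nopass|persist|keepenv))*\s+(\S+)"
                  r"(?:\s+as\s+(\S+))?(?:\s+cmd\s+(\S+))?")  # subset: no setenv/args

# The three rules quoted in the thread above
THREAD_CONF = """permit nopass :wheel as root cmd bhyve-win
permit nopass :wheel as root cmd bhyve-lin
permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12
"""

def doas_decision(conf, user, groups, argv, target="root"):
    # 'permit', 'deny' or None (no match, which doas reports as "Operation not permitted")
    decision = None
    for raw in conf.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue  # blank, comment-only, or unsupported line
        action, ident, tgt, cmd = m.groups()
        if not (ident == user or (ident[:1] == ":" and ident[1:] in groups)):
            continue
        if (tgt or "root") != target or (cmd is not None and cmd != argv[0]):
            continue  # "12-Win-11-vm12" does not equal "/bhyve/12-Win-11-vm12"
        decision = action
    return decision

def writable_by_others(script):
    # Components not root-owned or group/world writable: with a nopass root rule on
    # the script, whoever can change any of them can run anything as root
    p, bad = os.path.realpath(script), []
    while True:
        st = os.lstat(p)
        if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            bad.append(p)
        if os.path.dirname(p) == p:
            return bad
        p = os.path.dirname(p)

def constructed_unsafe_script():
    # Constructed fixture: a 0777 directory holding the VM script, as /bhyve might be
    d = tempfile.mkdtemp()
    os.chmod(d, 0o777)
    script = os.path.join(d, "12-Win-11-vm12")
    open(script, "w").close()
    return os.path.realpath(d), writable_by_others(script)
```

Running `writable_by_others` against the real script path before adding a `nopass` rule shows which directories would have to be locked down (root-owned, mode 0755) for the rule to be safe.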