From: Mario Marietto
Date: Mon, 17 Jun 2024 22:43:33 +0200
Subject: Re: How to launch a bhyve vm as normal user, without being root
To: Mark Peek
Cc: Dave Cottlehuber, Odhiambo Washington, freebsd-virtualization
List-Archive: https://lists.freebsd.org/archives/freebsd-virtualization

I had an illumination and I found how it works :

[marietto@marietto /bhyve]==> doas /bhyve/12-Win-11-vm12

But why ?

On Mon, Jun 17, 2024 at 10:15 PM Mario Marietto wrote:
> nano /usr/local/etc/doas.conf :
>
> permit nopass :wheel as root cmd bhyve-win
> permit nopass :wheel as root cmd bhyve-lin
> permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12
>
> [marietto@marietto /bhyve]==> doas 12-Win-11-vm12
> doas: Operation not permitted
>
> On Mon, Jun 17, 2024 at 9:50 PM Mark Peek wrote:
>
>> Likely because you don't have this in the doas.conf file:
>>
>> permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12
>>
>>
>> On Mon, Jun 17, 2024 at 11:35 AM Mario Marietto wrote:
>>
>>> If I keep the bhyve scripts in /usr/sbin, it works. But I want to keep
>>> the bhyve scripts in /bhyve and I don't want to keep them in /usr/sbin. For
>>> this reason I've added the path /bhyve to /home/marietto/.zshrc like this :
>>>
>>> # ~/.zshrc
>>>
>>> # zsh autocompletion for sudo and doas
>>> zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve
>>>
>>> and in /root/.zshrc :
>>>
>>> # zsh autocompletion for sudo and doas
>>> zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve
>>>
>>> but when I try to run the vm like this :
>>>
>>> [marietto@marietto /bhyve]==> doas 12-Win-11-vm12
>>>
>>> it says :
>>>
>>> doas: 12-Win-11-vm12: command not found
>>>
>>> and when I do :
>>>
>>> [marietto@marietto /bhyve]==> doas ./12-Win-11-vm12
>>>
>>> it says :
>>>
>>> doas: Operation not permitted
>>>
>>> Why ?
>>>
>>>
>>> On Mon, Jun 17, 2024 at 7:53 PM Mark Peek wrote:
>>>
>>>> Likely need to add this as it is what you are passing to doas as the
>>>> command to execute:
>>>>
>>>> permit nopass :wheel as root cmd /usr/sbin/12-Win-11-vm12
>>>>
>>>> Mark
>>>>
>>>> On Mon, Jun 17, 2024 at 10:40 AM Mario Marietto wrote:
>>>> >
>>>> > [marietto@marietto /bhyve]==> sudo cp 12-Win-11-vm12 /usr/sbin
>>>> >
>>>> > [marietto@marietto /bhyve]==> nano /usr/sbin/12-Win-11-vm12
>>>> >
>>>> > #!/bin/sh
>>>> >
>>>> > bhyve-win -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \
>>>> > -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \
>>>> > -s 0,hostbridge \
>>>> > -s 1,ahci-hd,/mnt/da4p2/bhyve/img/Windows/Windows11.img,bootindex=1 \
>>>> > -s 2,ahci-hd,/dev/$vmdisk5 \
>>>> > -s 8:0,passthru,2/0/0 \
>>>> > -s 8:1,passthru,2/0/1 \
>>>> > -s 8:2,passthru,2/0/2 \
>>>> > -s 8:3,passthru,2/0/3 \
>>>> > -s 13,virtio-net,tap12 \
>>>> > -s 29,fbuf,tcp=0.0.0.0:5912,w=1600,h=950,wait \
>>>> > -s 30,xhci,tablet \
>>>> > -s 31,lpc \
>>>> > -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd \
>>>> > vm0:12 < /dev/null & sleep 2 && vncviewer 0:12
>>>> >
>>>> > [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/12-Win-11-vm12
>>>> >
>>>> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf
>>>> >
>>>> > permit nopass :wheel as root cmd /usr/sbin/bhyve-win
>>>> > permit nopass :wheel as root cmd /usr/sbin/bhyve-lin
>>>> >
>>>> > [marietto@marietto /bhyve]==> doas /usr/sbin/12-Win-11-vm12
>>>> > doas: Operation not permitted
>>>> >
>>>> > BUT :
>>>> >
>>>> > [marietto@marietto /bhyve]==> sudo nano /usr/sbin/hallo
>>>> >
>>>> > #!/bin/sh
>>>> > echo hallo $USER
>>>> >
>>>> > [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/hallo
>>>> >
>>>> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf
>>>> >
>>>> > permit nopass :wheel as root cmd hallo
>>>> >
>>>> > [marietto@marietto /bhyve]==> doas hallo
>>>> >
>>>> > BOOM ! it works :
>>>> >
>>>> > hallo root
>>>> >
>>>> > On Mon, Jun 17, 2024 at 6:54 PM Dave Cottlehuber wrote:
>>>> >>
>>>> >> On Mon, 17 Jun 2024, at 14:12, Mario Marietto wrote:
>>>> >> > Nice idea, but it does not work :
>>>> >> >
>>>> >> > nano /home/marietto/.zshrc
>>>> >> >
>>>> >> > # ~/.zshrc
>>>> >>
>>>> >> Hi Mario, I think your zsh stuff is getting in the way
>>>> >> here. Your zshrc function is not visible to the root user,
>>>> >> as doas cleans up all the env and so your function is unknown.
>>>> >>
>>>> >> So start off with something without bhyve, make sure you are in
>>>> >> the wheel group, and add a shell script called
>>>> >> /usr/local/bin/hallo:
>>>> >>
>>>> >> ```
>>>> >> #!/bin/sh
>>>> >> echo hallo $USER
>>>> >> ```
>>>> >>
>>>> >> chmod 0755 /usr/local/bin/hallo
>>>> >>
>>>> >> ```
>>>> >> # /usr/local/etc/doas.conf (per doas.conf manpage)
>>>> >> permit nopass :wheel as root cmd /usr/local/bin/hallo
>>>> >> ```
>>>> >>
>>>> >> $ doas /usr/local/bin/hallo
>>>> >> hallo root
>>>> >>
>>>> >> then replace your bhyve commands in the hallo script.
>>>> >>
>>>> >> Off the top of my head there's no reason for bhyve to need
>>>> >> anything different to the hallo script.
>>>> >> A+
>>>> >> Dave
>>>> >
>>>> > --
>>>> > Mario.
>>>
>>> --
>>> Mario.
>
> --
> Mario.

--
Mario.
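The thread's results (doas refuses ./12-Win-11-vm12 and 12-Win-11-vm12 but permits /bhyve/12-Win-11-vm12 once that exact path is in a rule) come down to two things a practitioner wants to check before handing a script to doas: the rule's cmd word has to equal the command word exactly as typed, and whatever that word resolves to runs as root, so the file itself must be owned by root and writable by nobody else. The script below is an added example, not code from the thread or from doas itself: it parses the rule form the thread uses ("permit [nopass] <who> as <target> cmd <word> [args ...]"), reports which rule a typed command would match, and audits each cmd target's path, ownership and permissions. The function names (cmd_word, find_rule, check_target, audit_conf, demo), the constructed doas.conf and the temporary files are all assumptions made here; the exact-match and last-matching-rule behaviour is assumed from the thread's observations and doas.conf(5), not from reading the FreeBSD port's source.

```shell
#!/bin/sh
# Added example (not from the thread): audit the cmd targets of a doas.conf and
# show which rule a given "doas <word>" invocation would match.
# Assumptions: rules look like "permit [nopass] <who> as <target> cmd <word> [args ...]",
# doas compares the cmd word with the command word exactly as typed, and the last
# matching rule wins. A rule without a cmd clause matches any command.

# cmd_word RULE -> prints the word after "cmd"; returns 1 if the rule has no cmd clause
cmd_word() {
    set -f; set -- $1; set +f          # split the rule into words, without globbing
    while [ $# -gt 0 ]; do
        [ "$1" = "cmd" ] && { printf '%s\n' "$2"; return 0; }
        shift
    done
    return 1
}

# find_rule CONF TYPED -> prints the last permit/deny rule whose cmd word equals TYPED;
# returns 1 when no rule matches or the last match is a deny (the "Operation not
# permitted" case in the thread)
find_rule() {
    conf=$1; typed=$2; match=
    while read -r line; do
        case "$line" in permit*|deny*) ;; *) continue ;; esac
        word=$(cmd_word "$line") || word=$typed     # no cmd clause: matches anything
        [ "$word" = "$typed" ] && match=$line       # keep the LAST matching rule
    done < "$conf"
    [ -n "$match" ] || return 1
    printf '%s\n' "$match"
    case "$match" in permit*) return 0 ;; *) return 1 ;; esac
}

# check_target WORD OWNER_UID -> prints "OK <word>" or "RISK <word>: <reason>";
# returns 1 on RISK. The target runs as root, so it must be an absolute path,
# exist, be owned by OWNER_UID (0 on a real system) and be writable by nobody else;
# otherwise whoever can edit or shadow it effectively holds the root rule.
check_target() {
    word=$1; owner=${2:-0}
    case "$word" in
        /*) ;;
        *)  printf 'RISK %s: not an absolute path, the rule only fixes the bare word\n' "$word"; return 1 ;;
    esac
    [ -e "$word" ] || { printf 'RISK %s: target does not exist\n' "$word"; return 1; }
    set -- $(ls -ldn "$word")                      # $1 = mode string, $3 = numeric uid
    [ "$3" = "$owner" ] || { printf 'RISK %s: owned by uid %s, expected %s\n' "$word" "$3" "$owner"; return 1; }
    case "$1" in                                   # 6th char = group w, 9th char = other w
        ?????w*|????????w*) printf 'RISK %s: group- or world-writable (%s)\n' "$word" "$1"; return 1 ;;
    esac
    printf 'OK %s\n' "$word"
}

# audit_conf CONF OWNER_UID -> one verdict per permit rule; returns 1 if any rule is risky
audit_conf() {
    conf=$1; owner=${2:-0}; bad=0
    while read -r line; do
        case "$line" in permit*) ;; *) continue ;; esac
        if w=$(cmd_word "$line"); then
            check_target "$w" "$owner" || bad=1
        else
            printf 'RISK %s: no cmd clause, any command is permitted\n' "$line"; bad=1
        fi
    done < "$conf"
    return $bad
}

# demo: constructed files modelled on the thread. A real audit passes owner uid 0;
# the demo passes the current uid because it cannot create root-owned files.
demo() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/bhyve"
    printf '#!/bin/sh\necho would start the vm\n' > "$dir/bhyve/12-Win-11-vm12"
    chmod 0755 "$dir/bhyve/12-Win-11-vm12"
    printf '#!/bin/sh\necho hallo $USER\n' > "$dir/hallo"
    chmod 0777 "$dir/hallo"                        # deliberately world-writable
    cat > "$dir/doas.conf" <<EOF
# constructed doas.conf, modelled on the thread
permit nopass :wheel as root cmd bhyve-win
permit nopass :wheel as root cmd $dir/bhyve/12-Win-11-vm12
permit nopass :wheel as root cmd $dir/hallo
EOF
    if audit_conf "$dir/doas.conf" "$(id -u)"; then echo "all rules OK"; else echo "risky rules found"; fi
    for typed in 12-Win-11-vm12 ./12-Win-11-vm12 "$dir/bhyve/12-Win-11-vm12"; do
        if find_rule "$dir/doas.conf" "$typed" >/dev/null; then
            echo "doas $typed: permitted"
        else
            echo "doas $typed: Operation not permitted (no matching rule)"
        fi
    done
    rm -rf "$dir"
}
demo
```

Run against the constructed configuration, the audit flags the bare-word rule (bhyve-win) and the world-writable hallo script, accepts the 0755 VM script, and reports that only the typed form /bhyve/12-Win-11-vm12 matches a rule, which is the outcome the thread arrived at by trial and error. On a real host, call audit_conf /usr/local/etc/doas.conf 0.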