From nobody Mon Jun 17 20:45:56 2024
List-Archive: https://lists.freebsd.org/archives/freebsd-virtualization
From: Mark Peek <mp@freebsd.org>
Date: Mon, 17 Jun 2024 13:45:56 -0700
Subject: Re: How to launch a bhyve vm as normal user, without being root
To: Mario Marietto
Cc: Mark Peek, Dave Cottlehuber, Odhiambo Washington, freebsd-virtualization

I was just responding...

Works for me using the full path to the command. You should try as well with the full path to the command.

$ ls -l /bhyve/12-Win-11-vm12
-rwxr-xr-x  1 root wheel 22 Jun 17 13:25 /bhyve/12-Win-11-vm12
$ cat !$
cat /bhyve/12-Win-11-vm12
#!/bin/sh
echo $USER
$ ls -l /bhyve/12-Win-11-vm12
-rwxr-xr-x  1 root wheel 22 Jun 17 13:25 /bhyve/12-Win-11-vm12
$ cat /bhyve/12-Win-11-vm12
#!/bin/sh
echo $USER
$ cat /usr/local/etc/doas.conf
permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12
$ doas /bhyve/12-Win-11-vm12
root
$ doas 12-Win-11-vm12
doas: Operation not permitted

This last failure is likely an issue with how PATH interacts with doas. You should move this to another mailing list as this is more about "doas" than "bhyve".

On Mon, Jun 17, 2024 at 1:44 PM Mario Marietto wrote:
> I had an illumination and I found how it works :
>
> [marietto@marietto /bhyve]==> doas /bhyve/12-Win-11-vm12
>
> But why ?
>
>
> On Mon, Jun 17, 2024 at 10:15 PM Mario Marietto wrote:
>
>> nano /usr/local/etc/doas.conf :
>>
>> permit nopass :wheel as root cmd bhyve-win
>> permit nopass :wheel as root cmd bhyve-lin
>> permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12
>>
>> [marietto@marietto /bhyve]==> doas 12-Win-11-vm12
>> doas: Operation not permitted
>>
>> On Mon, Jun 17, 2024 at 9:50 PM Mark Peek wrote:
>>
>>> Likely because you don't have this in the doas.conf file:
>>>
>>> permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12
>>>
>>>
>>> On Mon, Jun 17, 2024 at 11:35 AM Mario Marietto wrote:
>>>
>>>> If I keep the bhyve scripts in /usr/sbin, it works. But I want to keep
>>>> the bhyve scripts in /bhyve and I don't want to keep them in /usr/sbin. For
>>>> this reason I've added the path /bhyve to /home/marietto/.zshrc like this :
>>>>
>>>> # ~/.zshrc
>>>>
>>>> # zsh autocompletion for sudo and doas
>>>> zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve
>>>>
>>>> and in /root/.zshrc :
>>>>
>>>> # zsh autocompletion for sudo and doas
>>>> zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve
>>>>
>>>> but when I try to run the vm like this :
>>>>
>>>> [marietto@marietto /bhyve]==> doas 12-Win-11-vm12
>>>>
>>>> it says :
>>>>
>>>> doas: 12-Win-11-vm12: command not found
>>>>
>>>> and when I do :
>>>>
>>>> [marietto@marietto /bhyve]==> doas ./12-Win-11-vm12
>>>>
>>>> it says :
>>>>
>>>> doas: Operation not permitted
>>>>
>>>> Why ?
>>>>
>>>>
>>>> On Mon, Jun 17, 2024 at 7:53 PM Mark Peek wrote:
>>>>
>>>>> Likely need to add this as it is what you are passing to doas as the
>>>>> command to execute:
>>>>>
>>>>> permit nopass :wheel as root cmd /usr/sbin/12-Win-11-vm12
>>>>>
>>>>> Mark
>>>>>
>>>>> On Mon, Jun 17, 2024 at 10:40 AM Mario Marietto <marietto2008@gmail.com> wrote:
>>>>> >
>>>>> > [marietto@marietto /bhyve]==> sudo cp 12-Win-11-vm12 /usr/sbin
>>>>> >
>>>>> > [marietto@marietto /bhyve]==> nano /usr/sbin/12-Win-11-vm12
>>>>> >
>>>>> > #!/bin/sh
>>>>> >
>>>>> > bhyve-win -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \
>>>>> > -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \
>>>>> > -s 0,hostbridge \
>>>>> > -s 1,ahci-hd,/mnt/da4p2/bhyve/img/Windows/Windows11.img,bootindex=1 \
>>>>> > -s 2,ahci-hd,/dev/$vmdisk5 \
>>>>> > -s 8:0,passthru,2/0/0 \
>>>>> > -s 8:1,passthru,2/0/1 \
>>>>> > -s 8:2,passthru,2/0/2 \
>>>>> > -s 8:3,passthru,2/0/3 \
>>>>> > -s 13,virtio-net,tap12 \
>>>>> > -s 29,fbuf,tcp=0.0.0.0:5912,w=1600,h=950,wait \
>>>>> > -s 30,xhci,tablet \
>>>>> > -s 31,lpc \
>>>>> > -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd \
>>>>> > vm0:12 < /dev/null & sleep 2 && vncviewer 0:12
>>>>> >
>>>>> > [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/12-Win-11-vm12
>>>>> >
>>>>> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf
>>>>> >
>>>>> > permit nopass :wheel as root cmd /usr/sbin/bhyve-win
>>>>> > permit nopass :wheel as root cmd /usr/sbin/bhyve-lin
>>>>> >
>>>>> > [marietto@marietto /bhyve]==> doas /usr/sbin/12-Win-11-vm12
>>>>> > doas: Operation not permitted
>>>>> >
>>>>> > BUT :
>>>>> >
>>>>> > [marietto@marietto /bhyve]==> sudo nano /usr/sbin/hallo
>>>>> >
>>>>> > #!/bin/sh
>>>>> > echo hallo $USER
>>>>> >
>>>>> > [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/hallo
>>>>> >
>>>>> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf
>>>>> >
>>>>> > permit nopass :wheel as root cmd hallo
>>>>> >
>>>>> > [marietto@marietto /bhyve]==> doas hallo
>>>>> >
>>>>> > BOOM ! it works :
>>>>> >
>>>>> > hallo root
>>>>> >
>>>>> > On Mon, Jun 17, 2024 at 6:54 PM Dave Cottlehuber wrote:
>>>>> >>
>>>>> >> On Mon, 17 Jun 2024, at 14:12, Mario Marietto wrote:
>>>>> >> > Nice idea, but it does not work :
>>>>> >> >
>>>>> >> > nano /home/marietto/.zshrc
>>>>> >> >
>>>>> >> > # ~/.zshrc
>>>>> >>
>>>>> >> Hi Mario, I think your zsh stuff is getting in the way
>>>>> >> here. Your zshrc function is not visible to the root user,
>>>>> >> as doas cleans up all the env and so your function is unknown.
>>>>> >>
>>>>> >> So start off with something without bhyve, make sure you are in
>>>>> >> wheel group, and add a shell script called
>>>>> >> /usr/local/bin/hallo:
>>>>> >>
>>>>> >> ```
>>>>> >> #!/bin/sh
>>>>> >> echo hallo $USER
>>>>> >> ```
>>>>> >>
>>>>> >> chmod 0755 /usr/local/bin/hallo
>>>>> >>
>>>>> >> ```
>>>>> >> # /usr/local/etc/doas.conf (per doas.conf manpage)
>>>>> >> permit nopass :wheel as root cmd /usr/local/bin/hallo
>>>>> >> ```
>>>>> >>
>>>>> >> $ doas /usr/local/bin/hallo
>>>>> >> hallo root
>>>>> >>
>>>>> >> then replace your bhyve commands in the hallo script.
>>>>> >>
>>>>> >> Off the top of my head there's no reason for bhyve to need
>>>>> >> anything different to hallo script.
>>>>> >> A+
>>>>> >> Dave
>>>>> >
>>>>> >
>>>>> >
>>>>> > --
>>>>> > Mario.
>>>>
>>>>
>>>> --
>>>> Mario.
>>>>
>>>
>>
>> --
>> Mario.
>>
>
>
> --
> Mario.
>
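Added example, not part of the thread above and not code from doas, bhyve or any of the participants: a small POSIX sh audit for a doas.conf cmd rule, written to encode the two points the thread turns on. First, doas compares the command string you type against the rule's cmd field, so "doas /bhyve/12-Win-11-vm12" matches "cmd /bhyve/12-Win-11-vm12" while "doas 12-Win-11-vm12" and "doas ./12-Win-11-vm12" do not, and a bare name is looked up only in doas's own restricted PATH, not in the caller's shell PATH. Second, a "permit nopass ... as root cmd /path" rule is a root escalation for anyone who can write /path or any directory leading to it, so the file and its parents must be root-owned and not group/world writable. The script name doas-audit.sh, the OWNER_UID and STOP_DIR parameters and the sample doas.conf in the comments are this example's own assumptions; on a real host leave the parameters at their defaults (uid 0, walk all the way up to /).

```shell
#!/bin/sh
# doas-audit.sh (constructed example, not from the thread or from doas).
# Audit one "permit ... cmd <path>" rule in a doas.conf before trusting it:
#  1. doas matches the command string you type against the rule's cmd
#     field, so the rule must hold an absolute path and you must type that
#     same path; a bare name is looked up only in doas's own restricted PATH.
#  2. "permit nopass ... as root cmd /path" gives root to anyone who can
#     change /path or any directory leading to it, so the file and every
#     ancestor must be owned by root and not group/world writable.
# OWNER_UID and STOP_DIR are parameters of this demo: on a real host leave
# them at their defaults (0 and none, i.e. check all the way up to /).

# mode_string PATH -> ten-character mode column of ls -ld, e.g. -rwxr-xr-x
# (a symlink shows its own lrwxrwxrwx and is therefore flagged; point the
# rule at the real file instead)
mode_string() { ls -ld "$1" | cut -c1-10; }

# owner_uid PATH -> numeric owner uid from ls -ldn
owner_uid() { ls -ldn "$1" | awk '{ print $3 }'; }

# check_node PATH OWNER_UID -> prints one line per problem, nothing if clean
check_node() {
    node=$1; want=$2
    m=$(mode_string "$node")
    [ "$(owner_uid "$node")" = "$want" ] || echo "$node: owner is not uid $want"
    case "$(printf '%s' "$m" | cut -c6)" in w) echo "$node: group-writable ($m)" ;; esac
    case "$(printf '%s' "$m" | cut -c9)" in w) echo "$node: world-writable ($m)" ;; esac
}

# check_chain PATH OWNER_UID [STOP_DIR] -> check_node on PATH and on each
# ancestor directory; STOP_DIR (exclusive) ends the walk early, and with no
# STOP_DIR the walk goes up to and including /
check_chain() {
    p=$1
    while :; do
        [ "$p" = "${3:-}" ] && break
        check_node "$p" "$2"
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
}

# rule_cmds CONF -> the cmd field of every permit rule in CONF, one per line
rule_cmds() {
    awk '$1 == "permit" { for (i = 2; i <= NF; i++) if ($i == "cmd") print $(i + 1) }' "$1"
}

# audit_rule CONF CMD [OWNER_UID] [STOP_DIR] -> status 0 and the exact
# invocation to use when CMD has a permit rule with that exact string, is
# absolute, and its file chain is clean; otherwise prints the findings and
# returns 1
audit_rule() {
    conf=$1; cmd=$2; uid=${3:-0}; stop=${4:-}
    findings=$(
        rule_cmds "$conf" | grep -qxF -- "$cmd" ||
            echo "$cmd: no permit rule with exactly this cmd string in $conf"
        case "$cmd" in
            /*) if [ -f "$cmd" ]; then check_chain "$cmd" "$uid" "$stop"
                else echo "$cmd: not a regular file"; fi ;;
            *)  echo "$cmd: not an absolute path; doas searches only its own restricted PATH" ;;
        esac
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "ok: run it exactly as: doas $cmd"
}

# Usage: sh doas-audit.sh /usr/local/etc/doas.conf /bhyve/12-Win-11-vm12
if [ $# -ge 2 ]; then audit_rule "$@"; fi
```

The audit deliberately looks only at the rule and the file system, not inside the script. One more caveat that follows from Dave's remark about doas cleaning the environment: a wrapper that expands a variable from the caller's shell (the $vmdisk5 in the script quoted above is an instance) will see it empty under doas, so the wrapper has to set such values itself.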