Date:      Mon, 17 Jun 2024 22:43:33 +0200
From:      Mario Marietto <marietto2008@gmail.com>
To:        Mark Peek <mp@freebsd.org>
Cc:        Dave Cottlehuber <dch@skunkwerks.at>, Odhiambo Washington <odhiambo@gmail.com>,  freebsd-virtualization <freebsd-virtualization@freebsd.org>
Subject:   Re: How to launch a bhyve vm as normal user,without being root
Message-ID:  <CA%2B1FSij4Xb2b7Mt-TbYMs7%2B2Z4NgfEu7gcaGENJohdAKSGKXGA@mail.gmail.com>
In-Reply-To: <CA%2B1FSijS1O8aL6GVwRx0Mt4PETvbL1C0oMgs79pQBtUg4jV8FA@mail.gmail.com>
References:  <CA%2B1FSiimo=-0s80QeGMuLnJAzxi53-V6s303YuW36UkYnqfB-g@mail.gmail.com> <CAAdA2WPrtG_VaLuE8UfBwxanyfNzgLqeBCvpJMvRETdcUSmMEg@mail.gmail.com> <CA%2B1FSijLiq0WMdCvJfQC%2BvtBxXc6iSMD6WQAMavGpg%2BsmCuTFg@mail.gmail.com> <86a551c1-7f10-450d-a282-b33f959ed93e@app.fastmail.com> <CA%2B1FSighjAkOAtzyX3HBy4h0ZnTVckjF9adnWMpAR3m=xW0dUA@mail.gmail.com> <CAGGgMJfoAHFv2uJBzz%2BcJ-pe0tUX=BVaCxM3y5SU-cUxGHcs9A@mail.gmail.com> <CA%2B1FSihHFejcobwVdGhtus4P8uRDkPyXDhQtrBCp-EWxPz=MPg@mail.gmail.com> <CAGGgMJd%2BZh6G%2B0jmCe_%2Bfxof8-RD3AiwhnDuejo84Lm56qZm1A@mail.gmail.com> <CA%2B1FSijS1O8aL6GVwRx0Mt4PETvbL1C0oMgs79pQBtUg4jV8FA@mail.gmail.com>


I had an illumination and I found how it works:

[marietto@marietto /bhyve]==> doas /bhyve/12-Win-11-vm12

But why?


On Mon, Jun 17, 2024 at 10:15 PM Mario Marietto <marietto2008@gmail.com> wrote:

> nano /usr/local/etc/doas.conf:
>
> permit nopass :wheel as root cmd bhyve-win
> permit nopass :wheel as root cmd bhyve-lin
> permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12
>
> [marietto@marietto /bhyve]==> doas 12-Win-11-vm12
> doas: Operation not permitted
>
> On Mon, Jun 17, 2024 at 9:50 PM Mark Peek <mp@freebsd.org> wrote:
>
>> Likely because you don't have this in the doas.conf file:
>>
>> permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12
>>
>>
>> On Mon, Jun 17, 2024 at 11:35 AM Mario Marietto <marietto2008@gmail.com> wrote:
>>
>>> If I keep the bhyve scripts in /usr/sbin, it works. But I want to keep
>>> the bhyve scripts in /bhyve and I don't want to keep them in /usr/sbin. For
>>> this reason I've added the path /bhyve to /home/marietto/.zshrc like this:
>>>
>>> # ~/.zshrc
>>>
>>> # zsh autocompletion for sudo and doas
>>> zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin
>>> /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve
>>>
>>> and in /root/.zshrc:
>>>
>>> # zsh autocompletion for sudo and doas
>>> zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin
>>> /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve
>>>
>>> but when I try to run the vm like this:
>>>
>>> [marietto@marietto /bhyve]==> doas 12-Win-11-vm12
>>>
>>> it says:
>>>
>>> doas: 12-Win-11-vm12: command not found
>>>
>>> and when I do:
>>>
>>> [marietto@marietto /bhyve]==> doas ./12-Win-11-vm12
>>>
>>> it says:
>>>
>>> doas: Operation not permitted
>>>
>>> Why?
>>>
>>>
>>> On Mon, Jun 17, 2024 at 7:53 PM Mark Peek <mp@freebsd.org> wrote:
>>>
>>>> Likely need to add this as it is what you are passing to doas as the
>>>> command to execute:
>>>>
>>>> permit nopass :wheel as root cmd /usr/sbin/12-Win-11-vm12
>>>>
>>>> Mark
>>>>
>>>> On Mon, Jun 17, 2024 at 10:40 AM Mario Marietto <marietto2008@gmail.com> wrote:
>>>> >
>>>> > [marietto@marietto /bhyve]==> sudo cp 12-Win-11-vm12 /usr/sbin
>>>> >
>>>> > [marietto@marietto /bhyve]==> nano /usr/sbin/12-Win-11-vm12
>>>> >
>>>> > #!/bin/sh
>>>> >
>>>> > bhyve-win -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \
>>>> > -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \
>>>> > -s 0,hostbridge \
>>>> > -s 1,ahci-hd,/mnt/da4p2/bhyve/img/Windows/Windows11.img,bootindex=1 \
>>>> > -s 2,ahci-hd,/dev/$vmdisk5 \
>>>> > -s 8:0,passthru,2/0/0 \
>>>> > -s 8:1,passthru,2/0/1 \
>>>> > -s 8:2,passthru,2/0/2 \
>>>> > -s 8:3,passthru,2/0/3 \
>>>> > -s 13,virtio-net,tap12 \
>>>> > -s 29,fbuf,tcp=0.0.0.0:5912,w=1600,h=950,wait \
>>>> > -s 30,xhci,tablet \
>>>> > -s 31,lpc \
>>>> > -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd \
>>>> > vm0:12 < /dev/null & sleep 2 && vncviewer 0:12
>>>> >
>>>> > [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/12-Win-11-vm12
>>>> >
>>>> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf
>>>> >
>>>> > permit nopass :wheel as root cmd /usr/sbin/bhyve-win
>>>> > permit nopass :wheel as root cmd /usr/sbin/bhyve-lin
>>>> >
>>>> > [marietto@marietto /bhyve]==> doas /usr/sbin/12-Win-11-vm12
>>>> > doas: Operation not permitted
>>>> >
>>>> > BUT:
>>>> >
>>>> > [marietto@marietto /bhyve]==> sudo nano /usr/sbin/hallo
>>>> >
>>>> > #!/bin/sh
>>>> > echo hallo $USER
>>>> >
>>>> > [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/hallo
>>>> >
>>>> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf
>>>> >
>>>> > permit nopass :wheel as root cmd hallo
>>>> >
>>>> > [marietto@marietto /bhyve]==> doas hallo
>>>> >
>>>> > BOOM! it works:
>>>> >
>>>> > hallo root
>>>> >
>>>> > On Mon, Jun 17, 2024 at 6:54 PM Dave Cottlehuber <dch@skunkwerks.at> wrote:
>>>> >>
>>>> >> On Mon, 17 Jun 2024, at 14:12, Mario Marietto wrote:
>>>> >> > Nice idea, but it does not work:
>>>> >> >
>>>> >> > nano /home/marietto/.zshrc
>>>> >> >
>>>> >> > # ~/.zshrc
>>>> >>
>>>> >> Hi Mario, I think your zsh stuff is getting in the way
>>>> >> here. Your zshrc function is not visible to the root user,
>>>> >> as doas cleans up all the env and so your function is unknown.
>>>> >>
>>>> >> So start off with something without bhyve, make sure you are in
>>>> >> wheel group, and add a shell script called
>>>> >> /usr/local/bin/hallo:
>>>> >>
>>>> >> ```
>>>> >> #!/bin/sh
>>>> >> echo hallo $USER
>>>> >> ```
>>>> >>
>>>> >> chmod 0755 /usr/local/bin/hallo
>>>> >>
>>>> >> ```
>>>> >> # /usr/local/etc/doas.conf (per doas.conf manpage)
>>>> >> permit nopass :wheel as root cmd /usr/local/bin/hallo
>>>> >> ```
>>>> >>
>>>> >> $ doas /usr/local/bin/hallo
>>>> >> hallo root
>>>> >>
>>>> >> then replace your bhyve commands in the hallo script.
>>>> >>
>>>> >> Off the top of my head there's no reason for bhyve to need
>>>> >> anything different to hallo script.
>>>> >> A+
>>>> >> Dave
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Mario.
>>>>
>>>
>>>
>>> --
>>> Mario.
>>>
>>
>
> --
> Mario.
>


-- 
Mario.
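Added example, written for this archive page and not code from the thread or from doas itself: a small POSIX sh model of the two decisions doas makes for "doas CMD". First, the "cmd" field of each doas.conf rule is compared with the command string exactly as the caller typed it, so "12-Win-11-vm12", "./12-Win-11-vm12" and "/bhyve/12-Win-11-vm12" are three different commands, and a rule naming the full path permits only the full-path invocation. Second, only once a rule has matched does doas look a bare name up, and it does so on its own fixed safe path rather than on the caller's PATH or zsh functions, which is why a permitted bare name whose script lives in /bhyve comes back as "command not found". The rule set and the file list are constructed; the extra bare-name rule for 12-Win-11-vm12 and the safe-path value are assumptions (check your own doas build), and identity (:wheel) and argument matching are left out.

```sh
#!/bin/sh
# Added example (not from the thread or doas): model of how doas decides whether
# "doas CMD" is permitted and, if so, which file it executes.

# Constructed doas.conf rules. The first three are the thread's; the bare-name
# rule for 12-Win-11-vm12 is an assumption added to show the "command not found" case.
DOAS_RULES='permit nopass :wheel as root cmd bhyve-win
permit nopass :wheel as root cmd bhyve-lin
permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12
permit nopass :wheel as root cmd 12-Win-11-vm12
permit nopass :wheel as root cmd hallo'

# Assumed default safe path used by doas after a rule matches; /bhyve is not on it.
SAFE_PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

# Constructed stand-in for the filesystem so the demo runs offline.
FAKE_FILES='/usr/sbin/hallo /usr/sbin/bhyve-win /usr/sbin/bhyve-lin /bhyve/12-Win-11-vm12'

# rule_cmd LINE: print the word following "cmd" in one rule line (empty if none).
rule_cmd() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "cmd") { print $(i + 1); exit } }'
}

# doas_permits TYPED: succeed if some rule's cmd is byte-for-byte equal to TYPED.
# No path resolution happens here: "./x", "x" and "/dir/x" never match each other.
doas_permits() {
    matched=1
    while IFS= read -r line; do
        if [ "$(rule_cmd "$line")" = "$1" ]; then
            matched=0
        fi
    done <<EOF
$DOAS_RULES
EOF
    return $matched
}

# doas_resolve CMD: print the file doas would execute for an already-permitted CMD.
# A name containing "/" is used as given; a bare name is searched on SAFE_PATH only.
doas_resolve() {
    case $1 in
        */*) candidates=$1 ;;
        *)   candidates=$(printf '%s\n' "$SAFE_PATH" | tr ':' '\n' | sed "s|\$|/$1|") ;;
    esac
    for c in $candidates; do
        for f in $FAKE_FILES; do
            if [ "$f" = "$c" ]; then
                printf '%s\n' "$c"
                return 0
            fi
        done
    done
    return 1
}

# doas_try TYPED: the outcome doas would report for "doas TYPED" under the rules above.
doas_try() {
    if ! doas_permits "$1"; then
        echo "doas: Operation not permitted"
    elif path=$(doas_resolve "$1"); then
        echo "exec $path as root"
    else
        echo "doas: $1: command not found"
    fi
}

# Walk through the invocations seen in the thread.
for cmd in 12-Win-11-vm12 ./12-Win-11-vm12 /bhyve/12-Win-11-vm12 hallo; do
    printf '%-28s -> %s\n' "doas $cmd" "$(doas_try "$cmd")"
done
```

The practical consequence for the setup above: either write the rule with the same string you will type (the full path /bhyve/12-Win-11-vm12 and invoke it as such), or place the script in a directory on doas's safe path and use the bare name in both the rule and the invocation. Adding /bhyve to a .zshrc completion path changes neither comparison.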




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CA%2B1FSij4Xb2b7Mt-TbYMs7%2B2Z4NgfEu7gcaGENJohdAKSGKXGA>