Date: Mon, 17 Jun 2024 22:43:33 +0200 From: Mario Marietto <marietto2008@gmail.com> To: Mark Peek <mp@freebsd.org> Cc: Dave Cottlehuber <dch@skunkwerks.at>, Odhiambo Washington <odhiambo@gmail.com>, freebsd-virtualization <freebsd-virtualization@freebsd.org> Subject: Re: How to launch a bhyve vm as normal user,without being root Message-ID: <CA%2B1FSij4Xb2b7Mt-TbYMs7%2B2Z4NgfEu7gcaGENJohdAKSGKXGA@mail.gmail.com> In-Reply-To: <CA%2B1FSijS1O8aL6GVwRx0Mt4PETvbL1C0oMgs79pQBtUg4jV8FA@mail.gmail.com> References: <CA%2B1FSiimo=-0s80QeGMuLnJAzxi53-V6s303YuW36UkYnqfB-g@mail.gmail.com> <CAAdA2WPrtG_VaLuE8UfBwxanyfNzgLqeBCvpJMvRETdcUSmMEg@mail.gmail.com> <CA%2B1FSijLiq0WMdCvJfQC%2BvtBxXc6iSMD6WQAMavGpg%2BsmCuTFg@mail.gmail.com> <86a551c1-7f10-450d-a282-b33f959ed93e@app.fastmail.com> <CA%2B1FSighjAkOAtzyX3HBy4h0ZnTVckjF9adnWMpAR3m=xW0dUA@mail.gmail.com> <CAGGgMJfoAHFv2uJBzz%2BcJ-pe0tUX=BVaCxM3y5SU-cUxGHcs9A@mail.gmail.com> <CA%2B1FSihHFejcobwVdGhtus4P8uRDkPyXDhQtrBCp-EWxPz=MPg@mail.gmail.com> <CAGGgMJd%2BZh6G%2B0jmCe_%2Bfxof8-RD3AiwhnDuejo84Lm56qZm1A@mail.gmail.com> <CA%2B1FSijS1O8aL6GVwRx0Mt4PETvbL1C0oMgs79pQBtUg4jV8FA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] I had an illumination and I found how it works : [marietto@marietto /bhyve]==> doas /bhyve/12-Win-11-vm12 But why ? On Mon, Jun 17, 2024 at 10:15 PM Mario Marietto <marietto2008@gmail.com> wrote: > nano /usr/local/etc/doas.conf : > > permit nopass :wheel as root cmd bhyve-win > permit nopass :wheel as root cmd bhyve-lin > permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12 > > [marietto@marietto /bhyve]==> doas 12-Win-11-vm12 > doas: Operation not permitted > > On Mon, Jun 17, 2024 at 9:50 PM Mark Peek <mp@freebsd.org> wrote: > >> Likely because you don't have this in the doas.conf file: >> >> permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12 >> >> >> On Mon, Jun 17, 2024 at 11:35 AM Mario Marietto <marietto2008@gmail.com> >> wrote: >> >>> If I keep the bhyve scripts in /usr/sbin,it works. But I want to keep >>> the bhyve scripts in /bhyve and I don't want to keep them in /usr/sbin. For >>> this reason I've added the path /bhyve to /home/marietto/.zshrc like this : >>> >>> # ~/.zshrc >>> >>> # zsh autocompletion for sudo and doas >>> zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin >>> /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve >>> >>> and in /root/.zshrc : >>> >>> # zsh autocompletion for sudo and doas >>> zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin >>> /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve >>> >>> but when I try to run the vm like this : >>> >>> [marietto@marietto /bhyve]==> doas 12-Win-11-vm12 >>> >>> it says : >>> >>> doas: 12-Win-11-vm12: command not found >>> >>> and when I do : >>> >>> [marietto@marietto /bhyve]==> doas ./12-Win-11-vm12 >>> >>> it says : >>> >>> doas: Operation not permitted >>> >>> Why ? >>> >>> >>> On Mon, Jun 17, 2024 at 7:53 PM Mark Peek <mp@freebsd.org> wrote: >>> >>>> Likely need to add this as it is what you are passing to doas as the >>>> command to execute: >>>> >>>> permit nopass :wheel as root cmd /usr/sbin/12-Win-11-vm12 >>>> >>>> Mark >>>> >>>> On Mon, Jun 17, 2024 at 10:40 AM Mario Marietto <marietto2008@gmail.com> >>>> wrote: >>>> > >>>> > [marietto@marietto /bhyve]==> sudo cp 12-Win-11-vm12 /usr/sbin >>>> > >>>> > [marietto@marietto /bhyve]==> nano /usr/sbin/12-Win-11-vm12 >>>> > >>>> > #!/bin/sh >>>> > >>>> > bhyve-win -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \ >>>> > -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \ >>>> > -s 0,hostbridge \ >>>> > -s 1,ahci-hd,/mnt/da4p2/bhyve/img/Windows/Windows11.img,bootindex=1 \ >>>> > -s 2,ahci-hd,/dev/$vmdisk5 \ >>>> > -s 8:0,passthru,2/0/0 \ >>>> > -s 8:1,passthru,2/0/1 \ >>>> > -s 8:2,passthru,2/0/2 \ >>>> > -s 8:3,passthru,2/0/3 \ >>>> > -s 13,virtio-net,tap12 \ >>>> > -s 29,fbuf,tcp=0.0.0.0:5912,w=1600,h=950,wait \ >>>> > -s 30,xhci,tablet \ >>>> > -s 31,lpc \ >>>> > -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd \ >>>> > vm0:12 < /dev/null & sleep 2 && vncviewer 0:12 >>>> > >>>> > [marietto@marietto /bhyve]==> sudo chmod 0755 >>>> /usr/sbin/12-Win-11-vm12 >>>> > >>>> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf >>>> > >>>> > permit nopass :wheel as root cmd /usr/sbin/bhyve-win >>>> > permit nopass :wheel as root cmd /usr/sbin/bhyve-lin >>>> > >>>> > [marietto@marietto /bhyve]==> doas /usr/sbin/12-Win-11-vm12 >>>> > doas: Operation not permitted >>>> > >>>> > BUT : >>>> > >>>> > [marietto@marietto /bhyve]==> sudo nano /usr/sbin/hallo >>>> > >>>> > #!/bin/sh >>>> > echo hallo $USER >>>> > >>>> > [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/hallo >>>> > >>>> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf >>>> > >>>> > permit nopass :wheel as root cmd hallo >>>> > >>>> > [marietto@marietto /bhyve]==> doas hallo >>>> > >>>> > BOOM ! it works : >>>> > >>>> > hallo root >>>> > >>>> > On Mon, Jun 17, 2024 at 6:54 PM Dave Cottlehuber <dch@skunkwerks.at> >>>> wrote: >>>> >> >>>> >> On Mon, 17 Jun 2024, at 14:12, Mario Marietto wrote: >>>> >> > Nice idea,but it does not work : >>>> >> > >>>> >> > nano /home/marietto/.zshrc >>>> >> > >>>> >> > # ~/.zshrc >>>> >> >>>> >> Hi Mario, I think your zsh stuff is getting in the way >>>> >> here. Your zshrc function is not visible to the root user, >>>> >> as doas cleans up all the env and so your function is unknown. >>>> >> >>>> >> So start off with something without bhyve, make sure you are in >>>> >> wheel group, and add a shell script called >>>> >> /usr/local/bin/hallo: >>>> >> >>>> >> ``` >>>> >> #!/bin/sh >>>> >> echo hallo $USER >>>> >> ``` >>>> >> >>>> >> chmod 0755 /usr/local/bin/hallo >>>> >> >>>> >> ``` >>>> >> # /usr/local/etc/doas.conf (per doas.conf manpage) >>>> >> permit nopass :wheel as root cmd /usr/local/bin/hallo >>>> >> ``` >>>> >> >>>> >> $ doas /usr/local/bin/hallo >>>> >> hallo root >>>> >> >>>> >> then replace your bhyve commands in the hallo script. >>>> >> >>>> >> Off the top of my head there's no reason for bhyve to need >>>> >> anything different to hallo script. >>>> >> A+ >>>> >> Dave >>>> > >>>> > >>>> > >>>> > -- >>>> > Mario. >>>> >>> >>> >>> -- >>> Mario. >>> >> > > -- > Mario. > -- Mario. [-- Attachment #2 --] <div dir="ltr"><div>I had an illumination and I found how it works :<br></div><div></div><div><br></div><div>[marietto@marietto /bhyve]==> doas /bhyve/12-Win-11-vm12</div><div><br></div><div>But why ? <br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 17, 2024 at 10:15 PM Mario Marietto <<a href="mailto:marietto2008@gmail.com">marietto2008@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>nano /usr/local/etc/doas.conf :</div><div><br></div><div>permit nopass :wheel as root cmd bhyve-win<br>permit nopass :wheel as root cmd bhyve-lin<br>permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12</div><div><br></div><div>[marietto@marietto /bhyve]==> doas 12-Win-11-vm12</div>doas: Operation not permitted</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 17, 2024 at 9:50 PM Mark Peek <<a href="mailto:mp@freebsd.org" target="_blank">mp@freebsd.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Likely because you don't have this in the doas.conf file:<div><br></div><div><font face="monospace" style="background-color:rgb(255,255,255)" color="#000000">permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12<br></font></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 17, 2024 at 11:35 AM Mario Marietto <<a href="mailto:marietto2008@gmail.com" target="_blank">marietto2008@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div><div id="m_-9169965968015393723m_5208458890051620345m_-1165728036884468405gmail-:po"><div id="m_-9169965968015393723m_5208458890051620345m_-1165728036884468405gmail-:o1"><div dir="ltr"><div>If I keep the bhyve scripts in /usr/sbin,it works. But I want to keep the bhyve scripts in /bhyve and I don't want to keep them in /usr/sbin. For this reason I've added the path /bhyve to /home/marietto/.zshrc like this :<br></div><span><div><br></div><div># ~/.zshrc</div><br># zsh autocompletion for sudo and doas<br><div>zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve</div><div><br></div></span><div>and in /root/.zshrc :</div><span><div><div><br></div># zsh autocompletion for sudo and doas<br><div>zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve</div></div><div><br></div></span><div>but when I try to run the vm like this :</div><span><div></div><div><br></div><div></div><div></div><div>[marietto@marietto /bhyve]==> doas 12-Win-11-vm12<br></div><div><br></div></span><div>it says :</div><span><div><br></div><div>doas: 12-Win-11-vm12: command not found</div><div><br></div></span><div>and when I do :</div><div><br></div><div><span>[marietto@marietto /bhyve]==> doas ./12-Win-11-vm12</span></div><div><br></div><div>it says :</div><div><br></div><div>doas: Operation not permitted</div><div><br></div><div>Why ?</div></div></div></div></div></div></div><div><div><div role="list"><div role="listitem" aria-expanded="true"><div><div><div><div id="m_-9169965968015393723m_5208458890051620345m_-1165728036884468405gmail-:um"><div><div><div><div id="m_-9169965968015393723m_5208458890051620345m_-1165728036884468405gmail-:q6"><table role="presentation"><tbody><tr><td><br></td></tr></tbody></table></div></div></div></div></div></div></div></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 17, 2024 at 7:53 PM Mark Peek <<a href="mailto:mp@freebsd.org" target="_blank">mp@freebsd.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Likely need to add this as it is what you are passing to doas as the<br> command to execute:<br> <br> permit nopass :wheel as root cmd /usr/sbin/12-Win-11-vm12<br> <br> Mark<br> <br> On Mon, Jun 17, 2024 at 10:40 AM Mario Marietto <<a href="mailto:marietto2008@gmail.com" target="_blank">marietto2008@gmail.com</a>> wrote:<br> ><br> > [marietto@marietto /bhyve]==> sudo cp 12-Win-11-vm12 /usr/sbin<br> ><br> > [marietto@marietto /bhyve]==> nano /usr/sbin/12-Win-11-vm12<br> ><br> > #!/bin/sh<br> ><br> > bhyve-win -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \<br> > -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \<br> > -s 0,hostbridge \<br> > -s 1,ahci-hd,/mnt/da4p2/bhyve/img/Windows/Windows11.img,bootindex=1 \<br> > -s 2,ahci-hd,/dev/$vmdisk5 \<br> > -s 8:0,passthru,2/0/0 \<br> > -s 8:1,passthru,2/0/1 \<br> > -s 8:2,passthru,2/0/2 \<br> > -s 8:3,passthru,2/0/3 \<br> > -s 13,virtio-net,tap12 \<br> > -s 29,fbuf,tcp=<a href="http://0.0.0.0:5912" rel="noreferrer" target="_blank">0.0.0.0:5912</a>,w=1600,h=950,wait \<br> > -s 30,xhci,tablet \<br> > -s 31,lpc \<br> > -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd \<br> > vm0:12 < /dev/null & sleep 2 && vncviewer 0:12<br> ><br> > [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/12-Win-11-vm12<br> ><br> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf<br> ><br> > permit nopass :wheel as root cmd /usr/sbin/bhyve-win<br> > permit nopass :wheel as root cmd /usr/sbin/bhyve-lin<br> ><br> > [marietto@marietto /bhyve]==> doas /usr/sbin/12-Win-11-vm12<br> > doas: Operation not permitted<br> ><br> > BUT :<br> ><br> > [marietto@marietto /bhyve]==> sudo nano /usr/sbin/hallo<br> ><br> > #!/bin/sh<br> > echo hallo $USER<br> ><br> > [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/hallo<br> ><br> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf<br> ><br> > permit nopass :wheel as root cmd hallo<br> ><br> > [marietto@marietto /bhyve]==> doas hallo<br> ><br> > BOOM ! it works :<br> ><br> > hallo root<br> ><br> > On Mon, Jun 17, 2024 at 6:54 PM Dave Cottlehuber <<a href="mailto:dch@skunkwerks.at" target="_blank">dch@skunkwerks.at</a>> wrote:<br> >><br> >> On Mon, 17 Jun 2024, at 14:12, Mario Marietto wrote:<br> >> > Nice idea,but it does not work :<br> >> ><br> >> > nano /home/marietto/.zshrc<br> >> ><br> >> > # ~/.zshrc<br> >><br> >> Hi Mario, I think your zsh stuff is getting in the way<br> >> here. Your zshrc function is not visible to the root user,<br> >> as doas cleans up all the env and so your function is unknown.<br> >><br> >> So start off with something without bhyve, make sure you are in<br> >> wheel group, and add a shell script called<br> >> /usr/local/bin/hallo:<br> >><br> >> ```<br> >> #!/bin/sh<br> >> echo hallo $USER<br> >> ```<br> >><br> >> chmod 0755 /usr/local/bin/hallo<br> >><br> >> ```<br> >> # /usr/local/etc/doas.conf (per doas.conf manpage)<br> >> permit nopass :wheel as root cmd /usr/local/bin/hallo<br> >> ```<br> >><br> >> $ doas /usr/local/bin/hallo<br> >> hallo root<br> >><br> >> then replace your bhyve commands in the hallo script.<br> >><br> >> Off the top of my head there's no reason for bhyve to need<br> >> anything different to hallo script.<br> >> A+<br> >> Dave<br> ><br> ><br> ><br> > --<br> > Mario.<br> </blockquote></div><br clear="all"><br><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature">Mario.<br></div> </blockquote></div> </blockquote></div><br clear="all"><br><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature">Mario.<br></div> </blockquote></div><br clear="all"><br><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature">Mario.<br></div>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CA%2B1FSij4Xb2b7Mt-TbYMs7%2B2Z4NgfEu7gcaGENJohdAKSGKXGA>