Date: Mon, 17 Jun 2024 13:45:56 -0700 From: Mark Peek <mp@freebsd.org> To: Mario Marietto <marietto2008@gmail.com> Cc: Mark Peek <mp@freebsd.org>, Dave Cottlehuber <dch@skunkwerks.at>, Odhiambo Washington <odhiambo@gmail.com>, freebsd-virtualization <freebsd-virtualization@freebsd.org> Subject: Re: How to launch a bhyve vm as normal user,without being root Message-ID: <CAGGgMJeRvrtML4LoBe1NyQHwMGPmD0vV7tous0_HDZWVANUD1A@mail.gmail.com> In-Reply-To: <CA%2B1FSij4Xb2b7Mt-TbYMs7%2B2Z4NgfEu7gcaGENJohdAKSGKXGA@mail.gmail.com> References: <CA%2B1FSiimo=-0s80QeGMuLnJAzxi53-V6s303YuW36UkYnqfB-g@mail.gmail.com> <CAAdA2WPrtG_VaLuE8UfBwxanyfNzgLqeBCvpJMvRETdcUSmMEg@mail.gmail.com> <CA%2B1FSijLiq0WMdCvJfQC%2BvtBxXc6iSMD6WQAMavGpg%2BsmCuTFg@mail.gmail.com> <86a551c1-7f10-450d-a282-b33f959ed93e@app.fastmail.com> <CA%2B1FSighjAkOAtzyX3HBy4h0ZnTVckjF9adnWMpAR3m=xW0dUA@mail.gmail.com> <CAGGgMJfoAHFv2uJBzz%2BcJ-pe0tUX=BVaCxM3y5SU-cUxGHcs9A@mail.gmail.com> <CA%2B1FSihHFejcobwVdGhtus4P8uRDkPyXDhQtrBCp-EWxPz=MPg@mail.gmail.com> <CAGGgMJd%2BZh6G%2B0jmCe_%2Bfxof8-RD3AiwhnDuejo84Lm56qZm1A@mail.gmail.com> <CA%2B1FSijS1O8aL6GVwRx0Mt4PETvbL1C0oMgs79pQBtUg4jV8FA@mail.gmail.com> <CA%2B1FSij4Xb2b7Mt-TbYMs7%2B2Z4NgfEu7gcaGENJohdAKSGKXGA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--000000000000003450061b1c0e9d Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable I was just responding... Works for me using the full path to the command. You should try as well with the full path to the command. $ ls -l /bhyve/12-Win-11-vm12 -rwxr-xr-x 1 root wheel 22 Jun 17 13:25 /bhyve/12-Win-11-vm12 $ cat !$ cat /bhyve/12-Win-11-vm12 #!/bin/sh echo $USER $ ls -l /bhyve/12-Win-11-vm12 -rwxr-xr-x 1 root wheel 22 Jun 17 13:25 /bhyve/12-Win-11-vm12 $ cat /bhyve/12-Win-11-vm12 #!/bin/sh echo $USER $ cat /usr/local/etc/doas.conf permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12 $ doas /bhyve/12-Win-11-vm12 root $ doas 12-Win-11-vm12 doas: Operation not permitted This last failure is likely an issue with how PATH interacts with doas. You should move this to another mailing list as this is more about "doas" than "bhyve". On Mon, Jun 17, 2024 at 1:44=E2=80=AFPM Mario Marietto <marietto2008@gmail.= com> wrote: > I had an illumination and I found how it works : > > [marietto@marietto /bhyve]=3D=3D> doas /bhyve/12-Win-11-vm12 > > But why ? > > > On Mon, Jun 17, 2024 at 10:15=E2=80=AFPM Mario Marietto <marietto2008@gma= il.com> > wrote: > >> nano /usr/local/etc/doas.conf : >> >> permit nopass :wheel as root cmd bhyve-win >> permit nopass :wheel as root cmd bhyve-lin >> permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12 >> >> [marietto@marietto /bhyve]=3D=3D> doas 12-Win-11-vm12 >> doas: Operation not permitted >> >> On Mon, Jun 17, 2024 at 9:50=E2=80=AFPM Mark Peek <mp@freebsd.org> wrote= : >> >>> Likely because you don't have this in the doas.conf file: >>> >>> permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12 >>> >>> >>> On Mon, Jun 17, 2024 at 11:35=E2=80=AFAM Mario Marietto <marietto2008@g= mail.com> >>> wrote: >>> >>>> If I keep the bhyve scripts in /usr/sbin,it works. But I want to keep >>>> the bhyve scripts in /bhyve and I don't want to keep them in /usr/sbin= . For >>>> this reason I've added the path /bhyve to /home/marietto/.zshrc like t= his : >>>> >>>> # ~/.zshrc >>>> >>>> # zsh autocompletion for sudo and doas >>>> zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin >>>> /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve >>>> >>>> and in /root/.zshrc : >>>> >>>> # zsh autocompletion for sudo and doas >>>> zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin >>>> /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve >>>> >>>> but when I try to run the vm like this : >>>> >>>> [marietto@marietto /bhyve]=3D=3D> doas 12-Win-11-vm12 >>>> >>>> it says : >>>> >>>> doas: 12-Win-11-vm12: command not found >>>> >>>> and when I do : >>>> >>>> [marietto@marietto /bhyve]=3D=3D> doas ./12-Win-11-vm12 >>>> >>>> it says : >>>> >>>> doas: Operation not permitted >>>> >>>> Why ? >>>> >>>> >>>> On Mon, Jun 17, 2024 at 7:53=E2=80=AFPM Mark Peek <mp@freebsd.org> wro= te: >>>> >>>>> Likely need to add this as it is what you are passing to doas as the >>>>> command to execute: >>>>> >>>>> permit nopass :wheel as root cmd /usr/sbin/12-Win-11-vm12 >>>>> >>>>> Mark >>>>> >>>>> On Mon, Jun 17, 2024 at 10:40=E2=80=AFAM Mario Marietto < >>>>> marietto2008@gmail.com> wrote: >>>>> > >>>>> > [marietto@marietto /bhyve]=3D=3D> sudo cp 12-Win-11-vm12 /usr/sbin >>>>> > >>>>> > [marietto@marietto /bhyve]=3D=3D> nano /usr/sbin/12-Win-11-vm12 >>>>> > >>>>> > #!/bin/sh >>>>> > >>>>> > bhyve-win -S -c sockets=3D4,cores=3D2,threads=3D1 -m 8G -w -H \ >>>>> > -S -c sockets=3D4,cores=3D2,threads=3D1 -m 8G -w -H \ >>>>> > -s 0,hostbridge \ >>>>> > -s 1,ahci-hd,/mnt/da4p2/bhyve/img/Windows/Windows11.img,bootindex= =3D1 \ >>>>> > -s 2,ahci-hd,/dev/$vmdisk5 \ >>>>> > -s 8:0,passthru,2/0/0 \ >>>>> > -s 8:1,passthru,2/0/1 \ >>>>> > -s 8:2,passthru,2/0/2 \ >>>>> > -s 8:3,passthru,2/0/3 \ >>>>> > -s 13,virtio-net,tap12 \ >>>>> > -s 29,fbuf,tcp=3D0.0.0.0:5912,w=3D1600,h=3D950,wait \ >>>>> > -s 30,xhci,tablet \ >>>>> > -s 31,lpc \ >>>>> > -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd \ >>>>> > vm0:12 < /dev/null & sleep 2 && vncviewer 0:12 >>>>> > >>>>> > [marietto@marietto /bhyve]=3D=3D> sudo chmod 0755 >>>>> /usr/sbin/12-Win-11-vm12 >>>>> > >>>>> > [marietto@marietto /bhyve]=3D=3D> sudo nano /usr/local/etc/doas.con= f >>>>> > >>>>> > permit nopass :wheel as root cmd /usr/sbin/bhyve-win >>>>> > permit nopass :wheel as root cmd /usr/sbin/bhyve-lin >>>>> > >>>>> > [marietto@marietto /bhyve]=3D=3D> doas /usr/sbin/12-Win-11-vm12 >>>>> > doas: Operation not permitted >>>>> > >>>>> > BUT : >>>>> > >>>>> > [marietto@marietto /bhyve]=3D=3D> sudo nano /usr/sbin/hallo >>>>> > >>>>> > #!/bin/sh >>>>> > echo hallo $USER >>>>> > >>>>> > [marietto@marietto /bhyve]=3D=3D> sudo chmod 0755 /usr/sbin/hallo >>>>> > >>>>> > [marietto@marietto /bhyve]=3D=3D> sudo nano /usr/local/etc/doas.con= f >>>>> > >>>>> > permit nopass :wheel as root cmd hallo >>>>> > >>>>> > [marietto@marietto /bhyve]=3D=3D> doas hallo >>>>> > >>>>> > BOOM ! it works : >>>>> > >>>>> > hallo root >>>>> > >>>>> > On Mon, Jun 17, 2024 at 6:54=E2=80=AFPM Dave Cottlehuber <dch@skunk= werks.at> >>>>> wrote: >>>>> >> >>>>> >> On Mon, 17 Jun 2024, at 14:12, Mario Marietto wrote: >>>>> >> > Nice idea,but it does not work : >>>>> >> > >>>>> >> > nano /home/marietto/.zshrc >>>>> >> > >>>>> >> > # ~/.zshrc >>>>> >> >>>>> >> Hi Mario, I think your zsh stuff is getting in the way >>>>> >> here. Your zshrc function is not visible to the root user, >>>>> >> as doas cleans up all the env and so your function is unknown. >>>>> >> >>>>> >> So start off with something without bhyve, make sure you are in >>>>> >> wheel group, and add a shell script called >>>>> >> /usr/local/bin/hallo: >>>>> >> >>>>> >> ``` >>>>> >> #!/bin/sh >>>>> >> echo hallo $USER >>>>> >> ``` >>>>> >> >>>>> >> chmod 0755 /usr/local/bin/hallo >>>>> >> >>>>> >> ``` >>>>> >> # /usr/local/etc/doas.conf (per doas.conf manpage) >>>>> >> permit nopass :wheel as root cmd /usr/local/bin/hallo >>>>> >> ``` >>>>> >> >>>>> >> $ doas /usr/local/bin/hallo >>>>> >> hallo root >>>>> >> >>>>> >> then replace your bhyve commands in the hallo script. >>>>> >> >>>>> >> Off the top of my head there's no reason for bhyve to need >>>>> >> anything different to hallo script. >>>>> >> A+ >>>>> >> Dave >>>>> > >>>>> > >>>>> > >>>>> > -- >>>>> > Mario. >>>>> >>>> >>>> >>>> -- >>>> Mario. >>>> >>> >> >> -- >> Mario. >> > > > -- > Mario. > --000000000000003450061b1c0e9d Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr"><div>I was just responding...</div><div><br></div><div>Wor= ks for me using the full path to the command. You should try as well with t= he full path to the command.</div><div><br></div>$ ls -l /bhyve/12-Win-11-v= m12<br>-rwxr-xr-x =C2=A01 root wheel 22 Jun 17 13:25 /bhyve/12-Win-11-vm12<= br>$ cat !$<br>cat /bhyve/12-Win-11-vm12<br>#!/bin/sh<br><br>echo $USER<br>= $ ls -l /bhyve/12-Win-11-vm12<br>-rwxr-xr-x =C2=A01 root wheel 22 Jun 17 13= :25 /bhyve/12-Win-11-vm12<br>$ cat /bhyve/12-Win-11-vm12<br>#!/bin/sh<br><b= r>echo $USER<br>$ cat /usr/local/etc/doas.conf<br>permit nopass :wheel as r= oot cmd /bhyve/12-Win-11-vm12<br>$ doas /bhyve/12-Win-11-vm12<br>root<div>$= doas 12-Win-11-vm12<br>doas: Operation not permitted<br><div><br></div><di= v>This last failure is likely an issue with how PATH interacts with=C2=A0do= as. You should move this to another mailing list as this is more about &quo= t;doas" than "bhyve".</div><div><br></div></div></div><br><d= iv class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Mon, Jun = 17, 2024 at 1:44=E2=80=AFPM Mario Marietto <<a href=3D"mailto:marietto20= 08@gmail.com">marietto2008@gmail.com</a>> wrote:<br></div><blockquote cl= ass=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid= rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div>I had an illumina= tion and I found how it works :<br></div><div></div><div><br></div><div>[ma= rietto@marietto /bhyve]=3D=3D> doas /bhyve/12-Win-11-vm12</div><div><br>= </div><div>But why ? <br></div><div><br></div></div><br><div class=3D"gmail= _quote"><div dir=3D"ltr" class=3D"gmail_attr">On Mon, Jun 17, 2024 at 10:15= =E2=80=AFPM Mario Marietto <<a href=3D"mailto:marietto2008@gmail.com" ta= rget=3D"_blank">marietto2008@gmail.com</a>> wrote:<br></div><blockquote = class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px sol= id rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div>nano /usr/local= /etc/doas.conf :</div><div><br></div><div>permit nopass :wheel as root cmd = bhyve-win<br>permit nopass :wheel as root cmd bhyve-lin<br>permit nopass :w= heel as root cmd /bhyve/12-Win-11-vm12</div><div><br></div><div>[marietto@m= arietto /bhyve]=3D=3D> doas 12-Win-11-vm12</div>doas: Operation not perm= itted</div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_a= ttr">On Mon, Jun 17, 2024 at 9:50=E2=80=AFPM Mark Peek <<a href=3D"mailt= o:mp@freebsd.org" target=3D"_blank">mp@freebsd.org</a>> wrote:<br></div>= <blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-= left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr">Likely b= ecause you don't have this in the doas.conf file:<div><br></div><div><f= ont face=3D"monospace" style=3D"background-color:rgb(255,255,255)" color=3D= "#000000">permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12<br></font>= </div><div><br></div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" = class=3D"gmail_attr">On Mon, Jun 17, 2024 at 11:35=E2=80=AFAM Mario Mariett= o <<a href=3D"mailto:marietto2008@gmail.com" target=3D"_blank">marietto2= 008@gmail.com</a>> wrote:<br></div><blockquote class=3D"gmail_quote" sty= le=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);paddi= ng-left:1ex"><div dir=3D"ltr"><div><div><div><div id=3D"m_-4778425480339096= 771m_-9169965968015393723m_5208458890051620345m_-1165728036884468405gmail-:= po"><div id=3D"m_-4778425480339096771m_-9169965968015393723m_52084588900516= 20345m_-1165728036884468405gmail-:o1"><div dir=3D"ltr"><div>If I keep the b= hyve scripts in /usr/sbin,it works. But I want to keep the bhyve scripts in= /bhyve and I don't want to keep them in /usr/sbin. For this reason I&#= 39;ve added the path /bhyve to /home/marietto/.zshrc like this :<br></div><= span><div><br></div><div># ~/.zshrc</div><br># zsh autocompletion for sudo = and doas<br><div>zstyle ":completion:*:(sudo|su|doas):*" command-= path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve</d= iv><div><br></div></span><div>and in /root/.zshrc :</div><span><div><div><b= r></div># zsh autocompletion for sudo and doas<br><div>zstyle ":comple= tion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /= usr/sbin /usr/bin /bin /sbin /bhyve</div></div><div><br></div></span><div>b= ut when I try to run the vm like this :</div><span><div></div><div><br></di= v><div></div><div></div><div>[marietto@marietto /bhyve]=3D=3D> doas 12-W= in-11-vm12<br></div><div><br></div></span><div>it says :</div><span><div><b= r></div><div>doas: 12-Win-11-vm12: command not found</div><div><br></div></= span><div>and when I do :</div><div><br></div><div><span>[marietto@marietto= /bhyve]=3D=3D> doas ./12-Win-11-vm12</span></div><div><br></div><div>it= says :</div><div><br></div><div>doas: Operation not permitted</div><div><b= r></div><div>Why ?</div></div></div></div></div></div></div><div><div><div = role=3D"list"><div role=3D"listitem" aria-expanded=3D"true"><div><div><div>= <div id=3D"m_-4778425480339096771m_-9169965968015393723m_520845889005162034= 5m_-1165728036884468405gmail-:um"><div><div><div><div id=3D"m_-477842548033= 9096771m_-9169965968015393723m_5208458890051620345m_-1165728036884468405gma= il-:q6"><table role=3D"presentation"><tbody><tr><td><br></td></tr></tbody><= /table></div></div></div></div></div></div></div></div></div></div></div></= div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_at= tr">On Mon, Jun 17, 2024 at 7:53=E2=80=AFPM Mark Peek <<a href=3D"mailto= :mp@freebsd.org" target=3D"_blank">mp@freebsd.org</a>> wrote:<br></div><= blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-l= eft:1px solid rgb(204,204,204);padding-left:1ex">Likely need to add this as= it is what you are passing to doas as the<br> command to execute:<br> <br> permit nopass :wheel as root cmd /usr/sbin/12-Win-11-vm12<br> <br> Mark<br> <br> On Mon, Jun 17, 2024 at 10:40=E2=80=AFAM Mario Marietto <<a href=3D"mail= to:marietto2008@gmail.com" target=3D"_blank">marietto2008@gmail.com</a>>= wrote:<br> ><br> > [marietto@marietto /bhyve]=3D=3D> sudo cp 12-Win-11-vm12 /usr/sbin<= br> ><br> > [marietto@marietto /bhyve]=3D=3D> nano /usr/sbin/12-Win-11-vm12<br> ><br> > #!/bin/sh<br> ><br> > bhyve-win -S -c sockets=3D4,cores=3D2,threads=3D1 -m 8G -w -H \<br> > -S -c sockets=3D4,cores=3D2,threads=3D1 -m 8G -w -H \<br> > -s 0,hostbridge \<br> > -s 1,ahci-hd,/mnt/da4p2/bhyve/img/Windows/Windows11.img,bootindex=3D1 = \<br> > -s 2,ahci-hd,/dev/$vmdisk5 \<br> > -s 8:0,passthru,2/0/0 \<br> > -s 8:1,passthru,2/0/1 \<br> > -s 8:2,passthru,2/0/2 \<br> > -s 8:3,passthru,2/0/3 \<br> > -s 13,virtio-net,tap12 \<br> > -s 29,fbuf,tcp=3D<a href=3D"http://0.0.0.0:5912" rel=3D"noreferrer" ta= rget=3D"_blank">0.0.0.0:5912</a>,w=3D1600,h=3D950,wait \<br> > -s 30,xhci,tablet \<br> > -s 31,lpc \<br> > -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd \<br> > vm0:12 < /dev/null & sleep 2 && vncviewer 0:12<br> ><br> > [marietto@marietto /bhyve]=3D=3D> sudo chmod 0755 /usr/sbin/12-Win-= 11-vm12<br> ><br> > [marietto@marietto /bhyve]=3D=3D> sudo nano /usr/local/etc/doas.con= f<br> ><br> > permit nopass :wheel as root cmd /usr/sbin/bhyve-win<br> > permit nopass :wheel as root cmd /usr/sbin/bhyve-lin<br> ><br> > [marietto@marietto /bhyve]=3D=3D> doas /usr/sbin/12-Win-11-vm12<br> > doas: Operation not permitted<br> ><br> > BUT :<br> ><br> > [marietto@marietto /bhyve]=3D=3D> sudo nano /usr/sbin/hallo<br> ><br> > #!/bin/sh<br> > echo hallo $USER<br> ><br> > [marietto@marietto /bhyve]=3D=3D> sudo chmod 0755 /usr/sbin/hallo<b= r> ><br> > [marietto@marietto /bhyve]=3D=3D> sudo nano /usr/local/etc/doas.con= f<br> ><br> > permit nopass :wheel as root cmd hallo<br> ><br> > [marietto@marietto /bhyve]=3D=3D> doas hallo<br> ><br> > BOOM ! it works :<br> ><br> > hallo root<br> ><br> > On Mon, Jun 17, 2024 at 6:54=E2=80=AFPM Dave Cottlehuber <<a href= =3D"mailto:dch@skunkwerks.at" target=3D"_blank">dch@skunkwerks.at</a>> w= rote:<br> >><br> >> On Mon, 17 Jun 2024, at 14:12, Mario Marietto wrote:<br> >> > Nice idea,but it does not work :<br> >> ><br> >> > nano /home/marietto/.zshrc<br> >> ><br> >> > # ~/.zshrc<br> >><br> >> Hi Mario, I think your zsh stuff is getting in the way<br> >> here. Your zshrc function is not visible to the root user,<br> >> as doas cleans up all the env and so your function is unknown.<br> >><br> >> So start off with something without bhyve, make sure you are in<br= > >> wheel group, and add a shell script called<br> >> /usr/local/bin/hallo:<br> >><br> >> ```<br> >> #!/bin/sh<br> >> echo hallo $USER<br> >> ```<br> >><br> >> chmod 0755 /usr/local/bin/hallo<br> >><br> >> ```<br> >> # /usr/local/etc/doas.conf (per doas.conf manpage)<br> >> permit nopass :wheel as root cmd /usr/local/bin/hallo<br> >> ```<br> >><br> >> $ doas /usr/local/bin/hallo<br> >> hallo root<br> >><br> >> then replace your bhyve commands in the hallo script.<br> >><br> >> Off the top of my head there's no reason for bhyve to need<br> >> anything different to hallo script.<br> >> A+<br> >> Dave<br> ><br> ><br> ><br> > --<br> > Mario.<br> </blockquote></div><br clear=3D"all"><br><span class=3D"gmail_signature_pre= fix">-- </span><br><div dir=3D"ltr" class=3D"gmail_signature">Mario.<br></d= iv> </blockquote></div> </blockquote></div><br clear=3D"all"><br><span class=3D"gmail_signature_pre= fix">-- </span><br><div dir=3D"ltr" class=3D"gmail_signature">Mario.<br></d= iv> </blockquote></div><br clear=3D"all"><br><span class=3D"gmail_signature_pre= fix">-- </span><br><div dir=3D"ltr" class=3D"gmail_signature">Mario.<br></d= iv> </blockquote></div> --000000000000003450061b1c0e9d--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGGgMJeRvrtML4LoBe1NyQHwMGPmD0vV7tous0_HDZWVANUD1A>