From nobody Tue Jun 18 08:09:45 2024
X-Original-To: freebsd-virtualization@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4W3KDv4dxXz5NZ9M
	for <freebsd-virtualization@mlmmj.nyi.freebsd.org>; Tue, 18 Jun 2024 08:10:23 +0000 (UTC)
	(envelope-from marietto2008@gmail.com)
Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com [IPv6:2607:f8b0:4864:20::1032])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "smtp.gmail.com", Issuer "WR4" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4W3KDv2M2nz4ns6
	for <freebsd-virtualization@freebsd.org>; Tue, 18 Jun 2024 08:10:23 +0000 (UTC)
	(envelope-from marietto2008@gmail.com)
Authentication-Results: mx1.freebsd.org;
	none
Received: by mail-pj1-x1032.google.com with SMTP id 98e67ed59e1d1-2c6e94131cfso481156a91.3
        for <freebsd-virtualization@freebsd.org>; Tue, 18 Jun 2024 01:10:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1718698222; x=1719303022; darn=freebsd.org;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=2tVYk65pVaoyKkfABNhRC/CJUoXUaiYz19/jdIuTE1s=;
        b=l+1GpFHNyPWTSYPSBU+Rc89Z+wS3hZVkrWDv+1px3agOW8JEsL4xXhQIdI0Tx0ThR6
         IAYjU2EEpVwJg/8lK5u8ymECvsslAebzQWIlN7I99fFUfkXVHo8oK6+ou9SXiQlE58Zw
         piUheltgmQrOvEotv50gYJYlNKX7qlYr6uiFYdTj1Tp3VRq5d092kKGB1UN/r3xlkz4H
         r1+cDNyaWxe7PlhnwtVciYrR6uK0zB9+yjw35YKGR+Tu1yDgamxOx3tbu2QoEduKucuY
         9+LabZmRzjQwOvufQffBiapX/dm0wUrFJvLqJxc+kwXPlkamb8Hvn0+nSH7t1L/0Jkrp
         LkDw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1718698222; x=1719303022;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=2tVYk65pVaoyKkfABNhRC/CJUoXUaiYz19/jdIuTE1s=;
        b=F5Yr/UlnGojYhOmspwm+Qe2qg8SawemP7Cx8kM/UVgoyaH5VZ6BmIUxJlCuDSif94s
         DWBqFN52a0gjqkojdSV6gZD7Zc0vWAwm1r4bUUTDtdzWOQZCIy/8Fz91HAQyzA6I1AfN
         qi+f7u2HckW/GzhI9R8BopXIf8C6rU/04f6LPBMZrNwn6iRp1he75VyLI51Ywu2YfdS8
         okS+M5rRC1SnN9m1KiRtCOCAe5uyqPa1xzDYOX7HZQVYBAgxdK8sohzTYsEqCIJn8NT4
         0xjSXpUfVY8Apmr+CE068+fE5oPIgktqnKfeP4YzghQFVzYpSNwTaTQO2rTKw/G4CJnQ
         7DQQ==
X-Gm-Message-State: AOJu0YxpNtjVStUCGHURQuKnY1AqpgVAKd8TKLtNJuR2Xa8H5DlRFbXl
	qwyxcZcWN481L+VVyk4Gcz7XSU4BIMYtMDGzjc+K2QTCPTakcLQNbyQl9rUm2aUjEi9Rcj4C88O
	Ge0CNREzGvPVgA586grVXviVQu/o8vNWCXGk=
X-Google-Smtp-Source: AGHT+IHRV/vqPMmkv4NnakvDSmoDoL+b7Iz/HcnX8F3DKZTh3zDj4KICx1RgwkzRtbdQriww4yAYKlGChGzmcSJPvPA=
X-Received: by 2002:a17:90b:8d5:b0:2c2:cefc:abe2 with SMTP id
 98e67ed59e1d1-2c4dbb41b40mr14132473a91.31.1718698221782; Tue, 18 Jun 2024
 01:10:21 -0700 (PDT)
List-Id: Discussion <freebsd-virtualization.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-virtualization
List-Help: <mailto:virtualization+help@freebsd.org>
List-Post: <mailto:virtualization@freebsd.org>
List-Subscribe: <mailto:virtualization+subscribe@freebsd.org>
List-Unsubscribe: <mailto:virtualization+unsubscribe@freebsd.org>
X-BeenThere: freebsd-virtualization@freebsd.org
Sender: owner-freebsd-virtualization@FreeBSD.org
MIME-Version: 1.0
References: <CA+1FSiimo=-0s80QeGMuLnJAzxi53-V6s303YuW36UkYnqfB-g@mail.gmail.com>
 <CAAdA2WPrtG_VaLuE8UfBwxanyfNzgLqeBCvpJMvRETdcUSmMEg@mail.gmail.com>
 <CA+1FSijLiq0WMdCvJfQC+vtBxXc6iSMD6WQAMavGpg+smCuTFg@mail.gmail.com>
 <CAAdA2WMw49ySJWY4OMOh+tuEK7gUwjq2a92dsrpaAfYbkx_Upg@mail.gmail.com>
 <CA+1FSig=GAH0OSSVwbYSgG_XYjGcqV2g4X4cMCm777et=Vgg5w@mail.gmail.com> <CAAdA2WMUX6E6VPhbtR9=Z9fp4_1e47A=izpiCBNDLsCU7zdtUA@mail.gmail.com>
In-Reply-To: <CAAdA2WMUX6E6VPhbtR9=Z9fp4_1e47A=izpiCBNDLsCU7zdtUA@mail.gmail.com>
From: Mario Marietto <marietto2008@gmail.com>
Date: Tue, 18 Jun 2024 10:09:45 +0200
Message-ID: <CA+1FSihqrtz+W_X+Sc4dKPjQimMGtkmyQYDvdUWE0+4L=MdL8g@mail.gmail.com>
Subject: Re: How to launch a bhyve vm as normal user,without being root
To: Odhiambo Washington <odhiambo@gmail.com>
Cc: FreeBSD virtualization <freebsd-virtualization@freebsd.org>
Content-Type: multipart/alternative; boundary="000000000000fc5089061b259c17"
X-Spamd-Bar: ----
X-Rspamd-Pre-Result: action=no action;
	module=replies;
	Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
	REPLY(-4.00)[];
	ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]
X-Rspamd-Queue-Id: 4W3KDv2M2nz4ns6

--000000000000fc5089061b259c17
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

This is mine :

# permit :wheel
# permit nopass keepenv marietto
# permit nopass keepenv root as root

permit nopass marietto cmd qemu-system-x86_64-debian_fs
permit nopass marietto cmd qemu-system-x86_64_debian_now
permit nopass marietto cmd qemu-system-x86_64_debian_proxy
permit nopass marietto cmd qemu-system-x86_64_debian_warp
permit nopass marietto cmd qemu-system-x86_64-debian_tuxler
permit nopass marietto cmd zpool
permit nopass marietto cmd mount
permit nopass marietto cmd fsck

permit nopass marietto as root cmd /usr/sbin/bhyve-win
permit nopass marietto as root cmd /usr/sbin/bhyve-lin
permit nopass marietto as root cmd /bhyve/12-Win-11-vm12
permit nopass marietto as root cmd /bhyve/01-Ubuntu-2310-vm1
permit nopass marietto as root cmd /bhyve/10-Debian-Now_wine-tkg-vm10
permit nopass marietto as root cmd /bhyve/02-Ubuntu-2310-vm2-hidden

I prefer to run as root only some specific applications.


On Tue, Jun 18, 2024 at 8:53=E2=80=AFAM Odhiambo Washington <odhiambo@gmail=
.com>
wrote:

> ######/usr/local/etc/doas.conf#########################
> permit :wheel
> permit nopass keepenv :wheel
> permit alice as root
> permit keepenv bob as root
> permit cindy as root cmd pkg args update
> permit cindy as root cmd pkg args upgrade
> permit nolog david as root cmd id
> permit www as root cmd pfctl
> permit nopass *wash* as root cmd bhyve
>
> ####### /usr/local/bhyve-vms/scripts/debian.sh##############
> #!/usr/bin/env bash
> if ! kldstat | grep -w vmm.ko
> then
>         kldload -v vmm
> fi
> if ! kldstat | grep -w nmdm.ko
> then
>         kldload -v nmdm
> fi
> /usr/sbin/bhyve -S -c sockets=3D2,cores=3D2,threads=3D2 -m 4G -w -H -A \
> -s 0,hostbridge \
> -s 4,ahci-hd,/usr/local/bhyve-vms/Debian/debian.img,bootindex=3D1 \
> -s 5,virtio-net,tap3 \
> -s 7,virtio-9p,sharename=3D/ \
> -s 8,hda,play=3D/dev/dsp,rec=3D/dev/dsp \
> -s 29,fbuf,tcp=3D0.0.0.0:5904,w=3D1600,h=3D950 \
> -s 30,xhci,tablet \
> -s 31,lpc -l com1,stdio \
> -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
> debian
>
> And all I do is `doas /usr/local/bhyve-vms/scripts/debian.sh`.
>
>
> On Mon, Jun 17, 2024 at 6:46=E2=80=AFPM Mario Marietto <marietto2008@gmai=
l.com>
> wrote:
>
>> Can you paste here the contents of doas.conf and debian.sh ? thanks.
>>
>> On Mon, Jun 17, 2024 at 5:35=E2=80=AFPM Odhiambo Washington <odhiambo@gm=
ail.com>
>> wrote:
>>
>>>
>>>
>>> On Mon, Jun 17, 2024 at 5:13=E2=80=AFPM Mario Marietto <marietto2008@gm=
ail.com>
>>> wrote:
>>>
>>>> Nice idea,but it does not work :
>>>>
>>>
>>> It worked for me!
>>>
>>> I created a bash script file named debian.sh which contained all the
>>> bhyve args to create the VM, then I just did:
>>>
>>> doas debian.sh
>>>
>>> And I actually successfully installed the VM and it's running
>>>
>>>
>>> --
>>> Best regards,
>>> Odhiambo WASHINGTON,
>>> Nairobi,KE
>>> +254 7 3200 0004/+254 7 2274 3223
>>>  In an Internet failure case, the #1 suspect is a constant: DNS.
>>> "Oh, the cruft.", egrep -v '^$|^.*#' =C2=AF\_(=E3=83=84)_/=C2=AF :-)
>>> [How to ask smart questions:
>>> http://www.catb.org/~esr/faqs/smart-questions.html]
>>>
>>
>>
>> --
>> Mario.
>>
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
>  In an Internet failure case, the #1 suspect is a constant: DNS.
> "Oh, the cruft.", egrep -v '^$|^.*#' =C2=AF\_(=E3=83=84)_/=C2=AF :-)
> [How to ask smart questions:
> http://www.catb.org/~esr/faqs/smart-questions.html]
>


--=20
Mario.

--000000000000fc5089061b259c17
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>This is mine :</div><div><br></div><div># permit :whe=
el</div># permit nopass keepenv marietto<br># permit nopass keepenv root as=
 root<br><br>permit nopass marietto cmd qemu-system-x86_64-debian_fs<br>per=
mit nopass marietto cmd qemu-system-x86_64_debian_now<br>permit nopass mari=
etto cmd qemu-system-x86_64_debian_proxy<br>permit nopass marietto cmd qemu=
-system-x86_64_debian_warp<br>permit nopass marietto cmd qemu-system-x86_64=
-debian_tuxler<br>permit nopass marietto cmd zpool<br>permit nopass mariett=
o cmd mount<br>permit nopass marietto cmd fsck<br><br>permit nopass mariett=
o as root cmd /usr/sbin/bhyve-win<br>permit nopass marietto as root cmd /us=
r/sbin/bhyve-lin<br>permit nopass marietto as root cmd /bhyve/12-Win-11-vm1=
2<br>permit nopass marietto as root cmd /bhyve/01-Ubuntu-2310-vm1<br>permit=
 nopass marietto as root cmd /bhyve/10-Debian-Now_wine-tkg-vm10<br><div>per=
mit nopass marietto as root cmd /bhyve/02-Ubuntu-2310-vm2-hidden</div><div>=
<br></div><div>I prefer to run as root only some specific applications. <br=
></div><br></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"g=
mail_attr">On Tue, Jun 18, 2024 at 8:53=E2=80=AFAM Odhiambo Washington &lt;=
<a href=3D"mailto:odhiambo@gmail.com">odhiambo@gmail.com</a>&gt; wrote:<br>=
</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;b=
order-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><d=
iv>######/usr/local/etc/doas.conf#########################<br>permit :wheel=
<br>permit nopass keepenv :wheel<br>permit alice as root<br>permit keepenv =
bob as root<br>permit cindy as root cmd pkg args update<br>permit cindy as =
root cmd pkg args upgrade<br>permit nolog david as root cmd id<br>permit ww=
w as root cmd pfctl<br>permit nopass <b>wash</b> as root cmd bhyve<br></div=
><div><br></div><div>####### /usr/local/bhyve-vms/scripts/debian.sh########=
######</div><div>#!/usr/bin/env bash<br>if ! kldstat | grep -w vmm.ko<br>th=
en<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 kldload -v vmm<br>fi<br>if ! kldstat | gr=
ep -w nmdm.ko<br>then<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 kldload -v nmdm<br>fi<=
br>/usr/sbin/bhyve -S -c sockets=3D2,cores=3D2,threads=3D2 -m 4G -w -H -A \=
<br>-s 0,hostbridge \<br>-s 4,ahci-hd,/usr/local/bhyve-vms/Debian/debian.im=
g,bootindex=3D1 \<br>-s 5,virtio-net,tap3 \<br>-s 7,virtio-9p,sharename=3D/=
 \<br>-s 8,hda,play=3D/dev/dsp,rec=3D/dev/dsp \<br>-s 29,fbuf,tcp=3D<a href=
=3D"http://0.0.0.0:5904" target=3D"_blank">0.0.0.0:5904</a>,w=3D1600,h=3D95=
0 \<br>-s 30,xhci,tablet \<br>-s 31,lpc -l com1,stdio \<br>-l bootrom,/usr/=
local/share/uefi-firmware/BHYVE_UEFI.fd \<br>debian<br></div><div><br></div=
><div>And all I do is `doas /usr/local/bhyve-vms/scripts/debian.sh`.</div><=
div><br></div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=
=3D"gmail_attr">On Mon, Jun 17, 2024 at 6:46=E2=80=AFPM Mario Marietto &lt;=
<a href=3D"mailto:marietto2008@gmail.com" target=3D"_blank">marietto2008@gm=
ail.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"=
margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-lef=
t:1ex"><div dir=3D"ltr">Can you paste here the contents of doas.conf and de=
bian.sh ? thanks.<br></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" =
class=3D"gmail_attr">On Mon, Jun 17, 2024 at 5:35=E2=80=AFPM Odhiambo Washi=
ngton &lt;<a href=3D"mailto:odhiambo@gmail.com" target=3D"_blank">odhiambo@=
gmail.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=
=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding=
-left:1ex"><div dir=3D"ltr"><div dir=3D"ltr"><br></div><br><div class=3D"gm=
ail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Mon, Jun 17, 2024 at 5:=
13=E2=80=AFPM Mario Marietto &lt;<a href=3D"mailto:marietto2008@gmail.com" =
target=3D"_blank">marietto2008@gmail.com</a>&gt; wrote:<br></div><blockquot=
e class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px s=
olid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div>Nice idea,but=
 it does not work :</div></div></blockquote><div><br></div><div>It worked f=
or me!</div><div><br></div><div>I created a bash script file named debian.s=
h which contained all the bhyve args to create the VM, then I just did:</di=
v><div><br></div><div>doas debian.sh</div><div><br></div><div>And I actuall=
y successfully installed the VM and it&#39;s running</div><div><br></div></=
div><div><br></div><span class=3D"gmail_signature_prefix">-- </span><br><di=
v dir=3D"ltr" class=3D"gmail_signature"><div dir=3D"ltr"><div dir=3D"ltr"><=
div>Best regards,<br>Odhiambo WASHINGTON,<br>Nairobi,KE<br>+254 7 3200 0004=
/+254 7 2274 3223</div><div><span style=3D"color:rgb(34,34,34)">=C2=A0In=C2=
=A0</span><span style=3D"color:rgb(34,34,34)">an Internet failure case, the=
 #1 suspect is a constant: DNS.</span><br>&quot;<span style=3D"font-size:12=
.8px">Oh, the cruft.</span><span style=3D"font-size:12.8px">&quot;,=C2=A0</=
span><span style=3D"font-size:12.8px">egrep -v &#39;^$|^.*#&#39;=C2=A0</spa=
n><span style=3D"background-color:rgb(34,34,34);color:rgb(238,238,238);font=
-family:&quot;Lucida Console&quot;,Consolas,&quot;Courier New&quot;,monospa=
ce;font-size:13.6px">=C2=AF\_(=E3=83=84)_/=C2=AF</span><span style=3D"font-=
size:12.8px">=C2=A0:-)</span></div><div><span style=3D"font-size:12.8px">[H=
ow to ask smart questions:=C2=A0</span><span style=3D"font-size:12.8px"><a =
href=3D"http://www.catb.org/~esr/faqs/smart-questions.html" target=3D"_blan=
k">http://www.catb.org/~esr/faqs/smart-questions.html</a>]</span></div></di=
v></div></div></div>
</blockquote></div><br clear=3D"all"><br><span class=3D"gmail_signature_pre=
fix">-- </span><br><div dir=3D"ltr" class=3D"gmail_signature">Mario.<br></d=
iv>
</blockquote></div><br clear=3D"all"><div><br></div><span class=3D"gmail_si=
gnature_prefix">-- </span><br><div dir=3D"ltr" class=3D"gmail_signature"><d=
iv dir=3D"ltr"><div dir=3D"ltr"><div>Best regards,<br>Odhiambo WASHINGTON,<=
br>Nairobi,KE<br>+254 7 3200 0004/+254 7 2274 3223</div><div><span style=3D=
"color:rgb(34,34,34)">=C2=A0In=C2=A0</span><span style=3D"color:rgb(34,34,3=
4)">an Internet failure case, the #1 suspect is a constant: DNS.</span><br>=
&quot;<span style=3D"font-size:12.8px">Oh, the cruft.</span><span style=3D"=
font-size:12.8px">&quot;,=C2=A0</span><span style=3D"font-size:12.8px">egre=
p -v &#39;^$|^.*#&#39;=C2=A0</span><span style=3D"background-color:rgb(34,3=
4,34);color:rgb(238,238,238);font-family:&quot;Lucida Console&quot;,Consola=
s,&quot;Courier New&quot;,monospace;font-size:13.6px">=C2=AF\_(=E3=83=84)_/=
=C2=AF</span><span style=3D"font-size:12.8px">=C2=A0:-)</span></div><div><s=
pan style=3D"font-size:12.8px">[How to ask smart questions:=C2=A0</span><sp=
an style=3D"font-size:12.8px"><a href=3D"http://www.catb.org/~esr/faqs/smar=
t-questions.html" target=3D"_blank">http://www.catb.org/~esr/faqs/smart-que=
stions.html</a>]</span></div></div></div></div>
</blockquote></div><br clear=3D"all"><br><span class=3D"gmail_signature_pre=
fix">-- </span><br><div dir=3D"ltr" class=3D"gmail_signature">Mario.<br></d=
iv>

--000000000000fc5089061b259c17--