Date: Mon, 17 Jun 2024 12:50:06 -0700 From: Mark Peek <mp@freebsd.org> To: Mario Marietto <marietto2008@gmail.com> Cc: Mark Peek <mp@freebsd.org>, Dave Cottlehuber <dch@skunkwerks.at>, Odhiambo Washington <odhiambo@gmail.com>, freebsd-virtualization <freebsd-virtualization@freebsd.org> Subject: Re: How to launch a bhyve vm as normal user,without being root Message-ID: <CAGGgMJd%2BZh6G%2B0jmCe_%2Bfxof8-RD3AiwhnDuejo84Lm56qZm1A@mail.gmail.com> In-Reply-To: <CA%2B1FSihHFejcobwVdGhtus4P8uRDkPyXDhQtrBCp-EWxPz=MPg@mail.gmail.com> References: <CA%2B1FSiimo=-0s80QeGMuLnJAzxi53-V6s303YuW36UkYnqfB-g@mail.gmail.com> <CAAdA2WPrtG_VaLuE8UfBwxanyfNzgLqeBCvpJMvRETdcUSmMEg@mail.gmail.com> <CA%2B1FSijLiq0WMdCvJfQC%2BvtBxXc6iSMD6WQAMavGpg%2BsmCuTFg@mail.gmail.com> <86a551c1-7f10-450d-a282-b33f959ed93e@app.fastmail.com> <CA%2B1FSighjAkOAtzyX3HBy4h0ZnTVckjF9adnWMpAR3m=xW0dUA@mail.gmail.com> <CAGGgMJfoAHFv2uJBzz%2BcJ-pe0tUX=BVaCxM3y5SU-cUxGHcs9A@mail.gmail.com> <CA%2B1FSihHFejcobwVdGhtus4P8uRDkPyXDhQtrBCp-EWxPz=MPg@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--000000000000488282061b1b46c2 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Likely because you don't have this in the doas.conf file: permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12 On Mon, Jun 17, 2024 at 11:35=E2=80=AFAM Mario Marietto <marietto2008@gmail= .com> wrote: > If I keep the bhyve scripts in /usr/sbin,it works. But I want to keep the > bhyve scripts in /bhyve and I don't want to keep them in /usr/sbin. For > this reason I've added the path /bhyve to /home/marietto/.zshrc like this= : > > # ~/.zshrc > > # zsh autocompletion for sudo and doas > zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin > /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve > > and in /root/.zshrc : > > # zsh autocompletion for sudo and doas > zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin > /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve > > but when I try to run the vm like this : > > [marietto@marietto /bhyve]=3D=3D> doas 12-Win-11-vm12 > > it says : > > doas: 12-Win-11-vm12: command not found > > and when I do : > > [marietto@marietto /bhyve]=3D=3D> doas ./12-Win-11-vm12 > > it says : > > doas: Operation not permitted > > Why ? > > > On Mon, Jun 17, 2024 at 7:53=E2=80=AFPM Mark Peek <mp@freebsd.org> wrote: > >> Likely need to add this as it is what you are passing to doas as the >> command to execute: >> >> permit nopass :wheel as root cmd /usr/sbin/12-Win-11-vm12 >> >> Mark >> >> On Mon, Jun 17, 2024 at 10:40=E2=80=AFAM Mario Marietto <marietto2008@gm= ail.com> >> wrote: >> > >> > [marietto@marietto /bhyve]=3D=3D> sudo cp 12-Win-11-vm12 /usr/sbin >> > >> > [marietto@marietto /bhyve]=3D=3D> nano /usr/sbin/12-Win-11-vm12 >> > >> > #!/bin/sh >> > >> > bhyve-win -S -c sockets=3D4,cores=3D2,threads=3D1 -m 8G -w -H \ >> > -S -c sockets=3D4,cores=3D2,threads=3D1 -m 8G -w -H \ >> > -s 0,hostbridge \ >> > -s 1,ahci-hd,/mnt/da4p2/bhyve/img/Windows/Windows11.img,bootindex=3D1 = \ >> > -s 2,ahci-hd,/dev/$vmdisk5 \ >> > -s 8:0,passthru,2/0/0 \ >> > -s 8:1,passthru,2/0/1 \ >> > -s 8:2,passthru,2/0/2 \ >> > -s 8:3,passthru,2/0/3 \ >> > -s 13,virtio-net,tap12 \ >> > -s 29,fbuf,tcp=3D0.0.0.0:5912,w=3D1600,h=3D950,wait \ >> > -s 30,xhci,tablet \ >> > -s 31,lpc \ >> > -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd \ >> > vm0:12 < /dev/null & sleep 2 && vncviewer 0:12 >> > >> > [marietto@marietto /bhyve]=3D=3D> sudo chmod 0755 /usr/sbin/12-Win-11-= vm12 >> > >> > [marietto@marietto /bhyve]=3D=3D> sudo nano /usr/local/etc/doas.conf >> > >> > permit nopass :wheel as root cmd /usr/sbin/bhyve-win >> > permit nopass :wheel as root cmd /usr/sbin/bhyve-lin >> > >> > [marietto@marietto /bhyve]=3D=3D> doas /usr/sbin/12-Win-11-vm12 >> > doas: Operation not permitted >> > >> > BUT : >> > >> > [marietto@marietto /bhyve]=3D=3D> sudo nano /usr/sbin/hallo >> > >> > #!/bin/sh >> > echo hallo $USER >> > >> > [marietto@marietto /bhyve]=3D=3D> sudo chmod 0755 /usr/sbin/hallo >> > >> > [marietto@marietto /bhyve]=3D=3D> sudo nano /usr/local/etc/doas.conf >> > >> > permit nopass :wheel as root cmd hallo >> > >> > [marietto@marietto /bhyve]=3D=3D> doas hallo >> > >> > BOOM ! it works : >> > >> > hallo root >> > >> > On Mon, Jun 17, 2024 at 6:54=E2=80=AFPM Dave Cottlehuber <dch@skunkwer= ks.at> >> wrote: >> >> >> >> On Mon, 17 Jun 2024, at 14:12, Mario Marietto wrote: >> >> > Nice idea,but it does not work : >> >> > >> >> > nano /home/marietto/.zshrc >> >> > >> >> > # ~/.zshrc >> >> >> >> Hi Mario, I think your zsh stuff is getting in the way >> >> here. Your zshrc function is not visible to the root user, >> >> as doas cleans up all the env and so your function is unknown. >> >> >> >> So start off with something without bhyve, make sure you are in >> >> wheel group, and add a shell script called >> >> /usr/local/bin/hallo: >> >> >> >> ``` >> >> #!/bin/sh >> >> echo hallo $USER >> >> ``` >> >> >> >> chmod 0755 /usr/local/bin/hallo >> >> >> >> ``` >> >> # /usr/local/etc/doas.conf (per doas.conf manpage) >> >> permit nopass :wheel as root cmd /usr/local/bin/hallo >> >> ``` >> >> >> >> $ doas /usr/local/bin/hallo >> >> hallo root >> >> >> >> then replace your bhyve commands in the hallo script. >> >> >> >> Off the top of my head there's no reason for bhyve to need >> >> anything different to hallo script. >> >> A+ >> >> Dave >> > >> > >> > >> > -- >> > Mario. >> > > > -- > Mario. > --000000000000488282061b1b46c2 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr">Likely because you don't have this in the doas.conf fi= le:<div><br></div><div><font face=3D"monospace" style=3D"background-color:r= gb(255,255,255)" color=3D"#000000">permit nopass :wheel as root cmd /bhyve/= 12-Win-11-vm12<br></font></div><div><br></div></div><br><div class=3D"gmail= _quote"><div dir=3D"ltr" class=3D"gmail_attr">On Mon, Jun 17, 2024 at 11:35= =E2=80=AFAM Mario Marietto <<a href=3D"mailto:marietto2008@gmail.com">ma= rietto2008@gmail.com</a>> wrote:<br></div><blockquote class=3D"gmail_quo= te" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204= );padding-left:1ex"><div dir=3D"ltr"><div><div><div><div id=3D"m_-116572803= 6884468405gmail-:po"><div id=3D"m_-1165728036884468405gmail-:o1"><div dir= =3D"ltr"><div>If I keep the bhyve scripts in /usr/sbin,it works. But I want= to keep the bhyve scripts in /bhyve and I don't want to keep them in /= usr/sbin. For this reason I've added the path /bhyve to /home/marietto/= .zshrc like this :<br></div><span><div><br></div><div># ~/.zshrc</div><br>#= zsh autocompletion for sudo and doas<br><div>zstyle ":completion:*:(s= udo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin = /usr/bin /bin /sbin /bhyve</div><div><br></div></span><div>and in /root/.zs= hrc :</div><span><div><div><br></div># zsh autocompletion for sudo and doas= <br><div>zstyle ":completion:*:(sudo|su|doas):*" command-path /us= r/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve</div></div= ><div><br></div></span><div>but when I try to run the vm like this :</div><= span><div></div><div><br></div><div></div><div></div><div>[marietto@mariett= o /bhyve]=3D=3D> doas 12-Win-11-vm12<br></div><div><br></div></span><div= >it says :</div><span><div><br></div><div>doas: 12-Win-11-vm12: command not= found</div><div><br></div></span><div>and when I do :</div><div><br></div>= <div><span>[marietto@marietto /bhyve]=3D=3D> doas ./12-Win-11-vm12</span= ></div><div><br></div><div>it says :</div><div><br></div><div>doas: Operati= on not permitted</div><div><br></div><div>Why ?</div></div></div></div></di= v></div></div><div><div><div role=3D"list"><div role=3D"listitem" aria-expa= nded=3D"true"><div><div><div><div id=3D"m_-1165728036884468405gmail-:um"><d= iv><div><div><div id=3D"m_-1165728036884468405gmail-:q6"><table role=3D"pre= sentation"><tbody><tr><td><br></td></tr></tbody></table></div></div></div><= /div></div></div></div></div></div></div></div></div></div><br><div class= =3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Mon, Jun 17, 2024= at 7:53=E2=80=AFPM Mark Peek <<a href=3D"mailto:mp@freebsd.org" target= =3D"_blank">mp@freebsd.org</a>> wrote:<br></div><blockquote class=3D"gma= il_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,2= 04,204);padding-left:1ex">Likely need to add this as it is what you are pas= sing to doas as the<br> command to execute:<br> <br> permit nopass :wheel as root cmd /usr/sbin/12-Win-11-vm12<br> <br> Mark<br> <br> On Mon, Jun 17, 2024 at 10:40=E2=80=AFAM Mario Marietto <<a href=3D"mail= to:marietto2008@gmail.com" target=3D"_blank">marietto2008@gmail.com</a>>= wrote:<br> ><br> > [marietto@marietto /bhyve]=3D=3D> sudo cp 12-Win-11-vm12 /usr/sbin<= br> ><br> > [marietto@marietto /bhyve]=3D=3D> nano /usr/sbin/12-Win-11-vm12<br> ><br> > #!/bin/sh<br> ><br> > bhyve-win -S -c sockets=3D4,cores=3D2,threads=3D1 -m 8G -w -H \<br> > -S -c sockets=3D4,cores=3D2,threads=3D1 -m 8G -w -H \<br> > -s 0,hostbridge \<br> > -s 1,ahci-hd,/mnt/da4p2/bhyve/img/Windows/Windows11.img,bootindex=3D1 = \<br> > -s 2,ahci-hd,/dev/$vmdisk5 \<br> > -s 8:0,passthru,2/0/0 \<br> > -s 8:1,passthru,2/0/1 \<br> > -s 8:2,passthru,2/0/2 \<br> > -s 8:3,passthru,2/0/3 \<br> > -s 13,virtio-net,tap12 \<br> > -s 29,fbuf,tcp=3D<a href=3D"http://0.0.0.0:5912" rel=3D"noreferrer" ta= rget=3D"_blank">0.0.0.0:5912</a>,w=3D1600,h=3D950,wait \<br> > -s 30,xhci,tablet \<br> > -s 31,lpc \<br> > -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd \<br> > vm0:12 < /dev/null & sleep 2 && vncviewer 0:12<br> ><br> > [marietto@marietto /bhyve]=3D=3D> sudo chmod 0755 /usr/sbin/12-Win-= 11-vm12<br> ><br> > [marietto@marietto /bhyve]=3D=3D> sudo nano /usr/local/etc/doas.con= f<br> ><br> > permit nopass :wheel as root cmd /usr/sbin/bhyve-win<br> > permit nopass :wheel as root cmd /usr/sbin/bhyve-lin<br> ><br> > [marietto@marietto /bhyve]=3D=3D> doas /usr/sbin/12-Win-11-vm12<br> > doas: Operation not permitted<br> ><br> > BUT :<br> ><br> > [marietto@marietto /bhyve]=3D=3D> sudo nano /usr/sbin/hallo<br> ><br> > #!/bin/sh<br> > echo hallo $USER<br> ><br> > [marietto@marietto /bhyve]=3D=3D> sudo chmod 0755 /usr/sbin/hallo<b= r> ><br> > [marietto@marietto /bhyve]=3D=3D> sudo nano /usr/local/etc/doas.con= f<br> ><br> > permit nopass :wheel as root cmd hallo<br> ><br> > [marietto@marietto /bhyve]=3D=3D> doas hallo<br> ><br> > BOOM ! it works :<br> ><br> > hallo root<br> ><br> > On Mon, Jun 17, 2024 at 6:54=E2=80=AFPM Dave Cottlehuber <<a href= =3D"mailto:dch@skunkwerks.at" target=3D"_blank">dch@skunkwerks.at</a>> w= rote:<br> >><br> >> On Mon, 17 Jun 2024, at 14:12, Mario Marietto wrote:<br> >> > Nice idea,but it does not work :<br> >> ><br> >> > nano /home/marietto/.zshrc<br> >> ><br> >> > # ~/.zshrc<br> >><br> >> Hi Mario, I think your zsh stuff is getting in the way<br> >> here. Your zshrc function is not visible to the root user,<br> >> as doas cleans up all the env and so your function is unknown.<br> >><br> >> So start off with something without bhyve, make sure you are in<br= > >> wheel group, and add a shell script called<br> >> /usr/local/bin/hallo:<br> >><br> >> ```<br> >> #!/bin/sh<br> >> echo hallo $USER<br> >> ```<br> >><br> >> chmod 0755 /usr/local/bin/hallo<br> >><br> >> ```<br> >> # /usr/local/etc/doas.conf (per doas.conf manpage)<br> >> permit nopass :wheel as root cmd /usr/local/bin/hallo<br> >> ```<br> >><br> >> $ doas /usr/local/bin/hallo<br> >> hallo root<br> >><br> >> then replace your bhyve commands in the hallo script.<br> >><br> >> Off the top of my head there's no reason for bhyve to need<br> >> anything different to hallo script.<br> >> A+<br> >> Dave<br> ><br> ><br> ><br> > --<br> > Mario.<br> </blockquote></div><br clear=3D"all"><br><span class=3D"gmail_signature_pre= fix">-- </span><br><div dir=3D"ltr" class=3D"gmail_signature">Mario.<br></d= iv> </blockquote></div> --000000000000488282061b1b46c2--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGGgMJd%2BZh6G%2B0jmCe_%2Bfxof8-RD3AiwhnDuejo84Lm56qZm1A>