Date: Mon, 17 Jun 2024 12:50:06 -0700 From: Mark Peek <mp@freebsd.org> To: Mario Marietto <marietto2008@gmail.com> Cc: Mark Peek <mp@freebsd.org>, Dave Cottlehuber <dch@skunkwerks.at>, Odhiambo Washington <odhiambo@gmail.com>, freebsd-virtualization <freebsd-virtualization@freebsd.org> Subject: Re: How to launch a bhyve vm as normal user,without being root Message-ID: <CAGGgMJd%2BZh6G%2B0jmCe_%2Bfxof8-RD3AiwhnDuejo84Lm56qZm1A@mail.gmail.com> In-Reply-To: <CA%2B1FSihHFejcobwVdGhtus4P8uRDkPyXDhQtrBCp-EWxPz=MPg@mail.gmail.com> References: <CA%2B1FSiimo=-0s80QeGMuLnJAzxi53-V6s303YuW36UkYnqfB-g@mail.gmail.com> <CAAdA2WPrtG_VaLuE8UfBwxanyfNzgLqeBCvpJMvRETdcUSmMEg@mail.gmail.com> <CA%2B1FSijLiq0WMdCvJfQC%2BvtBxXc6iSMD6WQAMavGpg%2BsmCuTFg@mail.gmail.com> <86a551c1-7f10-450d-a282-b33f959ed93e@app.fastmail.com> <CA%2B1FSighjAkOAtzyX3HBy4h0ZnTVckjF9adnWMpAR3m=xW0dUA@mail.gmail.com> <CAGGgMJfoAHFv2uJBzz%2BcJ-pe0tUX=BVaCxM3y5SU-cUxGHcs9A@mail.gmail.com> <CA%2B1FSihHFejcobwVdGhtus4P8uRDkPyXDhQtrBCp-EWxPz=MPg@mail.gmail.com>
Likely because you don't have this in the doas.conf file:

permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12

On Mon, Jun 17, 2024 at 11:35 AM Mario Marietto <marietto2008@gmail.com> wrote:
> If I keep the bhyve scripts in /usr/sbin, it works. But I want to keep the
> bhyve scripts in /bhyve and I don't want to keep them in /usr/sbin. For
> this reason I've added the path /bhyve to /home/marietto/.zshrc like this:
>
> # ~/.zshrc
>
> # zsh autocompletion for sudo and doas
> zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve
>
> and in /root/.zshrc:
>
> # zsh autocompletion for sudo and doas
> zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve
>
> but when I try to run the vm like this:
>
> [marietto@marietto /bhyve]==> doas 12-Win-11-vm12
>
> it says:
>
> doas: 12-Win-11-vm12: command not found
>
> and when I do:
>
> [marietto@marietto /bhyve]==> doas ./12-Win-11-vm12
>
> it says:
>
> doas: Operation not permitted
>
> Why ?
>
> On Mon, Jun 17, 2024 at 7:53 PM Mark Peek <mp@freebsd.org> wrote:
>> Likely need to add this as it is what you are passing to doas as the
>> command to execute:
>>
>> permit nopass :wheel as root cmd /usr/sbin/12-Win-11-vm12
>>
>> Mark
>>
>> On Mon, Jun 17, 2024 at 10:40 AM Mario Marietto <marietto2008@gmail.com> wrote:
>> >
>> > [marietto@marietto /bhyve]==> sudo cp 12-Win-11-vm12 /usr/sbin
>> >
>> > [marietto@marietto /bhyve]==> nano /usr/sbin/12-Win-11-vm12
>> >
>> > #!/bin/sh
>> >
>> > bhyve-win -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \
>> > -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \
>> > -s 0,hostbridge \
>> > -s 1,ahci-hd,/mnt/da4p2/bhyve/img/Windows/Windows11.img,bootindex=1 \
>> > -s 2,ahci-hd,/dev/$vmdisk5 \
>> > -s 8:0,passthru,2/0/0 \
>> > -s 8:1,passthru,2/0/1 \
>> > -s 8:2,passthru,2/0/2 \
>> > -s 8:3,passthru,2/0/3 \
>> > -s 13,virtio-net,tap12 \
>> > -s 29,fbuf,tcp=0.0.0.0:5912,w=1600,h=950,wait \
>> > -s 30,xhci,tablet \
>> > -s 31,lpc \
>> > -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd \
>> > vm0:12 < /dev/null & sleep 2 && vncviewer 0:12
>> >
>> > [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/12-Win-11-vm12
>> >
>> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf
>> >
>> > permit nopass :wheel as root cmd /usr/sbin/bhyve-win
>> > permit nopass :wheel as root cmd /usr/sbin/bhyve-lin
>> >
>> > [marietto@marietto /bhyve]==> doas /usr/sbin/12-Win-11-vm12
>> > doas: Operation not permitted
>> >
>> > BUT:
>> >
>> > [marietto@marietto /bhyve]==> sudo nano /usr/sbin/hallo
>> >
>> > #!/bin/sh
>> > echo hallo $USER
>> >
>> > [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/hallo
>> >
>> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf
>> >
>> > permit nopass :wheel as root cmd hallo
>> >
>> > [marietto@marietto /bhyve]==> doas hallo
>> >
>> > BOOM! it works:
>> >
>> > hallo root
>> >
>> > On Mon, Jun 17, 2024 at 6:54 PM Dave Cottlehuber <dch@skunkwerks.at> wrote:
>> >>
>> >> On Mon, 17 Jun 2024, at 14:12, Mario Marietto wrote:
>> >> > Nice idea, but it does not work:
>> >> >
>> >> > nano /home/marietto/.zshrc
>> >> >
>> >> > # ~/.zshrc
>> >>
>> >> Hi Mario, I think your zsh stuff is getting in the way
>> >> here. Your zshrc function is not visible to the root user,
>> >> as doas cleans up all the env and so your function is unknown.
>> >>
>> >> So start off with something without bhyve, make sure you are in
>> >> wheel group, and add a shell script called
>> >> /usr/local/bin/hallo:
>> >>
>> >> ```
>> >> #!/bin/sh
>> >> echo hallo $USER
>> >> ```
>> >>
>> >> chmod 0755 /usr/local/bin/hallo
>> >>
>> >> ```
>> >> # /usr/local/etc/doas.conf (per doas.conf manpage)
>> >> permit nopass :wheel as root cmd /usr/local/bin/hallo
>> >> ```
>> >>
>> >> $ doas /usr/local/bin/hallo
>> >> hallo root
>> >>
>> >> then replace your bhyve commands in the hallo script.
>> >>
>> >> Off the top of my head there's no reason for bhyve to need
>> >> anything different to hallo script.
>> >> A+
>> >> Dave
>> >
>> >
>> > --
>> > Mario.
>
> --
> Mario.
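An added example, not code from this thread or from the doas project, that turns the two points made above into a check a reviewer can run before adding a `permit nopass ... cmd <script>` rule: the `cmd` field is compared with the command string exactly as it is passed to doas (so `./12-Win-11-vm12`, `12-Win-11-vm12` and `/bhyve/12-Win-11-vm12` are three different commands, which is why the doas.conf manual recommends absolute paths), and a script that gets a passwordless root rule is only as trustworthy as the permissions on the file and its directory. The file names, the sample doas.conf and the uid 0 default are assumptions of the example; it uses only awk and `ls -ldn`, so it runs unchanged on FreeBSD and Linux.

```sh
#!/bin/sh
# Added example, not code from the thread. Before granting a rule such as
#   permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12
# a reviewer wants two answers:
#   1. Is there a rule whose cmd field equals the command string exactly as it
#      will be passed to doas? doas compares that string as typed, so
#      "./12-Win-11-vm12", "12-Win-11-vm12" and "/bhyve/12-Win-11-vm12" are
#      three different commands.
#   2. Is the script the rule runs as root safe to run unattended: a regular
#      file (not a symlink), owned by the expected uid, writable by nobody
#      else, and in a directory with the same properties? Otherwise whoever
#      can edit the file or its directory inherits the root rule.
# Paths and the sample doas.conf below are constructed for this example.

# doas_rule_matches CONF CMD -> 0 if CONF has a "permit ... cmd CMD" rule with
# CMD matching byte for byte, 1 otherwise. Comment lines are ignored.
doas_rule_matches() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        $1 == "permit" {
            for (i = 2; i < NF; i++)
                if ($i == "cmd" && $(i + 1) == want) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# script_safe_for_root FILE [OWNER_UID] -> 0 if FILE and its directory are owned
# by OWNER_UID (default 0 = root) and writable only by that owner, otherwise
# prints the reason and returns 1. Uses "ls -ldn" so BSD and GNU tools both work.
script_safe_for_root() {
    f=$1; owner=${2:-0}
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "$f: not a plain regular file"; return 1
    fi
    for p in "$f" "$(dirname "$f")"; do
        set -- $(ls -ldn "$p")            # $1 = mode string, $3 = numeric owner
        if [ "$3" != "$owner" ]; then
            echo "$p: owned by uid $3, expected uid $owner"; return 1
        fi
        case $1 in
            ?????w*|????????w*)           # group write (pos 6) or other write (pos 9)
                echo "$p: writable by group or others ($1)"; return 1 ;;
        esac
    done
    return 0
}

# --- constructed demonstration ------------------------------------------------
demo_dir=$(mktemp -d)
conf="$demo_dir/doas.conf"
script="$demo_dir/12-Win-11-vm12"
cat > "$conf" <<EOF
# constructed doas.conf for the example
permit nopass :wheel as root cmd /usr/sbin/bhyve-win
permit nopass :wheel as root cmd $script
EOF
printf '#!/bin/sh\necho hallo $USER\n' > "$script"
chmod 0755 "$script"

for cmd in "$script" "./12-Win-11-vm12" "12-Win-11-vm12"; do
    if doas_rule_matches "$conf" "$cmd"; then
        echo "exact rule found for: $cmd"
    else
        echo "no exact rule for:    $cmd"
    fi
done

# The demo runs as an ordinary user, so the expected owner is our own uid;
# in production leave the second argument out to require root ownership.
if script_safe_for_root "$script" "$(id -u)"; then
    echo "$script: ownership and permissions are acceptable"
fi
chmod 0775 "$script"                       # group-writable now: must be rejected
script_safe_for_root "$script" "$(id -u)" || echo "-> do not grant a nopass rule for it"
rm -rf "$demo_dir"
```

The first function answers the "Operation not permitted" question without guessing: if it reports no exact rule for the string you type after `doas`, the rule needs to be written for that string (an absolute path is the safe choice). The second is the check to run on the script itself and on `/bhyve` before the `nopass` rule goes in, since a user who can rewrite that file does not need doas to become root.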
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGGgMJd%2BZh6G%2B0jmCe_%2Bfxof8-RD3AiwhnDuejo84Lm56qZm1A>
