From: Mark Peek <mp@freebsd.org>
Date: Mon, 17 Jun 2024 12:50:06 -0700
Subject: Re: How to launch a bhyve vm as normal user, without being root
To: Mario Marietto <marietto2008@gmail.com>
Cc: Mark Peek <mp@freebsd.org>, Dave Cottlehuber <dch@skunkwerks.at>, Odhiambo Washington, freebsd-virtualization <freebsd-virtualization@freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-virtualization

Likely because you don't have this in the doas.conf file:

permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12

On Mon, Jun 17, 2024 at 11:35 AM Mario Marietto <marietto2008@gmail.com> wrote:
> If I keep the bhyve scripts in /usr/sbin, it works. But I want to keep the
> bhyve scripts in /bhyve and I don't want to keep them in /usr/sbin. For
> this reason I've added the path /bhyve to /home/marietto/.zshrc like this:
>
> # ~/.zshrc
>
> # zsh autocompletion for sudo and doas
> zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve
>
> and in /root/.zshrc:
>
> # zsh autocompletion for sudo and doas
> zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve
>
> but when I try to run the vm like this:
>
> [marietto@marietto /bhyve]==> doas 12-Win-11-vm12
>
> it says:
>
> doas: 12-Win-11-vm12: command not found
>
> and when I do:
>
> [marietto@marietto /bhyve]==> doas ./12-Win-11-vm12
>
> it says:
>
> doas: Operation not permitted
>
> Why?
>
>
> On Mon, Jun 17, 2024 at 7:53 PM Mark Peek <mp@freebsd.org> wrote:
>
>> Likely need to add this as it is what you are passing to doas as the
>> command to execute:
>>
>> permit nopass :wheel as root cmd /usr/sbin/12-Win-11-vm12
>>
>> Mark
>>
>> On Mon, Jun 17, 2024 at 10:40 AM Mario Marietto <marietto2008@gmail.com> wrote:
>> >
>> > [marietto@marietto /bhyve]==> sudo cp 12-Win-11-vm12 /usr/sbin
>> >
>> > [marietto@marietto /bhyve]==> nano /usr/sbin/12-Win-11-vm12
>> >
>> > #!/bin/sh
>> >
>> > bhyve-win -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \
>> > -s 0,hostbridge \
>> > -s 1,ahci-hd,/mnt/da4p2/bhyve/img/Windows/Windows11.img,bootindex=1 \
>> > -s 2,ahci-hd,/dev/$vmdisk5 \
>> > -s 8:0,passthru,2/0/0 \
>> > -s 8:1,passthru,2/0/1 \
>> > -s 8:2,passthru,2/0/2 \
>> > -s 8:3,passthru,2/0/3 \
>> > -s 13,virtio-net,tap12 \
>> > -s 29,fbuf,tcp=0.0.0.0:5912,w=1600,h=950,wait \
>> > -s 30,xhci,tablet \
>> > -s 31,lpc \
>> > -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd \
>> > vm0:12 < /dev/null & sleep 2 && vncviewer 0:12
>> >
>> > [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/12-Win-11-vm12
>> >
>> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf
>> >
>> > permit nopass :wheel as root cmd /usr/sbin/bhyve-win
>> > permit nopass :wheel as root cmd /usr/sbin/bhyve-lin
>> >
>> > [marietto@marietto /bhyve]==> doas /usr/sbin/12-Win-11-vm12
>> > doas: Operation not permitted
>> >
>> > BUT:
>> >
>> > [marietto@marietto /bhyve]==> sudo nano /usr/sbin/hallo
>> >
>> > #!/bin/sh
>> > echo hallo $USER
>> >
>> > [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/hallo
>> >
>> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf
>> >
>> > permit nopass :wheel as root cmd hallo
>> >
>> > [marietto@marietto /bhyve]==> doas hallo
>> >
>> > BOOM! it works:
>> >
>> > hallo root
>> >
>> > On Mon, Jun 17, 2024 at 6:54 PM Dave Cottlehuber <dch@skunkwerks.at> wrote:
>> >>
>> >> On Mon, 17 Jun 2024, at 14:12, Mario Marietto wrote:
>> >> > Nice idea, but it does not work:
>> >> >
>> >> > nano /home/marietto/.zshrc
>> >> >
>> >> > # ~/.zshrc
>> >>
>> >> Hi Mario, I think your zsh stuff is getting in the way
>> >> here. Your zshrc function is not visible to the root user,
>> >> as doas cleans up all the env and so your function is unknown.
>> >>
>> >> So start off with something without bhyve, make sure you are in
>> >> wheel group, and add a shell script called
>> >> /usr/local/bin/hallo:
>> >>
>> >> ```
>> >> #!/bin/sh
>> >> echo hallo $USER
>> >> ```
>> >>
>> >> chmod 0755 /usr/local/bin/hallo
>> >>
>> >> ```
>> >> # /usr/local/etc/doas.conf (per doas.conf manpage)
>> >> permit nopass :wheel as root cmd /usr/local/bin/hallo
>> >> ```
>> >>
>> >> $ doas /usr/local/bin/hallo
>> >> hallo root
>> >>
>> >> then replace your bhyve commands in the hallo script.
>> >>
>> >> Off the top of my head there's no reason for bhyve to need
>> >> anything different to hallo script.
>> >> A+
>> >> Dave
>> >
>> >
>> >
>> > --
>> > Mario.
>>
>
>
> --
> Mario.
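The whole thread turns on how doas matches the `cmd` field of a rule: doas compares the rule's command string with the command exactly as it was typed on the doas command line (argv[0]), with no PATH search and no path canonicalisation, so `12-Win-11-vm12`, `./12-Win-11-vm12` and `/bhyve/12-Win-11-vm12` are three different strings and a rule permits only the one it names literally; when no rule matches, doas reports "Operation not permitted". The Python model below is an added example, not code from the thread or from doas itself. The doas.conf text (the two bhyve-win/bhyve-lin rules from Mario's config plus the rule Mark Peek suggests), the user name and the group membership are constructed, and the model covers only `permit`/`deny`, the `nopass` option, user and `:group` identities, `as` and `cmd`/`args`; it does not model `setenv`, password prompting or the exec step.

```python
"""Toy model of doas(1) rule matching (added illustration, not doas code).

Models only: permit/deny, the nopass option (other option keywords are accepted
and ignored), a user or :group identity, "as <target>" and "cmd <command>
[args ...]". Like doas, it compares the rule's cmd with the command string
exactly as typed and applies last-match-wins.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    nopass: bool                # True when the nopass option is present
    identity: str               # user name, or ":group"
    target: Optional[str]       # user named after "as"; None means any target
    cmd: Optional[str]          # literal command string; None means any command
    args: Optional[List[str]]   # literal argument list; None means any arguments


def parse_doas_conf(text: str) -> List[Rule]:
    """Parse the subset of doas.conf described in the module docstring."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        tok = shlex.split(line)                # handles quoted paths with spaces
        action = tok.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in rule: {raw!r}")
        nopass = False
        while tok and tok[0] in ("nopass", "nolog", "persist", "keepenv"):
            nopass = (tok.pop(0) == "nopass") or nopass
        identity = tok.pop(0)
        target = cmd = args = None
        if tok and tok[0] == "as":
            tok.pop(0)
            target = tok.pop(0)
        if tok and tok[0] == "cmd":
            tok.pop(0)
            cmd = tok.pop(0)
            if tok and tok[0] == "args":
                tok.pop(0)
                args = tok        # remaining tokens must equal argv[1:] exactly
        rules.append(Rule(action, nopass, identity, target, cmd, args))
    return rules


def rule_matches(r: Rule, user: str, groups: Set[str], target: str,
                 cmd: str, args: List[str]) -> bool:
    """True when every field of the rule matches the requested invocation."""
    if r.identity.startswith(":"):
        if r.identity[1:] not in groups:
            return False
    elif r.identity != user:
        return False
    if r.target is not None and r.target != target:
        return False
    # The security-relevant step: a plain string comparison against argv[0] as
    # typed. No PATH search, no realpath(), so "x", "./x" and "/bhyve/x" differ.
    if r.cmd is not None and r.cmd != cmd:
        return False
    if r.args is not None and r.args != args:
        return False
    return True


def decide(rules: List[Rule], user: str, groups: Set[str], target: str,
           cmd: str, args: Sequence[str] = ()) -> Optional[str]:
    """Return 'permit', 'permit nopass', 'deny', or None when no rule matches
    (doas then reports 'Operation not permitted'). Last matching rule wins."""
    verdict = None
    for r in rules:
        if rule_matches(r, user, groups, target, cmd, list(args)):
            if r.action == "deny":
                verdict = "deny"
            else:
                verdict = "permit nopass" if r.nopass else "permit"
    return verdict


# Constructed doas.conf: the thread's two bhyve-win/bhyve-lin rules plus the
# rule Mark Peek suggests for the script kept in /bhyve.
DOAS_CONF = """\
permit nopass :wheel as root cmd /usr/sbin/bhyve-win
permit nopass :wheel as root cmd /usr/sbin/bhyve-lin
permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12
"""
RULES = parse_doas_conf(DOAS_CONF)

# Constructed caller: a user who is a member of wheel.
USER, GROUPS = "marietto", {"marietto", "wheel"}


def check_thread_commands() -> dict:
    """Evaluate the three spellings of the command that appear in the thread."""
    return {c: decide(RULES, USER, GROUPS, "root", c)
            for c in ("12-Win-11-vm12", "./12-Win-11-vm12", "/bhyve/12-Win-11-vm12")}


if __name__ == "__main__":
    for command, verdict in check_thread_commands().items():
        print(f"doas {command:<24} -> {verdict or 'Operation not permitted'}")
```

Only the absolute form `/bhyve/12-Win-11-vm12` is permitted by the constructed config; the bare name and the `./` form match no rule. Writing the rule with an absolute path is also the safer shape, since a rule such as `cmd ./12-Win-11-vm12` would permit whatever file of that name sits in the caller's current directory. On a real system the same question is answered by doas's check mode, `doas -C /usr/local/etc/doas.conf /bhyve/12-Win-11-vm12`, which prints `permit`, `permit nopass` or `deny` for the calling user without executing anything. The "command not found" in the thread comes from a later step the model leaves out: once a rule matches, doas executes the command with its own fixed safe PATH rather than the caller's shell PATH, and the zsh `command-path` zstyle only affects completion, so a bare name is found only in the standard system directories.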