Date:      Mon, 17 Jun 2024 13:45:56 -0700
From:      Mark Peek <mp@freebsd.org>
To:        Mario Marietto <marietto2008@gmail.com>
Cc:        Mark Peek <mp@freebsd.org>, Dave Cottlehuber <dch@skunkwerks.at>,  Odhiambo Washington <odhiambo@gmail.com>,  freebsd-virtualization <freebsd-virtualization@freebsd.org>
Subject:   Re: How to launch a bhyve vm as normal user,without being root
Message-ID:  <CAGGgMJeRvrtML4LoBe1NyQHwMGPmD0vV7tous0_HDZWVANUD1A@mail.gmail.com>
In-Reply-To: <CA%2B1FSij4Xb2b7Mt-TbYMs7%2B2Z4NgfEu7gcaGENJohdAKSGKXGA@mail.gmail.com>
References:  <CA%2B1FSiimo=-0s80QeGMuLnJAzxi53-V6s303YuW36UkYnqfB-g@mail.gmail.com> <CAAdA2WPrtG_VaLuE8UfBwxanyfNzgLqeBCvpJMvRETdcUSmMEg@mail.gmail.com> <CA%2B1FSijLiq0WMdCvJfQC%2BvtBxXc6iSMD6WQAMavGpg%2BsmCuTFg@mail.gmail.com> <86a551c1-7f10-450d-a282-b33f959ed93e@app.fastmail.com> <CA%2B1FSighjAkOAtzyX3HBy4h0ZnTVckjF9adnWMpAR3m=xW0dUA@mail.gmail.com> <CAGGgMJfoAHFv2uJBzz%2BcJ-pe0tUX=BVaCxM3y5SU-cUxGHcs9A@mail.gmail.com> <CA%2B1FSihHFejcobwVdGhtus4P8uRDkPyXDhQtrBCp-EWxPz=MPg@mail.gmail.com> <CAGGgMJd%2BZh6G%2B0jmCe_%2Bfxof8-RD3AiwhnDuejo84Lm56qZm1A@mail.gmail.com> <CA%2B1FSijS1O8aL6GVwRx0Mt4PETvbL1C0oMgs79pQBtUg4jV8FA@mail.gmail.com> <CA%2B1FSij4Xb2b7Mt-TbYMs7%2B2Z4NgfEu7gcaGENJohdAKSGKXGA@mail.gmail.com>


I was just responding...

Works for me using the full path to the command. You should try as well
with the full path to the command.

$ ls -l /bhyve/12-Win-11-vm12
-rwxr-xr-x  1 root wheel 22 Jun 17 13:25 /bhyve/12-Win-11-vm12
$ cat !$
cat /bhyve/12-Win-11-vm12
#!/bin/sh

echo $USER
$ ls -l /bhyve/12-Win-11-vm12
-rwxr-xr-x  1 root wheel 22 Jun 17 13:25 /bhyve/12-Win-11-vm12
$ cat /bhyve/12-Win-11-vm12
#!/bin/sh

echo $USER
$ cat /usr/local/etc/doas.conf
permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12
$ doas /bhyve/12-Win-11-vm12
root
$ doas 12-Win-11-vm12
doas: Operation not permitted

This last failure is likely an issue with how PATH interacts with doas. You
should move this to another mailing list as this is more about "doas" than
"bhyve".


On Mon, Jun 17, 2024 at 1:44 PM Mario Marietto <marietto2008@gmail.com>
wrote:

> I had an illumination and I found how it works:
>
> [marietto@marietto /bhyve]==> doas /bhyve/12-Win-11-vm12
>
> But why ?
>
>
> On Mon, Jun 17, 2024 at 10:15 PM Mario Marietto <marietto2008@gmail.com>
> wrote:
>
>> nano /usr/local/etc/doas.conf:
>>
>> permit nopass :wheel as root cmd bhyve-win
>> permit nopass :wheel as root cmd bhyve-lin
>> permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12
>>
>> [marietto@marietto /bhyve]==> doas 12-Win-11-vm12
>> doas: Operation not permitted
>>
>> On Mon, Jun 17, 2024 at 9:50 PM Mark Peek <mp@freebsd.org> wrote:
>>
>>> Likely because you don't have this in the doas.conf file:
>>>
>>> permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12
>>>
>>>
>>> On Mon, Jun 17, 2024 at 11:35 AM Mario Marietto <marietto2008@gmail.com>
>>> wrote:
>>>
>>>> If I keep the bhyve scripts in /usr/sbin, it works. But I want to keep
>>>> the bhyve scripts in /bhyve and I don't want to keep them in /usr/sbin. For
>>>> this reason I've added the path /bhyve to /home/marietto/.zshrc like this:
>>>>
>>>> # ~/.zshrc
>>>>
>>>> # zsh autocompletion for sudo and doas
>>>> zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin
>>>> /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve
>>>>
>>>> and in /root/.zshrc:
>>>>
>>>> # zsh autocompletion for sudo and doas
>>>> zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin
>>>> /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve
>>>>
>>>> but when I try to run the vm like this:
>>>>
>>>> [marietto@marietto /bhyve]==> doas 12-Win-11-vm12
>>>>
>>>> it says:
>>>>
>>>> doas: 12-Win-11-vm12: command not found
>>>>
>>>> and when I do:
>>>>
>>>> [marietto@marietto /bhyve]==> doas ./12-Win-11-vm12
>>>>
>>>> it says:
>>>>
>>>> doas: Operation not permitted
>>>>
>>>> Why?
>>>>
>>>>
>>>> On Mon, Jun 17, 2024 at 7:53 PM Mark Peek <mp@freebsd.org> wrote:
>>>>
>>>>> Likely need to add this as it is what you are passing to doas as the
>>>>> command to execute:
>>>>>
>>>>> permit nopass :wheel as root cmd /usr/sbin/12-Win-11-vm12
>>>>>
>>>>> Mark
>>>>>
>>>>> On Mon, Jun 17, 2024 at 10:40 AM Mario Marietto <
>>>>> marietto2008@gmail.com> wrote:
>>>>> >
>>>>> > [marietto@marietto /bhyve]==> sudo cp 12-Win-11-vm12 /usr/sbin
>>>>> >
>>>>> > [marietto@marietto /bhyve]==> nano /usr/sbin/12-Win-11-vm12
>>>>> >
>>>>> > #!/bin/sh
>>>>> >
>>>>> > bhyve-win -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \
>>>>> > -s 0,hostbridge \
>>>>> > -s 1,ahci-hd,/mnt/da4p2/bhyve/img/Windows/Windows11.img,bootindex=1 \
>>>>> > -s 2,ahci-hd,/dev/$vmdisk5 \
>>>>> > -s 8:0,passthru,2/0/0 \
>>>>> > -s 8:1,passthru,2/0/1 \
>>>>> > -s 8:2,passthru,2/0/2 \
>>>>> > -s 8:3,passthru,2/0/3 \
>>>>> > -s 13,virtio-net,tap12 \
>>>>> > -s 29,fbuf,tcp=0.0.0.0:5912,w=1600,h=950,wait \
>>>>> > -s 30,xhci,tablet \
>>>>> > -s 31,lpc \
>>>>> > -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd \
>>>>> > vm0:12 < /dev/null & sleep 2 && vncviewer 0:12
>>>>> >
>>>>> > [marietto@marietto /bhyve]==> sudo chmod 0755
>>>>> /usr/sbin/12-Win-11-vm12
>>>>> >
>>>>> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf
>>>>> >
>>>>> > permit nopass :wheel as root cmd /usr/sbin/bhyve-win
>>>>> > permit nopass :wheel as root cmd /usr/sbin/bhyve-lin
>>>>> >
>>>>> > [marietto@marietto /bhyve]==> doas /usr/sbin/12-Win-11-vm12
>>>>> > doas: Operation not permitted
>>>>> >
>>>>> > BUT :
>>>>> >
>>>>> > [marietto@marietto /bhyve]==> sudo nano /usr/sbin/hallo
>>>>> >
>>>>> > #!/bin/sh
>>>>> > echo hallo $USER
>>>>> >
>>>>> > [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/hallo
>>>>> >
>>>>> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf
>>>>> >
>>>>> > permit nopass :wheel as root cmd hallo
>>>>> >
>>>>> > [marietto@marietto /bhyve]==> doas hallo
>>>>> >
>>>>> > BOOM ! it works :
>>>>> >
>>>>> > hallo root
>>>>> >
>>>>> > On Mon, Jun 17, 2024 at 6:54 PM Dave Cottlehuber <dch@skunkwerks.at>
>>>>> wrote:
>>>>> >>
>>>>> >> On Mon, 17 Jun 2024, at 14:12, Mario Marietto wrote:
>>>>> >> > Nice idea, but it does not work:
>>>>> >> >
>>>>> >> > nano /home/marietto/.zshrc
>>>>> >> >
>>>>> >> > # ~/.zshrc
>>>>> >>
>>>>> >> Hi Mario, I think your zsh stuff is getting in the way
>>>>> >> here. Your zshrc function is not visible to the root user,
>>>>> >> as doas cleans up all the env and so your function is unknown.
>>>>> >>
>>>>> >> So start off with something without bhyve, make sure you are in
>>>>> >> wheel group, and add a shell script called
>>>>> >> /usr/local/bin/hallo:
>>>>> >>
>>>>> >> ```
>>>>> >> #!/bin/sh
>>>>> >> echo hallo $USER
>>>>> >> ```
>>>>> >>
>>>>> >> chmod 0755 /usr/local/bin/hallo
>>>>> >>
>>>>> >> ```
>>>>> >> # /usr/local/etc/doas.conf (per doas.conf manpage)
>>>>> >> permit nopass :wheel as root cmd /usr/local/bin/hallo
>>>>> >> ```
>>>>> >>
>>>>> >> $ doas /usr/local/bin/hallo
>>>>> >> hallo root
>>>>> >>
>>>>> >> then replace your bhyve commands in the hallo script.
>>>>> >>
>>>>> >> Off the top of my head there's no reason for bhyve to need
>>>>> >> anything different to hallo script.
>>>>> >> A+
>>>>> >> Dave
>>>>> >
>>>>> >
>>>>> >
>>>>> > --
>>>>> > Mario.
>>>>>
>>>>
>>>>
>>>> --
>>>> Mario.
>>>>
>>>
>>
>> --
>> Mario.
>>
>
>
> --
> Mario.
>
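
Added note and example, not part of the thread: what the transcripts above show is how doas matches a cmd rule. doas compares the cmd string in the rule with the command exactly as typed after `doas`, and only then executes it, with PATH reset to doas's own built-in list of system directories. So `doas /bhyve/12-Win-11-vm12` matches `cmd /bhyve/12-Win-11-vm12`, while `doas 12-Win-11-vm12` and `doas ./12-Win-11-vm12` match no rule and fail with "Operation not permitted"; a rule written as `cmd hallo` matches `doas hallo`, but the script is then looked up only on that reset PATH, which is why it was found in /usr/sbin and not in /bhyve, whatever the caller's zsh configuration says.

The security point is that `permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12` turns that file into a password-less root entry point for every wheel member, so the script and every directory above it have to be root-owned and not writable by group or other, or any wheel user can swap in a script of their own. The POSIX sh script below is an added example (my own, not from the thread or from doas) that parses the cmd targets out of a doas.conf and checks exactly that, and flags rules whose cmd is not an absolute path. The fixture it builds under a temp directory is constructed test data; the uid and boundary arguments exist only so it can run unprivileged. On a real host you would call `audit_conf /usr/local/etc/doas.conf 0 /`.

```sh
#!/bin/sh
# Added example, not code from the thread: audit the targets of doas.conf
# "cmd" rules. Real use: audit_conf /usr/local/etc/doas.conf 0 /
#
# A rule such as
#   permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12
# gives every wheel member root, with no password, through that one file, so
# the file and every directory above it must be owned by uid 0 and not be
# writable by group or other. A cmd without a leading slash is matched by
# name and then found through doas's reset PATH; flag that too.

# has_w_bit MODE -> true if the group or other write bit is set (ls -l mode string)
has_w_bit() {
    case $1 in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_cmd CMD UID BOUNDARY
#   CMD      the token after "cmd" in a rule
#   UID      numeric uid that must own CMD and its ancestors (0 on a real host)
#   BOUNDARY directory at which the upward walk stops, inclusive ("/" on a
#            real host; the demo and test pass a temp dir to run unprivileged)
# Prints "ok CMD" or "PROBLEM: ..." lines and returns 1 on any problem.
audit_cmd() {
    cmd=$1; want_uid=$2; boundary=$3; rc=0
    case $cmd in
        /*) ;;
        *)  echo "PROBLEM: '$cmd' is not absolute; matched by name, found via PATH"
            return 1 ;;
    esac
    [ -e "$cmd" ] || { echo "PROBLEM: $cmd does not exist"; return 1; }
    p=$cmd
    while :; do
        set -- $(ls -ldn "$p")        # $1 = mode string, $3 = numeric owner uid
        if [ "$3" != "$want_uid" ]; then
            echo "PROBLEM: $p is owned by uid $3, expected $want_uid"; rc=1
        fi
        if has_w_bit "$1"; then
            echo "PROBLEM: $p is group/world writable ($1)"; rc=1
        fi
        [ "$p" = "$boundary" ] || [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    [ "$rc" -eq 0 ] && echo "ok $cmd"
    return "$rc"
}

# audit_conf CONF UID BOUNDARY -> audits every "permit ... cmd X" rule in CONF;
# prints the number of failing rules and returns 1 if there are any.
audit_conf() {
    bad=0
    for c in $(awk '$1 == "permit" { for (i = 2; i < NF; i++) if ($i == "cmd") print $(i+1) }' "$1"); do
        audit_cmd "$c" "$2" "$3" || bad=$((bad + 1))
    done
    echo "$bad problem rule(s)"
    [ "$bad" -eq 0 ]
}

# make_fixture DIR -> constructed test data under DIR (not a real system):
# a correct wrapper, a group-writable wrapper, and a rule using a bare name.
# Prints the path of the generated doas.conf.
make_fixture() {
    d=$1
    mkdir -p "$d/bhyve" "$d/loose"
    chmod 0755 "$d/bhyve" "$d/loose"
    printf '#!/bin/sh\necho "$USER"\n' > "$d/bhyve/12-Win-11-vm12"
    chmod 0755 "$d/bhyve/12-Win-11-vm12"
    printf '#!/bin/sh\necho hallo\n' > "$d/loose/hallo"
    chmod 0775 "$d/loose/hallo"          # group-writable on purpose
    cat > "$d/doas.conf" <<EOF
permit nopass :wheel as root cmd $d/bhyve/12-Win-11-vm12
permit nopass :wheel as root cmd $d/loose/hallo
permit nopass :wheel as root cmd hallo
EOF
    echo "$d/doas.conf"
}

# Demo against the constructed fixture: expect "2 problem rule(s)".
demo_dir=$(mktemp -d)
audit_conf "$(make_fixture "$demo_dir")" "$(id -u)" "$demo_dir" || true
rm -rf "$demo_dir"
```

Two related caveats visible in the posted wrapper: doas starts the command with a cleaned environment (Dave's point about the zsh function), so a wrapper run this way should set PATH itself and cannot rely on a variable such as `$vmdisk5` from the caller's shell unless the rule passes it through with doas.conf's setenv or keepenv; and `-s 29,fbuf,tcp=0.0.0.0:5912` binds the VNC console on every interface, so on anything but an isolated host bind it to a specific address (or 127.0.0.1 behind an SSH tunnel) rather than leaving it open.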


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGGgMJeRvrtML4LoBe1NyQHwMGPmD0vV7tous0_HDZWVANUD1A>