Date:      Mon, 17 Jun 2024 20:34:52 +0200
From:      Mario Marietto <marietto2008@gmail.com>
To:        Mark Peek <mp@freebsd.org>
Cc:        Dave Cottlehuber <dch@skunkwerks.at>, Odhiambo Washington <odhiambo@gmail.com>,  freebsd-virtualization <freebsd-virtualization@freebsd.org>
Subject:   Re: How to launch a bhyve vm as normal user,without being root
Message-ID:  <CA%2B1FSihHFejcobwVdGhtus4P8uRDkPyXDhQtrBCp-EWxPz=MPg@mail.gmail.com>
In-Reply-To: <CAGGgMJfoAHFv2uJBzz%2BcJ-pe0tUX=BVaCxM3y5SU-cUxGHcs9A@mail.gmail.com>
References:  <CA%2B1FSiimo=-0s80QeGMuLnJAzxi53-V6s303YuW36UkYnqfB-g@mail.gmail.com> <CAAdA2WPrtG_VaLuE8UfBwxanyfNzgLqeBCvpJMvRETdcUSmMEg@mail.gmail.com> <CA%2B1FSijLiq0WMdCvJfQC%2BvtBxXc6iSMD6WQAMavGpg%2BsmCuTFg@mail.gmail.com> <86a551c1-7f10-450d-a282-b33f959ed93e@app.fastmail.com> <CA%2B1FSighjAkOAtzyX3HBy4h0ZnTVckjF9adnWMpAR3m=xW0dUA@mail.gmail.com> <CAGGgMJfoAHFv2uJBzz%2BcJ-pe0tUX=BVaCxM3y5SU-cUxGHcs9A@mail.gmail.com>


If I keep the bhyve scripts in /usr/sbin, it works. But I want to keep the
bhyve scripts in /bhyve and I don't want to keep them in /usr/sbin. For
this reason I've added the path /bhyve to /home/marietto/.zshrc like this:

# ~/.zshrc

# zsh autocompletion for sudo and doas
zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve

and in /root/.zshrc:

# zsh autocompletion for sudo and doas
zstyle ":completion:*:(sudo|su|doas):*" command-path /usr/local/bin /usr/local/sbin /usr/sbin /usr/bin /bin /sbin /bhyve

but when I try to run the vm like this:

[marietto@marietto /bhyve]==> doas 12-Win-11-vm12

it says:

doas: 12-Win-11-vm12: command not found

and when I do:

[marietto@marietto /bhyve]==> doas ./12-Win-11-vm12

it says:

doas: Operation not permitted

Why?


On Mon, Jun 17, 2024 at 7:53 PM Mark Peek <mp@freebsd.org> wrote:

> Likely need to add this as it is what you are passing to doas as the
> command to execute:
>
> permit nopass :wheel as root cmd /usr/sbin/12-Win-11-vm12
>
> Mark
>
> On Mon, Jun 17, 2024 at 10:40 AM Mario Marietto <marietto2008@gmail.com>
> wrote:
> >
> > [marietto@marietto /bhyve]==> sudo cp 12-Win-11-vm12 /usr/sbin
> >
> > [marietto@marietto /bhyve]==> nano /usr/sbin/12-Win-11-vm12
> >
> > #!/bin/sh
> >
> > bhyve-win -S -c sockets=4,cores=2,threads=1 -m 8G -w -H \
> > -s 0,hostbridge \
> > -s 1,ahci-hd,/mnt/da4p2/bhyve/img/Windows/Windows11.img,bootindex=1 \
> > -s 2,ahci-hd,/dev/$vmdisk5 \
> > -s 8:0,passthru,2/0/0 \
> > -s 8:1,passthru,2/0/1 \
> > -s 8:2,passthru,2/0/2 \
> > -s 8:3,passthru,2/0/3 \
> > -s 13,virtio-net,tap12 \
> > -s 29,fbuf,tcp=0.0.0.0:5912,w=1600,h=950,wait \
> > -s 30,xhci,tablet \
> > -s 31,lpc \
> > -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI_CODE.fd \
> > vm0:12 < /dev/null & sleep 2 && vncviewer 0:12
> >
> > [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/12-Win-11-vm12
> >
> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf
> >
> > permit nopass :wheel as root cmd /usr/sbin/bhyve-win
> > permit nopass :wheel as root cmd /usr/sbin/bhyve-lin
> >
> > [marietto@marietto /bhyve]==> doas /usr/sbin/12-Win-11-vm12
> > doas: Operation not permitted
> >
> > BUT :
> >
> > [marietto@marietto /bhyve]==> sudo nano /usr/sbin/hallo
> >
> > #!/bin/sh
> > echo hallo $USER
> >
> > [marietto@marietto /bhyve]==> sudo chmod 0755 /usr/sbin/hallo
> >
> > [marietto@marietto /bhyve]==> sudo nano /usr/local/etc/doas.conf
> >
> > permit nopass :wheel as root cmd hallo
> >
> > [marietto@marietto /bhyve]==> doas hallo
> >
> > BOOM ! it works :
> >
> > hallo root
> >
> > On Mon, Jun 17, 2024 at 6:54 PM Dave Cottlehuber <dch@skunkwerks.at>
> wrote:
> >>
> >> On Mon, 17 Jun 2024, at 14:12, Mario Marietto wrote:
> >> > Nice idea, but it does not work:
> >> >
> >> > nano /home/marietto/.zshrc
> >> >
> >> > # ~/.zshrc
> >>
> >> Hi Mario, I think your zsh stuff is getting in the way
> >> here. Your zshrc function is not visible to the root user,
> >> as doas cleans up all the env and so your function is unknown.
> >>
> >> So start off with something without bhyve, make sure you are in
> >> wheel group, and add a shell script called
> >> /usr/local/bin/hallo:
> >>
> >> ```
> >> #!/bin/sh
> >> echo hallo $USER
> >> ```
> >>
> >> chmod 0755 /usr/local/bin/hallo
> >>
> >> ```
> >> # /usr/local/etc/doas.conf (per doas.conf manpage)
> >> permit nopass :wheel as root cmd /usr/local/bin/hallo
> >> ```
> >>
> >> $ doas /usr/local/bin/hallo
> >> hallo root
> >>
> >> then replace your bhyve commands in the hallo script.
> >>
> >> Off the top of my head there's no reason for bhyve to need
> >> anything different to hallo script.
> >> A+
> >> Dave
> >
> >
> >
> > --
> > Mario.
>


-- 
Mario.
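The two error messages in this thread come from two separate checks inside doas, and the model below (added here as an illustration; it is not doas's own source and not code from anyone in the thread) reproduces both so the outcomes can be traced. First, doas compares the `cmd` word of a rule with the command string exactly as typed, so `12-Win-11-vm12`, `./12-Win-11-vm12` and `/usr/sbin/12-Win-11-vm12` are three different commands as far as the rule is concerned; a rule that names none of them yields "Operation not permitted". Second, doas discards the caller's environment, PATH included, and searches a bare command name only in a fixed safe path, so a directory such as /bhyve added in ~/.zshrc is never consulted and the name is "command not found" even when a rule permits it. The `zstyle ... command-path` line only configures zsh tab completion and never changes PATH at all. The `SAFE_PATH` value is the default compiled into doas/OpenDoas and should be treated as an assumption about your build; `parse_conf`, `permit`, `resolve`, `doas`, the sample conf and the file set are all constructed for this example, and `args` matching is left out.

```python
"""Model of the doas(1) permit check and command lookup (constructed example)."""
import posixpath
from dataclasses import dataclass
from typing import Optional

# Default safe path of doas/OpenDoas; an assumption about the build, not read
# from the thread.
SAFE_PATH = ["/bin", "/sbin", "/usr/bin", "/usr/sbin",
             "/usr/local/bin", "/usr/local/sbin"]


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    nopass: bool
    identity: str          # a user name, or ":group"
    target: str            # user named after "as" (defaults to root)
    cmd: Optional[str]     # command string, or None when the rule has no cmd


def parse_conf(text: str) -> list:
    """Parse the subset of doas.conf(5) syntax used in the thread."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        action = tok.pop(0)
        nopass = False
        if tok[0] == "nopass":
            nopass = True
            tok.pop(0)
        identity = tok.pop(0)
        target, cmd = "root", None
        while tok:
            key = tok.pop(0)
            if key == "as":
                target = tok.pop(0)
            elif key == "cmd":
                cmd = tok.pop(0)
        rules.append(Rule(action, nopass, identity, target, cmd))
    return rules


def permit(rules, user, groups, target, argv0) -> bool:
    """Last matching rule wins, as doas.conf(5) specifies."""
    chosen = None
    for r in rules:
        if r.identity.startswith(":"):
            if r.identity[1:] not in groups:
                continue
        elif r.identity != user:
            continue
        if r.target != target:
            continue
        if r.cmd is not None and r.cmd != argv0:   # exact string compare
            continue
        chosen = r
    return chosen is not None and chosen.action == "permit"


def resolve(argv0, cwd, executables) -> Optional[str]:
    """Locate argv0 after the permit check: a name containing '/' is taken
    relative to cwd (or used as-is when absolute); a bare name is searched
    only in SAFE_PATH, never in the caller's PATH."""
    if "/" in argv0:
        path = posixpath.normpath(posixpath.join(cwd, argv0))
        return path if path in executables else None
    for d in SAFE_PATH:
        cand = posixpath.join(d, argv0)
        if cand in executables:
            return cand
    return None


def doas(conf, user, groups, cwd, argv0, executables) -> str:
    """Return the outcome in the order doas performs the checks."""
    if not permit(parse_conf(conf), user, groups, "root", argv0):
        return "doas: Operation not permitted"
    path = resolve(argv0, cwd, executables)
    if path is None:
        return f"doas: {argv0}: command not found"
    return f"exec {path} as root"


# Constructed state: rules in the style of the thread, and the files that
# exist on the host. The VM script lives only in /bhyve.
CONF = """\
permit nopass :wheel as root cmd hallo
permit nopass :wheel as root cmd 12-Win-11-vm12
permit nopass :wheel as root cmd /usr/sbin/12-Win-11-vm12
"""
FILES = {"/usr/sbin/hallo", "/bhyve/12-Win-11-vm12"}
WHEEL_USER = ("marietto", ["wheel"], "/bhyve")   # user, groups, cwd


def thread_cases() -> dict:
    """The invocations from the thread, evaluated against CONF and FILES."""
    return {a: doas(CONF, *WHEEL_USER, a, FILES)
            for a in ("12-Win-11-vm12", "./12-Win-11-vm12", "hallo")}


def fixed_case() -> str:
    """Rule and invocation both use the script's absolute path in /bhyve."""
    conf = CONF + "permit nopass :wheel as root cmd /bhyve/12-Win-11-vm12\n"
    return doas(conf, *WHEEL_USER, "/bhyve/12-Win-11-vm12", FILES)


if __name__ == "__main__":
    for argv0, outcome in thread_cases().items():
        print(f"doas {argv0:<18} -> {outcome}")
    print(f"doas /bhyve/12-Win-11-vm12 -> {fixed_case()}")
```

Running the block prints "command not found" for the bare name (permitted by a rule, but /bhyve is not in the safe path), "Operation not permitted" for `./12-Win-11-vm12` (no rule names that exact string), and an exec for `hallo` and for the absolute-path case. The practical consequence for a doas.conf is that a rule should name the script by its absolute path and the script should be invoked the same way, so the decision does not depend on the caller's working directory or shell configuration.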


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CA%2B1FSihHFejcobwVdGhtus4P8uRDkPyXDhQtrBCp-EWxPz=MPg>