lima-vm / lima

Linux virtual machines, with a focus on running containers
https://lima-vm.io/
Apache License 2.0

sudoers: add `/usr/libexec/ApplicationFirewall/socketfilterfw --unblock /usr/libexec/bootpd` #1598

Open AkihiroSuda opened 1 year ago

AkihiroSuda commented 1 year ago

It looks like lima should run `/usr/libexec/ApplicationFirewall/socketfilterfw --unblock /usr/libexec/bootpd` every time when using socket_vmnet: https://github.com/lima-vm/lima/issues/1259#issuecomment-1573051614

AkihiroSuda commented 1 year ago

The socketfilterfw(8) man page (on macOS 13.5) mentions --unblockapp, but does not seem to mention --unblock. Maybe --unblock is already deprecated?

AravindGopala commented 1 year ago

Hi @AkihiroSuda, can we bump up the priority on this? I am not so keen on how to achieve this, otherwise I would have submitted a PR myself. Are we planning to call the command from the commands.go file?

AkihiroSuda commented 1 year ago

> Hi @AkihiroSuda, can we bump up the priority on this? I am not so keen on how to achieve this, otherwise I would have submitted a PR myself.

Thanks

> Are we planning to call the command from the commands.go file?

Yes, probably

AkihiroSuda commented 1 year ago

Can anybody check if this is still required for macOS 14?

AravindGopala commented 1 year ago

[deleted]

AkihiroSuda commented 1 year ago

@AravindGopala Is this issue resolved with macOS 14?

AkihiroSuda commented 1 year ago

socketfilterfw still seems to be needed for some machines running macOS 14: https://github.com/lima-vm/lima/issues/1259#issuecomment-1741868169

But I still can't repro the issue locally, and `sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /usr/libexec/bootpd` fails with a "The file path you specified does not exist" error even though /usr/libexec/bootpd exists. A rumor is that socketfilterfw doesn't work on Japanese macOS: https://gist.github.com/techraf/ef5a6aae636f52eec09b?permalink_comment_id=2974356#gistcomment-2974356

AravindGopala commented 1 year ago

@AkihiroSuda Sorry for the confusion. It looks like on macOS Sonoma 14.0 on an M1 Max MacBook Pro, network sharing works without issues, and colima gets the IP every time. So far I no longer have to run the socket filter commands at every boot like before (it's been four days since I updated to Sonoma; I will keep an eye on it in case I ever see the issue again). It looks like the issue is fixed for me.

On a side note, the commands below do work for me here in the USA, even on Sonoma:

    sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /usr/libexec/bootpd
    sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblock /usr/libexec/bootpd

AravindGopala commented 1 year ago

Hi @AkihiroSuda, I can confirm that the issue came back for me after a couple of reboots over the days, i.e. internet sharing no longer works and the VM fails to get the IP. I have manually run the commands to fix it. So we need this PR.

    sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /usr/libexec/bootpd
    sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblock /usr/libexec/bootpd

AkihiroSuda commented 1 year ago

Is anyone interested in opening a PR?

I still can't use socketfilterfw by myself