search

lima-vm / lima

Linux virtual machines, with a focus on running containers
https://lima-vm.io/
Apache License 2.0
15.07k stars 591 forks source link

add option to relax socket_vmnet validation #2662

Open avoidik opened 1 day ago

avoidik commented 1 day ago

hello,

with this merge request I'd like to introduce an option to be able to relax socket_vmnet verification logic

regards

avoidik commented 11 hours ago

@jandubois it won't work if a user is not a member of the admin group, although is listed in the sudoers file and is an owner of the directory, here is a relevant error message (with the sudoers line removed in the networks.yaml file):

$ limactl start --name docker-cri-aarch64 --arch aarch64 --cpus 2 --memory 4 --disk 20 --vm-type vz --tty=false template://vmnet
INFO[0000] Terminal is not available, proceeding without opening an editor
WARN[0000] `vmType: vz` is experimental
FATA[0000] networks.yaml field `paths.socketVMNet` error: dir "/opt/homebrew/Cellar/socket_vmnet/1.1.4" owner XXXis not an admin
$ ls -ld /opt/homebrew/Cellar/socket_vmnet/1.1.4
drwxr-xr-x@ 11 user.name  admin  352 Sep 26 21:42 /opt/homebrew/Cellar/socket_vmnet/1.1.4
$ echo $USER
user.name
$ id -u
XXX

this check is in this line: https://github.com/lima-vm/lima/blob/619a4cad33af3c02dc71db82a437c4a3a908d434/pkg/networks/validate.go#L103

since I'm a sudoer user already, I'm able to change the homebrew's socket_vmnet directory owner to an admin, so that the check passes, however it then complains that the entire directories chain up to / should be owned by a root (or any user which is a member of the admin group)

$ sudo chown -R root:admin /opt/homebrew/Cellar/socket_vmnet/1.1.4
$ limactl start --name docker-cri-aarch64 --arch aarch64 --cpus 2 --memory 4 --disk 20 --vm-type vz --tty=false template://vmnet
INFO[0000] Terminal is not available, proceeding without opening an editor
WARN[0000] `vmType: vz` is experimental
FATA[0000] networks.yaml field `paths.socketVMNet` error: dir "/opt/homebrew/Cellar/socket_vmnet" owner XXXis not an admin
$ sudo chown -R root:admin /opt/homebrew/Cellar/socket_vmnet/
$ limactl start --name docker-cri-aarch64 --arch aarch64 --cpus 2 --memory 4 --disk 20 --vm-type vz --tty=false template://vmnet
INFO[0000] Terminal is not available, proceeding without opening an editor
WARN[0000] `vmType: vz` is experimental
FATA[0000] networks.yaml field `paths.socketVMNet` error: dir "/opt/homebrew/Cellar" owner XXXis not an admin
jandubois commented 15 minutes ago

however it then complains that the entire directories chain up to / should be owned by a root (or any user which is a member of the admin group)

Yes, this is necessary to keep this feature secure. I've shown in https://github.com/lima-vm/lima/issues/1437#issuecomment-2380858664 how you can enable password-less sudo and remove the configuration setting for the sudoers file. Then limactl start will no longer verify the security of the daemon executable because you allow execution of any binary by root anyways.