Open avoidik opened 1 day ago
@jandubois it won't work if a user is not a member of the admin group, although they are listed in the sudoers file and are the owner of the directory. Here is the relevant error message (with the sudoers line removed from the networks.yaml file):
$ limactl start --name docker-cri-aarch64 --arch aarch64 --cpus 2 --memory 4 --disk 20 --vm-type vz --tty=false template://vmnet
INFO[0000] Terminal is not available, proceeding without opening an editor
WARN[0000] `vmType: vz` is experimental
FATA[0000] networks.yaml field `paths.socketVMNet` error: dir "/opt/homebrew/Cellar/socket_vmnet/1.1.4" owner XXXis not an admin
$ ls -ld /opt/homebrew/Cellar/socket_vmnet/1.1.4
drwxr-xr-x@ 11 user.name admin 352 Sep 26 21:42 /opt/homebrew/Cellar/socket_vmnet/1.1.4
$ echo $USER
user.name
$ id -u
XXX
this check is in this line: https://github.com/lima-vm/lima/blob/619a4cad33af3c02dc71db82a437c4a3a908d434/pkg/networks/validate.go#L103
Since I'm already a sudoer, I'm able to change the owner of Homebrew's socket_vmnet directory to an admin so that the check passes; however, it then complains that the entire directory chain up to / should be owned by root (or any user who is a member of the admin group):
$ sudo chown -R root:admin /opt/homebrew/Cellar/socket_vmnet/1.1.4
$ limactl start --name docker-cri-aarch64 --arch aarch64 --cpus 2 --memory 4 --disk 20 --vm-type vz --tty=false template://vmnet
INFO[0000] Terminal is not available, proceeding without opening an editor
WARN[0000] `vmType: vz` is experimental
FATA[0000] networks.yaml field `paths.socketVMNet` error: dir "/opt/homebrew/Cellar/socket_vmnet" owner XXXis not an admin
$ sudo chown -R root:admin /opt/homebrew/Cellar/socket_vmnet/
$ limactl start --name docker-cri-aarch64 --arch aarch64 --cpus 2 --memory 4 --disk 20 --vm-type vz --tty=false template://vmnet
INFO[0000] Terminal is not available, proceeding without opening an editor
WARN[0000] `vmType: vz` is experimental
FATA[0000] networks.yaml field `paths.socketVMNet` error: dir "/opt/homebrew/Cellar" owner XXXis not an admin
however, it then complains that the entire directory chain up to / should be owned by root (or any user who is a member of the admin group)
Yes, this is necessary to keep this feature secure. I've shown in https://github.com/lima-vm/lima/issues/1437#issuecomment-2380858664 how you can enable password-less sudo and remove the configuration setting for the sudoers file. Then limactl start will no longer verify the security of the daemon executable because you allow execution of any binary by root anyways.
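To make the "whole chain up to /" requirement concrete: the daemon under `paths.socketVMNet` is started by root via sudo, so if any ancestor directory is owned by an unprivileged user, that user could replace the directory (and everything below it) and have root run a different binary. Checking only the leaf directory, as the first error in the thread might suggest, would not catch that. The following is an added illustration, not Lima's own validate.go code: it walks from the configured path up to "/" and rejects the first component whose owner is neither root nor an "admin" group member. The lookups are injected so the walk can be run against a constructed layout (uid 501 and the directory owners below are made-up values mirroring the thread) as well as against the real filesystem.

```go
package main

import (
	"fmt"
	"os"
	"os/user"
	"path/filepath"
	"strconv"
	"syscall"
)

// ownerLookup returns the numeric uid owning path.
type ownerLookup func(path string) (uint32, error)

// adminCheck reports whether uid may own a component of a privileged path.
type adminCheck func(uid uint32) (bool, error)

// validateChain checks path and every ancestor up to "/", failing on the
// first component whose owner is neither root nor an admin. One untrusted
// ancestor is enough to swap out everything below it, so every level counts.
func validateChain(path string, owner ownerLookup, isAdmin adminCheck) error {
	path = filepath.Clean(path)
	for {
		uid, err := owner(path)
		if err != nil {
			return fmt.Errorf("stat %q: %w", path, err)
		}
		ok, err := isAdmin(uid)
		if err != nil {
			return fmt.Errorf("resolving owner %d of %q: %w", uid, path, err)
		}
		if !ok {
			return fmt.Errorf("dir %q owner %d is not an admin", path, uid)
		}
		parent := filepath.Dir(path)
		if parent == path { // reached "/"
			return nil
		}
		path = parent
	}
}

// osOwner reads the owner uid from the real filesystem (Unix only).
func osOwner(path string) (uint32, error) {
	st, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	sys, ok := st.Sys().(*syscall.Stat_t)
	if !ok {
		return 0, fmt.Errorf("no Unix stat data for %q", path)
	}
	return sys.Uid, nil
}

// osAdmin accepts root or any member of the "admin" group (macOS convention).
func osAdmin(uid uint32) (bool, error) {
	if uid == 0 {
		return true, nil
	}
	u, err := user.LookupId(strconv.FormatUint(uint64(uid), 10))
	if err != nil {
		return false, err
	}
	adminGrp, err := user.LookupGroup("admin")
	if err != nil {
		return false, err
	}
	gids, err := u.GroupIds()
	if err != nil {
		return false, err
	}
	for _, g := range gids {
		if g == adminGrp.Gid {
			return true, nil
		}
	}
	return false, nil
}

// mapOwner and setAdmin build lookups over constructed data for offline use.
func mapOwner(owners map[string]uint32) ownerLookup {
	return func(path string) (uint32, error) {
		if uid, ok := owners[path]; ok {
			return uid, nil
		}
		return 0, fmt.Errorf("no such entry")
	}
}

func setAdmin(admins map[uint32]bool) adminCheck {
	return func(uid uint32) (bool, error) { return admins[uid], nil }
}

func main() {
	// Constructed layout after the two chown commands in the thread: the
	// socket_vmnet dirs are root-owned, but /opt/homebrew and Cellar still
	// belong to the unprivileged (made-up) uid 501, so the walk must fail.
	owners := map[string]uint32{
		"/": 0, "/opt": 0, "/opt/homebrew": 501, "/opt/homebrew/Cellar": 501,
		"/opt/homebrew/Cellar/socket_vmnet": 0, "/opt/homebrew/Cellar/socket_vmnet/1.1.4": 0,
	}
	admins := map[uint32]bool{0: true}
	fmt.Println(validateChain("/opt/homebrew/Cellar/socket_vmnet/1.1.4", mapOwner(owners), setAdmin(admins)))
	if len(os.Args) > 1 { // same walk against the real filesystem
		fmt.Println(validateChain(os.Args[1], osOwner, osAdmin))
	}
}
```

Run without arguments it reports `dir "/opt/homebrew/Cellar" owner 501 is not an admin`, matching the third failure in the thread; pass a path as the first argument to check a real directory with the OS-backed lookups. A production check would additionally resolve symlinks before walking, which this illustration does not do.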
Hello,
With this merge request I'd like to introduce an option to relax the socket_vmnet verification logic.
Regards