Closed CMBulthuis closed 1 year ago
Hello @jandubois, when checking the contributions I noticed you worked a lot on the network integration between Rancher Desktop and Lima. I am interested in your opinion on my proposal to use launchd for vde_vmnet. Kind regards, Chris
This issue seems to be related to: #1615
@jandubois do you have any idea when you will be able to have a look at this issue?
If everything goes well, we'll have a release later this week that should allow you to run Rancher Desktop without sudo
(but also without vde_vmnet).
Starting/stopping the vmnet daemons via a privileged helper process will come later.
@jandubois do you plan to implement vmnet using launchd like my proposal or are there other plans? Depending on the ideas I can maybe help with the solution.
@CMBulthuis We don't want to use launchd, but a privileged helper process, because we may need to perform other privileged operations, e.g. creating/updating /var/run/docker.sock. We don't have that specced out yet though, and probably won't get to it until sometime in June, as we are planning some refactoring in the engine backend first.
Thank you for your offer to help, but I'm not sure how you can get started on this until we actually know how this is supposed to fit in.
If you need this for your own setup, then you should be able to do this with the upcoming 1.3.0 release by disabling administrative access and creating a ~/Library/Application\ Support/rancher-desktop/lima/_config/override.yaml file (totally untested):

```yaml
env:
  K3S_EXEC: "--flannel-iface rd0"
networks:
  - interface: rd0
    vnl: vde:///var/run/vde.ctl
```
And of course your launch daemons would have to prepare the vde interface. Note that you can use a PTP connection with vde_vmnet, so you don't need a vde_switch. In case you try this, please let me know if this actually works! 😄
@jandubois I understand your decision to create a privileged helper process. It gives more freedom to use it in other situations where elevated access is required. I will keep track of the overall Epic about sudo handling and if I see something I can help with I will get in touch.
Thanks for the advice together with version 1.3.0. Will have a look if it can help us in the meantime.
Hi @jandubois, just a check-up. Is there progress on the privileged helper process? If I can help either by testing or developing, let me know. Kind regards, Chris
@CMBulthuis I work for the same organisation and I don't seem to have (as much) issues anymore running sudoless 1.4.1 rancher desktop on my m1 mac w. Cyberark EPM, give it a try :)
Hi @CMBulthuis,
This work is currently on hold for the current release cycle, as we are doing major internal refactoring of the engine, and the GUI priority is a new modal preferences dialog that allows you to make all the settings changes you want and apply them all at once. Since some people also take time off over the summer, we don't have the capacity to work on the privileged helper stuff simultaneously.
Note that there is also new development on the Lima side, with https://github.com/lima-vm/socket_vmnet hopefully replacing vde_vmnet soon, but it is not ready yet, as it only supports a single interface per VM right now. So there are additional considerations for how the helper process needs to work to accommodate this.
Sorry for the not-so-great news, but those are the constraints. We still very much plan to do this; it is just taking a little longer than we hoped for!
That sounds good, will try it. What is your experience with networking from docker and kubernetes to your local system?
For retrieving elevated/root access on MacBooks we moved away from CyberArk EPM to another tool which also provides functionality to deal with sudoers files. I will close this issue.
Hi,
I made an Enhancement Request to CyberArk for supporting --non-interactive on EPM. Since agent 24.7, you need to open a case with CyberArk if you want to activate the support for --non-interactive, and it works :)
Problem Description
I am working at a company where security is important and we monitor root/admin usage on MacBooks using CyberArk EPM. Using a sudoers file is not possible with CyberArk EPM. With the current setup of Rancher Desktop and Lima, /private/etc/sudoers.d/zzzzz-rancher-desktop-lima is required to run the vde switch and vmnet processes. To overcome this I created a setup to run vde switch / vmnet using launchd.
Proposed Solution
Use launchd to run vde switch / vmnet.
I created a proposal for this setup which is tested on an Intel Mac without CyberArk EPM and a M1 Mac with CyberArk EPM. I am interested in your feedback, see draft pull request in my forked repository https://github.com/CMBulthuis/rancher-desktop/pull/2.
Note: The pull request is on the current version of the rancher-sandbox/rancher-desktop main branch. I can also create a pull request against the rancher-sandbox/rancher-desktop repo from my forked repo if that is the preferred method.
Additional Information
I tried removing the sudoers file zzzzz-rancher-desktop-lima, only to run into an integration issue with Lima. During stop/start of Rancher Desktop, Lima will pkill the vde vmnet and switch processes:
If the idea to use launchd is accepted I am thinking about the following additional improvements:
Preflight Checklist