Skip to content

feat: add VZVmnetNetworkDeviceAttachment support (macOS 26.0) #205

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
norio-nomura wants to merge 14 commits into
base: main
Choose a base branch
from
Open

feat: add VZVmnetNetworkDeviceAttachment support (macOS 26.0) #205

norio-nomura wants to merge 14 commits into from
+6,406 −73

Conversation

@norio-nomura
Copy link
Contributor

@norio-nomura norio-nomura commented Nov 22, 2025
edited
Loading

feat: add VZVmnetNetworkDeviceAttachment support (macOS 26.0)

VZVmnetNetworkDeviceAttachment is an API that creates vmnet devices on VMs added in macOS 26.

see: https://developer.apple.com/documentation/virtualization/vzvmnetnetworkdeviceattachment?language=objc

It does not require the com.apple.vm.networking entitlement nor root privileges.
HostMode and SharedMode are supported.
In order for multiple VMs to communicate with each other in SharedMode, they must be started in the same executable and the same VmnetNetwork must be passed to NewVmnetNetworkDeviceAttachment() to create an attachment.

This change adds:

  • vz.VmnetNetworkDeviceAttachment represents VZVmnetNetworkDeviceAttachment in Go

  • vmnet package to use vmnet APIs that added on macOS 26.0

    • Return represents vmnet_return_t as error
      • ErrSuccess, ErrFailure, ...
    • Mode represents operating_modes_t
      • HostMode, SharedMode
    • NetworkConfiguration represents vmnet_network_configuration_t
    • Network represents vmnet_network_ref
    • Interface represents interface_ref
    • *FileAdaptorForInterfaces support File Handle based network device APIs on QEMU, krunkit, and vz.NewFileHandleNetworkDeviceAttachment

  • vz_test.TestVmnetSharedModeAllowsCommunicationBetweenMultipleVMs

  • vz_test.TestVmnetSharedModeWithConfiguringIPv4

  • pkg/xpc package that providing <xpc/xpc.h> APIs to support implementing Mach service server and client

  • vz_test.TestVmnetNetworkShareModeSharingOverXpc
    TestVmnetNetworkShareModeSharingOverXpc tests sharing vmnet.Network in SharedMode over XPC communication.
    This test registers test executable as an Mach service and launches it using launchctl.
    The launched Mach service provides vmnet.Network serialization to clients upon request, after booting
    a VM using the provided vmnet.Network to ensure the network is functional on the server side.
    The client boots VM using the provided vmnet.Network serialization.

Edit: on macOS 26.2, "the same executable" restriction seems to be relaxed.

  • VZVmnetNetworkDeviceAttachment seems to allow connecting to subnet created by a different executable.
  • vmnet_interface_start_with_network seems to allow connecting to subnet created by an executable at same path? (may changing CDHash not affect?)
  • I don't know how far the restrictions have been relaxed.

Which issue(s) this PR fixes:

Mentioned in #198 (comment)

@norio-nomura norio-nomura changed the title feat: add VmnetNetworkDeviceAttachment support (macOS 26.0) feat: add VZVmnetNetworkDeviceAttachment support (macOS 26.0) Nov 22, 2025
@norio-nomura norio-nomura force-pushed the feat-add-vmnet-network-device-attachment branch 2 times, most recently from 6617c8f to 6a1f741 Compare November 22, 2025 12:34
norio-nomura added a commit to norio-nomura/lima that referenced this pull request Nov 22, 2025
@norio-nomura
feat: add VZVmnetNetworkDeviceAttachment support on macOS 26+
07eebec 
Based on `VMNET_SHARED_MODE`, and `VMNET_HOST_MODE`
```yaml
networks:
- vzShared: true
- vzHost: true
```
But, to sharing network between multiple VMs, `VZVmnetNetworkDeviceAttachment` requires VMs are launched by same process.

It depends on Code-Hex/vz#205

Signed-off-by: Norio Nomura <[email protected]>
@norio-nomura norio-nomura mentioned this pull request Nov 22, 2025
Draft
AkihiroSuda
AkihiroSuda reviewed Nov 22, 2025
View reviewed changes
@nirs
Copy link

nirs commented Nov 24, 2025

This can be used by multiple processes like this:

  1. Start a network process create the vmnet_network_ref, starting a xpc listener
  2. Start vm process, obtaining the vmnet_network_ref from the xpc server
  3. Start more vms using same vmnet_network_ref...
  4. Wait until vms exit
  5. Terminate network process

@norio-nomura norio-nomura force-pushed the feat-add-vmnet-network-device-attachment branch from 5a7a116 to 72cc1d4 Compare November 26, 2025 02:58
@norio-nomura
Copy link
Contributor Author

norio-nomura commented Nov 28, 2025

This can be used by multiple processes like this:

In this procedure, I confirmed that VMs launched from multiple processes can share networks with each other. 👍🏻
It seems that it can be reproduced in the unit test, so I will try to make a unit test.

@norio-nomura norio-nomura force-pushed the feat-add-vmnet-network-device-attachment branch from 72cc1d4 to 9506cbd Compare December 2, 2025 03:56
@norio-nomura
Copy link
Contributor Author

norio-nomura commented Dec 2, 2025

It seems that it can be reproduced in the unit test, so I will try to make a unit test.

Added unit test and pkg/xpc.

@norio-nomura norio-nomura marked this pull request as draft December 2, 2025 04:01
@norio-nomura
Copy link
Contributor Author

norio-nomura commented Dec 2, 2025
edited
Loading

Added unit test and pkg/xpc.

I'll try this added xpc package with lima to make it work. Until then, it's a draft.

@norio-nomura norio-nomura force-pushed the feat-add-vmnet-network-device-attachment branch 5 times, most recently from 7bf24c1 to 007c2a5 Compare December 3, 2025 07:26
norio-nomura added a commit to norio-nomura/lima that referenced this pull request Dec 3, 2025
@norio-nomura
feat: add VZVmnetNetworkDeviceAttachment support on macOS 26+
8125323 
Based on `VMNET_SHARED_MODE`, and `VMNET_HOST_MODE`
```yaml
networks:
- vzShared: true
- vzHost: true
```
But, to sharing network between multiple VMs, `VZVmnetNetworkDeviceAttachment` requires VMs are launched by same process.

It depends on Code-Hex/vz#205

Signed-off-by: Norio Nomura <[email protected]>
@norio-nomura norio-nomura force-pushed the feat-add-vmnet-network-device-attachment branch 2 times, most recently from aba95bd to ba619f5 Compare December 4, 2025 03:51
@norio-nomura norio-nomura force-pushed the feat-add-vmnet-network-device-attachment branch 2 times, most recently from d3fad75 to 7a58378 Compare December 15, 2025 03:39
norio-nomura added a commit to norio-nomura/lima that referenced this pull request Dec 15, 2025
@norio-nomura
feat: add VZVmnetNetworkDeviceAttachment support on macOS 26+
0f6d2d9 
Based on `VMNET_SHARED_MODE`, and `VMNET_HOST_MODE`
```yaml
networks:
- vzShared: true
- vzHost: true
```
But, to sharing network between multiple VMs, `VZVmnetNetworkDeviceAttachment` requires VMs are launched by same process.

It depends on Code-Hex/vz#205

Signed-off-by: Norio Nomura <[email protected]>
@norio-nomura norio-nomura force-pushed the feat-add-vmnet-network-device-attachment branch from 7a58378 to 33858c0 Compare December 16, 2025 14:25
nirs
nirs reviewed Dec 16, 2025
View reviewed changes
Copy link

@nirs nirs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did not review most of this change, just the stange part of about marking bridged mode as depracated.

nirs
nirs reviewed Dec 16, 2025
View reviewed changes
@norio-nomura norio-nomura force-pushed the feat-add-vmnet-network-device-attachment branch from f048f6e to 3b512d7 Compare December 17, 2025 00:10
norio-nomura added a commit to norio-nomura/lima that referenced this pull request Dec 17, 2025
@norio-nomura
feat: add VZVmnetNetworkDeviceAttachment support on macOS 26+
8ef8be5 
Based on `VMNET_SHARED_MODE`, and `VMNET_HOST_MODE`
```yaml
networks:
- vzShared: true
- vzHost: true
```
But, to sharing network between multiple VMs, `VZVmnetNetworkDeviceAttachment` requires VMs are launched by same process.

It depends on Code-Hex/vz#205

Signed-off-by: Norio Nomura <[email protected]>
@norio-nomura norio-nomura marked this pull request as ready for review December 17, 2025 05:20
@norio-nomura
xpc: Use internal/objc
826b088 
Signed-off-by: Norio Nomura <[email protected]>
@norio-nomura
Copy link
Contributor Author

norio-nomura commented Jan 5, 2026
edited
Loading

I'll add:

nirs
nirs reviewed Jan 6, 2026
View reviewed changes
vmnet/vmnet_darwin.go
// This is only supported on macOS 26 and newer, error will be returned on older versions.
// - https://developer.apple.com/documentation/vmnet/vmnet_network_create_with_serialization(_:_:)?language=objc
func NewNetworkWithSerialization(serialization unsafe.Pointer) (*Network, error) {
func NewNetworkWithSerialization(serialization xpc.Object) (*Network, error) {
Copy link

@nirs nirs Jan 6, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With this change, if I have xpc_object_t I got from a xpc service, I need to wrap it like this, right?

// serialization is xpc_object_t
network, err := NewNetworkWithSerialization(xpc.NewObject(serialization))

So we did not really got rid of the unsafe.Pointer - I think we cannot avoid this since this is the only way to integrate with code retuning xpc_object_t. The vmnet interface vment_network_create_with_serialization() accepts xpc_object_t so we cannot implement it without accepting xpc_object.

But I think this wrapping makes sense to minimize the scope of a raw xpc_object_t.

@norio-nomura @Code-Hex ?

nirs added a commit to nirs/vmnet-broker that referenced this pull request Jan 6, 2026
@nirs
go: Update to latest github.com/norio-nomura/vz
2355b93 
Update to consume API changes in the vz PR[1] commit[2].

- vment.NewNetworkWithSerialization() accepts now xpc.Object interface
  instead of xpc_object_t. We can wrap the raw xpc_object_t with
  xpc.NewObject().
- Updated dependencies

[1] Code-Hex/vz#205
[2] norio-nomura/vz@9c98b6b
nirs added a commit to nirs/vmnet-broker that referenced this pull request Jan 6, 2026
@nirs
go: Update to latest github.com/norio-nomura/vz
d62e938 
Update to consume API changes in the vz PR[1] commit[2].

- vment.NewNetworkWithSerialization() accepts now xpc.Object interface
  instead of xpc_object_t. We can wrap the raw xpc_object_t with
  xpc.NewObject().
- Updated dependencies

[1] Code-Hex/vz#205
[2] norio-nomura/vz@9c98b6b
@nirs
Copy link

nirs commented Jan 6, 2026

I tested the latest version, it works for me.

@norio-nomura
xpc: Change Fd from int to uintptr
2e2d3a7 
Signed-off-by: Norio Nomura <[email protected]>
@norio-nomura
xpc: Remove calling ReleaseOnCleanup() in xpcObject.retain()
3a32863 
Call `ReleaseOnCleanup()` explicitly if needed.

Signed-off-by: Norio Nomura <[email protected]>
@norio-nomura norio-nomura force-pushed the feat-add-vmnet-network-device-attachment branch 4 times, most recently from 16c89d9 to c68bc89 Compare January 10, 2026 00:17
nirs added a commit to nirs/vmnet-broker that referenced this pull request Jan 10, 2026
@nirs
go: Update to latest github.com/norio-nomura/vz
4f88a89 
Update to consume API changes in the vz PR[1] commit[2].

- vment.Network.Raw() removed

[1] Code-Hex/vz#205
[2] norio-nomura/vz@c68bc89
@norio-nomura norio-nomura force-pushed the feat-add-vmnet-network-device-attachment branch from c68bc89 to f92e6f3 Compare January 14, 2026 07:04
norio-nomura added a commit to norio-nomura/lima that referenced this pull request Jan 14, 2026
@norio-nomura
feat: add VZVmnetNetworkDeviceAttachment support on macOS 26+
cf7420a 
Based on `VMNET_SHARED_MODE`, and `VMNET_HOST_MODE`
```yaml
networks:
- vzShared: true
- vzHost: true
```
But, to sharing network between multiple VMs, `VZVmnetNetworkDeviceAttachment` requires VMs are launched by same process.

It depends on Code-Hex/vz#205

Signed-off-by: Norio Nomura <[email protected]>
@norio-nomura
Copy link
Contributor Author

norio-nomura commented Jan 14, 2026

I think the approximately necessary APIs have been added.
Do I need to add tests to the xpc package?

@Code-Hex
Copy link
Owner

Code-Hex commented Jan 14, 2026

@norio-nomura Does the xpc package need to be public? If it fits within internal, I don't think we need to add tests.

@norio-nomura
Copy link
Contributor Author

norio-nomura commented Jan 14, 2026

@norio-nomura Does the xpc package need to be public? If it fits within internal, I don't think we need to add tests.

It depends on the xpc package to make MachService at lima-vm/lima#4394.
The xpc package realizes the sharing of vmnet.Network serialization and the sharing of File Descriptor used to communicate with vmnet.Interface.

@nirs
Copy link

nirs commented Jan 14, 2026

@norio-nomura Does the xpc package need to be public? If it fits within internal, I don't think we need to add tests.

We need the xpc.NewObject() for creating a vment_network_ref with serialization. Here is an example usage in vmnet-broker test vm:
https://github.com/nirs/vmnet-broker/blob/6ba05b6ba38b15524c5cb833f223e0b91aa70376/go/cmd/test.go#L197

If vmnet.NewNetworkWithSerialization() will accept xpc_object_t (unsafe.Pointer), the xpc package is not needed in this project and can be part of Lima or available as separate package.

@norio-nomura
Copy link
Contributor Author

norio-nomura commented Jan 15, 2026

Unit tests added to xpc.
Previously, when I tried vmnet_network_configuration_add_port_forwarding_rule, it didn't work well, so vmnet_interface_add_ip_port_forwarding_rule related to Interface has not been implemented, but I want to make it a separate PR to support them in the future.

@norio-nomura norio-nomura marked this pull request as ready for review January 15, 2026 00:56
norio-nomura added a commit to norio-nomura/lima that referenced this pull request Jan 15, 2026
@norio-nomura
feat: add VZVmnetNetworkDeviceAttachment support on macOS 26+
899c69d 
Based on `VMNET_SHARED_MODE`, and `VMNET_HOST_MODE`
```yaml
networks:
- vzShared: true
- vzHost: true
```
But, to sharing network between multiple VMs, `VZVmnetNetworkDeviceAttachment` requires VMs are launched by same process.

It depends on Code-Hex/vz#205

Signed-off-by: Norio Nomura <[email protected]>

# Conflicts:
#	go.sum
@norio-nomura
vmnet: Add Interface related APIs and *FileAdaptorForInterfaces
866d700 
Signed-off-by: Norio Nomura <[email protected]>

`vmnet`: Fix golangci-lint-v2 violations

Signed-off-by: Norio Nomura <[email protected]>

`vmnet`: if iface.EnableVirtioHeader { packetSize += virtioNetHdrSize }

Signed-off-by: Norio Nomura <[email protected]>
@norio-nomura
vmnet: Remove object
50b9c97 
Signed-off-by: Norio Nomura <[email protected]>
@norio-nomura
vmnet_test.go: Add vmnet.Datagram*FileAdaptorForInterface to test
c0692d9 
Use `*FileAdaptorForInterface` APIs in `TestVmnetSharedModeAllowsCommunicationBetweenMultipleVMs`:
- `vmnet.DatagramFileAdaptorForInterface`
- `vmnet.DatagramNextFileAdaptorForInterface`
Since they are compatible with `vz.NewFileHandleNetworkDeviceAttachment`.

Signed-off-by: Norio Nomura <[email protected]>
@norio-nomura
xpc: Add unit tests
7420c05 
- Fix `NewArray` with empty slices.
- Change `New*` to return actual typed instance instead of `Object`

Signed-off-by: Norio Nomura <[email protected]>
@norio-nomura norio-nomura force-pushed the feat-add-vmnet-network-device-attachment branch from 701968f to 7420c05 Compare January 16, 2026 04:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Code-Hex Code-Hex Code-Hex left review comments

@AkihiroSuda AkihiroSuda AkihiroSuda left review comments

+1 more reviewer

@nirs nirs nirs left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@norio-nomura @nirs @AkihiroSuda @Code-Hex