Implement vde_vmnet management

Lima uses ~/.lima/_config/networks.yaml to define managed networks
for instances. By default "shared", "bridged", and "host" are defined.
They can be referenced from `lima.yaml` via e.g. `lima://shared`.

The networks will be automatically started by lime as long as any
instance referencing them are running, and once the last instance
using a network is stopped, the network is brought down as well.

A new command `limactl sudoers` can be used to write a sudoers file
to allow lima to start/stop the daemons via `sudo`. Lima does not
support prompting for a sudo password; either the sudoers file must
be maintained, or the user must have password-less sudo configured.

Every time the `networks.yaml` configuration is changed, the sudoers
file must be regenerated to match.

Signed-off-by: Jan Dubois <[email protected]>

Author: jandubois

cmd/limactl/delete.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/lima-vm/lima/pkg/networks"
 	"github.com/lima-vm/lima/pkg/store"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -42,7 +43,7 @@ func deleteAction(cmd *cobra.Command, args []string) error {
 		}
 		logrus.Infof("Deleted %q (%q)", instName, inst.Dir)
 	}
-	return nil
+	return networks.Reconcile(cmd.Context(), "")
 }
 
 func deleteInstance(inst *store.Instance, force bool) error {

cmd/limactl/main.go

@@ -5,6 +5,7 @@ import (
 	"os"
 	"strings"
 
+	"github.com/lima-vm/lima/pkg/store"
 	"github.com/lima-vm/lima/pkg/version"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -38,6 +39,11 @@ func newApp() *cobra.Command {
 		if os.Geteuid() == 0 {
 			return errors.New("must not run as the root")
 		}
+		// Make sure either $HOME or $LIMA_HOME is defined, so we don't need
+		// to check for errors later
+		if _, err := store.LimaDir(); err != nil {
+			return err
+		}
 		return nil
 	}
 	rootCmd.AddCommand(
@@ -48,6 +54,7 @@ func newApp() *cobra.Command {
 		newListCommand(),
 		newDeleteCommand(),
 		newValidateCommand(),
+		newSudoersCommand(),
 		newPruneCommand(),
 		newHostagentCommand(),
 	)

cmd/limactl/start.go

@@ -12,6 +12,7 @@ import (
 	"github.com/AlecAivazis/survey/v2"
 	"github.com/containerd/containerd/identifiers"
 	"github.com/lima-vm/lima/pkg/limayaml"
+	"github.com/lima-vm/lima/pkg/networks"
 	"github.com/lima-vm/lima/pkg/osutil"
 	"github.com/lima-vm/lima/pkg/start"
 	"github.com/lima-vm/lima/pkg/store"
@@ -228,6 +229,10 @@ func startAction(cmd *cobra.Command, args []string) error {
 		logrus.Warnf("expected status %q, got %q", store.StatusStopped, inst.Status)
 	}
 	ctx := cmd.Context()
+	err = networks.Reconcile(ctx, inst.Name)
+	if err != nil {
+		return err
+	}
 	return start.Start(ctx, inst)
 }
 

cmd/limactl/stop.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	hostagentapi "github.com/lima-vm/lima/pkg/hostagent/api"
+	"github.com/lima-vm/lima/pkg/networks"
 	"github.com/lima-vm/lima/pkg/store"
 	"github.com/lima-vm/lima/pkg/store/filenames"
 	"github.com/sirupsen/logrus"
@@ -47,10 +48,14 @@ func stopAction(cmd *cobra.Command, args []string) error {
 	}
 	if force {
 		stopInstanceForcibly(inst)
-		return nil
+	} else {
+		err = stopInstanceGracefully(inst)
 	}
-
-	return stopInstanceGracefully(inst)
+	// TODO: should we also reconcile networks if graceful stop returned an error?
+	if err == nil {
+		err = networks.Reconcile(cmd.Context(), "")
+	}
+	return err
 }
 
 func stopInstanceGracefully(inst *store.Instance) error {

cmd/limactl/sudoers.go

@@ -0,0 +1,56 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"github.com/lima-vm/lima/pkg/networks"
+	"github.com/spf13/cobra"
+)
+
+func newSudoersCommand() *cobra.Command {
+	sudoersCommand := &cobra.Command{
+		Use:               "sudoers [SUDOERSFILE]",
+		Short:             "Generate /etc/sudoers.d/lima file.",
+		Args:              cobra.MaximumNArgs(1),
+		RunE:              sudoersAction,
+	}
+	sudoersCommand.Flags().Bool("check", false,
+		"check that the sudoers file is up-to-date with $LIMA_HOME/_config/networks.yaml")
+	return sudoersCommand
+}
+
+func sudoersAction(cmd *cobra.Command, args []string) error {
+	check, err := cmd.Flags().GetBool("check")
+	if err != nil {
+		return err
+	}
+	if check	{
+		var file string
+		switch len(args) {
+		case 0:
+			config, err := networks.Config()
+			if err != nil {
+				return err
+			}
+			file = config.Paths.Sudoers
+			if file == "" {
+				return errors.New("no sudoers file defined in ~/.lima/_config/networks.yaml")
+			}
+		case 1:
+			file = args[0]
+		default:
+			return errors.New("can check only a single sudoers file")
+		}
+		if err := networks.CheckSudoers(file); err != nil {
+			return err
+		}
+		fmt.Printf("%q is up-to-date\n", file)
+		return nil
+	}
+	sudoers, err := networks.Sudoers()
+	if err != nil {
+		return err
+	}
+	fmt.Print(sudoers)
+	return nil
+}

pkg/limayaml/validate.go

@@ -177,7 +177,14 @@ func validateNetwork(yNetwork Network) error {
 		// The field is called VDE.VNL in anticipation of QEMU upgrading VDE2 to VDEplug4,
 		// but right now the only valid value on macOS is a path to the vde_switch socket directory,
 		// optionally with vde:// prefix.
-		if !strings.Contains(vde.VNL, "://") || strings.HasPrefix(vde.VNL, "vde://") {
+		// TODO: use networks.LimaSchema after solving circular dependency
+		if strings.HasPrefix(vde.VNL, "lima://") {
+			// TODO: validate network names? Problem is we can't use "networks" or "store" packages here...
+			//name := strings.TrimPrefix(vde.VNL, networks.LimaScheme)
+			//if _, ok := networkConfig.Networks[name]; !ok {
+			//	return fmt.Errorf("field `%s.vnl` references undefined network %q", field, name)
+			//}
+		} else if !strings.Contains(vde.VNL, "://") || strings.HasPrefix(vde.VNL, "vde://") {
 			vdeSwitch := strings.TrimPrefix(vde.VNL, "vde://")
 			if fi, err := os.Stat(vdeSwitch); err != nil {
 				// negligible when the instance is stopped

pkg/networks/commands.go

@@ -0,0 +1,84 @@
+package networks
+
+import (
+	"fmt"
+	"github.com/lima-vm/lima/pkg/store"
+)
+
+const (
+	Switch = "switch"
+	VMNet  = "vmnet"
+)
+
+// Commands in `sudoers` cannot use quotes, so all arguments are printed via "%s"
+// and not "%q". config.Paths.* entries must not include any whitespace!
+
+func (config *NetworksConfig) Check(name string) error {
+	if _, ok := config.Networks[name]; ok {
+		return nil
+	}
+	return fmt.Errorf("network %q is not defined", name)
+}
+
+func (config *NetworksConfig) VDESock(name string) string {
+	return fmt.Sprintf("%s/%s.ctl", config.Paths.VarRun, name)
+}
+
+func (config *NetworksConfig) PIDFile(name, daemon string) string {
+	return fmt.Sprintf("%s/%s_%s.pid", config.Paths.VarRun, name, daemon)
+}
+
+func (config *NetworksConfig) LogFile(name, daemon, stream string) string {
+	networksDir, _ := store.LimaNetworksDir()
+	return fmt.Sprintf("%s/%s_%s.%s.log", networksDir, name, daemon, stream)
+}
+
+func (config *NetworksConfig) DaemonUser(daemon string) string {
+	switch daemon {
+	case Switch:
+		return "daemon"
+	case VMNet:
+		return "root"
+	}
+	panic("daemonuser")
+}
+
+func (config *NetworksConfig) DaemonGroup(daemon string) string {
+	switch daemon {
+	case Switch:
+		return config.Group
+	case VMNet:
+		return "wheel"
+	}
+	panic("daemongroup")
+}
+
+func (config *NetworksConfig) MkdirCmd() string {
+	return fmt.Sprintf("/bin/mkdir -m 775 -p %s", config.Paths.VarRun)
+}
+
+func (config *NetworksConfig) StartCmd(name, daemon string) string {
+	var cmd string
+	switch daemon {
+	case Switch:
+		cmd = fmt.Sprintf("%s --pidfile=%s --sock=%s --group=%s --dirmode=0770 --nostdin",
+			config.Paths.VDESwitch, config.PIDFile(name, Switch), config.VDESock(name), config.Group)
+	case VMNet:
+		nw := config.Networks[name]
+		cmd = fmt.Sprintf("%s --pidfile=%s --vde-group=%s --vmnet-mode=%s",
+			config.Paths.VDEVMNet, config.PIDFile(name, VMNet), config.Group, nw.Mode)
+		switch nw.Mode {
+		case ModeBridged:
+			cmd += fmt.Sprintf(" --vmnet-interface=%s", nw.Interface)
+		case ModeHost, ModeShared:
+			cmd += fmt.Sprintf(" --vmnet-gateway=%s --vmnet-dhcp-end=%s --vmnet-mask=%s",
+				nw.Gateway, nw.DHCPEnd, nw.NetMask)
+		}
+		cmd += " " + config.VDESock(name)
+	}
+	return cmd
+}
+
+func (config *NetworksConfig) StopCmd(name, daemon string) string {
+	return fmt.Sprintf("/usr/bin/pkill -F %s", config.PIDFile(name, daemon))
+}

pkg/networks/config.go

@@ -0,0 +1,81 @@
+package networks
+
+import (
+	_ "embed"
+	"errors"
+	"fmt"
+	"gopkg.in/yaml.v2"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+
+	"github.com/lima-vm/lima/pkg/store"
+	"github.com/lima-vm/lima/pkg/store/filenames"
+)
+
+//go:embed networks.yaml
+var defaultConfig []byte
+
+var cache struct {
+	sync.Once
+	config NetworksConfig
+	err    error
+}
+
+// load() loads the _config/networks.yaml file.
+func load() {
+	cache.Do(func() {
+		var configDir string
+		configDir, cache.err = store.LimaConfigDir()
+		if cache.err != nil {
+			return
+		}
+		configFile := filepath.Join(configDir, filenames.NetworksConfig)
+		_, cache.err = os.Stat(configFile)
+		if cache.err != nil {
+			if !errors.Is(cache.err, os.ErrNotExist) {
+				return
+			}
+			cache.err = os.MkdirAll(configDir, 0700)
+			if cache.err != nil {
+				cache.err = fmt.Errorf("could not create %q directory: %w", configDir, cache.err)
+				return
+			}
+			cache.err = os.WriteFile(configFile, defaultConfig, 0644)
+			if cache.err != nil {
+				return
+			}
+		}
+		var b []byte
+		b, cache.err = os.ReadFile(configFile)
+		if cache.err != nil {
+			return
+		}
+		cache.err = yaml.Unmarshal(b, &cache.config)
+		if cache.err != nil {
+			cache.err = fmt.Errorf("cannot parse %q: %w", configFile, cache.err)
+		}
+	})
+}
+
+// Config returns the network config from the _config/networks.yaml file.
+func Config() (NetworksConfig, error) {
+	load()
+	return cache.config, cache.err
+}
+
+func VDESock(name string) (string, error) {
+	if strings.HasPrefix(name, LimaScheme) {
+		load()
+		if cache.err != nil {
+			return "", cache.err
+		}
+		name = strings.TrimPrefix(name, LimaScheme)
+		if err := cache.config.Check(name); err != nil {
+			return "", err
+		}
+		return cache.config.VDESock(name), nil
+	}
+	return name, nil
+}

pkg/networks/networks.go

@@ -0,0 +1,34 @@
+package networks
+
+import "net"
+
+const (
+	LimaScheme = "lima://"
+)
+
+type NetworksConfig struct {
+	Paths    Paths              `yaml:"paths"`
+	Group    string             `yaml:"group,omitempty"` // default: "staff"
+	Networks map[string]Network `yaml:"networks"`
+}
+
+type Paths struct {
+	VDESwitch string `yaml:"vdeSwitch"`
+	VDEVMNet  string `yaml:"vdeVMNet"`
+	VarRun    string `yaml:"varRun"`
+	Sudoers   string `yaml:"sudoers"`
+}
+
+const (
+	ModeHost    = "host"
+	ModeShared  = "shared"
+	ModeBridged = "bridged"
+)
+
+type Network struct {
+	Mode      string `yaml:"mode"`                // "host", "shared", or "bridged"
+	Interface string `yaml:"interface,omitempty"` // only used by "bridged" networks
+	Gateway   net.IP `yaml:"gateway,omitempty"`   // only used by "host" and "shared" networks
+	DHCPEnd   net.IP `yaml:"dhcpEnd,omitempty"`   // default: same as Gateway, last byte is 254
+	NetMask   net.IP `yaml:"netmask,omitempty"`   // default: 255.255.255.0
+}

pkg/networks/networks.yaml

@@ -0,0 +1,30 @@
+# Paths to vde executables. Because vde_vmnet is invoked via sudo it should be
+# installed where only root can modify/replace it. This means also none of the
+# parent directories should be writable by the user.
+#
+# The var_run directory also must not be writable by the user because it will
+# include the vde_vmnet pid files. Those will be terminated via sudo, so replacing
+# the pid files would allow killing of arbitrary privileged processes.
+paths:
+  vdeSwitch: /opt/vde/bin/vde_switch
+  vdeVMNet: /opt/vde/bin/vde_vmnet
+  varRun: /var/run/lima
+  sudoers: /etc/sudoers.d/lima
+
+group: staff
+
+networks:
+  shared:
+    mode: shared
+    gateway: 192.168.105.1
+    dhcpEnd: 192.168.105.254
+    netmask: 255.255.255.0
+  bridged:
+    mode: bridged
+    interface: en0
+    # bridged mode doesn't have a gateway; dhcp is managed by outside network
+  host:
+    mode: host
+    gateway: 192.168.106.1
+    dhcpEnd: 192.168.106.254
+    netmask: 255.255.255.0