Add documentation about managed networks

jandubois · jandubois · commit a4920c1907fa · 2021-09-19T18:41:17.000-07:00
Signed-off-by: Jan Dubois &lt;jan.dubois@suse.com&gt;
diff --git a/docs/network.md b/docs/network.md
@@ -28,21 +28,89 @@ the host and other guests.
 To enable `vde_vmnet` (in addition the user-mode network), add the following lines to the YAML after installing `vde_vmnet`.
 
 ```yaml
-network:
-  # The instance can get routable IP addresses from the vmnet framework using
-  # https://github.com/lima-vm/vde_vmnet. Both vde_switch and vde_vmnet
-  # daemons must be running before the instance is started. The interface type
-  # (host, shared, or bridged) is configured in vde_vmnet and not lima.
-  vde:
-    # vnl (virtual network locator) points to the vde_switch socket directory,
-    # optionally with vde:// prefix
-    - vnl: "vde:///var/run/vde.ctl"
-      # MAC address of the instance; lima will pick one based on the instance name,
-      # so DHCP assigned ip addresses should remain constant over instance restarts.
-      macAddress: ""
-      # Interface name, defaults to "vde0", "vde1", etc.
-      name: ""
+networks:
+  # vnl (virtual network locator) points to the vde_switch socket directory,
+  # optionally with vde:// prefix
+  # - vnl: "vde:///var/run/vde.ctl"
+  #   # VDE Switch port number (not TCP/UDP port number). Set to 65535 for PTP mode.
+  #   # Default: 0
+  #   switchPort: 0
+  #   # MAC address of the instance; lima will pick one based on the instance name,
+  #   # so DHCP assigned ip addresses should remain constant over instance restarts.
+  #   macAddress: ""
+  #   # Interface name, defaults to "lima0", "lima1", etc.
+  #   interface: ""
 ```
 
 The IP address range is typically `192.168.105.0/24`, but depends on the configuration of `vde_vmnet`.
 See [the documentation of `vde_vmnet`](https://github.com/lima-vm/vde_vmnet) for further information.
+
+## Managed VMNet networks (via vde_vmnet)
+
+Starting with version v0.7.0 lima can manage the networking daemons automatically. Networks are defined in
+`$LIMA_HOME/_config/networks.yaml`. If this file doesn't already exist, it will be created with these default
+settings:
+
+```yaml
+# Paths to vde executables. Because vde_vmnet is invoked via sudo it should be
+# installed where only root can modify/replace it. This means also none of the
+# parent directories should be writable by the user.
+#
+# The varRun directory also must not be writable by the user because it will
+# include the vde_vmnet pid files. Those will be terminated via sudo, so replacing
+# the pid files would allow killing of arbitrary privileged processes. varRun
+# however MUST be writable by the daemon user.
+#
+# None of the paths segments may be symlinks, why it has to be /private/var
+# instead of /var etc.
+paths:
+  vdeSwitch: /opt/vde/bin/vde_switch
+  vdeVMNet: /opt/vde/bin/vde_vmnet
+  varRun: /private/var/run/lima
+  sudoers: /private/etc/sudoers.d/lima
+
+group: staff
+
+networks:
+  shared:
+    mode: shared
+    gateway: 192.168.105.1
+    dhcpEnd: 192.168.105.254
+    netmask: 255.255.255.0
+  bridged:
+    mode: bridged
+    interface: en0
+    # bridged mode doesn't have a gateway; dhcp is managed by outside network
+  host:
+    mode: host
+    gateway: 192.168.106.1
+    dhcpEnd: 192.168.106.254
+    netmask: 255.255.255.0
+```
+
+Instances can then reference these networks from their `lima.yaml` file:
+
+```yaml
+networks:
+  # Lima can manage daemons for networks defined in $LIMA_HOME/_config/networks.yaml
+  # automatically. Both vde_switch and vde_vmnet binaries must be installed into
+  # secure locations only alterable by the "root" user.
+  # - lima: shared
+  #   # MAC address of the instance; lima will pick one based on the instance name,
+  #   # so DHCP assigned ip addresses should remain constant over instance restarts.
+  #   macAddress: ""
+  #   # Interface name, defaults to "lima0", "lima1", etc.
+  #   interface: ""
+```
+
+The network daemons are started automatically when the first instance referencing them is started,
+and will stop automatically once the last instance has stopped. Daemon logs will be stored in the
+`$LIMA_HOME/_networks` directory.
+
+Since the commands to start and stop the `vde_vmnet` daemon requires root, the user either must
+have password-less `sudo` enabled, or add the required commands to a `sudoers` file. This can
+be done via:
+
+```shell
+limactl sudoers | sudo tee /etc/sudoers.d/lima
+```
diff --git a/pkg/limayaml/default.yaml b/pkg/limayaml/default.yaml
@@ -121,23 +121,34 @@ video:
   # Default: "none"
   display: "none"
 
-network:
-  # The instance can get routable IP addresses from the vmnet framework using
-  # https://github.com/lima-vm/vde_vmnet. Both vde_switch and vde_vmnet
-  # daemons must be running before the instance is started. The interface type
-  # (host, shared, or bridged) is configured in vde_vmnet and not lima.
-  vde:
-    # vnl (virtual network locator) points to the vde_switch socket directory,
-    # optionally with vde:// prefix
-    # - vnl: "vde:///var/run/vde.ctl"
-    #   # VDE Switch port number (not TCP/UDP port number). Set to 65535 for PTP mode.
-    #   # Default: 0
-    #   switchPort: 0
-    #   # MAC address of the instance; lima will pick one based on the instance name,
-    #   # so DHCP assigned ip addresses should remain constant over instance restarts.
-    #   macAddress: ""
-    #   # Interface name, defaults to "vde0", "vde1", etc.
-    #   name: ""
+# The instance can get routable IP addresses from the vmnet framework using
+# https://github.com/lima-vm/vde_vmnet.
+networks:
+  # Lima can manage daemons for networks defined in $LIMA_HOME/_config/networks.yaml
+  # automatically. Both vde_switch and vde_vmnet binaries must be installed into
+  # secure locations only alterable by the "root" user.
+  # - lima: shared
+  #   # MAC address of the instance; lima will pick one based on the instance name,
+  #   # so DHCP assigned ip addresses should remain constant over instance restarts.
+  #   macAddress: ""
+  #   # Interface name, defaults to "lima0", "lima1", etc.
+  #   interface: ""
+  #
+  # Lima can also connect to "unmanaged" vde networks addressed by "vnl". This
+  # means that the daemons will not be controlled by Lima, but must be started
+  # before the instance.  The interface type (host, shared, or bridged) is
+  # configured in vde_vmnet and not in lima.
+  # vnl (virtual network locator) points to the vde_switch socket directory,
+  # optionally with vde:// prefix
+  # - vnl: "vde:///var/run/vde.ctl"
+  #   # VDE Switch port number (not TCP/UDP port number). Set to 65535 for PTP mode.
+  #   # Default: 0
+  #   switchPort: 0
+  #   # MAC address of the instance; lima will pick one based on the instance name,
+  #   # so DHCP assigned ip addresses should remain constant over instance restarts.
+  #   macAddress: ""
+  #   # Interface name, defaults to "lima0", "lima1", etc.
+  #   interface: ""
 
 # Port forwarding rules. Forwarding between ports 22 and ssh.localPort cannot be overridden.
 # Rules are checked sequentially until the first one matches.
diff --git a/pkg/networks/networks.yaml b/pkg/networks/networks.yaml
@@ -2,9 +2,13 @@
 # installed where only root can modify/replace it. This means also none of the
 # parent directories should be writable by the user.
 #
-# The var_run directory also must not be writable by the user because it will
+# The varRun directory also must not be writable by the user because it will
 # include the vde_vmnet pid files. Those will be terminated via sudo, so replacing
-# the pid files would allow killing of arbitrary privileged processes.
+# the pid files would allow killing of arbitrary privileged processes. varRun
+# however MUST be writable by the daemon user.
+#
+# None of the paths segments may be symlinks, why it has to be /private/var
+# instead of /var etc.
 paths:
   vdeSwitch: /opt/vde/bin/vde_switch
   vdeVMNet: /opt/vde/bin/vde_vmnet
