Only validate networks.yaml when a managed network is used

jandubois · jandubois · commit e1d81d2d3f34 · 2021-09-16T13:51:41.000-07:00
This allows running lima with the default networks.yaml even
when the vde daemons are not installed.

Similarly, don't throw an error when the sudoers file does not
exist as long as password-less sudo seems to work.

Signed-off-by: Jan Dubois &lt;jan.dubois@suse.com&gt;
diff --git a/cmd/limactl/sudoers.go b/cmd/limactl/sudoers.go
@@ -46,10 +46,17 @@ func sudoersAction(cmd *cobra.Command, args []string) error {
 		default:
 			return errors.New("can check only a single sudoers file")
 		}
-		if err := networks.CheckSudoers(file); err != nil {
+		config, err := networks.Config()
+		if err != nil {
 			return err
 		}
-		fmt.Printf("%q is up-to-date\n", file)
+		if err := config.Validate(); err != nil {
+			return err
+		}
+		if err := config.VerifySudoAccess(file); err != nil {
+			return err
+		}
+		fmt.Printf("%q is up-to-date (or sudo doesn't require a password)\n", file)
 		return nil
 	}
 	sudoers, err := networks.Sudoers()
diff --git a/pkg/limayaml/validate.go b/pkg/limayaml/validate.go
@@ -2,7 +2,6 @@ package limayaml
 
 import (
 	"fmt"
-	"github.com/lima-vm/lima/pkg/networks"
 	"net"
 	"os"
 	"path/filepath"
@@ -13,6 +12,7 @@ import (
 
 	"github.com/docker/go-units"
 	"github.com/lima-vm/lima/pkg/localpathutil"
+	"github.com/lima-vm/lima/pkg/networks"
 	"github.com/lima-vm/lima/pkg/osutil"
 	"github.com/lima-vm/lima/pkg/qemu/const"
 	"github.com/sirupsen/logrus"
diff --git a/pkg/networks/config.go b/pkg/networks/config.go
@@ -4,14 +4,14 @@ import (
 	_ "embed"
 	"errors"
 	"fmt"
-	"gopkg.in/yaml.v2"
 	"os"
 	"path/filepath"
 	"runtime"
 	"sync"
 
 	"github.com/lima-vm/lima/pkg/store/dirnames"
 	"github.com/lima-vm/lima/pkg/store/filenames"
+	"gopkg.in/yaml.v2"
 )
 
 //go:embed networks.yaml
@@ -56,7 +56,6 @@ func load() {
 		if cache.err != nil {
 			cache.err = fmt.Errorf("cannot parse %q: %w", configFile, cache.err)
 		}
-		cache.err = cache.config.validate()
 	})
 }
 
diff --git a/pkg/networks/networks.yaml b/pkg/networks/networks.yaml
@@ -9,7 +9,7 @@ paths:
   vdeSwitch: /opt/vde/bin/vde_switch
   vdeVMNet: /opt/vde/bin/vde_vmnet
   varRun: /private/var/run/lima
-  sudoers: /etc/sudoers.d/lima
+  sudoers: /private/etc/sudoers.d/lima
 
 group: staff
 
diff --git a/pkg/networks/reconcile/reconcile.go b/pkg/networks/reconcile/reconcile.go
@@ -122,29 +122,31 @@ func startDaemon(config *networks.NetworksConfig, ctx context.Context, name, dae
 	return nil
 }
 
-var sudoersCheck struct {
+var validation struct {
 	sync.Once
 	err error
 }
 
-func checkSudoers(config *networks.NetworksConfig) error {
-	sudoersCheck.Do(func() {
-		if config.Paths.Sudoers != "" {
-			sudoersCheck.err = networks.CheckSudoers(config.Paths.Sudoers)
+func validateConfig(config *networks.NetworksConfig) error {
+	validation.Do(func() {
+		// make sure all config.Paths.* are secure
+		validation.err = config.Validate()
+		if validation.err == nil {
+			validation.err = config.VerifySudoAccess(config.Paths.Sudoers)
 		}
 	})
-	return sudoersCheck.err
+	return validation.err
 }
 
 func startNetwork(config *networks.NetworksConfig, ctx context.Context, name string) error {
 	logrus.Debugf("Make sure %q network is running", name)
+	if err := validateConfig(config); err != nil {
+		return err
+	}
 	for _, daemon := range []string{networks.Switch, networks.VMNet} {
 		pid, _ := store.ReadPIDFile(config.PIDFile(name, daemon))
 		if pid == 0 {
 			logrus.Infof("Starting %s daemon for %q network", daemon, name)
-			if err := checkSudoers(config); err != nil {
-				return err
-			}
 			if err := startDaemon(config, ctx, name, daemon); err != nil {
 				return err
 			}
@@ -155,11 +157,13 @@ func startNetwork(config *networks.NetworksConfig, ctx context.Context, name str
 
 func stopNetwork(config *networks.NetworksConfig, name string) error {
 	logrus.Debugf("Make sure %q network is stopped", name)
+	// Don't call validateConfig() until we actually need to stop a daemon because
+	// stopNetwork() may be called even when the vde daemons are not installed.
 	for _, daemon := range []string{networks.VMNet, networks.Switch} {
 		pid, _ := store.ReadPIDFile(config.PIDFile(name, daemon))
 		if pid != 0 {
 			logrus.Infof("Stopping %s daemon for %q network", daemon, name)
-			if err := checkSudoers(config); err != nil {
+			if err := validateConfig(config); err != nil {
 				return err
 			}
 			err := sudo(config.DaemonUser(daemon), config.DaemonGroup(daemon), config.StopCmd(name, daemon))
diff --git a/pkg/networks/sudoers.go b/pkg/networks/sudoers.go
@@ -1,10 +1,14 @@
 package networks
 
 import (
+	"errors"
 	"fmt"
 	"os"
+	"os/exec"
 	"sort"
 	"strings"
+
+	"github.com/sirupsen/logrus"
 )
 
 func Sudoers() (string, error) {
@@ -38,9 +42,45 @@ func Sudoers() (string, error) {
 	return sb.String(), nil
 }
 
-func CheckSudoers(sudoersFile string) error {
+func (config *NetworksConfig) passwordLessSudo() error {
+	// Flush cached sudo password
+	cmd := exec.Command("sudo", "-k")
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed to run %v: %w", cmd.Args, err)
+	}
+	// Verify that user/groups for both daemons work without a password, e.g.
+	// %admin ALL = (ALL:ALL) NOPASSWD: ALL
+	for _, daemon := range []string{Switch, VMNet} {
+		cmd = exec.Command("sudo", "--user", config.DaemonUser(daemon),
+			"--group", config.DaemonGroup(daemon), "--non-interactive", "true")
+		if err := cmd.Run(); err != nil {
+			return fmt.Errorf("failed to run %v: %w", cmd.Args, err)
+		}
+	}
+	return nil
+}
+
+func (config *NetworksConfig) VerifySudoAccess(sudoersFile string) error {
+	if sudoersFile == "" {
+		if err := config.passwordLessSudo(); err == nil {
+			logrus.Debug("sudo doesn't seem to require a password")
+			return nil
+		} else {
+			return fmt.Errorf("passwordLessSudo error: %w", err)
+		}
+	}
 	b, err := os.ReadFile(sudoersFile)
 	if err != nil {
+		// Default networks.yaml specifies /etc/sudoers.d/lima file. Don't throw an error when the
+		// file doesn't exist, as long as password-less sudo still works.
+		if errors.Is(err, os.ErrNotExist) {
+			if err := config.passwordLessSudo(); err == nil {
+				logrus.Debugf("%q does not exist, but sudo doesn't seem to require a password", sudoersFile)
+				return nil
+			} else {
+				logrus.Debugf("%q does not exist; passwordLessSudo error: %s", sudoersFile, err)
+			}
+		}
 		return fmt.Errorf("can't read %q: %s", sudoersFile, err)
 	}
 	sudoers, err := Sudoers()
diff --git a/pkg/networks/validate.go b/pkg/networks/validate.go
@@ -11,7 +11,7 @@ import (
 	"syscall"
 )
 
-func (config *NetworksConfig) validate() error {
+func (config *NetworksConfig) Validate() error {
 	// validate all paths.* values
 	paths := reflect.ValueOf(&config.Paths).Elem()
 	for i := 0; i < paths.NumField(); i++ {
@@ -31,7 +31,7 @@ func (config *NetworksConfig) validate() error {
 			if name == "sudoers" && errors.Is(err, os.ErrNotExist) {
 				continue
 			}
-			return fmt.Errorf("network.yaml field `paths.%s` error: %w", name, err)
+			return fmt.Errorf("networks.yaml field `paths.%s` error: %w", name, err)
 		}
 	}
 	// TODO: validate network definitions

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ import (`
`11`	`11`	`"syscall"`
`12`	`12`	`)`
`13`	`13`
`14`		`-func (config *NetworksConfig) validate() error {`
	`14`	`+func (config *NetworksConfig) Validate() error {`
`15`	`15`	`// validate all paths.* values`
`16`	`16`	`paths := reflect.ValueOf(&config.Paths).Elem()`
`17`	`17`	`for i := 0; i < paths.NumField(); i++ {`
`@@ -31,7 +31,7 @@ func (config *NetworksConfig) validate() error {`
`31`	`31`	`if name == "sudoers" && errors.Is(err, os.ErrNotExist) {`
`32`	`32`	`continue`
`33`	`33`	`}`
`34`		- return fmt.Errorf("network.yaml field `paths.%s` error: %w", name, err)
	`34`	+ return fmt.Errorf("networks.yaml field `paths.%s` error: %w", name, err)
`35`	`35`	`}`
`36`	`36`	`}`
`37`	`37`	`// TODO: validate network definitions`