add VZ block device attachments on macOS

Signed-off-by: Nick Sweeting <git@sweeting.me>

Author: pirate

cmd/limactl/editflags/editflags.go

@@ -67,6 +67,7 @@ func RegisterEdit(cmd *cobra.Command, commentPrefix string) {
 	flags.Bool("nested-virt", false, commentPrefix+"Enable nested virtualization")
 
 	flags.Bool("rosetta", false, commentPrefix+"Enable Rosetta (for vz instances)")
+	flags.StringSlice("block-device", nil, commentPrefix+"Host block devices to attach to a VZ VM on macOS, e.g. /dev/disk4")
 
 	flags.StringArray("set", []string{}, commentPrefix+"Modify the template inplace, using yq syntax. Can be passed multiple times.")
 
@@ -332,6 +333,25 @@ func YQExpressions(flags *flag.FlagSet, newInstance bool) ([]string, error) {
 			false,
 			false,
 		},
+		{
+			"block-device",
+			func(_ *flag.Flag) ([]string, error) {
+				paths, err := flags.GetStringSlice("block-device")
+				if err != nil {
+					return nil, err
+				}
+				devices := make([]string, len(paths))
+				for i, path := range paths {
+					if path == "" {
+						return nil, errors.New("block device path must not be empty")
+					}
+					devices[i] = strconv.Quote(path)
+				}
+				return []string{fmt.Sprintf(".vmOpts.vz.blockDevices += [%s] | .vmOpts.vz.blockDevices |= unique", strings.Join(devices, ","))}, nil
+			},
+			false,
+			false,
+		},
 		{"set", func(v *flag.Flag) ([]string, error) {
 			return v.Value.(flag.SliceValue).GetSlice(), nil
 		}, false, false},

cmd/limactl/editflags/editflags_test.go

@@ -225,6 +225,12 @@ func TestYQExpressions(t *testing.T) {
 			newInstance: false,
 			expected:    []string{`.nestedVirtualization = true`},
 		},
+		{
+			name:        "block-device",
+			args:        []string{"--block-device", "/dev/disk4", "--block-device", "/dev/disk5"},
+			newInstance: false,
+			expected:    []string{`.vmOpts.vz.blockDevices += ["/dev/disk4","/dev/disk5"] | .vmOpts.vz.blockDevices |= unique`},
+		},
 		{
 			name:        "invalid network",
 			args:        []string{"--network", "invalid"},

cmd/limactl/main.go

@@ -32,7 +32,7 @@ const (
 )
 
 func main() {
-	if os.Geteuid() == 0 && (len(os.Args) < 2 || os.Args[1] != "generate-doc") {
+	if os.Geteuid() == 0 && (len(os.Args) < 2 || (os.Args[1] != "generate-doc" && !isPrivilegedHelperCommand(os.Args[1]))) {
 		fmt.Fprint(os.Stderr, "limactl: must not run as the root user\n")
 		os.Exit(1)
 	}
@@ -136,6 +136,9 @@ func newApp() *cobra.Command {
 			// allow commands that are used for packaging to run under rosetta to allow cross-architecture builds
 			return errors.New("limactl is running under rosetta, please reinstall lima with native arch")
 		}
+		if isPrivilegedHelperCommand(cmd.Name()) {
+			return nil
+		}
 
 		// Make sure either $HOME or $LIMA_HOME is defined, so we don't need
 		// to check for errors later
@@ -211,6 +214,7 @@ func newApp() *cobra.Command {
 		newRenameCommand(),
 		newWatchCommand(),
 	)
+	registerHiddenCommands(rootCmd)
 	addPluginCommands(rootCmd)
 
 	return rootCmd

cmd/limactl/sudo_open_block_device_command_darwin.go

@@ -0,0 +1,28 @@
+//go:build darwin && !no_vz
+
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	drv "github.com/lima-vm/lima/v2/pkg/driver/vz"
+)
+
+func isPrivilegedHelperCommand(name string) bool {
+	return name == drv.SudoOpenBlockDeviceCommand
+}
+
+func registerHiddenCommands(rootCmd *cobra.Command) {
+	rootCmd.AddCommand(&cobra.Command{
+		Use:    drv.SudoOpenBlockDeviceCommand,
+		Short:  "Open a host block device for a VZ VM",
+		Args:   WrapArgsError(cobra.NoArgs),
+		Hidden: true,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			return drv.ServeSudoOpenBlockDevice(cmd.InOrStdin())
+		},
+	})
+}

cmd/limactl/sudo_open_block_device_command_others.go

@@ -0,0 +1,14 @@
+//go:build !darwin || no_vz
+
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import "github.com/spf13/cobra"
+
+func isPrivilegedHelperCommand(string) bool {
+	return false
+}
+
+func registerHiddenCommands(_ *cobra.Command) {}

cmd/limactl/sudoers.go

@@ -27,7 +27,8 @@ To validate the existing /etc/sudoers.d/lima file:
 $ limactl sudoers --check /etc/sudoers.d/lima
 `,
 		Short: "Generate the content of the /etc/sudoers.d/lima file",
-		Long: fmt.Sprintf(`Generate the content of the /etc/sudoers.d/lima file for enabling vmnet.framework support (socket_vmnet) on macOS.
+		Long: fmt.Sprintf(`Generate the content of the /etc/sudoers.d/lima file for macOS host helpers that require privilege escalation.
+This includes vmnet.framework support (socket_vmnet) and VZ block-device attachment with --block-device.
 The content is written to stdout, NOT to the file.
 This command must not run as the root user.
 See %s for the usage.`, socketVMNetURL),

cmd/limactl/sudoers_darwin.go

@@ -8,11 +8,13 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"os"
 
-	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
+	drv "github.com/lima-vm/lima/v2/pkg/driver/vz"
 	"github.com/lima-vm/lima/v2/pkg/networks"
+	pkgsudoers "github.com/lima-vm/lima/v2/pkg/sudoers"
 )
 
 func sudoersAction(cmd *cobra.Command, args []string) error {
@@ -21,11 +23,6 @@ func sudoersAction(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
-	// Make sure the current network configuration is secure
-	if err := nwCfg.Validate(); err != nil {
-		logrus.Infof("Please check %s for more information.", socketVMNetURL)
-		return err
-	}
 	check, err := cmd.Flags().GetBool("check")
 	if err != nil {
 		return err
@@ -41,10 +38,15 @@ func sudoersAction(cmd *cobra.Command, args []string) error {
 	default:
 		return fmt.Errorf("unexpected arguments %v", args)
 	}
-	sudoers, err := networks.Sudoers()
+	networkSudoers, err := networks.Sudoers()
+	if err != nil {
+		return err
+	}
+	blockDeviceSudoers, err := drv.BlockDeviceSudoers(nwCfg.Group)
 	if err != nil {
 		return err
 	}
+	sudoers := pkgsudoers.AssembleSudoersFragments(networkSudoers, blockDeviceSudoers)
 	fmt.Fprint(cmd.OutOrStdout(), sudoers)
 	return nil
 }
@@ -63,9 +65,38 @@ func verifySudoAccess(ctx context.Context, nwCfg networks.Config, args []string,
 	default:
 		return errors.New("can check only a single sudoers file")
 	}
-	if err := nwCfg.VerifySudoAccess(ctx, file); err != nil {
+	if err := verifySudoersFile(ctx, nwCfg, file); err != nil {
 		return err
 	}
 	fmt.Fprintf(stdout, "%q is up-to-date (or sudo doesn't require a password)\n", file)
 	return nil
 }
+
+func verifySudoersFile(ctx context.Context, nwCfg networks.Config, file string) error {
+	hint := fmt.Sprintf("run `%s sudoers >etc_sudoers.d_lima && sudo install -o root etc_sudoers.d_lima %q`)",
+		os.Args[0], file)
+	b, err := os.ReadFile(file)
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			if err := nwCfg.VerifySudoAccess(ctx, ""); err == nil {
+				if err := pkgsudoers.Run(ctx, "root", "wheel", nil, nil, nil, "", "true"); err == nil {
+					return nil
+				}
+			}
+		}
+		return fmt.Errorf("can't read %q: %w: (Hint: %s)", file, err, hint)
+	}
+	networkSudoers, err := networks.Sudoers()
+	if err != nil {
+		return err
+	}
+	blockDeviceSudoers, err := drv.BlockDeviceSudoers(nwCfg.Group)
+	if err != nil {
+		return err
+	}
+	sudoers := pkgsudoers.AssembleSudoersFragments(networkSudoers, blockDeviceSudoers)
+	if string(b) != sudoers {
+		return fmt.Errorf("sudoers file %q is out of sync and must be regenerated (Hint: %s)", file, hint)
+	}
+	return nil
+}

pkg/driver/external/client/client.go

@@ -10,6 +10,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/resolver"
 
 	pb "github.com/lima-vm/lima/v2/pkg/driver/external"
 )
@@ -32,8 +33,8 @@ func NewDriverClient(socketPath string, logger *logrus.Logger) (*DriverClient, e
 		grpc.WithTransportCredentials(insecure.NewCredentials()),
 	}
 
-	//nolint:staticcheck // grpc.Dial is used for compatibility reasons
-	conn, err := grpc.Dial("unix://"+socketPath, opts...)
+	resolver.SetDefaultScheme("passthrough")
+	conn, err := grpc.NewClient("", opts...)
 	if err != nil {
 		logger.Errorf("failed to dial gRPC driver client connection: %v", err)
 		return nil, err