add VZ block device attachments on macOS

Author: pirate

cmd/limactl/editflags/editflags.go

@@ -67,6 +67,7 @@ func RegisterEdit(cmd *cobra.Command, commentPrefix string) {
 	flags.Bool("nested-virt", false, commentPrefix+"Enable nested virtualization")
 
 	flags.Bool("rosetta", false, commentPrefix+"Enable Rosetta (for vz instances)")
+	flags.StringSlice("block-device", nil, commentPrefix+"Host block devices to attach to a VZ VM on macOS, e.g. /dev/disk4")
 
 	flags.StringArray("set", []string{}, commentPrefix+"Modify the template inplace, using yq syntax. Can be passed multiple times.")
 
@@ -332,6 +333,25 @@ func YQExpressions(flags *flag.FlagSet, newInstance bool) ([]string, error) {
 			false,
 			false,
 		},
+		{
+			"block-device",
+			func(_ *flag.Flag) ([]string, error) {
+				paths, err := flags.GetStringSlice("block-device")
+				if err != nil {
+					return nil, err
+				}
+				devices := make([]string, len(paths))
+				for i, path := range paths {
+					if path == "" {
+						return nil, errors.New("block device path must not be empty")
+					}
+					devices[i] = strconv.Quote(path)
+				}
+				return []string{fmt.Sprintf(".vmOpts.vz.blockDevices += [%s] | .vmOpts.vz.blockDevices |= unique", strings.Join(devices, ","))}, nil
+			},
+			false,
+			false,
+		},
 		{"set", func(v *flag.Flag) ([]string, error) {
 			return v.Value.(flag.SliceValue).GetSlice(), nil
 		}, false, false},

cmd/limactl/editflags/editflags_test.go

@@ -225,6 +225,12 @@ func TestYQExpressions(t *testing.T) {
 			newInstance: false,
 			expected:    []string{`.nestedVirtualization = true`},
 		},
+		{
+			name:        "block-device",
+			args:        []string{"--block-device", "/dev/disk4", "--block-device", "/dev/disk5"},
+			newInstance: false,
+			expected:    []string{`.vmOpts.vz.blockDevices += ["/dev/disk4","/dev/disk5"] | .vmOpts.vz.blockDevices |= unique`},
+		},
 		{
 			name:        "invalid network",
 			args:        []string{"--network", "invalid"},

cmd/limactl/hidden_commands_darwin.go

@@ -0,0 +1,26 @@
+//go:build darwin && !no_vz
+
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+
+	drv "github.com/lima-vm/lima/v2/pkg/driver/vz"
+)
+
+const sudoOpenBlockDeviceCommand = "sudo-open-block-device"
+
+func registerHiddenCommands(rootCmd *cobra.Command) {
+	rootCmd.AddCommand(&cobra.Command{
+		Use:    sudoOpenBlockDeviceCommand,
+		Short:  "Open a host block device for a VZ VM",
+		Args:   WrapArgsError(cobra.NoArgs),
+		Hidden: true,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			return drv.ServeSudoOpenBlockDevice(cmd.InOrStdin())
+		},
+	})
+}

cmd/limactl/hidden_commands_others.go

@@ -0,0 +1,12 @@
+//go:build !darwin || no_vz
+
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import "github.com/spf13/cobra"
+
+const sudoOpenBlockDeviceCommand = "sudo-open-block-device"
+
+func registerHiddenCommands(_ *cobra.Command) {}

cmd/limactl/main.go

@@ -32,7 +32,7 @@ const (
 )
 
 func main() {
-	if os.Geteuid() == 0 && (len(os.Args) < 2 || os.Args[1] != "generate-doc") {
+	if os.Geteuid() == 0 && (len(os.Args) < 2 || (os.Args[1] != "generate-doc" && os.Args[1] != sudoOpenBlockDeviceCommand)) {
 		fmt.Fprint(os.Stderr, "limactl: must not run as the root user\n")
 		os.Exit(1)
 	}
@@ -136,6 +136,9 @@ func newApp() *cobra.Command {
 			// allow commands that are used for packaging to run under rosetta to allow cross-architecture builds
 			return errors.New("limactl is running under rosetta, please reinstall lima with native arch")
 		}
+		if cmd.Name() == sudoOpenBlockDeviceCommand {
+			return nil
+		}
 
 		// Make sure either $HOME or $LIMA_HOME is defined, so we don't need
 		// to check for errors later
@@ -211,6 +214,7 @@ func newApp() *cobra.Command {
 		newRenameCommand(),
 		newWatchCommand(),
 	)
+	registerHiddenCommands(rootCmd)
 	addPluginCommands(rootCmd)
 
 	return rootCmd

cmd/limactl/sudoers_darwin.go

@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"io"
 
-	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	"github.com/lima-vm/lima/v2/pkg/networks"
@@ -21,11 +20,6 @@ func sudoersAction(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
-	// Make sure the current network configuration is secure
-	if err := nwCfg.Validate(); err != nil {
-		logrus.Infof("Please check %s for more information.", socketVMNetURL)
-		return err
-	}
 	check, err := cmd.Flags().GetBool("check")
 	if err != nil {
 		return err

pkg/driver/vz/block_device_darwin.go

@@ -0,0 +1,242 @@
+//go:build darwin && !no_vz
+
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package vz
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	vzapi "github.com/Code-Hex/vz/v3"
+	"github.com/balajiv113/fd"
+	"github.com/sirupsen/logrus"
+
+	"github.com/lima-vm/lima/v2/pkg/limatype"
+	"github.com/lima-vm/lima/v2/pkg/limayaml"
+)
+
+const sudoOpenBlockDeviceCommand = "sudo-open-block-device"
+
+func ServeSudoOpenBlockDevice(r io.Reader) error {
+	return serveSudoOpenBlockDevice(r)
+}
+
+type sudoOpenBlockDeviceRequest struct {
+	DevicePath string `json:"devicePath"`
+	SocketPath string `json:"socketPath"`
+}
+
+func serveSudoOpenBlockDevice(r io.Reader) error {
+	var req sudoOpenBlockDeviceRequest
+	if err := json.NewDecoder(r).Decode(&req); err != nil {
+		return fmt.Errorf("failed to decode request: %w", err)
+	}
+	if err := req.validate(); err != nil {
+		return err
+	}
+
+	deviceFile, err := os.OpenFile(req.DevicePath, os.O_RDWR, 0)
+	if err != nil {
+		return fmt.Errorf("failed to open %q: %w", req.DevicePath, err)
+	}
+	defer deviceFile.Close()
+
+	fi, err := deviceFile.Stat()
+	if err != nil {
+		return fmt.Errorf("failed to stat %q: %w", req.DevicePath, err)
+	}
+	if fi.Mode()&os.ModeDevice == 0 {
+		return fmt.Errorf("%q is not a device node", req.DevicePath)
+	}
+
+	socketAddr, err := net.ResolveUnixAddr("unix", req.SocketPath)
+	if err != nil {
+		return fmt.Errorf("failed to resolve socket %q: %w", req.SocketPath, err)
+	}
+	conn, err := net.DialUnix("unix", nil, socketAddr)
+	if err != nil {
+		return fmt.Errorf("failed to connect to socket %q: %w", req.SocketPath, err)
+	}
+	defer conn.Close()
+
+	if err := fd.Put(conn, deviceFile); err != nil {
+		return fmt.Errorf("failed to send file descriptor for %q: %w", req.DevicePath, err)
+	}
+	return nil
+}
+
+func (r sudoOpenBlockDeviceRequest) validate() error {
+	if r.DevicePath == "" {
+		return errors.New("devicePath must not be empty")
+	}
+	if !filepath.IsAbs(r.DevicePath) {
+		return fmt.Errorf("devicePath %q must be an absolute path", r.DevicePath)
+	}
+	if filepath.Clean(r.DevicePath) != r.DevicePath {
+		return fmt.Errorf("devicePath %q must be normalized", r.DevicePath)
+	}
+	if !strings.HasPrefix(r.DevicePath, "/dev/") {
+		return fmt.Errorf("devicePath %q must be under /dev", r.DevicePath)
+	}
+
+	if r.SocketPath == "" {
+		return errors.New("socketPath must not be empty")
+	}
+	if !filepath.IsAbs(r.SocketPath) {
+		return fmt.Errorf("socketPath %q must be an absolute path", r.SocketPath)
+	}
+	if filepath.Clean(r.SocketPath) != r.SocketPath {
+		return fmt.Errorf("socketPath %q must be normalized", r.SocketPath)
+	}
+	return nil
+}
+
+func attachHostBlockDevices(ctx context.Context, inst *limatype.Instance, configurations []vzapi.StorageDeviceConfiguration) ([]vzapi.StorageDeviceConfiguration, error) {
+	var vzOpts limatype.VZOpts
+	if err := limayaml.Convert(inst.Config.VMOpts[limatype.VZ], &vzOpts, "vmOpts.vz"); err != nil {
+		return nil, err
+	}
+	if len(vzOpts.BlockDevices) == 0 {
+		return configurations, nil
+	}
+
+	for i, devicePath := range vzOpts.BlockDevices {
+		deviceFile, err := openHostBlockDevice(ctx, inst, devicePath, i)
+		if err != nil {
+			return nil, err
+		}
+		attachment, err := vzapi.NewDiskBlockDeviceStorageDeviceAttachment(deviceFile, false, vzapi.DiskSynchronizationModeFull)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create block device attachment for %q: %w", devicePath, err)
+		}
+		device, err := vzapi.NewVirtioBlockDeviceConfiguration(attachment)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create virtio block device for %q: %w", devicePath, err)
+		}
+		if err := device.SetBlockDeviceIdentifier(guestBlockDeviceIdentifier(devicePath)); err != nil {
+			return nil, fmt.Errorf("failed to set block device identifier for %q: %w", devicePath, err)
+		}
+		configurations = append(configurations, device)
+	}
+	return configurations, nil
+}
+
+func openHostBlockDevice(ctx context.Context, inst *limatype.Instance, devicePath string, index int) (*os.File, error) {
+	exe, err := os.Executable()
+	if err != nil {
+		return nil, err
+	}
+
+	socketPath := filepath.Join(inst.Dir, fmt.Sprintf("vz-block-device.%d.sock", index))
+	if err := os.RemoveAll(socketPath); err != nil {
+		return nil, err
+	}
+
+	listener, err := net.ListenUnix("unix", &net.UnixAddr{Name: socketPath, Net: "unix"})
+	if err != nil {
+		return nil, fmt.Errorf("failed to listen on %q: %w", socketPath, err)
+	}
+	listener.SetUnlinkOnClose(true)
+	defer func() {
+		_ = listener.Close()
+		_ = os.RemoveAll(socketPath)
+	}()
+
+	req := sudoOpenBlockDeviceRequest{
+		DevicePath: devicePath,
+		SocketPath: socketPath,
+	}
+	var stdin bytes.Buffer
+	if err := json.NewEncoder(&stdin).Encode(req); err != nil {
+		return nil, err
+	}
+
+	type receivedFD struct {
+		file *os.File
+		err  error
+	}
+	fdCh := make(chan receivedFD, 1)
+	go func() {
+		conn, err := listener.AcceptUnix()
+		if err != nil {
+			fdCh <- receivedFD{err: err}
+			return
+		}
+		defer conn.Close()
+
+		files, err := fd.Get(conn, 1, []string{filepath.Base(devicePath)})
+		if err != nil {
+			fdCh <- receivedFD{err: err}
+			return
+		}
+		if len(files) != 1 {
+			for _, file := range files {
+				_ = file.Close()
+			}
+			fdCh <- receivedFD{err: fmt.Errorf("expected 1 file descriptor for %q, got %d", devicePath, len(files))}
+			return
+		}
+		fdCh <- receivedFD{file: files[0]}
+	}()
+
+	var stdout, stderr bytes.Buffer
+	cmd := exec.CommandContext(ctx, "sudo", "--user", "root", "--group", "wheel", "--non-interactive", exe, sudoOpenBlockDeviceCommand)
+	cmd.Stdin = &stdin
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	logrus.Debugf("Opening block device %q via sudo helper: %v", devicePath, cmd.Args)
+	if err := cmd.Run(); err != nil {
+		_ = listener.Close()
+		received := <-fdCh
+		if received.file != nil {
+			_ = received.file.Close()
+		}
+		return nil, fmt.Errorf("failed to run %v: stdout=%q, stderr=%q: %w", cmd.Args, stdout.String(), stderr.String(), err)
+	}
+
+	received := <-fdCh
+	if received.err != nil {
+		return nil, fmt.Errorf("failed to receive file descriptor for %q: %w", devicePath, received.err)
+	}
+	vmNetworkFiles = append(vmNetworkFiles, received.file)
+	return received.file, nil
+}
+
+func guestBlockDeviceIdentifier(devicePath string) string {
+	base := filepath.Base(devicePath)
+	var b strings.Builder
+	b.Grow(len(base))
+	for _, r := range base {
+		switch {
+		case r >= 'a' && r <= 'z':
+			b.WriteRune(r)
+		case r >= 'A' && r <= 'Z':
+			b.WriteRune(r)
+		case r >= '0' && r <= '9':
+			b.WriteRune(r)
+		case r == '-', r == '_', r == '.':
+			b.WriteRune(r)
+		default:
+			b.WriteByte('-')
+		}
+	}
+	id := b.String()
+	if id == "" {
+		id = "block-device"
+	}
+	if len(id) > 20 {
+		id = id[:20]
+	}
+	return id
+}