
No read access to /etc/hosts on Mac prevents lima from creating a VM for colima. #2915

Closed
paulbhart opened this issue Nov 15, 2024 · 4 comments
Labels
invalid This doesn't seem right

Comments

@paulbhart

Description

Background:
On work Macs the permissions of /etc/hosts are -rw-r----- root/wheel.
On my personal Mac the permissions are -rw-r--r-- root/wheel.

On my work Mac I have an older version of colima/lima (0.7.6/0.23.2).

But a coworker attempted to install the latest colima and it failed.

I then went to my personal Mac and installed the latest and it works. So I chmod'ed my /etc/hosts to match work and colima/lima failed.

Here is the configuration info for my personal Mac:

❯ sw_vers
ProductName: macOS
ProductVersion: 14.4
BuildVersion: 23E214

❯ brew info lima
==> lima: stable 1.0.1 (bottled), HEAD
Linux virtual machines
https://lima-vm.io/

❯ brew info colima
==> colima: stable 0.8.0 (bottled), HEAD
Container runtimes on MacOS (and Linux) with minimal setup
https://github.com/abiosoft/colima/blob/main/README.md

The colima command I am running is:
colima start --arch aarch64 --vm-type=vz --vz-rosetta --cpu 4 --memory 4 --disk 200 --kubernetes --very-verbose

TRAC[0000] cmd ["limactl" "info"]
TRAC[0000] cmd ["system_profiler" "-json" "SPHardwareDataType"]
TRAC[0000] cmd ["limactl" "list" "colima" "--json"]
INFO[0000] starting colima
INFO[0000] runtime: docker+k3s
TRAC[0000] cmd ["limactl" "list" "colima" "--json"]
TRAC[0000] cmd ["/opt/homebrew/bin/colima" "daemon" "status" "default"]
TRAC[0000] cmd ["/opt/homebrew/bin/colima" "daemon" "stop" "default"]
TRAC[0000] cmd ["/opt/homebrew/bin/colima" "daemon" "start" "default" "--inotify" "--inotify-runtime" "docker" "--inotify-dir" "/Users/paulhart/" "--inotify-dir" "/tmp/colima/" "--very-verbose"]
TRAC[0000] cmd ["/opt/homebrew/bin/colima" "daemon" "status" "default"]
TRAC[0001] cmd ["/opt/homebrew/bin/colima" "daemon" "status" "default"]
TRAC[0001] cmd ["pgrep" "oahd"]
TRAC[0001] cmd ["system_profiler" "-json" "SPHardwareDataType"]
INFO[0001] starting ... context=vm
TRAC[0001] cmd ["limactl" "start" "colima"]

Using the existing instance "colima"

It never returns.

So I went to run the lima command directly.

❯ limactl start colima
INFO[0000] Creating an instance "colima" from template://default (Not from template://colima)
WARN[0000] This form is deprecated. Use limactl create --name=colima template://default instead
? Creating an instance "colima" Proceed with the current configuration
INFO[0003] Starting the instance "colima" with VM driver "vz"
INFO[0003] Attempting to download the image arch=aarch64 digest="sha256:d71df0bcca6c3d2e7530517d3885f1d007fd9210d40ce2054db36af2a2176c38" location="https://cloud-images.ubuntu.com/releases/24.10/release-20241023/ubuntu-24.10-server-cloudimg-arm64.img"
Downloading the image (ubuntu-24.10-server-cloudimg-arm64.img)
592.71 MiB / 592.71 MiB [-----------------------------------] 100.00% 7.70 MiB/s
INFO[0080] Downloaded the image from "https://cloud-images.ubuntu.com/releases/24.10/release-20241023/ubuntu-24.10-server-cloudimg-arm64.img"
INFO[0080] Converting "/Users/paulhart/.lima/colima/basedisk" (qcow2) to a raw disk "/Users/paulhart/.lima/colima/diffdisk"
3.50 GiB / 3.50 GiB [---------------------------------------] 100.00% 1.75 GiB/s
INFO[0083] Expanding to 100GiB
INFO[0083] Attempting to download the nerdctl archive arch=aarch64 digest="sha256:fe085381a09aa240ae5d1e0bbef1beccfb7c1d6dbb98bdc55bd416581d46ebc8" location="https://github.com/containerd/nerdctl/releases/download/v2.0.0/nerdctl-full-2.0.0-linux-arm64.tar.gz"
Downloading the nerdctl archive (nerdctl-full-2.0.0-linux-arm64.tar.gz)
195.48 MiB / 195.48 MiB [----------------------------------] 100.00% 24.01 MiB/s
INFO[0099] Downloaded the nerdctl archive from "https://github.com/containerd/nerdctl/releases/download/v2.0.0/nerdctl-full-2.0.0-linux-arm64.tar.gz"
INFO[0099] [hostagent] hostagent socket created at /Users/paulhart/.lima/colima/ha.sock
INFO[0099] [hostagent] Starting VZ (hint: to watch the boot progress, see "/Users/paulhart/.lima/colima/serial*.log")
FATA[0099] exiting, status={Running:false Degraded:false Exiting:true Errors:[] SSHLocalPort:0} (hint: see "/Users/paulhart/.lima/colima/ha.stderr.log")

❯ cat /Users/paulhart/.lima/colima/ha.stderr.log
{"level":"debug","msg":"ResolveVMType: resolved VMType "vz" (existing instance, with "/Users/paulhart/.lima/colima/vz-identifier")","time":"2024-11-15T17:17:28-05:00"}
{"level":"debug","msg":"Creating iso file /Users/paulhart/.lima/colima/cidata.iso","time":"2024-11-15T17:17:28-05:00"}
{"level":"debug","msg":"Using /var/folders/02/8j5fywjn4ync9vysg6lrxydw0000gn/T/diskfs_iso1887838669 as workspace","time":"2024-11-15T17:17:28-05:00"}
{"level":"debug","msg":"Failed to detect CPU features. Assuming that AES acceleration is available on this Apple silicon.","time":"2024-11-15T17:17:29-05:00"}
{"level":"debug","msg":"OpenSSH version 9.6.1 detected","time":"2024-11-15T17:17:29-05:00"}
{"level":"debug","msg":"AES accelerator seems available, prioritizing aes128-gcm@openssh.com and aes256-gcm@openssh.com","time":"2024-11-15T17:17:29-05:00"}
{"level":"info","msg":"hostagent socket created at /Users/paulhart/.lima/colima/ha.sock","time":"2024-11-15T17:17:29-05:00"}
{"level":"info","msg":"Starting VZ (hint: to watch the boot progress, see "/Users/paulhart/.lima/colima/serial*.log")","time":"2024-11-15T17:17:29-05:00"}
{"level":"debug","msg":"Start udp DNS listening on: 127.0.0.1:65184","time":"2024-11-15T17:17:29-05:00"}
{"level":"debug","msg":"Using search domains: [guest3505.lowes.com]","time":"2024-11-15T17:17:29-05:00"}
{"level":"debug","msg":"Start tcp DNS listening on: 127.0.0.1:58617","time":"2024-11-15T17:17:29-05:00"}
{"level":"fatal","msg":"cannot add network services: open /etc/hosts: permission denied","time":"2024-11-15T17:17:29-05:00"}

@jandubois
Member

Denying read-access to /etc/hosts is pretty weird, and I can't think of any reason one would do that. Can you verify that this isn't just a misconfiguration?

The error seems to come from https://github.com/containers/gvisor-tap-vsock/blob/2be6b3f09e60e5969380359ae122a15620f0411c/pkg/virtualnetwork/virtualnetwork.go#L71-L74, but I can't tell which of the functions addServices calls would require access to /etc/hosts.

I would consider this an unsupported configuration.
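A preflight check of the kind this thread points at, as an added example in Go (not lima's or gvisor-tap-vsock's own code): it reports why /etc/hosts is unreadable for the current user, with mode and owner, instead of the bare "permission denied" in ha.stderr.log. It assumes a Unix host; the DAC rule it applies deliberately ignores ACLs.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// readableBy applies the Unix DAC rule to a file's mode bits: owner bits if uid owns it,
// group bits if uid is in the owning group, else "other" bits; root passes. ACLs are not modelled.
func readableBy(mode os.FileMode, ownerUID, ownerGID, uid int, groups []int) bool {
	if uid == 0 {
		return true
	}
	perm := mode.Perm()
	if uid == ownerUID {
		return perm&0o400 != 0
	}
	for _, g := range groups {
		if g == ownerGID {
			return perm&0o040 != 0
		}
	}
	return perm&0o004 != 0
}

// describe is the diagnostic the hostagent log lacks: mode, owner and the expected
// permissions. It returns "" when the file is readable by the given principal.
func describe(path string, mode os.FileMode, ownerUID, ownerGID, uid int, groups []int) string {
	if readableBy(mode, ownerUID, ownerGID, uid, groups) {
		return ""
	}
	return fmt.Sprintf("%s is mode %04o owned by uid %d gid %d; uid %d cannot read it, so the hostagent cannot add network services (expected -rw-r--r-- root:wheel)",
		path, uint32(mode.Perm()), ownerUID, ownerGID, uid)
}

// checkHosts runs the preflight against the real file as the current process.
func checkHosts(path string) error {
	fi, err := os.Stat(path)
	if err != nil {
		return err
	}
	st := fi.Sys().(*syscall.Stat_t) // Unix only: owner uid/gid live in Stat_t
	groups, _ := os.Getgroups()
	if msg := describe(path, fi.Mode(), int(st.Uid), int(st.Gid), os.Getuid(), groups); msg != "" {
		return fmt.Errorf("%s", msg)
	}
	return nil
}
```

Run `checkHosts("/etc/hosts")` before `limactl start`; a non-nil error names the exact bit that is missing for the current uid.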

@nirs
Member

nirs commented Nov 16, 2024

@paulbhart this error happened after you fixed the permission on /etc/hosts?

{"level":"fatal","msg":"cannot add network services: open /etc/hosts: permission denied","time":"2024-11-15T17:17:29-05:00"}

@paulbhart
Author

@nirs When the permissions allowed the user to read the hosts file there are no errors. I have no idea why the company has locked down /etc/hosts to be non-readable, but I am trying to talk to the folks in charge of laptop configuration.

@nirs nirs added the invalid This doesn't seem right label Nov 28, 2024
@nirs
Member

nirs commented Nov 28, 2024

Mark as invalid based on #2915 (comment)
