guestagent: run as the root

cmd/lima-guestagent/daemon_linux.go

@@ -5,7 +5,8 @@ import (
 	"net"
 	"net/http"
 	"os"
-	"path/filepath"
+	"os/user"
+	"strconv"
 	"time"
 
 	"github.com/AkihiroSuda/lima/pkg/guestagent"
@@ -22,13 +23,11 @@ var daemonCommand = &cli.Command{
 		&cli.StringFlag{
 			Name:  "socket",
 			Usage: "socket",
-			Value: func() string {
-				if xrd := os.Getenv("XDG_RUNTIME_DIR"); xrd != "" {
-					return filepath.Join(xrd, "lima-guestagent.sock")
-				}
-				logrus.Warn("$XDG_RUNTIME_DIR is not set, cannot determine the socket name")
-				return ""
-			}(),
+			Value: "/run/lima-guestagent.sock",
+		},
+		&cli.StringFlag{
+			Name:  "socket-owner",
+			Usage: "socket owner user",
 		},
 		&cli.DurationFlag{
 			Name:  "tick",
@@ -48,9 +47,6 @@ func daemonAction(clicontext *cli.Context) error {
 	if tick == 0 {
 		return errors.New("tick must be specified")
 	}
-	if os.Geteuid() == 0 {
-		return errors.New("must not run as the root")
-	}
 	logrus.Infof("event tick: %v", tick)
 
 	newTicker := func() (<-chan time.Time, func()) {
@@ -76,6 +72,23 @@ func daemonAction(clicontext *cli.Context) error {
 	if err != nil {
 		return err
 	}
+	if socketOwner := clicontext.String("socket-owner"); socketOwner != "" {
+		u, err := user.Lookup(socketOwner)
+		if err != nil {
+			return err
+		}
+		uid, err := strconv.Atoi(u.Uid)
+		if err != nil {
+			return err
+		}
+		gid, err := strconv.Atoi(u.Gid)
+		if err != nil {
+			return err
+		}
+		if err := os.Chown(socket, uid, gid); err != nil {
+			return err
+		}
+	}
 	logrus.Infof("serving the guest agent on %q", socket)
 	return srv.Serve(l)
 }

cmd/lima-guestagent/main_linux.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"errors"
 	"os"
 	"strings"
 
@@ -31,14 +30,10 @@ func newApp() *cli.App {
 		if clicontext.Bool("debug") {
 			logrus.SetLevel(logrus.DebugLevel)
 		}
-		if os.Geteuid() == 0 {
-			return errors.New("must not run as the root")
-		}
 		return nil
 	}
 	app.Commands = []*cli.Command{
 		daemonCommand,
-		installSystemdCommand,
 	}
 	return app
 }

docs/internal.md

@@ -33,7 +33,7 @@ SSH:
 - `ssh.sock`: SSH control master socket
 
 Guest agent:
-- `ga.sock`: Forwarded to `/run/user/$UID/lima-guestagent.sock` in the guest, via SSH
+- `ga.sock`: Forwarded to `/run/lima-guestagent.sock` in the guest, via SSH
 
 Host agent:
 - `ha.pid`: hostagent PID

pkg/cidata/cidata.TEMPLATE.d/boot/25-guestagent-base.sh

@@ -15,10 +15,6 @@ install -m 755 "${LIMA_CIDATA_MNT}"/lima-guestagent /usr/local/bin/lima-guestage
 
 # Launch the guestagent service
 if [ -f /etc/alpine-release ]; then
-	# Create directory for the lima-guestagent socket (normally done by systemd)
-	mkdir -p /run/user/"${LIMA_CIDATA_UID}"
-	chown "${LIMA_CIDATA_USER}" /run/user/"${LIMA_CIDATA_UID}"
-	chmod 700 /run/user/"${LIMA_CIDATA_UID}"
 	# Install the openrc lima-guestagent service script
 	cat >/etc/init.d/lima-guestagent <<'EOF'
 #!/sbin/openrc-run
@@ -27,18 +23,29 @@ supervisor=supervise-daemon
 name="lima-guestagent"
 description="Forward ports to the lima-hostagent"
 
-export XDG_RUNTIME_DIR="/run/user/${LIMA_CIDATA_UID}"
 command=/usr/local/bin/lima-guestagent
-command_args="daemon"
+command_args="daemon --socket-owner=${LIMA_CIDATA_USER}"
 command_background=true
-command_user="${LIMA_CIDATA_USER}:${LIMA_CIDATA_USER}"
-pidfile="${XDG_RUNTIME_DIR}/lima-guestagent.pid"
+pidfile="/run/lima-guestagent.pid"
 EOF
 	chmod 755 /etc/init.d/lima-guestagent
 
 	rc-update add lima-guestagent default
 	rc-service lima-guestagent start
 else
-	until [ -e "/run/user/${LIMA_CIDATA_UID}/systemd/private" ]; do sleep 3; done
-	sudo -iu "${LIMA_CIDATA_USER}" "XDG_RUNTIME_DIR=/run/user/${LIMA_CIDATA_UID}" lima-guestagent install-systemd
+	mkdir -p /usr/local/lib/systemd/system
+	cat >/usr/local/lib/systemd/system/lima-guestagent.service <<EOF
+[Unit]
+Description=lima-guestagent
+
+[Service]
+ExecStart=/usr/local/bin/lima-guestagent daemon --socket-owner=${LIMA_CIDATA_USER}
+Type=simple
+Restart=on-failure
+
+[Install]
+WantedBy=default.target
+EOF
+	systemctl daemon-reload
+	systemctl enable --now lima-guestagent.service
 fi

pkg/hostagent/hostagent.go

@@ -281,8 +281,7 @@ func (a *HostAgent) watchGuestAgentEvents(ctx context.Context) {
 	// TODO: use vSock (when QEMU for macOS gets support for vSock)
 
 	localUnix := filepath.Join(a.instDir, filenames.GuestAgentSock)
-	// guest should have same UID as the host (specified in cidata)
-	remoteUnix := fmt.Sprintf("/run/user/%d/lima-guestagent.sock", os.Getuid())
+	const remoteUnix = "/run/lima-guestagent.sock"
 
 	for {
 		if !isGuestAgentSocketAccessible(ctx, localUnix) {

pkg/hostagent/requirements.go

@@ -106,16 +106,15 @@ fi
 		description: "the guest agent to be running",
 		script: `#!/bin/bash
 set -eux -o pipefail
-sock="/run/user/$(id -u)/lima-guestagent.sock"
+sock="/run/lima-guestagent.sock"
 if ! timeout 30s bash -c "until [ -S \"${sock}\" ]; do sleep 3; done"; then
 	echo >&2 "lima-guestagent is not installed yet"
 	exit 1
 fi
 `,
-		debugHint: `The guest agent (/run/user/$UID/lima-guestagent.sock) does not seem running.
+		debugHint: `The guest agent (/run/lima-guestagent.sock) does not seem running.
 Make sure that you are using an officially supported image.
 Also see "/var/log/cloud-init-output.log" in the guest.
-A possible workaround is to run "lima-guestagent install-systemd" in the guest.
 `,
 	})
 	return req