vmnet: support detecting Homebrew's socket_vmnet path

On Homebrew environments, socket_vmnet is installed on:
- /usr/local/opt/socket_vmnet/Cellar/<VERSION>/bin/socket_vmnet (Intel)
- /opt/homebrew/opt/socket_vmnet/Cellar/<VERSION>/bin/socket_vmnet (ARM)

The binary is usually owned by a non-root admin user. (i.e., the homebrew user)
The group is typically set to "admin".

Homebrew/homebrew-core@636ac07

Signed-off-by: Akihiro Suda <[email protected]>

Author: AkihiroSuda

docs/network.md

@@ -53,11 +53,23 @@ The configuration steps are different across QEMU and VZ:
 ### QEMU
 #### Managed (192.168.105.0/24)
 
-Either [`socket_vmnet`](https://github.com/lima-vm/socket_vmnet) (since Lima v0.12) or [`vde_vmnet`](https://github.com/lima-vm/vde_vmnet) (Deprecated)
-is required for adding another guest IP that is accessible from the host and other guests.
+[`socket_vmnet`](https://github.com/lima-vm/socket_vmnet) is required for adding another guest IP that is accessible from the host and other guests.
 
-Starting with version v0.7.0 lima can manage the networking daemons automatically. Networks are defined in
-`$LIMA_HOME/_config/networks.yaml`. If this file doesn't already exist, it will be created with these default
+```bash
+# Install socket_vmnet
+brew install socket_vmnet
+
+# Set up the sudoers file for launching socket_vmnet from Lima
+limactl sudoers >etc_sudoers.d_lima
+sudo mv etc_sudoers.d_lima /etc/sudoers.d/lima
+```
+
+> **Note**
+>
+> Lima before v0.12 used `vde_vmnet` for managing the networks.
+> `vde_vmnet` is still supported but it is deprecated and no longer documented here.
+
+The networks are defined in `$LIMA_HOME/_config/networks.yaml`. If this file doesn't already exist, it will be created with these default
 settings:
 
 <details>
@@ -114,9 +126,8 @@ Instances can then reference these networks from their `lima.yaml` file:
 
 ```yaml
 networks:
-  # Lima can manage daemons for networks defined in $LIMA_HOME/_config/networks.yaml
-  # automatically. The socket_vmnet must be installed into
-  # secure locations only alterable by the "root" user.
+  # Lima can manage the socket_vmnet daemon for networks defined in $LIMA_HOME/_config/networks.yaml automatically.
+  # The socket_vmnet binary must be installed into a secure location only alterable by the admin.
   # The same applies to vde_switch and vde_vmnet for the deprecated VDE mode.
   # - lima: shared
   #   # MAC address of the instance; lima will pick one based on the instance name,
@@ -126,18 +137,10 @@ networks:
   #   interface: ""
 ```
 
-The network daemons are started automatically when the first instance referencing them is started,
+The network daemon is started automatically when the first instance referencing them is started,
 and will stop automatically once the last instance has stopped. Daemon logs will be stored in the
 `$LIMA_HOME/_networks` directory.
 
-Since the commands to start and stop the `socket_vmnet` daemon (or the `vde_vmnet` daemon) requires root, the user either must
-have password-less `sudo` enabled, or add the required commands to a `sudoers` file. This can
-be done via:
-
-```shell
-limactl sudoers | sudo tee /etc/sudoers.d/lima
-```
-
 #### Unmanaged
 For Lima >= 0.12:
 ```yaml

examples/vmnet.yaml

@@ -1,6 +1,12 @@
 # Example to enable vmnet.framework for QEMU.
 # VZ users should refer to experimental/vz.yaml
 
+# Usage:
+#   brew install socket_vmnet
+#   limactl sudoers >etc_sudoers.d_lima
+#   sudo mv etc_sudoers.d_lima /etc/sudoers.d/lima
+#   limactl start template://vmnet
+
 # This example requires Lima v0.7.0 or later.
 # Older versions of Lima were using a different syntax for supporting vmnet.framework.
 images:

pkg/networks/config.go

@@ -5,22 +5,62 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"runtime"
 	"sync"
 
 	"github.com/goccy/go-yaml"
 	"github.com/lima-vm/lima/pkg/store/dirnames"
 	"github.com/lima-vm/lima/pkg/store/filenames"
+	"github.com/lima-vm/lima/pkg/textutil"
+	"github.com/sirupsen/logrus"
 )
 
-//go:embed networks.yaml
-var defaultConfig []byte
+//go:embed networks.TEMPLATE.yaml
+var defaultConfigTemplate string
+
+type defaultConfigTemplateArgs struct {
+	SocketVMNet string // "/opt/socket_vmnet/bin/socket_vmnet"
+}
+
+func defaultConfigBytes() ([]byte, error) {
+	args := defaultConfigTemplateArgs{
+		SocketVMNet: "/opt/socket_vmnet/bin/socket_vmnet", // the hard-code path before v0.14
+	}
+	candidates := []string{
+		"socket_vmnet",
+		"/usr/local/opt/socket_vmnet/bin/socket_vmnet",    // Homebrew (Intel)
+		"/opt/homebrew/opt/socket_vmnet/bin/socket_vmnet", // Homebrew (Intel)
+	}
+	for _, candidate := range candidates {
+		if p, err := exec.LookPath(candidate); err == nil {
+			realP, evalErr := filepath.EvalSymlinks(p)
+			if evalErr != nil {
+				return nil, evalErr
+			}
+			args.SocketVMNet = realP
+			break
+		} else if errors.Is(err, os.ErrNotExist) {
+			logrus.WithError(err).Debugf("Failed to look up socket_vmnet path %q", candidate)
+		} else {
+			logrus.WithError(err).Warnf("Failed to look up socket_vmnet path %q", candidate)
+		}
+	}
+	return textutil.ExecuteTemplate(defaultConfigTemplate, args)
+}
 
 func DefaultConfig() (YAML, error) {
 	var config YAML
-	err := yaml.UnmarshalWithOptions(defaultConfig, &config, yaml.Strict())
-	return config, err
+	defaultConfig, err := defaultConfigBytes()
+	if err != nil {
+		return config, err
+	}
+	err = yaml.UnmarshalWithOptions(defaultConfig, &config, yaml.Strict())
+	if err != nil {
+		return config, err
+	}
+	return config, nil
 }
 
 var cache struct {
@@ -56,6 +96,11 @@ func loadCache() {
 				cache.err = fmt.Errorf("could not create %q directory: %w", configDir, cache.err)
 				return
 			}
+			var defaultConfig []byte
+			defaultConfig, cache.err = defaultConfigBytes()
+			if cache.err != nil {
+				return
+			}
 			cache.err = os.WriteFile(configFile, defaultConfig, 0644)
 			if cache.err != nil {
 				return

pkg/networks/networks.yaml renamed to pkg/networks/networks.TEMPLATE.yaml

@@ -12,7 +12,7 @@
 paths:
 # socketVMNet requires Lima >= 0.12 .
 # socketVMNet has precedence over vdeVMNet.
-  socketVMNet: /opt/socket_vmnet/bin/socket_vmnet
+  socketVMNet: "{{.SocketVMNet}}"
 # vdeSwitch and vdeVMNet are DEPRECATED.
   vdeSwitch: /opt/vde/bin/vde_switch
   vdeVMNet: /opt/vde/bin/vde_vmnet

pkg/networks/sudoers.go

@@ -104,7 +104,9 @@ func (config *YAML) VerifySudoAccess(sudoersFile string) error {
 		return err
 	}
 	if string(b) != sudoers {
-		return fmt.Errorf("sudoers file %q is out of sync and must be regenerated", sudoersFile)
+		// Happens on upgrading socket_vmnet with Homebrew
+		return fmt.Errorf("sudoers file %q is out of sync and must be regenerated (Hint: run `%s sudoers >etc_sudoers.d_lima && sudo mv etc_sudoers.d_lima %q`)",
+			sudoersFile, os.Args[0], sudoersFile)
 	}
 	return nil
 }

pkg/networks/validate.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 
 	"github.com/lima-vm/lima/pkg/osutil"
+	"github.com/sirupsen/logrus"
 )
 
 func (config *YAML) Validate() error {
@@ -103,7 +104,9 @@ func validatePath(path string, allowDaemonGroupWritable bool) error {
 		return err
 	}
 	if stat.Uid != root.Uid {
-		return fmt.Errorf(`%s %q is not owned by %q (uid: %d), but by uid %d`, file, path, root.User, root.Uid, stat.Uid)
+		// Not ideal, but very typical on Homebrew set up
+		logrus.Warnf(`%s %q is not owned by %q (uid: %d), but by uid %d (Hint: No action is necessary if uid %d is an admin, but beware that uid %d can take the root)`,
+			file, path, root.User, root.Uid, stat.Uid, stat.Uid, stat.Uid)
 	}
 	if allowDaemonGroupWritable {
 		daemon, err := osutil.LookupUser("daemon")
@@ -118,7 +121,8 @@ func validatePath(path string, allowDaemonGroupWritable bool) error {
 			return fmt.Errorf(`%s %q is not executable by the %q (gid: %d)" group`, file, path, daemon.User, daemon.Gid)
 		}
 	} else if fi.Mode()&020 != 0 && stat.Gid != root.Gid {
-		return fmt.Errorf(`%s %q is group-writable and group is not %q (gid: %d), but is gid: %d`,
+		// Not ideal, but very typical on Homebrew set up
+		logrus.Warnf(`%s %q is group-writable and group is not %q (gid: %d), but is gid: %d`,
 			file, path, root.User, root.Gid, stat.Gid)
 	}
 	if fi.Mode()&002 != 0 {