Merge pull request #4384 from AkihiroSuda/fix-4334

jandubois · web-flow · commit 68be6f2b9bfc · 2025-11-20T23:09:16.000-08:00
templates: fedora-43: disable ssh.overVsock as a workaround for SELinux issue
diff --git a/hack/test-templates.sh b/hack/test-templates.sh
@@ -336,30 +336,30 @@ if [[ -n ${CHECKS["ssh-over-vsock"]} ]]; then
 	if [[ "$(limactl ls "${NAME}" --yq .vmType)" == "vz" ]]; then
 		INFO "Testing SSH over vsock"
 		set -x
-		INFO "Testing LIMA_SSH_OVER_VSOCK=true environment"
+		INFO "Testing .ssh.overVsock=true configuration"
 		limactl stop "${NAME}"
 		# Detection of the SSH server on VSOCK may fail; however, a failing log indicates that controlling detection via the environment variable works as expected.
-		if ! LIMA_SSH_OVER_VSOCK=true limactl start "${NAME}" 2>&1 | grep -i -E "(started vsock forwarder|Failed to detect SSH server on vsock)"; then
+		if ! limactl start --set '.ssh.overVsock=true' "${NAME}" 2>&1 | grep -i -E "(started vsock forwarder|Failed to detect SSH server on vsock)"; then
 			set +x
 			diagnose "${NAME}"
-			ERROR "LIMA_SSH_OVER_VSOCK=true did not enable vsock forwarder"
+			ERROR ".ssh.overVsock=true did not enable vsock forwarder"
 			exit 1
 		fi
-		INFO 'Testing LIMA_SSH_OVER_VSOCK="" environment'
+		INFO 'Testing .ssh.overVsock=null configuration'
 		limactl stop "${NAME}"
 		# Detection of the SSH server on VSOCK may fail; however, a failing log indicates that controlling detection via the environment variable works as expected.
-		if ! LIMA_SSH_OVER_VSOCK="" limactl start "${NAME}" 2>&1 | grep -i -E "(started vsock forwarder|Failed to detect SSH server on vsock)"; then
+		if ! limactl start --set '.ssh.overVsock=null' "${NAME}" 2>&1 | grep -i -E "(started vsock forwarder|Failed to detect SSH server on vsock)"; then
 			set +x
 			diagnose "${NAME}"
-			ERROR "LIMA_SSH_OVER_VSOCK= did not enable vsock forwarder"
+			ERROR ".ssh.overVsock=null did not enable vsock forwarder"
 			exit 1
 		fi
-		INFO "Testing LIMA_SSH_OVER_VSOCK=false environment"
+		INFO "Testing .ssh.overVsock=false configuration"
 		limactl stop "${NAME}"
-		if ! LIMA_SSH_OVER_VSOCK=false limactl start "${NAME}" 2>&1 | grep -i "skipping detection of SSH server on vsock port"; then
+		if ! limactl start --set '.ssh.overVsock=false' "${NAME}" 2>&1 | grep -i "skipping detection of SSH server on vsock port"; then
 			set +x
 			diagnose "${NAME}"
-			ERROR "LIMA_SSH_OVER_VSOCK=false did not disable vsock forwarder"
+			ERROR ".ssh.overVsock=false did not disable vsock forwarder"
 			exit 1
 		fi
 		set +x
diff --git a/pkg/driver/krunkit/krunkit_driver_darwin_arm64.go b/pkg/driver/krunkit/krunkit_driver_darwin_arm64.go
@@ -64,6 +64,10 @@ func (l *LimaKrunkitDriver) CreateDisk(ctx context.Context) error {
 }
 
 func (l *LimaKrunkitDriver) Start(ctx context.Context) (chan error, error) {
+	if l.Instance.Config.SSH.OverVsock != nil && *l.Instance.Config.SSH.OverVsock {
+		logrus.Warn(".ssh.overVsock is not implemented yet for krunkit driver")
+	}
+
 	var err error
 	l.usernetClient, l.stopUsernet, err = startUsernet(ctx, l.Instance)
 	if err != nil {
diff --git a/pkg/driver/qemu/qemu_driver.go b/pkg/driver/qemu/qemu_driver.go
@@ -247,6 +247,10 @@ func (l *LimaQemuDriver) Start(_ context.Context) (chan error, error) {
 		}
 	}()
 
+	if l.Instance.Config.SSH.OverVsock != nil && *l.Instance.Config.SSH.OverVsock {
+		logrus.Warn(".ssh.overVsock is not implemented yet for QEMU driver")
+	}
+
 	qCfg := Config{
 		Name:         l.Instance.Name,
 		InstanceDir:  l.Instance.Dir,
diff --git a/pkg/driver/vz/vm_darwin.go b/pkg/driver/vz/vm_darwin.go
@@ -105,16 +105,11 @@ func startVM(ctx context.Context, inst *limatype.Instance, sshLocalPort int) (vm
 						defer close(notifySSHLocalPortAccessible)
 						usernetSSHLocalPort := sshLocalPort
 						useSSHOverVsock := true
-						if envVar := os.Getenv("LIMA_SSH_OVER_VSOCK"); envVar != "" {
-							b, err := strconv.ParseBool(envVar)
-							if err != nil {
-								logrus.WithError(err).Warnf("invalid LIMA_SSH_OVER_VSOCK value %q", envVar)
-							} else {
-								useSSHOverVsock = b
-							}
+						if inst.Config.SSH.OverVsock != nil {
+							useSSHOverVsock = *inst.Config.SSH.OverVsock
 						}
 						if !useSSHOverVsock {
-							logrus.Info("LIMA_SSH_OVER_VSOCK is false, skipping detection of SSH server on vsock port")
+							logrus.Info("ssh.overVsock is false, skipping detection of SSH server on vsock port")
 						} else if err := usernetClient.WaitOpeningSSHPort(ctx, inst); err == nil {
 							hostAddress := net.JoinHostPort(inst.SSHAddress, strconv.Itoa(usernetSSHLocalPort))
 							if err := wrapper.startVsockForwarder(ctx, 22, hostAddress); err == nil {
diff --git a/pkg/driver/vz/vz_driver_darwin.go b/pkg/driver/vz/vz_driver_darwin.go
@@ -140,6 +140,10 @@ func (l *LimaVzDriver) FillConfig(ctx context.Context, cfg *limatype.LimaYAML, _
 		cfg.MountType = ptr.Of(limatype.VIRTIOFS)
 	}
 
+	if cfg.SSH.OverVsock == nil {
+		cfg.SSH.OverVsock = ptr.Of(true)
+	}
+
 	var vzOpts limatype.VZOpts
 	if err := limayaml.Convert(cfg.VMOpts[limatype.VZ], &vzOpts, "vmOpts.vz"); err != nil {
 		logrus.WithError(err).Warnf("Couldn't convert %q", cfg.VMOpts[limatype.VZ])
diff --git a/pkg/driver/wsl2/wsl_driver_windows.go b/pkg/driver/wsl2/wsl_driver_windows.go
@@ -220,6 +220,11 @@ func (l *LimaWslDriver) Delete(ctx context.Context) error {
 }
 
 func (l *LimaWslDriver) Start(ctx context.Context) (chan error, error) {
+	if l.Instance.Config.SSH.OverVsock != nil && *l.Instance.Config.SSH.OverVsock {
+		// Probably never supportable for WSL2
+		logrus.Warn(".ssh.overVsock is not supported for WSL2 driver")
+	}
+
 	logrus.Infof("Starting WSL VM")
 	status, err := getWslStatus(ctx, l.Instance.Name)
 	if err != nil {
diff --git a/pkg/limatype/lima_yaml.go b/pkg/limatype/lima_yaml.go
@@ -196,6 +196,8 @@ type SSH struct {
 	ForwardAgent      *bool `yaml:"forwardAgent,omitempty" json:"forwardAgent,omitempty" jsonschema:"nullable"`           // default: false
 	ForwardX11        *bool `yaml:"forwardX11,omitempty" json:"forwardX11,omitempty" jsonschema:"nullable"`               // default: false
 	ForwardX11Trusted *bool `yaml:"forwardX11Trusted,omitempty" json:"forwardX11Trusted,omitempty" jsonschema:"nullable"` // default: false
+
+	OverVsock *bool `yaml:"overVsock,omitempty" json:"overVsock,omitempty" jsonschema:"nullable"` // default: depends on VMType
 }
 
 type Firmware struct {
diff --git a/pkg/limayaml/defaults.go b/pkg/limayaml/defaults.go
@@ -375,6 +375,26 @@ func FillDefault(ctx context.Context, y, d, o *limatype.LimaYAML, filePath strin
 		y.SSH.ForwardX11Trusted = ptr.Of(false)
 	}
 
+	if y.SSH.OverVsock == nil {
+		y.SSH.OverVsock = d.SSH.OverVsock
+	}
+	if o.SSH.OverVsock != nil {
+		y.SSH.OverVsock = o.SSH.OverVsock
+	}
+	// y.SSH.OverVsock default value depends on the driver; filled in driver-specific FillDefault()
+
+	// The deprecated environment variable LIMA_SSH_OVER_VSOCK takes precedence over .ssh.overVsock
+	if envVar := os.Getenv("LIMA_SSH_OVER_VSOCK"); envVar != "" {
+		logrus.Warn("The environment variable LIMA_SSH_OVER_VSOCK is deprecated in favor of the YAML field .ssh.overVsock")
+		b, err := strconv.ParseBool(envVar)
+		if err != nil {
+			logrus.WithError(err).Warnf("invalid LIMA_SSH_OVER_VSOCK value %q", envVar)
+		} else {
+			logrus.Debugf("Overriding ssh.overVsock from %v to %v via LIMA_SSH_OVER_VSOCK", y.SSH.OverVsock, &b)
+			y.SSH.OverVsock = ptr.Of(b)
+		}
+	}
+
 	hosts := make(map[string]string)
 	// Values can be either names or IP addresses. Name values are canonicalized in the hostResolver.
 	maps.Copy(hosts, d.HostResolver.Hosts)
diff --git a/templates/_images/fedora-43.yaml b/templates/_images/fedora-43.yaml
@@ -9,6 +9,12 @@ images:
 
 # No RISC-V release yet for Fedora 43: https://download.fedoraproject.org/pub/alt/risc-v/release/
 
+ssh:
+  # ssh.overVsock does not work with Fedora 43 due to a SELinux policy issue
+  # https://github.com/lima-vm/lima/issues/4334#issuecomment-3561294333
+  # avc:  denied  { getattr } for  pid=1355 comm="sshd-auth" scontext=system_u:system_r:sshd_auth_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
+  overVsock: false
+
 # # NOTE: Intel Mac with macOS prior to 15.5 requires setting vmType to qemu
 # # https://github.com/lima-vm/lima/issues/3334
 # vmType: qemu
diff --git a/templates/default.yaml b/templates/default.yaml
@@ -138,6 +138,9 @@ ssh:
   # Trust forwarded X11 clients
   # 🟢 Builtin default: false
   forwardX11Trusted: null
+  # Enable SSH over vsock.
+  # 🟢 Builtin default: true for vz, false for other vmTypes
+  overVsock: null
 
 caCerts:
   # If set to `true`, this will remove all the default trusted CA certificates that
diff --git a/website/content/en/docs/config/environment-variables.md b/website/content/en/docs/config/environment-variables.md
@@ -114,6 +114,7 @@ This page documents the environment variables used in Lima.
   export LIMA_SSH_OVER_VSOCK=true
   ```
 - **Note**: This variable is effective only if the VM is VZ based and systemd is v256 or later (e.g. Ubuntu 24.10+).
+- **Deprecated**: This variable is deprecated in favor of the YAML field `.ssh.overVsock` (since v2.0.2).
 
 ### `LIMA_SSH_PORT_FORWARDER`
 
diff --git a/website/content/en/docs/config/port.md b/website/content/en/docs/config/port.md
@@ -48,10 +48,10 @@ LIMA_SSH_PORT_FORWARDER=true limactl start
 If VM is VZ based and systemd is v256 or later (e.g. Ubuntu 24.10+), Lima uses AF_VSOCK for communication between host and guest.
 SSH based port forwarding is much faster when using AF_VSOCK compared to traditional virtual network based port forwarding.
 
-To disable this feature, set `LIMA_SSH_OVER_VSOCK` to `false`:
+To disable this feature, set `.ssh.overVsock` to `false`:
 
 ```bash
-export LIMA_SSH_OVER_VSOCK=false
+limactl start --set '.ssh.overVsock=false'
 ```
 
 ### Using GRPC
diff --git a/website/content/en/docs/releases/deprecated.md b/website/content/en/docs/releases/deprecated.md
@@ -8,6 +8,7 @@ The following features are deprecated:
 - `limactl show-ssh` command: deprecated in v0.18.0 (Use `ssh -F ~/.lima/default/ssh.config lima-default` instead)
 - Ansible provisioning mode: deprecated in Lima v1.1.0 (Use `ansible-playbook playbook.yaml` after the start instead)
 - `limactl --yes` flag: deprecated in Lima v2.0.0 (Use `limactl (clone|rename|edit|shell) --start` instead)
+- Environment variable `LIMA_SSH_OVER_VSOCK`: deprecated in Lima v2.0.2 (Use the YAML property `.ssh.overVsock`)
 
 ## Removed features
 - YAML property `network`: deprecated in [Lima v0.7.0](https://github.com/lima-vm/lima/commit/07e68230e70b21108d2db3ca5e0efd0e43842fbd)

Original file line number	Diff line number	Diff line change
`@@ -196,6 +196,8 @@ type SSH struct {`
`196`	`196`	ForwardAgent *bool `yaml:"forwardAgent,omitempty" json:"forwardAgent,omitempty" jsonschema:"nullable"` // default: false
`197`	`197`	ForwardX11 *bool `yaml:"forwardX11,omitempty" json:"forwardX11,omitempty" jsonschema:"nullable"` // default: false
`198`	`198`	ForwardX11Trusted *bool `yaml:"forwardX11Trusted,omitempty" json:"forwardX11Trusted,omitempty" jsonschema:"nullable"` // default: false
	`199`	`+`
	`200`	+ OverVsock *bool `yaml:"overVsock,omitempty" json:"overVsock,omitempty" jsonschema:"nullable"` // default: depends on VMType
`199`	`201`	`}`
`200`	`202`
`201`	`203`	`type Firmware struct {`