Bridged Network Support

[fkorotkov]

We got approved for the com.apple.vm.networking entitlement so now we can use VZBridgedNetworkDeviceAttachment.

FYI @naikrovek @magnusviri

[naikrovek]

oh, wow, nice

[magnusviri]

This is great! I just switched my workflow to use Tart as well!

[cosmoshepcat]

now if apple would just support snapshots in their virtual framework :)

[fkorotkov]

@cosmoshepcat you mean snapshot like in #147?

[cosmoshepcat]

@cosmoshepcat you mean snapshot like in #147?

sort of, what i meant is apple does not have any such core vm snapshot feature in the virtualization framework that I know of. this is why other commercial products like parallels etc cannot take vm snapshots like they do on intel versions/previous versions of their software since they now rely on the api framework for silicon m1 support.

i do not know apples roadmap for such features if any

[fkorotkov]

We had to revert the entitlements in #247 since they require an embedded provisioning profile and we haven't yet figure out how to do it for a CLI toll and not an *.App.

[fkorotkov]

From this doc:

Some macOS products, like daemons and command-line tools, ship as a standalone executable. A standalone executable can’t claim a restricted entitlement because there’s no place to embed the provisioning profile that authorizes that claim. If your standalone executable needs to do this, wrap it in an app-like structure. For an example of this, see Signing a Daemon with a Restricted Entitlement.

If your standalone executable needs to do this, wrap it in an app-like structure. part is very concerning since Tart is a single binary at the moment. Hopefully there is another way...

[fkorotkov]

It seems the only way right now to embed a provisioning profile is to distribute Tart as an *.App and install it in /Applications. 😪🤷‍♂️

[cosmoshepcat]

apple... :(

[edigaryev]

If your standalone executable needs to do this, wrap it in an app-like structure

What if we would ship an App as an option, though?

Seems like it would be possible to handle this via Homebrew. Here's an example of vlc installed via brew:

% cat /opt/homebrew/Caskroom/vlc/3.0.17.3/vlc.wrapper.sh
#!/bin/sh
exec '/Applications/VLC.app/Contents/MacOS/VLC' "$@"

Also some non-Homebrew apps that are CLIs:

% ls -l /usr/local/bin/prlctl
lrwxr-xr-x@ 1 root  wheel  68 Aug 24 23:09 /usr/local/bin/prlctl -> /Applications/Parallels Desktop.app/Contents/MacOS/parallels_wrapper

% ls -l /usr/local/bin/docker
lrwxr-xr-x  1 root  wheel  54 Aug 16 21:11 /usr/local/bin/docker -> /Applications/Docker.app/Contents/Resources/bin/docker

[fkorotkov]

@edigaryev, yeah, I thought about the same. Maybe even start Tart.App and see a list of local VMs to launch in the UI. 🤔 But changing how we release Tart is a task for another day and looks like a hack. I'd prefer to wait a bit and see if it's really the only option. I've created mitchellh/gon#65 to see if maybe someone solved the problem.

[torarnv]

It's possible to embed Info.plists by adding -sectcreate __TEXT __info_plist Info.plist to the linker flags. Perhaps the provisioning profile can be embedded in a similar way?

[naikrovek]

@cosmoshepcat you mean snapshot like in #147?

sort of, what i meant is apple does not have any such core vm snapshot feature in the virtualization framework that I know of. this is why other commercial products like parallels etc cannot take vm snapshots like they do on intel versions/previous versions of their software since they now rely on the api framework for silicon m1 support.

i do not know apples roadmap for such features if any

the APFS filesystem may already do what you are expecting by itself.

i create a VM which i never launch once it is set up. call it a template. when i want to launch a VM, i clone the template and launch the clone. only changes on top the template are persisted in the clone VM disk - the entire disk is not copied. the clone disk contains only what differs from the template VM and consumes very little actual disk space.

i REALLY wish Windows had something like this…

does this info help you?

[magnusviri]

So is --net-bridged supposed to work now? I just tried it and it doesn't work for me.

Error: Invalid virtual machine configuration. Using VZBridgedNetworkDeviceAttachment in a process that lacks the “com.apple.vm.networking” entitlement.

I made sure I used the Tart 0.36.3 pkg from Github and not Homebrew.

[fkorotkov]

Unfortunately, it's not working. See #243 (comment). In order to embed a provisioning profile we need to repack Tart as Tart.App which we'll do in #305. We haven't found another way to embed a provisioning profiles. Might need to hide the flag until then 🤔

[magnusviri]

Sounds good. I'm subscribed to 305 so I'll look forward to its release. If it takes too long to make the app, I seriously wouldn't mind just having an app that did nothing just so I could get the bridged networking. I can't use tart effectively on my laptop until then (I am using it on a Mac Mini).

[fmoc]

Will this feature allow bridging to multiple network interfaces? See #384 (comment) for more information.

[edigaryev]

Will this feature allow bridging to multiple network interfaces? See #384 (comment) for more information.

It's possible to attach multiple network interfaces with Virtualization.Framework, however, we haven't tested how it works with bridged networks yet due to the entitlement limitation.

[larry-brewer]

I'd love to tackle this issue and set up a blank wrapper mac app.

How would I go about running my PR on Tart's CI so that I can sign it with Tart's profile with the entitlement?
Does Tart's CI have the updated provisioning profile with the entitlement?

[fkorotkov]

--net-bridged is finally working in 1.0.0. Please give it a try! There is some hacky things involved. 😅