Support for Virtualization.Framework for macOS 13

[balajiv113]

This PR provides support for using Virtualization.Framework as a optional driver.

The following are the changes done related to using drivers,

• Driver interface
• Migrate current QEMU implementation to driver
• New driver vz for Virtualization.Framework

The following are the features of lima, the vz driver should provide support for below,

• Running VM (Using both disk img and iso)*
• Slirp network for guest to host communication (uses gvisor-tap-vsock)
• Host to guest network (uses vz NAT gateway)*
• Directory sharing, supports reverse-sshfs and virtiofs (newly added)
• Port forwarding
• Host DNS resolver
• Display (Deferring it for now as it requires runtime.LockOsThread() to be called in the beginning of hostagent start cmd)

Notes

• Vz driver internally converts qcow to raw image using (qemu-img convert). This is because vz only supports raw disk
• Need to provide yaml configuration for NAT

Know Issues

• Serial log doesn't contain system boot logs
• Gvisor-tap-vsock will throw some errors like [e.connection](tcpproxy:) during start-up (This is because of port 22 Forwards being tried before VM is ready) [Not a failure/blocker just info message thrown, but we can look into fixing in a follow-up to call ssh forward manually]
• When vz vm stops, it doesn't trigger hostagent stop [Fixed]

Testing
Tested the following templates with driver: vz. All test are done on macOS 13 intel as of now.

• almalinux.yaml
• alpine.yaml
• apptainer.yaml
• archlinux.yaml
• buildkit.yaml
• centos-stream.yaml
• debian.yaml
• docker.yaml
• faasd.yaml
• fedora.yaml
• k3s.yaml
• k8s.yaml
• nomad.yaml
• opensuse.yaml
• oraclelinux.yaml
• podman.yaml
• rocky.yaml
• ubuntu.yaml
• vmnet.yaml

[AkihiroSuda]

The default must remain qemu

[AkihiroSuda]

You can create examples/vz.yaml for the VZ example. (Maybe under experimental dir?)

[balajiv113]

Yes yes that make sense. Will put it under experimental directory.

[balajiv113]

Done.

[AkihiroSuda]

?

[AkihiroSuda]

Please describe in https://github.com/lima-vm/lima/blob/master/docs/internal.md

Also, perhaps the filename should be something like vz-identifier?

[balajiv113]

Done

[AkihiroSuda]

?

[balajiv113]

Done

[AkihiroSuda]

This looks a misnomer.
This starts the network stack that originates from gvisor, but does not start gvisor (sandboxed kernel) actually

[AkihiroSuda]

Maybe StartGVisorNetstack? StartNetstack? StartGvisorNet?

[balajiv113]

Done

[AkihiroSuda]

Should this be called like VMType for consistency with MountType?

[AkihiroSuda]

Also please create a document like docs/vmtype.md or docs/vz.md to explain the usage, requirements, and limitations of vz

[balajiv113]

Isn't VMType kind of gives a wrong meaning (Type of VM like linux etc).

How about DriverType ?

[AkihiroSuda]

Type of VM like linux etc

We only support Linux.
Eventually we may support FreeBSD (if somebody contributes), but that will be probably called "type of guest", not "type of VM"

[balajiv113]

Done the VMType change only for yaml config related places.
Do let me know if you want to change the word driver everywhere (like driver interface, implementations etc).

Will add doc related things as next step.

[AkihiroSuda]

Thanks, "driver" in the interface and impl is ok

[AkihiroSuda]

Perhaps just runtime.GOOS != "windows"

[balajiv113]

Done

[AkihiroSuda]

Can we use switch{} for newState comparisons?

[balajiv113]

Done

[AkihiroSuda]

Did you mean gvisor network?

[balajiv113]

Yes, updated the comments

[AkihiroSuda]

os.WriteFile may suffice

[balajiv113]

Done

[AkihiroSuda]

vz.yaml should not have Docker.
You may create docker-vz.yaml separately though

[AkihiroSuda]

But anyway no need to keep docker-vz.yaml separately when we have limactl start --set K=V or maybe limactl start --vm-type vz

• limactl: start: introduce --set <stringArray> flag to pin static config values instead of creating custom config file #1145

[balajiv113]

Sure. Then i will keep a default example alone in vz.yaml

[balajiv113]

@AkihiroSuda
For NAT network type, shall i go ahead with network.NAT: true/false or network.socket: NAT ?

[AkihiroSuda]

What do you mean by "NAT"?

[AkihiroSuda]

Anyway probably it should be a separate PR

[balajiv113]

For host to guest network, the below code uses https://developer.apple.com/documentation/virtualization/vznatnetworkdeviceattachment provided from virtualization.framework itself.

This doesn't require sudo access.

[AkihiroSuda]

Would it be possible to just use vznat by default and drop gvisor netstack ?

If vznat has to be optional, probably it should be like network.VZNAT: true/false(EDIT: see #1161 (comment)) (separate PR would be preferrable)

[balajiv113]

Yes that should work but with vzNAT there will be other issues like VPN won't be working.

Also i faced issues with calls to host dns resolver via UDP didn't work

[AkihiroSuda]

Thanks, let's keep using gvisor netstack by default, and revisit VZNAT in a separate PR

[AkihiroSuda]

The network.Socket value does not seem consumed

[AkihiroSuda]

I expected it could be supported via VZFileHandleNetworkDeviceAttachment , but seems incompatible with QEMU:
https://developer.apple.com/documentation/virtualization/vzfilehandlenetworkdeviceattachment?language=objc

So we have to error out when network.Socket is non-empty

[balajiv113]

I think we can support it, maybe some extra support might be needed from socker_vmnet as well. I will try to support this in a different PR.

[AkihiroSuda]

Every switch{} should have default:

[balajiv113]

Done. By default doing a debug log.

[AkihiroSuda]

Warnings should be printed for ignored YAML propertries: https://github.com/containerd/nerdctl/blob/c1a4159035b77a4a739a503b98139a17ac3440b8/pkg/composer/serviceparser/serviceparser.go#L38

Can be another PR though

[balajiv113]

Sure. Will take care of this in follow-up PR

[balajiv113]

Added errors for not supported one like legacyBios. As vm will not even start with this as true.
For other things will take it up in a follow-up PR like networks, mount as 9p etc.

[Code-Hex]

nits: I think Stat is better because if the file exists, it will not be closed until it is GC'd.

[balajiv113]

Done

[Code-Hex]

I think error handling would be required to check version compatibility. Given that lima-vm will be built with the latest OS, handling of vz.ErrBuildTargetOSVersion is unnecessary. (maybe)
https://github.com/Code-Hex/vz#version-compatibility-check

[balajiv113]

@Code-Hex
Lima will only support macOS 13 based EFILoader. Not the old ones. With that, i believe we don't need to do any check right ?
If either the driver is disabled / os version is incompatible, vz already throws a appropriate error. Am i missing something ?

[Code-Hex]

@balajiv113 Right. However, will be returned error might be not helpful for user side. So I meant to return an error with message which is helpful that this driver cannot use below macOS 13. (Or better logging?)

[balajiv113]

Sure will add that as well

[balajiv113]

Done

[shyim]

does it make sense to register there also NewLinuxRosettaDirectoryShare

So we have Rosetta inside VZ? https://github.com/Code-Hex/vz/blob/c436fc367107393c6eda419ff0f69903f674c118/shared_directory_arm64.go#L63

[AkihiroSuda]

Can be another PR

[balajiv113]

Done testing with all the templates,
There are 2 open issues that we might need to address before merging,

1. templates with legacyBoot: true is not working with vz driver. If any pointer please do suggest.
2. kernel boot logs are not coming via serial attachment with UEFI. @Code-Hex, please do suggest if am missing something.

[AkihiroSuda]

No need to support legacy BIOS (in this PR, at least).
Could you document that restriction in a documentation like docs/vmtype.md ?

Also please consider squashing commits

[Code-Hex]

@balajiv113 I believe it's correct behavior that It's started up and it does not appear kernel early messages on the serial attachment because the console is provided via virtio-pci (not UART). This is undocumented officially.

Note that Virtualization.framework provides all IO as virtio-pci, including the console (i.e. not a UART).

https://github.com/evansm7/vftool#kernelsnotes

However, as noted on the wiki, some messages are displayed.

It's not possible to capture early boot messages with it. It starts working around the time /dev is populated. (by using mdev, sdev, etc.)

https://github.com/Code-Hex/vz/wiki#linux-kernel-requirements

[AkihiroSuda]

@chancez Thanks, could you open your rosetta PR after merging this base PR?

One consideration, if we're going add VM-type specific configuration (options specific to VZ or Qemu), perhaps vmType should be made into a object with values.

We already have VM-specific configs in the top-level struct, so I guess we are too late to make that change 😞

lima/examples/default.yaml

Lines 212 to 219 in 06a4b33

	# Specify desired QEMU CPU type for each arch.
	# You can see what options are available for host emulation with: `qemu-system-$(arch) -cpu help`.
	# Setting of instructions is supported like this: "qemu64,+ssse3".
	cpuType:
	# 🟢 Builtin default: "cortex-a72" (or "host" when running on aarch64 host)
	aarch64: null
	# 🟢 Builtin default: "qemu64" (or "host" when running on x86_64 host)
	x86_64: null

lima/examples/default.yaml

Lines 226 to 233 in 06a4b33

	video:
	# QEMU display, e.g., "none", "cocoa", "sdl", "gtk", "default".
	# Choosing "none" will hide the video output, and not show any window.
	# Choosing "default" will pick the first available of: gtk, sdl, cocoa.
	# As of QEMU v6.2, enabling this is known to have negative impact
	# on performance on macOS hosts: https://gitlab.com/qemu-project/qemu/-/issues/334
	# 🟢 Builtin default: "none"
	display: null

[chancez]

@chancez Thanks, could you open your rosetta PR after merging this base PR?

Yeah I'll make a PR with some adjustments to make it closer to "ready" and we can discuss the rest a bit further in that PR.

[AkihiroSuda]

Sorry, needs another rebase

[balajiv113]

Done the rebase.
Also addressed @chancez comments about QEMU log during delete instance and also updated printf with infof

[abiosoft]

Is this outrightly not supported by the driver, and with no workarounds?

[AkihiroSuda]

Expected to be added as "vznat" network in a separate PR
#1147 (comment)

[jandubois]

I've been testing this PR today on an M1 machine running Ventura, and I saw this error when starting template://experimental/vz:

ERRO[0296] [hostagent] r.CreateEndpoint() = connection was refused

Which seems to originate from https://github.com/containers/gvisor-tap-vsock/blob/main/pkg/services/forwarder/tcp.go#L45.

Is this expected? There was no additional information in ha.stderr.log.

[jandubois]

This is being added as an experimental feature, so the implementation can be revised later at any time, but I'd like to make sure that we are fine with the YAML property (Just vmType: "vz")

I'm fine with the vmType property, and fine with merging it now, and refining it later.

I've not had time to review the code in detail, but so far it all looks good, and most importantly: works. I've only tested on M1 so far, but should be able to get remote access to an Intel Ventura machine for testing as well.