Skip to content

feat: use vzNAT for vz networking, gate socket_vmnet behind config for qemu#1749

Open
ayush-panta wants to merge 1 commit into
mainfrom
socket-vmnet-config
Open

feat: use vzNAT for vz networking, gate socket_vmnet behind config for qemu#1749
ayush-panta wants to merge 1 commit into
mainfrom
socket-vmnet-config

Conversation

@ayush-panta

@ayush-panta ayush-panta commented May 22, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Issue #, if available: Closes #1173

Description of changes:

Eliminates the requirement for root privilege during finch vm init for the default (vz) VM type by using vzNAT for networking instead of socket_vmnet.

Previously, finch vm init unconditionally installed socket_vmnet to /opt/finch/ (requiring sudo) regardless of VM type. This caused silent hangs in non-interactive environments (AI terminals, CI, clamshell mode) where the sudo prompt cannot be fulfilled.

Summary of changes:

  • vz (default): Automatically configures vzNAT: true in the Lima default config. This provides host-to-VM IP access via Apple's Virtualization framework without any privilege escalation. The VM gets a lima0 interface (a secondary network interface providing direct IP connectivity from the host) powered by vzNAT instead of socket_vmnet.
  • qemu: socket_vmnet installation is now gated behind a new socketVMNet: true config option in finch.yaml. Without it, qemu uses SLIRP networking (port forwarding still works). When enabled, socket_vmnet creates the lima0 interface via a privileged daemon, giving the VM a routable IP on a shared virtual network (192.168.105.0/24).
  • Adds a warning message before sudo operations when socket_vmnet is being installed, so users in non-interactive contexts get a clear message instead of a silent hang.

Note: lima0 is the secondary network interface inside the VM that provides direct IP access from the macOS host. Without it, the VM is only reachable via port forwarding on localhost. With vzNAT (vz) or socket_vmnet (qemu), lima0 gets an IP address that the host can reach directly.

Testing done:

  • finch vm init with vz (default): no sudo prompt, vzNAT configured, lima0 created, VM reachable from host via IPv6 ping

  • finch vm init with qemu (no socketVMNet): no sudo prompt, no socket_vmnet, no lima0, port forwarding works (finch run -p 8080:80 nginx && curl localhost:8080)

  • finch vm init with qemu + socketVMNet: true: warning shown, sudo prompt appears, socket_vmnet installs, lima0 created, VM reachable from host via IPv6 ping

  • finch vm stop && finch vm start with socket_vmnet: no re-prompt (NOPASSWD sudoers rule works)

  • Unit tests added for dependency gating logic (4 test cases, all pass)

  • Existing vmnet unit tests pass

  • I've reviewed the guidance in CONTRIBUTING.md

License Acceptance

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@ayush-panta ayush-panta force-pushed the socket-vmnet-config branch 3 times, most recently from d242adb to a5937eb Compare May 22, 2026 21:16
@ayush-panta ayush-panta marked this pull request as draft June 1, 2026 16:43
@ayush-panta
feat: use vzNAT for vz networking, gate socket_vmnet behind config fo…
4c1ca06 
…r qemu

Signed-off-by: ayush-panta <ayushkp@amazon.com>
@ayush-panta ayush-panta force-pushed the socket-vmnet-config branch from a5937eb to 4c1ca06 Compare June 1, 2026 16:55
@ayush-panta ayush-panta marked this pull request as ready for review June 1, 2026 18:51
@ayush-panta ayush-panta mentioned this pull request Jun 1, 2026
Open
@ayush-panta ayush-panta changed the title feat: gate socket_vmnet install behind sharedNetworking config feat: use vzNAT for vz networking, gate socket_vmnet behind config for qemu Jun 1, 2026
Swapnanil-Gupta
Swapnanil-Gupta reviewed Jun 2, 2026
View reviewed changes
Comment thread pkg/config/lima_config_applier.go
// Configure vzNAT networking for vz (no sudo required, always enabled)
if lca.cfg.VMType != nil && *lca.cfg.VMType == "vz" {
limaCfg.Networks = append(limaCfg.Networks, limatype.Network{
VZNAT: pointer.Bool(true),

@Swapnanil-Gupta Swapnanil-Gupta Jun 2, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we try disabling vmnet by default and only enabling it for both vz (through vzNAT) and qemu (via socket_vmnet) when vmnet: true in finch config for consistency? And then rename the config flag to vmnet?

Comment thread pkg/dependency/vmnet/binaries_unix.go
func (bin *binaries) Install() error {
if bin.l != nil {
bin.l.Infof("Shared networking setup requires sudo. If this hangs " +
"(may be the case in non-interactive sesh or clamshell mode), " +

@Swapnanil-Gupta Swapnanil-Gupta Jun 2, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we try to detect interactive mode?
Also nit: maybe we can shorten this message?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Swapnanil-Gupta Swapnanil-Gupta Swapnanil-Gupta left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Feature] Support vzNAT for vz VM type

2 participants

@ayush-panta @Swapnanil-Gupta