VM drivers for supporting macOS guests (`vz`, `host-user`)

[AkihiroSuda]

Supporting macOS guests will be useful for running untrusted packages or AI-generated scripts

Driver vz

The current vz driver could be extended to support macOS guests, however, setting up an instance cannot be easily automated.

The first invocation of limactl start --vm-type=vz template://macos will forcibly open the GUI screen, and ask the user to do the following tasks manually:

• Accept EULA
• Create a user account with the specified name
• Skip the iCloud stuff
• Open the System Settings, and enable SSH
• Run a script in the virtual CD-ROM to set up ~/.ssh/authorized_keys etc.
• Shutdown the VM

Shell

Same as the current vz for Linux guests.

Filesystem

Same as the current vz for Linux guests.

Network

Same as the current vz for Linux guests.

Port forwarding

TBD. Periodically run lsof to scan the ports?

GPU

Depends on Apple's will.

Driver host-user

The new "host-user" driver (tentative) will incorporate https://github.com/AkihiroSuda/alcless so as to create a pseudo-sandbox account using the plain old su/sudo.
(su and sudo have to be mixed together; see https://github.com/AkihiroSuda/alcless/blob/master/README.md#faqs)

The main advantage of this driver is the native access to the host GPU.
This driver may lose its raisondetre when Apple implements GPU passthrough in vz.

Shell

Unlike other drivers, limactl shell can be implemented without using SSH.

Filesystem

• Step 1: No support for mounts.
• Step 2: Extend limactl shell to support alcless-style sync?
• Step 3: Support mounts using FSKit (Apple's FUSE)

Network

(Natively available)

Port forwarding

(Natively available)

GPU

(Natively available)

[AkihiroSuda]

cc @unsuman FYI, if you still have time after completing the implementation of the driver infra and the krun driver

[unsuman]

cc @unsuman FYI, if you still have time after completing the implementation of the driver infra and the krun driver

Of course 👍🏻

[afbjorklund]

Adding macOS guests sounds like a rather odd thing for the Lima project, even more so than adding FreeBSD guests.

• Support for FreeBSD guests ? #1508

[AkihiroSuda]

Adding macOS guests sounds like a rather odd thing for the Lima project, even more so than adding FreeBSD guests.

How is it different from FreeBSD?

[afbjorklund]

The FreeBSD support allowed running containers with runj, but for macOS it seems to be more about Homebrew?

Also the Linux and FreeBSD support is available on all platforms, where as the macOS guests only on macOS hosts.

[jandubois]

Adding macOS guests sounds like a rather odd thing for the Lima project, even more so than adding FreeBSD guests.

I don't know. if this can be done through the new driver interface using an external driver, I think it would be a good validation that the interface can handle non-standard driver implementations.

I do think it would be better if it could be maintained in a separate repo, but don't see why it can't be part of the Lima project.

[afbjorklund]

I gave it some more thought, and I think that providing a small sandbox for isolation might not be a bad thing.

Then we could offer the same thing on Linux with KVM, and use something like firecracker for basic isolation...