Execute add/remove registry entries in elevated mode with hyperv

Adding/removing a key in the Windows registry requires elevated rights.
For this reason, using podman with hyperv had the contraint to run it as
admin otherwise it was not possible to init/rm a hyperv machine.

This patch adds a couple of functions to add/remove registry entries in
bulk in privileged mode. When creating/deleting a machine the user is asked only once
to elevate the rights to perform the action.

Signed-off-by: lstocchi <[email protected]>

Author: lstocchi

pkg/machine/hyperv/stubber.go

@@ -55,26 +55,31 @@ func (h HyperVStubber) CreateVM(opts define.CreateVMOpts, mc *vmconfigs.MachineC
 		Memory:   uint64(mc.Resources.Memory),
 	}
 
-	networkHVSock, err := vsock.NewHVSockRegistryEntry(mc.Name, vsock.Network)
+	networkHVSock, err := vsock.CreateHVSockRegistryEntry(mc.Name, vsock.Network)
 	if err != nil {
 		return err
 	}
 
 	mc.HyperVHypervisor.NetworkVSock = *networkHVSock
 
-	// Add vsock port numbers to mounts
-	err = createShares(mc)
+	// Create vsock port numbers to mounts
+	sharesVsock, err := createShares(mc)
 	if err != nil {
 		return err
 	}
 
-	removeShareCallBack := func() error {
-		return removeShares(mc)
+	// Add all vsock
+	err = vsock.AddHVSockRegistryEntries(append([]vsock.HVSockRegistryEntry{
+		mc.HyperVHypervisor.ReadyVsock,
+		mc.HyperVHypervisor.NetworkVSock,
+	}, sharesVsock...))
+	if err != nil {
+		return err
 	}
-	callbackFuncs.Add(removeShareCallBack)
 
 	removeRegistrySockets := func() error {
-		removeNetworkAndReadySocketsFromRegistry(mc)
+		sockets := getVsockShares(mc)
+		removeSocketsFromRegistry(mc, sockets)
 		return nil
 	}
 	callbackFuncs.Add(removeRegistrySockets)
@@ -144,7 +149,7 @@ func (h HyperVStubber) Remove(mc *vmconfigs.MachineConfig) ([]string, func() err
 
 	rmFunc := func() error {
 		// Tear down vsocks
-		removeNetworkAndReadySocketsFromRegistry(mc)
+		removeSocketsFromRegistry(mc, []vsock.HVSockRegistryEntry{})
 
 		// Remove ignition registry entries - not a fatal error
 		// for vm removal
@@ -358,7 +363,7 @@ func (h HyperVStubber) PrepareIgnition(mc *vmconfigs.MachineConfig, ignBuilder *
 	// simply be derived. So we create the HyperVConfig here.
 	mc.HyperVHypervisor = new(vmconfigs.HyperVConfig)
 	var ignOpts ignition.ReadyUnitOpts
-	readySock, err := vsock.NewHVSockRegistryEntry(mc.Name, vsock.Events)
+	readySock, err := vsock.CreateHVSockRegistryEntry(mc.Name, vsock.Events)
 	if err != nil {
 		return nil, err
 	}
@@ -461,17 +466,16 @@ func resizeDisk(newSize strongunits.GiB, imagePath *define.VMFile) error {
 	return nil
 }
 
-// removeNetworkAndReadySocketsFromRegistry removes the Network and Ready sockets
+// removeSocketsFromRegistry removes the Network, Ready and others (passed by the caller) sockets
 // from the Windows Registry
-func removeNetworkAndReadySocketsFromRegistry(mc *vmconfigs.MachineConfig) {
-	// Remove the HVSOCK for networking
-	if err := mc.HyperVHypervisor.NetworkVSock.Remove(); err != nil {
-		logrus.Errorf("unable to remove registry entry for %s: %q", mc.HyperVHypervisor.NetworkVSock.KeyName, err)
-	}
-
-	// Remove the HVSOCK for events
-	if err := mc.HyperVHypervisor.ReadyVsock.Remove(); err != nil {
-		logrus.Errorf("unable to remove registry entry for %s: %q", mc.HyperVHypervisor.ReadyVsock.KeyName, err)
+func removeSocketsFromRegistry(mc *vmconfigs.MachineConfig, others []vsock.HVSockRegistryEntry) {
+	// remove all sockets from registry
+	err := vsock.RemoveHVSockRegistryEntries(append([]vsock.HVSockRegistryEntry{
+		mc.HyperVHypervisor.ReadyVsock,
+		mc.HyperVHypervisor.NetworkVSock,
+	}, others...))
+	if err != nil {
+		logrus.Errorf("unable to remove registry entries: %q", err)
 	}
 }
 

pkg/machine/hyperv/volumes.go

@@ -40,6 +40,27 @@ func removeShares(mc *vmconfigs.MachineConfig) error {
 	return removalErr
 }
 
+func getVsockShares(mc *vmconfigs.MachineConfig) []vsock.HVSockRegistryEntry {
+	entries := []vsock.HVSockRegistryEntry{}
+
+	for _, mount := range mc.Mounts {
+		if mount.VSockNumber == nil {
+			// nothing to do if the vsock number was never defined
+			continue
+		}
+
+		vsockReg, err := vsock.LoadHVSockRegistryEntry(*mount.VSockNumber)
+		if err != nil {
+			logrus.Debugf("Vsock %d for mountpoint %s does not have a valid registry entry, skipping removal", *mount.VSockNumber, mount.Target)
+			continue
+		}
+
+		entries = append(entries, *vsockReg)
+	}
+
+	return entries
+}
+
 func startShares(mc *vmconfigs.MachineConfig) error {
 	for _, mount := range mc.Mounts {
 		var args []string
@@ -70,14 +91,16 @@ func startShares(mc *vmconfigs.MachineConfig) error {
 	return nil
 }
 
-func createShares(mc *vmconfigs.MachineConfig) (err error) {
+func createShares(mc *vmconfigs.MachineConfig) ([]vsock.HVSockRegistryEntry, error) {
+	vsockEntries := []vsock.HVSockRegistryEntry{}
 	for _, mount := range mc.Mounts {
-		testVsock, err := vsock.NewHVSockRegistryEntry(mc.Name, vsock.Fileserver)
+		testVsock, err := vsock.CreateHVSockRegistryEntry(mc.Name, vsock.Fileserver)
 		if err != nil {
-			return err
+			return nil, err
 		}
+		vsockEntries = append(vsockEntries, *testVsock)
 		mount.VSockNumber = &testVsock.Port
 		logrus.Debugf("Going to share directory %s via 9p on vsock %d", mount.Source, testVsock.Port)
 	}
-	return nil
+	return vsockEntries, nil
 }

pkg/machine/hyperv/vsock/vsock.go

@@ -7,10 +7,13 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"os"
+	"os/exec"
 	"strings"
 
 	"github.com/Microsoft/go-winio"
 	"github.com/containers/podman/v5/pkg/machine/sockets"
+	"github.com/containers/podman/v5/pkg/machine/wsl/wutil"
 	"github.com/containers/podman/v5/utils"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/windows/registry"
@@ -83,7 +86,7 @@ type HVSockRegistryEntry struct {
 }
 
 // Add creates a new Windows registry entry with string values from the
-// HVSockRegistryEntry.
+// HVSockRegistryEntry. Must have elevated rights.
 func (hv *HVSockRegistryEntry) Add() error {
 	if err := hv.validate(); err != nil {
 		return err
@@ -186,9 +189,9 @@ func findOpenHVSockPort() (uint64, error) {
 	return 0, errors.New("unable to find a free port for hvsock use")
 }
 
-// NewHVSockRegistryEntry is a constructor to make a new registry entry in Windows.  After making the new
-// object, you must call the add() method to *actually* add it to the Windows registry.
-func NewHVSockRegistryEntry(machineName string, purpose HVSockPurpose) (*HVSockRegistryEntry, error) {
+// CreateHVSockRegistryEntry is a constructor to make an instance of a registry entry in Windows. After making the new
+// object, you must call the add() method or AddHVSockRegistryEntries(...) to *actually* add it to the Windows registry.
+func CreateHVSockRegistryEntry(machineName string, purpose HVSockPurpose) (*HVSockRegistryEntry, error) {
 	// a so-called wildcard entry ... everything from FACB -> 6D3 is MS special sauce
 	// for a " linux vm".  this first segment is hexi for the hvsock port number
 	// 00000400-FACB-11E6-BD58-64006A7986D3
@@ -202,10 +205,96 @@ func NewHVSockRegistryEntry(machineName string, purpose HVSockPurpose) (*HVSockR
 		Port:        port,
 		MachineName: machineName,
 	}
+
+	return &r, nil
+}
+
+// NewHVSockRegistryEntry is a constructor to make a new registry entry in Windows.  After making the new
+// object, it calls the add() method to *actually* add it to the Windows registry.
+func NewHVSockRegistryEntry(machineName string, purpose HVSockPurpose) (*HVSockRegistryEntry, error) {
+	r, err := CreateHVSockRegistryEntry(machineName, purpose)
+	if err != nil {
+		return nil, err
+	}
+
 	if err := r.Add(); err != nil {
 		return nil, err
 	}
-	return &r, nil
+
+	return r, nil
+}
+
+// AddHVSockRegistryEntries allows to *actually* add multiple registry entries to the Windows registry
+// As adding an entry to the HKLM path in the Registry requires elevated privileges, this func can be used for bulk insertion so to
+// ask the user for elevated rights only once
+func AddHVSockRegistryEntries(entries []HVSockRegistryEntry) error {
+	// create a script which will be executed with elevated rights
+	script := ""
+	for _, entry := range entries {
+		if err := entry.validate(); err != nil {
+			return err
+		}
+		exists, err := entry.exists()
+		if err != nil {
+			return err
+		}
+		if exists {
+			return fmt.Errorf("%q: %s", ErrVSockRegistryEntryExists, entry.KeyName)
+		}
+		parentKey, err := registry.OpenKey(registry.LOCAL_MACHINE, VsockRegistryPath, registry.QUERY_VALUE)
+		defer func() {
+			if err := parentKey.Close(); err != nil {
+				logrus.Error(err)
+			}
+		}()
+		if err != nil {
+			return err
+		}
+
+		// for each entry it adds a purpose and machineName property
+		registryPath := fmt.Sprintf("HKLM:\\%s", VsockRegistryPath)
+		keyPath := fmt.Sprintf("%s\\%s", registryPath, entry.KeyName)
+
+		createRegistryKeyCmd := fmt.Sprintf("New-Item -Path '%s' -Name '%s'", registryPath, entry.KeyName)
+		addPurposePropertyCmd := fmt.Sprintf("New-ItemProperty -Path '%s' -Name '%s' -Value '%s' -PropertyType String", keyPath, HvsockPurpose, entry.Purpose.string())
+		addMachinePropertyCmd := fmt.Sprintf("New-ItemProperty -Path '%s' -Name '%s' -Value '%s' -PropertyType String", keyPath, HvsockMachineName, entry.MachineName)
+
+		script += fmt.Sprintf("%s; %s; %s;", createRegistryKeyCmd, addPurposePropertyCmd, addMachinePropertyCmd)
+	}
+
+	// launch the script in elevated mode
+	return launchElevated(script)
+}
+
+// RemoveHVSockRegistryEntries allows to *actually* remove multiple registry entries from the Windows registry
+// As removing an entry from the HKLM path in the Registry requires elevated privileges, this func can be used for bulk deletion so to
+// ask the user for elevated rights only once
+func RemoveHVSockRegistryEntries(entries []HVSockRegistryEntry) error {
+	// create a script which will be executed with elevated rights
+	script := ""
+	for _, entry := range entries {
+		// for each entry it calculate the path and the script to remove it
+		registryPath := fmt.Sprintf("HKLM:\\%s", VsockRegistryPath)
+		keyPath := fmt.Sprintf("%s\\%s", registryPath, entry.KeyName)
+
+		removeRegistryKeyCmd := fmt.Sprintf("Remove-Item -Path '%s' -Force -Recurse", keyPath)
+
+		script += fmt.Sprintf("%s;", removeRegistryKeyCmd)
+	}
+
+	// launch the script in elevated mode
+	return launchElevated(script)
+}
+
+func launchElevated(args string) error {
+	psPath, err := exec.LookPath("powershell.exe")
+	if err != nil {
+		return err
+	}
+
+	d, _ := os.Getwd()
+
+	return wutil.LaunchElevatedWait(psPath, d, args)
 }
 
 func portToKeyName(port uint64) string {

pkg/machine/provider/platform_windows.go

@@ -34,9 +34,6 @@ func Get() (vmconfigs.VMProvider, error) {
 	case define.WSLVirt:
 		return new(wsl.WSLStubber), nil
 	case define.HyperVVirt:
-		if !wsl.HasAdminRights() {
-			return nil, fmt.Errorf("hyperv machines require admin authority")
-		}
 		return new(hyperv.HyperVStubber), nil
 	default:
 		return nil, fmt.Errorf("unsupported virtualization provider: `%s`", resolvedVMType.String())

pkg/machine/wsl/machine.go

@@ -35,14 +35,6 @@ var (
 	vmtype = define.WSLVirt
 )
 
-type ExitCodeError struct {
-	code uint
-}
-
-func (e *ExitCodeError) Error() string {
-	return fmt.Sprintf("Process failed with exit code: %d", e.code)
-}
-
 //nolint:unused
 func getConfigPath(name string) (string, error) {
 	return getConfigPathExt(name, "json")
@@ -374,8 +366,8 @@ func launchElevate(operation string) error {
 	}
 	err := relaunchElevatedWait()
 	if err != nil {
-		if eerr, ok := err.(*ExitCodeError); ok {
-			if eerr.code == ErrorSuccessRebootRequired {
+		if eerr, ok := err.(*wutil.ExitCodeError); ok {
+			if eerr.Code == ErrorSuccessRebootRequired {
 				fmt.Println("Reboot is required to continue installation, please reboot at your convenience")
 				return nil
 			}