Add limactl protect <INSTANCE> to prohibit accidental removal

Fix issue 1595

Signed-off-by: Akihiro Suda <[email protected]>

cmd/limactl/delete.go

@@ -49,6 +49,9 @@ func deleteAction(cmd *cobra.Command, args []string) error {
 }
 
 func deleteInstance(ctx context.Context, inst *store.Instance, force bool) error {
+	if inst.Protected {
+		return fmt.Errorf("instance is protected to prohibit accidental removal (Hint: use `limactl unprotect`)")
+	}
 	if !force && inst.Status != store.StatusStopped {
 		return fmt.Errorf("expected status %q, got %q", store.StatusStopped, inst.Status)
 	}

cmd/limactl/main.go

@@ -116,6 +116,8 @@ func newApp() *cobra.Command {
 		newUsernetCommand(),
 		newGenDocCommand(),
 		newSnapshotCommand(),
+		newProtectCommand(),
+		newUnprotectCommand(),
 	)
 	return rootCmd
 }

cmd/limactl/protect.go

@@ -0,0 +1,48 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/lima-vm/lima/pkg/store"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+func newProtectCommand() *cobra.Command {
+	var protectCommand = &cobra.Command{
+		Use:   "protect INSTANCE [INSTANCE, ...]",
+		Short: "Protect an instance to prohibit accidental removal",
+		Long: `Protect an instance to prohibit accidental removal via the 'limactl delete' command.
+The instance is not being protected against removal via '/bin/rm', Finder, etc.`,
+		Args:              WrapArgsError(cobra.MinimumNArgs(1)),
+		RunE:              protectAction,
+		ValidArgsFunction: protectBashComplete,
+	}
+	return protectCommand
+}
+
+func protectAction(_ *cobra.Command, args []string) error {
+	var errs []error
+	for _, instName := range args {
+		inst, err := store.Inspect(instName)
+		if err != nil {
+			errs = append(errs, fmt.Errorf("failed to inspect instance %q: %w", instName, err))
+			continue
+		}
+		if inst.Protected {
+			logrus.Warnf("Instance %q is already protected. Skipping.", instName)
+			continue
+		}
+		if err := inst.Protect(); err != nil {
+			errs = append(errs, fmt.Errorf("failed to protect instance %q: %w", instName, err))
+			continue
+		}
+		logrus.Infof("Protected %q", instName)
+	}
+	return errors.Join(errs...)
+}
+
+func protectBashComplete(cmd *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
+	return bashCompleteInstanceNames(cmd)
+}

cmd/limactl/unprotect.go

@@ -0,0 +1,46 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/lima-vm/lima/pkg/store"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+func newUnprotectCommand() *cobra.Command {
+	var unprotectCommand = &cobra.Command{
+		Use:               "unprotect INSTANCE [INSTANCE, ...]",
+		Short:             "Unprotect an instance",
+		Args:              WrapArgsError(cobra.MinimumNArgs(1)),
+		RunE:              unprotectAction,
+		ValidArgsFunction: unprotectBashComplete,
+	}
+	return unprotectCommand
+}
+
+func unprotectAction(_ *cobra.Command, args []string) error {
+	var errs []error
+	for _, instName := range args {
+		inst, err := store.Inspect(instName)
+		if err != nil {
+			errs = append(errs, fmt.Errorf("failed to inspect instance %q: %w", instName, err))
+			continue
+		}
+		if !inst.Protected {
+			logrus.Warnf("Instance %q isn't protected. Skipping.", instName)
+			continue
+		}
+		if err := inst.Unprotect(); err != nil {
+			errs = append(errs, fmt.Errorf("failed to unprotect instance %q: %w", instName, err))
+			continue
+		}
+		logrus.Infof("Unprotected %q", instName)
+	}
+	return errors.Join(errs...)
+}
+
+func unprotectBashComplete(cmd *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
+	return bashCompleteInstanceNames(cmd)
+}

pkg/store/filenames/filenames.go

@@ -56,6 +56,8 @@ const (
 
 	// SocketDir is the default location for forwarded sockets with a relative paths in HostSocket
 	SocketDir = "sock"
+
+	Protected = "protected" // empty file; used by `limactl protect`
 )
 
 // Filenames used under a disk directory

pkg/store/instance.go

@@ -55,6 +55,7 @@ type Instance struct {
 	Errors          []error            `json:"errors,omitempty"`
 	Config          *limayaml.LimaYAML `json:"config,omitempty"`
 	SSHAddress      string             `json:"sshAddress,omitempty"`
+	Protected       bool               `json:"protected"`
 }
 
 func (inst *Instance) LoadYAML() (*limayaml.LimaYAML, error) {
@@ -139,6 +140,11 @@ func Inspect(instName string) (*Instance, error) {
 		inst.Disk = 0
 	}
 
+	protected := filepath.Join(instDir, filenames.Protected)
+	if _, err := os.Lstat(protected); !errors.Is(err, os.ErrNotExist) {
+		inst.Protected = true
+	}
+
 	inspectStatus(instDir, inst, y)
 
 	tmpl, err := template.New("format").Parse(y.Message)
@@ -394,3 +400,27 @@ func PrintInstances(w io.Writer, instances []*Instance, format string, options *
 	}
 	return nil
 }
+
+// Protect protects the instance to prohibit accidental removal.
+// Protect does not return an error even when the instance is already protected.
+func (inst *Instance) Protect() error {
+	protected := filepath.Join(inst.Dir, filenames.Protected)
+	// TODO: Do an equivalent of `chmod +a "everyone deny delete,delete_child,file_inherit,directory_inherit"`
+	// https://github.com/lima-vm/lima/issues/1595
+	if err := os.WriteFile(protected, nil, 0400); err != nil {
+		return err
+	}
+	inst.Protected = true
+	return nil
+}
+
+// Unprotect unprotects the instance.
+// Unprotect does not return an error even when the instance is already unprotected.
+func (inst *Instance) Unprotect() error {
+	protected := filepath.Join(inst.Dir, filenames.Protected)
+	if err := os.RemoveAll(protected); err != nil {
+		return err
+	}
+	inst.Protected = false
+	return nil
+}

website/content/en/docs/dev/Internals/_index.md

@@ -31,6 +31,7 @@ An instance directory contains the following files:
 
 Metadata:
 - `lima.yaml`: the YAML
+- `protected`: empty file, used by `limactl protect`
 
 cloud-init:
 - `cidata.iso`: cloud-init ISO9660 image. See [`cidata.iso`](#cidataiso).