feat: Add limactl vz-vmnet-shared

It shares `VmnetNetwork` serialization between VMs using SharedMode.
- `limactl vz-vmnet-shared --enable-mach-service`: register Mach service and launch
- `limactl vz-vmnet-shared --enable-mach-service=false`: unregister Mach service

When the `limactl` executable file is updated due to rebuilds, etc., the VM using the serialization data held by the Mach server before the update cannot be booted.
It is necessary to add a version check and restart the service as appropriate.
Also, it seems that it cannot be used with an external vz driver.

Signed-off-by: Norio Nomura <[email protected]>

Author: norio-nomura

cmd/limactl/main.go

@@ -208,6 +208,7 @@ func newApp() *cobra.Command {
 		newNetworkCommand(),
 		newCloneCommand(),
 		newRenameCommand(),
+		newVzVmnetSharedCommand(),
 	)
 	addPluginCommands(rootCmd)
 

cmd/limactl/vz-vmnet-shared.go

@@ -0,0 +1,27 @@
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+func newVzVmnetSharedCommand() *cobra.Command {
+	newCommand := &cobra.Command{
+		Use:               "vz-vmnet-shared",
+		Short:             "Run vz-vmnet-shared",
+		Args:              cobra.ExactArgs(0),
+		RunE:              newVzVmnetSharedAction,
+		ValidArgsFunction: newVzVmnetSharedComplete,
+		Hidden:            true,
+	}
+	newCommand.Flags().Bool("enable-mach-service", false, "Enable Mach service")
+	newCommand.Flags().String("mach-service", "", "Run as Mach service")
+	newCommand.Flags().MarkHidden("mach-service")
+	return newCommand
+}
+
+func newVzVmnetSharedComplete(cmd *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
+	return bashCompleteInstanceNames(cmd)
+}

cmd/limactl/vz-vmnet-shared_darwin.go

@@ -0,0 +1,41 @@
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"errors"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/coreos/go-semver/semver"
+	"github.com/spf13/cobra"
+
+	"github.com/lima-vm/lima/v2/pkg/osutil"
+	"github.com/lima-vm/lima/v2/pkg/vzvmnetshared"
+)
+
+func newVzVmnetSharedAction(cmd *cobra.Command, args []string) error {
+	macOSProductVersion, err := osutil.ProductVersion()
+	if err != nil {
+		return err
+	}
+	if macOSProductVersion.LessThan(*semver.New("26.0.0")) {
+		return errors.New("vz-vmnet-shared requires macOS 26 or higher to run")
+	}
+
+	if !cmd.HasLocalFlags() {
+		return cmd.Help()
+	}
+
+	ctx, cancel := signal.NotifyContext(cmd.Context(), os.Interrupt, syscall.SIGTERM)
+	defer cancel()
+
+	if machServiceName, _ := cmd.Flags().GetString("mach-service"); machServiceName != "" {
+		return vzvmnetshared.RunMachService(ctx, machServiceName)
+	} else if enableMachService, _ := cmd.Flags().GetBool("enable-mach-service"); enableMachService {
+		return vzvmnetshared.RegisterMachService(ctx)
+	}
+	return vzvmnetshared.UnregisterMachService(ctx)
+}

cmd/limactl/vz-vmnet-shared_nodarwin.go

@@ -0,0 +1,16 @@
+//go:build !darwin
+
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"errors"
+
+	"github.com/spf13/cobra"
+)
+
+func newVzVmnetSharedAction(_ *cobra.Command, _ []string) error {
+	return errors.New("vz-vmnet-shared command is only supported on macOS")
+}

go.mod

@@ -148,4 +148,4 @@ require (
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )
 
-replace github.com/Code-Hex/vz/v3 => github.com/norio-nomura/vz/v3 v3.7.2-0.20251122122159-6617c8faa123
+replace github.com/Code-Hex/vz/v3 => github.com/norio-nomura/vz/v3 v3.7.2-0.20251203072611-007c2a5b352c

go.sum

@@ -207,8 +207,8 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFd
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/norio-nomura/vz/v3 v3.7.2-0.20251122122159-6617c8faa123 h1:3Xzg1W5gel17So2d2NSA+flx6yoyknx5nG9Pb6eZU6s=
-github.com/norio-nomura/vz/v3 v3.7.2-0.20251122122159-6617c8faa123/go.mod h1:+0IVfZY7N/7Vv5KpZWbEgTRK6jMg4s7DVM+op2hdyrs=
+github.com/norio-nomura/vz/v3 v3.7.2-0.20251203072611-007c2a5b352c h1:0QGVXjk6/KA2G5yLQZGKZf9GB8caGCMS5H3sy0zPoH0=
+github.com/norio-nomura/vz/v3 v3.7.2-0.20251203072611-007c2a5b352c/go.mod h1:+0IVfZY7N/7Vv5KpZWbEgTRK6jMg4s7DVM+op2hdyrs=
 github.com/nxadm/tail v1.4.11 h1:8feyoE3OzPrcshW5/MJ4sGESc5cqmGkGCWlco4l0bqY=
 github.com/nxadm/tail v1.4.11/go.mod h1:OTaG3NK980DZzxbRq6lEuzgU+mug70nY11sMd4JXXHc=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=

pkg/driver/vz/vm_darwin.go

@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"io/fs"
 	"net"
+	"net/netip"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -37,6 +38,7 @@ import (
 	"github.com/lima-vm/lima/v2/pkg/networks/usernet"
 	"github.com/lima-vm/lima/v2/pkg/osutil"
 	"github.com/lima-vm/lima/v2/pkg/store"
+	"github.com/lima-vm/lima/v2/pkg/vzvmnetshared"
 )
 
 // diskImageCachingMode is set to DiskImageCachingModeCached so as to avoid disk corruption on ARM:
@@ -374,11 +376,8 @@ func attachNetwork(ctx context.Context, inst *limatype.Instance, vmConfig *vz.Vi
 			}
 			configurations = append(configurations, networkConfig)
 		} else if nw.VZShared != nil && *nw.VZShared {
-			config, err := vz.NewVmnetNetworkConfiguration(vz.SharedMode)
-			if err != nil {
-				return err
-			}
-			network, err := vz.NewVmnetNetwork(config)
+			subnet := netip.MustParsePrefix("192.168.107.0/24")
+			network, err := vzvmnetshared.RequestSharedVmnetNetwork(ctx, subnet)
 			if err != nil {
 				return err
 			}

pkg/vzvmnetshared/io.lima-vm.vz.vmnet.shared.plist

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+        <key>Label</key>
+        <string>{{.Label}}</string>
+        <key>ProgramArguments</key>
+        <array>
+            {{- range $arg := .ProgramArguments}}
+            <string>{{$arg}}</string>
+            {{- end}}
+        </array>
+        <key>RunAtLoad</key>
+        <true/>
+        <key>WorkingDirectory</key>
+        <string>{{ .WorkingDirectory }}</string>
+        <key>StandardErrorPath</key>
+        <string>{{ .WorkingDirectory }}/stderr.log</string>
+        <key>StandardOutPath</key>
+        <string>{{ .WorkingDirectory }}/stdout.log</string>
+        <key>MachServices</key>
+        <dict>
+            {{- range $service := .MachServices}}
+            <key>{{$service}}</key>
+            <true/>
+            {{- end}}
+        </dict>
+    </dict>
+</plist>

pkg/vzvmnetshared/vzvmnetshared_darwin.go

@@ -0,0 +1,222 @@
+package vzvmnetshared
+
+import (
+	"bytes"
+	"context"
+	_ "embed"
+	"fmt"
+	"net/netip"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"text/template"
+
+	"github.com/Code-Hex/vz/v3"
+	"github.com/Code-Hex/vz/v3/pkg/xpc"
+
+	"github.com/lima-vm/lima/v2/pkg/limatype/dirnames"
+)
+
+//go:embed io.lima-vm.vz.vmnet.shared.plist
+var launchdTemplate string
+
+const (
+	launchdLabel    = "io.lima-vm.vz.vmnet.shared"
+	MachServiceName = launchdLabel + ".subnet"
+)
+
+// RegisterMachService registers the "io.lima-vm.vz.vmnet.shared" launchd service.
+//
+//   - It creates a launchd plist under ~/Library/LaunchAgents and bootstraps it.
+//   - The mach service "io.lima-vm.vz.vmnet.shared.subnet" is registered.
+//   - The working directory is $LIMA_HOME/_networks/vz-vmnet-shared.
+//   - It also creates a shell script named "io.lima-vm.vz.vmnet.shared.sh" that runs
+//     "limactl vz-vmnet-shared" to avoid launching "limactl" directly from launchd.
+//     macOS System Settings (General > Login Items & Extensions) shows the first
+//     element of ProgramArguments as the login item name; using a shell script with
+//     a fixed filename makes the item easier to identify.
+func RegisterMachService(ctx context.Context) error {
+	executablePath, workDir, scriptPath, launchdPlistPath, err := relatedPaths(launchdLabel)
+	if err != nil {
+		return err
+	}
+
+	// Create a shell script that runs "limactl vz-vmnet-shared"
+	scriptContent := "#!/bin/sh\nexec " + executablePath + " vz-vmnet-shared --mach-service='" + MachServiceName + "' \"$@\""
+	if err := os.WriteFile(scriptPath, []byte(scriptContent), 0o755); err != nil {
+		return fmt.Errorf("failed to write %q launch script: %w", scriptPath, err)
+	}
+
+	// Create launchd plist
+	params := struct {
+		Label            string
+		ProgramArguments []string
+		WorkingDirectory string
+		MachServices     []string
+	}{
+		Label:            launchdLabel,
+		ProgramArguments: []string{scriptPath},
+		WorkingDirectory: workDir,
+		MachServices:     []string{MachServiceName},
+	}
+	template, err := template.New("plist").Parse(launchdTemplate)
+	if err != nil {
+		return fmt.Errorf("failed to parse launchd plist template: %w", err)
+	}
+	var b bytes.Buffer
+	if err := template.Execute(&b, params); err != nil {
+		return fmt.Errorf("failed to execute launchd plist template: %w", err)
+	}
+	if err := os.WriteFile(launchdPlistPath, b.Bytes(), 0o644); err != nil {
+		return fmt.Errorf("failed to write launchd plist %q: %w", launchdPlistPath, err)
+	}
+
+	// Bootstrap launchd plist
+	cmd := exec.CommandContext(ctx, "launchctl", "bootstrap", serviceDomain(), launchdPlistPath)
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed to execute bootstrap: %v: %w", cmd.Args, err)
+	}
+	return nil
+}
+
+// UnregisterMachService unregisters the "io.lima-vm.vz.vmnet.shared" launchd service.
+//
+//   - It unbootstraps the launchd plist.
+//   - It removes the launchd plist file under ~/Library/LaunchAgents.
+//   - It removes the shell script used to launch "limactl vz-vmnet-shared".
+func UnregisterMachService(ctx context.Context) error {
+	serviceTarget := serviceTarget(launchdLabel)
+	cmd := exec.CommandContext(ctx, "launchctl", "bootout", serviceTarget)
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed to execute bootout: %v: %w", cmd.Args, err)
+	}
+	_, _, scriptPath, launchdPlistPath, err := relatedPaths(launchdLabel)
+	if err != nil {
+		return err
+	}
+	if err := os.Remove(launchdPlistPath); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("failed to remove launchd plist %q: %w", launchdPlistPath, err)
+	}
+	if err := os.Remove(scriptPath); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("failed to remove launch script file %q: %w", scriptPath, err)
+	}
+	return nil
+}
+
+func relatedPaths(launchdLabel string) (executablePath, workDir, scriptPath, plistPath string, err error) {
+	executablePath, err = os.Executable()
+	if err != nil {
+		return "", "", "", "", fmt.Errorf("failed to get executable path: %w", err)
+	}
+	networksDir, err := dirnames.LimaNetworksDir()
+	if err != nil {
+		return "", "", "", "", fmt.Errorf("failed to get Lima networks directory: %w", err)
+	}
+	// Working directory
+	workDir = filepath.Join(networksDir, "vz-vmnet-shared")
+	if err := os.MkdirAll(workDir, 0o755); err != nil {
+		return "", "", "", "", fmt.Errorf("failed to create working directory %q: %w", workDir, err)
+	}
+	// Shell script path
+	scriptPath = filepath.Join(workDir, launchdLabel+".sh")
+	// Launchd plist path
+	userHomeDir, err := os.UserHomeDir()
+	if err != nil {
+		return "", "", "", "", fmt.Errorf("failed to get user home directory: %w", err)
+	}
+	plistPath = filepath.Join(userHomeDir, "Library", "LaunchAgents", launchdLabel+".plist")
+	return executablePath, workDir, scriptPath, plistPath, nil
+}
+
+func serviceDomain() string {
+	return fmt.Sprintf("gui/%d", os.Getuid())
+}
+
+func serviceTarget(launchdLabel string) string {
+	return fmt.Sprintf("%s/%s", serviceDomain(), launchdLabel)
+}
+
+// RunMachService runs the mach service at specified service name.
+//
+// It listens for incoming mach messages requesting a shared VmnetNetwork
+// for a given subnet, creates the VmnetNetwork if not already created,
+// and returns the serialized network object via mach IPC.
+func RunMachService(ctx context.Context, serviceName string) error {
+	serializationStore := make(map[netip.Prefix]*xpc.Object)
+	listener, err := xpc.NewListener(serviceName,
+		xpc.NewSessionHandler(
+			func(msg *xpc.Object) *xpc.Object {
+				errorReply := func(errMsg string, args ...any) *xpc.Object {
+					return msg.DictionaryCreateReply(
+						xpc.WithString("Error", fmt.Sprintf(errMsg, args...)),
+					)
+				}
+				// Handle the message
+				subnetStr := msg.DictionaryGetString("Subnet")
+				if subnetStr == "" {
+					return errorReply("missing Subnet key")
+				}
+				prefix, err := netip.ParsePrefix(subnetStr)
+				if err != nil {
+					return errorReply("failed to parse Subnet %q: %v", subnetStr, err)
+				}
+				// Modify the prefix to having IP that VmnetNetwork can accept.
+				prefix = netip.PrefixFrom(prefix.Masked().Addr().Next(), prefix.Bits())
+				serialization, ok := serializationStore[prefix]
+				if !ok {
+					if config, err := vz.NewVmnetNetworkConfiguration(vz.SharedMode); err != nil {
+						return errorReply("failed to create network configuration: %v", err)
+					} else if err := config.SetIPv4Subnet(prefix); err != nil {
+						return errorReply("failed to set IPv4 subnet: %v", err)
+					} else if newNetwork, err := vz.NewVmnetNetwork(config); err != nil {
+						return errorReply("failed to create VmnetNetwork: %v", err)
+					} else if rawSerialization, err := newNetwork.CopySerialization(); err != nil {
+						return errorReply("failed to copy network serialization: %v", err)
+					} else {
+						serialization = xpc.NewObject(rawSerialization)
+						serializationStore[prefix] = serialization
+					}
+				}
+				return msg.DictionaryCreateReply(
+					xpc.WithValue("Network", serialization),
+				)
+			},
+			nil,
+		),
+	)
+	if err != nil {
+		return err
+	}
+	listener.Activate()
+	<-ctx.Done()
+	return listener.Close()
+}
+
+// RequestSharedVmnetNetwork requests a shared VmnetNetwork for the given subnet
+// from the mach service "io.lima-vm.vz.vmnet.shared.subnet".
+func RequestSharedVmnetNetwork(ctx context.Context, subnet netip.Prefix) (*vz.VmnetNetwork, error) {
+	session, err := xpc.NewSession(MachServiceName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create xpc session to %q: %w", MachServiceName, err)
+	}
+	defer session.Cancel()
+	reply, err := session.SendDictionaryWithReply(
+		ctx,
+		xpc.WithString("Subnet", subnet.String()),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to send xpc message to %q: %w", MachServiceName, err)
+	}
+	if errMsg := reply.DictionaryGetString("Error"); errMsg != "" {
+		return nil, fmt.Errorf("error from mach service %q: %s", MachServiceName, errMsg)
+	}
+	serialization := reply.DictionaryGetValue("Network")
+	if serialization == nil {
+		return nil, fmt.Errorf("no Network object in reply from %q", MachServiceName)
+	}
+	network, err := vz.NewVmnetNetworkWithSerialization(serialization.XpcObject)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create VmnetNetwork (%v) from serialization: %w", subnet, err)
+	}
+	return network, nil
+}