prevent starting/stopping legacy Hyper-v machines when not elevated

Podman 5.x and earlier required to run as admin to work with Hyper-v. Starting from Podman 6 this is not mandatory anymore as Registry entries are handled differently. However, it may happen the user have a legacy machine running when switching to Podman 6 or starts an old machine in elevated mode and then tries to stop it as a normal user with Podman 6. If that happens the system will end up in a corrupted state as the gvproxy process will not be stopped. To prevent such scenario and issues, this commit maintains the original behavior Podman 5.x has. Legacy Hyper-v machines needs to be handled with elevated rights. Signed-off-by: lstocchi <lstocchi@redhat.com>
2026-03-13 08:01:19 +08:00 · 2026-01-07 12:42:55 +01:00
parent 740ddd9fdc
commit d2ea5a3fd0
2 changed files with 23 additions and 1 deletions
--- a/pkg/machine/hyperv/hutil.go
+++ b/pkg/machine/hyperv/hutil.go
@@ -15,6 +15,7 @@ var (
 	ErrHypervRegistryInitRequiresElevation   = errors.New("the first time Podman initializes a Hyper-V machine, it requires admin rights. Please run Podman as an administrator")
 	ErrHypervRegistryRemoveRequiresElevation = errors.New("removing this Hyper-V machine requires admin rights to clean up the Windows Registry. Please run Podman as an administrator")
 	ErrHypervRegistryUpdateRequiresElevation = errors.New("this machine's configuration requires additional Hyper-V networking (hvsock) entries in the Windows Registry. Please run Podman as an administrator")
+	ErrHypervLegacyMachineRequiresElevation  = errors.New("starting or stopping Hyper-V machines created with Podman 5.x or earlier requires admin rights. Please run Podman as an administrator")
 )

 func HasHyperVAdminRights() bool {
--- a/pkg/machine/hyperv/stubber.go
+++ b/pkg/machine/hyperv/stubber.go
@@ -265,6 +265,21 @@ func (h HyperVStubber) canRemove(mc *vmconfigs.MachineConfig) error {
 	return ErrHypervRegistryRemoveRequiresElevation
 }

+// canStartOrStop checks if the machine can be started or stopped.
+// Legacy machines require admin rights to start or stop.
+func (h HyperVStubber) canStartOrStop(mc *vmconfigs.MachineConfig) error {
+	if windows.HasAdminRights() {
+		return nil
+	}
+
+	// if machine is legacy (machineName field), require admin rights to start or stop
+	if isLegacyMachine(mc) {
+		return ErrHypervLegacyMachineRequiresElevation
+	}
+
+	return nil
+}
+
 // countMachinesWithToolname counts only machines that have a toolname field with value "podman".
 func (h HyperVStubber) countMachinesWithToolname() (int, error) {
 	dirs, err := env.GetMachineDirs(h.VMType())
@@ -345,7 +360,9 @@ func (h HyperVStubber) StartNetworking(mc *vmconfigs.MachineConfig, cmd *gvproxy
 }

 func (h HyperVStubber) StartVM(mc *vmconfigs.MachineConfig) (func() error, func() error, error) {
-	var err error
+	if err := h.canStartOrStop(mc); err != nil {
+		return nil, nil, err
+	}

 	_, vm, err := GetVMFromMC(mc)
 	if err != nil {
@@ -412,6 +429,10 @@ func (h HyperVStubber) State(mc *vmconfigs.MachineConfig, _ bool) (define.Status
 }

 func (h HyperVStubber) StopVM(mc *vmconfigs.MachineConfig, hardStop bool) error {
+	if err := h.canStartOrStop(mc); err != nil {
+		return err
+	}
+
 	vmm := hypervctl.NewVirtualMachineManager()
 	vm, err := vmm.GetMachine(mc.Name)
 	if err != nil {