Only allow Rootless runs of Podman Machine

Podman Machine crashes if run as root. When creating the machine, we write the ignition so that the UID of the core user matches the UID of the user on the host. We by default, create the root user on the machine with UID 0. If the user on the host is root, the core UID and the Root UID collide, causing a the VM not to boot.

[NO NEW TESTS NEEDED]

Signed-off-by: Ashley Cui <acui@redhat.com>

cmd/podman/machine/init.go

@@ -20,6 +20,7 @@ var (
 		Use:               "init [options] [NAME]",
 		Short:             "Initialize a virtual machine",
 		Long:              "initialize a virtual machine ",
+		PersistentPreRunE: rootlessOnly,
 		RunE:              initMachine,
 		Args:              cobra.MaximumNArgs(1),
 		Example:           `podman machine init myvm`,

cmd/podman/machine/inspect.go

@@ -20,6 +20,7 @@ var (
 		Use:               "inspect [options] [MACHINE...]",
 		Short:             "Inspect an existing machine",
 		Long:              "Provide details on a managed virtual machine",
+		PersistentPreRunE: rootlessOnly,
 		RunE:              inspect,
 		Example:           `podman machine inspect myvm`,
 		ValidArgsFunction: autocompleteMachine,

cmd/podman/machine/list.go

@@ -27,6 +27,7 @@ var (
 		Aliases:           []string{"ls"},
 		Short:             "List machines",
 		Long:              "List managed virtual machines.",
+		PersistentPreRunE: rootlessOnly,
 		RunE:              list,
 		Args:              validate.NoArgs,
 		ValidArgsFunction: completion.AutocompleteNone,

cmd/podman/machine/machine.go

@@ -5,6 +5,7 @@ package machine
 
 import (
 	"errors"
+	"fmt"
 	"net"
 	"os"
 	"path/filepath"
@@ -17,6 +18,7 @@ import (
 	"github.com/containers/podman/v4/cmd/podman/validate"
 	"github.com/containers/podman/v4/libpod/events"
 	"github.com/containers/podman/v4/pkg/machine"
+	"github.com/containers/podman/v4/pkg/rootless"
 	"github.com/containers/podman/v4/pkg/util"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -162,3 +164,10 @@ func closeMachineEvents(cmd *cobra.Command, _ []string) error {
 	}
 	return nil
 }
+
+func rootlessOnly(cmd *cobra.Command, args []string) error {
+	if !rootless.IsRootless() {
+		return fmt.Errorf("cannot run command %q as root", cmd.CommandPath())
+	}
+	return nil
+}

cmd/podman/machine/rm.go

@@ -20,6 +20,7 @@ var (
 		Use:               "rm [options] [MACHINE]",
 		Short:             "Remove an existing machine",
 		Long:              "Remove a managed virtual machine ",
+		PersistentPreRunE: rootlessOnly,
 		RunE:              rm,
 		Args:              cobra.MaximumNArgs(1),
 		Example:           `podman machine rm myvm`,

cmd/podman/machine/set.go

@@ -18,6 +18,7 @@ var (
 		Use:               "set [options] [NAME]",
 		Short:             "Sets a virtual machine setting",
 		Long:              "Sets an updatable virtual machine setting",
+		PersistentPreRunE: rootlessOnly,
 		RunE:              setMachine,
 		Args:              cobra.MaximumNArgs(1),
 		Example:           `podman machine set --rootful=false`,

cmd/podman/machine/ssh.go

@@ -20,6 +20,7 @@ var (
 		Use:               "ssh [options] [NAME] [COMMAND [ARG ...]]",
 		Short:             "SSH into an existing machine",
 		Long:              "SSH into a managed virtual machine ",
+		PersistentPreRunE: rootlessOnly,
 		RunE:              ssh,
 		Example: `podman machine ssh myvm
   podman machine ssh myvm echo hello`,

cmd/podman/machine/start.go

@@ -18,6 +18,7 @@ var (
 		Use:               "start [MACHINE]",
 		Short:             "Start an existing machine",
 		Long:              "Start a managed virtual machine ",
+		PersistentPreRunE: rootlessOnly,
 		RunE:              start,
 		Args:              cobra.MaximumNArgs(1),
 		Example:           `podman machine start myvm`,

cmd/podman/machine/stop.go

@@ -17,6 +17,7 @@ var (
 		Use:               "stop [MACHINE]",
 		Short:             "Stop an existing machine",
 		Long:              "Stop a managed virtual machine ",
+		PersistentPreRunE: rootlessOnly,
 		RunE:              stop,
 		Args:              cobra.MaximumNArgs(1),
 		Example:           `podman machine stop myvm`,

docs/source/markdown/podman-machine-init.1.md

@@ -10,9 +10,12 @@ podman\-machine\-init - Initialize a new virtual machine
 
 Initialize a new virtual machine for Podman.
 
-Podman on macOS requires a virtual machine. This is because containers are Linux -
+Rootless only.
+
+Podman on MacOS and Windows requires a virtual machine. This is because containers are Linux -
 containers do not run on any other OS because containers' core functionality are
-tied to the Linux kernel.
+tied to the Linux kernel. Podman machine must be used to manage MacOS and Windows machines,
+but can be optionally used on Linux.
 
 **podman machine init** initializes a new Linux virtual machine where containers are run.
 SSH keys are automatically generated to access the VM, and system connections to the root account

docs/source/markdown/podman-machine-inspect.1.md

@@ -13,6 +13,8 @@ Inspect one or more virtual machines
 Obtain greater detail about Podman virtual machines.  More than one virtual machine can be
 inspected at once.
 
+Rootless only.
+
 ## OPTIONS
 #### **--format**
 

docs/source/markdown/podman-machine-list.1.md

@@ -12,9 +12,12 @@ podman\-machine\-list - List virtual machines
 
 List Podman managed virtual machines.
 
-Podman on macOS requires a virtual machine. This is because containers are Linux -
+Podman on MacOS and Windows requires a virtual machine. This is because containers are Linux -
-containers do not run on any other OS because containers' core functionality is
+containers do not run on any other OS because containers' core functionality are
-tied to the Linux kernel.
+tied to the Linux kernel. Podman machine must be used to manage MacOS and Windows machines,
+but can be optionally used on Linux.
+
+Rootless only.
 
 ## OPTIONS
 

docs/source/markdown/podman-machine-rm.1.md

@@ -16,6 +16,7 @@ generated for that VM are also removed as is its image file on the filesystem.
 Users get a display of what will be deleted and are required to confirm unless the option `--force`
 is used.
 
+Rootless only.
 
 ## OPTIONS
 

docs/source/markdown/podman-machine-set.1.md

@@ -10,6 +10,8 @@ podman\-machine\-set - Sets a virtual machine setting
 
 Change a machine setting.
 
+Rootless only.
+
 ## OPTIONS
 
 #### **--cpus**=*number*

docs/source/markdown/podman-machine-ssh.1.md

@@ -16,6 +16,8 @@ with the virtual machine is established.
 
 The exit code from ssh command will be forwarded to the podman machine ssh caller, see [Exit Codes](#Exit-Codes).
 
+Rootless only.
+
 ## OPTIONS
 
 #### **--help**

docs/source/markdown/podman-machine-start.1.md

@@ -10,9 +10,12 @@ podman\-machine\-start - Start a virtual machine
 
 Starts a virtual machine for Podman.
 
-Podman on macOS requires a virtual machine. This is because containers are Linux -
+Rootless only.
+
+Podman on MacOS and Windows requires a virtual machine. This is because containers are Linux -
 containers do not run on any other OS because containers' core functionality are
-tied to the Linux kernel.
+tied to the Linux kernel. Podman machine must be used to manage MacOS and Windows machines,
+but can be optionally used on Linux.
 
 Only one Podman managed VM can be active at a time. If a VM is already running,
 `podman machine start` will return an error.

docs/source/markdown/podman-machine-stop.1.md

@@ -10,9 +10,12 @@ podman\-machine\-stop - Stop a virtual machine
 
 Stops a virtual machine.
 
-Podman on macOS requires a virtual machine. This is because containers are Linux -
+Rootless only.
+
+Podman on MacOS and Windows requires a virtual machine. This is because containers are Linux -
 containers do not run on any other OS because containers' core functionality are
-tied to the Linux kernel.
+tied to the Linux kernel. Podman machine must be used to manage MacOS and Windows machines,
+but can be optionally used on Linux.
 
 **podman machine stop** stops a Linux virtual machine where containers are run.
 

docs/source/markdown/podman-machine.1.md

@@ -7,7 +7,14 @@ podman\-machine - Manage Podman's virtual machine
 **podman machine** *subcommand*
 
 ## DESCRIPTION
-`podman machine` is a set of subcommands that manage Podman's virtual machine on macOS.
+`podman machine` is a set of subcommands that manage Podman's virtual machine.
+
+Podman on MacOS and Windows requires a virtual machine. This is because containers are Linux -
+containers do not run on any other OS because containers' core functionality are
+tied to the Linux kernel. Podman machine must be used to manage MacOS and Windows machines,
+but can be optionally used on Linux.
+
+All `podman machine` commands are rootless only.
 
 ## SUBCOMMANDS
 

test/e2e/system_reset_test.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/containers/podman/v4/pkg/rootless"
 	. "github.com/containers/podman/v4/test/utils"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@@ -92,9 +93,12 @@ var _ = Describe("podman system reset", func() {
 
 		// TODO: machine tests currently don't run outside of the machine test pkg
 		// no machines are created here to cleanup
+		// machine commands are rootless only
+		if rootless.IsRootless() {
 			session = podmanTest.Podman([]string{"machine", "list", "-q"})
 			session.WaitWithDefaultTimeout()
 			Expect(session).Should(Exit(0))
 			Expect(session.OutputToStringArray()).To(BeEmpty())
+		}
 	})
 })