Hyper-V Administrators should not require admin

Open bismip opened this issue 1 year ago • 5 comments

Issue Description

Podman checks for admin permissions when running with Hyper-V on Windows. Members of the group Hyper-V Administrators should be able to manage VMs without admin permissions.

Steps to reproduce the issue

Run podman machine init without admin privileges.

Describe the results you received

Error about missing permissions.

Describe the results you expected

It should work.

podman info output

OS: windows/amd64
provider: hyperv
version: 5.1.2

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

No

Additional environment details

Windows 11

Additional information

No response

bismip, Aug 12 '24 10:08

hyperv does not technically require admin but the use of the registry keys to create the vsock does.

baude, Aug 12 '24 12:08

would people rather have a priv elevation for podman machine init?

baude, Aug 12 '24 12:08

> hyperv does not technically require admin but the use of the registry keys to create the vsock does.

It should still work for members of Hyper-V Administrators, depending on how podman does it. I'll have a look at the code later.

> would people rather have a priv elevation for podman machine init?

If admin is a requirement, this is probably the preferred way in restricted enterprise environments.

bismip, Aug 12 '24 13:08

> It should still work for members of Hyper-V Administrators, depending on how podman does it. I'll have a look at the code later.

When I tested this last time, this was not true. The hvsock registry entries required admin.

baude, Aug 12 '24 18:08

A friendly reminder that this issue had no activity for 30 days.

github-actions[bot], Sep 12 '24 00:09

Throwing my .02 in here.

I use Multipass and it does a similar setup to Podman and does not need admin to run, but uses a 'daemon' to do the admin required stuff. Not sure if this helps, but seems Podman for Windows could do similar.

For WSL, seems odd you'd need admin as well, do you?

jfmatth, Oct 18 '24 14:10

Now that https://github.com/containers/podman/pull/26277 has been merged, the first machine init needs to be run in an admin terminal, but subsequent machine init runs don't need it, nor do other machine commands such as start, stop, ls... Belonging to the Hyper-V Administrators group is the only prerequisite.

The first machine init needs to be run in an admin terminal because we need to write to the Windows registry (HKLM) to create the Hyper-V sockets (that's required for host/guest communications).

l0rd, Nov 27 '25 10:11
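
The split described in this thread (Hyper-V Administrators membership for day-to-day machine commands, an elevated token only for the HKLM write) can be checked before running `podman machine init`. The following preflight is an added example, not part of the thread and not Podman's code. The registry subkey is an assumption (the Windows location where Hyper-V socket services are registered; the thread does not quote a path), and the function name is hypothetical.

```powershell
# Added example (not Podman's code): report what the current token can do
# before running "podman machine init" with the Hyper-V provider.

# Assumption: Hyper-V socket services are registered under this HKLM subkey;
# the thread only says "registry HKLM" and does not quote a path.
$gcsSubKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\GuestCommunicationServices'

function Test-HyperVSocketPreflight {   # hypothetical helper name
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)

    # Well-known SID of BUILTIN\Hyper-V Administrators (locale-independent).
    $hvAdminsSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-578')
    $inHvAdmins  = $principal.IsInRole($hvAdminsSid)

    # True only when the token carries an enabled Administrators group,
    # i.e. the shell was started elevated.
    $elevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Effective-access probe: open the key for writing without changing it.
    # Registry64 avoids WOW64 redirection when run from a 32-bit host.
    $canWrite = $false
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    try {
        $key = $hklm.OpenSubKey($gcsSubKey, $true)   # $null if the key is absent
        if ($null -ne $key) { $canWrite = $true; $key.Dispose() }
    } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        $canWrite = $false                            # access denied for this token
    } finally {
        $hklm.Dispose()
    }

    [pscustomobject]@{
        User                 = $identity.Name
        Elevated             = $elevated
        HyperVAdministrators = $inHvAdmins
        CanWriteHvSocketKey  = $canWrite
    }
}

Test-HyperVSocketPreflight | Format-List
```

A result with `HyperVAdministrators` true but `Elevated` and `CanWriteHvSocketKey` false matches the non-admin case discussed above. Group membership added during the current logon session does not appear in the token until the user signs in again.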