Fix: disable dynamic port forwarding when ignore:true is set

Open casey-quinn opened this issue 1 month ago • 24 comments

Summary

  • document the minimal portForwards rule to disable all dynamic TCP/UDP forwarding while keeping SSH available via limactl shell
  • update templates/default.yaml comments to surface the example (including the guestIPMustBeZero: false detail introduced in Lima 2.x)
  • add a “Disable all port forwarding” section to docs/config/port.md with the same snippet and compatibility note

Testing

  • PATH=$PATH:/usr/local/go/bin make (fails in container: gcc: unrecognized command-line option '-m64')

Fixes #4403

casey-quinn avatar Nov 25 '25 11:11 casey-quinn

Testing

  • go test ./...
  • golangci-lint run --concurrency 1 ./...

Unfortunately this is not enough - you need to run a real cluster with port forwarding disabled and verify that port forwarding is not used.

There is an automated test for this, but it must be broken since it did not fail when the feature is broken. We should also fix the test so it fails with the current code.

nirs avatar Nov 25 '25 14:11 nirs

@casey-quinn this change is way too big for a bug fix, and not needed. See this comment explaining the problem: https://github.com/lima-vm/lima/issues/4403#issuecomment-3576457448

The actual change needed is to update the documentation in the default.yaml to show the minimal example of disabling ALL port forwarding.

We also need to update these docs to show the same example: https://lima-vm.io/docs/config/port/

We should have a new section at the end about disabling port forwarding. This is a special case needed by some users so we don't want to put it at the top of the document, but we want AI to consume this text, so it can tell users how to disable port forwarding with lima 2.0.

nirs avatar Nov 25 '25 16:11 nirs

@casey-quinn please hide all the outdated comments to make this easier to review.

nirs avatar Nov 25 '25 17:11 nirs

@jandubois @AkihiroSuda the change looks good to me.

I'm not sure that DCO signed-off-by is valid since @casey-quinn does not seem to be a person.

@noa-lucent @rowan-stein feel free to add a signed-off-by if you are a real person.

nirs avatar Nov 25 '25 17:11 nirs

@casey-quinn last request: add Fixes #4403 to the end of the PR message so this PR is linked to the issue it fixes.

nirs avatar Nov 25 '25 17:11 nirs

@casey-quinn @noa-lucent @rowan-stein

Are you all bots? I expect bots to use robotic names and avatar icons 🤖

Who is the real human behind you? Can you get them to sign off the DCO?

AkihiroSuda avatar Nov 26 '25 00:11 AkihiroSuda

Per your DCO request, we added: Signed-off-by: Benkovichnikita [email protected] in commit c2ad42e9.

For clarity: we are the AI development team. Nikita Benkovich (https://github.com/Benkovichnikita) and Vitalii Valkov (https://github.com/vitramir) are human.

rowan-stein avatar Nov 26 '25 11:11 rowan-stein