Build vpnkit and hyperkit from source, remove Docker Desktop dependency to build, and add --allow-vm-login flag

BUILD.md

@@ -76,9 +76,16 @@ poetry install
 
 Install [Homebrew](https://brew.sh/) dependencies:
 
-```
+```sh
 brew install vagrant create-dmg
-brew install wget opam pkg-config
+brew install wget pkg-config opam dune ocaml
+```
+
+Install opam dependencies:
+
+```
+opam init -y
+opam install -y alcotest astring base64 bigarray-compat charrua-client-mirage charrua-core cmdliner cohttp-lwt cstruct cstruct-lwt datakit-server datakit-server-9p duration ezjsonm fd-send-recv fmt hvsock io-page io-page-unix ipaddr logs lwt lwt-dllist mirage-channel mirage-channel-lwt mirage-clock-lwt mirage-clock-unix mirage-flow-lwt mirage-kv-lwt mirage-profile mirage-protocols-lwt mirage-random mirage-stack-lwt mirage-time-lwt mirage-vnetif oUnit pcap-format ppx_cstruct ppx_sexp_conv protocol-9p re rresult sexplib sha tar tcpip uri uuidm uwt
 ```
 
 Run this to compile hyperkit and vpnkit, and build a custom Alpine Linux ISO for Dangerzone, and copy it into the `share` folder:

dangerzone/gui/__init__.py

@@ -51,7 +51,8 @@ class ApplicationWrapper(QtCore.QObject):
 
 @click.command()
 @click.argument("filename", required=False)
-def gui_main(filename):
+@click.option("--allow-vm-login", is_flag=True, help="Allow logging into the VM as root to troubleshoot")
+def gui_main(filename, allow_vm_login):
     if platform.system() == "Darwin":
         # Required for macOS Big Sur: https://stackoverflow.com/a/64878899
         os.environ["QT_MAC_WANTS_LAYER"] = "1"
@@ -98,7 +99,7 @@ def gui_main(filename):
 
     # The dangerzone VM (Mac-only)
     if platform.system() == "Darwin":
-        vm = Vm(global_common)
+        vm = Vm(global_common, allow_vm_login)
         global_common.vm = vm
     else:
         vm = None

dangerzone/gui/vm.py

@@ -22,9 +22,10 @@ class Vm(QtCore.QObject):
 
     vm_state_change = QtCore.Signal(int)
 
-    def __init__(self, global_common):
+    def __init__(self, global_common, allow_vm_login):
         super(Vm, self).__init__()
         self.global_common = global_common
+        self.allow_vm_login = allow_vm_login
 
         # VM starts off
         self.state = self.STATE_OFF
@@ -144,9 +145,9 @@ class Vm(QtCore.QObject):
             stderr=self.devnull,
         )
         with open(self.ssh_client_key_path) as f:
-            ssh_client_key = f.read()
+            self.ssh_client_key = f.read()
         with open(self.ssh_client_pubkey_path) as f:
-            ssh_client_pubkey = f.read()
+            self.ssh_client_pubkey = f.read()
 
         # Start an sshd service on this port
         args = [
@@ -192,8 +193,8 @@ class Vm(QtCore.QObject):
         # Create a JSON object to pass into the VM
         # This is a 512kb file that starts with a JSON object, followed by null bytes
         guest_vm_info = {
-            "id_ed25519": ssh_client_key,
-            "id_ed25519.pub": ssh_client_pubkey,
+            "id_ed25519": self.ssh_client_key,
+            "id_ed25519.pub": self.ssh_client_pubkey,
             "user": getpass.getuser(),
             "ip": "192.168.65.2",
             "port": self.sshd_port,
@@ -261,13 +262,14 @@ class Vm(QtCore.QObject):
         args_str = " ".join(pipes.quote(s) for s in args)
         print("> " + args_str)
 
-        # Start the VM with the ability to login
-        # self.hyperkit_p = subprocess.Popen(args)
-
-        # Start the VM without ability to login
-        self.hyperkit_p = subprocess.Popen(
-            args, stdout=self.devnull, stderr=self.devnull, stdin=self.devnull
-        )
+        if self.allow_vm_login:
+            # Start the VM with the ability to login
+            self.hyperkit_p = subprocess.Popen(args)
+        else:
+            # Start the VM without ability to login
+            self.hyperkit_p = subprocess.Popen(
+                args, stdout=self.devnull, stderr=self.devnull, stdin=self.devnull
+            )
 
         # Wait for SSH thread
         self.wait_t = WaitForSsh(self.sshd_tunnel_port)

install/macos/make-vm.sh

@@ -7,14 +7,13 @@ cd ../..
 
 # Compile vpnkit
 cd vendor/vpnkit/
-unset OPAMROOT
-make || { echo 'Failed to compile vpnkit' ; exit 1; }
+make -f Makefile.darwin || { echo 'Failed to compile vpnkit' ; exit 1; }
 cd ../..
 
 # Copy binaries to share
 mkdir -p share/bin
 cp vendor/hyperkit/build/hyperkit share/bin/hyperkit
-cp vendor/vpnkit/build/vpnkit share/bin/vpnkit
+cp vendor/vpnkit/_build/install/default/bin/vpnkit share/bin/vpnkit
 
 # Build ISO
 cd vm-builder

vendor/vpnkit

@@ -1 +1 @@
-Subproject commit 7f0eff0dd99b576c5474de53b4454a157c642834
+Subproject commit 16ed722e6dc24307e99aee931ffd0eb80a9487d0

vm-builder/Vagrantfile

@@ -16,4 +16,10 @@ Vagrant.configure("2") do |config|
     echo "%abuild ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/abuild
     sudo -u user abuild-keygen -i -a -n
   SHELL
+
+  # Workaround VirtualBox bug in macOS Monterey
+  # https://github.com/hashicorp/vagrant/issues/12557#issuecomment-952026455
+  config.vm.provider "virtualbox" do |v|
+    v.gui = true
+  end
 end