@norio-nomura norio-nomura commented Sep 6, 2025

Description:

Since systemd v256 (Ubuntu 24.10), SSH is bound to AF_VSOCK port 22.

https://github.com/systemd/systemd/releases/tag/v256

  • If the system is run in a VM providing AF_VSOCK support, it automatically
    binds sshd to AF_VSOCK port 22.

https://discourse.ubuntu.com/t/oracular-oriole-release-notes/44878

  • When sshd is installed on a system, a new systemd generator, systemd-ssh-generator
    binds a socket-activated SSH server to local AF_VSOCK and AF_UNIX sockets under certain conditions.

This PR delays starting SSH port forwarding until the SSH server on the VM becomes ready. If AF_VSOCK port 22 can be connected, it starts a local SSH port as a proxy for AF_VSOCK port 22, instead of starting gvisor's port forwarder.

SSH over VSOCK is faster than SSH over gvisor's port forwarder.

This change is opt-out because it requires VZ and a VM with systemd v256+;
setting LIMA_SSH_OVER_VSOCK=true does not mean it works.
To disable, set LIMA_SSH_OVER_VSOCK=false.

Benchmark logs:

On MacBook Pro 14 inch, 2023 with Apple M2 Pro

SETUP:

$ sw_vers
ProductName:		macOS
ProductVersion:		15.7
BuildVersion:		24G219
$ limactl start template://ubuntu-24.10 --rosetta --containerd=none --log-level error
<snip>
$ limactl shell ubuntu-24.10 sudo apt-get -U install -y iperf3 -qqq
<snip>

GRPC Port Forwarder (Current):

$ limactl shell ubuntu-24.10 iperf3 -s
WARN[0000] Both top-level 'rosetta' and 'vmOpts.vz.rosetta' are configured. Using vmOpts.vz.rosetta. Top-level 'rosetta' is deprecated. 
-----------------------------------------------------------
Server listening on 5201 (test #1)
-----------------------------------------------------------
Accepted connection from ::1, port 53668
[  5] local ::1 port 5201 connected to ::1 port 53672
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   354 MBytes  2.97 Gbits/sec                  
[  5]   1.00-2.00   sec   359 MBytes  3.01 Gbits/sec                  
[  5]   2.00-3.00   sec   354 MBytes  2.97 Gbits/sec                  
[  5]   3.00-4.00   sec   354 MBytes  2.97 Gbits/sec                  
[  5]   4.00-5.00   sec   357 MBytes  3.00 Gbits/sec                  
[  5]   5.00-6.00   sec   354 MBytes  2.97 Gbits/sec                  
[  5]   6.00-7.00   sec   355 MBytes  2.98 Gbits/sec                  
[  5]   7.00-8.00   sec   355 MBytes  2.98 Gbits/sec                  
[  5]   8.00-9.00   sec   355 MBytes  2.98 Gbits/sec                  
[  5]   9.00-9.98   sec   352 MBytes  3.01 Gbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-9.98   sec  3.47 GBytes  2.98 Gbits/sec                  receiver
-----------------------------------------------------------
Server listening on 5201 (test #2)
-----------------------------------------------------------
^Ciperf3: interrupt - the server has terminated

SSH Port Forwarder on gvisor's virtual network (Old):

$ LIMA_SSH_PORT_FORWARDER=true LIMA_SSH_OVER_VSOCK=false limactl restart ubuntu-24.10 --log-level error
$ limactl shell ubuntu-24.10 iperf3 -s
WARN[0000] Both top-level 'rosetta' and 'vmOpts.vz.rosetta' are configured. Using vmOpts.vz.rosetta. Top-level 'rosetta' is deprecated. 
-----------------------------------------------------------
Server listening on 5201 (test #1)
-----------------------------------------------------------
Accepted connection from ::1, port 43814
[  5] local ::1 port 5201 connected to ::1 port 43824
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   277 MBytes  2.32 Gbits/sec                  
[  5]   1.00-2.00   sec   280 MBytes  2.35 Gbits/sec                  
[  5]   2.00-3.00   sec   278 MBytes  2.34 Gbits/sec                  
[  5]   3.00-4.00   sec   279 MBytes  2.34 Gbits/sec                  
[  5]   4.00-5.00   sec   279 MBytes  2.34 Gbits/sec                  
[  5]   5.00-6.00   sec   279 MBytes  2.34 Gbits/sec                  
[  5]   6.00-7.00   sec   281 MBytes  2.36 Gbits/sec                  
[  5]   7.00-8.00   sec   280 MBytes  2.35 Gbits/sec                  
[  5]   8.00-9.00   sec   281 MBytes  2.36 Gbits/sec                  
[  5]   9.00-10.00  sec   279 MBytes  2.34 Gbits/sec                  
[  5]  10.00-10.03  sec  9.00 MBytes  2.34 Gbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.03  sec  2.74 GBytes  2.34 Gbits/sec                  receiver
-----------------------------------------------------------
Server listening on 5201 (test #2)
-----------------------------------------------------------
^Ciperf3: interrupt - the server has terminated

SSH Port Forwarder over AF_VSOCK (New):

$ LIMA_SSH_PORT_FORWARDER=true limactl restart ubuntu-24.10 --log-level error
$ limactl shell ubuntu-24.10 iperf3 -s
WARN[0000] Both top-level 'rosetta' and 'vmOpts.vz.rosetta' are configured. Using vmOpts.vz.rosetta. Top-level 'rosetta' is deprecated. 
-----------------------------------------------------------
Server listening on 5201 (test #1)
-----------------------------------------------------------
Accepted connection from ::1, port 57942
[  5] local ::1 port 5201 connected to ::1 port 57948
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec   422 MBytes  3.54 Gbits/sec                  
[  5]   1.00-2.00   sec   425 MBytes  3.57 Gbits/sec                  
[  5]   2.00-3.00   sec   427 MBytes  3.58 Gbits/sec                  
[  5]   3.00-4.00   sec   426 MBytes  3.58 Gbits/sec                  
[  5]   4.00-5.00   sec   426 MBytes  3.58 Gbits/sec                  
[  5]   5.00-6.00   sec   428 MBytes  3.59 Gbits/sec                  
[  5]   6.00-7.00   sec   426 MBytes  3.58 Gbits/sec                  
[  5]   7.00-8.00   sec   428 MBytes  3.59 Gbits/sec                  
[  5]   8.00-9.00   sec   425 MBytes  3.57 Gbits/sec                  
[  5]   9.00-10.00  sec   425 MBytes  3.57 Gbits/sec                  
[  5]  10.00-10.00  sec  1.62 MBytes  3.83 Gbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.00  sec  4.16 GBytes  3.57 Gbits/sec                  receiver
-----------------------------------------------------------
Server listening on 5201 (test #2)
-----------------------------------------------------------
^Ciperf3: interrupt - the server has terminated

@AkihiroSuda AkihiroSuda added this to the v2.0.0 milestone Sep 6, 2025

```go
if err != nil {
	return err
}
logrus.Infof("started vsock forwarder: localhost:%d -> vsock:%d on VM", hostPort, vsockPort)
```

Member

Can be another PR, but wondering if we can further optimize the performance with (an equivalent of) systemd-ssh-proxy — SSH client plugin for connecting to AF_VSOCK and AF_UNIX sockets
https://www.freedesktop.org/software/systemd/man/256/systemd-ssh-proxy.html

Contributor Author

I don't understand the meaning of the comment.

Member

I thought it might be possible to eliminate the TCP->vsock forwarder and let ssh directly connect to the vsock.

Contributor Author

VM's VSOCK should not be open to the host unless the process that is starting the VM is mediated. As this PR is doing.

@norio-nomura norio-nomura force-pushed the ssh-over-vsock-on-vz branch 2 times, most recently from 4ea3d0f to a549d55 Compare September 6, 2025 12:42
@norio-nomura
Contributor Author

On Ubuntu 24.04 and earlier, SSH over AF_VSOCK can be enabled with:

```yaml
provision:
- mode: yq
  path: /etc/systemd/system/ssh.socket.d/vsock.conf
  format: ini
  expression: |
    .Socket.ListenStream="vsock::22"
```

and upgraded SSH tracked at "sshd socket activation does not support AF_VSOCK"

@norio-nomura
Contributor Author

norio-nomura commented Sep 7, 2025

How to enable SSH over AF_VSOCK on Ubuntu 20.04, 22.04, and 24.04

Ubuntu 20.04, 22.04:

Since the patched version of SSH has already been released, it requires:

  • Add ListenStream="vsock::22" to ssh.socket configuration
  • Change ssh.service to use socket-based activation

```console
$ limactl start template://ubuntu-20.04 --rosetta --containerd=none --set '.provision|=.//empty + [{
  "mode": "yq",
  "format": "ini",
  "path": "/etc/systemd/system/ssh.socket.d/vsock.conf",
  "expression": ".Socket.ListenStream=\"vsock::22\""
}, {
  "mode": "system",
  "script": ("#!/bin/bash
set -eux -o pipefail
systemctl is-enabled ssh.service || exit 0
# use socket based activation
systemctl disable --now ssh.service
systemctl enable --now ssh.socket
"|. style="literal")
}]'
$ limactl restart ubuntu-20.04 2>&1 |grep -i vsock
time="2025-09-07T17:01:40+09:00" level=info msg="[hostagent] started vsock forwarder: localhost:59291 -> vsock:22 on VM"
time="2025-09-07T17:01:40+09:00" level=info msg="[hostagent] Detected SSH server is listening on the vsock port; changed localhost:59291 to proxy for the vsock port"
```

Ubuntu 24.04:

Since the patched version of SSH is not yet released (2025/09/07), it requires installing the proposed version.
The patched version of SSH has been released (2025/09/09), update openssh-server to latest release.

  • Add ListenStream="vsock::22" to the ssh.socket configuration.
  • Install the proposed version of SSH. Update openssh-server to patched version (1:9.6p1-3ubuntu13.14)
  • Already, SSH has been changed to default socket-based activation.

```console
$ limactl start template://ubuntu-24.04 --rosetta --containerd=none --set '.provision|=.//empty + [{
  "mode": "yq",
  "format": "ini",
  "path": "/etc/systemd/system/ssh.socket.d/vsock.conf",
  "expression": ".Socket.ListenStream=\"vsock::22\""
}, {
  "mode": "system",
  "script": ("#!/bin/bash
ss -l --vsock|grep \*:22 -q && exit 0
apt-get --update install --assume-yes openssh-server
"|. style="literal")
}]'
$ limactl restart ubuntu-24.04 2>&1 |grep -i vsock
time="2025-09-07T17:01:56+09:00" level=info msg="[hostagent] started vsock forwarder: localhost:59299 -> vsock:22 on VM"
time="2025-09-07T17:01:56+09:00" level=info msg="[hostagent] Detected SSH server is listening on the vsock port; changed localhost:59299 to proxy for the vsock port"
```

Edit: The patched version of openssh-server has been released on Ubuntu 24.04

@norio-nomura norio-nomura force-pushed the ssh-over-vsock-on-vz branch 2 times, most recently from 2d98aa5 to 5161063 Compare September 8, 2025 07:45
@norio-nomura
Contributor Author

I'm considering another PR for the port forwarder implementation to VSOCK, which can be defined in lima.yaml, but I'm not sure if it's better to mix the rules with .portForwards[]. 🤔

@norio-nomura norio-nomura force-pushed the ssh-over-vsock-on-vz branch 2 times, most recently from e3bc0bd to 9238459 Compare September 9, 2025 09:49
@norio-nomura
Contributor Author

> Ubuntu 24.04:
>
> Since the patched version of SSH is not yet released (2025/09/07), it requires installing the proposed version.

The patched version of SSH has been released (2025/09/09), update openssh-server to latest release.

@norio-nomura norio-nomura marked this pull request as draft September 10, 2025 03:56
@norio-nomura
Contributor Author

To support custom usernet, I will move WaitOpeningSSHPort logic to the server side.

@norio-nomura norio-nomura marked this pull request as ready for review September 10, 2025 05:33
@norio-nomura
Contributor Author

> To support custom usernet, I will move WaitOpeningSSHPort logic to the server side.

done.

@norio-nomura
Contributor Author

> To support custom usernet, I will move WaitOpeningSSHPort logic to the server side.

This added an entry point `/extension/wait_port?ip=<ip address>&port=<port>` to endpoint sock of usernet.

@norio-nomura
Contributor Author

Updated to use SSHAddress as the host address.

@norio-nomura norio-nomura force-pushed the ssh-over-vsock-on-vz branch 4 times, most recently from 102d712 to 0a29768 Compare September 17, 2025 07:50
@norio-nomura norio-nomura force-pushed the ssh-over-vsock-on-vz branch 4 times, most recently from 9f5f7d3 to 3372ae7 Compare September 19, 2025 02:56

```go
	logrus.Errorf("error writing to pid fil %q", pidFile)
	errCh <- err
}
filesToRemove[pidFile] = struct{}{}
```

Contributor Author

This line was not effective until this PR, because above defer:

```go
	filesToRemove := make(map[string]struct{})
	defer func() {
		for f := range filesToRemove {
			_ = os.RemoveAll(f)
		}
	}()
```

has passed before filesToRemove[pidFile] = struct{}{} has effect.
Because I changed to wait waitSSHLocalPortAccessible, above defer changed to remove pidFile.
That’s why test fails with:
https://github.com/lima-vm/lima/actions/runs/17849303510/job/50754678943?pr=3979#step:9:165

time="2025-09-19T05:30:22Z" level=fatal msg="expected status "Running", got "Broken" (maybe use limactl stop -f?)"

I think filesToRemove is not required.
I'll remove them.

@norio-nomura norio-nomura force-pushed the ssh-over-vsock-on-vz branch 4 times, most recently from 57f60a3 to 6dae6d1 Compare September 20, 2025 00:41
Since systemd v256 (Ubuntu 24.10), SSH is bound to AF_VSOCK port 22.

https://github.com/systemd/systemd/releases/tag/v256
> - If the system is run in a VM providing AF_VSOCK support, it automatically
binds sshd to AF_VSOCK port 22.

https://discourse.ubuntu.com/t/oracular-oriole-release-notes/44878
> - When sshd is installed on a system, a new systemd generator, systemd-ssh-generator
binds a socket-activated SSH server to local AF_VSOCK and AF_UNIX sockets under certain conditions.

This changes to delay starting SSH port forwarding until the SSH server on the VM becomes ready.
If AF_VSOCK port 22 can be connected, start a local SSH port as a proxy for AF_VSOCK port 22,
instead of starting gvisor's port forwarder.

SSH over VSOCK is faster than SSH over gvisor's port forwarder.

This change is opt-out because it requires VZ and VM with systemd v256+,
setting `LIMA_SSH_OVER_VSOCK=true` does not mean it works.
To disable, set `LIMA_SSH_OVER_VSOCK=false`.

Signed-off-by: Norio Nomura <norio.nomura@gmail.com>
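
The flow that the PR description and this commit message outline (wait until the guest's SSH answers, then expose a local port that proxies to it), as an added Go sketch that is not Lima's code. `dialFunc` is a hypothetical stand-in for the AF_VSOCK dial, the banner check is an assumption, and the guest is a constructed in-memory fake.

```go
package main

import (
	"bufio"
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"strings"
	"sync/atomic"
	"time"
)

// dialFunc is a hypothetical stand-in for "connect to AF_VSOCK port 22 on the VM".
type dialFunc func(ctx context.Context) (net.Conn, error)

// sshReady connects once and looks for an SSH identification line. Checking the
// banner rather than bare connect success is an assumption of this sketch.
func sshReady(ctx context.Context, dial dialFunc, timeout time.Duration) bool {
	c, err := dial(ctx)
	if err != nil {
		return false
	}
	defer c.Close()
	_ = c.SetReadDeadline(time.Now().Add(timeout))
	line, err := bufio.NewReader(c).ReadString('\n')
	return err == nil && strings.HasPrefix(line, "SSH-")
}

// startProxy waits for the guest, then binds a loopback-only ephemeral port and relays clients.
func startProxy(ctx context.Context, dial dialFunc, retry time.Duration) (net.Listener, error) {
	for !sshReady(ctx, dial, retry) {
		select {
		case <-ctx.Done():
			return nil, fmt.Errorf("guest SSH never became ready: %w", ctx.Err())
		case <-time.After(retry):
		}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0") // never 0.0.0.0
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			client, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go relay(ctx, client, dial)
		}
	}()
	return ln, nil
}

// relay copies bytes both ways and tears both sides down when either ends.
func relay(ctx context.Context, client net.Conn, dial dialFunc) {
	defer client.Close()
	guest, err := dial(ctx)
	if err != nil {
		return
	}
	defer guest.Close()
	go func() { _, _ = io.Copy(guest, client); guest.Close() }()
	_, _ = io.Copy(client, guest)
}

// demo: the first two dials fail (guest booting); returns banner, dial count, proxy address.
func demo() (banner string, dials int32, addr string, err error) {
	dial := func(ctx context.Context) (net.Conn, error) {
		if atomic.AddInt32(&dials, 1) <= 2 {
			return nil, errors.New("connection refused (guest still booting)")
		}
		guest, host := net.Pipe() // constructed stand-in for the guest sshd
		go func() { _, _ = guest.Write([]byte("SSH-2.0-FakeGuest\r\n")); guest.Close() }()
		return host, nil
	}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	ln, err := startProxy(ctx, dial, 20*time.Millisecond)
	if err != nil {
		return
	}
	defer ln.Close()
	c, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return
	}
	defer c.Close()
	banner, err = bufio.NewReader(c).ReadString('\n')
	return banner, atomic.LoadInt32(&dials), ln.Addr().String(), err
}

func main() { fmt.Println(demo()) }
```

Because the listener is created only after the probe succeeds, a client never connects to a port whose backend is still booting, and binding to 127.0.0.1 keeps the guest's socket reachable only through the process that mediates it.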

Loosen retry interval of connecting to SSH port on VM

Signed-off-by: Norio Nomura <norio.nomura@gmail.com>

Change default timeout to 600 seconds

Signed-off-by: Norio Nomura <norio.nomura@gmail.com>
Signed-off-by: Norio Nomura <norio.nomura@gmail.com>

# Conflicts:
#	hack/test-templates.sh

hack/test-templates.sh: avoid using `limactl restart`

Signed-off-by: Norio Nomura <norio.nomura@gmail.com>

hack/test-templates.sh: change order of tests

Signed-off-by: Norio Nomura <norio.nomura@gmail.com>

change `grep -iq` to  `grep -i`

Signed-off-by: Norio Nomura <norio.nomura@gmail.com>
…ecomes available.

Signed-off-by: Norio Nomura <norio.nomura@gmail.com>
`filesToRemove` was not effective until this PR, because above `defer`:
```golang
	filesToRemove := make(map[string]struct{})
	defer func() {
		for f := range filesToRemove {
			_ = os.RemoveAll(f)
		}
	}()
```
has passed before `filesToRemove[pidFile] = struct{}{}` has effect.
Because I changed to wait `waitSSHLocalPortAccessible`, above `defer` changed to remove `pidFile`.
That’s why test fails with:
https://github.com/lima-vm/lima/actions/runs/17849303510/job/50754678943?pr=3979#step:9:165
> time="2025-09-19T05:30:22Z" level=fatal msg="expected status \"Running\", got \"Broken\" (maybe use `limactl stop -f`?)"

I think `filesToRemove` is not required.
I'll remove them.

Signed-off-by: Norio Nomura <norio.nomura@gmail.com>
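
The ordering problem described in the review comment and in this commit message, as a constructed miniature added here (not Lima's code). `startAgent`, `waitForWriter` and the pid-file name are hypothetical; channels replace real timing so the two orderings are deterministic.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sync"
)

// startAgent mimics the pattern: a deferred loop removes every path registered
// in filesToRemove, while the pid file is written and registered by a goroutine.
// waitForWriter models the function returning later than it used to.
func startAgent(dir string, waitForWriter bool) (pidFile string, done <-chan struct{}) {
	release := make(chan struct{})
	var once sync.Once
	unblock := func() { once.Do(func() { close(release) }) }
	defer unblock() // registered first, so it runs last: after the cleanup below

	var mu sync.Mutex // the goroutine and the deferred cleanup both touch the map
	filesToRemove := make(map[string]struct{})
	defer func() {
		mu.Lock()
		defer mu.Unlock()
		for f := range filesToRemove {
			_ = os.RemoveAll(f)
		}
	}()

	pidFile = filepath.Join(dir, "agent.pid")
	finished := make(chan struct{})
	go func() {
		defer close(finished)
		<-release
		if err := os.WriteFile(pidFile, []byte("12345\n"), 0o644); err != nil {
			return
		}
		mu.Lock()
		filesToRemove[pidFile] = struct{}{} // only matters if the defer has not run yet
		mu.Unlock()
	}()

	if waitForWriter {
		unblock()
		<-finished // pidFile is registered before the deferred cleanup runs
	}
	return pidFile, finished
}

// pidFileSurvives reports whether the pid file still exists once startAgent has
// returned and the writer goroutine has finished.
func pidFileSurvives(waitForWriter bool) (bool, error) {
	dir, err := os.MkdirTemp("", "defer-demo-")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(dir)
	pidFile, done := startAgent(dir, waitForWriter)
	<-done
	_, statErr := os.Stat(pidFile)
	return statErr == nil, nil
}

func main() {
	for _, wait := range []bool{false, true} {
		ok, err := pidFileSurvives(wait)
		fmt.Printf("waitForWriter=%v pidFileSurvives=%v err=%v\n", wait, ok, err)
	}
}
```

When the function returns early the registration lands after the cleanup has already run and the pid file stays; once the function waits, the same cleanup deletes a file the running process still needs.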
Member

@AkihiroSuda AkihiroSuda left a comment

Thanks

@AkihiroSuda AkihiroSuda merged commit c85e72c into lima-vm:master Sep 23, 2025
62 of 63 checks passed
@norio-nomura norio-nomura deleted the ssh-over-vsock-on-vz branch September 23, 2025 06:05
@norio-nomura
Contributor Author

Thanks! 🙏🏻

tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Nov 10, 2025
⚠️ **CAUTION: this is a major update, indicating a breaking change!** ⚠️

This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [lima-vm/lima](https://github.com/lima-vm/lima) | major | `v1.2.2` -> `v2.0.1` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>lima-vm/lima (lima-vm/lima)</summary>

### [`v2.0.1`](https://github.com/lima-vm/lima/releases/tag/v2.0.1)

[Compare Source](lima-vm/lima@v2.0.0...v2.0.1)

#### Changes

- Binary release artifacts:
  - Fix a regression in v2.0.0 `level=fatal msg="template \"_images/<IMAGE>.yaml\" not found"` ([#4313](lima-vm/lima#4313), thanks to [@vvoland](https://github.com/vvoland))

- Misc:
  - pkg/networks/usernet: use `SIGINT` instead of `SIGKILL` ([#4310](lima-vm/lima#4310), thanks to [@norio-nomura](https://github.com/norio-nomura))

Full changes: <https://github.com/lima-vm/lima/milestone/64?closed=1>

#### Usage

```console
$ limactl create
$ limactl start
...
INFO[0029] READY. Run `lima` to open the shell.

$ lima uname
Linux
```

***

The binaries were built automatically on GitHub Actions.
The build log is available for 90 days: <https://github.com/lima-vm/lima/actions/runs/19137304035>

The sha256sum of the SHA256SUMS file itself is `25ad222fa1cf91a85ef7be67664f2ba65228a5d82a39be1adbbe842096854e24` .

***

Release manager: [@AkihiroSuda](https://github.com/AkihiroSuda)

### [`v2.0.0`](https://github.com/lima-vm/lima/releases/tag/v2.0.0)

[Compare Source](lima-vm/lima@v1.2.2...v2.0.0)

This is the second major release of Lima, featuring the support for [pluggable VM drivers](https://lima-vm.io/docs/dev/drivers/), [GPU acceleration](https://lima-vm.io/docs/config/gpu/), and [MCP](https://lima-vm.io/docs/config/ai/outside/mcp/).
This release also commemorates the promotion of the project from CNCF [Sandbox](https://www.cncf.io/sandbox-projects/) to [Incubating](https://www.cncf.io/projects/) 🎉.

#### Highlights

- [Experimental plug-in subsystem for VM driver infrastructure](https://lima-vm.io/docs/dev/drivers/).
  This will help implementing third-party plugins without modifying the code base of Lima.
  Thanks to [GSoC 2025](https://gist.github.com/unsuman/ff31a323ecef2289bf065882726ed7f0) contributor [@unsuman](https://github.com/unsuman) .
- [Experimental krunkit VM driver](https://lima-vm.io/docs/config/vmtype/krunkit/) for supporting GPU acceleration ([#4137](lima-vm/lima#4137), thanks to [@unsuman](https://github.com/unsuman))
- [Experimental integration for Model Context Protocol (MCP)](https://lima-vm.io/docs/config/ai/outside/) ([#3744](lima-vm/lima#3744)). i.e., Lima can be now used as a sandbox for AI agents such as Gemini.
- Add `limactl (start|restart) --progress` flag to show the progress of provisioning ([#3846](lima-vm/lima#3846), [#3915](lima-vm/lima#3915), thanks to [@olamilekan000](https://github.com/olamilekan000) [@norio-nomura](https://github.com/norio-nomura))
- Add `limactl shell --preserve-env` flag to propagate env vars from the host to VM ([#3830](lima-vm/lima#3830), thanks to [@olamilekan000](https://github.com/olamilekan000))

#### Other notable changes

- `/tmp/lima` is no longer mounted by default ([#3951](lima-vm/lima#3951))
- SSH port is no longer hard-coded to 60022 for the "default" instance ([#3780](lima-vm/lima#3780))
- Forward UDP ports by default ([#4054](lima-vm/lima#4054))
- Support CLI plugins ([#3834](lima-vm/lima#3834), [#4009](lima-vm/lima#4009), thanks to [@olamilekan000](https://github.com/olamilekan000))
- Support custom URL scheme plugins ([#3937](lima-vm/lima#3937), thanks to [@jandubois](https://github.com/jandubois)).
  `template://default` is now recommended to be written as `template:default`. The old form is still supported.

##### Details

- VM driver infrastructure:
  - [Experimental plug-in subsystem for VM driver infrastructure](https://lima-vm.io/docs/dev/drivers/) ([multiple MRs](https://github.com/lima-vm/lima/pulls?q=is%3Apr+milestone%3Av2.0.0+is%3Aclosed+label%3Aarea%2Fvmdrivers), thanks to [@unsuman](https://github.com/unsuman))

- krunkit:
  - [Experimental krunkit VM driver](https://lima-vm.io/docs/config/vmtype/krunkit/) for supporting GPU acceleration ([#4137](lima-vm/lima#4137), thanks to [@unsuman](https://github.com/unsuman))

- VZ:
  - Support Rosetta AOT Caching with CDI ([#3858](lima-vm/lima#3858), thanks to [@norio-nomura](https://github.com/norio-nomura))
  - Support accelerating SSH using `AF_VSOCK` ([#3979](lima-vm/lima#3979), thanks to [@norio-nomura](https://github.com/norio-nomura))

- QEMU:
  - Fallback to TCG when KVM is not available on Linux hosts ([#4204](lima-vm/lima#4204))

- MCP:
  - [Experimental integration for Model Context Protocol (MCP)](https://lima-vm.io/docs/config/ai/outside/) ([#3744](lima-vm/lima#3744)).  Lima now provides MCP tools for reading, writing, and executing local files using a VM sandbox. Known to work with Google Gemini CLI.

- `limactl` CLI:
  - Add `limactl (start|restart) --progress` flag to show the progress of provisioning ([#3846](lima-vm/lima#3846), [#3915](lima-vm/lima#3915), thanks to [@olamilekan000](https://github.com/olamilekan000) [@norio-nomura](https://github.com/norio-nomura))
  - Add `limactl (create|start|edit) --port-forward` flag for static port forwarding ([#3699](lima-vm/lima#3699), thanks to [@Horiodino](https://github.com/Horiodino)).
    Usually not needed, but useful for instances created with `--plain`.
  - Add `limactl (create|start|edit) --ssh-port` flag ([#3791](lima-vm/lima#3791))
  - Add `limactl (create|start|edit) --mount-only` flag ([#3947](lima-vm/lima#3947)).
    Similar to `--mount`, but overrides the existing mounts. Useful for mounting `$(pwd)`.
  - Support specifying `--set` multiple times in `limactl (create|start|edit)` ([#4197](lima-vm/lima#4197), thanks to [@AndiDog](https://github.com/AndiDog))
  - Add `limactl shell --preserve-env` flag to propagate env vars from the host to VM ([#3830](lima-vm/lima#3830), thanks to [@olamilekan000](https://github.com/olamilekan000)).
    See also [`LIMA_SHELLENV_ALLOW`](https://lima-vm.io/docs/config/environment-variables/#lima_shellenv_allow) and [`LIMA_SHELLENV_BLOCK`](https://lima-vm.io/docs/config/environment-variables/#lima_shellenv_block).
  - Support CLI plugins ([#3834](lima-vm/lima#3834), [#4009](lima-vm/lima#4009), thanks to [@olamilekan000](https://github.com/olamilekan000))
  - Support custom URL scheme plugins ([#3937](lima-vm/lima#3937), thanks to [@jandubois](https://github.com/jandubois)).
    `template://default` is now recommended to be written as `template:default`. The old form is still supported.
  - Add `limactl copy --backend=rsync` flag as an alternative to `scp` backend ([#3143](lima-vm/lima#3143), thanks to [@olamilekan000](https://github.com/olamilekan000))
  - Add `limactl list--yq` and `limactl info --yq` flags ([#3998](lima-vm/lima#3998), thanks to [@jandubois](https://github.com/jandubois))
  - Add `limactl rename OLD NEW` ([#4207](lima-vm/lima#4207))
  - Deprecate `--yes` and introduce `limactl (clone|rename|edit|shell) --start` instead ([#4108](lima-vm/lima#4108), [#4285](lima-vm/lima#4285), thanks to [@Horiodino](https://github.com/Horiodino) [@nlordell](https://github.com/nlordell))

- YAML:
  - Migrate `cpuType` to `vmOpts.qemu` ([#3500](lima-vm/lima#3500), thanks to [@unsuman](https://github.com/unsuman))
  - Add `yq` provision mode ([#3892](lima-vm/lima#3892), thanks to [@norio-nomura](https://github.com/norio-nomura))
  - Prohibit relative paths in YAML ([#3950](lima-vm/lima#3950)).
    Relative paths were never intended to be supported,
    but they were accidentally allowed due to a regression in v1.1.0.
    The CLI command `limactl (create|start|edit) --mount DIR` still supports relative paths.

- Default template:
  - Remove `/tmp/lima` mount ([#3951](lima-vm/lima#3951))
  - Stop hardcoding SSH port 60022 ([#3780](lima-vm/lima#3780))

- Network:
  - Enable mDNS for vzNAT and socket\_vmnet ([#4272](lima-vm/lima#4272), thanks to [@norio-nomura](https://github.com/norio-nomura))

- Port forwarding:
  - Support port forwarding in plain mode ([#3699](lima-vm/lima#3699), thanks to [@Horiodino](https://github.com/Horiodino))
  - Support host sockets in gRPC port forwarder ([#4008](lima-vm/lima#4008), thanks to [@norio-nomura](https://github.com/norio-nomura))
  - Forward UDP ports by default ([#4054](lima-vm/lima#4054))
  - Eliminated 3-second delay for detecting ports ([#4066](lima-vm/lima#4066))
  - Removed iptables watcher for `sudo nerdctl run -p ...` ([#4107](lima-vm/lima#4107)).
    `sudo nerdctl run -p ...` now requires nerdctl v2.1.6 or later.
  - Improved performance of gRPC forwarder ([#4247](lima-vm/lima#4247), thanks to [@balajiv113](https://github.com/balajiv113))
  - Support UDP in Kubernetes ([#4233](lima-vm/lima#4233))
  - Change default of `guestIPMustBeZero` to `true` when `guestIP` is `0.0.0.0` ([#4221](lima-vm/lima#4221), thanks to [@jandubois](https://github.com/jandubois))

- Build system:
  - Remove `Kconfig` and `config.mk`, in favor of Makefile variables ([#3732](lima-vm/lima#3732))
  - Support Fedora, RHEL, and relevant host distributions ([#4228](lima-vm/lima#4228), thanks to [@valdela1](https://github.com/valdela1))

- Templates:
  - `alpine`, `alpine-iso`: update to Alpine 3.22 ([#4184](lima-vm/lima#4184), [#4190](lima-vm/lima#4190), thanks to [@jandubois](https://github.com/jandubois))
  - `debian`: update to Debian 13 ([#4029](lima-vm/lima#4029), thanks to [@unsuman](https://github.com/unsuman))
  - `docker`, `docker-rootful`: Enable containerd image store ([#3941](lima-vm/lima#3941), thanks to [@norio-nomura](https://github.com/norio-nomura))
  - `fedora`: update to Fedora 43 ([#4255](lima-vm/lima#4255))
  - `opensuse`: update to openSUSE Leap 16 ([#4203](lima-vm/lima#4203))
  - `oraclelinux`: update to Oracle Linux 10 ([#4236](lima-vm/lima#4236), thanks to [@valdela1](https://github.com/valdela1))
  - `ubuntu`, `default`: update Ubuntu to 25.10 ([#4202](lima-vm/lima#4202))
  - `k0s`: New template ([#3728](lima-vm/lima#3728), thanks to [@plandem](https://github.com/plandem))
  - `experimental/ubuntu-next`: update to Ubuntu 26.04 pre-release ([#4311](lima-vm/lima#4311))

- Project:
  - Invite Ansuman Sahoo ([@unsuman](https://github.com/unsuman)) as a Reviewer ([#4003](lima-vm/lima#4003), thanks to [@jandubois](https://github.com/jandubois))
  - Promote from CNCF Sandbox to Incubating ([#4201](lima-vm/lima#4201))

Full changes: <https://github.com/lima-vm/lima/milestone/59?closed=1>

Thanks to [@AndiDog](https://github.com/AndiDog) [@Horiodino](https://github.com/Horiodino) [@afbjorklund](https://github.com/afbjorklund) [@alexandear](https://github.com/alexandear) [@ashwat287](https://github.com/ashwat287) [@balajiv113](https://github.com/balajiv113) [@bonifaido](https://github.com/bonifaido) [@dharsanb](https://github.com/dharsanb) [@gnawhleinad](https://github.com/gnawhleinad) [@iamleot](https://github.com/iamleot) [@jandubois](https://github.com/jandubois) [@kachick](https://github.com/kachick) [@muchzill4](https://github.com/muchzill4) [@ningmingxiao](https://github.com/ningmingxiao) [@nlordell](https://github.com/nlordell) [@norio-nomura](https://github.com/norio-nomura) [@olamilekan000](https://github.com/olamilekan000) [@plandem](https://github.com/plandem) [@stek29](https://github.com/stek29) [@unsuman](https://github.com/unsuman) [@valdela1](https://github.com/valdela1) [@vax-r](https://github.com/vax-r) [@vishalanarase](https://github.com/vishalanarase) [@zyfy29](https://github.com/zyfy29)

#### EOL of v1.2

Lima v1.2 will continue to receive security updates and critical bug fixes until **2026-02-06** (3 months from now).
See also <https://lima-vm.io/docs/releases/>.

#### Usage

```console
$ limactl create
$ limactl start
...
INFO[0029] READY. Run `lima` to open the shell.

$ lima uname
Linux
```

***

The binaries were built automatically on GitHub Actions.
The build log is available for 90 days: <https://github.com/lima-vm/lima/actions/runs/19130682878>

The sha256sum of the SHA256SUMS file itself is `112f1ef1d9850e29b4be425ca71e8b6ac686f593ff741164885b51fbd6919ca6` .

***

Release manager: [@AkihiroSuda](https://github.com/AkihiroSuda)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).