feat: Add limactl vz-vmnet

It shares `VmnetNetwork` serialization between VMs.
- `limactl vz-vmnet --enable-mach-service`: register Mach service and launch
- `limactl vz-vmnet --enable-mach-service=false`: unregister Mach service

`limactl vz-vmnet` does:
- Receives a registration payload from VZ driver with fields:
  - `Network`: name of the network ("shared", "host", etc)
  - `CDHash`: `cdhash` bytes of the executable.
  - `Configuration`: `[]bytes@ representing `VzNetworkConfig` in JSON.
  - `Serialization`: serialization created by `VmnetNetwork.CopySerialization()`
- Validates the provided cdhash matches to client's cdhash by using xpc_peer_requirement API.
- Check the existence of the host interface using `VzNetworkConfig.Subnet`.
- If the cdhash is valid and the interface is not exists, accepts registration to serialization entries.
- If `Serialization` is not in payload and the network registration exists,
  reply the payload to client if the registered network still exists.
- reply error on otherwise.

VZ driver does:
- Check the existence of the host interface using `VzNetworkConfig.Subnet`.
- If exists:
  - Retrieves the existing registration payload from `lima vz-vmnet`.
  - Validate cdhash in payload matches with the self cdhash
  - If the `VzNetworkConfig` changed, produce a warning to log
  - Create a VmnetNetwork from the serialization
- If not exists, Create a VmnetNetwork from `VzNetworkConfig`, and register them to `lima vz-vmnet`

Signed-off-by: Norio Nomura <norio.nomura@gmail.com>

Author: norio-nomura

cmd/limactl/main.go

@@ -208,6 +208,7 @@ func newApp() *cobra.Command {
 		newNetworkCommand(),
 		newCloneCommand(),
 		newRenameCommand(),
+		newvzvmnetCommand(),
 	)
 	addPluginCommands(rootCmd)
 

cmd/limactl/vz-vmnet.go

@@ -0,0 +1,27 @@
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"github.com/spf13/cobra"
+)
+
+func newvzvmnetCommand() *cobra.Command {
+	newCommand := &cobra.Command{
+		Use:               "vz-vmnet",
+		Short:             "Run vz-vmnet",
+		Args:              cobra.ExactArgs(0),
+		RunE:              newvzvmnetAction,
+		ValidArgsFunction: newvzvmnetComplete,
+		Hidden:            true,
+	}
+	newCommand.Flags().Bool("enable-mach-service", false, "Enable Mach service")
+	newCommand.Flags().String("mach-service", "", "Run as Mach service")
+	_ = newCommand.Flags().MarkHidden("mach-service")
+	return newCommand
+}
+
+func newvzvmnetComplete(cmd *cobra.Command, _ []string, _ string) ([]string, cobra.ShellCompDirective) {
+	return bashCompleteInstanceNames(cmd)
+}

cmd/limactl/vz-vmnet_darwin.go

@@ -0,0 +1,41 @@
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"errors"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/coreos/go-semver/semver"
+	"github.com/spf13/cobra"
+
+	"github.com/lima-vm/lima/v2/pkg/osutil"
+	"github.com/lima-vm/lima/v2/pkg/vzvmnet"
+)
+
+func newvzvmnetAction(cmd *cobra.Command, _ []string) error {
+	macOSProductVersion, err := osutil.ProductVersion()
+	if err != nil {
+		return err
+	}
+	if macOSProductVersion.LessThan(*semver.New("26.0.0")) {
+		return errors.New("vz-vmnet requires macOS 26 or higher to run")
+	}
+
+	if !cmd.HasLocalFlags() {
+		return cmd.Help()
+	}
+
+	ctx, cancel := signal.NotifyContext(cmd.Context(), os.Interrupt, syscall.SIGTERM)
+	defer cancel()
+
+	if machServiceName, _ := cmd.Flags().GetString("mach-service"); machServiceName != "" {
+		return vzvmnet.RunMachService(ctx, machServiceName)
+	} else if enableMachService, _ := cmd.Flags().GetBool("enable-mach-service"); enableMachService {
+		return vzvmnet.RegisterMachService(ctx)
+	}
+	return vzvmnet.UnregisterMachService(ctx)
+}

cmd/limactl/vz-vmnet_nodarwin.go

@@ -0,0 +1,16 @@
+//go:build !darwin
+
+// SPDX-FileCopyrightText: Copyright The Lima Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"errors"
+
+	"github.com/spf13/cobra"
+)
+
+func newvzvmnetAction(_ *cobra.Command, _ []string) error {
+	return errors.New("vz-vmnet command is only supported on macOS")
+}

go.mod

@@ -148,4 +148,4 @@ require (
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )
 
-replace github.com/Code-Hex/vz/v3 => github.com/norio-nomura/vz/v3 v3.7.2-0.20251122122159-6617c8faa123
+replace github.com/Code-Hex/vz/v3 => github.com/norio-nomura/vz/v3 v3.7.2-0.20251212095603-d3fad75f665e

go.sum

@@ -207,8 +207,8 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFd
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/norio-nomura/vz/v3 v3.7.2-0.20251122122159-6617c8faa123 h1:3Xzg1W5gel17So2d2NSA+flx6yoyknx5nG9Pb6eZU6s=
-github.com/norio-nomura/vz/v3 v3.7.2-0.20251122122159-6617c8faa123/go.mod h1:+0IVfZY7N/7Vv5KpZWbEgTRK6jMg4s7DVM+op2hdyrs=
+github.com/norio-nomura/vz/v3 v3.7.2-0.20251212095603-d3fad75f665e h1:6qEBUBrWQ/agtdr8rH9bolasuRpAPsbBcjTGlfzy3fA=
+github.com/norio-nomura/vz/v3 v3.7.2-0.20251212095603-d3fad75f665e/go.mod h1:+0IVfZY7N/7Vv5KpZWbEgTRK6jMg4s7DVM+op2hdyrs=
 github.com/nxadm/tail v1.4.11 h1:8feyoE3OzPrcshW5/MJ4sGESc5cqmGkGCWlco4l0bqY=
 github.com/nxadm/tail v1.4.11/go.mod h1:OTaG3NK980DZzxbRq6lEuzgU+mug70nY11sMd4JXXHc=
 github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=

pkg/driver/vz/vm_darwin.go

@@ -37,6 +37,7 @@ import (
 	"github.com/lima-vm/lima/v2/pkg/networks/usernet"
 	"github.com/lima-vm/lima/v2/pkg/osutil"
 	"github.com/lima-vm/lima/v2/pkg/store"
+	"github.com/lima-vm/lima/v2/pkg/vzvmnet"
 )
 
 // diskImageCachingMode is set to DiskImageCachingModeCached so as to avoid disk corruption on ARM:
@@ -363,7 +364,8 @@ func attachNetwork(ctx context.Context, inst *limatype.Instance, vmConfig *vz.Vi
 	}
 
 	for i, nw := range inst.Networks {
-		if nw.VZNAT != nil && *nw.VZNAT {
+		switch {
+		case nw.VZNAT != nil && *nw.VZNAT:
 			attachment, err := vz.NewNATNetworkDeviceAttachment()
 			if err != nil {
 				return err
@@ -373,30 +375,16 @@ func attachNetwork(ctx context.Context, inst *limatype.Instance, vmConfig *vz.Vi
 				return err
 			}
 			configurations = append(configurations, networkConfig)
-		} else if nw.VZShared != nil && *nw.VZShared {
-			config, err := vz.NewVmnetNetworkConfiguration(vz.SharedMode)
-			if err != nil {
-				return err
-			}
-			network, err := vz.NewVmnetNetwork(config)
-			if err != nil {
-				return err
-			}
-			attachment, err := vz.NewVmnetNetworkDeviceAttachment(network)
-			if err != nil {
-				return err
-			}
-			networkConfig, err := newVirtioNetworkDeviceConfiguration(attachment, nw.MACAddress)
+		case nw.Vz != "":
+			nwCfg, err := networks.LoadConfig()
 			if err != nil {
 				return err
 			}
-			configurations = append(configurations, networkConfig)
-		} else if nw.VZHost != nil && *nw.VZHost {
-			config, err := vz.NewVmnetNetworkConfiguration(vz.HostMode)
-			if err != nil {
-				return err
+			vzCfg, ok := nwCfg.Vz[nw.Vz]
+			if !ok {
+				return fmt.Errorf("networks.yaml: 'vz: %s' is not defined", nw.Vz)
 			}
-			network, err := vz.NewVmnetNetwork(config)
+			network, err := vzvmnet.RequestVmnetNetwork(ctx, nw.Vz, vzCfg)
 			if err != nil {
 				return err
 			}
@@ -409,7 +397,7 @@ func attachNetwork(ctx context.Context, inst *limatype.Instance, vmConfig *vz.Vi
 				return err
 			}
 			configurations = append(configurations, networkConfig)
-		} else if nw.Lima != "" {
+		case nw.Lima != "":
 			nwCfg, err := networks.LoadConfig()
 			if err != nil {
 				return err
@@ -461,7 +449,7 @@ func attachNetwork(ctx context.Context, inst *limatype.Instance, vmConfig *vz.Vi
 					configurations = append(configurations, networkConfig)
 				}
 			}
-		} else if nw.Socket != "" {
+		case nw.Socket != "":
 			clientFile, err := DialQemu(ctx, nw.Socket)
 			if err != nil {
 				return err

pkg/driver/vz/vz_driver_darwin.go

@@ -280,8 +280,7 @@ func validateConfig(_ context.Context, cfg *limatype.LimaYAML) error {
 
 	for i, nw := range cfg.Networks {
 		if unknown := reflectutil.UnknownNonEmptyFields(nw, "VZNAT",
-			"VZShared",
-			"VZHost",
+			"Vz",
 			"Lima",
 			"Socket",
 			"MACAddress",
@@ -290,9 +289,9 @@ func validateConfig(_ context.Context, cfg *limatype.LimaYAML) error {
 		); len(unknown) > 0 {
 			logrus.Warnf("vmType %s: ignoring networks[%d]: %+v", *cfg.VMType, i, unknown)
 		}
-		if (nw.VZShared != nil && *nw.VZShared) || (nw.VZHost != nil && *nw.VZHost) {
+		if nw.Vz != "" {
 			if macOSProductVersion.LessThan(*semver.New("26.0.0")) {
-				return fmt.Errorf("networks[%d]: VZShared and VZHost require macOS 26.0 or later", i)
+				return fmt.Errorf("networks[%d]: 'vz: %s' require macOS 26.0 or later", i, nw.Vz)
 			}
 		}
 	}

pkg/limatmpl/embed.go

@@ -543,13 +543,9 @@ func (tmpl *Template) combineNetworks() {
 				tmpl.copyListEntryField(networks, dst, src, "vzNAT")
 				dest.VZNAT = nw.VZNAT
 			}
-			if dest.VZShared == nil && nw.VZShared != nil {
-				tmpl.copyListEntryField(networks, dst, src, "vzShared")
-				dest.VZShared = nw.VZShared
-			}
-			if dest.VZHost == nil && nw.VZHost != nil {
-				tmpl.copyListEntryField(networks, dst, src, "vzHost")
-				dest.VZHost = nw.VZHost
+			if dest.Vz == "" && nw.Vz != "" {
+				tmpl.copyListEntryField(networks, dst, src, "vz")
+				dest.Vz = nw.Vz
 			}
 			if dest.Metric == nil && nw.Metric != nil {
 				tmpl.copyListEntryField(networks, dst, src, "metric")

pkg/limatype/lima_yaml.go

@@ -317,10 +317,9 @@ type Network struct {
 	Socket string `yaml:"socket,omitempty" json:"socket,omitempty"`
 	// VZNAT uses VZNATNetworkDeviceAttachment. Needs VZ. No root privilege is required.
 	VZNAT *bool `yaml:"vzNAT,omitempty" json:"vzNAT,omitempty"`
-	// VZShared, and VZHost use VZVmnetNetworkDeviceAttachment. Needs VZ. No root privilege is required.
+	// Vz uses VZVmnetNetworkDeviceAttachment. Needs VZ. No root privilege is required.
 	// Requires macOS 26.0 or later.
-	VZShared *bool `yaml:"vzShared,omitempty" json:"vzShared,omitempty"`
-	VZHost   *bool `yaml:"vzHost,omitempty" json:"vzHost,omitempty"`
+	Vz string `yaml:"vz,omitempty" json:"vz,omitempty"`
 
 	MACAddress string  `yaml:"macAddress,omitempty" json:"macAddress,omitempty"`
 	Interface  string  `yaml:"interface,omitempty" json:"interface,omitempty"`