Closed Dulux-Oz closed 1 month ago
Hey @Dulux-Oz,
Thanks for your request. I think you're almost on the right track, and you can simply select between two approaches.
When each node has different credentials and not the same or a shared user with the needed permissions, you can also use config management tools such as Ansible. I use Ansible to generate the configs for each host, where it uses localhost as the API host, with its own credentials, which are obtained for each host from a HashiCorp Vault. It looks like:
[proxmox]
api_host: {{inventory_hostname}}
api_user: proxlb@pam
api_pass: {{inventory_hostname}}_services_{{role_service_name}}{{api_password}}
verify_ssl: 1
[balancing]
enable: {{proxlb_vm_balancing_activate}}
method: memory
mode: used
ignore_nodes: {{ingore_nodes}}
ignore_vms: {{ingore_vms}}
[storage_balancing]
enable: {{proxlb_storage_balancing_activate}}
[update_service]
enable: {{proxlb_update_service_activate}}
[api]
enable: {{proxlb_api_activate}}
[service]
daemon: {{proxlb_service_daemon_activate}}
schedule: {{proxlb_service_daemon_schedule}}
log_verbosity: {{proxlb_service_daemon_log_verbosity}}
config_version: 3
As you already mentioned before, you can also create a new user which is present on all nodes with the same credentials. For pure VM/CT balancing, the account needs at least the following permissions:
I always wanted to provide a custom role template but unfortunately I postponed it until all features are in place (storage balancing, of course, needs additional permissions). So yeah, Administrator and PVEAdmin include all that but might also be too much. That's probably something I should work on ASAP. So I guess it could start with:
VM.Audit (view VM config, required to obtain memory, disk, CPU metrics)
VM.Migrate (allowing the VM to be migrated)
Both should be enough to migrate VMs (it is not enough for storage migration or rolling updates [not yet in main]). If I have enough time in the evening, I can give it a try. Hope it helps so far.
Cheers, gyptazy
Hey @Dulux-Oz,
I just gave it a try and you need the following roles for a dedicated group/user:
I also added this to the docs here: https://github.com/gyptazy/ProxLB/blob/main/docs/02_Configuration.md#authentication--user-account--user--permissions
Cheers, gyptazy
Hi @gyptazy,
Thanks for getting back to me so soon and for resolving the issue/doco so quickly - great work.
That was Part 2 of my question; any feedback on Part 1 (ie what the api_host: setting should be; and if it's the same or unique for all three nodes)?
Cheers
Dulux-Oz
Hey @Dulux-Oz,
That was Part 2 of my question; any feedback on Part 1 (ie what the api_host: setting should be; and if it's the same or unique for all three nodes)?
I think I answered it within the two approaches in https://github.com/gyptazy/ProxLB/issues/63#issuecomment-2311614148. However, I think those two approaches are very common like:
So, if you use the templating for the configurations and you run ProxLB on the same Proxmox node, you can simply use localhost in api_host. If you have a generic user on all nodes, you can simply use any node, or enter multiple ones in a comma-separated list like:
api_host: node01.gyptazy.ch,node02.gyptazy.ch,node03.gyptazy.ch
Of course, you can also (which is also very common) create a dedicated load balancer in front of them with HAProxy, nginx etc. So you simply connect to that one which balances you to a reachable node.
Hope it helps!
Cheers, gyptazy
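As an added illustration (not ProxLB's own code), here is how the comma-separated api_host value from a proxlb.conf like the one above can be parsed and then tried in order until a node answers, so a client keeps working when one node is down. The reachability probe is passed in as a callable so the snippet runs offline; the default probe assumes the standard Proxmox API port 8006, and the sample config is constructed for this example.

```python
import configparser
import socket
from typing import Callable, Iterable, Optional

# Constructed sample proxlb.conf; the [proxmox] keys match those used in the thread.
SAMPLE_CONF = """\
[proxmox]
api_host: node01.gyptazy.ch, node02.gyptazy.ch,node03.gyptazy.ch
api_user: proxlb@pam
api_pass: example-only
verify_ssl: 1
"""

PROXMOX_API_PORT = 8006  # assumption: default Proxmox VE API port


def parse_api_hosts(conf_text: str) -> list[str]:
    """Return the api_host entries as a de-duplicated, order-preserving list."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    raw = cfg.get("proxmox", "api_host", fallback="")
    hosts: list[str] = []
    for item in raw.split(","):
        host = item.strip()
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def verify_ssl_enabled(conf_text: str) -> bool:
    """Read verify_ssl; keeping it on ensures the failover does not silently accept a spoofed node."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    return cfg.getboolean("proxmox", "verify_ssl", fallback=True)


def tcp_probe(host: str, timeout: float = 2.0) -> bool:
    """Default probe: a plain TCP connect to the API port (only a liveness hint, not authentication)."""
    with socket.create_connection((host, PROXMOX_API_PORT), timeout=timeout):
        return True


def pick_reachable_host(hosts: Iterable[str], probe: Callable[[str], bool] = tcp_probe) -> Optional[str]:
    """Try each host in the configured order; return the first one the probe accepts, else None."""
    for host in hosts:
        try:
            if probe(host):
                return host
        except OSError:
            # Connection errors are treated like an unreachable node; move on to the next one.
            continue
    return None
```

Pass a probe that performs an authenticated API call (for example a GET on /api2/json/version) if a TCP connect is not a strong enough liveness signal for your setup.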
Hi @gyptazy
api_host: node01.gyptazy.ch,node02.gyptazy.ch,node03.gyptazy.ch
Ahh, that's what I was missing :smile:
Thank you!
Hey @Dulux-Oz,
Since I thought I had mentioned it directly in the README.md at https://github.com/gyptazy/ProxLB?tab=readme-ov-file#options, where it only says in the description:
Host or IP address (or comma separated list) of the remote Proxmox API.
Do you think there is room for improvement? Maybe you have feedback or an idea on how I could improve the docs to make it clearer, so that nobody else needs to ask about it.
Happy to hear how to improve the docs!
Thanks, gyptazy
Hi @gyptazy,
Yeah, I saw that there, but I still didn’t get it — that’s more about me than about the quality of the doco. :smile:
I don’t know; perhaps you could add something Explicitly Obvious™ like:
If running ProxLB on more than one Proxmox Node, set the api_host: to a comma-separated list of each node’s IP Address or Hostname
For example: api_host: node01.gyptazy.ch,node02.gyptazy.ch,node03.gyptazy.ch
Just a thought.
Hey @gyptazy,
For what it’s worth, here are the Proxmox CLI commands to create that ProxLB user (my way of saying “Thanks”). Feel free to use, modify, document, or ignore at will.
pveum role add ProxLBAdmin --privs Datastore.Audit,Sys.Audit,VM.Audit,VM.Migrate
pveum user add proxlb_admin@pve --password <password>
pveum acl modify / --roles ProxLBAdmin --users proxlb_admin@pve
Cheers
Dulux-Oz
Hey @Dulux-Oz,
Thank you, I added it to the docs, which you can also find:
Thanks for providing the snippet, I mentioned you in the corresponding changelog (https://github.com/gyptazy/ProxLB/blob/main/.changelogs/1.0.3/docs_fix_default_config_add_dedicated_user_howto.yml#L4). I'm also always happy if people directly provide PRs :)
Cheers, gyptazy
Hi All,
First of all: Great Plug-In! (Or whatever you want to call it :-) )
My issue: I'm just a tad confused, and so require someone to set me straight, please.
I've got a 3-node PVE and so want to run ProxLB on all 3 nodes (with master_only: 1, of course). In the proxlb.conf file, what do I set the api_host to: all 3 nodes (eg api_host: node1,node2,node3), or something else?
Also, each node has a different root password, so should I set up a proxlb_user@pve account (which, obviously, will be shared across all the nodes), and if so, does that account need any special privileges/roles (eg Administrator, VM.Migrate, VM.PowerMgmt, etc)?
Thanks in advance
Dulux-Oz