Open maksimsamt opened 4 days ago
Hi @maksimsamt

I found when testing #281 these were the permissions I needed to reproduce the build; I definitely didn't need to give any access to `/`. The issue upstream appears to be the need for `/vms` access to create a VM, which goes against the idea of using pools. I suspect what's happening is the upstream API library is creating the VM under `/`, then joining the VM to a pool if configured, rather than submitting the VM for creation in the configured pool.
```
user@pve:~# pveum user permissions poolscopeduser@pve --output-format json-pretty
{
   "/pool/SHARED" : {
      "Pool.Allocate" : 1,
      "Pool.Audit" : 1
   },
   "/sdn/zones/localnetwork" : {
      "SDN.Audit" : 1,
      "SDN.Use" : 1
   },
   "/storage/ISOs" : {
      "Datastore.Allocate" : 1,
      "Datastore.AllocateSpace" : 1,
      "Datastore.AllocateTemplate" : 1,
      "Datastore.Audit" : 1
   },
   "/storage/StandardSSD-lvm" : {
      "Datastore.Allocate" : 1,
      "Datastore.AllocateSpace" : 1,
      "Datastore.AllocateTemplate" : 1,
      "Datastore.Audit" : 1
   },
   "/vms" : {
      "VM.Allocate" : 1,
      "VM.Audit" : 1,
      "VM.Backup" : 1,
      "VM.Clone" : 1,
      "VM.Config.CDROM" : 1,
      "VM.Config.CPU" : 1,
      "VM.Config.Cloudinit" : 1,
      "VM.Config.Disk" : 1,
      "VM.Config.HWType" : 1,
      "VM.Config.Memory" : 1,
      "VM.Config.Network" : 1,
      "VM.Config.Options" : 1,
      "VM.Console" : 1,
      "VM.Migrate" : 1,
      "VM.Monitor" : 1,
      "VM.PowerMgmt" : 1,
      "VM.Snapshot" : 1,
      "VM.Snapshot.Rollback" : 1
   }
}
```
If I add the `PVEVMAdmin` role to `/pool/SHARED` and remove it from `/vms`, the permission check still fails for the Packer plugin, but I can use the GUI to create a VM in the pool with the scoped user.
I'll try to dig into where the issue lies in the API and raise an issue upstream if we can't work around it in the Packer plugin.
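A constructed Python model of the two creation flows contrasted in the comment above (create the VM, then join it to the pool, versus create it in the pool); this is added here and is not code from Proxmox or packer-plugin-proxmox. It assumes that an ACL grant on a path also applies to every path below it, that VM creation accepts `VM.Allocate` on either `/vms/<vmid>` or, when the pool is passed at creation, on `/pool/<pool>`, and that adding an existing VM to a pool needs `Pool.Allocate` on that pool; the `ACL` dict is condensed from the `pveum` dump above.

```python
# Constructed toy model of the Proxmox VE path permission check, written for this thread;
# not Proxmox or packer-plugin-proxmox code. Assumed rules: a privilege granted on a path
# also holds on every path below it, and VM creation accepts VM.Allocate on /vms/<vmid> or,
# when the VM is submitted for creation in a pool, on /pool/<pool>.

# Condensed from the pveum dump above (Datastore/SDN entries trimmed).
ACL = {
    "/pool/SHARED": {"Pool.Allocate", "Pool.Audit"},
    "/storage/StandardSSD-lvm": {"Datastore.AllocateSpace", "Datastore.Audit"},
    "/vms": {"VM.Allocate", "VM.Audit", "VM.Config.Disk", "VM.PowerMgmt"},
}

def privileges(acl, path):
    """Union of privileges granted on `path` and on every ancestor path down from `/`."""
    parts = [p for p in path.split("/") if p]
    prefixes = ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]
    privs = set()
    for prefix in prefixes:
        privs |= acl.get(prefix, set())
    return privs

def can_create_vm(acl, vmid, pool=None):
    """VM.Allocate on /vms/<vmid> always suffices; when `pool` is given at creation,
    VM.Allocate on /pool/<pool> is accepted instead (assumed rule, see header)."""
    if "VM.Allocate" in privileges(acl, f"/vms/{vmid}"):
        return True
    return pool is not None and "VM.Allocate" in privileges(acl, f"/pool/{pool}")

def create_then_join_pool(acl, vmid, pool):
    """Flow suspected above: create under /vms/<vmid> first, then add the VM to the pool."""
    if not can_create_vm(acl, vmid):
        return False
    return "Pool.Allocate" in privileges(acl, f"/pool/{pool}")

def create_in_pool(acl, vmid, pool):
    """Flow the GUI uses: submit the VM for creation directly in the pool."""
    return can_create_vm(acl, vmid, pool=pool)

def scoped_to_pool(acl):
    """The change tried above: move the VM.* grants from /vms to /pool/SHARED."""
    moved = {path: set(privs) for path, privs in acl.items()}
    moved["/pool/SHARED"] |= moved.pop("/vms")
    return moved

if __name__ == "__main__":
    pooled = scoped_to_pool(ACL)
    print("create-then-join, grant on /vms:  ", create_then_join_pool(ACL, 100, "SHARED"))
    print("create-then-join, pool-scoped:    ", create_then_join_pool(pooled, 100, "SHARED"))
    print("create-in-pool, pool-scoped:      ", create_in_pool(pooled, 100, "SHARED"))
```

With the grant moved to the pool, only the create-in-pool flow passes, which is the behaviour difference between the plugin and the GUI reported above.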
Overview of the Issue
New plugin version 1.2.0 introduced a PVE pool regression, https://github.com/hashicorp/packer-plugin-proxmox/issues/281. Unfortunately, the newer version 1.2.1 does not completely solve this issue. It seems that too many permissions are required for the Packer build user to create a VM/template. Meanwhile, version 1.1.8 with the same setup and Packer build user permission config works fine. A similar issue exists in the Proxmox upstream API, and here is my workaround for how to solve this.
Reproduction Steps
In Proxmox PVE, create the Packer build user's objects with isolated permissions. The build user has only the necessary permissions, no more, no less; for example, it does not have the `/` permission. Inspired by https://github.com/hashicorp/packer-plugin-proxmox/issues/184:

Further, in the Packer build scripts use this `packer@pve` user and the `/pools/packer-pool` pool. As mentioned above, this setup works in plugin version 1.1.8. Perhaps you have to define `minimumPermissions` in packer-plugin-proxmox as it is in terraform-provider-proxmox, and, as mentioned above in my workaround for how to solve this, it will be enough to add only the `Sys.Audit` permission for the root `/`. In this case it will be necessary to add the `PVESysAdmin` role for the `packer-group` group:

Plugin and Packer version
Packer v1.11.2 Plugin v1.2.1 Proxmox PVE v8.2.2
Simplified Packer Buildfile
n/a
Operating system and Environment details
n/a
Log Fragments and crash.log files