Selecting network bridges

speck
May 8, 2025
When creating a new VM or adding a network device to a VM, a dialog like this is shown, where the user chooses which network bridge to attach:


A similar dialog is also shown when choosing network(s) for Corosync to create or join a cluster.

My questions:

1. Is there a way to limit or filter out the bridges presented? In the example shown, I would like to prevent my users from being able to choose the bridges on the system which are not for VMs to use, as they are being used for SAN or management traffic.

2. Barring that, it would be useful for the "Comment" field to be able to warn people away from choosing a bridge. Is there a way to populate the comment field?


-Cheers,

speck
 
In general, the view on all cluster and VM resources, e.g. the network bridges, is handled via ACLs (Access Control Lists) in the Permissions section of the Datacenter view.
The default root user has access to, you guessed it, all resources.

After creating new users, they have no permissions by default; you can grant them permissions via

Code:
Server View -> Datacenter -> Permissions -> Add

You can then apply a role, and the ruleset associated with that role, on a specific resource path.

It is a little bit tricky to find the right path in the permissions dropdown menu of the WebUI Add dialog, because it is not listed, but you can iterate them.

For permissions on specific network devices, that should be:

Code:
/sdn/zones/<zone_name>/<interface_name>/<vlanid>

# For the physical devices and os interfaces, managed via the panel under
# host -> System -> Network
# the <zone_name> should be localnet
# omitting the <interface_name> grants the permissions associated with the role on all interfaces in that zone.
# omitting the <vlanid> grants the permissions associated with the role on all VLANs at that interface

An appropriate default role with permissions to assign the interface to a VM should be PVESDNUser.

---
This description above is the "traditional" way.
Since PVE 8 the SDN Feature is available.
So you can go straight to your network zone in the host configuration dropdown
Code:
Server View -> Host -> localnetwork (or other zone, if you created one in the Datacenter configuration)
to assign permissions to groups or users on the specific network path.

---
A third way would be to use the cli with:
Code:
pveum acl modify <path> --roles <string> [OPTIONS]


Note:
if you have multiple users with the same work profile, it is highly recommended to use Group instead of User permissions.

This makes the user lifecycle management much smoother,
as new users inherit the same permissions as existing users,
and group membership can also be imported/synced from external authentication realms.

PVE supplies this really cool feature for sophisticated permission management.
Combined with resource pools, you can grant specific permissions on specific VM and storage resources to achieve client separation.


For further reading, check out https://pve.proxmox.com/wiki/User_Management

BR, Lucas
 
1. Is there a way to limit or filter out the bridges presented? In the example shown, I would like to prevent my users from being able to choose the bridges on the system which are not for VMs to use, as they are being used for SAN or management traffic.
Bridges are the "virtual switch" that a VM/CT needs to connect to a network. Simply do not create bridges for any internal network that no VM should have access to, just use the interface/bond/vlan at host level.
 
Is there a way to populate the comment field?
Of course. In the Proxmox GUI, go to the Node (left pane), Network (middle pane) & in the third pane select the appropriate Network Device / Linux Bridge etc. Then either press the Edit button above or double-click that entry, & enter text in the Comment field & press OK to save.

This can be very useful for many scenarios - including your own.

As far as your first question goes - definitely you should be controlling/limiting what others can do / see on your PVE system. You've already been given advice on how to do that & there is plenty more available, both here on the forum & in Proxmox Wiki/docs.

Good luck.
 
Bridges are the "virtual switch" that a VM/CT needs to connect to a network. Simply do not create bridges for any internal network that no VM should have access to, just use the interface/bond/vlan at host level.
Thanks for the input, I do appreciate it.

Unfortunately, this system is doing other things besides hosting VMs so bridges are required.
 
Of course. In the Proxmox GUI, go to the Node (left pane), Network (middle pane) & in the third pane select the appropriate Network Device / Linux Bridge etc. Then either press the Edit button above or double-click that entry, & enter text in the Comment field & press OK to save.

This can be very useful for many scenarios - including your own.

As far as your first question goes - definitely you should be controlling/limiting what others can do / see on your PVE system. You've already been given advice on how to do that & there is plenty more available, both here on the forum & in Proxmox Wiki/docs.

Good luck.
Thank you for the information. When trying to edit the comment field for one bridge (br_vlan11) and making no other change, I got this error:

The message is technically true: the system's default (0.0.0.0/0) route does live on the other bridge (br_vlan51), but I'm not sure what the default gateway has to do with it. I will keep plugging away on it...

EDIT:

I've found a solution to the issue that satisfies me. Posting it here in case it helps someone else out:

All of my network configuration I did outside of Proxmox PVE, configuring the interfaces in the /etc/network/interfaces file by hand (well, by Ansible really).

I've made the following changes:
  1. Moving the interfaces/bridges I want to hide from Proxmox PVE (and its users) to a new file in /etc/network/interfaces.d/non-proxmox-interfaces, then including it with a source line in the /etc/network/interfaces file.
  2. The "Comment" field in Proxmox PVE seems to be whatever comment line is immediately following the stanza defining the bridge in the interfaces file.

So my /etc/network/interfaces file now looks like this:
Code:
#-----------------------------------------------------------------------------
#  NOTE: Proxmox will try to manage network interfaces which appear in this file
#-----------------------------------------------------------------------------

auto lo
iface lo inet loopback

# Include the definitions of the interfaces that we don't want Proxmox
# to manage or present to users.
source /etc/network/interfaces.d/non-proxmox-interfaces

auto br_vlan21
iface br_vlan21 inet manual
    bridge-ports bond1.21
    bridge-stp off
    bridge-fd 0
# VLAN 21 - Data

auto br_vlan51
iface br_vlan51 inet manual
    address 10.88.51.231/24
    gateway 10.88.51.254
    bridge-ports bond1.51
    bridge-stp off
    bridge-fd 0
# VLAN 51 - Service Access

The not-for-guest-VM-use bridges are defined in the /etc/network/interfaces.d/non-proxmox-interfaces file.

Now the network dialog shows only the two bridges that I wanted the Proxmox users to be aware of, with useful comments taken from the file:

-Thanks
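Two observations in this thread can be turned into code: Lucas's ACL path scheme (a bridge is granted at /sdn/zones/localnetwork/<bridge> with the PVESDNUser role) and speck's finding that the GUI's Comment field is the "#" line immediately after a stanza in /etc/network/interfaces. The script below is an added example written for this page, not Proxmox code. It parses an interfaces file along those lines, lists each Linux bridge with its trailing comment, flags bridges that carry a host address, and emits the pveum commands that grant a group PVESDNUser on the bridges you name. Moving stanzas into a sourced file only changes what the dropdown lists; the ACL on the bridge path is what the permission system evaluates, so the script emits those commands regardless of where the stanza lives. Assumptions: the sample file is constructed (speck's posted file plus one extra host-only bridge, br_vlan11), the group name vm-admins is made up, the comment rule is speck's observation rather than PVE's documented parser behaviour, and the --groups option of pveum acl modify is taken from the pveum man page as I remember it.

```python
"""Parse /etc/network/interfaces as this thread describes PVE reading it, list the
Linux bridges with the comment line that follows each stanza, and emit the pveum
ACL commands that grant a group use of the guest-facing bridges.  Added example."""
import re
import shlex

# Constructed sample (not a real host): speck's posted file plus one extra
# host-only bridge, br_vlan11, left in the main file to show the classification.
SAMPLE_INTERFACES = """\
# NOTE: Proxmox will try to manage network interfaces which appear in this file

auto lo
iface lo inet loopback

# Definitions PVE should neither manage nor show to users live here.
source /etc/network/interfaces.d/non-proxmox-interfaces

auto br_vlan11
iface br_vlan11 inet static
    address 10.88.11.231/24
    bridge-ports bond1.11
    bridge-stp off
    bridge-fd 0
# VLAN 11 - SAN (host only)

auto br_vlan21
iface br_vlan21 inet manual
    bridge-ports bond1.21
    bridge-stp off
    bridge-fd 0
# VLAN 21 - Data

auto br_vlan51
iface br_vlan51 inet manual
    address 10.88.51.231/24
    gateway 10.88.51.254
    bridge-ports bond1.51
    bridge-stp off
    bridge-fd 0
# VLAN 51 - Service Access
"""

IFACE_RE = re.compile(r"^iface\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_interfaces(text):
    """Return (interfaces, sourced).  A stanza's 'comment' is the first '#' line
    directly after its options and before a blank line (speck's observation)."""
    interfaces, sourced, autos = {}, [], set()
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            current = None                      # blank line ends the stanza
            continue
        if stripped.startswith("#"):
            if current is not None and current["comment"] is None:
                current["comment"] = stripped.lstrip("#").strip()
            continue
        words = stripped.split()
        if words[0] == "auto":
            autos.update(words[1:]); current = None
            continue
        if words[0] == "source":
            sourced.extend(words[1:]); current = None   # recorded, not followed
            continue
        m = IFACE_RE.match(stripped)
        if m:
            name, family, method = m.groups()
            current = {"name": name, "family": family, "method": method,
                       "auto": False, "options": {}, "comment": None}
            interfaces[name] = current
            continue
        if current is not None and raw[:1] in (" ", "\t"):
            key, _, value = stripped.partition(" ")
            current["options"][key.replace("_", "-")] = value.strip()  # bridge_ports == bridge-ports
    for name in autos:
        if name in interfaces:
            interfaces[name]["auto"] = True
    return interfaces, sourced


def list_bridges(interfaces):
    """Bridges are stanzas with bridge-ports.  has_host_address is only a hint:
    speck's br_vlan51 carries the host address and is still meant for guests."""
    return [{"name": name,
             "ports": iface["options"]["bridge-ports"].split(),
             "comment": iface["comment"],
             "has_host_address": "address" in iface["options"] or "gateway" in iface["options"]}
            for name, iface in interfaces.items() if "bridge-ports" in iface["options"]]


def acl_commands(bridge_names, group, role="PVESDNUser", zone="localnetwork"):
    """One pveum call per guest bridge on the /sdn/zones/<zone>/<bridge> path from
    Lucas's post.  --groups is assumed from the pveum acl modify man page."""
    return ["pveum acl modify {} --groups {} --roles {}".format(
                shlex.quote(f"/sdn/zones/{zone}/{name}"), shlex.quote(group), shlex.quote(role))
            for name in bridge_names]


def report(text, group, guest_bridges):
    """Summary lines for a human, followed by the ACL commands to run."""
    interfaces, sourced = parse_interfaces(text)
    lines = [f"sourced (hidden from PVE): {', '.join(sourced) or 'none'}"]
    for br in list_bridges(interfaces):
        flag = "host-addressed" if br["has_host_address"] else "no host address"
        lines.append(f"{br['name']:10} ports={','.join(br['ports'])} [{flag}] comment={br['comment']!r}")
    return lines + acl_commands(guest_bridges, group)


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_INTERFACES, "vm-admins", ["br_vlan21", "br_vlan51"])))
```

Run it against a real file with `report(open("/etc/network/interfaces").read(), "your-group", [...])` and review the list before pasting the pveum lines into a root shell; the script deliberately prints the commands instead of executing them so that a bridge the heuristic misjudges (like br_vlan51 here) is caught by a human.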
Thanks for the input, I do appreciate it.

Unfortunately, this system is doing other things besides hosting VMs so bridges are required.
All of my network configuration I did outside of Proxmox PVE configuring the interfaces in the /etc/network/interfaces file by hand (well, by Ansible really).
Moving the interfaces/bridges I want to hide from Proxmox PVE (and its users) to a new file in /etc/network/interfaces.d/non-proxmox-interfaces, then including it with a source line in the /etc/network/interfaces file.
You've ended up with a non-standard PVE, configured in a "non-PVE way of doing things", with issues that wouldn't happen if you followed the manual/best practices (PVE ACL, permissions, too many bridges). Glad it works for you, but remember the way you did all this when asking for support ;)
I totally agree with VictorSTS's above post. I'll just add that the fact you are using Ansible to set this up appears to indicate it will be used in production. I would highly NOT recommend using a concocted PVE system in production.
 
I totally agree with VictorSTS's above post. I'll just add that the fact you are using Ansible to set this up appears to indicate it will be used in production. I would highly NOT recommend using a concocted PVE system in production.
I appreciate what you're saying, but I will push back a little bit on the suggestion that there is a One True Way to do things; I'm not sure how this can be given the wide range of hardware, filesystem (BTRFS/ZFS/EXT4), storage (NFS/CIFS/SAN), and networking topologies that are supported. How can any system be used without customization of any kind?

When using the GUI to make the changes to the networking devices, PVE shows the proposed changes it would make; if committed the changes would be applied to /etc/network/interfaces. This is how I learned where it stores and retrieves the "comment" field for each device.

With that being said, I'm all for following best practices and learning from others' mistakes before making them my own, especially while I'm still evaluating this system before putting it in production.

-Cheers,

speck