VM and PVE shutdown management

amedeo.caparco

New Member
May 30, 2023
5
0
1
Good evening, I have been using Proxmox VE for several years with good results. Specifically I have version 6.6.3 and I usually manage everything with the root user. In this case I need to create a new user who has the ability to turn on/off the VMs and the same thing for the PVE node. Using the GUI, I then created the user in the datacenter (Linux PAM authentication server user), created a specific role and did some tests. I noticed that I can manage the power supply of the VMs by assigning the necessary privileges, but the same thing I can't do for the PVE. I also assigned all existing privileges to the role, but again the PVE shutdown keys are disabled. Is it possible that the PVE, from the GUI, can only be turned off with the root user? If anyone can give me some information I would be grateful. Thank you
 
Does the new user have the "Sys.Powermgt" permissions in one of their assigned roles?
 
Hi, specifically I assigned these privileges: Sys.Audit, Sys.PowerMgmt, VM.PowerMgmt, VM.Audit
Absurdly, I assigned all the permissions to the role and in any case the non-root user cannot turn off the PVE, the "shutdown" button is always disabled
 
Last edited:
Sys.Audit and Sys.PowerMgmt were the permissions I had to assign to my test user. Whenever you change any permissions for a user, or roles, do a full reload of the browser session in which you test it (Ctrl+R).
 
Even using the foresight reported I still have the same problem. To test I did the same procedure on another installation of Proxmox Ve this time even more recent or 7.3.3 but the problem is the same. I can handle shutting down the VMs but not the PVE, the key remains disabled in the GUI.

It seems that any permissions I apply to the role only work for VMs. But I don't understand one thing: I go to the vm, permission, add test user with test role. It works and if I go to users, permission I see what is attached. If, on the other hand, I don't insert the user in the permissions of any VM, it is as if it didn't apply to the PVE. But do I have to do something specific to assign the user to the PVE?
 

Attachments

  • Cattura.PNG
    Cattura.PNG
    35.8 KB · Views: 13
Last edited:
Well, those permissions need to be set for either /nodes or /nodes/{node you want to control} :)

The former with "Propagate" enabled.
 
Last edited:
but can you confirm that this operation can only be done from text and not from the GUI right? Unless I'm talking nonsense from the GUI, under the PVE, there is no permission section
 
AFAIU, you want the user to be able to power down not just VMs (VM.PowerMgmt) but also to power down the physical node (server) itself, right? Then it will need the Sys.Audit and Sys.PowerMgmt permission set for the permission path that includes the node itself.

When assigning the Sys.Audit & Sys.PowerMgmt to /vms/XYZ, they won't do anything, as the Sys.X permissions don't apply to a guest.

With that set, the user should be able to click on the "Shutdown" button for the node.
If the user should be able to handle the power mgmt for a guest, you need to assign the right permissions (VM.Audit, VM.PowerMgmt) at a permission path that includes the guests (/vms).
If you assign everything to the / with the "Propagate" option enabled, the permissions will be propagated down the permission tree.

Specifically I have version 6.6.3
I assume 6.4 since there is no Proxmox VE 6.6? It is possible that it won't work as expected if that was a bug back then. I am testing this against a current Proxmox VE 7.4.

Please, do upgrade as Proxmox VE 6 is EOL since quite a while and Proxmox VE 8 is on the horizon within the next months. We do have upgrade guides that should get you through the procedure nicely.
 
Yes my mistake, the version is 6.3.3. However I finally managed to figure out where to assign the authorization for the PVE, I had it before my eyes and I didn't understand! Thank you so much anyway for all the tips that made me focus on the right spot! Thank you
 
AFAIU, you want the user to be able to power down not just VMs (VM.PowerMgmt) but also to power down the physical node (server) itself, right? Then it will need the Sys.Audit and Sys.PowerMgmt permission set for the permission path that includes the node itself.
I don't understand the .. permissions path including the node itself... Was it just to set :
pveum aclmod / -group UserGroupAllowedToPowerOff -role Sys.PowerMgmt
and that give the user into the group the power on/off of the system. And doing a power off, mean a normal shutdown of all vm and then shutdown of the pve ?
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!