Nested pools

jfguillaume

New Member
May 30, 2023
Hello,

This is going to be a mix of two problems that are sort of linked.

We use pools to both provide an easy way to manage access and to sort our virtual machines.

Let's say we have the following tree:
Code:
INFRA
  |- DNS
  |- LDAP
  |    |- PROD
  |    |- PREPROD
  |    |- TEST
And the groups "General Admins", "Ldaps Admins", "Ldaps Prod Admins", "Ldaps Prod Admins", "DNS Admins", etc.
We would like, for example, the group "Ldaps Admins" to have access to pool LDAP and its children (actual and those that might be added afterwards), "Ldaps Prod Admins" to have access only to the pool PROD (and pools added as its children afterwards) inside LDAP, and so on.

Right now, the resource pool tree is a flat tree, which can get quite awkward to navigate and requires adding permissions on each node.

Is there a way to have nested resource pools in PVE?

Secondly, is there a way to organize virtual machines in folders / a tree just for visual purposes?

Cheers,
Jeff
 
> Is there a way to have nested resource pools in PVE?
>
> Secondly, is there a way to organize virtual machines in folders / a tree just for visual purposes?

That is currently a no for both questions.

If you are using a somewhat recent version, you should be able to assign tags to guests though. With tags and/or a naming scheme and the search (very top of the GUI or Summary panels) you should get a quick view of the guests belonging to a "group".

Don't forget that you can enable additional columns in the Summary panels. Hover over a column heading and a small arrow-down button should show up that gives you access to enable/disable columns.

A guest can only be part of one resource pool. So you will end up with quite a few resource pools, depending on how fine-grained you need your permissions to be.

If the initial assignment of permissions for groups to the resource pools is that much work, consider scripting it. The pveum man page should give you some idea on what you can do. The file /etc/pve/user.cfg contains the user, group and permission settings.
 
Hello,

Thank you for your fast reply.

> That is currently a no for both questions.

Is this a hard no or is this in your roadmap?

> If you are using a somewhat recent version, you should be able to assign tags to guests though. With tags and/or a naming scheme and the search (very top of the GUI or Summary panels) you should get a quick view of the guests belonging to a "group".
>
> Don't forget that you can enable additional columns in the Summary panels. Hover over a column heading and a small arrow-down button should show up that gives you access to enable/disable columns.

That's kind of how we do it, I was wondering if there was another way.

> A guest can only be part of one resource pool. So you will end up with quite a few resource pools, depending on how fine-grained you need your permissions to be.

Yep, that's currently our issue.

> If the initial assignment of permissions for groups to the resource pools is that much work, consider scripting it. The pveum man page should give you some idea on what you can do. The file /etc/pve/user.cfg contains the user, group and permission settings.

We will try to see how we can script our way out of this.

Thanks again for your time.

Cheers,
Jeff
 
@aaron I see the feature request was marked as "fixed in pve-manager >= 8.1.0". Is there any documentation on this feature yet?
 
> @aaron I see the feature request was marked as "fixed in pve-manager >= 8.1.0". Is there any documentation on this feature yet?

Maybe this helps already?:
Access control
Support nested pools up to a nesting depth of 3 levels for greater flexibility in structuring VMs and containers (issue 1148).
Pool names can now contain at most two slashes (allowing to structure them as parent/child/grandchild).
Permissions are inherited along the path according to the usual inheritance rules.
https://pve.proxmox.com/wiki/Roadmap#Proxmox_VE_8.1
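
An added example (not code from this thread or from Proxmox) that combines the scripting suggestion earlier in the thread with the 8.1 nested pools quoted above: it prints the `pveum` commands for the original poster's tree, with one ACL entry per subtree root, and shows which entries reach a given pool through inheritance. The group IDs, the pool layout and the `PVEVMAdmin` role choice are constructed samples, and it assumes `pveum pool add` accepts the slash-separated IDs on pve-manager 8.1 or later.

```shell
#!/bin/sh
# Added example: dry-run planner for nested pools (pve-manager >= 8.1).
# Pool IDs, group IDs and the role are constructed samples, not from the thread.

# Parents are listed before children so a parent exists when its child is created.
POOLS='INFRA INFRA/DNS INFRA/LDAP INFRA/LDAP/PROD INFRA/LDAP/PREPROD INFRA/LDAP/TEST'

# One grant per subtree root, written "group:pool:role"; child pools inherit it.
GRANTS='general-admins:INFRA:PVEVMAdmin
dns-admins:INFRA/DNS:PVEVMAdmin
ldap-admins:INFRA/LDAP:PVEVMAdmin
ldap-prod-admins:INFRA/LDAP/PROD:PVEVMAdmin'

# Accept at most two slashes (parent/child/grandchild) and no empty component.
valid_pool_id() {
    case $1 in
        ''|/*|*/|*//*|*/*/*/*) return 1 ;;
    esac
    return 0
}

# Print the pveum commands instead of running them, so the plan can be reviewed.
plan() {
    for p_pool in $POOLS; do
        valid_pool_id "$p_pool" || { echo "invalid pool id: $p_pool" >&2; return 1; }
        echo "pveum pool add $p_pool"
    done
    for p_grant in $GRANTS; do
        p_group=${p_grant%%:*}; p_rest=${p_grant#*:}
        echo "pveum acl modify /pool/${p_rest%%:*} --groups $p_group --roles ${p_rest#*:}"
    done
}

# List the planned ACL entries for group $1 that reach pool $2: an entry covers
# its own pool and every pool below it, including pools created later.
grants_reaching() {
    for g_grant in $GRANTS; do
        g_rest=${g_grant#*:}; g_pool=${g_rest%%:*}
        [ "${g_grant%%:*}" = "$1" ] || continue
        case $2 in
            "$g_pool"|"$g_pool"/*) echo "$g_pool" ;;
        esac
    done
}

plan
```

Review the printed commands before running them on a node; `grants_reaching ldap-admins INFRA/LDAP/STAGING` shows that a pool added later under LDAP needs no new ACL entry.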
 
Hi there

I am on v.8.2.7.

Maybe I am misunderstanding something. But if I have a pool, let's say "Pool1", and I would like to create a pool below this Pool1, I would create a new pool "Pool1/SubPool1", which is working.
However, in the tree view, there won't be a "Subpool1" below "Pool1", but there will be a "Pool1/SubPool1" along with "Pool1" on the top level below "Resource Pool".

So am I misunderstanding how nested pools are supposed to work, or is there something not working as expected?

Thanks.
 
> Hi there
>
> I am on v.8.2.7.
>
> Maybe I am misunderstanding something. But if I have a pool, let's say "Pool1", and I would like to create a pool below this Pool1, I would create a new pool "Pool1/SubPool1", which is working.
> However, in the tree view, there won't be a "Subpool1" below "Pool1", but there will be a "Pool1/SubPool1" along with "Pool1" on the top level below "Resource Pool".
>
> So am I misunderstanding how nested pools are supposed to work, or is there something not working as expected?
>
> Thanks.

I would love an update on this, if anyone has figured this out.

EDIT:
It seems that permissions are in fact inherited from the parent pool, but visually they just appear on the same level. I really wish that visually they would be displayed underneath the parent pool, as it would visually help with organization a lot.
 
> It seems that permissions are in fact inherited from the parent pool, but visually they just appear on the same level. I really wish that visually they would be displayed underneath the parent pool, as it would visually help with organization a lot.

In another thread it was mentioned that they work on it.
 
Yeah, sprucing up the pool view to show each level as a separate tree node, kinda like a folder, is planned.

There are two reasons this is not completely trivial:
For one, the UI component for the resource tree already has a non-trivial amount of complexity, some legitimate (optimizations, a few use cases under a single component) and some grown historically. So the implementation there is doable but might need a bit of preparation work, and it's kinda one of the central UI components in PVE, so not something we want to just rush.
The second one is the need to extend the API that backs the resource API to better include the membership of pools and sub-pools.

Don't get me wrong, that can all be done, it just needs a bit of time. But I hope we get around to it soonish, it's something that IMO would really provide a nicer UX and especially complement the new Tag View of the resource tree well. As once implemented, one would have both flat categorization (tags) to easily find things and a hierarchical categorization (pools) to organize guests and who can access them.
 
Has there been any traction with updating the API to support nested pools/sub pools? I also recently discovered that the presence of nested pools breaks integration with 3rd party backup tools. I'm assuming because it no longer reports the inventory correctly due to the lack of correct APIs. Having top level/parent resource pools works fine, it's only the nested pools that are an issue.

Thanks!
 
