EDIT: Please ignore this and see my next post.
AFAICT, there is currently no simple way to achieve such a separation. To allow a user to allocate a VM (with a specific ID), you have to add it to the pool first using
Then users with the right permissions on the pool can allocate VMs with those IDs and they will be invisible to users of the other pool.
Sadly, it is that hard.
Then you have given global permissions. You need to give specific permissions to the specific pool for a group or a user. There is even an example in documentation how to make a group become PVEAdmin of a pool.
pveum aclmod /pool/dev-pool/ -group developers -role PVEAdmin
It can't be that hard!
Yup, I've already read the documentation, but it doesn't specify any way of isolating users from each other without disabling their permission to create VMs. Most specifically VM.Allocate. When I allow this, will it allow it by default to see/manage all the VMs?
AFAICT, there is currently no simple way to achieve such a separation. To allow a user to allocate a VM (with a specific ID), you have to add it to the pool first using
Code:
pvesh set pools/<POOLNAME1> -vms 1000,1001,1002,1003
pvesh set pools/<POOLNAME2> -vms 2000,2001,2002,2003
Another pitfall is: when a VM is deleted, the ID is not "bound" to the pool anymore.
So maybe you can achieve what you want to do, using a script that monitors the file /etc/pve/user.cfg and re-adds VM IDs in a specific range whenever they go missing. But please don't modify the file directly and use the appropriate pvesh set pools/<POOLNAME> -vms <ID,ID,...> command instead.
In a future version PVE might support using fixed VM ranges for pools or users. If you like, you can create a feature request on the bugzilla, so we can keep track of the issue more easily.
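An added example (not code from this thread or from Proxmox) of the monitoring script suggested above: it reads the pool entries in /etc/pve/user.cfg, works out which IDs of a fixed range are no longer bound to the pool, and re-adds them with pvesh set pools/<POOLNAME> -vms without writing to the file. The pool-line layout of user.cfg, the function names and the 30-second polling interval are assumptions.

```shell
#!/bin/sh
# Assumption: a pool entry in /etc/pve/user.cfg has the form
#   pool:<name>:<comment>:<vmid,vmid,...>:<storage,...>:
PVESH=${PVESH:-pvesh}        # PVESH=echo gives a dry run
INTERVAL=${INTERVAL:-30}     # seconds between checks (hypothetical default)

# Print, comma-separated, the IDs in [$3,$4] that pool $2 in file $1 lacks.
missing_ids() {
    awk -F: -v p="$2" -v lo="$3" -v hi="$4" '
        $1 == "pool" && $2 == p {
            n = split($4, ids, ",")
            for (i = 1; i <= n; i++) have[ids[i]] = 1
        }
        END {
            for (id = lo + 0; id <= hi + 0; id++)
                if (!(id in have)) out = out (out == "" ? "" : ",") id
            print out
        }' "$1"
}

# Re-add the missing IDs through pvesh; the file itself is only read.
rebind_pool() {
    cfg=$1 pool=$2 lo=$3 hi=$4
    # Reject anything that is not a plain pool name or a decimal VMID.
    case $pool in ''|*[!A-Za-z0-9._-]*) echo "bad pool name" >&2; return 2 ;; esac
    for n in "$lo" "$hi"; do
        case $n in ''|*[!0-9]*) echo "bad VMID: $n" >&2; return 2 ;; esac
    done
    ids=$(missing_ids "$cfg" "$pool" "$lo" "$hi") || return 1
    if [ -n "$ids" ]; then
        $PVESH set "pools/$pool" -vms "$ids"
    fi
}

# Poll the file and rebind whenever its checksum changes.
watch_pool() {
    last=
    while :; do
        sum=$(cksum < "$1")
        [ "$sum" = "$last" ] || rebind_pool "$@" || echo "rebind failed" >&2
        last=$sum
        sleep "$INTERVAL"
    done
}

# Dry run on a constructed sample instead of the live file:
#   printf 'pool:dev-pool::1000,1002::\n' > /tmp/user.cfg.sample
#   PVESH=echo; rebind_pool /tmp/user.cfg.sample dev-pool 1000 1003
```

On a node this would be started as watch_pool /etc/pve/user.cfg <POOLNAME> <first ID> <last ID>, one instance per pool, with non-overlapping ranges.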