API List VMs

M

mvtab

New Member
Jul 11, 2024
10
0
1
Hello,

I am having some surprisingly difficult time trying to find an endpoint in the API where I can simply list the running VMs and their configurations.
I noticed that even in proxmoxer, and in it's related ansible module, it is not possible to get the configurations of a VM.

So far I considered:
- nodes/<node>/qemu/<vmid>/config: VMs can run anywhere, and they can change host more times in a minute. This is useless, because I can't nicely automate it.
- pvesh: I need to access the data from outside the Nodes. This is useless without a lot of workarounds.
- if cluster/resources from the API would behave exactly like the pvesh cluster/resources that would be nice. It does not.​

Any other ideas? Kinda makes me wonder how does the graphical interface even get it's data.


Kind regards,
mvtab
 
mvtab said:
- if cluster/resources from the API would behave exactly like the pvesh cluster/resources that would be nice. It does not.
Click to expand...
how so? If there are discrepancies, we need to look into why.

The way the web UI handles it is to regularly fetch the cluster/resources to know on which node the guests are located at. With that info, it is then possible to send the guest specific requests to the correct nodes.
 
mvtab said:
- nodes/<node>/qemu/<vmid>/config: VMs can run anywhere, and they can change host more times in a minute. This is useless, because I can't nicely automate it.
Click to expand...
Yes, I also wonder about this. An atomic operation yielding this information consistently would be much appreciated. The hypervisors should in general be abstracted and only the VMs should be visible and queriable.
 
aaron said:
how so? If there are discrepancies, we need to look into why.
Click to expand...
When I do a request on /api2/json/cluster/resources I only get a list of the nodes. I tried also -d '{"type": "vm"}' and all variations thereof but it doesn't really change anything. (I get '{"data": []}')
When I run a pvesh get cluster/resources -o json I get a full list of all VMs (if I add --type vm) and their hardware. (Exactly what I need)

At first I thought maybe it's because of permissions, but I even changed my API token permissions to full blown root Administrator and I still get the same results.

If I could get a list of the VMs somewhere I could work with that, because once I know the node and VM ID it's easy, but if I for example do a request on /api2/json/nodes/<node>/qemu I get also '{"data": []}'.
 
Last edited:
Since it is a GET request, the parameter, when using CURL, can be added as ?type=vm
since you don't see the guests without any type parameter, please check that the user/API token you use to authenticate has at least "Audit" privileges on the /vm/ ACL path.
 
aaron said:
Since it is a GET request, the parameter, when using CURL, can be added as ?type=vm
since you don't see the guests without any type parameter, please check that the user/API token you use to authenticate has at least "Audit" privileges on the /vm/ ACL path.
Click to expand...
I tried all variations thereof. -X POST -X PATCH ?type=vm, nothing works, empty data.
The token has no privilege separation and I gave it full Administrator privileges on / (tried first with suggested ones from documentation)

But let me get this right. This is not how the endpoint should act? Should I actually receive there the exact same results from pvesh?
 
GET parameter are added at the end of the URL.

https://proxmox-ve-host:8006/api2/json/cluster/resources?type=vm

mvtab said:
Should I actually receive there the exact same results from pvesh?
Click to expand...
Yes, if you run pvesh with the --output-format json option, the resulting output should be the same, except maybe some ordering. If you don't, it might be due to missing permissions. If you run pvesh, you most likely do it as the root user. When you interact with the API from another system, it is most likely as a different user or API-token which could be missing the necessary permissions.
 
So, apparently I misunderstood the privilege separation.

I had unticked the box, and gave full permissions to the API Token. However, those were ignored, and the user permissions were used. (None)
Gave the right permissions to the user instead of the token and it worked.
I wanted to have permissions set only at token level, i.e. user should have by default no permissions, but the token yes. Apparently this is not possible, only the other way around.

Thank you for the assistance.
 
Last edited:
Keep in mind, even if you use privilege separation, the token can never have more privileges than the user it is associated with.
 
  • Like
Reactions: mvtab
Just a quick note still, the API documentation is a little incomplete:

Here it is said the required permissions for the endpoint are none (all authenticated users). This is kind of correct, as you can get a node list without any permissions, but incomplete, because you can't see any other resources without Audit permissions on /vm (as explained to me by @aaron)

Thank you again and kind regards.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back