Cannot execute PVE 9 "root-only" commands in QEMU monitor even with "root@pam" token

lpulley

Dec 3, 2020
According to the PVE 9.0 changelog in the Roadmap:
Commands besides basic informational commands require the Sys.Modify privilege, and some commands are restricted to the root user.
This seemed sensible to me, but it seems that a root@pam token (even with Privilege Separation disabled) does not count as "the root user" here.

I have an application that POSTs (using a root@pam token) qom-set commands to /nodes/{node}/qemu/{vmid}/monitor (to update the requested-size of some virtio-mem QEMU devices). This worked great in PVE 8.4 but seems to be completely impossible in PVE 9.0. Is there any way to invoke qom-set through the PVE HTTP API in PVE 9.0? Am I missing something?
 
Hi,

Looks like some monitor commands are too powerful to expose via API tokens, and this was intentional security hardening.
But you can use supported API calls instead of qom-set; many device changes (CPU, memory, disk, network) now have official API endpoints.
For example, virtio-mem resizing may be achievable with
Code:
qm set <vmid> --memory <size>
 
For example, virtio-mem resizing may be achievable with
qm set <vmid> --memory <size>
Thanks for the suggestion, but unfortunately, this isn't the same thing. virtio-mem is not officially supported in PVE yet: https://bugzilla.proxmox.com/show_bug.cgi?id=2949

Instead, I've added virtio-mem devices to my VMs with custom args via qm set <vmid> args "-object memory-backend-memfd,<...> -device virtio-mem-pci,<...>", and as far as I can tell, qom-set is the only mechanism in PVE that can update the requested-size of the device.

Shouldn't there be some way to give a root@pam token the same powers as the root@pam user?
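To make concrete what the application in the first post does (a token-authenticated POST of a qom-set command to /nodes/{node}/qemu/{vmid}/monitor) and what the later post means by qom-set being the only mechanism to change requested-size, here is an added example client. It is not the poster's application or Proxmox code; the host, token id and secret are constructed placeholders, the device id vm0 is hypothetical, and the only Proxmox-specific facts it relies on are the documented token header form (PVEAPIToken=USER@REALM!TOKENID=SECRET) and the monitor endpoint's form-encoded command parameter. The point of the classify_response step is that a privilege refusal (HTTP 403, which is what PVE returns for a failed permission check) is surfaced to the operator as a distinct outcome rather than being mistaken for a successful no-op resize.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed placeholders (not real values): the deployment supplies host, token id and secret.
PVE_HOST = "pve.example.invalid"
TOKEN_ID = "root@pam!virtiomem"  # hypothetical token name belonging to the root@pam user
TOKEN_SECRET = "00000000-0000-0000-0000-000000000000"  # placeholder secret


def qom_set_requested_size(device_id, size_bytes):
    """Return the HMP 'qom-set' line that changes a virtio-mem device's requested-size.

    Devices created with an explicit id= (e.g. -device virtio-mem-pci,id=vm0,...)
    appear under /machine/peripheral/<id> in the QOM tree. The size is given in bytes.
    """
    if size_bytes < 0:
        raise ValueError("requested-size must be non-negative")
    return f"qom-set /machine/peripheral/{device_id} requested-size {int(size_bytes)}"


def build_monitor_request(node, vmid, command, host=PVE_HOST,
                          token_id=TOKEN_ID, secret=TOKEN_SECRET):
    """Build the POST to /nodes/{node}/qemu/{vmid}/monitor, authenticated with an API token.

    API tokens are sent as 'Authorization: PVEAPIToken=<user>@<realm>!<tokenid>=<secret>';
    the monitor endpoint takes the monitor command in a form-encoded 'command' parameter.
    """
    url = f"https://{host}:8006/api2/json/nodes/{node}/qemu/{int(vmid)}/monitor"
    body = urllib.parse.urlencode({"command": command}).encode()
    headers = {"Authorization": f"PVEAPIToken={token_id}={secret}"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def classify_response(status, body_text):
    """Map an HTTP status plus JSON body from the monitor endpoint to an outcome tuple.

    - 200: the command ran; 'data' holds the monitor's text output (empty for qom-set).
    - 403: the token failed the permission check (Sys.Modify, or a root-only command
      under the PVE 9 rules); the JSON 'message' says so.
    - anything else: transport or request error.
    """
    try:
        payload = json.loads(body_text) if body_text else {}
    except json.JSONDecodeError:
        payload = {}
    if status == 200:
        return ("ok", payload.get("data") or "")
    if status == 403:
        return ("denied", payload.get("message") or "permission check failed")
    return ("error", payload.get("message") or f"HTTP {status}")


def send_resize(node, vmid, device_id, size_bytes, opener=urllib.request.urlopen):
    """Send the resize and return (outcome, detail). Pass a fake opener for offline tests."""
    req = build_monitor_request(node, vmid, qom_set_requested_size(device_id, size_bytes))
    try:
        with opener(req) as resp:
            return classify_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        # urlopen raises on 4xx/5xx; the error object still carries the JSON body.
        return classify_response(e.code, e.read().decode())


if __name__ == "__main__":
    # Offline demonstration: show the request that would be sent, without sending it.
    req = build_monitor_request("pve1", 100, qom_set_requested_size("vm0", 2 * 1024 ** 3))
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

A client written this way logs "denied" with the server's message when the token is refused, which is the behaviour the first post observed after upgrading; the resolution of whether a root@pam token can be granted the root-only commands is a PVE-side question that the thread leaves open.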