Aug 13, 2021
we have an enviroment with about 300 pupils in an education enviroment. Every pupil have a own ressource pool with Administrator permission. Every pupil is member of a group. The group have PVEDatastoreUser on every /storage/<STORAGE>. The group have also PVEVMAdmin permission on the Template that i want to clone and also sys.console permission. When a pupil connect to the proxmox enviroment they can see the template. When they right click on the template and select clone and want to create a full clone then the pupils get the message Permission check failed (/, Sys.Console) (403). I had tried a lot. When i got it running the pubils see about 800 LXC/VMs from all other. (e.g. Permission on / PVEVMAdmin). The Websearch wasn't successfully, only one hit in 2013. Have any one an idea what i can do? I don't have any idea ? Every user can create VMs and LCXs but no clones. I don't unserstand what is wrong?

OK, write down the problem is the solutuion. :) I had create a new role with the sys.console privileg. Then i add the new role to the goup with path / and it works :)
giving out Sys.Console permission might be a bit much. Probably there's an option in your template configuration that needs this privilege. On a hunch, is it using cdrom volume for the physical CD ROM drive? Otherwise, feel free to share the template configuration.
Thanks very much. You are right. This machine have a cd-rom. Here is the configuration:

boot: order=scsi0;ide2;net0
cores: 2
ide2: cdrom,media=cdrom
memory: 2048
meta: creation-qemu=6.1.1,ctime=1651585245
name: WebDocker
net0: virtio=2A:2F:A3:5C:C1:03,bridge=vmbr20,firewall=1
numa: 0
ostype: l26
scsi0: SSD-School:vm-136-disk-0,size=32G
scsihw: virtio-scsi-pci
smbios1: uuid=06fb7a4b-6d47-463a-8ee7-70f92977ea2c
sockets: 1
template: 1
vmgenid: d52fd246-049e-4140-9700-fae035754d92

I have to create in the next time some other templates for training porpose. All informations about the permissions will be very helpfull.

