Fedora Core OS ignition - root@pam API tokens restricted from using qemu args

thecurseofrng

May 2, 2022
Greetings,

I'm running into an issue with the PVE API. I need to set the args field to feed an ignition file to Fedora CoreOS virtual machines, but can't when using an API token attached to the root@pam user, even with separation of privileges turned off. The API returns the following error: 500 Internal Server Error: only root can set 'args' config. Running the same code with the root@pam user and password authentication works.

I understand why args was limited to the root user as this field can be somewhat dangerous, but is the limitation to requests using password authentication a design choice, a technical limitation as Qemu.pm is unable to differentiate if a token uses separation of privileges, or an oversight when API tokens were introduced?

Incidentally, is there any plan for Ignition support in PVE at some point? Or something at a lower level like <sysinfo type='fwcfg'> in libvirt? Anything that could avoid using qemu arguments.
 
> I understand why args was limited to the root user as this field can be somewhat dangerous, but is the limitation to requests using password authentication a design choice, a technical limitation as Qemu.pm is unable to differentiate if a token uses separation of privileges, or an oversight when API tokens were introduced?

There is currently some effort being put into removing hardcoded 'root only' checks and replacing them with a 'superuser' privilege: https://lists.proxmox.com/pipermail/pve-devel/2022-April/052490.html
though this takes time to be implemented correctly.

> Incidentally, is there any plan for Ignition support in PVE at some point? Or something at a lower level like <sysinfo type='fwcfg'> in libvirt? Anything that could avoid using qemu arguments.

Not really, but I can imagine providing fwcfg values could be useful. Would you mind opening a feature request for this here: https://bugzilla.proxmox.com
 
Sorry to necro this, but is there any recent update? For some reason my Proxmox throws a 401 when trying to authenticate with username and password, so I'm relying on using an auth token. Since I intend to use Ansible to create Ubuntu VMs using Ubuntu's own autoinstall system, I need the token to be able to access KVM arguments.