Normal users can't create containers

Jimin Hsieh

New Member
Apr 16, 2018
2
0
1
40
Hi,

After I updated with `apt update`, I meet an issue that normal users can't create containers. However, root user can create containers. When normal users create containers, web will return
Code:
Can't call method "map_method_by_name" on an undefined value at /usr/share/perl5/PVE/RESTHandler.pm line 263. (500)
. BTW, normal users can create KVM without problem. Thanks!
 
what is your 'pveversion -v' ?
 
Thanks for your replying!
Here is my `pveversion -v`.
Code:
proxmox-ve: 5.1-42 (running kernel: 4.13.16-2-pve)
pve-manager: 5.1-49 (running version: 5.1-49/1e427a54)
pve-kernel-4.13: 5.1-44
pve-kernel-4.13.16-2-pve: 4.13.16-47
pve-kernel-4.13.13-6-pve: 4.13.13-42
pve-kernel-4.13.13-5-pve: 4.13.13-38
corosync: 2.4.2-pve3
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: not correctly installed
libjs-extjs: 6.0.1-2
libpve-access-control: 5.0-8
libpve-apiclient-perl: 2.0-4
libpve-common-perl: 5.0-30
libpve-guest-common-perl: 2.0-14
libpve-http-server-perl: 2.0-8
libpve-storage-perl: 5.0-18
libqb0: 1.0.1-1
lvm2: 2.02.168-pve6
lxc-pve: 3.0.0-2
lxcfs: 3.0.0-1
novnc-pve: 0.6-4
proxmox-widget-toolkit: 1.0-14
pve-cluster: 5.0-24
pve-container: 2.0-21
pve-docs: 5.1-17
pve-firewall: 3.0-7
pve-firmware: 2.0-4
pve-ha-manager: 2.0-5
pve-i18n: 1.0-4
pve-libspice-server1: 0.12.8-3
pve-qemu-kvm: 2.11.1-5
pve-xtermjs: 1.0-2
qemu-server: 5.0-24
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3

BTW, I have a temporary solution to let normal users creating LXC. I added `PVEVMAdmin` to each user with the permission of path `/`.
 
how does your /etc/pve/user.cfg look like? and which roles/rights has a user which returns such an error?
 
I got the same issue with the very latest proxmox 5 (updated today)

Can't call method "map_method_by_name" on an undefined value at /usr/share/perl5
PVE/RESTHandler.pm line 299. (500)

I am using some python code to create users, pools, acls and groups. users get the role PVEAdmin and PVEDatastoreUser

s = ''
s = s + 'pvesh create /pools -poolid %s -comment "%s"\n' % (g,d.strip())
s = s + 'pveum groupadd %s -comment "%s"\n' % (g,d.strip())
s = s + 'pveum aclmod /pool/%s/ -group %s -role PVEAdmin\n' % (g,g)
s = s + 'pveum aclmod /storage/proxZFS/ -group %s -role PVEDatastoreUser\n' % g
s = s + 'pveum aclmod /storage/proxnfs/ -group %s -role PVEDatastoreUser\n' % g
print(s)
ret = run_script(s, output=True)

s = 'pveum useradd %s@DOMAIN.ORG -groups %s' % (uid, jsearchone(j,"uid",uid,"pi_dept"))
ret = run_script(s, output=True)


What am I missing ?
 
It ‘s the final step when creating a new container through the web ui
 
I'm having the same problem using pve 5.2 Downloaded yesterday. and the same work around but that seems to give users access to other vms. When I restrict the user's/ groups to their individual Pools.

In regards to roles for user or group.

if they don't have PVEVMAdmin at / they receive the error in the same spot as mentioned above.

i've added the PVEVM Admin in everyother spot exept / and it doesn't work till they have it at /.
I even added all my storage locations to my pool.


Code:
pveversion -v
proxmox-ve: 5.2-2 (running kernel: 4.15.17-1-pve)
pve-manager: 5.2-1 (running version: 5.2-1/0fcd7879)
pve-kernel-4.15: 5.2-1
pve-kernel-4.15.17-1-pve: 4.15.17-9
corosync: 2.4.2-pve5
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.0-8
libpve-apiclient-perl: 2.0-4
libpve-common-perl: 5.0-31
libpve-guest-common-perl: 2.0-16
libpve-http-server-perl: 2.0-8
libpve-storage-perl: 5.0-23
libqb0: 1.0.1-1
lvm2: 2.02.168-pve6
lxc-pve: 3.0.0-3
lxcfs: 3.0.0-1
novnc-pve: 0.6-4
openvswitch-switch: 2.6.2~pre+git20161223-3
proxmox-widget-toolkit: 1.0-18
pve-cluster: 5.0-27
pve-container: 2.0-23
pve-docs: 5.2-3
pve-firewall: 3.0-8
pve-firmware: 2.0-4
pve-ha-manager: 2.0-5
pve-i18n: 1.0-5
pve-libspice-server1: 0.12.8-3
pve-qemu-kvm: 2.11.1-5
pve-xtermjs: 1.0-5
qemu-server: 5.0-26
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.8-pve1~bpo9


Code:
root@pve2:~# cat  /etc/pve/user.cfg
user:jay@pve:1:0:Jason:Williamson::::
user:root@pam:1:0:::robert@theitmethod.com:::
user:blindrain@pve:1:0:Robert:Whitacre:robert@theitmethod.com:::

group:Jay:jay@pve::
group:Admin:blindrain@pve::

pool:Jay:Jason's Servers:106:local-lvm,local:


acl:1:/:@Admin:Administrator,PVEAdmin,PVESysAdmin:
acl:1:/:@Jay:PVEDatastoreAdmin:
acl:1:/pool/Jay:@Jay:PVEAdmin,PVEDatastoreAdmin,PVEDatastoreUser,PVETemplateUser,PVEVMAdmin,PVEVMUser:
acl:1:/storage/local:@Jay:PVEDatastoreAdmin,PVEDatastoreUser,PVETemplateUser,PVEVMAdmin:
acl:1:/storage/local-lvm:@Jay:PVEDatastoreAdmin,PVEDatastoreUser,PVETemplateUser,PVEVMAdmin:
 
Last edited:
to create a vm, the user has to have the VM.Allocate privilege on the path /vms/ID
this can be set via
right directly on /vms/ID
right on /pool/POOLNAME when the pool has the vmid already in it
right on / or /vms with 'propagate' enabled
 
to create a vm, the user has to have the VM.Allocate privilege on the path /vms/ID
this can be set via
right directly on /vms/ID
right on /pool/POOLNAME when the pool has the vmid already in it
right on / or /vms with 'propagate' enabled
Maybe i getting all wrong but, by doing this, users can see all VMs available, and option 2 defeat the purpose of users and pools, since depends of the almighty sysadmin to create the vm in the first place.
 
Maybe i getting all wrong but, by doing this, users can see all VMs available, and option 2 defeat the purpose of users and pools, since depends of the almighty sysadmin to create the vm in the first place.
if you give them rights on /vms yes they can see all vms
if you just give them rights on /vmx/YYY then they can see only that (the vms do not have to exists to give permissions on those paths)

and the point of pools is simply a collection of permission paths
a 'resource pool' where users can take and allocate resources until the limits of those pools is not yet implemented
 
if you give them rights on /vms yes they can see all vms
if you just give them rights on /vmx/YYY then they can see only that (the vms do not have to exists to give permissions on those paths)

and the point of pools is simply a collection of permission paths
a 'resource pool' where users can take and allocate resources until the limits of those pools is not yet implemented

If you want to allocate vmid between 400 and 499 for example, you have to declare each vmid separately with PVEVMADMIN rights. There is no wildcard option available like /vms/4xx of /vms/400-450 ? When a user create vmid 400 and removes it, the user can not re-use vmid 400 and you must allocate vmid 400 again?
 
If you want to allocate vmid between 400 and 499 for example, you have to declare each vmid separately with PVEVMADMIN rights. There is no wildcard option available like /vms/4xx of /vms/400-450 ?
there's no wildcard option for that, but it should be pretty easy to write a bash script which uses pveum to give permission on a range of paths
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!