Normal users can't create containers

J

Jimin Hsieh

New Member
Apr 16, 2018
2
0
1
39
Hi,

After I updated with `apt update`, I meet an issue that normal users can't create containers. However, root user can create containers. When normal users create containers, web will return
Code: 
Can't call method "map_method_by_name" on an undefined value at /usr/share/perl5/PVE/RESTHandler.pm line 263. (500)
. BTW, normal users can create KVM without problem. Thanks!
 
what is your 'pveversion -v' ?
 
Thanks for your replying!
Here is my `pveversion -v`.
Code: 
proxmox-ve: 5.1-42 (running kernel: 4.13.16-2-pve)
pve-manager: 5.1-49 (running version: 5.1-49/1e427a54)
pve-kernel-4.13: 5.1-44
pve-kernel-4.13.16-2-pve: 4.13.16-47
pve-kernel-4.13.13-6-pve: 4.13.13-42
pve-kernel-4.13.13-5-pve: 4.13.13-38
corosync: 2.4.2-pve3
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: not correctly installed
libjs-extjs: 6.0.1-2
libpve-access-control: 5.0-8
libpve-apiclient-perl: 2.0-4
libpve-common-perl: 5.0-30
libpve-guest-common-perl: 2.0-14
libpve-http-server-perl: 2.0-8
libpve-storage-perl: 5.0-18
libqb0: 1.0.1-1
lvm2: 2.02.168-pve6
lxc-pve: 3.0.0-2
lxcfs: 3.0.0-1
novnc-pve: 0.6-4
proxmox-widget-toolkit: 1.0-14
pve-cluster: 5.0-24
pve-container: 2.0-21
pve-docs: 5.1-17
pve-firewall: 3.0-7
pve-firmware: 2.0-4
pve-ha-manager: 2.0-5
pve-i18n: 1.0-4
pve-libspice-server1: 0.12.8-3
pve-qemu-kvm: 2.11.1-5
pve-xtermjs: 1.0-2
qemu-server: 5.0-24
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3

BTW, I have a temporary solution to let normal users creating LXC. I added `PVEVMAdmin` to each user with the permission of path `/`.
 
how does your /etc/pve/user.cfg look like? and which roles/rights has a user which returns such an error?
 
I got the same issue with the very latest proxmox 5 (updated today)

Can't call method "map_method_by_name" on an undefined value at /usr/share/perl5
PVE/RESTHandler.pm line 299. (500)

I am using some python code to create users, pools, acls and groups. users get the role PVEAdmin and PVEDatastoreUser

s = ''
s = s + 'pvesh create /pools -poolid %s -comment "%s"\n' % (g,d.strip())
s = s + 'pveum groupadd %s -comment "%s"\n' % (g,d.strip())
s = s + 'pveum aclmod /pool/%s/ -group %s -role PVEAdmin\n' % (g,g)
s = s + 'pveum aclmod /storage/proxZFS/ -group %s -role PVEDatastoreUser\n' % g
s = s + 'pveum aclmod /storage/proxnfs/ -group %s -role PVEDatastoreUser\n' % g
print(s)
ret = run_script(s, output=True)

s = 'pveum useradd %s@DOMAIN.ORG -groups %s' % (uid, jsearchone(j,"uid",uid,"pi_dept"))
ret = run_script(s, output=True)


What am I missing ?
 
It ‘s the final step when creating a new container through the web ui
 
I'm having the same problem using pve 5.2 Downloaded yesterday. and the same work around but that seems to give users access to other vms. When I restrict the user's/ groups to their individual Pools.

In regards to roles for user or group.

if they don't have PVEVMAdmin at / they receive the error in the same spot as mentioned above.

i've added the PVEVM Admin in everyother spot exept / and it doesn't work till they have it at /.
I even added all my storage locations to my pool.


Code: 
pveversion -v
proxmox-ve: 5.2-2 (running kernel: 4.15.17-1-pve)
pve-manager: 5.2-1 (running version: 5.2-1/0fcd7879)
pve-kernel-4.15: 5.2-1
pve-kernel-4.15.17-1-pve: 4.15.17-9
corosync: 2.4.2-pve5
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.0-8
libpve-apiclient-perl: 2.0-4
libpve-common-perl: 5.0-31
libpve-guest-common-perl: 2.0-16
libpve-http-server-perl: 2.0-8
libpve-storage-perl: 5.0-23
libqb0: 1.0.1-1
lvm2: 2.02.168-pve6
lxc-pve: 3.0.0-3
lxcfs: 3.0.0-1
novnc-pve: 0.6-4
openvswitch-switch: 2.6.2~pre+git20161223-3
proxmox-widget-toolkit: 1.0-18
pve-cluster: 5.0-27
pve-container: 2.0-23
pve-docs: 5.2-3
pve-firewall: 3.0-8
pve-firmware: 2.0-4
pve-ha-manager: 2.0-5
pve-i18n: 1.0-5
pve-libspice-server1: 0.12.8-3
pve-qemu-kvm: 2.11.1-5
pve-xtermjs: 1.0-5
qemu-server: 5.0-26
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.8-pve1~bpo9


Code: 
root@pve2:~# cat  /etc/pve/user.cfg
user:jay@pve:1:0:Jason:Williamson::::
user:root@pam:1:0:::robert@theitmethod.com:::
user:blindrain@pve:1:0:Robert:Whitacre:robert@theitmethod.com:::

group:Jay:jay@pve::
group:Admin:blindrain@pve::

pool:Jay:Jason's Servers:106:local-lvm,local:


acl:1:/:@Admin:Administrator,PVEAdmin,PVESysAdmin:
acl:1:/:@Jay:PVEDatastoreAdmin:
acl:1:/pool/Jay:@Jay:PVEAdmin,PVEDatastoreAdmin,PVEDatastoreUser,PVETemplateUser,PVEVMAdmin,PVEVMUser:
acl:1:/storage/local:@Jay:PVEDatastoreAdmin,PVEDatastoreUser,PVETemplateUser,PVEVMAdmin:
acl:1:/storage/local-lvm:@Jay:PVEDatastoreAdmin,PVEDatastoreUser,PVETemplateUser,PVEVMAdmin:
 
Last edited:
to create a vm, the user has to have the VM.Allocate privilege on the path /vms/ID
this can be set via
right directly on /vms/ID
right on /pool/POOLNAME when the pool has the vmid already in it
right on / or /vms with 'propagate' enabled
 
dcsapak said:
to create a vm, the user has to have the VM.Allocate privilege on the path /vms/ID
this can be set via
right directly on /vms/ID
right on /pool/POOLNAME when the pool has the vmid already in it
right on / or /vms with 'propagate' enabled
Click to expand...
Maybe i getting all wrong but, by doing this, users can see all VMs available, and option 2 defeat the purpose of users and pools, since depends of the almighty sysadmin to create the vm in the first place.
 
Dragnell said:
Maybe i getting all wrong but, by doing this, users can see all VMs available, and option 2 defeat the purpose of users and pools, since depends of the almighty sysadmin to create the vm in the first place.
Click to expand...
if you give them rights on /vms yes they can see all vms
if you just give them rights on /vmx/YYY then they can see only that (the vms do not have to exists to give permissions on those paths)

and the point of pools is simply a collection of permission paths
a 'resource pool' where users can take and allocate resources until the limits of those pools is not yet implemented
 
dcsapak said:
if you give them rights on /vms yes they can see all vms
if you just give them rights on /vmx/YYY then they can see only that (the vms do not have to exists to give permissions on those paths)

and the point of pools is simply a collection of permission paths
a 'resource pool' where users can take and allocate resources until the limits of those pools is not yet implemented
Click to expand...

If you want to allocate vmid between 400 and 499 for example, you have to declare each vmid separately with PVEVMADMIN rights. There is no wildcard option available like /vms/4xx of /vms/400-450 ? When a user create vmid 400 and removes it, the user can not re-use vmid 400 and you must allocate vmid 400 again?
 
pizza said:
If you want to allocate vmid between 400 and 499 for example, you have to declare each vmid separately with PVEVMADMIN rights. There is no wildcard option available like /vms/4xx of /vms/400-450 ?
Click to expand...
there's no wildcard option for that, but it should be pretty easy to write a bash script which uses pveum to give permission on a range of paths
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back