Permissions required for remote-migrate feature

[janders3]

Recently, I began using qm remote-migrate (aka pvesh create /nodes/{node}/qemu/{vmid}/remote_migrate) to move VMs from our PVE 7.x environment to our 8.x environment. According to the PVE API Documentation page for this feature, the only permission needed to use this endpoint is VM.Migrate, but I found that the permissions below were the minimum required, as the migration would not complete without them:

DataStore.AllocateSpace
DataStore.Audit
SDN.Use
Sys.Audit
Sys.Incoming
Sys.Modify
VM.Allocate
VM.Config.CDROM
VM.Config.CPU
VM.Config.Disk
VM.Config.HWType
VM.Config.Memory
VM.Config.Network
VM.Config.Options
VM.Migrate
VM.PowerMgmt

For our environment, I made a custom Migrator role with these permissions. Since I will be targeting multiple datastores, I granted all of these at the / level, but it may be possible to further restrict the permission grants to lower portions of the tree in other contexts.

 

[fabian]

you need to be aware of two sets of privileges required:

- the source side (the remote_migrate API endpoint you linked)
- the target side (the mtunnel API endpoint, called with the token specified in the remote_migrate call)

the latter will then do all sorts of privilege checks depending on the exact guest setup.

 

[janders3]

Thanks, it helps to have that documentation handy as well. My migrations are generally going well, I just thought it might help to note my experience somewhere, so that other sysadmins have something to look to if they want to attempt a qm remote-migrate.