Recently, I began using
For our environment, I made a custom Migrator role with these permissions. Since I will be targeting multiple datastores, I granted all of these at the / level, but it may be possible to further restrict the permission grants to lower portions of the tree in other contexts.
qm remote-migrate
(aka pvesh create /nodes/{node}/qemu/{vmid}/remote_migrate
) to move VMs from our PVE 7.x environment to our 8.x environment. According to the PVE API Documentation page for this feature, the only permission needed to use this endpoint is VM.Migrate
, but I found that the permissions below were the minimum required, as the migration would not complete without them:
Code:
DataStore.AllocateSpace
DataStore.Audit
SDN.Use
Sys.Audit
Sys.Incoming
Sys.Modify
VM.Allocate
VM.Config.CDROM
VM.Config.CPU
VM.Config.Disk
VM.Config.HWType
VM.Config.Memory
VM.Config.Network
VM.Config.Options
VM.Migrate
VM.PowerMgmt
For our environment, I made a custom Migrator role with these permissions. Since I will be targeting multiple datastores, I granted all of these at the / level, but it may be possible to further restrict the permission grants to lower portions of the tree in other contexts.