PVE 5.3.6 - pve-api feature request

[elurex]

My PVE Version

proxmox-ve: 5.3-1 (running kernel: 4.15.18-9-pve)
pve-manager: 5.3-6 (running version: 5.3-6/37b3c8df)
pve-kernel-4.15: 5.2-12
pve-kernel-4.15.18-9-pve: 4.15.18-30
pve-kernel-4.15.18-8-pve: 4.15.18-28
pve-kernel-4.15.18-7-pve: 4.15.18-27
ceph: 12.2.10-pve1
corosync: 2.4.4-pve1
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.1-3
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-43
libpve-guest-common-perl: 2.0-18
libpve-http-server-perl: 2.0-11
libpve-storage-perl: 5.0-34
libqb0: 1.0.3-1~bpo9
lvm2: 2.02.168-pve6
lxc-pve: 3.0.2+pve1-5
lxcfs: 3.0.2-2
novnc-pve: 1.0.0-2
proxmox-widget-toolkit: 1.0-22
pve-cluster: 5.0-31
pve-container: 2.0-31
pve-docs: 5.3-1
pve-edk2-firmware: 1.20181023-1
pve-firewall: 3.0-16
pve-firmware: 2.0-6
pve-ha-manager: 2.0-5
pve-i18n: 1.0-9
pve-libspice-server1: 0.14.1-1
pve-qemu-kvm: 2.12.1-1
pve-xtermjs: 1.0-5
qemu-server: 5.0-43
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.12-pve1~bpo1

I am trying to use PVE API
HTTP: PUT /api2/json/nodes/{node}/qemu/{vmid}/config
using none root@pam user with following privs assigned from web gui

Datastore.Allocate Datastore.AllocateSpace Datastore.AllocateTemplate Datastore.Audit Pool.Allocate Sys.Audit Sys.Console Sys.PowerMgmt Sys.Syslog VM.Allocate VM.Audit VM.Backup VM.Clone VM.Config.CDROM VM.Config.CPU VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options VM.Console VM.Migrate VM.Monitor VM.PowerMgmt VM.Snapshot VM.Snapshot.Rollback

According to API Doc It only requires following privs ["VM.Config.Disk","VM.Config.CDROM","VM.Config.CPU","VM.Config.Memory","VM.Config.Network","VM.Config.HWType","VM.Config.Options"]

When I try to modify VM's net0 's MacAddress & pcie slot id, I keep getting following response
send:

data={
      "net0": "virtio=ab:cd:ef:00:11,bridge=vmbr0",
       "hostpci0": "05:00,pcie=1,x-vga=1"
 }

receive:
<Response [500]>
{"data":null}

if I use root@pam user, then server respond <Response [200]>

Is it possible to make hostpci0/pcie device to be a privs can be assigned to none root user

 

[sb-jw]

Could you send us the Complete Code snippet?

AFAIK you have to read out the current Network Config and then modify the Parts you need and resend the whole line back to PVE.

 

[elurex]

Could you send us the Complete Code snippet?

AFAIK you have to read out the current Network Config and then modify the Parts you need and resend the whole line back to PVE.

Ahhh! I think I found the issue.

Its "hostpci0": "05:00,pcie=1,x-vga=1" not editable by any none root user I guess it needs to be a feature request

Current Qemu.pm prevents none user to change any options

 

[Stoiko Ivanov]

Just to be sure we're on the same page:
`hostpci\d+` is used to pass PCI-e devices (e.g. a GPU, or a NIC) from the PVE-Host to a guest.
It's not used to change pci-slot-assigments within the guest.

As such I think that the current Permission system is on the safe side - otherwise a user != root could break the complete PVE-Host (e.g. pass through the network-device used for all VMs, or the disk-controller where PVE is installed).

 

[elurex]

i am running vdi service with gpu passthrough instance to users. each user has their own vm disks and depend on servers' gpu availability, user's vm need to dynamically assign with mac and pcie slot id

I try to add following code to Qemu.pm

return 1 if $authuser eq 'myuser@pam';

but I am still getting respond 500

if I try to run using pvesh cli

pvesh set /nodes/gpu09/qemu/902/config " --hostpci0 "04:00,pcie=1,x-vga=1" --net0 "virtio=AA:BB:CC:DD:96:F4,bridge=vmbr0"

I got following warning

malformed JSON string, neither tag, array, object, number, string or atom, at character offset 0 (before "update VM 902: -host...") at /usr/share/perl5/PVE/CLI/pvesh.pm line 125.

However, changes are made

 

[Stoiko Ivanov]

* Are you running the pvesh invocation on node `gpu09`?
* If not does it still happen when you call it directly on `gpu09`?