PVE Tokens, API, and Hookscripts

proxdrop

Aug 16, 2024
I'm trying to use Ansible to manage VMs in Proxmox - specifically attach hookscripts as necessary. The hookscripts are valid and attach just fine via "qm set <vmid> --hookscript..." when run on the local PVE node. The issue is going through the Ansible provider, or rather the API in general I think. Adding hookscripts requires root@pam for some reason that I don't understand. It may be valid but I don't know what it is. My root@pam is set with 2FA, and cannot be called programmatically. I tried with API tokens, hoping a valid token would bypass this, but no luck. The token root@pam!temp_token seems to successfully validate, but returns "500 Internal Server Error only root can set hookscript". Am I misunderstanding the API tokens in general? I made sure root@pam!temp_token has the same rights root@pam does. Is root@pam!temp_token able to configure hookscripts?

https://docs.ansible.com/ansible/la.../proxmox_kvm_module.html#parameter-hookscript

Code:
- name: Add hookscript to existing VM
  community.general.proxmox_kvm:
    api_user: root@pam
    api_token_id: temp_token
    api_token_secret: <secret>
    api_host: helldorado
    vmid: 999
    node: sabrewulf
    hookscript: local:snippets/hookscript.pl
    update: true

API User + Password output:
Code:
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: proxmoxer.core.AuthenticationError: Couldn't authenticate user: missing Two Factor Authentication (TFA)
fatal: [127.0.0.1]: FAILED! => {"changed": false, "msg": "Couldn't authenticate user: missing Two Factor Authentication (TFA)"}

API User + Token ID + Secret
Code:
fatal: [127.0.0.1]: FAILED! => {"changed": false, "msg": "Unable to update vm test-vm with vmid 123=500 Internal Server Error: only root can set 'hookscript' config", "vmid": 123}

API User + Token ID + Invalid Secret (to test token cred)
Code:
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: proxmoxer.core.ResourceException: 401 Unauthorized: invalid token value! - {'errors': b''}
fatal: [127.0.0.1]: FAILED! => {"changed": false, "msg": "401 Unauthorized: invalid token value! - {'errors': b''}"}
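
Added example, not part of the original post: a small Python helper that sorts the three failures quoted above by the stage at which the request was refused. The sample lines are copied from the outputs in the post; the function names are hypothetical, and treating the 500 as a post-authentication refusal is an assumption based on the 401 that the invalid secret produces.

```python
import json
import re

# Sample input: the three "fatal" lines quoted in the post above.
SAMPLE = """\
fatal: [127.0.0.1]: FAILED! => {"changed": false, "msg": "Couldn't authenticate user: missing Two Factor Authentication (TFA)"}
fatal: [127.0.0.1]: FAILED! => {"changed": false, "msg": "Unable to update vm test-vm with vmid 123=500 Internal Server Error: only root can set 'hookscript' config", "vmid": 123}
fatal: [127.0.0.1]: FAILED! => {"changed": false, "msg": "401 Unauthorized: invalid token value! - {'errors': b''}"}
"""

# Matches the refusal text and captures the name of the gated config option.
ROOT_ONLY = re.compile(r"only root can set '([^']+)' config")


def diagnose(line):
    """Return (stage, detail) for one Ansible 'fatal' line."""
    # Ansible prints the module result as JSON after the "=> " marker.
    msg = json.loads(line.split("=> ", 1)[1])["msg"]
    if "Two Factor Authentication" in msg:
        return ("authentication", "password login stopped by TFA")
    if "401 Unauthorized" in msg:
        return ("authentication", "token secret rejected")
    match = ROOT_ONLY.search(msg)
    if match:
        # Assumption: a bad secret yields 401 instead, so the credentials
        # were accepted here and the option itself is what is gated.
        return ("authorization", match.group(1))
    return ("unknown", msg)


def diagnose_all(text=SAMPLE):
    """Diagnose every 'fatal:' line in a block of Ansible output."""
    return [diagnose(l) for l in text.splitlines() if l.startswith("fatal:")]


if __name__ == "__main__":
    for stage, detail in diagnose_all():
        print(f"{stage:15} {detail}")
```
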
 
I won't bump again, but is there any way to impersonate root here? Disabling 2FA for API commands is a non-starter. My only other alternative is to script in SSH commands.
 
Currently looking at the same problem. I'm directly calling the API via HTTP, so it's not an Ansible problem. IIRC it used to work with API tokens, but now my scripts don't work any more (changed with 8.3 maybe?).
 
Currently looking at the same problem. I'm directly calling the API via HTTP, so it's not an Ansible problem. IIRC it used to work with API tokens, but now my scripts don't work any more (changed with 8.3 maybe?).

I assume testing with Proxmoxer/python will show the same. I think the issue is how the API views root vs tokens.