PVEAdmin users cannot create containers

[badbod]

Hi,
I updated Proxmox today and users with group PVEAdmin role now cannot create containers.

In the first page of create CT dialogue, all nodes are outlined in red, hover selection box shows 'seems to be offline'. Next button is grayed out regardless of details entered and cannot continue.

If add user permissions with path / and role PVEAdmin they can now create.

phpversion -v

proxmox-ve: 5.4-1 (running kernel: 4.15.18-14-pve)
pve-manager: 5.4-5 (running version: 5.4-5/c6fdb264)
pve-kernel-4.15: 5.4-2
pve-kernel-4.15.18-14-pve: 4.15.18-38
pve-kernel-4.15.18-12-pve: 4.15.18-36
pve-kernel-4.15.18-11-pve: 4.15.18-34
pve-kernel-4.15.18-9-pve: 4.15.18-30
pve-kernel-4.15.18-8-pve: 4.15.18-28
pve-kernel-4.15.18-7-pve: 4.15.18-27
pve-kernel-4.15.17-1-pve: 4.15.17-9
corosync: 2.4.4-pve1
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.1-9
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-51
libpve-guest-common-perl: 2.0-20
libpve-http-server-perl: 2.0-13
libpve-storage-perl: 5.0-42
libqb0: 1.0.3-1~bpo9
lvm2: 2.02.168-pve6
lxc-pve: 3.1.0-3
lxcfs: 3.0.3-pve1
novnc-pve: 1.0.0-3
proxmox-widget-toolkit: 1.0-26
pve-cluster: 5.0-37
pve-container: 2.0-37
pve-docs: 5.4-2
pve-edk2-firmware: 1.20190312-1
pve-firewall: 3.0-20
pve-firmware: 2.0-6
pve-ha-manager: 2.0-9
pve-i18n: 1.1-4
pve-libspice-server1: 0.14.1-2
pve-qemu-kvm: 3.0.1-2
pve-xtermjs: 3.12.0-1
qemu-server: 5.0-51
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.13-pve1~bpo2

 

[dcsapak]

I updated Proxmox today and users with group PVEAdmin role now cannot create containers.

on which path do they have that permission?

If add user permissions with path / and role PVEAdmin they can now create.

so it works now?

 

[badbod]

on which path do they have that permission?



so it works now?

the rule I added was path '/' so username , / , PVEAdmin added in Permissions UI.

I am just reporting that recent update changed something and users could no longer create CT's, I had to manually add permission so they can work for now.

The path permission from PVEAdmin (not created by me but from installation) are,

/vms/100
/vms/102
/pool/LIVE
/pool/DEV
/storage/local
/storage/local-lvm

I don't know what they were before update, never played with it as it was working fine.

So, before update and having never ever played with permissions etc apart from simply adding the PVEAdmin role to a group and placing the users in that group, all was working fine. After recent update they can no longer create CT's and as a quick hack to allow the users I added that jankey rule, simply as a stopgap.

I assume it is a bug in the recent update, so I am reporting it here.

Regards
David

 

[dcsapak]

The path permission from PVEAdmin (not created by me but from installation) are,

/vms/100
/vms/102
/pool/LIVE
/pool/DEV
/storage/local
/storage/local-lvm

no the installation does not do things like that

i still do not understand what the permissions were before and what should have worked but didn't

can you post the content of the file '/etc/pve/user.cfg' ?

 

[badbod]

When I say installation I mean like creating a cluster with 2 nodes etc
I have not edited the PVEAdmin role rules.

what didn't work:
The normal user with the role PVEAdmin could not add a CT container, the node selector complained about the node 'seems to be offline' and could not go any further in the add CT dialogue.

file '/etc/pve/user.cfg'

user:root@pam:1:0:::my@email:::
user:user1@pam:1:0:user1:user1@email:::
user:myname@pam:1:0:my name::::

group:Developers:user1@pam,myname@pam::
group:Admins:::

pool:LIVE:Production:104::
pool:DEV:Development:106,101,109,110,107,103,108,105::


acl:1:/:myname@pam:PVEAdmin:          <----added by me in the UI to allow myname to add CT
acl:1:/pool/DEV:@Developers:PVEAdmin:
acl:1:/pool/LIVE:@Developers:PVEAdmin:
acl:1:/storage/local:@Developers:PVEAdmin:
acl:1:/storage/local-lvm:@Developers:PVEAdmin:
acl:1:/vms/100:@Developers:PVEAdmin:
acl:1:/vms/102:@Developers:PVEAdmin:

Regards
David

 

[dcsapak]

ok thanks, now i get it

there was a recent change in which the node rrd stats get now not exposed if the user does not have 'Sys.Audit' privileges on /nodes/nodename
but the gui component is checking the memory to indicate if a node is online (this is the bug)

i will fix this soon
you can add a privilege for /nodes or /nodes/nodename as 'Auditor' for now as a workaround

 

[badbod]

ahh ok, Thanks

to do that the I would add permission , path= /nodes to group= Developers with role= PVEAuditor ?

Regards
David

 

[dcsapak]

to do that the I would add permission , path= /nodes to group= Developers with role= PVEAuditor ?

yes this should work

 

[badbod]

Many Thanks. Looks to be working fine.

Best regards
David

 

[cerialphreak]

I'm having the same issue, where exactly did you add this permission? I'm not seeing anywhere in the gui to add a path argument. Sorry if this is a dumb question, I've never tried to create new users on proxmox before.

 

[badbod]

Select top level node 'Datacenter', from the center panel select 'Permissions' and then in the right panel select Add. in my case I added group permission with path=/nodes and role=PVEAuditor to my Developers group which is the group my developer users are in. So this part will vary with your group/users setup.

 

[cerialphreak]

Got it. Thanks for the quick response!

 

[brian.chase]

I am following this thread and was unable to locate some of the things called out in the solution called out by the Proxmox team member. Can someone issue a more detailed explanation of how to get around this bug? Currently, I have only root user, have access to Web UI and would like to create a new container and this is where I get stuck.

 

[dcsapak]

a container password must have at least 5 characters, indicated by the red box around the password field