PVEAdmin users cannot create containers

badbod

Hi,
I updated Proxmox today and users with group PVEAdmin role now cannot create containers.

In the first page of create CT dialogue, all nodes are outlined in red, hover selection box shows 'seems to be offline'. Next button is grayed out regardless of details entered and cannot continue.

If I add user permissions with path / and role PVEAdmin, they can now create.

pveversion -v

Code:
proxmox-ve: 5.4-1 (running kernel: 4.15.18-14-pve)
pve-manager: 5.4-5 (running version: 5.4-5/c6fdb264)
pve-kernel-4.15: 5.4-2
pve-kernel-4.15.18-14-pve: 4.15.18-38
pve-kernel-4.15.18-12-pve: 4.15.18-36
pve-kernel-4.15.18-11-pve: 4.15.18-34
pve-kernel-4.15.18-9-pve: 4.15.18-30
pve-kernel-4.15.18-8-pve: 4.15.18-28
pve-kernel-4.15.18-7-pve: 4.15.18-27
pve-kernel-4.15.17-1-pve: 4.15.17-9
corosync: 2.4.4-pve1
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.1-9
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-51
libpve-guest-common-perl: 2.0-20
libpve-http-server-perl: 2.0-13
libpve-storage-perl: 5.0-42
libqb0: 1.0.3-1~bpo9
lvm2: 2.02.168-pve6
lxc-pve: 3.1.0-3
lxcfs: 3.0.3-pve1
novnc-pve: 1.0.0-3
proxmox-widget-toolkit: 1.0-26
pve-cluster: 5.0-37
pve-container: 2.0-37
pve-docs: 5.4-2
pve-edk2-firmware: 1.20190312-1
pve-firewall: 3.0-20
pve-firmware: 2.0-6
pve-ha-manager: 2.0-9
pve-i18n: 1.1-4
pve-libspice-server1: 0.14.1-2
pve-qemu-kvm: 3.0.1-2
pve-xtermjs: 3.12.0-1
qemu-server: 5.0-51
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.13-pve1~bpo2
 
on which path do they have that permission?



so it works now?

the rule I added was path '/' so username , / , PVEAdmin added in Permissions UI.

I am just reporting that the recent update changed something and users could no longer create CTs; I had to manually add the permission so they can work for now.

The path permission from PVEAdmin (not created by me but from installation) are,

/vms/100
/vms/102
/pool/LIVE
/pool/DEV
/storage/local
/storage/local-lvm

I don't know what they were before update, never played with it as it was working fine.

So, before the update, and having never played with permissions apart from simply adding the PVEAdmin role to a group and placing the users in that group, all was working fine. After the recent update they can no longer create CTs, and as a quick hack to allow the users I added that janky rule, simply as a stopgap.

I assume it is a bug in the recent update, so I am reporting it here.

Regards
David
 
The path permission from PVEAdmin (not created by me but from installation) are,

/vms/100
/vms/102
/pool/LIVE
/pool/DEV
/storage/local
/storage/local-lvm
no the installation does not do things like that

i still do not understand what the permissions were before and what should have worked but didn't

can you post the content of the file '/etc/pve/user.cfg' ?
 
When I say installation I mean like creating a cluster with 2 nodes etc
I have not edited the PVEAdmin role rules.

what didn't work:
The normal user with the role PVEAdmin could not add a CT container, the node selector complained about the node 'seems to be offline' and could not go any further in the add CT dialogue.

file '/etc/pve/user.cfg'

Code:
user:root@pam:1:0:::my@email:::
user:user1@pam:1:0:user1:user1@email:::
user:myname@pam:1:0:my name::::

group:Developers:user1@pam,myname@pam::
group:Admins:::

pool:LIVE:Production:104::
pool:DEV:Development:106,101,109,110,107,103,108,105::


acl:1:/:myname@pam:PVEAdmin:          <----added by me in the UI to allow myname to add CT
acl:1:/pool/DEV:@Developers:PVEAdmin:
acl:1:/pool/LIVE:@Developers:PVEAdmin:
acl:1:/storage/local:@Developers:PVEAdmin:
acl:1:/storage/local-lvm:@Developers:PVEAdmin:
acl:1:/vms/100:@Developers:PVEAdmin:
acl:1:/vms/102:@Developers:PVEAdmin:

Regards
David
 
ok thanks, now i get it

there was a recent change in which the node rrd stats are no longer exposed if the user does not have 'Sys.Audit' privileges on /nodes/nodename
but the gui component is checking the memory to indicate if a node is online (this is the bug)

i will fix this soon
you can add a privilege for /nodes or /nodes/nodename as 'Auditor' for now as a workaround
 
ahh ok, Thanks

to do that I would add a permission, path=/nodes to group=Developers with role=PVEAuditor?

Regards
David
 
I'm having the same issue, where exactly did you add this permission? I'm not seeing anywhere in the gui to add a path argument. Sorry if this is a dumb question, I've never tried to create new users on proxmox before.
 
Select the top-level node 'Datacenter', from the center panel select 'Permissions' and then in the right panel select Add. In my case I added a group permission with path=/nodes and role=PVEAuditor to my Developers group, which is the group my developer users are in. So this part will vary with your group/users setup.
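Added example, not part of the thread or of Proxmox's code: a small Python audit of `user.cfg` text that reports whether a user ends up with a Sys.Audit-bearing role on `/nodes/<node>`, the condition behind the 'seems to be offline' symptom described above. The node name `node1`, the role set and the simplified resolution order (most specific path first, user entries before group entries, inherited entries only when the propagate flag is 1) are assumptions.

```python
# Constructed sample: the group and acl lines posted in the thread,
# without the stop-gap "/" entry for myname@pam.
USER_CFG = """\
group:Developers:user1@pam,myname@pam::
acl:1:/pool/DEV:@Developers:PVEAdmin:
acl:1:/pool/LIVE:@Developers:PVEAdmin:
acl:1:/storage/local:@Developers:PVEAdmin:
acl:1:/storage/local-lvm:@Developers:PVEAdmin:
acl:1:/vms/100:@Developers:PVEAdmin:
acl:1:/vms/102:@Developers:PVEAdmin:
"""

# Assumption: built-in roles that include the Sys.Audit privilege.
SYS_AUDIT_ROLES = {"Administrator", "PVEAdmin", "PVEAuditor"}

def parse(cfg):
    """Return (groups, acls) parsed from user.cfg text."""
    groups, acls = {}, []
    for line in cfg.splitlines():
        f = line.split(":")
        if f[0] == "group":
            groups[f[1]] = set(filter(None, f[2].split(",")))
        elif f[0] == "acl":
            # (propagate flag, path, principals, roles)
            acls.append((f[1] == "1", f[2], f[3].split(","), f[4].split(",")))
    return groups, acls

def roles_on(path, user, groups, acls):
    """Roles effective for user on path under the simplified model."""
    mine = {"@" + g for g, members in groups.items() if user in members}
    p = path
    while True:
        for principals in ({user}, mine):      # user entries win over group
            found = set()
            for propagate, acl_path, who, roles in acls:
                inherited_ok = (p == path) or propagate
                if acl_path == p and inherited_ok and principals & set(who):
                    found.update(roles)
            if found:
                return found
        if p == "/":
            return set()
        p = p.rsplit("/", 1)[0] or "/"         # step up to the parent path

def can_audit_node(user, node, cfg):
    """True if user holds a Sys.Audit-bearing role on /nodes/<node>."""
    groups, acls = parse(cfg)
    return bool(roles_on("/nodes/" + node, user, groups, acls) & SYS_AUDIT_ROLES)
```

Running it against the posted configuration shows the gap, and appending `acl:1:/nodes:@Developers:PVEAuditor:` closes it for the whole group without granting PVEAdmin on `/`.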
 
I am following this thread and was unable to locate some of the things called out in the solution called out by the Proxmox team member. Can someone issue a more detailed explanation of how to get around this bug? Currently, I have only root user, have access to Web UI and would like to create a new container and this is where I get stuck.

[Attachment: create_container_failure_stuck.png]
 
a container password must have at least 5 characters, indicated by the red box around the password field
 
