Role VM.config.networking prevent cloud init networking

skoddex

May 1, 2023
Hello everyone.

Currently working on the Proxmox roles, I would like to report a behavior on this part.
The VM config role blocks the configuration of cloud-init on the network option. Indeed, I think it could be two separate things. I can restrict the hardware part of the VM on the network to prevent a group of users with this role from modifying a template or VM, to partition the creation of a VM on a particular VLAN (hardware bridge). But I want to be able to give them the right to choose the IP, DNS, etc. of the cloud-init on this network.
The current behavior prevents one or allows both.
What do you think?
 
VM.Config.Cloudinit should be enough to update Cloudinit settings. If that doesn't work as expected, please provide a clear report of how you configured things, what you attempted, and what you got as a result.
 
Hi,

It doesn't work because this problem based on a fw rule permission problem (but it's the same thing) is still undecided. But this is exactly the problem.
You should decouple the vm.config.network permission from the vm.config.cloudinit for network options.
As the author said, a team can change the cloud-init options like IP and DNS but cannot change the VM's network hardware, to avoid security issues when working with network isolation with virtual interfaces and networks attached to the VM.

Maybe I can propose a request to use the vm.config.cloudinit permission on all cloud-init options?

https://bugzilla.proxmox.com/show_bug.cgi?id=2741
 
so your actual issue is that you want your users to set guest firewall rules without having VM.Config.Network? that is not related to cloud init at all. VM.Config.Cloudinit should cover all the cloud init stuff, if it isn't please provide details.

introducing a separate VM.Config.Firewall that allows changing firewall rules on the guest level might be worthwhile as well (implied by VM.Config.Network I guess), but it needs to be properly timed since introducing new privileges has wide-ranging effects.
 
Oh no, sorry if my English is bad, it is not my native language.
The firewall rules issue was there to explain the multi-tenancy on a Proxmox cluster.

I will try to be more clear.
If I assign a resource pool to a team with a vm template attached to a network, the team should be able to use this template by cloning it and modifying the cloud init including the dns and ip part without modifying on which network interface the vm clone is put.
Currently the permission vm.config.network to true which prevents the modification of the network interface at the hardware level of the vm, also prevents the modification of the ip options of the cloud init.
 
ah, that's a GUI bug, the backend/API actually only requires VM.Config.Cloudinit to update the cloudinit related settings (well, and VM.Config.CDROM for creating the cloudinit disk in the first place).
 
correction: ipconfig is limited to VM.Config.Network, the rest is not.
 
So all these options should depend only on vm.config.cloudinit? When I see the code, maybe it's a legacy from when the cloudinit permission didn't exist yet?
 
everything except "regenerate" and "ipconfig" should be usable with VM.Config.Cloudinit. I'll check tomorrow in depth and send patches fixing up the GUI, and maybe (if possible), the ipconfig option.
 
Thanks for your time
Don't hesitate to ping me if you want more use case explanations. It's a good option for working with multiple teams and automation.
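
Added example, not part of the thread and not Proxmox code: a pre-flight check for tenant automation that applies the privilege split described above (ipconfig and the NIC hardware need VM.Config.Network, the other cloud-init options need VM.Config.Cloudinit). The cloud-init key list, the function names and the sample role are assumptions made for illustration.

```python
import re

# Mapping as stated in this thread (May 2023); an assumption, not read from Proxmox source.
CLOUDINIT_KEYS = {"ciuser", "cipassword", "citype", "cicustom",
                  "nameserver", "searchdomain", "sshkeys"}
IPCONFIG_RE = re.compile(r"^ipconfig\d+$")   # cloud-init IP settings per interface
NIC_RE = re.compile(r"^net\d+$")             # virtual NIC hardware (bridge, VLAN tag)


def required_privilege(key):
    """Privilege the thread says is needed to change one VM config key."""
    if IPCONFIG_RE.match(key) or NIC_RE.match(key):
        return "VM.Config.Network"
    if key in CLOUDINIT_KEYS:
        return "VM.Config.Cloudinit"
    return None  # key is outside what the thread discusses


def preflight(role_privs, changes):
    """Return {key: missing privilege} for every change the role cannot make."""
    denied = {}
    for key in changes:
        need = required_privilege(key)
        if need is not None and need not in role_privs:
            denied[key] = need
    return denied


def can_rehome_nic(role_privs):
    """True if the role may edit net[n], i.e. move a clone off its assigned bridge."""
    return required_privilege("net0") in role_privs


if __name__ == "__main__":
    # Constructed sample: a tenant role scoped to a resource pool.
    tenant = {"VM.Clone", "VM.Config.Cloudinit"}
    changes = {"ipconfig0": "ip=10.20.0.15/24,gw=10.20.0.1",
               "nameserver": "10.20.0.53", "ciuser": "deploy"}
    print("denied:", preflight(tenant, changes))
    widened = tenant | {"VM.Config.Network"}
    print("denied after widening:", preflight(widened, changes))
    print("isolation at risk:", can_rehome_nic(widened))
```

With the constructed role, only `ipconfig0` is denied; adding VM.Config.Network clears it but also lets the tenant change the NIC's bridge, which is the coupling the thread asks to remove.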
 
