Are there non-root restrictions on the execution rights of the Proxmox CLI?

Gordon Kaltofen

New Member
Jul 28, 2014
I have a question about a product feature.

Are there non-root restrictions on the execution rights of the Proxmox CLI? I have found nothing in this regard in the wiki or on the Internet.

I've added an additional user 'jenkins' for automation, as written in the wiki. This remote login should not be 'root' just because the login is done without entering a password via preshared keys.

But since the CLI command 'qm' is in '/usr/sbin', it needs sudoers rights.

1) First idea:
Configuration via '/etc/sudoers' with this line:

%jenkins ALL = NOPASSWD: /usr/sbin/qm

This means that users of the group 'jenkins' are allowed to execute the command '/usr/sbin/qm' without entering the password.

But this file does not exist. Is this type of configuration not provided?

2) Second idea: temporary workaround

If it does not work without root privileges, then add jenkins to the group 'root'.
Nevertheless, the execution of the command 'qm' is denied.

jenkins@testbed:~$ /usr/sbin/qm --help
please run as root

But I actually have this permission as a member of the root group. :(

If it should be relevant: in the Proxmox VE web GUI this user 'jenkins' is a member of the group 'jenkins' with the group role 'Administrator'.

Hence the question: do the CLI commands work exclusively with the root account?

Thx for answers,
Gordon
 
1) First idea:
Configuration via '/etc/sudoers' with this line:

%jenkins ALL = NOPASSWD: /usr/sbin/qm

This means that users of the group 'jenkins' are allowed to execute the command '/usr/sbin/qm' without entering the password.

But this file does not exist. Is this type of configuration not provided?

You need to install the sudo package, then edit the /etc/sudoers file, after which you'll be able to execute sudo /usr/sbin/qm.
 
Thank you Aleksandrs for the good hint. That's worth a try.

Unfortunately, this probably will not solve my other problem with the CLI. Therefore, it is better to follow what is probably Dietmar's recommendation and use the API instead of the CLI. It probably makes sense to write an API wrapper for scripting.

Thank you all for your efforts, guys.
 
Thanks Aleksandrs, that's a good indication - per se.

But, unfortunately, that will not solve my other problem with the CLI. Therefore, it makes sense to follow Dietmar's recommendation and use the API instead. It probably makes sense to write an API wrapper for scripting, but there is always something.

Thank you for your efforts.
 
I have found a satisfactory solution. I use the pvesh command for API access via SSH.

Now the restricted user jenkins can execute the command pvesh without a password via SSH. I have written shell wrapper scripts to manage the VMs. To access the JSON objects in shell scripts, the program jq is very suitable.

Thanks again to everyone for all the hints and ideas.
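
A wrapper around pvesh for a restricted account can also limit which API calls that account is able to make. The script below is an added example, not the poster's scripts or Proxmox code. It assumes pvesh is at /usr/bin/pvesh, that a sudoers rule lets the account run it without a password, and that the automation only needs to list, query, start, shut down and stop VMs; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: allowlisting wrapper for a restricted automation account.
# Assumptions (not from the thread): pvesh lives at /usr/bin/pvesh and a
# sudoers rule lets the account run it without a password.
PVESH="${PVESH:-sudo -n /usr/bin/pvesh}"

# Return 0 only for verb/path pairs the automation account really needs.
is_allowed_request() {
    verb=$1 path=$2
    # Reject embedded newlines so the line-based grep below cannot be fooled.
    case $path in *'
'*) return 1 ;; esac
    node='[A-Za-z0-9][A-Za-z0-9-]*'   # node name: hostname characters only
    vmid='[1-9][0-9]{2,8}'            # VM IDs start at 100
    case $verb in
        get)    re="^/nodes/$node/qemu(/$vmid/status/current)?\$" ;;
        create) re="^/nodes/$node/qemu/$vmid/status/(start|shutdown|stop)\$" ;;
        *)      return 1 ;;
    esac
    printf '%s\n' "$path" | grep -Eq "$re"
}

# Run one request string, e.g. the contents of SSH_ORIGINAL_COMMAND
# ("get /nodes/<node>/qemu"). Anything that is not exactly "<verb> <path>"
# or that falls outside the allowlist is refused before pvesh is called.
run_request() {
    set -f                 # no glob expansion while splitting the request
    set -- $1
    set +f
    if [ "$#" -ne 2 ] || ! is_allowed_request "$1" "$2"; then
        echo "request refused" >&2
        return 1
    fi
    $PVESH "$1" "$2"
}

# Wiring (assumption): call  run_request "$SSH_ORIGINAL_COMMAND"  from a script
# set as the forced command= for the automation key in authorized_keys.
```

With this in place the sudoers rule and the SSH key no longer grant the whole API tree, only the listed VM operations.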
 
