Using a Proxmox role to restrict VMs to a specific network?

jdancer
May 26, 2019
Got some summer interns incoming and they will have access to a Proxmox cluster.

Is there a Proxmox role to restrict VMs to a specific network?

Obviously they will need access to the management network but VMs will be on a different network for Internet access.

If no such option is available, guess I will have to use a NAT box.
 
there is work going on to make bridges (and SDN vnets) ACL entities covered by the permission system - that would then allow to say "user X can only configure guests to use bridge foo" (for example). whether that will be ready in time for your summer interns I cannot promise ;)
 

Currently, hook scripts can serve as a workaround. Prior to starting a VM, it's possible to validate against a custom configuration file, such as /etc/pve/network-acl.yaml, which contains network ACLs. Additionally, parsing /etc/pve/nodes/rs1602/qemu-server/vmid.conf allows for the inclusion of VM names, VLANs, VXLANs, vnets names, and zones within ACLs, enabling precise control over network access.

Moreover, introducing logic to associate network interfaces, bridges, VLANs, VXLANs, zones, and vnets with pools (potentially managed through a file like /etc/pve/network-pools.yaml) is advisable. If a VM is a member of a pool and a network element is allocated within that pool, the VM should be permitted to utilize it. This approach is favored as it enhances organization and control.

Should a VM be ineligible to use a specific network, its initiation should be prevented through a hook script. Ideally, modifications to a VM's network settings would be restricted to ensure greater security.

Attention must also be given to disallowing network hotplugging. Without such measures, new networks could be added without ACL verification, as hook scripts do not currently monitor hotplug actions (e.g., adding disks or networks).
 
Besides that, I was diving into the GuestHelpers.pm file (https://github.com/proxmox/pve-guest-common/blob/master/src/PVE/GuestHelpers.pm), which I understand to be the source location for Proxmox's hook scripts. I stumbled upon an interesting piece of code that seems to suggest the ability to manage access permissions to virtual networks (vnets) through ACLs. Here's a snippet of what I found:

Perl:
sub check_vnet_access {
    my ($rpcenv, $authuser, $vnet, $tag, $trunks) = @_;

    my $zone = 'localnetwork';

    if ($have_sdn) {
        my $vnet_cfg = PVE::Network::SDN::Vnets::config();
        if (defined(my $vnet = PVE::Network::SDN::Vnets::sdn_vnets_config($vnet_cfg, $vnet, 1))) {
            $zone = $vnet->{zone};
        }
    }

    # if a tag is defined, test if the user has specific access to the vlan (or propagated from the full bridge acl)
    $rpcenv->check($authuser, "/sdn/zones/$zone/$vnet/$tag", ['SDN.Use']) if $tag;
    # check access to each vlan of the trunk
    if ($trunks) {
        my $tags = get_tags_from_trunk($trunks);
        for my $tag (sort keys %$tags) {
            $rpcenv->check($authuser, "/sdn/zones/$zone/$vnet/$tag", ['SDN.Use']);
        }
    }
    # if there is neither tag nor trunk, test if the user has access to the full bridge
    $rpcenv->check($authuser, "/sdn/zones/$zone/$vnet", ['SDN.Use'])
        if !($tag || $trunks);
}


This section appears to provide a mechanism for permission checking based on ACLs, but I'm not entirely sure I'm interpreting it correctly. Additionally, I haven't been able to find any documentation on this functionality. If anyone could shed some light on how this works, I would greatly appreciate it.

Thank you in advance for any insights you can provide!
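As an added example (not code from this thread and not Proxmox's own code), here is a pre-start hook script in Python that implements the workaround described earlier in the thread and applies the same tag / trunk / full-bridge rule as check_vnet_access: it parses the live part of the VM's qemu-server config and refuses the start when a NIC uses a bridge or VLAN the VM is not allowed to use. The ACL structure, the VM id 101 and the bridge names are constructed; the format of a file like /etc/pve/network-acl.yaml is assumed, so the ACL is embedded inline.

```python
# Added example: a Proxmox pre-start hook script that refuses to start a VM whose
# NICs use a bridge or VLAN it is not allowed to use. The ACL layout is assumed.
import re
import sys

# Constructed ACL (format assumed; a real one might live in /etc/pve/network-acl.yaml):
# vmid -> bridge -> set of allowed VLAN tags, or "any" for access to the whole bridge.
NETWORK_ACL = {"101": {"vmbr1": {20, 30}, "vmbr2": "any"}}
NET_RE = re.compile(r"^net(\d+):\s*(.*)$")


def parse_net_devices(conf_text):
    """Return [(name, bridge, tag, trunk_tags)] from the live part of a qemu-server config."""
    nics = []
    for line in conf_text.splitlines():
        if line.startswith("["):
            break  # snapshot and [PENDING] sections follow; only the live config counts
        m = NET_RE.match(line.strip())
        if not m:
            continue
        opts = {}
        for item in m.group(2).split(",")[1:]:  # first item is model=mac, skip it
            key, _, val = item.partition("=")
            opts[key.strip()] = val.strip()
        tag = int(opts["tag"]) if "tag" in opts else None
        trunks = {int(t) for t in opts.get("trunks", "").split(";") if t}
        nics.append((f"net{m.group(1)}", opts.get("bridge"), tag, trunks))
    return nics


def check_vm_network_acl(vmid, conf_text, acl=NETWORK_ACL):
    """Return violation strings; an empty list means the VM may start."""
    allowed = acl.get(str(vmid), {})
    violations = []
    for name, bridge, tag, trunks in parse_net_devices(conf_text):
        perm = allowed.get(bridge)
        if perm is None:
            violations.append(f"{name}: bridge {bridge} not permitted")
        elif perm != "any":  # "any" covers untagged, tagged and trunk use of the bridge
            needed = set(trunks) | ({tag} if tag is not None else set())
            if not needed:  # untagged NIC: needs the whole bridge, as in check_vnet_access
                violations.append(f"{name}: untagged use of {bridge} needs full-bridge access")
            violations += [f"{name}: VLAN {t} on {bridge} not permitted" for t in sorted(needed - perm)]
    return violations


if __name__ == "__main__":  # Proxmox calls hook scripts as: <script> <vmid> <phase>
    vmid, phase = sys.argv[1], sys.argv[2]
    if phase == "pre-start":
        with open(f"/etc/pve/qemu-server/{vmid}.conf") as fh:
            problems = check_vm_network_acl(vmid, fh.read())
        if problems:
            sys.exit("\n".join(problems))  # message goes to stderr, exit status 1 aborts the start
```

As the thread notes, this only runs at start time; a NIC hotplugged into a running VM is not checked by any hook phase.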
 
