packer-plugin-proxmox
Documentation enhancement: Proxmox Builder
Dear Packer Team,
Re: Your Proxmox Builder Docs (https://www.packer.io/docs/builders/proxmox.html)
It would be nice if you actually documented precisely what permissions Packer's Proxmox builder is expecting.
As you know, Proxmox allows granular definition of user privileges (https://pve.proxmox.com/wiki/User_Management).
As you also know, it's 2019 ... and so "principle of least privilege" is king, not "meh, just give it god rights". ;-)
TL;DR ... Does the Proxmox builder really need Sys.PowerMgmt, Sys.Console, User.Modify etc. etc. etc.?
Hi @udf2457, Very good point! Up until recently, the builder actually required root access, due to how keyboard input was sent to the VM. It should be possible to reduce the scope now, though. I'll look into the exact set of permissions required (unless you already did that, then I'd be happy to hear the results :) )
@carlpett
Unfortunately my security head comes first, and so whilst my sysadmin heart wants to experiment with Packer on Proxmox, my security head says "not on your nelly giving root on live/semi-live systems". ;-)
As far as I can tell from brief internet research I can't run a test instance of Proxmox on AWS, and I don't have access to a spare bare-metal box at the present time. So I'm afraid I'll have to leave the ball in your court in terms of experimentation.
Hi @udf2457 after some try&die here are some commands that work for me:

```sh
pveum useradd packer@pve
pveum passwd packer@pve
pveum roleadd Packer -privs "VM.Config.Disk VM.Config.CPU VM.Config.Memory Datastore.AllocateSpace Sys.Modify VM.Config.Options VM.Allocate VM.Audit VM.Console VM.Config.CDROM VM.Config.Network VM.PowerMgmt VM.Config.HWType VM.Monitor"
pveum aclmod / -user packer@pve -role Packer
```

Hope it helps.
@RemiDesgrange Thanks for your guide! It does not work however, if you want packer to upload the ISO file to Proxmox. As I am entirely new to Proxmox, I do not know how to extend the role privileges. Maybe you can chime in here?
Packer tries to talk to the following endpoint: https://pve:8006/api2/json/nodes/pve/storage/local/upload
The way I'm building my image with packer, the iso is already on the PVE instance. Feel free to add Datastore.AllocateTemplate (I mean it should work according to https://pve.proxmox.com/wiki/User_Management#_privileges).
Hello, so I just did this configuration on my cluster and settled on the following config:
- Create a new resource pool "packer"
- Create a new group "packer_group"
- Create a new user "packer" and add it to "packer_group"
- Add the desired datastore to the "packer" resource pool
- Assign the following privileges to packer_group:
  - PVEPoolUser on /pools/packer
  - PVEDatastoreUser on /pools/packer
  - PVEVMAdmin on /pools/packer

If a separate datastore for images is used, the following is also needed:
  - PVEDatastoreAdmin on /storage/iso-storage
This is because packer deletes the ephemeral images on this datastore at the end of its run which requires the Datastore.Allocate permission which the normal DatastoreUser does not have.
If you follow this setup you will have a VM pool where the packer user can create and delete only its own VMs, which are isolated from the rest of the cluster. I think this should be the least amount of privileges needed to execute all necessary packer tasks.
I followed this discussion on the Proxmox forum for this setup: https://forum.proxmox.com/threads/allow-user-to-create-vms-but-only-see-and-manage-those-created-by-itself.121222/
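The pool-scoped setup above, written out as `pveum` commands (an added example, not from the plugin or the original comment). It assumes the names from the comment (pool `packer`, group `packer_group`, user `packer@pve`, optional ISO datastore `iso-storage`) and uses the pveum ACL path form `/pool/<poolid>`; it only prints the commands unless `PVE_APPLY=1` is set, so the privilege grant can be reviewed before it is applied.

```sh
#!/bin/sh
# Least-privilege Proxmox setup for Packer: pool + group + user, with built-in
# roles granted only on the pool path rather than on /.
# Names below are assumptions for this example; override via environment.
POOL="${POOL:-packer}"
GROUP="${GROUP:-packer_group}"
PACKER_USER="${PACKER_USER:-packer@pve}"
ISO_STORE="${ISO_STORE:-}"   # empty when ISOs live on a datastore inside the pool

# Dry-run wrapper: print the command, or execute it when PVE_APPLY=1.
run() {
  if [ "${PVE_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

packer_acl_setup() {
  run pveum pool add "$POOL" --comment "Packer build VMs"
  run pveum group add "$GROUP"
  run pveum user add "$PACKER_USER" --groups "$GROUP"
  # API token with privsep=0 inherits the user's ACLs; the secret is shown once
  # on creation and goes into Packer's token config instead of a password.
  run pveum user token add "$PACKER_USER" packer --privsep 0
  # Scope each built-in role to the pool so the user only sees its own VMs.
  for role in PVEPoolUser PVEDatastoreUser PVEVMAdmin; do
    run pveum acl modify "/pool/$POOL" --groups "$GROUP" --roles "$role"
  done
  # Deleting ephemeral images needs Datastore.Allocate, which PVEDatastoreUser
  # lacks, so a separate ISO datastore gets PVEDatastoreAdmin on its own path.
  if [ -n "$ISO_STORE" ]; then
    run pveum acl modify "/storage/$ISO_STORE" --groups "$GROUP" --roles PVEDatastoreAdmin
  fi
}

packer_acl_setup
```

Run it on the PVE node once the printed commands look right: `PVE_APPLY=1 ISO_STORE=iso-storage sh packer-acl.sh`.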
> Hi @udf2457 after some try&die here are some commands that work for me:
>
> ```sh
> pveum useradd packer@pve
> pveum passwd packer@pve
> pveum roleadd Packer -privs "VM.Config.Disk VM.Config.CPU VM.Config.Memory Datastore.AllocateSpace Sys.Modify VM.Config.Options VM.Allocate VM.Audit VM.Console VM.Config.CDROM VM.Config.Network VM.PowerMgmt VM.Config.HWType VM.Monitor"
> pveum aclmod / -user packer@pve -role Packer
> ```
>
> Hope it helps.

- Append SDN.Use to the `pveum roleadd` command if using SDN.
- Append Datastore.AllocateTemplate to the `pveum roleadd` command if using a separate datastore for images (as mentioned in previous comments).
It would be great if all the info gathered in this issue were added to the docs. It can be pretty time-consuming to work through all the necessary permissions without any such reference.