From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: Dominik Csapak <d.csapak@proxmox.com>
Cc: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [PATCH qemu-server v5 1/6] enable cluster mapped USB devices for guests
Date: Tue, 13 Jun 2023 14:23:04 +0200 [thread overview]
Message-ID: <fvyf3rzw7piafezzr4i6zcgf7yixaxctohwof2jkt4b7toislx@x56hfrixl6d3> (raw)
In-Reply-To: <20230606135222.984747-4-d.csapak@proxmox.com>
On Tue, Jun 06, 2023 at 03:52:02PM +0200, Dominik Csapak wrote:
> this patch allows configuring usb devices that are mapped via
> cluster resource mapping when the user has 'Resource.Use' on the ACL
> path '/resource/usb/{ID}' (in addition to the usual required vm config
^ should be /mapping in the commit message as well ;-)
> privileges)
>
> for now, this is only valid if there is exactly one mapping for the
> host, since we don't track passed through usb devices yet
>
> this adds a permission check for clone and restore since an admin can
> now give permissions for specific devices
>
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
> changes from v4:
> * rename s/resource/mapping/i
> * add permission check for clone/restore
>
> PVE/API2/Qemu.pm | 51 ++++++++++++++++++++++++++++++++++++++++---
> PVE/QemuServer.pm | 40 ++++++++++++++++++++++++++++++++-
> PVE/QemuServer/USB.pm | 27 ++++++++++++++++++++---
> 3 files changed, 111 insertions(+), 7 deletions(-)
>
> diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
> index 587bb222..13cc73d1 100644
> --- a/PVE/API2/Qemu.pm
> +++ b/PVE/API2/Qemu.pm
> @@ -32,6 +32,7 @@ use PVE::QemuServer::Drive;
> use PVE::QemuServer::ImportDisk;
> use PVE::QemuServer::Monitor qw(mon_cmd);
> use PVE::QemuServer::Machine;
> +use PVE::QemuServer::USB qw(parse_usb_device);
> use PVE::QemuMigrate;
> use PVE::RPCEnvironment;
> use PVE::AccessControl;
> @@ -175,6 +176,16 @@ my $check_storage_access = sub {
> if defined($settings->{vmstatestorage});
> };
>
> +my sub check_mapping_access_clone {
> + my ($rpcenv, $user, $conf) = @_;
> +
> + for my $opt (keys $conf->%*) {
> + if ($opt =~ m/^usb\d+$/) {
> + PVE::QemuServer::check_vm_clone_restore_usb_perm($rpcenv, $user, $opt, $conf->{$opt})
> + }
> + }
> +};
> +
> my $check_storage_access_clone = sub {
> my ($rpcenv, $authuser, $storecfg, $conf, $storage) = @_;
>
> @@ -590,8 +601,13 @@ my $check_vm_create_usb_perm = sub {
>
> foreach my $opt (keys %{$param}) {
> next if $opt !~ m/^usb\d+$/;
> + my $entry = PVE::JSONSchema::parse_property_string('pve-qm-usb', $param->{$opt});
> + my $device = parse_usb_device($entry->{host});
>
> - if ($param->{$opt} =~ m/spice/) {
> + if ($device->{spice}) {
> + $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.HWType']);
> + } elsif ($device->{mapped}) {
> + $rpcenv->check_full($authuser, "/mapping/usb/$entry->{host}", ['Mapping.Use']);
> $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.HWType']);
> } else {
> die "only root can set '$opt' config for real devices\n";
> @@ -1696,7 +1712,12 @@ my $update_vm_api = sub {
> PVE::QemuConfig->add_to_pending_delete($conf, $opt, $force);
> PVE::QemuConfig->write_config($vmid, $conf);
> } elsif ($opt =~ m/^usb\d+$/) {
> - if ($val =~ m/spice/) {
> + my $device = PVE::JSONSchema::parse_property_string('pve-qm-usb', $val);
> + my $host = parse_usb_device($device->{host});
> + if ($host->{spice}) {
> + $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.HWType']);
> + } elsif ($host->{mapped}) {
> + $rpcenv->check_full($authuser, "/mapping/usb/$device->{host}", ['Mapping.Use']);
> $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.HWType']);
> } elsif ($authuser ne 'root@pam') {
> die "only root can delete '$opt' config for real devices\n";
> @@ -1761,7 +1782,30 @@ my $update_vm_api = sub {
> }
> $conf->{pending}->{$opt} = $param->{$opt};
> } elsif ($opt =~ m/^usb\d+/) {
> - if ((!defined($conf->{$opt}) || $conf->{$opt} =~ m/spice/) && $param->{$opt} =~ m/spice/) {
> + my $olddevice;
> + my $oldhost;
> + if (defined($conf->{$opt})) {
> + $olddevice = PVE::JSONSchema::parse_property_string('pve-qm-usb', $conf->{$opt});
> + $oldhost = parse_usb_device($olddevice->{host});
> + }
> + if (defined($oldhost)) {
> + if ($oldhost->{spice}) {
> + $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.HWType']);
> + } elsif ($oldhost->{mapped}) {
> + $rpcenv->check_full($authuser, "/mapping/usb/$olddevice->{host}", ['Mapping.Use']);
> + $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.HWType']);
> + } elsif ($authuser ne 'root@pam') {
> + die "only root can modify '$opt' config for real devices\n";
> + }
> + }
> +
> + my $newdevice = PVE::JSONSchema::parse_property_string('pve-qm-usb', $param->{$opt});
> + my $newhost = parse_usb_device($newdevice->{host});
> +
> + if ($newhost->{spice}) {
> + $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.HWType']);
> + } elsif ($newhost->{mapped}) {
> + $rpcenv->check_full($authuser, "/mapping/usb/$newdevice->{host}", ['Mapping.Use']);
> $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.HWType']);
> } elsif ($authuser ne 'root@pam') {
> die "only root can modify '$opt' config for real devices\n";
> @@ -3488,6 +3532,7 @@ __PACKAGE__->register_method({
> my $oldconf = $snapname ? $conf->{snapshots}->{$snapname} : $conf;
>
> my $sharedvm = &$check_storage_access_clone($rpcenv, $authuser, $storecfg, $oldconf, $storage);
> + check_mapping_access_clone($rpcenv, $authuser, $oldconf);
>
> die "can't clone VM to node '$target' (VM uses local storage)\n"
> if $target && !$sharedvm;
> diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
> index ab33aa37..f209a604 100644
> --- a/PVE/QemuServer.pm
> +++ b/PVE/QemuServer.pm
> @@ -1090,6 +1090,8 @@ The Host USB device or port or the value 'spice'. HOSTUSBDEVICE syntax is:
>
> You can use the 'lsusb -t' command to list existing usb devices.
>
> +Alternatively, you can used an ID of a mapped usb device.
> +
> NOTE: This option allows direct access to host hardware. So it is no longer possible to migrate such
> machines - use with special care.
>
> @@ -1106,6 +1108,8 @@ EODESCR
> },
> };
>
> +PVE::JSONSchema::register_format('pve-qm-usb', $usb_fmt);
> +
> my $usbdesc = {
> optional => 1,
> type => 'string', format => $usb_fmt,
> @@ -2243,7 +2247,12 @@ PVE::JSONSchema::register_format('pve-qm-usb-device', \&verify_usb_device);
> sub verify_usb_device {
> my ($value, $noerr) = @_;
>
> - return $value if parse_usb_device($value);
> + my $parsed = eval { parse_usb_device($value) };
> + if (my $err = $@) {
> + die $@ if !$noerr;
(should use $err instead of $@ since you already assigned it)
> + return;
> + }
> + return $value if defined($parsed);
>
> return if $noerr;
>
next prev parent reply other threads:[~2023-06-13 12:23 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-06 13:51 [pve-devel] [PATCH access-control/guest-common/qemu-server/manager v5] cluster mapping Dominik Csapak
2023-06-06 13:52 ` [pve-devel] [PATCH access-control v5 1/1] add privileges and paths for cluster resource mapping Dominik Csapak
2023-06-07 17:03 ` [pve-devel] applied: " Thomas Lamprecht
2023-06-06 13:52 ` [pve-devel] [PATCH guest-common v5 1/1] add PCI/USB Mapping configs Dominik Csapak
2023-06-07 17:17 ` [pve-devel] applied: " Thomas Lamprecht
2023-06-06 13:52 ` [pve-devel] [PATCH qemu-server v5 1/6] enable cluster mapped USB devices for guests Dominik Csapak
2023-06-13 12:23 ` Wolfgang Bumiller [this message]
2023-06-06 13:52 ` [pve-devel] [PATCH qemu-server v5 2/6] enable cluster mapped PCI " Dominik Csapak
2023-06-06 13:52 ` [pve-devel] [PATCH qemu-server v5 3/6] check_local_resources: extend for mapped resources Dominik Csapak
2023-06-13 12:43 ` Wolfgang Bumiller
2023-06-06 13:52 ` [pve-devel] [PATCH qemu-server v5 4/6] api: migrate preconditions: use new check_local_resources info Dominik Csapak
2023-06-13 12:46 ` Wolfgang Bumiller
2023-06-06 13:52 ` [pve-devel] [PATCH qemu-server v5 5/6] migration: check for mapped resources Dominik Csapak
2023-06-06 13:52 ` [pve-devel] [PATCH qemu-server v5 6/6] add test for mapped pci devices Dominik Csapak
2023-06-06 13:52 ` [pve-devel] [PATCH v5 01/15] pvesh: fix parameters for proxyto_callback Dominik Csapak
2023-06-06 13:52 ` [pve-devel] [PATCH v5 02/15] api: add resource map api endpoints for PCI and USB Dominik Csapak
2023-06-13 11:26 ` Wolfgang Bumiller
2023-06-06 13:52 ` [pve-devel] [PATCH v5 03/15] ui: parser: add helpers for lists of property strings Dominik Csapak
2023-06-06 13:52 ` [pve-devel] [PATCH v5 04/15] ui: form/USBSelector: make it more flexible with nodename Dominik Csapak
2023-06-06 13:52 ` [pve-devel] [PATCH v5 05/15] ui: form: add PCIMapSelector Dominik Csapak
2023-06-06 13:52 ` [pve-devel] [PATCH v5 06/15] ui: form: add USBMapSelector Dominik Csapak
2023-06-06 13:52 ` [pve-devel] [PATCH v5 07/15] ui: qemu/PCIEdit: rework panel to add a mapped configuration Dominik Csapak
2023-06-06 13:52 ` [pve-devel] [PATCH v5 08/15] ui: qemu/USBEdit: add 'mapped' device case Dominik Csapak
2023-06-06 13:52 ` [pve-devel] [PATCH v5 09/15] ui: form: add MultiPCISelector Dominik Csapak
2023-06-06 13:52 ` [pve-devel] [PATCH v5 10/15] ui: add edit window for pci mappings Dominik Csapak
2023-06-06 13:52 ` [pve-devel] [PATCH v5 11/15] ui: add edit window for usb mappings Dominik Csapak
2023-06-06 13:52 ` [pve-devel] [PATCH v5 12/15] ui: add ResourceMapTree Dominik Csapak
2023-06-06 13:52 ` [pve-devel] [PATCH v5 13/15] ui: allow configuring pci and usb mapping Dominik Csapak
2023-06-06 13:52 ` [pve-devel] [PATCH v5 14/15] ui: window/Migrate: allow mapped devices Dominik Csapak
2023-06-06 13:52 ` [pve-devel] [PATCH v5 15/15] ui: improve permission handling for hardware Dominik Csapak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fvyf3rzw7piafezzr4i6zcgf7yixaxctohwof2jkt4b7toislx@x56hfrixl6d3 \
--to=w.bumiller@proxmox.com \
--cc=d.csapak@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.