[pve-devel] [PATCH qemu-server] api: add 'allow-ksm' to memory options

[pve-devel] [PATCH qemu-server] api: add 'allow-ksm' to memory options

[Fabian Grünbichler]

else it is treated as root-only parameter, and since the UI will set/clear it
by default, that makes memory-editing in its entirety root-only.

Fixes: ae91d137c1e993031385da594c37c61e4295dc97 close #5291: support disabling KSM for specific VMs
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---

Notes:
    reported on the forum:
    
    https://forum.proxmox.com/threads/176180/

 src/PVE/API2/Qemu.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/PVE/API2/Qemu.pm b/src/PVE/API2/Qemu.pm
index a1c99b9e..5cdba4bb 100644
--- a/src/PVE/API2/Qemu.pm
+++ b/src/PVE/API2/Qemu.pm
@@ -742,6 +742,7 @@ my $memoryoptions = {
     'memory' => 1,
     'balloon' => 1,
     'shares' => 1,
+    'allow-ksm' => 1,
 };
 
 my $hwtypeoptions = {
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH qemu-server] api: add 'allow-ksm' to memory options

[Fiona Ebner]

Am 18.11.25 um 10:42 AM schrieb Fabian Grünbichler:
> else it is treated as root-only parameter, and since the UI will set/clear it
> by default, that makes memory-editing in its entirety root-only.

Should it be editable by users with "just" VM.Config.Memory? One main
use case is security-related to avoid side-channel attacks. If the
answer is no, we should fix the UI of course ;)


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH qemu-server] api: add 'allow-ksm' to memory options

[Fabian Grünbichler]

On November 18, 2025 11:08 am, Fiona Ebner wrote:
> Am 18.11.25 um 10:42 AM schrieb Fabian Grünbichler:
>> else it is treated as root-only parameter, and since the UI will set/clear it
>> by default, that makes memory-editing in its entirety root-only.
> 
> Should it be editable by users with "just" VM.Config.Memory? One main
> use case is security-related to avoid side-channel attacks. If the
> answer is no, we should fix the UI of course ;)

IMHO, yes. it is the default after all, and its purpose is to protect
this VM against other co-located guests, not against other admins that
are allowed to (re-)configure my VM.


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH qemu-server] api: add 'allow-ksm' to memory options

[Fiona Ebner]

Am 18.11.25 um 11:12 AM schrieb Fabian Grünbichler:
> On November 18, 2025 11:08 am, Fiona Ebner wrote:
>> Am 18.11.25 um 10:42 AM schrieb Fabian Grünbichler:
>>> else it is treated as root-only parameter, and since the UI will set/clear it
>>> by default, that makes memory-editing in its entirety root-only.
>>
>> Should it be editable by users with "just" VM.Config.Memory? One main
>> use case is security-related to avoid side-channel attacks. If the
>> answer is no, we should fix the UI of course ;)
> 
> IMHO, yes. it is the default after all, and its purpose is to protect
> this VM against other co-located guests, not against other admins that
> are allowed to (re-)configure my VM.

Yes, good point :)


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH qemu-server] api: add 'allow-ksm' to memory options

[Thomas Lamprecht]

On Tue, 18 Nov 2025 10:42:10 +0100, Fabian Grünbichler wrote:
> else it is treated as root-only parameter, and since the UI will set/clear it
> by default, that makes memory-editing in its entirety root-only.
> 
> 

Applied, thanks!

[1/1] api: add 'allow-ksm' to memory options
      commit: 57ab3e97178a8cd4942bdafa0fb5cb2a2a540a47


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel