physical disk passthrough - 500 Internal Server Error

[Maxy-Paulo]

Hello,

I'm trying to create a "qemu" with a physical disk mounted directly (passthrough).
Clone is running fine, but vm configuration update fail with an API 500 error, without much information.
When removing the block "virtio3", the VM clone sucessfully and start, When i set back the block "virtio3", the same API error 500 occur.
Adding the passthrough disk manually to the VM works.

How could that be resolved ?

---- Error from terraform
31m╷�[0m�[0m
�[31m│�[0m �[0m�[1m�[31mError: �[0m�[0m�[1merror updating VM: 500 Internal Server Error, error status: {"data":null} (params: map[agent:1 bios:seabios boot:order=virtio0 cores:2 cpu:host description:hvp-nomad-012 | NOMAD MEDIA hotplug:network,disk,usb ipconfig0:ip=192.168.1.92/24,gw=192.168.1.254 kvm:true memory:16384 name:hvp-nomad-012 nameserver:192.168.1.91 1.1.1.1 8.8.8.8 192.168.1.254 net0:virtio=7E:D3:48:69:0D:98,bridge=vmbr0 numa:false onboot:true ostype:l26 protection:false scsihw:virtio-scsi-pci searchdomain:potatokingdom.fr smbios1:uuid=3592152a-279b-42fa-9d5e-0f5d92610889 sockets:2 tablet:true tags:nomad;production virtio3:/dev/disk/by-id/wwn-0x6b083fe0e9520a002e19968217276c31,replicate=0 vmid:108])�[0m
�[31m│�[0m �[0m
�[31m│�[0m �[0m�[0m with proxmox_vm_qemu.hvp_nomad_012,
�[31m│�[0m �[0m on hvp-nomad-012.tf line 1, in resource "proxmox_vm_qemu" "hvp_nomad_012":
�[31m│�[0m �[0m 1: resource "proxmox_vm_qemu" "hvp_nomad_012" �[4m{�[0m�[0m

---- Terraform file
terraform {
required_providers {
proxmox = {
source = "Telmate/proxmox"
version = "3.0.1-rc3"
}
}
}
resource "proxmox_vm_qemu" "hvp_nomad_012" {
name = "hvp-nomad-012"
desc = "hvp-nomad-012 | NOMAD MEDIA"
tags = "production,nomad"
cores = 2
sockets = 2
cpu = "host"
memory = 16384

scsihw = "virtio-scsi-pci"
boot = "order=virtio0"
disks {
ide {
ide0 {
cloudinit {
storage = "local-lvm"
}
}
}
virtio {
virtio0 {
disk {
size = 10
cache = "writethrough"
storage = "local-lvm"
format = "raw"
iothread = true
backup = false
}
}
virtio1 {
disk {
size = 10
cache = "writethrough"
storage = "local-lvm"
format = "raw"
iothread = true
backup = false
}
}
virtio2 {
disk {
size = 30
cache = "writethrough"
storage = "local-lvm"
format = "raw"
iothread = true
backup = true
}
}
virtio3 {
passthrough {
file = "/dev/disk/by-id/wwn-0x6b083fe0e9520a002e19968217276c31"
}
}
}
}

network {
  model = "virtio"
  bridge = "vmbr0"
  firewall = false
}
ipconfig0 = "ip=192.168.1.92/24,gw=192.168.1.254"
nameserver = "192.168.1.91 1.1.1.1 8.8.8.8 192.168.1.254"
searchdomain = "potatokingdom.fr"

# -- Generic --
onboot = true
agent = 1
os_type = "cloud-init"
full_clone = true
clone = "hvp-template-ubuntu2404"
target_node = "${var.proxmox_node}"

}

---- Comand to add passthrough on proxmox directly (works)
qm set 108 -virtio4/dev/disk/by-id/wwn-0x6b083fe0e9520a002e19968217276c31,backup=0,cache=writethrough,iothread=1,replicate=0

[Tinyblargon]

@Maxy-Paulo The following works on my end:

  disks {
    virtio {
      virtio3 {
        passthrough {
          file = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi3"
        }
      }
    }
  }

This was tested with the current master branch against a virtual PVE 8.2.7

[MagicMicky]

Hello,
I'm trying to passthrough a disk to my VM using this terraform provider, and I think I have the same error - potentially with additional details.

Current configuration

• Important bits

  disks {
    // [...]

    scsi {
      // [...]
      scsi1 {
        passthrough {
          file = "/dev/disk/by-partuuid/<uuid>"
        }
      }
    }
  }

Full terraform file

resource "proxmox_vm_qemu" "test-vm" {
  name        = "test"
  vmid        = 4320
  target_node = var.proxmox_target_node

  clone      = var.proxmox_vm_clone
  cores      = 2
  sockets    = 1
  memory     = 2048
  tags       = "test"
  full_clone = false
  

  agent = 1

  network {
    model  = "virtio"
    bridge = "<redacted>"
  }

  ipconfig0 = "ip=dhcp"

  disks {
    ide {
      ide0 {
        cloudinit {
          storage = "local-lvm"
        }
      }
    }
    scsi {
      scsi0 {
        disk {
          size    = "20G"
          storage = var.proxmox_storage_pool
          format  = "raw"

        }
      }
      scsi1 {
        passthrough {
          file = "/dev/disk/by-partuuid/<uuid>"
        }
      }
    }
  }

  connection {
    type        = "ssh"
    user        = "<redacted>"
    private_key = file("~/.ssh/id_rsa")
    host        = self.ssh_host
    port        = self.ssh_port
  }
  provisioner "remote-exec" {
    inline = [
      "ip a"
    ]
  }
}

The error is thrown when doing a terraform apply, and shows what looks like potentially an access rights issue

│ Error: error updating VM: 500 Only root can pass arbitrary filesystem paths. at /usr/share/perl5/PVE/Storage.pm line 543., error status: {"data":null} (params: map[agent:1 balloon:0 bios:seabios cicustom: cipassword: ciupgrade:0 cores:2 cpu:host delete:shares description: hotplug:network,disk,usb ipconfig0:ip=dhcp kvm:true memory:2048 name:test net0:virtio=16:F3:39:9F:51:C6,bridge=<redacted> numa:0 onboot:false protection:false scsi0:local-lvm:vm-4320-disk-0,replicate=0 scsi1:/dev/disk/by-partuuid/<uuid>,replicate=0 scsihw:lsi sockets:1 sshkeys:%0A tablet:true tags:test vmid:4320])

I tried with the suggested access rights, through a user as well as through a token that was assigned to the root user (seeing root is mentioned in the error), but it lead to the same error message

Using:

• Proxmox: 8.2.2
• telmate/proxmox 3.0.1-rc4

I might definitely be doing something wrong. The manual command (as root, in cli) works to attach the disk to the vm (see op's message) . If of interest, it's a partition and not a full disk.

[Tinyblargon]

@MagicMicky only user root@pam is allowed to passthrough a disk, from the cli or api.

[MagicMicky]

hey @Tinyblargon thanks for the reply there. Just to confirm, then it is only possible using a user / password login scheme right?
My root user has MFA so I tried using an API token under root@pam!terraform, with Privilege Separation disabled, and I have the same error thrown at me

[Tinyblargon]

@MagicMicky not everything works with api tokens. That's probably an issue in the Terraform provider or it's underlying library.

[MagicMicky]

Okay thanks! Upon further look into the issue I found the following that might be of interest if people ends up on this thread through search:

• Proxmox forum thread explaining that in some places in proxmox they "explicitly check for 'root@pam' and that does not include root@pam's tokens", and that "regular users can set disks/mountpoints to volumes that they have access to, while root can pass through host disks or bind-mount host directories"
• Bug report on proxmox tracking the potential addition of a "Sys.Root" access right

Seeing op's error (500) while trying to use a passthrough i would also say that it's likely that it relates to my issue - but can only assume that from this point.

I'll go and try to getmy root user's mfa work with this provider then, but so far I've been facing 401s despite adding a OTP. It's unrelated to the issue here so i'll try to stop spamming here!

Thanks for the fast replies though @Tinyblargon

[Tinyblargon]

@MagicMicky if you can't get the mfa working, can you create a new issue. I'll look into it, never tried mfa myself.