Unable to upload ISO with API user #81

Closed
dannytech opened this issue Apr 12, 2022 · 5 comments · Fixed by #130

@dannytech

Overview of the Issue

When using an API token and either the cd_files and/or cd_content options in an additional_iso_files block like below, or the iso_url option, the upload fails with the error Post "https://<hostname>:8006/api2/json/nodes/<node>/storage/resources/upload": write tcp 192.168.5.71:51734->192.168.1.10:8006: use of closed network connection. I am able to manually upload an ISO without issue, and I've even tried assigning the API token I used full Administrator, but it continues to fail with this error. I can also upload an ISO using a username and password rather than an API token.

additional_iso_files {
    device   = "ide3"

    # Generate image with unattended installer
    cd_files = [
        "./autounattend.xml"
    ]
    cd_label = "autounattend"

    iso_storage_pool = "resources"
    unmount          = true
}

iso_url          = "./autounattend.iso"
iso_checksum     = "sha1:539d87c4b66ea7bc9770f103e6e7952a97b56008"
iso_storage_pool = "resources"

I'm also not positive that this report should be here and not proxmox-api-go; I'm not sure where the problem lies.

Reproduction Steps

Steps to reproduce this issue

  1. Use either the cd_files block above or create a new .iso file and specify it with iso_url
  2. Create a new API token and give it enough permissions to work with Packer (I even tested with Administrator)
  3. Run Packer
  4. The ISO will immediately fail to upload with the Packer error use of closed network connection
  5. Check the pveproxy access logs on your Proxmox server; they will show a 403 error and that the request was unauthenticated

Plugin and Packer version

From packer version:

Packer v1.8.0
/home/<username>/.config/packer/plugins/github.com/hashicorp/proxmox/packer-plugin-proxmox_v1.0.5_x5.0_linux_amd64

Simplified Packer Buildfile

Buildfile

Operating system and Environment details

OS, Architecture, and any other information you can provide about the
environment:

  • Packer is running in LXC under Proxmox (uname -a: Linux <removed> 5.13.19-6-pve #1 SMP PVE 5.13.19-14 (Thu, 10 Mar 2022 16:24:52 +0100) x86_64 x86_64 x86_64 GNU/Linux)
  • The Packer client and Proxmox server are on different subnets; I had to add a firewall allow so that it could be accessed on :8006
  • I also proxy the Proxmox interface using Nginx, but the same issue occurred when I tried with that
  • The API token uses privilege separation

Log Fragments and crash.log files

Relevant log from /var/log/pveproxy/access.log:

::ffff:192.168.5.71 - - [12/04/2022:16:01:19 -0700] "POST /api2/json/nodes/<node>/storage/resources/upload HTTP/1.1" 403 -

This error seems to suggest that Packer isn't sending the API credentials, since authenticated requests normally start with ::ffff:127.0.0.1 - root@pam. So the PVE API would simply be rejecting and closing the POST request, while at the same time Packer tries to upload the file, resulting in the use of closed network connection.

@dannytech dannytech added the bug label Apr 12, 2022
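
An added example (not part of the original issue or the plugin's code): a triage script for the pveproxy access-log check in reproduction step 5. It separates upload requests that arrived with no authenticated identity (user field `-`, the case reported here) from requests where an identity was recognised but denied. Only the first sample line comes from the issue; the others, the `packer@pve!build` token name, and the assumption that pveproxy logs a token as `user@realm!tokenid` are constructed for illustration.

```python
import re

# Layout of the pveproxy access.log line quoted in the issue:
# client - user [timestamp] "METHOD path PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+$'
)
UPLOAD_RE = re.compile(r'^/api2/json/nodes/[^/]+/storage/(?P<storage>[^/]+)/upload$')

def classify(line):
    """Return a finding for a storage upload request, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m or m["method"] != "POST":
        return None
    up = UPLOAD_RE.match(m["path"])
    if not up:
        return None
    status, user = int(m["status"]), m["user"]
    if status in (401, 403) and user == "-":
        verdict = "no-credentials"     # nothing authenticated: credentials absent or rejected
    elif status == 403:
        verdict = "permission-denied"  # identity recognised, but the request was refused
    elif status < 400:
        verdict = "ok"
    else:
        verdict = "other-error"
    return {"client": m["client"], "user": user, "storage": up["storage"],
            "status": status, "verdict": verdict}

def triage(lines):
    """Classify every upload request found in an iterable of log lines."""
    return [f for f in map(classify, lines) if f is not None]

# First line is the one quoted in the issue; the rest are constructed samples.
UPLOAD = '"POST /api2/json/nodes/<node>/storage/resources/upload HTTP/1.1"'
SAMPLE_LOG = [
    f'::ffff:192.168.5.71 - - [12/04/2022:16:01:19 -0700] {UPLOAD} 403 -',
    f'::ffff:192.168.5.71 - packer@pve!build [12/04/2022:16:05:02 -0700] {UPLOAD} 403 -',
    f'::ffff:127.0.0.1 - root@pam [12/04/2022:16:07:40 -0700] {UPLOAD} 200 -',
    '::ffff:127.0.0.1 - root@pam [12/04/2022:16:07:41 -0700] "GET /api2/json/version HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f["verdict"]:<18} user={f["user"]} storage={f["storage"]} from {f["client"]}')
```

A `no-credentials` verdict points at the client not presenting the token on that request, while `permission-denied` points at the ACL for the token on the storage.
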
@proegssilb

On first glance, this appears to be similar to the issue I'm having with Packer 1.8.1 and Proxmox 7.2. The API Token I'm using has Administrator permissions (which I intend to limit after I've verified everything works).

@jacksonporter

jacksonporter commented Sep 25, 2022

Same issue here! (Proxmox 7.2-11, Packer 1.8.3)

@zakx

zakx commented Sep 27, 2022

I had to explicitly give PVEDatastoreUser permissions on the specific datastore where ISOs are stored to my API token, even though I disabled privilege separation. Did you try that?

@jacksonporter

I was able to test doing this with the Administrator permission, so at least I know an API token can indeed work. Thanks @zakx !

@modem7

modem7 commented Dec 13, 2022

Just in case this is useful for anyone later down the line, this is how I've added my Packer user and role to Proxmox:

pveum useradd packer@pve
pveum passwd packer@pve
pveum roleadd Packer -privs "VM.Config.Disk VM.Config.CPU VM.Config.Cloudinit VM.Clone VM.Config.Memory Datastore.AllocateSpace Sys.Modify VM.Config.Options VM.Console VM.Allocate VM.Audit VM.Config.CDROM VM.Config.Network VM.PowerMgmt VM.Config.HWType VM.Monitor"
pveum aclmod / -user packer@pve -role Packer

Create the API token.

Unfortunately only tried with the ISO builder due to #79 - so apologies if it doesn't help this particular issue!
