From 7bd9d0b4f59e915afba204706f32114d8d262056 Mon Sep 17 00:00:00 2001 From: nxet Date: Sun, 14 Jan 2024 18:03:43 +0100 Subject: [PATCH 1/5] proxmox_kvm - new param to support unsafe updates --- plugins/modules/proxmox_kvm.py | 57 ++++++++++++++++++++++++---------- 1 file changed, 40 insertions(+), 17 deletions(-) diff --git a/plugins/modules/proxmox_kvm.py b/plugins/modules/proxmox_kvm.py index c0133ed8705..19a3a9a2b2b 100644 --- a/plugins/modules/proxmox_kvm.py +++ b/plugins/modules/proxmox_kvm.py @@ -525,6 +525,12 @@ - Update of O(pool) is disabled. It needs an additional API endpoint not covered by this module. type: bool default: false + update_unsafe: + description: + - If V(true), does not enforce limitations on parameters O(net), O(virtio), O(ide), O(sata), O(scsi). + type: bool + default: false + version_added: 8.3.0 vcpus: description: - Sets number of hotplugged vcpus. @@ -846,6 +852,20 @@ memory: 16384 update: true +- name: Update VM configuration (incl. unsafe options) + community.general.proxmox_kvm: + api_user: root@pam + api_password: secret + api_host: helldorado + name: spynal + node: sabrewulf + cores: 8 + memory: 16384 + net: + net0: virtio,bridge=vmbr1 + update: true + update_unsafe: true + - name: Delete QEMU parameters community.general.proxmox_kvm: api_user: root@pam @@ -981,7 +1001,7 @@ def wait_for_task(self, node, taskid): time.sleep(1) return False - def create_vm(self, vmid, newid, node, name, memory, cpu, cores, sockets, update, **kwargs): + def create_vm(self, vmid, newid, node, name, memory, cpu, cores, sockets, update, update_unsafe, **kwargs): # Available only in PVE 4 only_v4 = ['force', 'protection', 'skiplock'] only_v6 = ['ciuser', 'cipassword', 'sshkeys', 'ipconfig', 'tags'] 
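Review bot: The new example `Update VM configuration (incl. unsafe options)` sets `update_unsafe: true` without saying what the flag lifts, so it reads as the routine way to change `net0`. The description of `update` elsewhere in this series states that updating `net` changes the MAC address and that `virtio` always creates a new disk, and examples are where most users copy flags from. I would put a comment directly above the flag, `# update_unsafe lifts the guard on net/virtio/ide/sata/scsi/efidisk0/tpmstate0; a wrong value can recreate a disk or change the MAC address`, and drop the unrelated `cores`/`memory` settings so the unsafe task carries only the key it needs to change.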
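Review bot: `update_unsafe` is added to `create_vm` as a required positional parameter in front of `**kwargs`, so any caller that is not updated in the same change fails with a TypeError. Only the call in `main()` is visible in this series, so whether other callers exist cannot be confirmed from the diff. Giving the parameter a default keeps the protective behaviour for anyone who does not pass it: `def create_vm(self, vmid, newid, node, name, memory, cpu, cores, sockets, update, update_unsafe=False, **kwargs):`. The body of create_vm continues outside this hunk.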
@@ -1018,23 +1038,24 @@ def create_vm(self, vmid, newid, node, name, memory, cpu, cores, sockets, update urlencoded_ssh_keys = quote(kwargs['sshkeys'], safe='') kwargs['sshkeys'] = str(urlencoded_ssh_keys) - # If update, don't update disk (virtio, efidisk0, tpmstate0, ide, sata, scsi) and network interface + # If update, don't update disk (virtio, efidisk0, tpmstate0, ide, sata, scsi) and network interface, unless update_unsafe=True # pool parameter not supported by qemu//config endpoint on "update" (PVE 6.2) - only with "create" if update: - if 'virtio' in kwargs: - del kwargs['virtio'] - if 'sata' in kwargs: - del kwargs['sata'] - if 'scsi' in kwargs: - del kwargs['scsi'] - if 'ide' in kwargs: - del kwargs['ide'] - if 'efidisk0' in kwargs: - del kwargs['efidisk0'] - if 'tpmstate0' in kwargs: - del kwargs['tpmstate0'] - if 'net' in kwargs: - del kwargs['net'] + if update_unsafe is not True: + if 'virtio' in kwargs: + del kwargs['virtio'] + if 'sata' in kwargs: + del kwargs['sata'] + if 'scsi' in kwargs: + del kwargs['scsi'] + if 'ide' in kwargs: + del kwargs['ide'] + if 'efidisk0' in kwargs: + del kwargs['efidisk0'] + if 'tpmstate0' in kwargs: + del kwargs['tpmstate0'] + if 'net' in kwargs: + del kwargs['net'] if 'force' in kwargs: del kwargs['force'] if 'pool' in kwargs: @@ -1286,6 +1307,7 @@ def main(): version=dict(type='str', choices=['2.0', '1.2'], default='2.0') )), update=dict(type='bool', default=False), + update_unsafe=dict(type='bool', default=False), vcpus=dict(type='int'), vga=dict(choices=['std', 'cirrus', 'vmware', 'qxl', 'serial0', 'serial1', 'serial2', 'serial3', 'qxl2', 'qxl3', 'qxl4']), virtio=dict(type='dict'), @@ -1320,6 +1342,7 @@ def main(): sockets = module.params['sockets'] state = module.params['state'] update = bool(module.params['update']) + update_unsafe = bool(module.params['update_unsafe']) vmid = module.params['vmid'] validate_certs = module.params['validate_certs'] 
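Review bot: When `update_unsafe` is true, the branch under `if update:` forwards whichever of `virtio`, `sata`, `scsi`, `ide`, `efidisk0`, `tpmstate0` and `net` the task carries, and nothing in the run output records that the guard was lifted. A task that sets the flag to change one interface therefore also pushes any disk keys it contains, and the module documentation says those can recreate a disk. I would emit a warning naming the keys that were let through, and hold the guarded names in one tuple instead of seven `if … del` pairs so the list lives in one place. The fence assumes the class keeps the AnsibleModule as `self.module`, which this hunk does not show. create_vm starts and ends outside the hunk.

```python
        if update:
            guarded = ('virtio', 'sata', 'scsi', 'ide', 'efidisk0', 'tpmstate0', 'net')
            if update_unsafe is not True:
                for key in guarded:
                    kwargs.pop(key, None)
            else:
                lifted = [key for key in guarded if kwargs.get(key) is not None]
                if lifted:
                    self.module.warn(
                        "update_unsafe=true: sending %s to the config endpoint; "
                        "disks may be recreated and MAC addresses changed" % ', '.join(lifted)
                    )
            # … unchanged: removal of 'force' and 'pool' …
```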
@@ -1429,7 +1452,7 @@ def main(): module.fail_json(msg="node '%s' does not exist in cluster" % node) try: - proxmox.create_vm(vmid, newid, node, name, memory, cpu, cores, sockets, update, + proxmox.create_vm(vmid, newid, node, name, memory, cpu, cores, sockets, update, update_unsafe, archive=module.params['archive'], acpi=module.params['acpi'], agent=module.params['agent'], From bd2b41ff6cc895481d9ca459155d4cd807a58165 Mon Sep 17 00:00:00 2001 From: nxet Date: Sun, 14 Jan 2024 18:09:16 +0100 Subject: [PATCH 2/5] changelog fragments --- changelogs/fragments/7843-proxmox_kvm-update_unsafe.yml | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 changelogs/fragments/7843-proxmox_kvm-update_unsafe.yml diff --git a/changelogs/fragments/7843-proxmox_kvm-update_unsafe.yml b/changelogs/fragments/7843-proxmox_kvm-update_unsafe.yml new file mode 100644 index 00000000000..733e5b48d0c --- /dev/null +++ b/changelogs/fragments/7843-proxmox_kvm-update_unsafe.yml @@ -0,0 +1,2 @@ +minor_changes: + - proxmox_kvm - Add parameter `update_unsafe` to avoid limitations when updating dangerous values. (https://github.com/ansible-collections/community.general/pull/7843). From 7940d4355c9ffefe6855b1c1bb14ea07719705c9 Mon Sep 17 00:00:00 2001 From: nxet Date: Sun, 14 Jan 2024 20:25:34 +0100 Subject: [PATCH 3/5] Apply suggestions from code review Co-authored-by: Felix Fontein --- changelogs/fragments/7843-proxmox_kvm-update_unsafe.yml | 2 +- plugins/modules/proxmox_kvm.py | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/changelogs/fragments/7843-proxmox_kvm-update_unsafe.yml b/changelogs/fragments/7843-proxmox_kvm-update_unsafe.yml index 733e5b48d0c..dcb1ebb218a 100644 --- a/changelogs/fragments/7843-proxmox_kvm-update_unsafe.yml +++ b/changelogs/fragments/7843-proxmox_kvm-update_unsafe.yml 
@@ -1,2 +1,2 @@ minor_changes: - - proxmox_kvm - Add parameter `update_unsafe` to avoid limitations when updating dangerous values. (https://github.com/ansible-collections/community.general/pull/7843). + - proxmox_kvm - add parameter ``update_unsafe`` to avoid limitations when updating dangerous values (https://github.com/ansible-collections/community.general/pull/7843). diff --git a/plugins/modules/proxmox_kvm.py b/plugins/modules/proxmox_kvm.py index 19a3a9a2b2b..46b8a247c59 100644 --- a/plugins/modules/proxmox_kvm.py +++ b/plugins/modules/proxmox_kvm.py @@ -527,7 +527,7 @@ default: false update_unsafe: description: - - If V(true), does not enforce limitations on parameters O(net), O(virtio), O(ide), O(sata), O(scsi). + - If V(true), does not enforce limitations on parameters O(net), O(virtio), O(ide), O(sata), and O(scsi). type: bool default: false version_added: 8.3.0 @@ -1041,7 +1041,7 @@ def create_vm(self, vmid, newid, node, name, memory, cpu, cores, sockets, update # If update, don't update disk (virtio, efidisk0, tpmstate0, ide, sata, scsi) and network interface, unless update_unsafe=True # pool parameter not supported by qemu//config endpoint on "update" (PVE 6.2) - only with "create" if update: - if update_unsafe is not True: + if update_unsafe is False: if 'virtio' in kwargs: del kwargs['virtio'] if 'sata' in kwargs: From f11d8d7457f96243fcba5ab119595bb9aaab1561 Mon Sep 17 00:00:00 2001 From: nxet Date: Wed, 31 Jan 2024 14:09:56 +0100 Subject: [PATCH 4/5] improved docs --- plugins/modules/proxmox_kvm.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/plugins/modules/proxmox_kvm.py b/plugins/modules/proxmox_kvm.py index 46b8a247c59..ee96cb8e1e0 100644 --- a/plugins/modules/proxmox_kvm.py +++ b/plugins/modules/proxmox_kvm.py 
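Review bot: `if update_unsafe is False:` in the second proxmox_kvm.py hunk makes the guard fail open: any value other than the `False` singleton (for example `None` or `0` from a caller other than `main()`) skips the deletions and lets disk and network keys reach the update call. The earlier `is not True` kept the protections on for everything except an explicit `True`. `main()` coerces the parameter with `bool(...)`, so the visible call path is unaffected, but the safe default should not depend on that. Either `if update_unsafe is not True:` or `if not update_unsafe:` keeps the guard on for `None`. The enclosing `if update:` block continues outside the hunk.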
@@ -522,12 +522,14 @@ - If V(true), the VM will be updated with new value. - Because of the operations of the API and security reasons, I have disabled the update of the following parameters O(net), O(virtio), O(ide), O(sata), O(scsi). Per example updating O(net) update the MAC address and C(virtio) create always new disk... + This security feature can be disabled by setting the O(update_unsafe) to V(true). - Update of O(pool) is disabled. It needs an additional API endpoint not covered by this module. type: bool default: false update_unsafe: description: - - If V(true), does not enforce limitations on parameters O(net), O(virtio), O(ide), O(sata), and O(scsi). + - If V(true), do not enforce limitations on parameters O(net), O(virtio), O(ide), O(sata), O(scsi), O(efidisk0), and O(tpmstate0). + Use this option with caution because an improper configuration might result in a permanent loss of data (e.g. disk recreated). type: bool default: false version_added: 8.3.0 From cbe38e4e82adefd4b1edc5d75babf60d4ff12408 Mon Sep 17 00:00:00 2001 From: nxet Date: Thu, 1 Feb 2024 13:54:01 +0100 Subject: [PATCH 5/5] updated `version_added` --- plugins/modules/proxmox_kvm.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/modules/proxmox_kvm.py b/plugins/modules/proxmox_kvm.py index ee96cb8e1e0..d180180cb4a 100644 --- a/plugins/modules/proxmox_kvm.py +++ b/plugins/modules/proxmox_kvm.py @@ -532,7 +532,7 @@ Use this option with caution because an improper configuration might result in a permanent loss of data (e.g. disk recreated). type: bool default: false - version_added: 8.3.0 + version_added: 8.4.0 vcpus: description: - Sets number of hotplugged vcpus.