use PVE::QemuConfig;
use PVE::QemuServer;
use PVE::QemuServer::Drive;
+use PVE::QemuServer::CPUConfig;
use PVE::QemuServer::Monitor qw(mon_cmd);
use PVE::QemuMigrate;
use PVE::RPCEnvironment;
return $vollist;
};
+my $check_cpu_model_access = sub {
+ my ($rpcenv, $authuser, $new, $existing) = @_;
+
+ return if !defined($new->{cpu});
+
+ my $cpu = PVE::JSONSchema::check_format('pve-vm-cpu-conf', $new->{cpu});
+ return if !$cpu || !$cpu->{cputype}; # always allow default
+ my $cputype = $cpu->{cputype};
+
+ if ($existing && $existing->{cpu}) {
+ # changing only other settings doesn't require permissions for CPU model
+ my $existingCpu = PVE::JSONSchema::check_format('pve-vm-cpu-conf', $existing->{cpu});
+ return if $existingCpu->{cputype} eq $cputype;
+ }
+
+ if (PVE::QemuServer::CPUConfig::is_custom_model($cputype)) {
+ $rpcenv->check($authuser, "/nodes", ['Sys.Audit']);
+ }
+};
+
my $cpuoptions = {
'cores' => 1,
'cpu' => 1,
&$check_vm_modify_config_perm($rpcenv, $authuser, $vmid, $pool, [ keys %$param]);
+ &$check_cpu_model_access($rpcenv, $authuser, $param);
+
foreach my $opt (keys %$param) {
if (PVE::QemuServer::is_valid_drivename($opt)) {
my $drive = PVE::QemuServer::parse_drive($opt, $param->{$opt});
return if PVE::QemuServer::drive_is_cdrom($drive);
my ($storeid, $volname) = PVE::Storage::parse_volume_id($volid, 1);
- return if $volname eq 'cloudinit';
+ return if defined($volname) && $volname eq 'cloudinit';
my $format;
if ($volid =~ $NEW_DISK_RE) {
die "checksum missmatch (file change by other user?)\n"
if $digest && $digest ne $conf->{digest};
+ &$check_cpu_model_access($rpcenv, $authuser, $param, $conf);
+
# FIXME: 'suspended' lock should probabyl be a state or "weak" lock?!
if (scalar(@delete) && grep { $_ eq 'vmstate'} @delete) {
if (defined($conf->{lock}) && $conf->{lock} eq 'suspended') {
my $running = PVE::QemuServer::check_running($vmid) || 0;
- # exclusive lock if VM is running - else shared lock is enough;
- my $shared_lock = $running ? 0 : 1;
-
my $clonefn = sub {
# do all tests after lock but before forking worker - if possible
return $rpcenv->fork_worker('qmclone', $vmid, $authuser, $realcmd);
};
- return PVE::QemuConfig->lock_config_mode($vmid, 1, $shared_lock, sub {
- # Aquire exclusive lock lock for $newid
+ # Aquire exclusive lock lock for $newid
+ my $lock_target_vm = sub {
return PVE::QemuConfig->lock_config_full($newid, 1, $clonefn);
- });
+ };
+ # exclusive lock if VM is running - else shared lock is enough;
+ if ($running) {
+ return PVE::QemuConfig->lock_config_full($vmid, 1, $lock_target_vm);
+ } else {
+ return PVE::QemuConfig->lock_config_shared($vmid, 1, $lock_target_vm);
+ }
}});
__PACKAGE__->register_method({