Proxmox Virtual Environment Complete Course Part 9 - User Management
HTML-код
- Опубликовано: 30 май 2024
- Welcome back to LearnLinuxTV's full course on Proxmox Virtual Environment! In class #9, we'll look at how user management is structured, and we'll walk through the process of creating several accounts. Also, we'll take an initial look at groups and permissions as well.
Other episodes:
Class 01 - Getting Started: linux.video/pve1
Class 02 - Installation Process: linux.video/pve2
Class 03 - Web Console Overview: linux.video/pve3
Class 04 - Containers vs Virtual Machines: linux.video/pve4
Class 05 - Launching a Virtual Machine: linux.video/pve5
Class 06 - Setting up Virtual Machine Templates: linux.video/pve6
Class 07 - Creating Containers: linux.video/pve7
Class 08 - Setting up Container Templates: linux.video/pve8
Class 09 - User Management: This video
Class 10 - Backups and Snapshots: Coming soon!
Class 11 - Integrated Firewall: Coming soon
Class 12 - Command-line Interface: linux.video/pve12
Class 13 - Networking: linux.video/pve13
Class 14 - Shared storage: linux.video/pve14
Class 15 - Clustering: linux.video/pve15
Class 16 - High availability: linux.video/pve16
Bonus video 1 - Launching a Windows VM: linux.video/pve-win
Bonus video 2 - Getting started with Proxmox Backup Server: linux.video/pbs
Bonus video 3 - Proxmox VE - How to build an Ubuntu 22.04 Template (Updated Method): linux.video/pve-2204
Bonus video 4 - Build a Kubernetes Cluster on Proxmox: linux.video/proxmox-k8s
Timecodes
00:00 - Intro
02:32 - The two realms for users
03:30 - Adding a PAM user
06:42 - Manually creating a Linux user
08:53 - Adding a user into the pve realm
13:37 - Creating a group
14:26 - Adding user permissions
16:43 - Assigning a group to a user
LearnLinuxTV Sites
🐧 Main site:
➡️ www.learnlinux.tv
🐧 LearnLinuxTV Community:
➡️ community.learnlinux.tv
Support LearnLinuxTV (commission earned)
📖 Check out Jay's latest book, Mastering Ubuntu Server 4th Edition. Covers Ubuntu 22.04!
➡️ ubuntuserverbook.com
🙌 Support me on Patreon and get early access to new content!
➡️ learnlinux.link/patron
☁️ Support LearnLinuxTV and Set up your own cloud server with Akamai Connected Cloud:
➡️ learnlinux.link/akamai
🛒 Affiliate store for Linux compatible hardware/accessories:
➡️ learnlinux.link/amazon
💻 Check out the Tiny Pilot KVM for your Homelab:
➡️ learnlinux.link/tinypilot
About Me
🐦 Follow me on Twitter!
➡️ learnlinux.link/twitter
👨 More about me:
➡️ www.jaylacroix.com
➡️ www.learnlinux.tv
Recommended evergreen videos:
💽 How to create a bootable flash drive for installing Linux
➡️ linux.video/flash-usb
🐧 Understanding Linux permissions
➡️ linux.video/perms
🐧 OpenSSH Guide
➡️ linux.video/ssh
📖 LVM Deep-dive:
➡️ linux.video/lvm
🔐 How to better secure OpenSSH:
➡️ linux.video/secure-ssh
☁️ How to create a cloud Linux server with Linode:
➡️ learnlinux.link/create-linode
FAQ
🐧 Which distro do I use?
➡️ learnlinux.link/mydistro
💽 My recording gear (commissions earned):
➡️ learnlinux.link/recording-stuff
#Proxmox #Virtualization #DevOps 
Наука
I think a better way to think of the PAM realm might be that it allows you to give access to the PVE web UI to existing Linux system users. IOW, if you wanted to create a new user with access to the UI, you'd set it up in the PVE realm (barring external authentication, which you don't discuss here). But if you already had a user created on the system, and you subsequently wanted to give that user access to the UI, that's when you'd add the user in the PAM realm. I'm not sure if that's what they intended, but it's the only way it makes sense to me.
I am trying out version 8 and I love that it has 2FA using an authenticator app. It makes it much more secure to prevent anyone logging in.
Jay. You don't know me. I get it. But I am trying to give honest feedback here.
In the world of IT relatively, I'm a noob. But i have been running proxmox for a year and watched the whole thing to pick up tips. Most things I already know, but I certainly was all ears to learn. My point is, content was FANTASTIC. I wish I had this when I was first starting. Can't emphasize how happy I am to watch this.
I have been hitting the thumbs up like a madman, but my critique is how long this whole intro is about becoming a patron and all that, you need to ease back on it, I have had to hear all 1:30 of it for multiple videos now as well as sponsor stuff and adds... You gatta say it, and I get it.. Just less.
Thanks for what you do, keep it coming and I'll spread the word.
Brilliant series! Best, if not the ONLY one on YT I've found. Thank you for sharing.
I really love how this content is recursively organized and presented. 👍 Summary at the end of video helps a bit, too.
Kindest regards, friends and neighbours.
Hey man, this is a great series that's really helping me learn Proxmox. Thanks
Thanks for the Proxmox course
That was really informative. I have started watching this series recently and its really good. I was thinking of migrating to Proxmox in near future so the timing couldn't be any better. Well, I do have a request, can you please make a video explaining the storage management in Proxmox.
Excellent explanation ! Yoyr videos are much appreciated
Hi Jay,
Great Series! You've broken the topics out in a really logical way, and each video is long enough to cover it without being an extended lecture. Perfect delivery too. Some of the clearest and cleanest content of its type I've seen on RUclips. It must take a lot of prep and planning, but it really shows in the finished video. Bravo!
Side question on the UI. This video shows it well as you're constantly logging in and out. Each time you log in, the resource tree on the left is expanded to show all nodes and storage. Mine is always collapsed (PVE 7.1-10, admin PC is windows using Chrome browser) How did you arrange this? It's really irritating to have to expand each and every time I log in. I've searched for an answer several times without success. Wonder if you can help me out.
What is really informative to me is that "Add > Group Permission" is at the higher level of menu "Permissions"!
I used to think the function loses because I only look for it under sub-menus.
I used cli like `pveum acl modify / -group admin -role Administrator` for such configuration.
I didn’t like proxmox and deleted it a few days ago. Decided to give it a second shot. Watched all of your tutorials regarding proxmox and I now really like it. I guess it didn’t like it because I didn’t know how to use it.
Jay, would you recommend disabling the root accounts on the servers and in the Datacenter after creating full admin privileges on another account?
Unfortunately, in my relatively limited experience at least, there's quite a few things you can't do in the UI unless your actually THE root user. It is stuff that you probably won't do often, but you have to enable-dostuff-disable root every time something comes up. One example is installing ceph, it literally tells you "Ceph not installed. Log in as root to install."
Additionally, I found it incredibly inconvenient to be logged in as anyone but root. At least early on, you need the shell quite often, and it's kinda convenient to have the "shell" button right there. If you're not root, you aren't logged in there automatically. You have to login every time with user/password for some reason. Having a (normal) shell with ssh open it likely easier, but still not as easy as just clicking on shell for a quick command.
Thanks for the video
Great series on proxmox. Can you drop the rest soon, plus it would be good to add more when you get time.
No idea why Proxmox can't create underlying linux user automatically, when Realm = pam. What is the point?
Because users are managed at the data center level. The data center represents the all the machines in the cluster so it can't realistically know where to create local pam users. This functionality could be added I'm sure (i.e. have the UI give you options to create the underlying Linux users targeting some number of machines in the cluster) but honestly there is very few reasons to create a pam user in those cases, pve users are really the way to go. If you need SSH to a given server you can just create the user directly withing Linux, I wouldn't even bother creating that user in the Proxmox UI myself.
Thanks so much for this!
Thank you Jay
This is great stuff. One thought - at 4:59 you mention that the created user is not in the shell environment - do you think if this is by design or do you think its on purpose?
Is there an example of how to setup users so they can attach over the web and run, but not edit, stop, start, create, etc, selected VMs? I'd can add the VM.Console permission and use web services calls to get a spice remote connection, but if that same user logs in, the list of VMs they could use is not present.
I wonder if you can add a user to a windows environment.
Thank you.
perfect!
Thank you
Do you have any videos for proxmox email alert notification?
Weird that you don't get asked the password for a PAM user in the GUI? The GUI could just execute the system command "adduser xyz" for you, right? 🤔🤔 Or is that not possible because "adduser" requires interactive input?
You are doing really great videos. That really helps me - thanks you for that 🙏. But what I really don't understand: Why can I add "Linux-Users" from the GUI and then have to manualy add them to the underling linux system. That dose make no sens to me, why proxmox is doing that. Mybe you explained it and I missed it with my level of english ❓
You awesome jayyy!
I could easily see how useful these are when tied to an LDAP or AD server.
Jay, can Proxmox interact with an Active Directory server or a comparable LDAP server for the purpose of user management?
if you become a patreon member you can ask questions and get help
I'd commented last night that it could, and given a link to the PVE docs, but that post seems to have disappeared. So I'll instead say that you can Google for the docs, but they indicate that PVE will interact with AD.
I see no reason why the GUI even bothers with PAM users. If all that gets shown is pve users, what would be lost?
You didn't mention how to add your PAM user to the sudoers. You actually need to install sudo to be able to do it.
root# apt install sudo
root# sudo adduser jay sudo
I will get your book
I also would like to disagree with your explanation. For me it looks more like that:
Proxomx is a service that has backend, frontend and some kind of database. When you create new user you are creating that user in proxmox database and only there. That user will be used to manage Proxmox system: send commands to the backend, then the backend will do all the dirty work on the machine and update the state in database if needed. When you create PAM user you are only telling the Proxmox that this user can login to the system using his Linux credentials - but they are not using those credentials to login as linux user, they are using those credentials to login to Proxmox account that was created in proxmox database.
So that is only logical that linux users are not created by proxmox and it should not be proxmox responsibility - for me that would presents a pretty big system vunrebility if proxmox would change system users - how it should act when backups are created and then imported on different systems? What if someone would be able to take over system without administrator knowledge and start changing linux users that would be exported with a whole system as backup? It would mean that anywhere when you restore a system from a backup it is already compromised via SSH. And when you create PVE account it is "pure" proxmox user that is isolated from the linux system and is fully managed by the Proxmox instance for Proxmox purpouses only without any access to linux system. At least that is how I think it should work: you should create proxmox(PVE) users, give them proxmox permissions and disable shell access. Shell access should only be for special ocasions and if someone would still be able to manage to compromise linux machine it should be 'theoriticaly' possible to create proxmox backup and import it on different machine knowing that all the mess stayed on a previous machine, though I would not advise it since they could change proxmox files directly on linux machine - but even in this grimm scenario it is a lot easier to just create proxmox instance from a backup of compromised machine on other network islated machine and fix all the permissions on the UI there than backing up compromised linux accounts.
And if someone would like to say that "Buuut you can change root password in the proxmox! root is PAM accoount! Your logic is invalid - proxmox is changing user paswords!" - think just for a second. If someone was able to get access to your root account using credentials you have a lot bigger problems than wondering what should they use to change a password Proxmox or SSH at this point. :)
please promote yourself at the end of the video. Not the beginning.