Kubemox V0.5.0 Incompatible With Proxmox VE 9.0.11

by Alex Johnson 51 views

A bug has been identified in kubemox v0.5.0 that causes incompatibility issues with Proxmox VE 9.0.11. Specifically, the error "Parameter verification failed" occurs during Virtual Machine (VM) creation. This article dives into the details of the bug, its root cause, reproduction steps, and potential solutions.

What's the Issue?

When attempting to create a Virtual Machine from a template using kubemox v0.5.0 with Proxmox VE 9.0.11, the process encounters a failure during the VM startup phase. Although the operator successfully clones the VM from the template, creates the VM in Proxmox with a valid VMID, and completes the disk cloning process, it subsequently fails to start the VM. The error message received is: ERROR Failed to start VirtualMachine error: bad request: 400 Parameter verification failed. - {"vmid":"invalid format - value does not look like a valid VM ID\n"}. The logs clearly show that the operator successfully retrieves the VMID, as indicated by the message New VM bug-test-vm has been creating with ID: 100, but fails immediately afterward with the VMID validation error. This issue arises due to stricter parameter validation in Proxmox 9.x, which rejects API calls with duplicate parameters, such as the VMID being present in both the URL path and the request body/query. This incompatibility prevents the seamless creation and startup of VMs, hindering the user experience and potentially disrupting automated workflows.

Root Cause Analysis

Delving deeper into the root cause, direct API testing revealed that while all Proxmox 9.0.11 API endpoints function correctly when called properly, Proxmox 9.x enforces stricter parameter validation compared to its 8.x counterpart. Specifically, Proxmox 9.x rejects API calls that include duplicate parameters, such as the VMID being present in both the URL path and the request body or query. The core problem seems to stem from kubemox (or the underlying luthermonson/go-proxmox library) redundantly sending the VMID parameter. This redundancy was tolerated by Proxmox 8.x but is now strictly rejected by Proxmox 9.x due to its enhanced validation rules. This change in validation behavior is crucial because it directly impacts how kubemox interacts with the Proxmox API, leading to the observed failures when creating and starting VMs. Understanding this root cause is essential for developing a targeted and effective solution that ensures compatibility between kubemox and Proxmox VE 9.0.11.

Test Results:

# ✅ Works - VMID only in URL
curl -X POST https://.../qemu/999/status/start
{"data":"UPID:...".}

# ❌ Fails - VMID as duplicate parameter
curl -X PUT https://.../qemu/999/config -d "vmid=999"
{"message":"Parameter verification failed.\n","errors":{"vmid":"duplicate parameter (already defined in URI)"}}

Expected Behavior

The expected behavior is that the VM should be created successfully, cloned from the specified template, and then started without encountering any errors. This seamless process is crucial for maintaining efficient and reliable virtual infrastructure management. To achieve this, the operator needs to be compatible with both Proxmox VE 8.x and 9.x. This compatibility can be ensured by adhering to Proxmox API best practices, which dictate that the VMID should only be included in the URL path and not redundantly included in the request parameters. By following these guidelines, the operator can avoid triggering the stricter parameter validation introduced in Proxmox 9.x, thereby ensuring smooth VM creation and startup processes. This approach not only resolves the current incompatibility issue but also future-proofs the operator against similar validation changes in subsequent Proxmox versions, ensuring long-term stability and reliability.

Reproduction Steps

To reproduce the incompatibility issue, follow these steps:

  1. Deploy kubemox v0.5.0 to a Kubernetes cluster.
  2. Configure ProxmoxConnection to a Proxmox VE 9.0.11 server (this issue does not occur with 8.x).
  3. Create a VirtualMachine from an existing template.
  4. Observe the operator logs. The VM will be created, but it will fail to start.

Expected Logs:

INFO Creating VM from template: ubuntu2404-base
INFO New VM bug-test-vm has been creating with ID: 100
INFO Virtual Machine bug-test-vm, creation process: create full clone...
DEBUG VirtualMachine bug-test-vm-001 has been created
ERROR Failed to start VirtualMachine - bad request: 400 Parameter verification failed

Potential Solution

The issue likely resides within the luthermonson/go-proxmox library, which kubemox relies on. Specifically, functions such as VirtualMachine.Start() and VirtualMachine.Stop(), or any operation that passes the VMID after VM creation, are potential areas of concern. The fix is likely straightforward: remove the redundant VMID parameters from the request bodies when the VMID is already present in the URL path. This adjustment would align the API calls with Proxmox's stricter validation requirements in version 9.x, resolving the "Parameter verification failed" error and ensuring seamless VM creation and startup. By addressing this redundancy, kubemox can maintain compatibility with both older and newer versions of Proxmox, providing a more robust and reliable user experience. Furthermore, this fix would also align with general API best practices, promoting cleaner and more efficient code.

CVE-2024-21545 and Security Implications

This issue is directly related to Proxmox's fix for CVE-2024-21545 (October 2024), which tightened API parameter validation. Proxmox 9.x now strictly rejects parameters with additionalProperties: 0 (the new default for security), while Proxmox 8.x was more permissive (additionalProperties: 1). The error message "property is not defined in schema and the schema does not allow additional properties" is the exact validation error from this security hardening. This change was implemented to enhance security by preventing unexpected or malicious parameters from being passed to the API, reducing the attack surface and improving overall system integrity. Addressing this issue in kubemox not only resolves the immediate incompatibility but also aligns with Proxmox's security enhancements, ensuring a more secure and robust integration between the two systems. Reference: Snyk CVE-2024-21545 Analysis

Versions

Kubemox version

v0.5.0 (Docker image: alperencelik/kubemox:v0.5.0)

Proxmox version

pve-manager/9.0.11/66a09cd007bc538f (running kernel: 6.8.12-5-pve)

Conclusion

In summary, the incompatibility between kubemox v0.5.0 and Proxmox VE 9.0.11, manifested by the "Parameter verification failed" error, is due to stricter API parameter validation in Proxmox 9.x. This validation rejects duplicate VMID parameters, which kubemox inadvertently sends. The solution involves modifying the luthermonson/go-proxmox library to remove redundant VMID parameters from API requests, aligning with Proxmox API best practices and resolving the issue. Addressing this incompatibility not only ensures smooth VM creation and startup but also aligns with Proxmox's security enhancements related to CVE-2024-21545, promoting a more secure and robust integration between kubemox and Proxmox. This fix will allow users to leverage the latest features and security improvements in Proxmox VE 9.0.11 without encountering compatibility issues with kubemox v0.5.0, ensuring a seamless and reliable virtual infrastructure management experience.

For further information on Proxmox VE and its features, visit the Proxmox VE official website.